Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch565
-rw-r--r--meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb (renamed from meta/recipes-extended/libtirpc/libtirpc_1.3.2.bb)6
2 files changed, 2 insertions, 569 deletions
diff --git a/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch
deleted file mode 100644
index 64dffb923b..0000000000
--- a/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch
+++ /dev/null
@@ -1,565 +0,0 @@
-From 86529758570cef4c73fb9b9c4104fdc510f701ed Mon Sep 17 00:00:00 2001
-From: Dai Ngo <dai.ngo@oracle.com>
-Date: Sat, 21 Aug 2021 13:16:23 -0400
-Subject: [PATCH] Fix DoS vulnerability in libtirpc
-
-Currently svc_run does not handle poll timeout and rendezvous_request
-does not handle EMFILE error returned from accept(2 as it used to.
-These two missing functionality were removed by commit b2c9430f46c4.
-
-The effect of not handling poll timeout allows idle TCP conections
-to remain ESTABLISHED indefinitely. When the number of connections
-reaches the limit of the open file descriptors (ulimit -n) then
-accept(2) fails with EMFILE. Since there is no handling of EMFILE
-error this causes svc_run() to get in a tight loop calling accept(2).
-This resulting in the RPC service of svc_run is being down, it's
-no longer able to service any requests.
-
-RPC service rpcbind, statd and mountd are effected by this
-problem.
-
-Fix by enhancing rendezvous_request to keep the number of
-SVCXPRT conections to 4/5 of the size of the file descriptor
-table. When this thresold is reached, it destroys the idle
-TCP connections or destroys the least active connection if
-no idle connnction was found.
-
-Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc
-
-CVE: CVE-2021-46828
-Upstream-Status: Backport [http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed]
-Signed-off-by: dai.ngo@oracle.com
-Signed-off-by: Steve Dickson <steved@redhat.com>
----
- INSTALL | 371 +----------------------------------------------------------
- src/svc.c | 17 ++-
- src/svc_vc.c | 62 +++++++++-
- 3 files changed, 78 insertions(+), 372 deletions(-)
- mode change 100644 => 120000 INSTALL
-
-diff --git a/INSTALL b/INSTALL
-deleted file mode 100644
-index 2099840..0000000
---- a/INSTALL
-+++ /dev/null
-@@ -1,370 +0,0 @@
--Installation Instructions
--*************************
--
--Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
--Inc.
--
-- Copying and distribution of this file, with or without modification,
--are permitted in any medium without royalty provided the copyright
--notice and this notice are preserved. This file is offered as-is,
--without warranty of any kind.
--
--Basic Installation
--==================
--
-- Briefly, the shell command `./configure && make && make install'
--should configure, build, and install this package. The following
--more-detailed instructions are generic; see the `README' file for
--instructions specific to this package. Some packages provide this
--`INSTALL' file but do not implement all of the features documented
--below. The lack of an optional feature in a given package is not
--necessarily a bug. More recommendations for GNU packages can be found
--in *note Makefile Conventions: (standards)Makefile Conventions.
--
-- The `configure' shell script attempts to guess correct values for
--various system-dependent variables used during compilation. It uses
--those values to create a `Makefile' in each directory of the package.
--It may also create one or more `.h' files containing system-dependent
--definitions. Finally, it creates a shell script `config.status' that
--you can run in the future to recreate the current configuration, and a
--file `config.log' containing compiler output (useful mainly for
--debugging `configure').
--
-- It can also use an optional file (typically called `config.cache'
--and enabled with `--cache-file=config.cache' or simply `-C') that saves
--the results of its tests to speed up reconfiguring. Caching is
--disabled by default to prevent problems with accidental use of stale
--cache files.
--
-- If you need to do unusual things to compile the package, please try
--to figure out how `configure' could check whether to do them, and mail
--diffs or instructions to the address given in the `README' so they can
--be considered for the next release. If you are using the cache, and at
--some point `config.cache' contains results you don't want to keep, you
--may remove or edit it.
--
-- The file `configure.ac' (or `configure.in') is used to create
--`configure' by a program called `autoconf'. You need `configure.ac' if
--you want to change it or regenerate `configure' using a newer version
--of `autoconf'.
--
-- The simplest way to compile this package is:
--
-- 1. `cd' to the directory containing the package's source code and type
-- `./configure' to configure the package for your system.
--
-- Running `configure' might take a while. While running, it prints
-- some messages telling which features it is checking for.
--
-- 2. Type `make' to compile the package.
--
-- 3. Optionally, type `make check' to run any self-tests that come with
-- the package, generally using the just-built uninstalled binaries.
--
-- 4. Type `make install' to install the programs and any data files and
-- documentation. When installing into a prefix owned by root, it is
-- recommended that the package be configured and built as a regular
-- user, and only the `make install' phase executed with root
-- privileges.
--
-- 5. Optionally, type `make installcheck' to repeat any self-tests, but
-- this time using the binaries in their final installed location.
-- This target does not install anything. Running this target as a
-- regular user, particularly if the prior `make install' required
-- root privileges, verifies that the installation completed
-- correctly.
--
-- 6. You can remove the program binaries and object files from the
-- source code directory by typing `make clean'. To also remove the
-- files that `configure' created (so you can compile the package for
-- a different kind of computer), type `make distclean'. There is
-- also a `make maintainer-clean' target, but that is intended mainly
-- for the package's developers. If you use it, you may have to get
-- all sorts of other programs in order to regenerate files that came
-- with the distribution.
--
-- 7. Often, you can also type `make uninstall' to remove the installed
-- files again. In practice, not all packages have tested that
-- uninstallation works correctly, even though it is required by the
-- GNU Coding Standards.
--
-- 8. Some packages, particularly those that use Automake, provide `make
-- distcheck', which can by used by developers to test that all other
-- targets like `make install' and `make uninstall' work correctly.
-- This target is generally not run by end users.
--
--Compilers and Options
--=====================
--
-- Some systems require unusual options for compilation or linking that
--the `configure' script does not know about. Run `./configure --help'
--for details on some of the pertinent environment variables.
--
-- You can give `configure' initial values for configuration parameters
--by setting variables in the command line or in the environment. Here
--is an example:
--
-- ./configure CC=c99 CFLAGS=-g LIBS=-lposix
--
-- *Note Defining Variables::, for more details.
--
--Compiling For Multiple Architectures
--====================================
--
-- You can compile the package for more than one kind of computer at the
--same time, by placing the object files for each architecture in their
--own directory. To do this, you can use GNU `make'. `cd' to the
--directory where you want the object files and executables to go and run
--the `configure' script. `configure' automatically checks for the
--source code in the directory that `configure' is in and in `..'. This
--is known as a "VPATH" build.
--
-- With a non-GNU `make', it is safer to compile the package for one
--architecture at a time in the source code directory. After you have
--installed the package for one architecture, use `make distclean' before
--reconfiguring for another architecture.
--
-- On MacOS X 10.5 and later systems, you can create libraries and
--executables that work on multiple system types--known as "fat" or
--"universal" binaries--by specifying multiple `-arch' options to the
--compiler but only a single `-arch' option to the preprocessor. Like
--this:
--
-- ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
-- CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
-- CPP="gcc -E" CXXCPP="g++ -E"
--
-- This is not guaranteed to produce working output in all cases, you
--may have to build one architecture at a time and combine the results
--using the `lipo' tool if you have problems.
--
--Installation Names
--==================
--
-- By default, `make install' installs the package's commands under
--`/usr/local/bin', include files under `/usr/local/include', etc. You
--can specify an installation prefix other than `/usr/local' by giving
--`configure' the option `--prefix=PREFIX', where PREFIX must be an
--absolute file name.
--
-- You can specify separate installation prefixes for
--architecture-specific files and architecture-independent files. If you
--pass the option `--exec-prefix=PREFIX' to `configure', the package uses
--PREFIX as the prefix for installing programs and libraries.
--Documentation and other data files still use the regular prefix.
--
-- In addition, if you use an unusual directory layout you can give
--options like `--bindir=DIR' to specify different values for particular
--kinds of files. Run `configure --help' for a list of the directories
--you can set and what kinds of files go in them. In general, the
--default for these options is expressed in terms of `${prefix}', so that
--specifying just `--prefix' will affect all of the other directory
--specifications that were not explicitly provided.
--
-- The most portable way to affect installation locations is to pass the
--correct locations to `configure'; however, many packages provide one or
--both of the following shortcuts of passing variable assignments to the
--`make install' command line to change installation locations without
--having to reconfigure or recompile.
--
-- The first method involves providing an override variable for each
--affected directory. For example, `make install
--prefix=/alternate/directory' will choose an alternate location for all
--directory configuration variables that were expressed in terms of
--`${prefix}'. Any directories that were specified during `configure',
--but not in terms of `${prefix}', must each be overridden at install
--time for the entire installation to be relocated. The approach of
--makefile variable overrides for each directory variable is required by
--the GNU Coding Standards, and ideally causes no recompilation.
--However, some platforms have known limitations with the semantics of
--shared libraries that end up requiring recompilation when using this
--method, particularly noticeable in packages that use GNU Libtool.
--
-- The second method involves providing the `DESTDIR' variable. For
--example, `make install DESTDIR=/alternate/directory' will prepend
--`/alternate/directory' before all installation names. The approach of
--`DESTDIR' overrides is not required by the GNU Coding Standards, and
--does not work on platforms that have drive letters. On the other hand,
--it does better at avoiding recompilation issues, and works well even
--when some directory options were not specified in terms of `${prefix}'
--at `configure' time.
--
--Optional Features
--=================
--
-- If the package supports it, you can cause programs to be installed
--with an extra prefix or suffix on their names by giving `configure' the
--option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
--
-- Some packages pay attention to `--enable-FEATURE' options to
--`configure', where FEATURE indicates an optional part of the package.
--They may also pay attention to `--with-PACKAGE' options, where PACKAGE
--is something like `gnu-as' or `x' (for the X Window System). The
--`README' should mention any `--enable-' and `--with-' options that the
--package recognizes.
--
-- For packages that use the X Window System, `configure' can usually
--find the X include and library files automatically, but if it doesn't,
--you can use the `configure' options `--x-includes=DIR' and
--`--x-libraries=DIR' to specify their locations.
--
-- Some packages offer the ability to configure how verbose the
--execution of `make' will be. For these packages, running `./configure
----enable-silent-rules' sets the default to minimal output, which can be
--overridden with `make V=1'; while running `./configure
----disable-silent-rules' sets the default to verbose, which can be
--overridden with `make V=0'.
--
--Particular systems
--==================
--
-- On HP-UX, the default C compiler is not ANSI C compatible. If GNU
--CC is not installed, it is recommended to use the following options in
--order to use an ANSI C compiler:
--
-- ./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
--
--and if that doesn't work, install pre-built binaries of GCC for HP-UX.
--
-- HP-UX `make' updates targets which have the same time stamps as
--their prerequisites, which makes it generally unusable when shipped
--generated files such as `configure' are involved. Use GNU `make'
--instead.
--
-- On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
--parse its `<wchar.h>' header file. The option `-nodtk' can be used as
--a workaround. If GNU CC is not installed, it is therefore recommended
--to try
--
-- ./configure CC="cc"
--
--and if that doesn't work, try
--
-- ./configure CC="cc -nodtk"
--
-- On Solaris, don't put `/usr/ucb' early in your `PATH'. This
--directory contains several dysfunctional programs; working variants of
--these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
--in your `PATH', put it _after_ `/usr/bin'.
--
-- On Haiku, software installed for all users goes in `/boot/common',
--not `/usr/local'. It is recommended to use the following options:
--
-- ./configure --prefix=/boot/common
--
--Specifying the System Type
--==========================
--
-- There may be some features `configure' cannot figure out
--automatically, but needs to determine by the type of machine the package
--will run on. Usually, assuming the package is built to be run on the
--_same_ architectures, `configure' can figure that out, but if it prints
--a message saying it cannot guess the machine type, give it the
--`--build=TYPE' option. TYPE can either be a short name for the system
--type, such as `sun4', or a canonical name which has the form:
--
-- CPU-COMPANY-SYSTEM
--
--where SYSTEM can have one of these forms:
--
-- OS
-- KERNEL-OS
--
-- See the file `config.sub' for the possible values of each field. If
--`config.sub' isn't included in this package, then this package doesn't
--need to know the machine type.
--
-- If you are _building_ compiler tools for cross-compiling, you should
--use the option `--target=TYPE' to select the type of system they will
--produce code for.
--
-- If you want to _use_ a cross compiler, that generates code for a
--platform different from the build platform, you should specify the
--"host" platform (i.e., that on which the generated programs will
--eventually be run) with `--host=TYPE'.
--
--Sharing Defaults
--================
--
-- If you want to set default values for `configure' scripts to share,
--you can create a site shell script called `config.site' that gives
--default values for variables like `CC', `cache_file', and `prefix'.
--`configure' looks for `PREFIX/share/config.site' if it exists, then
--`PREFIX/etc/config.site' if it exists. Or, you can set the
--`CONFIG_SITE' environment variable to the location of the site script.
--A warning: not all `configure' scripts look for a site script.
--
--Defining Variables
--==================
--
-- Variables not defined in a site shell script can be set in the
--environment passed to `configure'. However, some packages may run
--configure again during the build, and the customized values of these
--variables may be lost. In order to avoid this problem, you should set
--them in the `configure' command line, using `VAR=value'. For example:
--
-- ./configure CC=/usr/local2/bin/gcc
--
--causes the specified `gcc' to be used as the C compiler (unless it is
--overridden in the site shell script).
--
--Unfortunately, this technique does not work for `CONFIG_SHELL' due to
--an Autoconf limitation. Until the limitation is lifted, you can use
--this workaround:
--
-- CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
--
--`configure' Invocation
--======================
--
-- `configure' recognizes the following options to control how it
--operates.
--
--`--help'
--`-h'
-- Print a summary of all of the options to `configure', and exit.
--
--`--help=short'
--`--help=recursive'
-- Print a summary of the options unique to this package's
-- `configure', and exit. The `short' variant lists options used
-- only in the top level, while the `recursive' variant lists options
-- also present in any nested packages.
--
--`--version'
--`-V'
-- Print the version of Autoconf used to generate the `configure'
-- script, and exit.
--
--`--cache-file=FILE'
-- Enable the cache: use and save the results of the tests in FILE,
-- traditionally `config.cache'. FILE defaults to `/dev/null' to
-- disable caching.
--
--`--config-cache'
--`-C'
-- Alias for `--cache-file=config.cache'.
--
--`--quiet'
--`--silent'
--`-q'
-- Do not print messages saying which checks are being made. To
-- suppress all normal output, redirect it to `/dev/null' (any error
-- messages will still be shown).
--
--`--srcdir=DIR'
-- Look for the package's source code in directory DIR. Usually
-- `configure' can determine that directory automatically.
--
--`--prefix=DIR'
-- Use DIR as the installation prefix. *note Installation Names::
-- for more details, including other options available for fine-tuning
-- the installation locations.
--
--`--no-create'
--`-n'
-- Run the configure checks, but stop before creating any output
-- files.
--
--`configure' also accepts some other, not widely useful, options. Run
--`configure --help' for more details.
-diff --git a/INSTALL b/INSTALL
-new file mode 120000
-index 0000000..e3f22c0
---- /dev/null
-+++ b/INSTALL
-@@ -0,0 +1 @@
-+/usr/share/automake-1.16/INSTALL
-\ No newline at end of file
-diff --git a/src/svc.c b/src/svc.c
-index 6db164b..3a8709f 100644
---- a/src/svc.c
-+++ b/src/svc.c
-@@ -57,7 +57,7 @@
-
- #define max(a, b) (a > b ? a : b)
-
--static SVCXPRT **__svc_xports;
-+SVCXPRT **__svc_xports;
- int __svc_maxrec;
-
- /*
-@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock)
- rwlock_unlock (&svc_fd_lock);
- }
-
-+int
-+svc_open_fds()
-+{
-+ int ix;
-+ int nfds = 0;
-+
-+ rwlock_rdlock (&svc_fd_lock);
-+ for (ix = 0; ix < svc_max_pollfd; ++ix) {
-+ if (svc_pollfd[ix].fd != -1)
-+ nfds++;
-+ }
-+ rwlock_unlock (&svc_fd_lock);
-+ return (nfds);
-+}
-+
- /*
- * Add a service program to the callout list.
- * The dispatch routine will be called when a rpc request for this
-diff --git a/src/svc_vc.c b/src/svc_vc.c
-index f1d9f00..3dc8a75 100644
---- a/src/svc_vc.c
-+++ b/src/svc_vc.c
-@@ -64,6 +64,8 @@
-
-
- extern rwlock_t svc_fd_lock;
-+extern SVCXPRT **__svc_xports;
-+extern int svc_open_fds();
-
- static SVCXPRT *makefd_xprt(int, u_int, u_int);
- static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *);
-@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *);
- static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in);
- static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq,
- void *in);
-+static int __svc_destroy_idle(int timeout);
-
- struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */
- u_int sendsize;
-@@ -313,13 +316,14 @@ done:
- return (xprt);
- }
-
-+
- /*ARGSUSED*/
- static bool_t
- rendezvous_request(xprt, msg)
- SVCXPRT *xprt;
- struct rpc_msg *msg;
- {
-- int sock, flags;
-+ int sock, flags, nfds, cnt;
- struct cf_rendezvous *r;
- struct cf_conn *cd;
- struct sockaddr_storage addr;
-@@ -379,6 +383,16 @@ again:
-
- gettimeofday(&cd->last_recv_time, NULL);
-
-+ nfds = svc_open_fds();
-+ if (nfds >= (_rpc_dtablesize() / 5) * 4) {
-+ /* destroy idle connections */
-+ cnt = __svc_destroy_idle(15);
-+ if (cnt == 0) {
-+ /* destroy least active */
-+ __svc_destroy_idle(0);
-+ }
-+ }
-+
- return (FALSE); /* there is never an rpc msg to be processed */
- }
-
-@@ -820,3 +834,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock)
- {
- return FALSE;
- }
-+
-+static int
-+__svc_destroy_idle(int timeout)
-+{
-+ int i, ncleaned = 0;
-+ SVCXPRT *xprt, *least_active;
-+ struct timeval tv, tdiff, tmax;
-+ struct cf_conn *cd;
-+
-+ gettimeofday(&tv, NULL);
-+ tmax.tv_sec = tmax.tv_usec = 0;
-+ least_active = NULL;
-+ rwlock_wrlock(&svc_fd_lock);
-+
-+ for (i = 0; i <= svc_max_pollfd; i++) {
-+ if (svc_pollfd[i].fd == -1)
-+ continue;
-+ xprt = __svc_xports[i];
-+ if (xprt == NULL || xprt->xp_ops == NULL ||
-+ xprt->xp_ops->xp_recv != svc_vc_recv)
-+ continue;
-+ cd = (struct cf_conn *)xprt->xp_p1;
-+ if (!cd->nonblock)
-+ continue;
-+ if (timeout == 0) {
-+ timersub(&tv, &cd->last_recv_time, &tdiff);
-+ if (timercmp(&tdiff, &tmax, >)) {
-+ tmax = tdiff;
-+ least_active = xprt;
-+ }
-+ continue;
-+ }
-+ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) {
-+ __xprt_unregister_unlocked(xprt);
-+ __svc_vc_dodestroy(xprt);
-+ ncleaned++;
-+ }
-+ }
-+ if (timeout == 0 && least_active != NULL) {
-+ __xprt_unregister_unlocked(least_active);
-+ __svc_vc_dodestroy(least_active);
-+ ncleaned++;
-+ }
-+ rwlock_unlock(&svc_fd_lock);
-+ return (ncleaned);
-+}
---
-1.8.3.1
-
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.2.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index cc87638c0f..bd13f6e95e 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.2.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -9,12 +9,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f835cce8852481e4b2bbbdd23b5e47f3 \
PROVIDES = "virtual/librpc"
-SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2 \
- file://CVE-2021-46828.patch \
- "
+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2"
UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
-SRC_URI[sha256sum] = "e24eb88b8ce7db3b7ca6eb80115dd1284abc5ec32a8deccfed2224fc2532b9fd"
+SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
inherit autotools pkgconfig
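Review bot: The `+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2"` line drops the CVE-2021-46828 backport without anything in the recipe recording why; the removed patch's header names the upstream fix as commit 86529758570cef4c73fb9b9c4104fdc510f701ed, so the 1.3.3 upgrade presumably supersedes it, but that is not stated on this page and a later reader cannot tell the patch was superseded rather than lost. If the commit message does not already say so, a one-line comment above SRC_URI such as `# CVE-2021-46828 fixed upstream in 1.3.3; backport patch dropped with the upgrade` keeps the CVE trail traceable. The new sha256sum cannot be verified from this page and should be confirmed against the published release tarball before merge.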