diff options
49 files changed, 2821 insertions, 727 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 743bc08a4f..19ed5548b3 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" -CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db" +CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db" CVE_CHECK_LOG ?= "${T}/cve.log" CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check" @@ -37,39 +37,39 @@ CVE_CHECK_COPY_FILES ??= "1" CVE_CHECK_CREATE_MANIFEST ??= "1" # Whitelist for packages (PN) -CVE_CHECK_PN_WHITELIST = "\ - glibc-locale \ -" +CVE_CHECK_PN_WHITELIST ?= "" -# Whitelist for CVE and version of package -CVE_CHECK_CVE_WHITELIST = "{\ - 'CVE-2014-2524': ('6.3','5.2',), \ -}" +# Whitelist for CVE. If a CVE is found, then it is considered patched. +# The value is a string containing space separated CVE values: +# +# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' +# +CVE_CHECK_WHITELIST ?= "" python do_cve_check () { """ Check recipe for patched and unpatched CVEs """ - if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")): + if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): patched_cves = get_patches_cves(d) patched, unpatched = check_cves(d, patched_cves) if patched or unpatched: cve_data = get_cve_info(d, patched + unpatched) cve_write_data(d, patched, unpatched, cve_data) else: - bb.note("Failed to update CVE database, skipping CVE check") + bb.note("No CVE database found, skipping CVE check") + } -addtask cve_check after do_unpack before do_build -do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot cve-check-tool-native:do_populate_cve_db" +addtask cve_check before do_build +do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db" do_cve_check[nostamp] = "1" python cve_check_cleanup () { """ Delete the file used to gather all the CVE information. """ - bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE")) } @@ -163,89 +163,121 @@ def get_patches_cves(d): def check_cves(d, patched_cves): """ - Run cve-check-tool looking for patched and unpatched CVEs. + Connect to the NVD database and find unpatched cves. """ + from distutils.version import LooseVersion - import ast, csv, tempfile, subprocess, io - - cves_patched = [] cves_unpatched = [] - bpn = d.getVar("CVE_PRODUCT") + # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) + products = d.getVar("CVE_PRODUCT").split() # If this has been unset then we're not scanning for CVEs here (for example, image recipes) - if not bpn: + if not products: return ([], []) pv = d.getVar("CVE_VERSION").split("+git")[0] - cves = " ".join(patched_cves) - cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") - cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) - cve_cmd = "cve-check-tool" - cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir] # If the recipe has been whitlisted we return empty lists if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): bb.note("Recipe has been whitelisted, skipping check") return ([], []) - try: - # Write the faux CSV file to be used with cve-check-tool - fd, faux = tempfile.mkstemp(prefix="cve-faux-") - with os.fdopen(fd, "w") as f: - for pn in bpn.split(): - f.write("%s,%s,%s,\n" % (pn, pv, cves)) - cmd.append(faux) - - output = subprocess.check_output(cmd).decode("utf-8") - bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output)) - except subprocess.CalledProcessError as e: - bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output)) - finally: - os.remove(faux) - - for row in csv.reader(io.StringIO(output)): - # Third row has the unpatched CVEs - if row[2]: - for cve in row[2].split(): - # Skip if the CVE has been whitlisted for the current version - if pv in cve_whitelist.get(cve,[]): - bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve)) + old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST") + if old_cve_whitelist: + bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.") + cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() + + import sqlite3 + db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") + conn = sqlite3.connect(db_file, uri=True) + + # For each of the known product names (e.g. curl has CPEs using curl and libcurl)... + for product in products: + if ":" in product: + vendor, product = product.split(":", 1) + else: + vendor = "%" + + # Find all relevant CVE IDs. + for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)): + cve = cverow[0] + + if cve in cve_whitelist: + bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) + # TODO: this should be in the report as 'whitelisted' + patched_cves.add(cve) + continue + elif cve in patched_cves: + bb.note("%s has been patched" % (cve)) + continue + + vulnerable = False + for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)): + (_, _, _, version_start, operator_start, version_end, operator_end) = row + #bb.debug(2, "Evaluating row " + str(row)) + + if (operator_start == '=' and pv == version_start): + vulnerable = True else: + if operator_start: + try: + vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) + vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) + except: + bb.warn("%s: Failed to compare %s %s %s for %s" % + (product, pv, operator_start, version_start, cve)) + vulnerable_start = False + else: + vulnerable_start = False + + if operator_end: + try: + vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) + vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) + except: + bb.warn("%s: Failed to compare %s %s %s for %s" % + (product, pv, operator_end, version_end, cve)) + vulnerable_end = False + else: + vulnerable_end = False + + if operator_start and operator_end: + vulnerable = vulnerable_start and vulnerable_end + else: + vulnerable = vulnerable_start or vulnerable_end + + if vulnerable: + bb.note("%s-%s is vulnerable to %s" % (product, pv, cve)) cves_unpatched.append(cve) - bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve)) - # Fourth row has patched CVEs - if row[3]: - for cve in row[3].split(): - cves_patched.append(cve) - bb.debug(2, "%s-%s is patched for %s" % (bpn, pv, cve)) + break + + if not vulnerable: + bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) + # TODO: not patched but not vulnerable + patched_cves.add(cve) + + conn.close() - return (cves_patched, cves_unpatched) + return (list(patched_cves), cves_unpatched) def get_cve_info(d, cves): """ - Get CVE information from the database used by cve-check-tool. - - Unfortunately the only way to get CVE info is set the output to - html (hard to parse) or query directly the database. + Get CVE information from the database. """ - try: - import sqlite3 - except ImportError: - from pysqlite2 import dbapi2 as sqlite3 + import sqlite3 cve_data = {} - db_file = d.getVar("CVE_CHECK_DB_FILE") - placeholder = ",".join("?" * len(cves)) - query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholder - conn = sqlite3.connect(db_file) - cur = conn.cursor() - for row in cur.execute(query, tuple(cves)): - cve_data[row[0]] = {} - cve_data[row[0]]["summary"] = row[1] - cve_data[row[0]]["score"] = row[2] - cve_data[row[0]]["modified"] = row[3] - cve_data[row[0]]["vector"] = row[4] - conn.close() + conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE")) + for cve in cves: + for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)): + cve_data[row[0]] = {} + cve_data[row[0]]["summary"] = row[1] + cve_data[row[0]]["scorev2"] = row[2] + cve_data[row[0]]["scorev3"] = row[3] + cve_data[row[0]]["modified"] = row[4] + cve_data[row[0]]["vector"] = row[5] + + conn.close() return cve_data def cve_write_data(d, patched, unpatched, cve_data): @@ -270,7 +302,8 @@ def cve_write_data(d, patched, unpatched, cve_data): unpatched_cves.append(cve) write_string += "CVE STATUS: Unpatched\n" write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] - write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"] + write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] + write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass index 40b0375e0b..9bab54c6bd 100644 --- a/meta/classes/populate_sdk_ext.bbclass +++ b/meta/classes/populate_sdk_ext.bbclass @@ -574,8 +574,8 @@ sdk_ext_preinst() { exit 1 fi # The relocation script used by buildtools installer requires python - if ! command -v python > /dev/null; then - echo "ERROR: The installer requires python, please install it first" + if ! command -v python3 > /dev/null; then + echo "ERROR: The installer requires python3, please install it first" exit 1 fi missing_utils="" @@ -634,7 +634,7 @@ sdk_ext_postinst() { # current working directory when first ran, nor will it set $1 when # sourcing a script. That is why this has to look so ugly. LOGFILE="$target_sdk_dir/preparing_build_system.log" - sh -c ". buildtools/environment-setup* > $LOGFILE && cd $target_sdk_dir/`dirname ${oe_init_build_env_path}` && set $target_sdk_dir && . $target_sdk_dir/${oe_init_build_env_path} $target_sdk_dir >> $LOGFILE && python $target_sdk_dir/ext-sdk-prepare.py $LOGFILE '${SDK_INSTALL_TARGETS}'" || { echo "printf 'ERROR: this SDK was not fully installed and needs reinstalling\n'" >> $env_setup_script ; exit 1 ; } + sh -c ". buildtools/environment-setup* > $LOGFILE && cd $target_sdk_dir/`dirname ${oe_init_build_env_path}` && set $target_sdk_dir && . $target_sdk_dir/${oe_init_build_env_path} $target_sdk_dir >> $LOGFILE && python3 $target_sdk_dir/ext-sdk-prepare.py $LOGFILE '${SDK_INSTALL_TARGETS}'" || { echo "printf 'ERROR: this SDK was not fully installed and needs reinstalling\n'" >> $env_setup_script ; exit 1 ; } rm $target_sdk_dir/ext-sdk-prepare.py fi echo done diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc index 672f067792..8eb5e7a864 100644 --- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc @@ -81,6 +81,7 @@ RECIPE_MAINTAINER_pn-build-appliance-image = "Richard Purdie <richard.purdie@lin RECIPE_MAINTAINER_pn-build-compare = "Paul Eggleton <paul.eggleton@linux.intel.com>" RECIPE_MAINTAINER_pn-build-sysroots = "Richard Purdie <richard.purdie@linuxfoundation.org>" RECIPE_MAINTAINER_pn-builder = "Richard Purdie <richard.purdie@linuxfoundation.org>" +RECIPE_MAINTAINER_pn-buildtools-extended-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>" RECIPE_MAINTAINER_pn-buildtools-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>" RECIPE_MAINTAINER_pn-busybox = "Andrej Valek <andrej.valek@siemens.com>" RECIPE_MAINTAINER_pn-busybox-inittab = "Denys Dmytriyenko <denys@ti.com>" @@ -116,6 +117,7 @@ RECIPE_MAINTAINER_pn-cryptodev-tests = "Robert Yang <liezhi.yang@windriver.com>" RECIPE_MAINTAINER_pn-cups = "Chen Qi <Qi.Chen@windriver.com>" RECIPE_MAINTAINER_pn-curl = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-cve-check-tool = "Ross Burton <ross.burton@intel.com>" +RECIPE_MAINTAINER_pn-cve-update-db-native = "Ross Burton <ross.burton@intel.com>" RECIPE_MAINTAINER_pn-cwautomacros = "Ross Burton <ross.burton@intel.com>" RECIPE_MAINTAINER_pn-db = "Mark Hatle <mark.hatle@windriver.com>" RECIPE_MAINTAINER_pn-dbus = "Chen Qi <Qi.Chen@windriver.com>" diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index ad75d3e2a3..69b6edee5f 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc @@ -6,9 +6,9 @@ # to the distro running on the build machine. # -UNINATIVE_MAXGLIBCVERSION = "2.30" +UNINATIVE_MAXGLIBCVERSION = "2.32" -UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.7/" -UNINATIVE_CHECKSUM[aarch64] ?= "e76a45886ee8a0b3904b761c17ac8ff91edf9811ee455f1832d10763ba794dfc" -UNINATIVE_CHECKSUM[i686] ?= "810d027dfb1c7675226afbcec07808770516c969ee7378f6d8240281083f8924" -UNINATIVE_CHECKSUM[x86_64] ?= "9498d8bba047499999a7310ac2576d0796461184965351a56f6d32c888a1f216" +UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/" +UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81" +UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36" +UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423" diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh index 9eabd62630..6c4d14a038 100644 --- a/meta/files/toolchain-shar-extract.sh +++ b/meta/files/toolchain-shar-extract.sh @@ -1,13 +1,8 @@ #!/bin/sh -[ -z "$ENVCLEANED" ] && exec /usr/bin/env -i ENVCLEANED=1 HOME="$HOME" \ - LC_ALL=en_US.UTF-8 \ - TERM=$TERM \ - ICECC_PATH="$ICECC_PATH" \ - http_proxy="$http_proxy" https_proxy="$https_proxy" ftp_proxy="$ftp_proxy" \ - no_proxy="$no_proxy" all_proxy="$all_proxy" GIT_PROXY_COMMAND="$GIT_PROXY_COMMAND" "$0" "$@" -[ -f /etc/environment ] && . /etc/environment -export PATH=`echo "$PATH" | sed -e 's/:\.//' -e 's/::/:/'` +export LC_ALL=en_US.UTF-8 +# Remove invalid PATH elements first (maybe from a previously setup toolchain now deleted +PATH=`python3 -c 'import os; print(":".join(e for e in os.environ["PATH"].split(":") if os.path.exists(e)))'` tweakpath () { case ":${PATH}:" in diff --git a/meta/lib/oe/sdk.py b/meta/lib/oe/sdk.py index 153b07d76b..ef81f8cf60 100644 --- a/meta/lib/oe/sdk.py +++ b/meta/lib/oe/sdk.py @@ -84,10 +84,6 @@ class Sdk(object, metaclass=ABCMeta): bb.warn("cannot remove SDK dir: %s" % path) def install_locales(self, pm): - # This is only relevant for glibc - if self.d.getVar("TCLIBC") != "glibc": - return - linguas = self.d.getVar("SDKIMAGE_LINGUAS") if linguas: import fnmatch diff --git a/meta/lib/oe/utils.py b/meta/lib/oe/utils.py index 8a584d6ddd..96ebc36b8b 100644 --- a/meta/lib/oe/utils.py +++ b/meta/lib/oe/utils.py @@ -370,7 +370,7 @@ def host_gcc_version(d, taskcontextonly=False): except subprocess.CalledProcessError as e: bb.fatal("Error running %s --version: %s" % (compiler, e.output.decode("utf-8"))) - match = re.match(".* (\d\.\d)\.\d.*", output.split('\n')[0]) + match = re.match(r".* (\d+\.\d+)\.\d+.*", output.split('\n')[0]) if not match: bb.fatal("Can't get compiler version from %s --version output" % compiler) diff --git a/meta/lib/oeqa/core/utils/concurrencytest.py b/meta/lib/oeqa/core/utils/concurrencytest.py index 1a58d35ba0..3e0e5d770c 100644 --- a/meta/lib/oeqa/core/utils/concurrencytest.py +++ b/meta/lib/oeqa/core/utils/concurrencytest.py @@ -194,7 +194,7 @@ def fork_for_tests(concurrency_num, suite): oe.path.copytree(selftestdir, newselftestdir) for e in os.environ: - if builddir in os.environ[e]: + if builddir + "/" in os.environ[e] or os.environ[e].endswith(builddir): os.environ[e] = os.environ[e].replace(builddir, newbuilddir) subprocess.check_output("git init; git add *; git commit -a -m 'initial'", cwd=newselftestdir, shell=True) diff --git a/meta/lib/oeqa/sdkext/testsdk.py b/meta/lib/oeqa/sdkext/testsdk.py index 57b2e0e03f..8ec5262d56 100644 --- a/meta/lib/oeqa/sdkext/testsdk.py +++ b/meta/lib/oeqa/sdkext/testsdk.py @@ -22,11 +22,8 @@ class TestSDKExt(TestSDKBase): subprocesstweak.errors_have_output() - # extensible sdk can be contaminated if native programs are - # in PATH, i.e. use perl-native instead of eSDK one. - paths_to_avoid = [d.getVar('STAGING_DIR'), - d.getVar('BASE_WORKDIR')] - os.environ['PATH'] = avoid_paths_in_environ(paths_to_avoid) + # We need the original PATH for testing the eSDK, not with our manipulations + os.environ['PATH'] = d.getVar("BB_ORIGENV", False).getVar("PATH") tcname = d.expand("${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.sh") if not os.path.exists(tcname): diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py index 4fa99acbc9..8d585430be 100644 --- a/meta/lib/oeqa/selftest/cases/signing.py +++ b/meta/lib/oeqa/selftest/cases/signing.py @@ -40,7 +40,9 @@ class Signing(OESelftestTestCase): origenv = os.environ.copy() for e in os.environ: - if builddir in os.environ[e]: + if builddir + "/" in os.environ[e]: + os.environ[e] = os.environ[e].replace(builddir + "/", newbuilddir + "/") + if os.environ[e].endswith(builddir): os.environ[e] = os.environ[e].replace(builddir, newbuilddir) os.chdir(newbuilddir) diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc index 1b676dc26e..97d83cb856 100644 --- a/meta/recipes-core/glibc/glibc-locale.inc +++ b/meta/recipes-core/glibc/glibc-locale.inc @@ -95,3 +95,6 @@ do_install () { inherit libc-package BBCLASSEXTEND = "nativesdk" + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = "" diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc index d703c14bdc..ef9d60ec23 100644 --- a/meta/recipes-core/glibc/glibc-mtrace.inc +++ b/meta/recipes-core/glibc/glibc-mtrace.inc @@ -11,3 +11,6 @@ do_install() { install -d -m 0755 ${D}${bindir} install -m 0755 ${SRC}/mtrace ${D}${bindir}/ } + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = "" diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc index 2a2b41507e..14a14e4512 100644 --- a/meta/recipes-core/glibc/glibc-scripts.inc +++ b/meta/recipes-core/glibc/glibc-scripts.inc @@ -18,3 +18,6 @@ do_install() { # sotruss script requires sotruss-lib.so (given by libsotruss package), # to produce trace of the library calls. RDEPENDS_${PN} += "libsotruss" + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = "" diff --git a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch index b53f2ef2e2..a5c2992f2e 100644 --- a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch +++ b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch @@ -65,3 +65,36 @@ index 68822a6319..537bc35149 100644 /* Load the locale data for CATEGORY from the file specified by *NAME. If *NAME is "", use environment variables as specified by POSIX, and +Index: git/locale/programs/locale.c +=================================================================== +--- git.orig/locale/programs/locale.c ++++ git/locale/programs/locale.c +@@ -632,6 +632,7 @@ nameentcmp (const void *a, const void *b + ((const struct nameent *) b)->name); + } + ++static char _write_archive_locales_path[4096] attribute_hidden __attribute__ ((section (".gccrelocprefix"))) = ARCHIVE_NAME; + + static int + write_archive_locales (void **all_datap, char *linebuf) +@@ -645,7 +646,7 @@ write_archive_locales (void **all_datap, + int fd, ret = 0; + uint32_t cnt; + +- fd = open64 (ARCHIVE_NAME, O_RDONLY); ++ fd = open64 (_write_archive_locales_path, O_RDONLY); + if (fd < 0) + return 0; + +@@ -700,8 +701,8 @@ write_archive_locales (void **all_datap, + if (cnt) + putchar_unlocked ('\n'); + +- printf ("locale: %-15.15s archive: " ARCHIVE_NAME "\n%s\n", +- names[cnt].name, linebuf); ++ printf ("locale: %-15.15s archive: %s\n%s\n", ++ names[cnt].name, _write_archive_locales_path, linebuf); + + locrec = (struct locrecent *) (addr + names[cnt].locrec_offset); + + diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch index 7eb55d6663..7dc842887c 100644 --- a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch +++ b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch @@ -5,12 +5,12 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> From 8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Mon Sep 17 00:00:00 2001 From: Florian Weimer <fweimer@redhat.com> Date: Mon, 21 Jan 2019 08:59:42 +0100 -Subject: [PATCH] resolv: Reformat inet_addr, inet_aton to GNU style +Subject: [PATCH 1/4] resolv: Reformat inet_addr, inet_aton to GNU style (cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0) --- ChangeLog | 5 ++ - resolv/inet_addr.c | 192 ++++++++++++++++++++++++++++------------------------- + resolv/inet_addr.c | 192 ++++++++++++++++++++++++--------------------- 2 files changed, 106 insertions(+), 91 deletions(-) diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c @@ -229,4 +229,908 @@ index 022f7ea084..32f58b0e13 100644 weak_alias (__inet_aton, inet_aton) libc_hidden_def (__inet_aton) -- -2.11.0 +2.20.1 + + +From 37edf1d3f8ab9adefb61cc466ac52b53114fbd5b Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Mon, 21 Jan 2019 09:26:41 +0100 +Subject: [PATCH 2/4] resolv: Do not send queries for non-host-names in nss_dns + [BZ #24112] + +Before this commit, nss_dns would send a query which did not contain a +host name as the query name (such as invalid\032name.example.com) and +then reject the answer in getanswer_r and gaih_getanswer_slice, using +a check based on res_hnok. With this commit, no query is sent, and a +host-not-found error is returned to NSS without network interaction. + +(cherry picked from commit 6ca53a2453598804a2559a548a08424fca96434a) +--- + ChangeLog | 9 +++++++++ + resolv/nss_dns/dns-host.c | 24 ++++++++++++++++++++++-- + 2 files changed, 31 insertions(+), 2 deletions(-) + +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 5dc2829cd1..99c3b61e1c 100644 +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -274,11 +274,26 @@ gethostbyname3_context (struct resolv_context *ctx, + return status; + } + ++/* Verify that the name looks like a host name. There is no point in ++ sending a query which will not produce a usable name in the ++ response. */ ++static enum nss_status ++check_name (const char *name, int *h_errnop) ++{ ++ if (res_hnok (name)) ++ return NSS_STATUS_SUCCESS; ++ *h_errnop = HOST_NOT_FOUND; ++ return NSS_STATUS_NOTFOUND; ++} ++ + enum nss_status + _nss_dns_gethostbyname2_r (const char *name, int af, struct hostent *result, + char *buffer, size_t buflen, int *errnop, + int *h_errnop) + { ++ enum nss_status status = check_name (name, h_errnop); ++ if (status != NSS_STATUS_SUCCESS) ++ return status; + return _nss_dns_gethostbyname3_r (name, af, result, buffer, buflen, errnop, + h_errnop, NULL, NULL); + } +@@ -289,6 +304,9 @@ _nss_dns_gethostbyname_r (const char *name, struct hostent *result, + char *buffer, size_t buflen, int *errnop, + int *h_errnop) + { ++ enum nss_status status = check_name (name, h_errnop); ++ if (status != NSS_STATUS_SUCCESS) ++ return status; + struct resolv_context *ctx = __resolv_context_get (); + if (ctx == NULL) + { +@@ -296,7 +314,7 @@ _nss_dns_gethostbyname_r (const char *name, struct hostent *result, + *h_errnop = NETDB_INTERNAL; + return NSS_STATUS_UNAVAIL; + } +- enum nss_status status = NSS_STATUS_NOTFOUND; ++ status = NSS_STATUS_NOTFOUND; + if (res_use_inet6 ()) + status = gethostbyname3_context (ctx, name, AF_INET6, result, buffer, + buflen, errnop, h_errnop, NULL, NULL); +@@ -313,6 +331,9 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, + char *buffer, size_t buflen, int *errnop, + int *herrnop, int32_t *ttlp) + { ++ enum nss_status status = check_name (name, herrnop); ++ if (status != NSS_STATUS_SUCCESS) ++ return status; + struct resolv_context *ctx = __resolv_context_get (); + if (ctx == NULL) + { +@@ -347,7 +368,6 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, + int ans2p_malloced = 0; + + int olderr = errno; +- enum nss_status status; + int n = __res_context_search (ctx, name, C_IN, T_QUERY_A_AND_AAAA, + host_buffer.buf->buf, 2048, &host_buffer.ptr, + &ans2p, &nans2p, &resplen2, &ans2p_malloced); +-- +2.20.1 + + +From 2373941bd73cb288c8a42a33e23e7f7bb81151e7 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Mon, 21 Jan 2019 21:26:03 +0100 +Subject: [PATCH 3/4] CVE-2016-10739: getaddrinfo: Fully parse IPv4 address + strings [BZ #20018] + +The IPv4 address parser in the getaddrinfo function is changed so that +it does not ignore trailing whitespace and all characters after it. +For backwards compatibility, the getaddrinfo function still recognizes +legacy name syntax, such as 192.000.002.010 interpreted as 192.0.2.8 +(octal). + +This commit does not change the behavior of inet_addr and inet_aton. +gethostbyname already had additional sanity checks (but is switched +over to the new __inet_aton_exact function for completeness as well). + +To avoid sending the problematic query names over DNS, commit +6ca53a2453598804a2559a548a08424fca96434a ("resolv: Do not send queries +for non-host-names in nss_dns [BZ #24112]") is needed. + +(cherry picked from commit 108bc4049f8ae82710aec26a92ffdb4b439c83fd) +--- + ChangeLog | 33 ++++++++ + NEWS | 4 + + include/arpa/inet.h | 6 +- + nscd/gai.c | 1 - + nscd/gethstbynm3_r.c | 2 - + nss/digits_dots.c | 3 +- + resolv/Makefile | 7 ++ + resolv/Versions | 1 + + resolv/inet_addr.c | 62 ++++++++++----- + resolv/res_init.c | 17 ++-- + resolv/tst-aton.c | 35 +++++++-- + resolv/tst-inet_aton_exact.c | 47 +++++++++++ + resolv/tst-resolv-nondecimal.c | 139 +++++++++++++++++++++++++++++++++ + resolv/tst-resolv-trailing.c | 136 ++++++++++++++++++++++++++++++++ + sysdeps/posix/getaddrinfo.c | 2 +- + 15 files changed, 455 insertions(+), 40 deletions(-) + create mode 100644 resolv/tst-inet_aton_exact.c + create mode 100644 resolv/tst-resolv-nondecimal.c + create mode 100644 resolv/tst-resolv-trailing.c + +diff --git a/include/arpa/inet.h b/include/arpa/inet.h +index c3f28f2baa..19aec74275 100644 +--- a/include/arpa/inet.h ++++ b/include/arpa/inet.h +@@ -1,10 +1,10 @@ + #include <inet/arpa/inet.h> + + #ifndef _ISOMAC +-extern int __inet_aton (const char *__cp, struct in_addr *__inp); +-libc_hidden_proto (__inet_aton) ++/* Variant of inet_aton which rejects trailing garbage. */ ++extern int __inet_aton_exact (const char *__cp, struct in_addr *__inp); ++libc_hidden_proto (__inet_aton_exact) + +-libc_hidden_proto (inet_aton) + libc_hidden_proto (inet_ntop) + libc_hidden_proto (inet_pton) + extern __typeof (inet_pton) __inet_pton; +diff --git a/nscd/gai.c b/nscd/gai.c +index 24bdfee1db..f57f396f57 100644 +--- a/nscd/gai.c ++++ b/nscd/gai.c +@@ -19,7 +19,6 @@ + + /* This file uses the getaddrinfo code but it compiles it without NSCD + support. We just need a few symbol renames. */ +-#define __inet_aton inet_aton + #define __ioctl ioctl + #define __getsockname getsockname + #define __socket socket +diff --git a/nscd/gethstbynm3_r.c b/nscd/gethstbynm3_r.c +index 7beb9dce9f..f792c4fcd0 100644 +--- a/nscd/gethstbynm3_r.c ++++ b/nscd/gethstbynm3_r.c +@@ -38,8 +38,6 @@ + #define HAVE_LOOKUP_BUFFER 1 + #define HAVE_AF 1 + +-#define __inet_aton inet_aton +- + /* We are nscd, so we don't want to be talking to ourselves. */ + #undef USE_NSCD + +diff --git a/nss/digits_dots.c b/nss/digits_dots.c +index 39bff38865..5441bce16e 100644 +--- a/nss/digits_dots.c ++++ b/nss/digits_dots.c +@@ -29,7 +29,6 @@ + #include "nsswitch.h" + + #ifdef USE_NSCD +-# define inet_aton __inet_aton + # include <nscd/nscd_proto.h> + #endif + +@@ -160,7 +159,7 @@ __nss_hostname_digits_dots_context (struct resolv_context *ctx, + 255.255.255.255? The test below will succeed + spuriously... ??? */ + if (af == AF_INET) +- ok = __inet_aton (name, (struct in_addr *) host_addr); ++ ok = __inet_aton_exact (name, (struct in_addr *) host_addr); + else + { + assert (af == AF_INET6); +diff --git a/resolv/Makefile b/resolv/Makefile +index ea395ac3eb..d36eedd34a 100644 +--- a/resolv/Makefile ++++ b/resolv/Makefile +@@ -34,6 +34,9 @@ routines := herror inet_addr inet_ntop inet_pton nsap_addr res_init \ + tests = tst-aton tst-leaks tst-inet_ntop + xtests = tst-leaks2 + ++tests-internal += tst-inet_aton_exact ++ ++ + generate := mtrace-tst-leaks.out tst-leaks.mtrace tst-leaks2.mtrace + + extra-libs := libresolv libnss_dns +@@ -54,8 +57,10 @@ tests += \ + tst-resolv-binary \ + tst-resolv-edns \ + tst-resolv-network \ ++ tst-resolv-nondecimal \ + tst-resolv-res_init-multi \ + tst-resolv-search \ ++ tst-resolv-trailing \ + + # These tests need libdl. + ifeq (yes,$(build-shared)) +@@ -190,9 +195,11 @@ $(objpfx)tst-resolv-res_init-multi: $(objpfx)libresolv.so \ + $(shared-thread-library) + $(objpfx)tst-resolv-res_init-thread: $(libdl) $(objpfx)libresolv.so \ + $(shared-thread-library) ++$(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-search: $(objpfx)libresolv.so $(shared-thread-library) ++$(objpfx)tst-resolv-trailing: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-threads: \ + $(libdl) $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-canonname: \ +diff --git a/resolv/Versions b/resolv/Versions +index b05778d965..9a82704af7 100644 +--- a/resolv/Versions ++++ b/resolv/Versions +@@ -27,6 +27,7 @@ libc { + __h_errno; __resp; + + __res_iclose; ++ __inet_aton_exact; + __inet_pton_length; + __resolv_context_get; + __resolv_context_get_preinit; +diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c +index 32f58b0e13..41b6166a5b 100644 +--- a/resolv/inet_addr.c ++++ b/resolv/inet_addr.c +@@ -96,26 +96,14 @@ + #include <limits.h> + #include <errno.h> + +-/* ASCII IPv4 Internet address interpretation routine. The value +- returned is in network order. */ +-in_addr_t +-__inet_addr (const char *cp) +-{ +- struct in_addr val; +- +- if (__inet_aton (cp, &val)) +- return val.s_addr; +- return INADDR_NONE; +-} +-weak_alias (__inet_addr, inet_addr) +- + /* Check whether "cp" is a valid ASCII representation of an IPv4 + Internet address and convert it to a binary address. Returns 1 if + the address is valid, 0 if not. This replaces inet_addr, the + return value from which cannot distinguish between failure and a +- local broadcast address. */ +-int +-__inet_aton (const char *cp, struct in_addr *addr) ++ local broadcast address. Write a pointer to the first ++ non-converted character to *endp. */ ++static int ++inet_aton_end (const char *cp, struct in_addr *addr, const char **endp) + { + static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff }; + in_addr_t val; +@@ -180,6 +168,7 @@ __inet_aton (const char *cp, struct in_addr *addr) + + if (addr != NULL) + addr->s_addr = res.word | htonl (val); ++ *endp = cp; + + __set_errno (saved_errno); + return 1; +@@ -188,6 +177,41 @@ __inet_aton (const char *cp, struct in_addr *addr) + __set_errno (saved_errno); + return 0; + } +-weak_alias (__inet_aton, inet_aton) +-libc_hidden_def (__inet_aton) +-libc_hidden_weak (inet_aton) ++ ++int ++__inet_aton_exact (const char *cp, struct in_addr *addr) ++{ ++ struct in_addr val; ++ const char *endp; ++ /* Check that inet_aton_end parsed the entire string. */ ++ if (inet_aton_end (cp, &val, &endp) != 0 && *endp == 0) ++ { ++ *addr = val; ++ return 1; ++ } ++ else ++ return 0; ++} ++libc_hidden_def (__inet_aton_exact) ++ ++/* inet_aton ignores trailing garbage. */ ++int ++__inet_aton_ignore_trailing (const char *cp, struct in_addr *addr) ++{ ++ const char *endp; ++ return inet_aton_end (cp, addr, &endp); ++} ++weak_alias (__inet_aton_ignore_trailing, inet_aton) ++ ++/* ASCII IPv4 Internet address interpretation routine. The value ++ returned is in network order. */ ++in_addr_t ++__inet_addr (const char *cp) ++{ ++ struct in_addr val; ++ const char *endp; ++ if (inet_aton_end (cp, &val, &endp)) ++ return val.s_addr; ++ return INADDR_NONE; ++} ++weak_alias (__inet_addr, inet_addr) +diff --git a/resolv/res_init.c b/resolv/res_init.c +index f5e52cbbb9..94743a252e 100644 +--- a/resolv/res_init.c ++++ b/resolv/res_init.c +@@ -399,8 +399,16 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser) + cp = parser->buffer + sizeof ("nameserver") - 1; + while (*cp == ' ' || *cp == '\t') + cp++; ++ ++ /* Ignore trailing contents on the name server line. */ ++ { ++ char *el; ++ if ((el = strpbrk (cp, " \t\n")) != NULL) ++ *el = '\0'; ++ } ++ + struct sockaddr *sa; +- if ((*cp != '\0') && (*cp != '\n') && __inet_aton (cp, &a)) ++ if ((*cp != '\0') && (*cp != '\n') && __inet_aton_exact (cp, &a)) + { + sa = allocate_address_v4 (a, NAMESERVER_PORT); + if (sa == NULL) +@@ -410,9 +418,6 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser) + { + struct in6_addr a6; + char *el; +- +- if ((el = strpbrk (cp, " \t\n")) != NULL) +- *el = '\0'; + if ((el = strchr (cp, SCOPE_DELIMITER)) != NULL) + *el = '\0'; + if ((*cp != '\0') && (__inet_pton (AF_INET6, cp, &a6) > 0)) +@@ -472,7 +477,7 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser) + char separator = *cp; + *cp = 0; + struct resolv_sortlist_entry e; +- if (__inet_aton (net, &a)) ++ if (__inet_aton_exact (net, &a)) + { + e.addr = a; + if (is_sort_mask (separator)) +@@ -484,7 +489,7 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser) + cp++; + separator = *cp; + *cp = 0; +- if (__inet_aton (net, &a)) ++ if (__inet_aton_exact (net, &a)) + e.mask = a.s_addr; + else + e.mask = net_mask (e.addr); +diff --git a/resolv/tst-aton.c b/resolv/tst-aton.c +index 08110a007a..eb734d7758 100644 +--- a/resolv/tst-aton.c ++++ b/resolv/tst-aton.c +@@ -1,11 +1,29 @@ ++/* Test legacy IPv4 text-to-address function inet_aton. ++ Copyright (C) 1998-2019 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <array_length.h> + #include <stdio.h> + #include <stdint.h> + #include <sys/socket.h> + #include <netinet/in.h> + #include <arpa/inet.h> + +- +-static struct tests ++static const struct tests + { + const char *input; + int valid; +@@ -16,6 +34,7 @@ static struct tests + { "-1", 0, 0 }, + { "256", 1, 0x00000100 }, + { "256.", 0, 0 }, ++ { "255a", 0, 0 }, + { "256a", 0, 0 }, + { "0x100", 1, 0x00000100 }, + { "0200.0x123456", 1, 0x80123456 }, +@@ -40,7 +59,12 @@ static struct tests + { "1.2.256.4", 0, 0 }, + { "1.2.3.0x100", 0, 0 }, + { "323543357756889", 0, 0 }, +- { "10.1.2.3.4", 0, 0}, ++ { "10.1.2.3.4", 0, 0 }, ++ { "192.0.2.1", 1, 0xc0000201 }, ++ { "192.0.2.2\nX", 1, 0xc0000202 }, ++ { "192.0.2.3 Y", 1, 0xc0000203 }, ++ { "192.0.2.3Z", 0, 0 }, ++ { "192.000.002.010", 1, 0xc0000208 }, + }; + + +@@ -50,7 +74,7 @@ do_test (void) + int result = 0; + size_t cnt; + +- for (cnt = 0; cnt < sizeof (tests) / sizeof (tests[0]); ++cnt) ++ for (cnt = 0; cnt < array_length (tests); ++cnt) + { + struct in_addr addr; + +@@ -73,5 +97,4 @@ do_test (void) + return result; + } + +-#define TEST_FUNCTION do_test () +-#include "../test-skeleton.c" ++#include <support/test-driver.c> +diff --git a/resolv/tst-inet_aton_exact.c b/resolv/tst-inet_aton_exact.c +new file mode 100644 +index 0000000000..0fdfa3d6aa +--- /dev/null ++++ b/resolv/tst-inet_aton_exact.c +@@ -0,0 +1,47 @@ ++/* Test internal legacy IPv4 text-to-address function __inet_aton_exact. ++ Copyright (C) 2019 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <arpa/inet.h> ++#include <support/check.h> ++ ++static int ++do_test (void) ++{ ++ struct in_addr addr = { }; ++ ++ TEST_COMPARE (__inet_aton_exact ("192.0.2.1", &addr), 1); ++ TEST_COMPARE (ntohl (addr.s_addr), 0xC0000201); ++ ++ TEST_COMPARE (__inet_aton_exact ("192.000.002.010", &addr), 1); ++ TEST_COMPARE (ntohl (addr.s_addr), 0xC0000208); ++ TEST_COMPARE (__inet_aton_exact ("0xC0000234", &addr), 1); ++ TEST_COMPARE (ntohl (addr.s_addr), 0xC0000234); ++ ++ /* Trailing content is not accepted. */ ++ TEST_COMPARE (__inet_aton_exact ("192.0.2.2X", &addr), 0); ++ TEST_COMPARE (__inet_aton_exact ("192.0.2.3 Y", &addr), 0); ++ TEST_COMPARE (__inet_aton_exact ("192.0.2.4\nZ", &addr), 0); ++ TEST_COMPARE (__inet_aton_exact ("192.0.2.5\tT", &addr), 0); ++ TEST_COMPARE (__inet_aton_exact ("192.0.2.6 Y", &addr), 0); ++ TEST_COMPARE (__inet_aton_exact ("192.0.2.7\n", &addr), 0); ++ TEST_COMPARE (__inet_aton_exact ("192.0.2.8\t", &addr), 0); ++ ++ return 0; ++} ++ ++#include <support/test-driver.c> +diff --git a/resolv/tst-resolv-nondecimal.c b/resolv/tst-resolv-nondecimal.c +new file mode 100644 +index 0000000000..a0df6f332a +--- /dev/null ++++ b/resolv/tst-resolv-nondecimal.c +@@ -0,0 +1,139 @@ ++/* Test name resolution behavior for octal, hexadecimal IPv4 addresses. ++ Copyright (C) 2019 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <netdb.h> ++#include <stdlib.h> ++#include <support/check.h> ++#include <support/check_nss.h> ++#include <support/resolv_test.h> ++#include <support/support.h> ++ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ /* The tests are not supposed send any DNS queries. */ ++ FAIL_EXIT1 ("unexpected DNS query for %s/%d/%d", qname, qclass, qtype); ++} ++ ++static void ++run_query_addrinfo (const char *query, const char *address) ++{ ++ char *quoted_query = support_quote_string (query); ++ ++ struct addrinfo *ai; ++ struct addrinfo hints = ++ { ++ .ai_socktype = SOCK_STREAM, ++ .ai_protocol = IPPROTO_TCP, ++ }; ++ ++ char *context = xasprintf ("getaddrinfo \"%s\" AF_INET", quoted_query); ++ char *expected = xasprintf ("address: STREAM/TCP %s 80\n", address); ++ hints.ai_family = AF_INET; ++ int ret = getaddrinfo (query, "80", &hints, &ai); ++ check_addrinfo (context, ai, ret, expected); ++ if (ret == 0) ++ freeaddrinfo (ai); ++ free (context); ++ ++ context = xasprintf ("getaddrinfo \"%s\" AF_UNSPEC", quoted_query); ++ hints.ai_family = AF_UNSPEC; ++ ret = getaddrinfo (query, "80", &hints, &ai); ++ check_addrinfo (context, ai, ret, expected); ++ if (ret == 0) ++ freeaddrinfo (ai); ++ free (expected); ++ free (context); ++ ++ context = xasprintf ("getaddrinfo \"%s\" AF_INET6", quoted_query); ++ expected = xasprintf ("flags: AI_V4MAPPED\n" ++ "address: STREAM/TCP ::ffff:%s 80\n", ++ address); ++ hints.ai_family = AF_INET6; ++ hints.ai_flags = AI_V4MAPPED; ++ ret = getaddrinfo (query, "80", &hints, &ai); ++ check_addrinfo (context, ai, ret, expected); ++ if (ret == 0) ++ freeaddrinfo (ai); ++ free (expected); ++ free (context); ++ ++ free (quoted_query); ++} ++ ++static void ++run_query (const char *query, const char *address) ++{ ++ char *quoted_query = support_quote_string (query); ++ char *context = xasprintf ("gethostbyname (\"%s\")", quoted_query); ++ char *expected = xasprintf ("name: %s\n" ++ "address: %s\n", query, address); ++ check_hostent (context, gethostbyname (query), expected); ++ free (context); ++ ++ context = xasprintf ("gethostbyname_r \"%s\"", quoted_query); ++ struct hostent storage; ++ char buf[4096]; ++ struct hostent *e = NULL; ++ TEST_COMPARE (gethostbyname_r (query, &storage, buf, sizeof (buf), ++ &e, &h_errno), 0); ++ check_hostent (context, e, expected); ++ free (context); ++ ++ context = xasprintf ("gethostbyname2 (\"%s\", AF_INET)", quoted_query); ++ check_hostent (context, gethostbyname2 (query, AF_INET), expected); ++ free (context); ++ ++ context = xasprintf ("gethostbyname2_r \"%s\" AF_INET", quoted_query); ++ e = NULL; ++ TEST_COMPARE (gethostbyname2_r (query, AF_INET, &storage, buf, sizeof (buf), ++ &e, &h_errno), 0); ++ check_hostent (context, e, expected); ++ free (context); ++ free (expected); ++ ++ free (quoted_query); ++ ++ /* The gethostbyname tests are always valid for getaddrinfo, but not ++ vice versa. */ ++ run_query_addrinfo (query, address); ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *aux = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response, ++ }); ++ ++ run_query ("192.000.002.010", "192.0.2.8"); ++ ++ /* Hexadecimal numbers are not accepted by gethostbyname. */ ++ run_query_addrinfo ("0xc0000210", "192.0.2.16"); ++ run_query_addrinfo ("192.0x234", "192.0.2.52"); ++ ++ resolv_test_end (aux); ++ ++ return 0; ++} ++ ++#include <support/test-driver.c> +diff --git a/resolv/tst-resolv-trailing.c b/resolv/tst-resolv-trailing.c +new file mode 100644 +index 0000000000..7504bdae57 +--- /dev/null ++++ b/resolv/tst-resolv-trailing.c +@@ -0,0 +1,136 @@ ++/* Test name resolution behavior with trailing characters. ++ Copyright (C) 2019 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <array_length.h> ++#include <netdb.h> ++#include <support/check.h> ++#include <support/check_nss.h> ++#include <support/resolv_test.h> ++#include <support/support.h> ++ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ /* The tests are not supposed send any DNS queries. */ ++ FAIL_EXIT1 ("unexpected DNS query for %s/%d/%d", qname, qclass, qtype); ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *aux = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response, ++ }); ++ ++ static const char *const queries[] = ++ { ++ "192.0.2.1 ", ++ "192.0.2.2\t", ++ "192.0.2.3\n", ++ "192.0.2.4 X", ++ "192.0.2.5\tY", ++ "192.0.2.6\nZ", ++ "192.0.2. ", ++ "192.0.2.\t", ++ "192.0.2.\n", ++ "192.0.2. X", ++ "192.0.2.\tY", ++ "192.0.2.\nZ", ++ "2001:db8::1 ", ++ "2001:db8::2\t", ++ "2001:db8::3\n", ++ "2001:db8::4 X", ++ "2001:db8::5\tY", ++ "2001:db8::6\nZ", ++ }; ++ for (size_t query_idx = 0; query_idx < array_length (queries); ++query_idx) ++ { ++ const char *query = queries[query_idx]; ++ struct hostent storage; ++ char buf[4096]; ++ struct hostent *e; ++ ++ h_errno = 0; ++ TEST_VERIFY (gethostbyname (query) == NULL); ++ TEST_COMPARE (h_errno, HOST_NOT_FOUND); ++ ++ h_errno = 0; ++ e = NULL; ++ TEST_COMPARE (gethostbyname_r (query, &storage, buf, sizeof (buf), ++ &e, &h_errno), 0); ++ TEST_VERIFY (e == NULL); ++ TEST_COMPARE (h_errno, HOST_NOT_FOUND); ++ ++ h_errno = 0; ++ TEST_VERIFY (gethostbyname2 (query, AF_INET) == NULL); ++ TEST_COMPARE (h_errno, HOST_NOT_FOUND); ++ ++ h_errno = 0; ++ e = NULL; ++ TEST_COMPARE (gethostbyname2_r (query, AF_INET, ++ &storage, buf, sizeof (buf), ++ &e, &h_errno), 0); ++ TEST_VERIFY (e == NULL); ++ TEST_COMPARE (h_errno, HOST_NOT_FOUND); ++ ++ h_errno = 0; ++ TEST_VERIFY (gethostbyname2 (query, AF_INET6) == NULL); ++ TEST_COMPARE (h_errno, HOST_NOT_FOUND); ++ ++ h_errno = 0; ++ e = NULL; ++ TEST_COMPARE (gethostbyname2_r (query, AF_INET6, ++ &storage, buf, sizeof (buf), ++ &e, &h_errno), 0); ++ TEST_VERIFY (e == NULL); ++ TEST_COMPARE (h_errno, HOST_NOT_FOUND); ++ ++ static const int gai_flags[] = ++ { ++ 0, ++ AI_ADDRCONFIG, ++ AI_NUMERICHOST, ++ AI_IDN, ++ AI_IDN | AI_NUMERICHOST, ++ AI_V4MAPPED, ++ AI_V4MAPPED | AI_NUMERICHOST, ++ }; ++ for (size_t gai_flags_idx; gai_flags_idx < array_length (gai_flags); ++ ++gai_flags_idx) ++ { ++ struct addrinfo hints = { .ai_flags = gai_flags[gai_flags_idx], }; ++ struct addrinfo *ai; ++ hints.ai_family = AF_INET; ++ TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME); ++ hints.ai_family = AF_INET6; ++ TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME); ++ hints.ai_family = AF_UNSPEC; ++ TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME); ++ } ++ }; ++ ++ resolv_test_end (aux); ++ ++ return 0; ++} ++ ++#include <support/test-driver.c> +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 553833d1f2..c91b281e31 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -488,7 +488,7 @@ gaih_inet (const char *name, const struct gaih_service *service, + malloc_name = true; + } + +- if (__inet_aton (name, (struct in_addr *) at->addr) != 0) ++ if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0) + { + if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET) + at->family = AF_INET; +-- +2.20.1 + + +From c533244b8e00ae701583ec50aeb43377d292452d Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Mon, 4 Feb 2019 20:07:18 +0100 +Subject: [PATCH 4/4] nscd: Do not use __inet_aton_exact@GLIBC_PRIVATE [BZ + #20018] + +This commit avoids referencing the __inet_aton_exact@GLIBC_PRIVATE +symbol from nscd. In master, the separately-compiled getaddrinfo +implementation in nscd needs it, however such an internal ABI change +is not desirable on a release branch if it can be avoided. +--- + ChangeLog | 10 ++++++++++ + nscd/Makefile | 2 +- + nscd/gai.c | 6 ++++++ + nscd/nscd-inet_addr.c | 32 ++++++++++++++++++++++++++++++++ + 4 files changed, 49 insertions(+), 1 deletion(-) + create mode 100644 nscd/nscd-inet_addr.c + +diff --git a/nscd/Makefile b/nscd/Makefile +index b713a84c49..eb23c01a39 100644 +--- a/nscd/Makefile ++++ b/nscd/Makefile +@@ -36,7 +36,7 @@ nscd-modules := nscd connections pwdcache getpwnam_r getpwuid_r grpcache \ + getsrvbynm_r getsrvbypt_r servicescache \ + dbg_log nscd_conf nscd_stat cache mem nscd_setup_thread \ + xmalloc xstrdup aicache initgrcache gai res_hconf \ +- netgroupcache ++ netgroupcache nscd-inet_addr + + ifeq ($(build-nscd)$(have-thread-library),yesyes) + +diff --git a/nscd/gai.c b/nscd/gai.c +index f57f396f57..68a4abd30e 100644 +--- a/nscd/gai.c ++++ b/nscd/gai.c +@@ -33,6 +33,12 @@ + #define __getifaddrs getifaddrs + #define __freeifaddrs freeifaddrs + ++/* We do not want to export __inet_aton_exact. Get the prototype and ++ change its visibility to hidden. */ ++#include <arpa/inet.h> ++__typeof__ (__inet_aton_exact) __inet_aton_exact ++ __attribute__ ((visibility ("hidden"))); ++ + /* We are nscd, so we don't want to be talking to ourselves. */ + #undef USE_NSCD + +diff --git a/nscd/nscd-inet_addr.c b/nscd/nscd-inet_addr.c +new file mode 100644 +index 0000000000..f366b9567d +--- /dev/null ++++ b/nscd/nscd-inet_addr.c +@@ -0,0 +1,32 @@ ++/* Legacy IPv4 text-to-address functions. Version for nscd. ++ Copyright (C) 2019 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <arpa/inet.h> ++ ++/* We do not want to export __inet_aton_exact. Get the prototype and ++ change the visibility to hidden. */ ++#include <arpa/inet.h> ++__typeof__ (__inet_aton_exact) __inet_aton_exact ++ __attribute__ ((visibility ("hidden"))); ++ ++/* Do not provide definitions of the public symbols exported from ++ libc. */ ++#undef weak_alias ++#define weak_alias(from, to) ++ ++#include <resolv/inet_addr.c> +-- +2.20.1 diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb index de844f2d69..2099a12425 100644 --- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -22,7 +22,7 @@ IMAGE_FSTYPES = "wic.vmdk" inherit core-image module-base setuptools3 -SRCREV ?= "795af97c45a436e32023ee383ce30194dec262c4" +SRCREV ?= "2c5af52109bca8c0452b1539589cf073f6f0064a" SRC_URI = "git://git.yoctoproject.org/poky;branch=thud \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ diff --git a/meta/recipes-core/meta/buildtools-extended-tarball.bb b/meta/recipes-core/meta/buildtools-extended-tarball.bb new file mode 100644 index 0000000000..94ed57585b --- /dev/null +++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb @@ -0,0 +1,36 @@ +require recipes-core/meta/buildtools-tarball.bb + +DESCRIPTION = "SDK type target for building a standalone tarball containing build-essentials, python3, chrpath, \ + make, git and tar. The tarball can be used to run bitbake builds on systems which don't meet the \ + usual version requirements and have ancient compilers." +SUMMARY = "Standalone tarball for running builds on systems with inadequate software and ancient compilers" +LICENSE = "MIT" + +# Add nativesdk equivalent of build-essentials +TOOLCHAIN_HOST_TASK += "\ + nativesdk-automake \ + nativesdk-autoconf \ + nativesdk-binutils \ + nativesdk-binutils-symlinks \ + nativesdk-cpp \ + nativesdk-cpp-symlinks \ + nativesdk-gcc \ + nativesdk-gcc-symlinks \ + nativesdk-g++ \ + nativesdk-g++-symlinks \ + nativesdk-gettext \ + nativesdk-libatomic \ + nativesdk-libgcc \ + nativesdk-libstdc++ \ + nativesdk-libstdc++-dev \ + nativesdk-libstdc++-staticdev \ + nativesdk-libtool \ + nativesdk-pkgconfig \ + nativesdk-glibc-utils \ + nativesdk-python \ + nativesdk-libxcrypt-dev \ + " + +TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-extended-nativesdk-standalone-${DISTRO_VERSION}" + +SDK_TITLE = "Extended Build tools" diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb index 91df6f1ae9..aba10b4cd6 100644 --- a/meta/recipes-core/meta/buildtools-tarball.bb +++ b/meta/recipes-core/meta/buildtools-tarball.bb @@ -72,7 +72,13 @@ create_sdk_files_append () { toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS} echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script + echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script + echo 'export OPENSSL_CONF="${SDKPATHNATIVE}${sysconfdir}/ssl/openssl.cnf"' >>$script + mkdir -p ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/ + echo '${SDKPATHNATIVE}${libdir} +${SDKPATHNATIVE}${base_libdir} +include /etc/ld.so.conf' > ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/ld.so.conf if [ "${SDKMACHINE}" = "i686" ]; then echo 'export NO32LIBS="0"' >>$script echo 'echo "$BB_ENV_EXTRAWHITE" | grep -q "NO32LIBS"' >>$script diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb new file mode 100644 index 0000000000..e9a023e9bd --- /dev/null +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -0,0 +1,190 @@ +SUMMARY = "Updates the NVD CVE database" +LICENSE = "MIT" + +INHIBIT_DEFAULT_DEPS = "1" + +inherit native + +deltask do_unpack +deltask do_patch +deltask do_configure +deltask do_compile +deltask do_install +deltask do_populate_sysroot + +python () { + if not d.getVar("CVE_CHECK_DB_FILE"): + raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") +} + +python do_populate_cve_db() { + """ + Update NVD database with json data feed + """ + import bb.utils + import sqlite3, urllib, urllib.parse, shutil, gzip + from datetime import date + + bb.utils.export_proxies(d) + + BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-" + YEAR_START = 2002 + + db_file = d.getVar("CVE_CHECK_DB_FILE") + db_dir = os.path.dirname(db_file) + json_tmpfile = os.path.join(db_dir, 'nvd.json.gz') + + # Don't refresh the database more than once an hour + try: + import time + if time.time() - os.path.getmtime(db_file) < (60*60): + return + except OSError: + pass + + cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') + + if not os.path.isdir(db_dir): + os.mkdir(db_dir) + + # Connect to database + conn = sqlite3.connect(db_file) + c = conn.cursor() + + initialize_db(c) + + for year in range(YEAR_START, date.today().year + 1): + year_url = BASE_URL + str(year) + meta_url = year_url + ".meta" + json_url = year_url + ".json.gz" + + # Retrieve meta last modified date + response = urllib.request.urlopen(meta_url) + if response: + for l in response.read().decode("utf-8").splitlines(): + key, value = l.split(":", 1) + if key == "lastModifiedDate": + last_modified = value + break + else: + bb.warn("Cannot parse CVE metadata, update failed") + return + + # Compare with current db last modified date + c.execute("select DATE from META where YEAR = ?", (year,)) + meta = c.fetchone() + if not meta or meta[0] != last_modified: + # Clear products table entries corresponding to current year + c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)) + + # Update db with current year json file + try: + response = urllib.request.urlopen(json_url) + if response: + update_db(c, gzip.decompress(response.read()).decode('utf-8')) + c.execute("insert or replace into META values (?, ?)", [year, last_modified]) + except urllib.error.URLError as e: + cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') + bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) + return + + # Update success, set the date to cve_check file. + if year == date.today().year: + cve_f.write('CVE database update : %s\n\n' % date.today()) + + cve_f.close() + conn.commit() + conn.close() +} + +def initialize_db(c): + c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") + + c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ + SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") + + c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ + VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ + VERSION_END TEXT, OPERATOR_END TEXT)") + c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);") + +def parse_node_and_insert(c, node, cveId): + # Parse children node if needed + for child in node.get('children', ()): + parse_node_and_insert(c, child, cveId) + + def cpe_generator(): + for cpe in node.get('cpe_match', ()): + if not cpe['vulnerable']: + return + cpe23 = cpe['cpe23Uri'].split(':') + vendor = cpe23[3] + product = cpe23[4] + version = cpe23[5] + + if version != '*': + # Version is defined, this is a '=' match + yield [cveId, vendor, product, version, '=', '', ''] + else: + # Parse start version, end version and operators + op_start = '' + op_end = '' + v_start = '' + v_end = '' + + if 'versionStartIncluding' in cpe: + op_start = '>=' + v_start = cpe['versionStartIncluding'] + + if 'versionStartExcluding' in cpe: + op_start = '>' + v_start = cpe['versionStartExcluding'] + + if 'versionEndIncluding' in cpe: + op_end = '<=' + v_end = cpe['versionEndIncluding'] + + if 'versionEndExcluding' in cpe: + op_end = '<' + v_end = cpe['versionEndExcluding'] + + yield [cveId, vendor, product, v_start, op_start, v_end, op_end] + + c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()) + +def update_db(c, jsondata): + import json + root = json.loads(jsondata) + + for elt in root['CVE_Items']: + if not elt['impact']: + continue + + accessVector = None + cveId = elt['cve']['CVE_data_meta']['ID'] + cveDesc = elt['cve']['description']['description_data'][0]['value'] + date = elt['lastModifiedDate'] + try: + accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector'] + cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore'] + except KeyError: + cvssv2 = 0.0 + try: + accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector'] + cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore'] + except KeyError: + accessVector = accessVector or "UNKNOWN" + cvssv3 = 0.0 + + c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", + [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]) + + configurations = elt['configurations']['nodes'] + for config in configurations: + parse_node_and_insert(c, config, cveId) + + +addtask do_populate_cve_db before do_fetch +do_populate_cve_db[nostamp] = "1" + +EXCLUDE_FROM_WORLD = "1" diff --git a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb index 6a8748acdf..ee7d7cd660 100644 --- a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb +++ b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb @@ -15,12 +15,15 @@ DUMMYPROVIDES = "\ nativesdk-perl-module-file-find \ nativesdk-perl-module-file-glob \ nativesdk-perl-module-file-path \ + nativesdk-perl-module-file-spec \ nativesdk-perl-module-file-stat \ nativesdk-perl-module-getopt-long \ nativesdk-perl-module-io-file \ + nativesdk-perl-module-overloading \ nativesdk-perl-module-posix \ nativesdk-perl-module-thread-queue \ nativesdk-perl-module-threads \ + nativesdk-perl-module-warnings \ /usr/bin/perl \ " diff --git a/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch b/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch new file mode 100644 index 0000000000..408f7d18b7 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch @@ -0,0 +1,80 @@ +We need binutils to look at our ld.so.conf file within the SDK to ensure +we search the SDK's libdirs as well as those from the host system. + +We therefore pass in the directory to the code using a define, then add +it to a section we relocate in a similar way to the way we relocate the +gcc internal paths. This ensures that ld works correctly in our buildtools +tarball. + +Standard sysroot relocation doesn't work since we're not in a sysroot, +we want to use both the host system and SDK libs. + +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +2020/1/17 +Upstream-Status: Inappropriate [OE specific tweak] + +Index: git/ld/Makefile.am +=================================================================== +--- git.orig/ld/Makefile.am ++++ git/ld/Makefile.am +@@ -36,7 +36,8 @@ am__skipyacc = + + ELF_CLFAGS=-DELF_LIST_OPTIONS=@elf_list_options@ \ + -DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \ +- -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ ++ -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \ ++ -DSYSCONFDIR="\"$(sysconfdir)\"" + WARN_CFLAGS = @WARN_CFLAGS@ + NO_WERROR = @NO_WERROR@ + AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS) +Index: git/ld/Makefile.in +=================================================================== +--- git.orig/ld/Makefile.in ++++ git/ld/Makefile.in +@@ -546,7 +546,8 @@ am__skiplex = + am__skipyacc = + ELF_CLFAGS = -DELF_LIST_OPTIONS=@elf_list_options@ \ + -DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \ +- -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ ++ -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \ ++ -DSYSCONFDIR="\"$(sysconfdir)\"" + + AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS) + @ENABLE_PLUGINS_FALSE@PLUGIN_C = +Index: git/ld/emultempl/elf32.em +=================================================================== +--- git.orig/ld/emultempl/elf32.em ++++ git/ld/emultempl/elf32.em +@@ -1024,7 +1024,7 @@ gld${EMULATION_NAME}_check_ld_so_conf (c + + info.path = NULL; + info.len = info.alloc = 0; +- tmppath = concat (ld_sysroot, "${prefix}/etc/ld.so.conf", ++ tmppath = concat (ld_sysconfdir, "/ld.so.conf", + (const char *) NULL); + if (!gld${EMULATION_NAME}_parse_ld_so_conf (&info, tmppath)) + { +Index: git/ld/ldmain.c +=================================================================== +--- git.orig/ld/ldmain.c ++++ git/ld/ldmain.c +@@ -68,6 +68,7 @@ char *program_name; + + /* The prefix for system library directories. */ + const char *ld_sysroot; ++char ld_sysconfdir[4096] __attribute__ ((section (".gccrelocprefix"))) = SYSCONFDIR; + + /* The canonical representation of ld_sysroot. */ + char *ld_canon_sysroot; +Index: git/ld/ldmain.h +=================================================================== +--- git.orig/ld/ldmain.h ++++ git/ld/ldmain.h +@@ -23,6 +23,7 @@ + + extern char *program_name; + extern const char *ld_sysroot; ++extern char ld_sysconfdir[4096]; + extern char *ld_canon_sysroot; + extern int ld_canon_sysroot_len; + extern FILE *saved_script_handle; diff --git a/meta/recipes-devtools/binutils/binutils_2.31.bb b/meta/recipes-devtools/binutils/binutils_2.31.bb index 51a9748906..625e18c787 100644 --- a/meta/recipes-devtools/binutils/binutils_2.31.bb +++ b/meta/recipes-devtools/binutils/binutils_2.31.bb @@ -46,4 +46,9 @@ do_install_class-native () { PACKAGE_BEFORE_PN += "libbfd" FILES_libbfd = "${libdir}/libbfd-*.so" +SRC_URI_append_class-nativesdk = "file://nativesdk-relocation.patch" + +USE_ALTERNATIVES_FOR_class-nativesdk = "" +FILES_${PN}_append_class-nativesdk = " ${bindir}" + BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb deleted file mode 100644 index 1c84fb1cf2..0000000000 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ /dev/null @@ -1,62 +0,0 @@ -SUMMARY = "cve-check-tool" -DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\ -The tool will identify potentially vunlnerable software packages within Linux distributions through version matching." -HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool" -SECTION = "Development/Tools" -LICENSE = "GPL-2.0+" -LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6" - -SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ - file://check-for-malloc_trim-before-using-it.patch \ - file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ - file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ - file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \ - file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \ - " - -SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" -SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b" - -UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases" - -DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates" - -RDEPENDS_${PN} = "ca-certificates" - -inherit pkgconfig autotools - -EXTRA_OECONF = "--disable-coverage --enable-relative-plugins" -CFLAGS_append = " -Wno-error=pedantic" - -do_populate_cve_db() { - if [ "${BB_NO_NETWORK}" = "1" ] ; then - bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected" - return - fi - - # In case we don't inherit cve-check class, use default values defined in the class. - cve_dir="${CVE_CHECK_DB_DIR}" - cve_file="${CVE_CHECK_TMP_FILE}" - - [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK" - [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" - - unused="${@bb.utils.export_proxies(d)}" - bbdebug 2 "Updating cve-check-tool database located in $cve_dir" - # --cacert works around curl-native not finding the CA bundle - if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then - printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file" - else - bbwarn "Error in executing cve-check-update" - if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then - bbwarn "Failed to update cve-check-tool database, CVEs won't be checked" - fi - fi -} - -addtask populate_cve_db after do_populate_sysroot -do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot" -do_populate_cve_db[nostamp] = "1" -do_populate_cve_db[progress] = "percent" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch deleted file mode 100644 index 4a82cf2dde..0000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch +++ /dev/null @@ -1,50 +0,0 @@ -From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001 -From: Peter Marko <peter.marko@siemens.com> -Date: Thu, 13 Apr 2017 23:09:52 +0200 -Subject: [PATCH] Fix freeing memory allocated by sqlite - -Upstream-Status: Backport -Signed-off-by: Peter Marko <peter.marko@siemens.com> ---- - src/core.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/core.c b/src/core.c -index 6263031..6788f16 100644 ---- a/src/core.c -+++ b/src/core.c -@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self) - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); - if (rc != SQLITE_OK) { - fprintf(stderr, "ensure_table(): %s\n", err); -- free(err); -+ sqlite3_free(err); - return false; - } - -@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self) - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); - if (rc != SQLITE_OK) { - fprintf(stderr, "ensure_table(): %s\n", err); -- free(err); -+ sqlite3_free(err); - return false; - } - -@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self) - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); - if (rc != SQLITE_OK) { - fprintf(stderr, "ensure_table(): %s\n", err); -- free(err); -+ sqlite3_free(err); - return false; - } - if (err) { -- free(err); -+ sqlite3_free(err); - } - - return true; --- -2.1.4 - diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch deleted file mode 100644 index 3d8ebd1bd2..0000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch +++ /dev/null @@ -1,215 +0,0 @@ -From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001 -From: Jussi Kukkonen <jussi.kukkonen@intel.com> -Date: Thu, 9 Feb 2017 14:51:28 +0200 -Subject: [PATCH] curl: allow overriding default CA certificate file - -Similar to curl, --cacert can now be used in cve-check-tool and -cve-check-update to override the default CA certificate file. Useful -in cases where the system default is unsuitable (for example, -out-dated) or broken (as in OE's current native libcurl, which embeds -a path string from one build host and then uses it on another although -the right path may have become something different). - -Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45] - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> - - -Took Patrick Ohlys original patch from meta-security-isafw, rebased -on top of other patches. - -Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> ---- - src/library/cve-check-tool.h | 1 + - src/library/fetch.c | 10 +++++++++- - src/library/fetch.h | 3 ++- - src/main.c | 5 ++++- - src/update-main.c | 4 +++- - src/update.c | 12 +++++++----- - src/update.h | 2 +- - 7 files changed, 27 insertions(+), 10 deletions(-) - -diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h -index e4bb5b1..f89eade 100644 ---- a/src/library/cve-check-tool.h -+++ b/src/library/cve-check-tool.h -@@ -43,6 +43,7 @@ typedef struct CveCheckTool { - bool bugs; /**<Whether bug tracking is enabled */ - GHashTable *mapping; /**<CVE Mapping */ - const char *output_file; /**<Output file, if any */ -+ const char *cacert_file; /**<Non-default SSL certificate file, if any */ - } CveCheckTool; - - /** -diff --git a/src/library/fetch.c b/src/library/fetch.c -index 0fe6d76..8f998c3 100644 ---- a/src/library/fetch.c -+++ b/src/library/fetch.c -@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow - } - - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, -- unsigned int start_percent, unsigned int end_percent) -+ unsigned int start_percent, unsigned int end_percent, -+ const char *cacert_file) - { - FetchStatus ret = FETCH_STATUS_FAIL; - CURLcode res; -@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, - return ret; - } - -+ if (cacert_file) { -+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file); -+ if (res != CURLE_OK) { -+ goto bail; -+ } -+ } -+ - if (stat(target, &st) == 0) { - res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE); - if (res != CURLE_OK) { -diff --git a/src/library/fetch.h b/src/library/fetch.h -index 4cce5d1..836c7d7 100644 ---- a/src/library/fetch.h -+++ b/src/library/fetch.h -@@ -29,7 +29,8 @@ typedef enum { - * @return A FetchStatus, indicating the operation taken - */ - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, -- unsigned int this_percent, unsigned int next_percent); -+ unsigned int this_percent, unsigned int next_percent, -+ const char *cacert_file); - - /** - * Attempt to extract the given gzipped file -diff --git a/src/main.c b/src/main.c -index 8e6f158..ae69d47 100644 ---- a/src/main.c -+++ b/src/main.c -@@ -280,6 +280,7 @@ static bool csv_mode = false; - static char *modified_stamp = NULL; - static gchar *mapping_file = NULL; - static gchar *output_file = NULL; -+static gchar *cacert_file = NULL; - - static GOptionEntry _entries[] = { - { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL }, -@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = { - { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL }, - { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL}, - { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL}, -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, - { .short_name = 0 } - }; - -@@ -492,6 +494,7 @@ int main(int argc, char **argv) - - quiet = csv_mode || !no_html; - self->output_file = output_file; -+ self->cacert_file = cacert_file; - - if (!csv_mode && self->output_file) { - quiet = false; -@@ -530,7 +533,7 @@ int main(int argc, char **argv) - if (status) { - fprintf(stderr, "Update of db forced\n"); - cve_db_unlock(); -- if (!update_db(quiet, db_path->str)) { -+ if (!update_db(quiet, db_path->str, self->cacert_file)) { - fprintf(stderr, "DB update failure\n"); - goto cleanup; - } -diff --git a/src/update-main.c b/src/update-main.c -index 2379cfa..c52d9d0 100644 ---- a/src/update-main.c -+++ b/src/update-main.c -@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\ - static gchar *nvds = NULL; - static bool _show_version = false; - static bool _quiet = false; -+static const char *_cacert_file = NULL; - - static GOptionEntry _entries[] = { - { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL }, - { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL }, - { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL }, -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, - { .short_name = 0 } - }; - -@@ -88,7 +90,7 @@ int main(int argc, char **argv) - goto end; - } - -- if (update_db(_quiet, db_path->str)) { -+ if (update_db(_quiet, db_path->str, _cacert_file)) { - ret = EXIT_SUCCESS; - } else { - fprintf(stderr, "Failed to update database\n"); -diff --git a/src/update.c b/src/update.c -index 070560a..8cb4a39 100644 ---- a/src/update.c -+++ b/src/update.c -@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) - - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, - bool db_exist, bool verbose, -- unsigned int this_percent, unsigned int next_percent) -+ unsigned int this_percent, unsigned int next_percent, -+ const char *cacert_file) - { - const char nvd_uri[] = URI_PREFIX; - autofree(cve_string) *uri_meta = NULL; -@@ -331,14 +332,14 @@ refetch: - } - - /* Fetch NVD META file */ -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file); - if (st == FETCH_STATUS_FAIL) { - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); - return -1; - } - - /* Fetch NVD XML file */ -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file); - switch (st) { - case FETCH_STATUS_FAIL: - fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); -@@ -391,7 +392,7 @@ refetch: - return 0; - } - --bool update_db(bool quiet, const char *db_file) -+bool update_db(bool quiet, const char *db_file, const char *cacert_file) - { - autofree(char) *db_dir = NULL; - autofree(CveDB) *cve_db = NULL; -@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file) - if (!quiet) - fprintf(stderr, "completed: %u%%\r", start_percent); - rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, -- start_percent, end_percent); -+ start_percent, end_percent, -+ cacert_file); - switch (rc) { - case 0: - if (!quiet) -diff --git a/src/update.h b/src/update.h -index b8e9911..ceea0c3 100644 ---- a/src/update.h -+++ b/src/update.h -@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path); - - int update_required(const char *db_file); - --bool update_db(bool quiet, const char *db_file); -+bool update_db(bool quiet, const char *db_file, const char *cacert_file); - - - /* --- -2.1.4 - diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch deleted file mode 100644 index 8ea6f686e3..0000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch +++ /dev/null @@ -1,135 +0,0 @@ -From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net> -Date: Mon, 26 Sep 2016 12:12:41 +0100 -Subject: [PATCH] print progress in percent when downloading CVE db -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Upstream-Status: Pending -Signed-off-by: André Draszik <git@andred.net> ---- - src/library/fetch.c | 28 +++++++++++++++++++++++++++- - src/library/fetch.h | 3 ++- - src/update.c | 16 ++++++++++++---- - 3 files changed, 41 insertions(+), 6 deletions(-) - -diff --git a/src/library/fetch.c b/src/library/fetch.c -index 06d4b30..0fe6d76 100644 ---- a/src/library/fetch.c -+++ b/src/library/fetch.c -@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f - return fwrite(ptr, size, nmemb, f->f); - } - --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose) -+struct percent_t { -+ unsigned int start; -+ unsigned int end; -+}; -+ -+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow) -+{ -+ (void) ultotal; -+ (void) ulnow; -+ -+ struct percent_t *percent = (struct percent_t *) ptr; -+ -+ if (dltotal && percent && percent->end >= percent->start) { -+ unsigned int diff = percent->end - percent->start; -+ if (diff) { -+ fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal)); -+ } -+ } -+ -+ return 0; -+} -+ -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, -+ unsigned int start_percent, unsigned int end_percent) - { - FetchStatus ret = FETCH_STATUS_FAIL; - CURLcode res; - struct stat st; - CURL *curl = NULL; - struct fetch_t *f = NULL; -+ struct percent_t percent = { .start = start_percent, .end = end_percent }; - - curl = curl_easy_init(); - if (!curl) { -@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose) - } - if (verbose) { - (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L); -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent); -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new); - } - res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func); - if (res != CURLE_OK) { -diff --git a/src/library/fetch.h b/src/library/fetch.h -index 70c3779..4cce5d1 100644 ---- a/src/library/fetch.h -+++ b/src/library/fetch.h -@@ -28,7 +28,8 @@ typedef enum { - * @param verbose Whether to be verbose - * @return A FetchStatus, indicating the operation taken - */ --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose); -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, -+ unsigned int this_percent, unsigned int next_percent); - - /** - * Attempt to extract the given gzipped file -diff --git a/src/update.c b/src/update.c -index 30fbe96..eaeeefd 100644 ---- a/src/update.c -+++ b/src/update.c -@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) - } - - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, -- bool db_exist, bool verbose) -+ bool db_exist, bool verbose, -+ unsigned int this_percent, unsigned int next_percent) - { - const char nvd_uri[] = URI_PREFIX; - autofree(cve_string) *uri_meta = NULL; -@@ -330,14 +331,14 @@ refetch: - } - - /* Fetch NVD META file */ -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose); -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); - if (st == FETCH_STATUS_FAIL) { - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); - return -1; - } - - /* Fetch NVD XML file */ -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose); -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); - switch (st) { - case FETCH_STATUS_FAIL: - fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); -@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file) - for (int i = YEAR_START; i <= year+1; i++) { - int y = i > year ? -1 : i; - int rc; -+ unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START); -+ unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START); - -- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet); -+ if (!quiet) -+ fprintf(stderr, "completed: %u%%\r", start_percent); -+ rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, -+ start_percent, end_percent); - switch (rc) { - case 0: -+ if (!quiet) -+ fprintf(stderr,"completed: %u%%\r", end_percent); - continue; - case ENOMEM: - goto oom; --- -2.9.3 - diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch deleted file mode 100644 index 458c0cc84e..0000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch +++ /dev/null @@ -1,52 +0,0 @@ -From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001 -From: Sergey Popovich <popovich_sergei@mail.ua> -Date: Fri, 21 Apr 2017 07:32:23 -0700 -Subject: [PATCH] update: Compare computed vs expected sha256 digit string - ignoring case - -We produce sha256 digest string using %x snprintf() -qualifier for each byte of digest which uses alphabetic -characters from "a" to "f" in lower case to represent -integer values from 10 to 15. - -Previously all of the NVD META files supply sha256 -digest string for corresponding XML file in lower case. - -However due to some reason this changed recently to -provide digest digits in upper case causing fetched -data consistency checks to fail. This prevents database -from being updated periodically. - -While commit c4f6e94 (update: Do not treat sha256 failure -as fatal if requested) adds useful option to skip -digest validation at all and thus provides workaround for -this situation, it might be unacceptable for some -deployments where we need to ensure that downloaded -data is consistent before start parsing it and update -SQLite database. - -Use strcasecmp() to compare two digest strings case -insensitively and addressing this case. - -Upstream-Status: Backport -Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> ---- - src/update.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/update.c b/src/update.c -index 8588f38..3cc6b67 100644 ---- a/src/update.c -+++ b/src/update.c -@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data) - snprintf(&csum_data[idx], len, "%02hhx", digest[i]); - } - -- ret = streq(csum_meta, csum_data); -+ ret = !strcasecmp(csum_meta, csum_data); - - err_unmap: - munmap(buffer, length); --- -2.11.0 - diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch deleted file mode 100644 index 0774ad946a..0000000000 --- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch +++ /dev/null @@ -1,51 +0,0 @@ -From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Mon, 22 Aug 2016 22:54:24 -0700 -Subject: [PATCH] Check for malloc_trim before using it - -malloc_trim is gnu specific and not all libc -implement it, threfore write a configure check -to poke for it first and use the define to -guard its use. - -Helps in compiling on musl based systems - -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- -Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/48] - configure.ac | 2 ++ - src/core.c | 4 ++-- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index d3b66ce..79c3542 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0]) - m4_define([openssl_required_version],[1.0.0]) - # TODO: Set minimum sqlite - -+AC_CHECK_FUNCS_ONCE(malloc_trim) -+ - PKG_CHECK_MODULES(CVE_CHECK_TOOL, - [ - glib-2.0 >= glib_required_version, -diff --git a/src/core.c b/src/core.c -index 6263031..0d5df29 100644 ---- a/src/core.c -+++ b/src/core.c -@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname) - } - - b = true; -- -+#ifdef HAVE_MALLOC_TRIM - malloc_trim(0); -- -+#endif - xmlFreeTextReader(r); - if (fd) { - close(fd); --- -2.9.3 - diff --git a/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch new file mode 100644 index 0000000000..594510342b --- /dev/null +++ b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch @@ -0,0 +1,23 @@ +traceback2 adds traceback for python2. Rather than depend on traceback2, we're +python3 only so just use traceback. +This caused breakage in oe-selftest -j which uses testtools on the autobuilder +using buildtools-tarball. + +Upstream-Status: Inappropriate [Our recipe is python3 specific] +(Once py2 is EOL upstream probably could/should take this) +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> + +Index: testtools-2.3.0/testtools/content.py +=================================================================== +--- testtools-2.3.0.orig/testtools/content.py ++++ testtools-2.3.0/testtools/content.py +@@ -19,8 +19,7 @@ import os + import sys + + from extras import try_import +-# To let setup.py work, make this a conditional import. +-traceback = try_import('traceback2') ++import traceback + + from testtools.compat import ( + _b, diff --git a/meta/recipes-devtools/python/python3-testtools_2.3.0.bb b/meta/recipes-devtools/python/python3-testtools_2.3.0.bb index 896ecee65c..a254b90a75 100644 --- a/meta/recipes-devtools/python/python3-testtools_2.3.0.bb +++ b/meta/recipes-devtools/python/python3-testtools_2.3.0.bb @@ -1,2 +1,4 @@ inherit setuptools3 require python-testtools.inc + +SRC_URI += "file://no_traceback2.patch" diff --git a/meta/recipes-devtools/python/python3/0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch b/meta/recipes-devtools/python/python3/0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch new file mode 100644 index 0000000000..48d4f73e9c --- /dev/null +++ b/meta/recipes-devtools/python/python3/0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch @@ -0,0 +1,35 @@ +From ffe7797637f08cd6ee4c82e2d67462c5e194d30a Mon Sep 17 00:00:00 2001 +From: Jaewon Lee <jaewon.lee@xilinx.com> +Date: Thu, 25 Apr 2019 15:34:26 -0700 +Subject: [PATCH] main.c: if OEPYTHON3HOME is set use instead of PYTHONHOME + +There is one variable PYTHONHOME to determine where libraries are coming +from for both python2 and python3. This becomes an issue if only one has +libraries in the specified PYTHONHOME path, but they are using the same +PYTHONHOME. Creating another variable OEPYTHON3HOME to allow for a way +to set a different path for python3 + +Signed-off-by: Jaewon Lee <jaewon.lee@xilinx.com> +RP: Backported to 3.5.6 (code totally different to original path for +later python versions) +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> + +--- + Modules/main.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +Index: Python-3.5.6/Python/pylifecycle.c +=================================================================== +--- Python-3.5.6.orig/Python/pylifecycle.c ++++ Python-3.5.6/Python/pylifecycle.c +@@ -864,7 +864,9 @@ Py_GetPythonHome(void) + { + wchar_t *home = default_home; + if (home == NULL && !Py_IgnoreEnvironmentFlag) { +- char* chome = Py_GETENV("PYTHONHOME"); ++ char* chome = Py_GETENV("OEPYTHON3HOME"); ++ if (!chome) ++ chome = Py_GETENV("PYTHONHOME"); + if (chome) { + size_t size = Py_ARRAY_LENGTH(env_home); + size_t r = mbstowcs(env_home, chome, size); diff --git a/meta/recipes-devtools/python/python3_3.5.6.bb b/meta/recipes-devtools/python/python3_3.5.6.bb index b2f8a3d034..4633a3d239 100644 --- a/meta/recipes-devtools/python/python3_3.5.6.bb +++ b/meta/recipes-devtools/python/python3_3.5.6.bb @@ -50,6 +50,10 @@ SRC_URI += "\ file://CVE-2019-9636.patch \ " +SRC_URI_append_class-nativesdk = " \ + file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \ + " + inherit multilib_header python3native update-alternatives qemu ptest MULTILIB_SUFFIX = "${@d.getVar('base_libdir',1).split('/')[-1]}" @@ -184,7 +188,7 @@ do_install() { } do_install_append_class-nativesdk () { - create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} PYTHONHOME='${prefix}' TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1' + create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} OEPYTHON3HOME='${prefix}' TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1' } SSTATE_SCAN_FILES += "Makefile" diff --git a/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch b/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch new file mode 100644 index 0000000000..618ebcdc81 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch @@ -0,0 +1,62 @@ +From 0f1f2d4596aee037d3ccbcf10592466daa54107f Mon Sep 17 00:00:00 2001 +From: Laurent Vivier <laurent@vivier.eu> +Date: Tue, 12 Nov 2019 15:25:56 +0100 +Subject: [PATCH] linux-user: remove host stime() syscall + +stime() has been withdrawn from glibc +(12cbde1dae6f "Use clock_settime to implement stime; withdraw stime.") + +Implement the target stime() syscall using host +clock_settime(CLOCK_REALTIME, ...) as it is done internally in glibc. + +Tested qemu-ppc/x86_64 with: + + #include <time.h> + #include <stdio.h> + + int main(void) + { + time_t t; + int ret; + + /* date -u -d"2019-11-12T15:11:00" "+%s" */ + t = 1573571460; + ret = stime(&t); + printf("ret %d\n", ret); + return 0; + } + + # date; ./stime; date + Tue Nov 12 14:18:32 UTC 2019 + ret 0 + Tue Nov 12 15:11:00 UTC 2019 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0f1f2d4596aee037d3ccbcf10592466daa54107f] +Buglink: https://bugs.launchpad.net/qemu/+bug/1852115 +Reported-by: Cole Robinson <crobinso@redhat.com> +Signed-off-by: Laurent Vivier <laurent@vivier.eu> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Message-Id: <20191112142556.6335-1-laurent@vivier.eu> +--- + linux-user/syscall.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +Index: qemu-3.0.0/linux-user/syscall.c +=================================================================== +--- qemu-3.0.0.orig/linux-user/syscall.c ++++ qemu-3.0.0/linux-user/syscall.c +@@ -8520,10 +8520,11 @@ abi_long do_syscall(void *cpu_env, int n + #ifdef TARGET_NR_stime /* not on alpha */ + case TARGET_NR_stime: + { +- time_t host_time; +- if (get_user_sal(host_time, arg1)) ++ struct timespec ts; ++ ts.tv_nsec = 0; ++ if (get_user_sal(ts.tv_sec, arg1)) + goto efault; +- ret = get_errno(stime(&host_time)); ++ ret = get_errno(clock_settime(CLOCK_REALTIME, &ts)); + } + break; + #endif diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb index e483acab55..1daee7211f 100644 --- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb @@ -42,6 +42,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2019-8934.patch \ file://0001-linux-user-assume-__NR_gettid-always-exists.patch \ file://0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch \ + file://0011-linux-user-remove-host-stime-syscall.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch new file mode 100644 index 0000000000..f954fac8fc --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch @@ -0,0 +1,170 @@ +Treat an ID of -1 as invalid since that means "no change". +Fixes CVE-2019-14287. +Found by Joe Vennix from Apple Information Security. + +CVE: CVE-2019-14287 +Upstream-Status: Backport +[https://www.sudo.ws/repos/sudo/rev/83db8dba09e7] + +Signed-off-by: Dan Tran <dantran@microsoft.com> + +Index: sudo-1.8.21p2/lib/util/strtoid.c +=================================================================== +--- sudo-1.8.21p2.orig/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400 ++++ sudo-1.8.21p2/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400 +@@ -42,6 +42,27 @@ + #include "sudo_util.h" + + /* ++ * Make sure that the ID ends with a valid separator char. ++ */ ++static bool ++valid_separator(const char *p, const char *ep, const char *sep) ++{ ++ bool valid = false; ++ debug_decl(valid_separator, SUDO_DEBUG_UTIL) ++ ++ if (ep != p) { ++ /* check for valid separator (including '\0') */ ++ if (sep == NULL) ++ sep = ""; ++ do { ++ if (*ep == *sep) ++ valid = true; ++ } while (*sep++ != '\0'); ++ } ++ debug_return_bool(valid); ++} ++ ++/* + * Parse a uid/gid in string form. + * If sep is non-NULL, it contains valid separator characters (e.g. comma, space) + * If endp is non-NULL it is set to the next char after the ID. +@@ -55,36 +76,33 @@ sudo_strtoid_v1(const char *p, const cha + char *ep; + id_t ret = 0; + long long llval; +- bool valid = false; + debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) + + /* skip leading space so we can pick up the sign, if any */ + while (isspace((unsigned char)*p)) + p++; +- if (sep == NULL) +- sep = ""; ++ ++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */ + errno = 0; + llval = strtoll(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); ++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) { ++ errno = ERANGE; ++ if (errstr != NULL) ++ *errstr = N_("value too large"); ++ goto done; + } +- if (!valid) { ++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) { ++ errno = ERANGE; + if (errstr != NULL) +- *errstr = N_("invalid value"); +- errno = EINVAL; ++ *errstr = N_("value too small"); + goto done; + } +- if (errno == ERANGE) { +- if (errstr != NULL) { +- if (llval == LLONG_MAX) +- *errstr = N_("value too large"); +- else +- *errstr = N_("value too small"); +- } ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) { ++ if (errstr != NULL) ++ *errstr = N_("invalid value"); ++ errno = EINVAL; + goto done; + } + ret = (id_t)llval; +@@ -101,30 +119,15 @@ sudo_strtoid_v1(const char *p, const cha + { + char *ep; + id_t ret = 0; +- bool valid = false; + debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) + + /* skip leading space so we can pick up the sign, if any */ + while (isspace((unsigned char)*p)) + p++; +- if (sep == NULL) +- sep = ""; ++ + errno = 0; + if (*p == '-') { + long lval = strtol(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); +- } +- if (!valid) { +- if (errstr != NULL) +- *errstr = N_("invalid value"); +- errno = EINVAL; +- goto done; +- } + if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) { + errno = ERANGE; + if (errstr != NULL) +@@ -137,28 +140,31 @@ sudo_strtoid_v1(const char *p, const cha + *errstr = N_("value too small"); + goto done; + } +- ret = (id_t)lval; +- } else { +- unsigned long ulval = strtoul(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); +- } +- if (!valid) { ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || lval == -1) { + if (errstr != NULL) + *errstr = N_("invalid value"); + errno = EINVAL; + goto done; + } ++ ret = (id_t)lval; ++ } else { ++ unsigned long ulval = strtoul(p, &ep, 10); + if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) { + errno = ERANGE; + if (errstr != NULL) + *errstr = N_("value too large"); + goto done; + } ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) { ++ if (errstr != NULL) ++ *errstr = N_("invalid value"); ++ errno = EINVAL; ++ goto done; ++ } + ret = (id_t)ulval; + } + if (errstr != NULL) diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch new file mode 100644 index 0000000000..dcb2703d23 --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch @@ -0,0 +1,98 @@ +CVE: CVE-2019-14287 +Upstream-Status: Backport +[https://www.sudo.ws/repos/sudo/rev/db06a8336c09] + +Signed-off-by: Dan Tran <dantran@microsoft.com> + +Index: sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c +=================================================================== +--- sudo-1.8.21p2.orig/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:11:49.874655384 -0400 ++++ sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:13:07.471005893 -0400 +@@ -24,6 +24,7 @@ + #else + # include "compat/stdbool.h" + #endif ++#include <errno.h> + + #include "sudo_compat.h" + #include "sudo_util.h" +@@ -78,15 +79,20 @@ static struct strtoid_data { + id_t id; + const char *sep; + const char *ep; ++ int errnum; + } strtoid_data[] = { +- { "0,1", 0, ",", "," }, +- { "10", 10, NULL, NULL }, +- { "-2", -2, NULL, NULL }, ++ { "0,1", 0, ",", ",", 0 }, ++ { "10", 10, NULL, NULL, 0 }, ++ { "-1", 0, NULL, NULL, EINVAL }, ++ { "4294967295", 0, NULL, NULL, EINVAL }, ++ { "4294967296", 0, NULL, NULL, ERANGE }, ++ { "-2147483649", 0, NULL, NULL, ERANGE }, ++ { "-2", -2, NULL, NULL, 0 }, + #if SIZEOF_ID_T != SIZEOF_LONG_LONG +- { "-2", 4294967294U, NULL, NULL }, ++ { "-2", (id_t)4294967294U, NULL, NULL, 0 }, + #endif +- { "4294967294", 4294967294U, NULL, NULL }, +- { NULL, 0, NULL, NULL } ++ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 }, ++ { NULL, 0, NULL, NULL, 0 } + }; + + static int +@@ -102,11 +108,23 @@ test_strtoid(int *ntests) + (*ntests)++; + errstr = "some error"; + value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr); +- if (errstr != NULL) { +- if (d->id != (id_t)-1) { +- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); ++ if (d->errnum != 0) { ++ if (errstr == NULL) { ++ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d", ++ d->idstr, d->errnum); ++ errors++; ++ } else if (value != 0) { ++ sudo_warnx_nodebug("FAIL: %s should return 0 on error", ++ d->idstr); ++ errors++; ++ } else if (errno != d->errnum) { ++ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d", ++ d->idstr, errno, d->errnum); + errors++; + } ++ } else if (errstr != NULL) { ++ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); ++ errors++; + } else if (value != d->id) { + sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id); + errors++; +Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok +=================================================================== +--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.874655384 -0400 ++++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.870655365 -0400 +@@ -4,7 +4,7 @@ Parse error in sudoers near line 1. + Entries for user root: + + Command unmatched +-testsudoers: test5.inc should be owned by gid 4294967295 ++testsudoers: test5.inc should be owned by gid 4294967294 + Parse error in sudoers near line 1. + + Entries for user root: +Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh +=================================================================== +--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.sh 2019-10-11 07:11:49.874655384 -0400 ++++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh 2019-10-11 07:11:49.870655365 -0400 +@@ -24,7 +24,7 @@ EOF + + # Test group writable + chmod 664 $TESTFILE +-./testsudoers -U $MYUID -G -1 root id <<EOF ++./testsudoers -U $MYUID -G -2 root id <<EOF + #include $TESTFILE + EOF + diff --git a/meta/recipes-extended/sudo/sudo_1.8.23.bb b/meta/recipes-extended/sudo/sudo_1.8.23.bb index ce32bd187e..d12cf2d549 100644 --- a/meta/recipes-extended/sudo/sudo_1.8.23.bb +++ b/meta/recipes-extended/sudo/sudo_1.8.23.bb @@ -3,6 +3,8 @@ require sudo.inc SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://0001-Include-sys-types.h-for-id_t-definition.patch \ + file://CVE-2019-14287_p1.patch \ + file://CVE-2019-14287_p2.patch \ " PAM_SRC_URI = "file://sudo.pam" diff --git a/meta/recipes-extended/tar/tar/CVE-2018-20482.patch b/meta/recipes-extended/tar/tar/CVE-2018-20482.patch new file mode 100644 index 0000000000..2a13148427 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2018-20482.patch @@ -0,0 +1,405 @@ +From 331be56598b284d41370c67046df25673b040a55 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Thu, 27 Dec 2018 17:48:57 +0200 +Subject: [PATCH] Fix CVE-2018-20482 + +* NEWS: Update. +* src/sparse.c (sparse_dump_region): Handle short read condition. +(sparse_extract_region,check_data_region): Fix dumped_size calculation. +Handle short read condition. +(pax_decode_header): Fix dumped_size calculation. +* tests/Makefile.am: Add new testcases. +* tests/testsuite.at: Likewise. + +* tests/sptrcreat.at: New file. +* tests/sptrdiff00.at: New file. +* tests/sptrdiff01.at: New file. + +CVE: CVE-2018-20482 +Upstream-Status: Backport +[http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454] + +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + src/sparse.c | 50 +++++++++++++++++++++++++++++++----- + tests/Makefile.am | 5 +++- + tests/sptrcreat.at | 62 +++++++++++++++++++++++++++++++++++++++++++++ + tests/sptrdiff00.at | 55 ++++++++++++++++++++++++++++++++++++++++ + tests/sptrdiff01.at | 55 ++++++++++++++++++++++++++++++++++++++++ + tests/testsuite.at | 5 +++- + 6 files changed, 224 insertions(+), 8 deletions(-) + create mode 100644 tests/sptrcreat.at + create mode 100644 tests/sptrdiff00.at + create mode 100644 tests/sptrdiff01.at + +diff --git a/src/sparse.c b/src/sparse.c +index 0830f62..e8e8259 100644 +--- a/src/sparse.c ++++ b/src/sparse.c +@@ -1,6 +1,6 @@ + /* Functions for dealing with sparse files + +- Copyright 2003-2007, 2010, 2013-2017 Free Software Foundation, Inc. ++ Copyright 2003-2007, 2010, 2013-2018 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the +@@ -427,6 +427,30 @@ sparse_dump_region (struct tar_sparse_file *file, size_t i) + bufsize); + return false; + } ++ else if (bytes_read == 0) ++ { ++ char buf[UINTMAX_STRSIZE_BOUND]; ++ struct stat st; ++ size_t n; ++ if (fstat (file->fd, &st) == 0) ++ n = file->stat_info->stat.st_size - st.st_size; ++ else ++ n = file->stat_info->stat.st_size ++ - (file->stat_info->sparse_map[i].offset ++ + file->stat_info->sparse_map[i].numbytes ++ - bytes_left); ++ ++ WARNOPT (WARN_FILE_SHRANK, ++ (0, 0, ++ ngettext ("%s: File shrank by %s byte; padding with zeros", ++ "%s: File shrank by %s bytes; padding with zeros", ++ n), ++ quotearg_colon (file->stat_info->orig_file_name), ++ STRINGIFY_BIGINT (n, buf))); ++ if (! ignore_failed_read_option) ++ set_exit_status (TAREXIT_DIFFERS); ++ return false; ++ } + + memset (blk->buffer + bytes_read, 0, BLOCKSIZE - bytes_read); + bytes_left -= bytes_read; +@@ -464,9 +488,9 @@ sparse_extract_region (struct tar_sparse_file *file, size_t i) + return false; + } + set_next_block_after (blk); ++ file->dumped_size += BLOCKSIZE; + count = blocking_write (file->fd, blk->buffer, wrbytes); + write_size -= count; +- file->dumped_size += count; + mv_size_left (file->stat_info->archive_file_size - file->dumped_size); + file->offset += count; + if (count != wrbytes) +@@ -598,6 +622,12 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end) + rdsize); + return false; + } ++ else if (bytes_read == 0) ++ { ++ report_difference (file->stat_info, _("Size differs")); ++ return false; ++ } ++ + if (!zero_block_p (diff_buffer, bytes_read)) + { + char begbuf[INT_BUFSIZE_BOUND (off_t)]; +@@ -609,6 +639,7 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end) + + beg += bytes_read; + } ++ + return true; + } + +@@ -635,6 +666,7 @@ check_data_region (struct tar_sparse_file *file, size_t i) + return false; + } + set_next_block_after (blk); ++ file->dumped_size += BLOCKSIZE; + bytes_read = safe_read (file->fd, diff_buffer, rdsize); + if (bytes_read == SAFE_READ_ERROR) + { +@@ -645,7 +677,11 @@ check_data_region (struct tar_sparse_file *file, size_t i) + rdsize); + return false; + } +- file->dumped_size += bytes_read; ++ else if (bytes_read == 0) ++ { ++ report_difference (¤t_stat_info, _("Size differs")); ++ return false; ++ } + size_left -= bytes_read; + mv_size_left (file->stat_info->archive_file_size - file->dumped_size); + if (memcmp (blk->buffer, diff_buffer, rdsize)) +@@ -1213,7 +1249,8 @@ pax_decode_header (struct tar_sparse_file *file) + union block *blk; + char *p; + size_t i; +- ++ off_t start; ++ + #define COPY_BUF(b,buf,src) do \ + { \ + char *endp = b->buffer + BLOCKSIZE; \ +@@ -1229,7 +1266,6 @@ pax_decode_header (struct tar_sparse_file *file) + if (src == endp) \ + { \ + set_next_block_after (b); \ +- file->dumped_size += BLOCKSIZE; \ + b = find_next_block (); \ + if (!b) \ + FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); \ +@@ -1242,8 +1278,8 @@ pax_decode_header (struct tar_sparse_file *file) + dst[-1] = 0; \ + } while (0) + ++ start = current_block_ordinal (); + set_next_block_after (current_header); +- file->dumped_size += BLOCKSIZE; + blk = find_next_block (); + if (!blk) + FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); +@@ -1282,6 +1318,8 @@ pax_decode_header (struct tar_sparse_file *file) + sparse_add_map (file->stat_info, &sp); + } + set_next_block_after (blk); ++ ++ file->dumped_size += BLOCKSIZE * (current_block_ordinal () - start); + } + + return true; +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 2d7939d..ac3b6e7 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -1,6 +1,6 @@ + # Makefile for GNU tar regression tests. + +-# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2015 Free Software ++# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2018 Free Software + + # This file is part of GNU tar. + +@@ -228,6 +228,9 @@ TESTSUITE_AT = \ + spmvp00.at\ + spmvp01.at\ + spmvp10.at\ ++ sptrcreat.at\ ++ sptrdiff00.at\ ++ sptrdiff01.at\ + time01.at\ + time02.at\ + truncate.at\ +diff --git a/tests/sptrcreat.at b/tests/sptrcreat.at +new file mode 100644 +index 0000000..8e28f0e +--- /dev/null ++++ b/tests/sptrcreat.at +@@ -0,0 +1,62 @@ ++# Process this file with autom4te to create testsuite. -*- Autotest -*- ++ ++# Test suite for GNU tar. ++# Copyright 2018 Free Software Foundation, Inc. ++ ++# This file is part of GNU tar. ++ ++# GNU tar is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++ ++# GNU tar is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++ ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see <http://www.gnu.org/licenses/>. ++ ++# Tar up to 1.30 would loop endlessly if a sparse file had been truncated ++# while being archived (with --sparse flag). ++# ++# The bug has been assigned id CVE-2018-20482 (on the grounds that it is a ++# denial of service possibility). ++# ++# Reported by: Chris Siebenmann <cks.gnutar-01@cs.toronto.edu> ++# References: <20181226223948.781EB32008E@apps1.cs.toronto.edu>, ++# <http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html> ++# <https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug> ++# <https://nvd.nist.gov/vuln/detail/CVE-2018-20482> ++ ++AT_SETUP([sparse file truncated while archiving]) ++AT_KEYWORDS([truncate filechange sparse sptr sptrcreat]) ++ ++AT_TAR_CHECK([ ++genfile --sparse --block-size=1024 --file foo \ ++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ ++genfile --file baz ++genfile --run --checkpoint 3 --length 200m --truncate foo -- \ ++ tar --checkpoint=1 \ ++ --checkpoint-action=echo \ ++ --checkpoint-action=sleep=1 \ ++ --sparse -vcf bar foo baz ++echo Exit status: $? ++echo separator ++genfile --file foo --seek 200m --length 11575296 --pattern=zeros ++tar dvf bar], ++[1], ++[foo ++baz ++Exit status: 1 ++separator ++foo ++foo: Mod time differs ++baz ++], ++[tar: foo: File shrank by 11575296 bytes; padding with zeros ++], ++[],[],[posix, gnu, oldgnu]) ++ ++AT_CLEANUP +diff --git a/tests/sptrdiff00.at b/tests/sptrdiff00.at +new file mode 100644 +index 0000000..c410561 +--- /dev/null ++++ b/tests/sptrdiff00.at +@@ -0,0 +1,55 @@ ++# Process this file with autom4te to create testsuite. -*- Autotest -*- ++# ++# Test suite for GNU tar. ++# Copyright 2018 Free Software Foundation, Inc. ++# ++# This file is part of GNU tar. ++# ++# GNU tar is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# GNU tar is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see <http://www.gnu.org/licenses/>. ++ ++# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered ++# that similar bug exists in file checking code (tar d). ++# This test case checks if tar correctly handles a short read condition ++# appearing in check_sparse_region. ++ ++AT_SETUP([file truncated in sparse region while comparing]) ++AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff]) ++ ++# This triggers short read in check_sparse_region. ++AT_TAR_CHECK([ ++genfile --sparse --block-size=1024 --file foo \ ++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ ++genfile --file baz ++echo creating ++tar --sparse -vcf bar foo baz ++echo comparing ++genfile --run --checkpoint 3 --length 200m --truncate foo -- \ ++ tar --checkpoint=1 \ ++ --checkpoint-action=echo='Write checkpoint %u' \ ++ --checkpoint-action=sleep=1 \ ++ --sparse -vdf bar ++], ++[1], ++[creating ++foo ++baz ++comparing ++foo ++foo: Size differs ++baz ++], ++[], ++[],[],[posix, gnu, oldgnu]) ++ ++AT_CLEANUP +diff --git a/tests/sptrdiff01.at b/tests/sptrdiff01.at +new file mode 100644 +index 0000000..2da2267 +--- /dev/null ++++ b/tests/sptrdiff01.at +@@ -0,0 +1,55 @@ ++# Process this file with autom4te to create testsuite. -*- Autotest -*- ++# ++# Test suite for GNU tar. ++# Copyright 2018 Free Software Foundation, Inc. ++# ++# This file is part of GNU tar. ++# ++# GNU tar is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# GNU tar is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see <http://www.gnu.org/licenses/>. ++ ++# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered ++# that similar bug exists in file checking code (tar d). ++# This test case checks if tar correctly handles a short read condition ++# appearing in check_data_region. ++ ++AT_SETUP([file truncated in data region while comparing]) ++AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff]) ++ ++# This triggers short read in check_data_region. ++AT_TAR_CHECK([ ++genfile --sparse --block-size=1024 --file foo \ ++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ ++genfile --file baz ++echo creating ++tar --sparse -vcf bar foo baz ++echo comparing ++genfile --run --checkpoint 5 --length 221278210 --truncate foo -- \ ++ tar --checkpoint=1 \ ++ --checkpoint-action=echo='Write checkpoint %u' \ ++ --checkpoint-action=sleep=1 \ ++ --sparse -vdf bar ++], ++[1], ++[creating ++foo ++baz ++comparing ++foo ++foo: Size differs ++baz ++], ++[], ++[],[],[posix, gnu, oldgnu]) ++ ++AT_CLEANUP +diff --git a/tests/testsuite.at b/tests/testsuite.at +index 2a83757..23386f7 100644 +--- a/tests/testsuite.at ++++ b/tests/testsuite.at +@@ -1,7 +1,7 @@ + # Process this file with autom4te to create testsuite. -*- Autotest -*- + + # Test suite for GNU tar. +-# Copyright 2004-2008, 2010-2017 Free Software Foundation, Inc. ++# Copyright 2004-2008, 2010-2018 Free Software Foundation, Inc. + + # This file is part of GNU tar. + +@@ -405,6 +405,9 @@ m4_include([sparsemv.at]) + m4_include([spmvp00.at]) + m4_include([spmvp01.at]) + m4_include([spmvp10.at]) ++m4_include([sptrcreat.at]) ++m4_include([sptrdiff00.at]) ++m4_include([sptrdiff01.at]) + + AT_BANNER([Updates]) + m4_include([update.at]) +-- +2.22.0.vfs.1.1.57.gbaf16c8 + diff --git a/meta/recipes-extended/tar/tar_1.30.bb b/meta/recipes-extended/tar/tar_1.30.bb index ab1b33b378..7cf0522455 100644 --- a/meta/recipes-extended/tar/tar_1.30.bb +++ b/meta/recipes-extended/tar/tar_1.30.bb @@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ file://remove-gets.patch \ file://musl_dirent.patch \ file://CVE-2019-9923.patch \ + file://CVE-2018-20482.patch \ " SRC_URI[md5sum] = "8404e4c1fc5a3000228ab2b8ad674a65" diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb b/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb index 0ed290088a..de6f5c98bf 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "72075349c6af55a7a6d024f0aa241711653fcb97" -SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f" +SRCREV_machine ?= "3aa9671ae072f45665e72591be5636522c8a6215" +SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}" -LINUX_VERSION ?= "4.14.143" +LINUX_VERSION ?= "4.14.154" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb index cb463074e1..52c02cad10 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb @@ -4,7 +4,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "4.14.143" +LINUX_VERSION ?= "4.14.154" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" @@ -12,8 +12,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "3d884bc92763f474cc0728d1feb0becad8ed37d5" -SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f" +SRCREV_machine ?= "38c3a6549d60a3b4a5ab0cb6a440929ba8502f7f" +SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/meta/recipes-kernel/linux/linux-yocto_4.14.bb b/meta/recipes-kernel/linux/linux-yocto_4.14.bb index 4a92d27e78..0048735c01 100644 --- a/meta/recipes-kernel/linux/linux-yocto_4.14.bb +++ b/meta/recipes-kernel/linux/linux-yocto_4.14.bb @@ -11,20 +11,20 @@ KBRANCH_qemux86 ?= "v4.14/standard/base" KBRANCH_qemux86-64 ?= "v4.14/standard/base" KBRANCH_qemumips64 ?= "v4.14/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "bd85f4880bb890bf9c45ee6c2fd95f077d2bf67e" -SRCREV_machine_qemuarm64 ?= "445a4787bd489eb6b3d5c172b9842dbe5a34d734" -SRCREV_machine_qemumips ?= "3d07ac9aa6ca729674dfb763563202f18f9eedde" -SRCREV_machine_qemuppc ?= "81ba8dbab3b1bfc371e539956be905809db0e41a" -SRCREV_machine_qemux86 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755" -SRCREV_machine_qemux86-64 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755" -SRCREV_machine_qemumips64 ?= "3c4acadcbe2ee11043f7d0fce43a5181511d0935" -SRCREV_machine ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755" -SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f" +SRCREV_machine_qemuarm ?= "e4e2990af921c2d1544d18efa5f7183f95289cd0" +SRCREV_machine_qemuarm64 ?= "51c9e69ebef5d2d15dfbcdf098269d86e0e38317" +SRCREV_machine_qemumips ?= "e70c76a3fe9cc785619d9e4c8e28cb4d4d76ecaf" +SRCREV_machine_qemuppc ?= "6b6eab44d3a04294c233e0b47d6b7c6cbb6e9ffb" +SRCREV_machine_qemux86 ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce" +SRCREV_machine_qemux86-64 ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce" +SRCREV_machine_qemumips64 ?= "4e099e87d223bfc1526543a5e4c5383cb2edda70" +SRCREV_machine ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce" +SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}" -LINUX_VERSION ?= "4.14.143" +LINUX_VERSION ?= "4.14.154" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/meta/recipes-support/atk/at-spi2-core_2.28.0.bb b/meta/recipes-support/atk/at-spi2-core_2.28.0.bb index 7975f58bad..0bdb1e37f3 100644 --- a/meta/recipes-support/atk/at-spi2-core_2.28.0.bb +++ b/meta/recipes-support/atk/at-spi2-core_2.28.0.bb @@ -18,7 +18,7 @@ inherit meson gtk-doc gettext systemd pkgconfig distro_features_check upstream-v REQUIRED_DISTRO_FEATURES = "x11" EXTRA_OEMESON = " -Dsystemd_user_dir=${systemd_user_unitdir} \ - -Ddbus_daemon=${bindir}" + -Ddbus_daemon=${bindir}/dbus-daemon" GTKDOC_ENABLE_FLAG = "-Denable_docs=true" GTKDOC_DISABLE_FLAG = "-Denable_docs=false" diff --git a/meta/recipes-support/attr/attr_2.4.47.bb b/meta/recipes-support/attr/attr_2.4.47.bb index fc88bef830..c3da66a0c7 100644 --- a/meta/recipes-support/attr/attr_2.4.47.bb +++ b/meta/recipes-support/attr/attr_2.4.47.bb @@ -12,4 +12,7 @@ SRC_URI += "file://attr-Missing-configure.ac.patch \ SRC_URI[md5sum] = "84f58dec00b60f2dc8fd1c9709291cc7" SRC_URI[sha256sum] = "25772f653ac5b2e3ceeb89df50e4688891e21f723c460636548971652af0a859" +# Has issues with newer versions of make +PARALLEL_MAKEINST = "" + BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-support/iso-codes/iso-codes_4.1.bb b/meta/recipes-support/iso-codes/iso-codes_4.1.bb index 1761ded44e..a70513033d 100644 --- a/meta/recipes-support/iso-codes/iso-codes_4.1.bb +++ b/meta/recipes-support/iso-codes/iso-codes_4.1.bb @@ -5,7 +5,7 @@ BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" -SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http" +SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http;branch=main;" SRCREV = "164802d5fd8c7a8167816fd86a62b286680619f0" # inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which diff --git a/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch new file mode 100644 index 0000000000..cda52119ba --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch @@ -0,0 +1,176 @@ +From 263ad8ae08f287e32656d4e3e0116479f3d9ad9d Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> +Date: Fri, 31 May 2019 17:27:25 +0300 +Subject: [PATCH] GCM: move look-up table to .data section and unshare between processes +Reply-To: shuagr@microsoft.com + +CVE: CVE-2019-12904_p1 +Upstream-Status: Backport +Signed-off-by: Shubham Agrawal<shuagr@microsoft.com> +Upstream-commit : https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 + +* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New. +(gcmR): Move to 'gcm_table' structure. +(gcm_table): New structure for look-up table with counters before and +after. +(gcmR): New macro. +(prefetch_table): Handle input with length not multiple of 256. +(do_prefetch_tables): Modify pre- and post-table counters to unshare +look-up table pages between processes. +-- +GnuPG-bug-id: 4541 +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> +--- + cipher/cipher-gcm.c | 129 ++++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 95 insertions(+), 34 deletions(-) + +diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c +index 6169d14..97a8015 100644 +--- a/cipher/cipher-gcm.c ++++ b/cipher/cipher-gcm.c +@@ -30,6 +30,14 @@ + #include "./cipher-internal.h" + + ++/* Helper macro to force alignment to 16 or 64 bytes. */ ++#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED ++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) ++#else ++# define ATTR_ALIGNED_64 ++#endif ++ ++ + #ifdef GCM_USE_INTEL_PCLMUL + extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c); + +@@ -63,40 +71,93 @@ ghash_armv8_ce_pmull (gcry_cipher_hd_t c, byte *result, const byte *buf, + + + #ifdef GCM_USE_TABLES +-static const u16 gcmR[256] = { +- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, +- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, +- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, +- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, +- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, +- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, +- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, +- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, +- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, +- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, +- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, +- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, +- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, +- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, +- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, +- 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, +- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, +- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, +- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, +- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, +- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, +- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, +- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, +- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, +- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, +- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, +- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, +- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, +- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, +- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, +- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, +- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, +-}; ++static struct ++{ ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; ++ u16 R[256]; ++ volatile u32 counter_tail; ++} gcm_table ATTR_ALIGNED_64 = ++ { ++ 0, ++ { 0, }, ++ { ++ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e, ++ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e, ++ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e, ++ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e, ++ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e, ++ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e, ++ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e, ++ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e, ++ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce, ++ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde, ++ 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee, ++ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe, ++ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e, ++ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e, ++ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae, ++ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe, ++ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e, ++ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e, ++ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e, ++ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e, ++ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e, ++ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e, ++ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e, ++ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e, ++ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce, ++ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade, ++ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee, ++ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe, ++ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e, ++ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e, ++ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae, ++ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe, ++ }, ++ 0 ++ }; ++ ++#define gcmR gcm_table.R ++static inline ++void prefetch_table(const void *tab, size_t len) ++{ ++ const volatile byte *vtab = tab; ++ size_t i; ++ ++ for (i = 0; len - i >= 8 * 32; i += 8 * 32) ++ { ++ (void)vtab[i + 0 * 32]; ++ (void)vtab[i + 1 * 32]; ++ (void)vtab[i + 2 * 32]; ++ (void)vtab[i + 3 * 32]; ++ (void)vtab[i + 4 * 32]; ++ (void)vtab[i + 5 * 32]; ++ (void)vtab[i + 6 * 32]; ++ (void)vtab[i + 7 * 32]; ++ } ++ for (; i < len; i += 32) ++ { ++ (void)vtab[i]; ++ } ++ ++ (void)vtab[len - 1]; ++} ++ ++static inline void ++do_prefetch_tables (const void *gcmM, size_t gcmM_size) ++{ ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages ++ * of look-up table are shared between processes. Modifying counters also ++ * causes checksums for pages to change and hint same-page merging algorithm ++ * that these pages are frequently changing. */ ++ gcm_table.counter_head++; ++ gcm_table.counter_tail++; ++ ++ /* Prefetch look-up tables to cache. */ ++ prefetch_table(gcmM, gcmM_size); ++ prefetch_table(&gcm_table, sizeof(gcm_table)); ++} + + #ifdef GCM_TABLES_USE_U64 + static void +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch new file mode 100644 index 0000000000..0cb503ed65 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch @@ -0,0 +1,330 @@ +From a5c359cc68a4def9bf39f63070837d89711b4e17 Mon Sep 17 00:00:00 2001 +From: Jussi Kivilinna <jussi.kivilinna@iki.fi> +Date: Fri, 31 May 2019 17:18:09 +0300 +Subject: [PATCH] AES: move look-up tables to .data section and unshare between processes +Reply-To: shuagr@microsoft.com + +CVE: CVE-2019-12904_p2 +Upstream-status: Backport +Signed-off-by: Shubham Agrawal<shuagr@microsoft.com> +Upstream-commit: https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 + +* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New. +* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure. +(enc_tables): New structure for encryption table with counters before +and after. +(encT): New macro. +(dec_tables): Add counters before and after encryption table; Move +from .rodata to .data section. +(do_encrypt): Change 'encT' to 'enc_tables.T'. +(do_decrypt): Change '&dec_tables' to 'dec_tables.T'. +* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input +with length not multiple of 256. +(prefetch_enc, prefetch_dec): Modify pre- and post-table counters +to unshare look-up table pages between processes. +-- + +GnuPG-bug-id: 4541 +Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> +--- + cipher/rijndael-internal.h | 4 +- + cipher/rijndael-tables.h | 155 +++++++++++++++++++++++++-------------------- + cipher/rijndael.c | 35 ++++++++-- + 3 files changed, 118 insertions(+), 76 deletions(-) + +diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h +index 160fb8c..a62d4b7 100644 +--- a/cipher/rijndael-internal.h ++++ b/cipher/rijndael-internal.h +@@ -29,11 +29,13 @@ + #define BLOCKSIZE (128/8) + + +-/* Helper macro to force alignment to 16 bytes. */ ++/* Helper macro to force alignment to 16 or 64 bytes. */ + #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED + # define ATTR_ALIGNED_16 __attribute__ ((aligned (16))) ++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64))) + #else + # define ATTR_ALIGNED_16 ++# define ATTR_ALIGNED_64 + #endif + + +diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h +index 8359470..b54d959 100644 +--- a/cipher/rijndael-tables.h ++++ b/cipher/rijndael-tables.h +@@ -21,80 +21,98 @@ + /* To keep the actual implementation at a readable size we use this + include file to define the tables. */ + +-static const u32 encT[256] = ++static struct ++{ ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; ++ u32 T[256]; ++ volatile u32 counter_tail; ++} enc_tables ATTR_ALIGNED_64 = + { +- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, +- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, +- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, +- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, +- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, +- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, +- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, +- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, +- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, +- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, +- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, +- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, +- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, +- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, +- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, +- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, +- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, +- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, +- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, +- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, +- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, +- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, +- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, +- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, +- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, +- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, +- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, +- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, +- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, +- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, +- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, +- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, +- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, +- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, +- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, +- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, +- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, +- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, +- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, +- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, +- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, +- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, +- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, +- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, +- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, +- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, +- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, +- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, +- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, +- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, +- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, +- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, +- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, +- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, +- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, +- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, +- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, +- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, +- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, +- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, +- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, +- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, +- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, +- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c ++ 0, ++ { 0, }, ++ { ++ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, ++ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, ++ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, ++ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, ++ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, ++ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, ++ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, ++ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, ++ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, ++ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, ++ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, ++ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, ++ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, ++ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, ++ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, ++ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, ++ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, ++ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, ++ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, ++ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, ++ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, ++ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, ++ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, ++ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, ++ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, ++ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, ++ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, ++ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, ++ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, ++ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, ++ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, ++ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, ++ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, ++ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, ++ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, ++ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, ++ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, ++ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, ++ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, ++ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, ++ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, ++ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, ++ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, ++ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, ++ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, ++ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, ++ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, ++ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, ++ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, ++ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, ++ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, ++ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, ++ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, ++ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, ++ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, ++ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, ++ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, ++ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, ++ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, ++ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, ++ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, ++ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, ++ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, ++ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c ++ }, ++ 0 + }; + +-static const struct ++#define encT enc_tables.T ++ ++static struct + { ++ volatile u32 counter_head; ++ u32 cacheline_align[64 / 4 - 1]; + u32 T[256]; + byte inv_sbox[256]; +-} dec_tables = ++ volatile u32 counter_tail; ++} dec_tables ATTR_ALIGNED_64 = + { ++ 0, ++ { 0, }, + { + 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, + 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, +@@ -194,7 +212,8 @@ static const struct + 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, + 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, + 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d +- } ++ }, ++ 0 + }; + + #define decT dec_tables.T +diff --git a/cipher/rijndael.c b/cipher/rijndael.c +index 8637195..d0edab2 100644 +--- a/cipher/rijndael.c ++++ b/cipher/rijndael.c +@@ -227,11 +227,11 @@ static const char *selftest(void); + + + /* Prefetching for encryption/decryption tables. */ +-static void prefetch_table(const volatile byte *tab, size_t len) ++static inline void prefetch_table(const volatile byte *tab, size_t len) + { + size_t i; + +- for (i = 0; i < len; i += 8 * 32) ++ for (i = 0; len - i >= 8 * 32; i += 8 * 32) + { + (void)tab[i + 0 * 32]; + (void)tab[i + 1 * 32]; +@@ -242,17 +242,37 @@ static void prefetch_table(const volatile byte *tab, size_t len) + (void)tab[i + 6 * 32]; + (void)tab[i + 7 * 32]; + } ++ for (; i < len; i += 32) ++ { ++ (void)tab[i]; ++ } + + (void)tab[len - 1]; + } + + static void prefetch_enc(void) + { +- prefetch_table((const void *)encT, sizeof(encT)); ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages ++ * of look-up table are shared between processes. Modifying counters also ++ * causes checksums for pages to change and hint same-page merging algorithm ++ * that these pages are frequently changing. */ ++ enc_tables.counter_head++; ++ enc_tables.counter_tail++; ++ ++ /* Prefetch look-up tables to cache. */ ++ prefetch_table((const void *)&enc_tables, sizeof(enc_tables)); + } + + static void prefetch_dec(void) + { ++ /* Modify counters to trigger copy-on-write and unsharing if physical pages ++ * of look-up table are shared between processes. Modifying counters also ++ * causes checksums for pages to change and hint same-page merging algorithm ++ * that these pages are frequently changing. */ ++ dec_tables.counter_head++; ++ dec_tables.counter_tail++; ++ ++ /* Prefetch look-up tables to cache. */ + prefetch_table((const void *)&dec_tables, sizeof(dec_tables)); + } + +@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx, + #ifdef USE_AMD64_ASM + # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS + return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, +- encT); ++ enc_tables.T); + # else + /* Call SystemV ABI function without storing non-volatile XMM registers, + * as target function does not use vector instruction sets. */ +@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx, + return ret; + # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ + #elif defined(USE_ARM_ASM) +- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT); ++ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, ++ enc_tables.T); + #else + return do_encrypt_fn (ctx, bx, ax); + #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/ +@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, + #ifdef USE_AMD64_ASM + # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS + return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, +- &dec_tables); ++ dec_tables.T); + # else + /* Call SystemV ABI function without storing non-volatile XMM registers, + * as target function does not use vector instruction sets. */ +@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx, + # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */ + #elif defined(USE_ARM_ASM) + return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds, +- &dec_tables); ++ dec_tables.T); + #else + return do_decrypt_fn (ctx, bx, ax); + #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/ +-- +2.7.4 + diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb index fda68a2938..13d037880b 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb @@ -21,6 +21,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ file://0003-tests-bench-slope.c-workaround-ICE-failure-on-mips-w.patch \ file://0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \ file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \ + file://CVE-2019-12904_p1.patch \ + file://CVE-2019-12904_p2.patch \ " SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573" SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227" diff --git a/scripts/runqemu b/scripts/runqemu index f83e05728b..b0509672d5 100755 --- a/scripts/runqemu +++ b/scripts/runqemu @@ -157,19 +157,6 @@ def get_first_file(cmds): return f return '' -def check_free_port(host, port): - """ Check whether the port is free or not """ - import socket - from contextlib import closing - - with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock: - if sock.connect_ex((host, port)) == 0: - # Port is open, so not free - return False - else: - # Port is not open, so free - return True - class BaseConfig(object): def __init__(self): # The self.d saved vars from self.set(), part of them are from qemuboot.conf @@ -218,8 +205,9 @@ class BaseConfig(object): self.audio_enabled = False self.tcpserial_portnum = '' self.custombiosdir = '' - self.lock = '' - self.lock_descriptor = None + self.taplock = '' + self.taplock_descriptor = None + self.portlocks = {} self.bitbake_e = '' self.snapshot = False self.fstypes = ('ext2', 'ext3', 'ext4', 'jffs2', 'nfs', 'btrfs', @@ -240,30 +228,81 @@ class BaseConfig(object): # avoid cleanup twice self.cleaned = False - def acquire_lock(self, error=True): - logger.debug("Acquiring lockfile %s..." % self.lock) + def acquire_taplock(self, error=True): + logger.debug("Acquiring lockfile %s..." % self.taplock) try: - self.lock_descriptor = open(self.lock, 'w') - fcntl.flock(self.lock_descriptor, fcntl.LOCK_EX|fcntl.LOCK_NB) + self.taplock_descriptor = open(self.taplock, 'w') + fcntl.flock(self.taplock_descriptor, fcntl.LOCK_EX|fcntl.LOCK_NB) except Exception as e: - msg = "Acquiring lockfile %s failed: %s" % (self.lock, e) + msg = "Acquiring lockfile %s failed: %s" % (self.taplock, e) if error: logger.error(msg) else: logger.info(msg) - if self.lock_descriptor: - self.lock_descriptor.close() - self.lock_descriptor = None + if self.taplock_descriptor: + self.taplock_descriptor.close() + self.taplock_descriptor = None return False return True - def release_lock(self): - if self.lock_descriptor: + def release_taplock(self): + if self.taplock_descriptor: logger.debug("Releasing lockfile for tap device '%s'" % self.tap) - fcntl.flock(self.lock_descriptor, fcntl.LOCK_UN) - self.lock_descriptor.close() - os.remove(self.lock) - self.lock_descriptor = None + fcntl.flock(self.taplock_descriptor, fcntl.LOCK_UN) + self.taplock_descriptor.close() + os.remove(self.taplock) + self.taplock_descriptor = None + + def check_free_port(self, host, port, lockdir): + """ Check whether the port is free or not """ + import socket + from contextlib import closing + + lockfile = os.path.join(lockdir, str(port) + '.lock') + if self.acquire_portlock(lockfile): + with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock: + if sock.connect_ex((host, port)) == 0: + # Port is open, so not free + self.release_portlock(lockfile) + return False + else: + # Port is not open, so free + return True + else: + return False + + def acquire_portlock(self, lockfile, error=True): + logger.debug("Acquiring lockfile %s..." % lockfile) + try: + portlock_descriptor = open(lockfile, 'w') + self.portlocks.update({lockfile: portlock_descriptor}) + fcntl.flock(self.portlocks[lockfile], fcntl.LOCK_EX|fcntl.LOCK_NB) + except Exception as e: + msg = "Acquiring lockfile %s failed: %s" % (lockfile, e) + if error: + logger.error(msg) + else: + logger.info(msg) + if self.portlocks[lockfile]: + self.portlocks[lockfile].close() + del self.portlocks[lockfile] + return False + return True + + def release_portlock(self, lockfile=None): + if lockfile != None: + logger.debug("Releasing lockfile '%s'" % lockfile) + fcntl.flock(self.portlocks[lockfile], fcntl.LOCK_UN) + self.portlocks[lockfile].close() + os.remove(lockfile) + del self.portlocks[lockfile] + elif len(self.portlocks): + for lockfile, descriptor in self.portlocks.items(): + logger.debug("Releasing lockfile '%s'" % lockfile) + fcntl.flock(descriptor, fcntl.LOCK_UN) + descriptor.close() + os.remove(lockfile) + self.portlocks = {} def get(self, key): if key in self.d: @@ -923,10 +962,21 @@ class BaseConfig(object): ports = re.findall('hostfwd=[^-]*:([0-9]+)-[^,-]*', qb_slirp_opt) ports = [int(i) for i in ports] mac = 2 + + lockdir = "/tmp/qemu-port-locks" + if not os.path.exists(lockdir): + # There might be a race issue when multi runqemu processess are + # running at the same time. + try: + os.mkdir(lockdir) + os.chmod(lockdir, 0o777) + except FileExistsError: + pass + # Find a free port to avoid conflicts for p in ports[:]: p_new = p - while not check_free_port('localhost', p_new): + while not self.check_free_port('localhost', p_new, lockdir): p_new += 1 mac += 1 while p_new in ports: @@ -981,8 +1031,8 @@ class BaseConfig(object): if os.path.exists('%s.skip' % lockfile): logger.info('Found %s.skip, skipping %s' % (lockfile, p)) continue - self.lock = lockfile + '.lock' - if self.acquire_lock(error=False): + self.taplock = lockfile + '.lock' + if self.acquire_taplock(error=False): tap = p logger.info("Using preconfigured tap device %s" % tap) logger.info("If this is not intended, touch %s.skip to make runqemu skip %s." %(lockfile, tap)) @@ -1000,8 +1050,8 @@ class BaseConfig(object): cmd = ('sudo', self.qemuifup, str(uid), str(gid), self.bindir_native) tap = subprocess.check_output(cmd).decode('utf-8').strip() lockfile = os.path.join(lockdir, tap) - self.lock = lockfile + '.lock' - self.acquire_lock() + self.taplock = lockfile + '.lock' + self.acquire_taplock() self.cleantap = True logger.debug('Created tap: %s' % tap) @@ -1233,8 +1283,11 @@ class BaseConfig(object): cmds = shlex.split(cmd) logger.info('Running %s\n' % cmd) pass_fds = [] - if self.lock_descriptor: - pass_fds = [self.lock_descriptor.fileno()] + if self.taplock_descriptor: + pass_fds = [self.taplock_descriptor.fileno()] + if len(self.portlocks): + for descriptor in self.portlocks.values(): + pass_fds.append(descriptor.fileno()) process = subprocess.Popen(cmds, stderr=subprocess.PIPE, pass_fds=pass_fds) self.qemupid = process.pid retcode = process.wait() @@ -1256,7 +1309,8 @@ class BaseConfig(object): cmd = ('sudo', self.qemuifdown, self.tap, self.bindir_native) logger.debug('Running %s' % str(cmd)) subprocess.check_call(cmd) - self.release_lock() + self.release_taplock() + self.release_portlock() if self.nfs_running: logger.info("Shutting down the userspace NFS server...") |