41 files changed, 1862 insertions, 30 deletions
diff --git a/meta/classes/pypi.bbclass b/meta/classes/pypi.bbclass
index e5d7ab3ce1..87b4c85fc0 100644
--- a/meta/classes/pypi.bbclass
+++ b/meta/classes/pypi.bbclass
@@ -22,5 +22,5 @@ SECTION = "devel/python"
 SRC_URI += "${PYPI_SRC_URI}"
 S = "${WORKDIR}/${PYPI_PACKAGE}-${PV}"
-UPSTREAM_CHECK_URI ?= "https://pypi.python.org/pypi/${PYPI_PACKAGE}/"
-UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)"
+UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${PYPI_PACKAGE}/"
+UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/"
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 889695eae3..69b6edee5f 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
 # to the distro running on the build machine.
 #
-UNINATIVE_MAXGLIBCVERSION = "2.31"
+UNINATIVE_MAXGLIBCVERSION = "2.32"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.8/"
-UNINATIVE_CHECKSUM[aarch64] ?= "989187344bf9539b464fb7ed9c223e51f4bdb4c7a677d2c314e6fed393176efe"
-UNINATIVE_CHECKSUM[i686] ?= "cc3e45bc8594488b407363e3fa9af5a099279dab2703c64342098719bd674990"
-UNINATIVE_CHECKSUM[x86_64] ?= "a09922172c3a439105e0ae6b943daad2d83505b17da0aba97961ff433b8c21ab"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/"
+UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81"
+UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36"
+UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423"
diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh
index 4c4b4deb4c..2e0fe94963 100644
--- a/meta/files/toolchain-shar-extract.sh
+++ b/meta/files/toolchain-shar-extract.sh
@@ -1,13 +1,8 @@
 #!/bin/sh
-[ -z "$ENVCLEANED" ] && exec /usr/bin/env -i ENVCLEANED=1 HOME="$HOME" \
- LC_ALL=en_US.UTF-8 \
- TERM=$TERM \
- ICECC_PATH="$ICECC_PATH" \
- http_proxy="$http_proxy" https_proxy="$https_proxy" ftp_proxy="$ftp_proxy" \
- no_proxy="$no_proxy" all_proxy="$all_proxy" GIT_PROXY_COMMAND="$GIT_PROXY_COMMAND" "$0" "$@"
-[ -f /etc/environment ] && . /etc/environment
-export PATH=`echo "$PATH" | sed -e 's/:\.//' -e 's/::/:/'`
+export LC_ALL=en_US.UTF-8
+# Remove invalid PATH elements first (maybe from a previously setup toolchain now deleted
+PATH=`python3 -c 'import os; print(":".join(e for e in os.environ["PATH"].split(":") if os.path.exists(e)))'`
 tweakpath () {
 case ":${PATH}:" in
diff --git a/meta/lib/oeqa/core/utils/concurrencytest.py b/meta/lib/oeqa/core/utils/concurrencytest.py
index 0f7b3dcc11..e6b14da89d 100644
--- a/meta/lib/oeqa/core/utils/concurrencytest.py
+++ b/meta/lib/oeqa/core/utils/concurrencytest.py
@@ -261,7 +261,7 @@ def fork_for_tests(concurrency_num, suite):
 oe.path.copytree(selftestdir, newselftestdir)
 for e in os.environ:
- if builddir in os.environ[e]:
+ if builddir + "/" in os.environ[e] or os.environ[e].endswith(builddir):
 os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
 subprocess.check_output("git init; git add *; git commit -a -m 'initial'", cwd=newselftestdir, shell=True)
diff --git a/meta/lib/oeqa/sdkext/testsdk.py b/meta/lib/oeqa/sdkext/testsdk.py
index 785b5dda53..c5c46df6cd 100644
--- a/meta/lib/oeqa/sdkext/testsdk.py
+++ b/meta/lib/oeqa/sdkext/testsdk.py
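Review bot: The new `PATH=` line filters only on `os.path.exists(e)`, so `.` and other relative entries survive, whereas the removed `sed -e 's/:\.//'` line stripped a current-directory entry before the installer ran anything. Filtering with `if os.path.isabs(e) and os.path.isdir(e)` would discard stale, relative and non-directory entries in one pass. If python3 is not on the host the command substitution yields an empty string and PATH is cleared, so a guard such as `command -v python3 >/dev/null || { echo "python3 not found" >&2; exit 1; }` ahead of it would fail with a clear message. The hunk also drops the `env -i` re-exec, so the rest of the script, which continues outside this hunk, now runs with the caller's full environment; whether that is handled further down cannot be seen here.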
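Review bot: The rewritten `if` narrows when a variable is touched, but the unchanged context line after it still calls `.replace(builddir, newbuilddir)` without an anchor, so once the condition holds every occurrence of builddir in the value is rewritten, including a sibling path that merely starts with the same string. Replacing only anchored matches closes that: `val = os.environ[e].replace(builddir + "/", newbuilddir + "/")`, then `if val.endswith(builddir): val = val[:-len(builddir)] + newbuilddir` before assigning `os.environ[e] = val`. The second `if` added in the signing.py hunk has the same shape, since its `endswith` branch also does a full `.replace(builddir, newbuilddir)`, and if newbuilddir begins with builddir (its definition is not visible) that call rewrites the text the first branch just inserted. fork_for_tests starts and ends outside this hunk.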
@@ -25,11 +25,8 @@ class TestSDKExt(TestSDKBase):
 subprocesstweak.errors_have_output()
- # extensible sdk can be contaminated if native programs are
- # in PATH, i.e. use perl-native instead of eSDK one.
- paths_to_avoid = [d.getVar('STAGING_DIR'),
- d.getVar('BASE_WORKDIR')]
- os.environ['PATH'] = avoid_paths_in_environ(paths_to_avoid)
+ # We need the original PATH for testing the eSDK, not with our manipulations
+ os.environ['PATH'] = d.getVar("BB_ORIGENV", False).getVar("PATH")
 tcname = d.expand("${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.sh")
 if not os.path.exists(tcname):
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index 7d3922ce44..d4fea91350 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -166,7 +166,7 @@ class TestImage(OESelftestTestCase):
 bitbake('core-image-full-cmdline socat')
 bitbake('-c testimage core-image-full-cmdline')
- def test_testimage_virgl_gtk(self):
+ def disabled_test_testimage_virgl_gtk(self):
 """
 Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk frontend
 Expected: 1. Check that virgl kernel driver is loaded and 3d acceleration is enabled
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 5c4e01b2c3..5b8f9bbd38 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -44,7 +44,9 @@ class Signing(OESelftestTestCase):
 origenv = os.environ.copy()
 for e in os.environ:
- if builddir in os.environ[e]:
+ if builddir + "/" in os.environ[e]:
+ os.environ[e] = os.environ[e].replace(builddir + "/", newbuilddir + "/")
+ if os.environ[e].endswith(builddir):
 os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
 os.chdir(newbuilddir)
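Review bot: In the testsdk.py hunk the new assignment chains `d.getVar("BB_ORIGENV", False).getVar("PATH")` with no check, so an unset BB_ORIGENV raises AttributeError on None and a missing PATH makes the `os.environ['PATH'] = ...` assignment raise TypeError, both some distance from the cause. Splitting it, `origenv = d.getVar("BB_ORIGENV", False)` followed by a test that `origenv` and its PATH are set, gives a failure that names the missing variable. The deleted comment explained that native programs on PATH can contaminate the eSDK run; the replacement comment does not say why the original PATH is free of that problem, and one sentence stating the assumption would help the next reader. The enclosing method starts and ends outside the hunk.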
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch
new file mode 100644
index 0000000000..dec5672657
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch
@@ -0,0 +1,60 @@
+From ca543240380475d888d660ea3296fc880ce52f35 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 15 Jul 2020 16:07:51 +1000
+Subject: [PATCH] bind: Always keep a copy of the message
+
+this allows it to be available even when dns_message_parse()
+returns a error.
+
+Upstream-Status: Backport
+CVE: CVE-2020-8622
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ lib/dns/message.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index ac637a2..39ed80f 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1679,6 +1679,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ msg->header_ok = 0;
+ msg->question_ok = 0;
+
++ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
++ isc_buffer_usedregion(&origsource, &msg->saved);
++ } else {
++ msg->saved.length = isc_buffer_usedlength(&origsource);
++ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
++ if (msg->saved.base == NULL) {
++ return (ISC_R_NOMEMORY);
++ }
++ memmove(msg->saved.base, isc_buffer_base(&origsource),
++ msg->saved.length);
++ msg->free_saved = 1;
++ }
++
+ isc_buffer_remainingregion(source, &r);
+ if (r.length < DNS_MESSAGE_HEADERLEN)
+ return (ISC_R_UNEXPECTEDEND);
+@@ -1754,17 +1767,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ }
+
+ truncated:
+- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
+- isc_buffer_usedregion(&origsource, &msg->saved);
+- else {
+- msg->saved.length = isc_buffer_usedlength(&origsource);
+- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+- if (msg->saved.base == NULL)
+- return (ISC_R_NOMEMORY);
+- memmove(msg->saved.base, isc_buffer_base(&origsource),
+- msg->saved.length);
+- msg->free_saved = 1;
+- }
+
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ return (DNS_R_RECOVERABLE);
+--
+1.9.1
+
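Review bot: The `Upstream-Status: Backport` line in the patch header names no upstream commit or URL, so a reader of the recipe cannot check this CVE fix against what ISC actually shipped; the headers of CVE-2020-8623.patch and CVE-2020-8624.patch added in the same commit have the same gap. The hash on the `From` line may be the upstream commit, but mail-format patches regenerated locally often carry a different one, so it should not be relied on for provenance. Writing the reference into the tag, `Upstream-Status: Backport [<upstream commit URL>]`, keeps the link with the patch.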
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch
new file mode 100644
index 0000000000..8e5412a89e
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch
@@ -0,0 +1,402 @@ +From 8d807cc21655eaa6e6a08afafeec3682c0f3f2ab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org> +Date: Tue, 21 Jul 2020 14:42:47 +0200 +Subject: [PATCH] Fix crash in pk11_numbits() when native-pkcs11 is used + +When pk11_numbits() is passed a user provided input that contains all +zeroes (via crafted DNS message), it would crash with assertion +failure. Fix that by properly handling such input. + +Upstream-Status: Backport +CVE: CVE-2020-8623 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + lib/dns/pkcs11dh_link.c | 15 ++++++- + lib/dns/pkcs11dsa_link.c | 8 +++- + lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++-------- + lib/isc/include/pk11/internal.h | 3 +- + lib/isc/pk11.c | 61 ++++++++++++++++--------- + 5 files changed, 121 insertions(+), 45 deletions(-) + +diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c +index e2b60ea7c5..4cd8e32d60 100644 +--- a/lib/dns/pkcs11dh_link.c ++++ b/lib/dns/pkcs11dh_link.c +@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { + CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; + CK_ATTRIBUTE *attr; + int special = 0; ++ unsigned int bits; + isc_result_t result; + + isc_buffer_remainingregion(data, &r); +@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { + pub = r.base; + isc_region_consume(&r, publen); + +- key->key_size = pk11_numbits(prime, plen_); ++ result = pk11_numbits(prime, plen_, &bits); ++ if (result != ISC_R_SUCCESS) { ++ goto cleanup; ++ } ++ key->key_size = bits; + + dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); + if (dh->repr == NULL) +@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; ++ unsigned int bits; + pk11_object_t *dh = NULL; + CK_ATTRIBUTE *attr; + isc_mem_t *mctx; +@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = 
pk11_attribute_bytype(dh, CKA_PRIME); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c +index 12d707a112..24d4c149ff 100644 +--- a/lib/dns/pkcs11dsa_link.c ++++ b/lib/dns/pkcs11dsa_link.c +@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; ++ unsigned int bits; + pk11_object_t *dsa = NULL; + CK_ATTRIBUTE *attr; + isc_mem_t *mctx = key->mctx; +@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = pk11_attribute_bytype(dsa, CKA_PRIME); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c +index 096c1a8e91..1d10d26564 100644 +--- a/lib/dns/pkcs11rsa_link.c ++++ b/lib/dns/pkcs11rsa_link.c +@@ -332,6 +332,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + key->key_alg == DST_ALG_RSASHA256 || + key->key_alg == DST_ALG_RSASHA512); + #endif ++ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS); + + /* + * Reject incorrect RSA key lengths. 
+@@ -376,6 +377,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + for (attr = pk11_attribute_first(rsa); + attr != NULL; + attr = pk11_attribute_next(rsa, attr)) ++ { + switch (attr->type) { + case CKA_MODULUS: + INSIST(keyTemplate[5].type == attr->type); +@@ -396,12 +398,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + memmove(keyTemplate[6].pValue, attr->pValue, + attr->ulValueLen); + keyTemplate[6].ulValueLen = attr->ulValueLen; +- if (pk11_numbits(attr->pValue, +- attr->ulValueLen) > maxbits && +- maxbits != 0) ++ unsigned int bits; ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, ++ &bits); ++ if (ret != ISC_R_SUCCESS || ++ (bits > maxbits && maxbits != 0)) { + DST_RET(DST_R_VERIFYFAILURE); ++ } + break; + } ++ } + pk11_ctx->object = CK_INVALID_HANDLE; + pk11_ctx->ontoken = false; + PK11_RET(pkcs_C_CreateObject, +@@ -1072,6 +1078,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + keyTemplate[5].ulValueLen = attr->ulValueLen; + break; + case CKA_PUBLIC_EXPONENT: ++ unsigned int bits; + INSIST(keyTemplate[6].type == attr->type); + keyTemplate[6].pValue = isc_mem_get(dctx->mctx, + attr->ulValueLen); +@@ -1080,10 +1087,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + memmove(keyTemplate[6].pValue, attr->pValue, + attr->ulValueLen); + keyTemplate[6].ulValueLen = attr->ulValueLen; +- if (pk11_numbits(attr->pValue, +- attr->ulValueLen) +- > RSA_MAX_PUBEXP_BITS) ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, ++ &bits); ++ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS) ++ { + DST_RET(DST_R_VERIFYFAILURE); ++ } + break; + } + pk11_ctx->object = CK_INVALID_HANDLE; +@@ -1461,6 +1470,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + CK_BYTE *exponent = NULL, *modulus = NULL; + CK_ATTRIBUTE *attr; + unsigned int length; ++ unsigned int bits; ++ isc_result_t ret = ISC_R_SUCCESS; + + isc_buffer_remainingregion(data, &r); + if (r.length == 0) +@@ -1478,9 
+1489,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + + if (e_bytes == 0) { + if (r.length < 2) { +- isc_safe_memwipe(rsa, sizeof(*rsa)); +- isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (DST_R_INVALIDPUBLICKEY); ++ DST_RET(DST_R_INVALIDPUBLICKEY); + } + e_bytes = (*r.base) << 8; + isc_region_consume(&r, 1); +@@ -1489,16 +1498,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + } + + if (r.length < e_bytes) { +- isc_safe_memwipe(rsa, sizeof(*rsa)); +- isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (DST_R_INVALIDPUBLICKEY); ++ DST_RET(DST_R_INVALIDPUBLICKEY); + } + exponent = r.base; + isc_region_consume(&r, e_bytes); + modulus = r.base; + mod_bytes = r.length; + +- key->key_size = pk11_numbits(modulus, mod_bytes); ++ ret = pk11_numbits(modulus, mod_bytes, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + isc_buffer_forward(data, length); + +@@ -1548,9 +1559,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + rsa->repr, + rsa->attrcnt * sizeof(*attr)); + } ++ ret = ISC_R_NOMEMORY; ++ ++ err: + isc_safe_memwipe(rsa, sizeof(*rsa)); + isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (ISC_R_NOMEMORY); ++ return (ret); + } + + static isc_result_t +@@ -1729,6 +1743,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, + pk11_object_t *pubrsa; + pk11_context_t *pk11_ctx = NULL; + isc_result_t ret; ++ unsigned int bits; + + if (label == NULL) + return (DST_R_NOENGINE); +@@ -1815,7 +1830,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +@@ -1901,6 +1920,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + 
CK_ATTRIBUTE *attr; + isc_mem_t *mctx = key->mctx; + const char *engine = NULL, *label = NULL; ++ unsigned int bits; + + /* read private key file */ + ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); +@@ -2044,12 +2064,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); + INSIST(attr != NULL); +- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ if (bits > RSA_MAX_PUBEXP_BITS) { + DST_RET(ISC_R_RANGE); ++ } + + dst__privstruct_free(&priv, mctx); + isc_safe_memwipe(&priv, sizeof(priv)); +@@ -2084,6 +2114,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + pk11_context_t *pk11_ctx = NULL; + isc_result_t ret; + unsigned int i; ++ unsigned int bits; + + UNUSED(pin); + +@@ -2178,12 +2209,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + + attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); + INSIST(attr != NULL); +- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ if (bits > RSA_MAX_PUBEXP_BITS) { + DST_RET(ISC_R_RANGE); ++ } + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + pk11_return_session(pk11_ctx); + isc_safe_memwipe(pk11_ctx, 
sizeof(*pk11_ctx)); +diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h +index aa8907ab08..7cc8ec812b 100644 +--- a/lib/isc/include/pk11/internal.h ++++ b/lib/isc/include/pk11/internal.h +@@ -25,7 +25,8 @@ void pk11_mem_put(void *ptr, size_t size); + + CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype); + +-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt); ++isc_result_t ++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits); + + CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj); + +diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c +index 012afd968a..4e4052044b 100644 +--- a/lib/isc/pk11.c ++++ b/lib/isc/pk11.c +@@ -962,13 +962,15 @@ pk11_get_best_token(pk11_optype_t optype) { + return (token->slotid); + } + +-unsigned int +-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { ++isc_result_t ++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) { + unsigned int bitcnt, i; + CK_BYTE top; + +- if (bytecnt == 0) +- return (0); ++ if (bytecnt == 0) { ++ *bits = 0; ++ return (ISC_R_SUCCESS); ++ } + bitcnt = bytecnt * 8; + for (i = 0; i < bytecnt; i++) { + top = data[i]; +@@ -976,26 +978,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { + bitcnt -= 8; + continue; + } +- if (top & 0x80) +- return (bitcnt); +- if (top & 0x40) +- return (bitcnt - 1); +- if (top & 0x20) +- return (bitcnt - 2); +- if (top & 0x10) +- return (bitcnt - 3); +- if (top & 0x08) +- return (bitcnt - 4); +- if (top & 0x04) +- return (bitcnt - 5); +- if (top & 0x02) +- return (bitcnt - 6); +- if (top & 0x01) +- return (bitcnt - 7); ++ if (top & 0x80) { ++ *bits = bitcnt; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x40) { ++ *bits = bitcnt - 1; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x20) { ++ *bits = bitcnt - 2; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x10) { ++ *bits = bitcnt - 3; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x08) { ++ *bits = bitcnt - 4; ++ return (ISC_R_SUCCESS); 
++ } ++ if (top & 0x04) { ++ *bits = bitcnt - 5; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x02) { ++ *bits = bitcnt - 6; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x01) { ++ *bits = bitcnt - 7; ++ return (ISC_R_SUCCESS); ++ } + break; + } +- INSIST(0); +- ISC_UNREACHABLE(); ++ return (ISC_R_RANGE); + } + + CK_ATTRIBUTE * +-- +2.17.1 + diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch new file mode 100644 index 0000000000..9cffe358bf --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch @@ -0,0 +1,33 @@ +From a73c3d30de7fe98af9e4dc0e490f732a48412380 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Wed, 29 Jul 2020 23:36:03 +1000 +Subject: [PATCH] bind: Update-policy 'subdomain' was incorrectly treated as + 'zonesub' + +resulting in names outside the specified subdomain having the wrong +restrictions for the given key. + +Upstream-Status: Backport +CVE: CVE-2020-8624 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + bin/named/zoneconf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c +index e237bdb..4898447 100644 +--- a/bin/named/zoneconf.c ++++ b/bin/named/zoneconf.c +@@ -237,7 +237,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, + + str = cfg_obj_asstring(matchtype); + CHECK(dns_ssu_mtypefromstring(str, &mtype)); +- if (mtype == dns_ssumatchtype_subdomain) { ++ if (mtype == dns_ssumatchtype_subdomain && ++ strcasecmp(str, "zonesub") == 0) { + usezone = true; + } + +-- +1.9.1 + diff --git a/meta/recipes-connectivity/bind/bind_9.11.19.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb index a77be8678f..d4467b0b48 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.19.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb 
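Review bot: In the pkcs11rsa_verify section of CVE-2020-8623.patch, `unsigned int bits;` is added as the first line after `case CKA_PUBLIC_EXPONENT:`; before C23 a label must be followed by a statement, not a declaration, so compilers that apply the older rule reject the file. Most other functions touched by the patch add `unsigned int bits;` next to the existing locals at the top of the function, and doing the same in pkcs11rsa_verify, and for the mid-case `unsigned int bits;` in pkcs11rsa_createctx_verify, keeps the patch consistent and portable. These files are presumably compiled only when native PKCS#11 is enabled, which nothing in this commit shows, so the error may stay latent in a default build.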
@@ -18,6 +18,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
 file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
 file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
 file://0001-avoid-start-failure-with-bind-user.patch \
+ file://CVE-2020-8622.patch \
+ file://CVE-2020-8623.patch \
+ file://CVE-2020-8624.patch \
 "
 SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"
diff --git a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
index 3aad603ada..5cd235f6ac 100644
--- a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
+++ b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
@@ -65,6 +65,35 @@ index 7c1cc3eecb..53cb8bfc59 100644 /* Load the locale data for CATEGORY from the file specified by *NAME. If *NAME is "", use environment variables as specified by POSIX, and --- -2.22.0 - +Index: git/locale/programs/locale.c +=================================================================== +--- git.orig/locale/programs/locale.c ++++ git/locale/programs/locale.c +@@ -632,6 +632,7 @@ nameentcmp (const void *a, const void *b + ((const struct nameent *) b)->name); + } + ++static char _write_archive_locales_path[4096] attribute_hidden __attribute__ ((section (".gccrelocprefix"))) = ARCHIVE_NAME; + + static int + write_archive_locales (void **all_datap, char *linebuf) +@@ -645,7 +646,7 @@ write_archive_locales (void **all_datap, + int fd, ret = 0; + uint32_t cnt; + +- fd = open64 (ARCHIVE_NAME, O_RDONLY); ++ fd = open64 (_write_archive_locales_path, O_RDONLY); + if (fd < 0) + return 0; + +@@ -700,8 +701,8 @@ write_archive_locales (void **all_datap, + if (cnt) + putchar_unlocked ('\n'); + +- printf ("locale: %-15.15s archive: " ARCHIVE_NAME "\n%s\n", +- names[cnt].name, linebuf); ++ printf ("locale: %-15.15s archive: %s\n%s\n", ++ names[cnt].name, _write_archive_locales_path, linebuf); + + locrec = (struct locrecent *) (addr + names[cnt].locrec_offset); + diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 7d8b665e6b..e993bde2d7 100644 --- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk" inherit core-image module-base setuptools3 -SRCREV ?= "0ae1964fb16a0e92b163f48ceb127a40e8397339" +SRCREV ?= "f4b1c01110bf6cf7691aa6f214cecd89a52d5661" SRC_URI = "git://git.yoctoproject.org/poky;branch=zeus \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ 
diff --git a/meta/recipes-core/meta/buildtools-extended-tarball.bb b/meta/recipes-core/meta/buildtools-extended-tarball.bb
new file mode 100644
index 0000000000..94ed57585b
--- /dev/null
+++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb
@@ -0,0 +1,36 @@
+require recipes-core/meta/buildtools-tarball.bb
+
+DESCRIPTION = "SDK type target for building a standalone tarball containing build-essentials, python3, chrpath, \
+ make, git and tar. The tarball can be used to run bitbake builds on systems which don't meet the \
+ usual version requirements and have ancient compilers."
+SUMMARY = "Standalone tarball for running builds on systems with inadequate software and ancient compilers"
+LICENSE = "MIT"
+
+# Add nativesdk equivalent of build-essentials
+TOOLCHAIN_HOST_TASK += "\
+ nativesdk-automake \
+ nativesdk-autoconf \
+ nativesdk-binutils \
+ nativesdk-binutils-symlinks \
+ nativesdk-cpp \
+ nativesdk-cpp-symlinks \
+ nativesdk-gcc \
+ nativesdk-gcc-symlinks \
+ nativesdk-g++ \
+ nativesdk-g++-symlinks \
+ nativesdk-gettext \
+ nativesdk-libatomic \
+ nativesdk-libgcc \
+ nativesdk-libstdc++ \
+ nativesdk-libstdc++-dev \
+ nativesdk-libstdc++-staticdev \
+ nativesdk-libtool \
+ nativesdk-pkgconfig \
+ nativesdk-glibc-utils \
+ nativesdk-python \
+ nativesdk-libxcrypt-dev \
+ "
+
+TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-extended-nativesdk-standalone-${DISTRO_VERSION}"
+
+SDK_TITLE = "Extended Build tools"
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index 66201514d7..ceb60b0e48 100644
--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -73,7 +73,13 @@ create_sdk_files_append () {
 toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS}
 echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+ echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+ echo 'export OPENSSL_CONF="${SDKPATHNATIVE}${sysconfdir}/ssl/openssl.cnf"' >>$script
+ mkdir -p ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/
+ echo '${SDKPATHNATIVE}${libdir}
+${SDKPATHNATIVE}${base_libdir}
+include /etc/ld.so.conf' > ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/ld.so.conf
 if [ "${SDKMACHINE}" = "i686" ]; then
 echo 'export NO32LIBS="0"' >>$script
 echo 'echo "$BB_ENV_EXTRAWHITE" | grep -q "NO32LIBS"' >>$script
diff --git a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
index 5bc11b9daf..cfa41c4ae6 100644
--- a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
+++ b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
@@ -15,12 +15,15 @@ DUMMYPROVIDES_PACKAGES = "\
 nativesdk-perl-module-file-find \
 nativesdk-perl-module-file-glob \
 nativesdk-perl-module-file-path \
+ nativesdk-perl-module-file-spec \
 nativesdk-perl-module-file-stat \
 nativesdk-perl-module-getopt-long \
 nativesdk-perl-module-io-file \
+ nativesdk-perl-module-overloading \
 nativesdk-perl-module-posix \
 nativesdk-perl-module-thread-queue \
 nativesdk-perl-module-threads \
+ nativesdk-perl-module-warnings \
 "
 DUMMYPROVIDES = "\
diff --git a/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch b/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch
new file mode 100644
index 0000000000..408f7d18b7
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch
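Review bot: The two added `export` lines in the buildtools-tarball.bb hunk write SSL_CERT_FILE and OPENSSL_CONF into the environment script with no comment on scope, and once that script is sourced every OpenSSL-based program started from the shell, presumably host tools as well as the SDK's own, trusts only the CA bundle frozen into the tarball and reads the tarball's openssl.cnf. Host-side additions or removals of CAs stop applying in that shell, and the bundle ages with the tarball. A comment above the lines would record the trade-off, for example `# buildtools binaries cannot locate the host CA store; point OpenSSL at the bundled one (overrides host trust for this shell)`. create_sdk_files_append continues outside the hunk.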
@@ -0,0 +1,80 @@ +We need binutils to look at our ld.so.conf file within the SDK to ensure +we search the SDK's libdirs as well as those from the host system. + +We therefore pass in the directory to the code using a define, then add +it to a section we relocate in a similar way to the way we relocate the +gcc internal paths. This ensures that ld works correctly in our buildtools +tarball. + +Standard sysroot relocation doesn't work since we're not in a sysroot, +we want to use both the host system and SDK libs. + +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +2020/1/17 +Upstream-Status: Inappropriate [OE specific tweak] + +Index: git/ld/Makefile.am +=================================================================== +--- git.orig/ld/Makefile.am ++++ git/ld/Makefile.am +@@ -36,7 +36,8 @@ am__skipyacc = + + ELF_CLFAGS=-DELF_LIST_OPTIONS=@elf_list_options@ \ + -DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \ +- -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ ++ -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \ ++ -DSYSCONFDIR="\"$(sysconfdir)\"" + WARN_CFLAGS = @WARN_CFLAGS@ + NO_WERROR = @NO_WERROR@ + AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS) +Index: git/ld/Makefile.in +=================================================================== +--- git.orig/ld/Makefile.in ++++ git/ld/Makefile.in +@@ -546,7 +546,8 @@ am__skiplex = + am__skipyacc = + ELF_CLFAGS = -DELF_LIST_OPTIONS=@elf_list_options@ \ + -DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \ +- -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ ++ -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \ ++ -DSYSCONFDIR="\"$(sysconfdir)\"" + + AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS) + @ENABLE_PLUGINS_FALSE@PLUGIN_C = +Index: git/ld/emultempl/elf32.em +=================================================================== +--- git.orig/ld/emultempl/elf32.em ++++ git/ld/emultempl/elf32.em +@@ -1024,7 +1024,7 @@ gld${EMULATION_NAME}_check_ld_so_conf (c + + 
info.path = NULL; + info.len = info.alloc = 0; +- tmppath = concat (ld_sysroot, "${prefix}/etc/ld.so.conf", ++ tmppath = concat (ld_sysconfdir, "/ld.so.conf", + (const char *) NULL); + if (!gld${EMULATION_NAME}_parse_ld_so_conf (&info, tmppath)) + { +Index: git/ld/ldmain.c +=================================================================== +--- git.orig/ld/ldmain.c ++++ git/ld/ldmain.c +@@ -68,6 +68,7 @@ char *program_name; + + /* The prefix for system library directories. */ + const char *ld_sysroot; ++char ld_sysconfdir[4096] __attribute__ ((section (".gccrelocprefix"))) = SYSCONFDIR; + + /* The canonical representation of ld_sysroot. */ + char *ld_canon_sysroot; +Index: git/ld/ldmain.h +=================================================================== +--- git.orig/ld/ldmain.h ++++ git/ld/ldmain.h +@@ -23,6 +23,7 @@ + + extern char *program_name; + extern const char *ld_sysroot; ++extern char ld_sysconfdir[4096]; + extern char *ld_canon_sysroot; + extern int ld_canon_sysroot_len; + extern FILE *saved_script_handle; diff --git a/meta/recipes-devtools/binutils/binutils_2.32.bb b/meta/recipes-devtools/binutils/binutils_2.32.bb index 89315915c4..ecdab96658 100644 --- a/meta/recipes-devtools/binutils/binutils_2.32.bb +++ b/meta/recipes-devtools/binutils/binutils_2.32.bb @@ -51,5 +51,10 @@ do_install_class-native () { PACKAGE_BEFORE_PN += "libbfd" FILES_libbfd = "${libdir}/libbfd-*.so" +SRC_URI_append_class-nativesdk = "file://nativesdk-relocation.patch" + +USE_ALTERNATIVES_FOR_class-nativesdk = "" +FILES_${PN}_append_class-nativesdk = " ${bindir}" + BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc index 6aecaad75d..2a0680aeaa 100644 --- a/meta/recipes-devtools/go/go-1.12.inc +++ b/meta/recipes-devtools/go/go-1.12.inc 
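Review bot: In the binutils_2.32.bb hunk, `SRC_URI_append_class-nativesdk = "file://nativesdk-relocation.patch"` has no leading space, and `_append` joins values without inserting one, so unless SRC_URI already ends in whitespace (its definition is not in this hunk) the entry is glued onto the previous URL and the relocation patch is not fetched as its own item. The `FILES_${PN}_append_class-nativesdk = " ${bindir}"` line added just below it shows the usual form. The fix is `SRC_URI_append_class-nativesdk = " file://nativesdk-relocation.patch"`.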
@@ -18,6 +18,10 @@ SRC_URI += "\
 file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
 file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
 file://0010-fix-CVE-2019-17596.patch \
+ file://CVE-2020-15586.patch \
+ file://CVE-2020-16845.patch \
+ file://0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch \
+ file://CVE-2020-24553.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch b/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch
new file mode 100644
index 0000000000..7c07961c03
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch
@@ -0,0 +1,28 @@
+From 8390c478600b852392cb116741b3cb239c94d123 Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick <bradfitz@golang.org>
+Date: Wed, 15 Jan 2020 18:08:10 +0000
+Subject: [PATCH] net/http/cgi: rename a test file to be less cute
+
+My fault (from CL 4245070), sorry.
+
+Change-Id: Ib95d3170dc326e74aa74c22421c4e44a8b00f577
+Reviewed-on: https://go-review.googlesource.com/c/go/+/214920
+Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
+
+Upstream-Status: Backport
+[lz: Add this patch for merging the patch for CVE-2020-24553]
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/net/http/cgi/{matryoshka_test.go => integration_test.go} | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ rename src/net/http/cgi/{matryoshka_test.go => integration_test.go} (100%)
+
+diff --git a/src/net/http/cgi/matryoshka_test.go b/src/net/http/cgi/integration_test.go
+similarity index 100%
+rename from src/net/http/cgi/matryoshka_test.go
+rename to src/net/http/cgi/integration_test.go
+--
+2.17.1
+
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-15586.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-15586.patch
new file mode 100644
index 0000000000..ebdc5aec6d
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-15586.patch
@@ -0,0 +1,131 @@
+From fa98f46741f818913a8c11b877520a548715131f Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Mon, 13 Jul 2020 13:27:22 -0400
+Subject: [PATCH] net/http: synchronize "100 Continue" write and Handler writes
+
+The expectContinueReader writes to the connection on the first
+Request.Body read. Since a Handler might be doing a read in parallel or
+before a write, expectContinueReader needs to synchronize with the
+ResponseWriter, and abort if a response already went out.
+
+The tests will land in a separate CL.
+
+Fixes #34902
+Fixes CVE-2020-15586
+
+Change-Id: Icdd8dd539f45e8863762bd378194bb4741e875fc
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793350
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/242598
+Run-TryBot: Katie Hockman <katie@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-15586
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/net/http/server.go | 43 ++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 7 deletions(-)
+
+diff --git a/src/net/http/server.go b/src/net/http/server.go
+index a995a50658..d41b5f6f48 100644
+--- a/src/net/http/server.go
++++ b/src/net/http/server.go
+@@ -425,6 +425,16 @@ type response struct {
+ wants10KeepAlive bool // HTTP/1.0 w/ Connection "keep-alive"
+ wantsClose bool // HTTP request has Connection "close"
+
++ // canWriteContinue is a boolean value accessed as an atomic int32
++ // that says whether or not a 100 Continue header can be written
++ // to the connection.
++ // writeContinueMu must be held while writing the header.
++ // These two fields together synchronize the body reader
++ // (the expectContinueReader, which wants to write 100 Continue)
++ // against the main writer.
++ canWriteContinue atomicBool
++ writeContinueMu sync.Mutex
++
+ w *bufio.Writer // buffers output in chunks to chunkWriter
+ cw chunkWriter
+
+@@ -515,6 +525,7 @@ type atomicBool int32
+
+ func (b *atomicBool) isSet() bool { return atomic.LoadInt32((*int32)(b)) != 0 }
+ func (b *atomicBool) setTrue() { atomic.StoreInt32((*int32)(b), 1) }
++func (b *atomicBool) setFalse() { atomic.StoreInt32((*int32)(b), 0) }
+
+ // declareTrailer is called for each Trailer header when the
+ // response header is written. It notes that a header will need to be
+@@ -878,21 +889,27 @@ type expectContinueReader struct {
+ resp *response
+ readCloser io.ReadCloser
+ closed bool
+- sawEOF bool
++ sawEOF atomicBool
+ }
+
+ func (ecr *expectContinueReader) Read(p []byte) (n int, err error) {
+ if ecr.closed {
+ return 0, ErrBodyReadAfterClose
+ }
+- if !ecr.resp.wroteContinue && !ecr.resp.conn.hijacked() {
+- ecr.resp.wroteContinue = true
+- ecr.resp.conn.bufw.WriteString("HTTP/1.1 100 Continue\r\n\r\n")
+- ecr.resp.conn.bufw.Flush()
++ w := ecr.resp
++ if !w.wroteContinue && w.canWriteContinue.isSet() && !w.conn.hijacked() {
++ w.wroteContinue = true
++ w.writeContinueMu.Lock()
++ if w.canWriteContinue.isSet() {
++ w.conn.bufw.WriteString("HTTP/1.1 100 Continue\r\n\r\n")
++ w.conn.bufw.Flush()
++ w.canWriteContinue.setFalse()
++ }
++ w.writeContinueMu.Unlock()
+ }
+ n, err = ecr.readCloser.Read(p)
+ if err == io.EOF {
+- ecr.sawEOF = true
++ ecr.sawEOF.setTrue()
+ }
+ return
+ }
+@@ -1311,7 +1328,7 @@ func (cw *chunkWriter) writeHeader(p []byte) {
+ // because we don't know if the next bytes on the wire will be
+ // the body-following-the-timer or the subsequent request.
+ // See Issue 11549.
+- if ecr, ok := w.req.Body.(*expectContinueReader); ok && !ecr.sawEOF {
++ if ecr, ok := w.req.Body.(*expectContinueReader); ok && !ecr.sawEOF.isSet() {
+ w.closeAfterReply = true
+ }
+
+@@ -1561,6 +1578,17 @@ func (w *response) write(lenData int, dataB []byte, dataS string) (n int, err er
+ }
+ return 0, ErrHijacked
+ }
++
++ if w.canWriteContinue.isSet() {
++ // Body reader wants to write 100 Continue but hasn't yet.
++ // Tell it not to. The store must be done while holding the lock
++ // because the lock makes sure that there is not an active write
++ // this very moment.
++ w.writeContinueMu.Lock()
++ w.canWriteContinue.setFalse()
++ w.writeContinueMu.Unlock()
++ }
++
+ if !w.wroteHeader {
+ w.WriteHeader(StatusOK)
+ }
+@@ -1872,6 +1900,7 @@ func (c *conn) serve(ctx context.Context) {
+ if req.ProtoAtLeast(1, 1) && req.ContentLength != 0 {
+ // Wrap the Body reader with one that replies on the connection
+ req.Body = &expectContinueReader{readCloser: req.Body, resp: w}
++ w.canWriteContinue.setTrue()
+ }
+ } else if req.Header.get("Expect") != "" {
+ w.sendExpectationFailed()
+--
+2.17.1
+
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
new file mode 100644
index 0000000000..80f467522f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
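Review bot: In `expectContinueReader.Read`, `w.canWriteContinue.isSet()` is tested once before and once after `w.writeContinueMu.Lock()`, and the second test has no comment although it is the part that closes the race with `response.write`. I would add `// Re-check under the lock: response.write may have cleared the flag since the unlocked test above.` before the inner `if`. `w.wroteContinue = true` is set before the lock is taken, so it is recorded even when the inner test fails and no 100 Continue is sent; a short comment that this is intended would help the next reader. The commit message says the tests land in a separate CL and none is part of this patch, so the recipe carries the fix without a regression test.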
@@ -0,0 +1,110 @@
+From 027d7241ce050d197e7fabea3d541ffbe3487258 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Tue, 4 Aug 2020 11:45:32 -0400
+Subject: [PATCH] encoding/binary: read at most MaxVarintLen64 bytes in
+ ReadUvarint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This CL ensures that ReadUvarint consumes only a limited
+amount of input (instead of an unbounded amount).
+
+On some inputs, ReadUvarint could read an arbitrary number
+of bytes before deciding to return an overflow error.
+After this CL, ReadUvarint returns that same overflow
+error sooner, after reading at most MaxVarintLen64 bytes.
+
+Fix authored by Robert Griesemer and Filippo Valsorda.
+
+Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
+and Preston Van Loon for reporting this.
+
+Fixes #40618
+Fixes CVE-2020-16845
+
+Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/247120
+Run-TryBot: Katie Hockman <katie@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Alexander Rakoczy <alex@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go.git]
+CVE: CVE-2020-16845
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ src/encoding/binary/varint.go | 5 +++--
+ src/encoding/binary/varint_test.go | 18 ++++++++++++------
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/encoding/binary/varint.go b/src/encoding/binary/varint.go
+index bcb8ac9a45..38af61075c 100644
+--- a/src/encoding/binary/varint.go
++++ b/src/encoding/binary/varint.go
+@@ -106,13 +106,13 @@ var overflow = errors.New("binary: varint overflows a 64-bit integer")
+ func ReadUvarint(r io.ByteReader) (uint64, error) {
+ var x uint64
+ var s uint
+- for i := 0; ; i++ {
++ for i := 0; i < MaxVarintLen64; i++ {
+ b, err := r.ReadByte()
+ if err != nil {
+ return x, err
+ }
+ if b < 0x80 {
+- if i > 9 || i == 9 && b > 1 {
++ if i == 9 && b > 1 {
+ return x, overflow
+ }
+ return x | uint64(b)<<s, nil
+@@ -120,6 +120,7 @@ func ReadUvarint(r io.ByteReader) (uint64, error) {
+ x |= uint64(b&0x7f) << s
+ s += 7
+ }
++ return x, overflow
+ }
+
+ // ReadVarint reads an encoded signed integer from r and returns it as an int64.
+diff --git a/src/encoding/binary/varint_test.go b/src/encoding/binary/varint_test.go
+index ca411ecbd6..6ef4c99505 100644
+--- a/src/encoding/binary/varint_test.go
++++ b/src/encoding/binary/varint_test.go
+@@ -121,21 +121,27 @@ func TestBufferTooSmall(t *testing.T) {
+ }
+ }
+
+-func testOverflow(t *testing.T, buf []byte, n0 int, err0 error) {
++func testOverflow(t *testing.T, buf []byte, x0 uint64, n0 int, err0 error) {
+ x, n := Uvarint(buf)
+ if x != 0 || n != n0 {
+ t.Errorf("Uvarint(%v): got x = %d, n = %d; want 0, %d", buf, x, n, n0)
+ }
+
+- x, err := ReadUvarint(bytes.NewReader(buf))
+- if x != 0 || err != err0 {
+- t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want 0, %s", buf, x, err, err0)
++ r := bytes.NewReader(buf)
++ len := r.Len()
++ x, err := ReadUvarint(r)
++ if x != x0 || err != err0 {
++ t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want %d, %s", buf, x, err, x0, err0)
++ }
++ if read := len - r.Len(); read > MaxVarintLen64 {
++ t.Errorf("ReadUvarint(%v): read more than MaxVarintLen64 bytes, got %d", buf, read)
+ }
+ }
+
+ func TestOverflow(t *testing.T) {
+- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, -10, overflow)
+- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, -13, overflow)
++ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, 0, -10, overflow)
++ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, 0, -13, overflow)
++ testOverflow(t, []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 1<<64-1, 0, overflow) // 11 bytes, should overflow
+ }
+
+ func TestNonCanonicalZero(t *testing.T) {
+--
+2.17.0
+
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch
new file mode 100644
index 0000000000..18a218bc9a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch
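Review bot: The new fall-through `return x, overflow` at the end of `ReadUvarint` hands back the partially accumulated value together with the error, and the added test case pins that (`1<<64-1` for eleven `0xFF` bytes), but nothing at the return says so. I would add `// x holds only the bits read so far; callers must not use it when err != nil.` above that line, so code decoding untrusted input does not treat the value as a length. In `testOverflow`, `len := r.Len()` shadows the builtin `len`; `before := r.Len()` with `read := before - r.Len()` reads better. The doc comment of `ReadUvarint` lies above the hunk and is not shown.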
@@ -0,0 +1,429 @@
+From eb07103a083237414145a45f029c873d57037e06 Mon Sep 17 00:00:00 2001
+From: Roberto Clapis <roberto@golang.org>
+Date: Wed, 26 Aug 2020 08:53:03 +0200
+Subject: [PATCH] [release-branch.go1.15-security] net/http/cgi,net/http/fcgi:
+ add Content-Type detection
+
+This CL ensures that responses served via CGI and FastCGI
+have a Content-Type header based on the content of the
+response if not explicitly set by handlers.
+
+If the implementers of the handler did not explicitly
+specify a Content-Type both CGI implementations would default
+to "text/html", potentially causing cross-site scripting.
+
+Thanks to RedTeam Pentesting GmbH for reporting this.
+
+Fixes CVE-2020-24553
+
+Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
+Reviewed-by: Russ Cox <rsc@google.com>
+(cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835311
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-24553
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/net/http/cgi/child.go | 36 ++++++++++-----
+ src/net/http/cgi/child_test.go | 69 ++++++++++++++++++++++++++++
+ src/net/http/cgi/integration_test.go | 53 ++++++++++++++++++++-
+ src/net/http/fcgi/child.go | 39 ++++++++++++----
+ src/net/http/fcgi/fcgi_test.go | 52 +++++++++++++++++++++
+ 5 files changed, 227 insertions(+), 22 deletions(-)
+
+diff --git a/src/net/http/cgi/child.go b/src/net/http/cgi/child.go
+index 9474175f17..61de6165f6 100644
+--- a/src/net/http/cgi/child.go
++++ b/src/net/http/cgi/child.go
+@@ -163,10 +163,12 @@ func Serve(handler http.Handler) error {
+ }
+
+ type response struct {
+- req *http.Request
+- header http.Header
+- bufw *bufio.Writer
+- headerSent bool
++ req *http.Request
++ header http.Header
++ code int
++ wroteHeader bool
++ wroteCGIHeader bool
++ bufw *bufio.Writer
+ }
+
+ func (r *response) Flush() {
+@@ -178,26 +180,38 @@ func (r *response) Header() http.Header {
+ }
+
+ func (r *response) Write(p []byte) (n int, err error) {
+- if !r.headerSent {
++ if !r.wroteHeader {
+ r.WriteHeader(http.StatusOK)
+ }
++ if !r.wroteCGIHeader {
++ r.writeCGIHeader(p)
++ }
+ return r.bufw.Write(p)
+ }
+
+ func (r *response) WriteHeader(code int) {
+- if r.headerSent {
++ if r.wroteHeader {
+ // Note: explicitly using Stderr, as Stdout is our HTTP output.
+ fmt.Fprintf(os.Stderr, "CGI attempted to write header twice on request for %s", r.req.URL)
+ return
+ }
+- r.headerSent = true
+- fmt.Fprintf(r.bufw, "Status: %d %s\r\n", code, http.StatusText(code))
++ r.wroteHeader = true
++ r.code = code
++}
+
+- // Set a default Content-Type
++// writeCGIHeader finalizes the header sent to the client and writes it to the output.
++// p is not written by writeHeader, but is the first chunk of the body
++// that will be written. It is sniffed for a Content-Type if none is
++// set explicitly.
++func (r *response) writeCGIHeader(p []byte) {
++ if r.wroteCGIHeader {
++ return
++ }
++ r.wroteCGIHeader = true
++ fmt.Fprintf(r.bufw, "Status: %d %s\r\n", r.code, http.StatusText(r.code))
+ if _, hasType := r.header["Content-Type"]; !hasType {
+- r.header.Add("Content-Type", "text/html; charset=utf-8")
++ r.header.Set("Content-Type", http.DetectContentType(p))
+ }
+-
+ r.header.Write(r.bufw)
+ r.bufw.WriteString("\r\n")
+ r.bufw.Flush()
+diff --git a/src/net/http/cgi/child_test.go b/src/net/http/cgi/child_test.go
+index 14e0af475f..f6ecb6eb80 100644
+--- a/src/net/http/cgi/child_test.go
++++ b/src/net/http/cgi/child_test.go
+@@ -7,6 +7,11 @@
+ package cgi
+
+ import (
++ "bufio"
++ "bytes"
++ "net/http"
++ "net/http/httptest"
++ "strings"
+ "testing"
+ )
+
+@@ -148,3 +153,67 @@ func TestRequestWithoutRemotePort(t *testing.T) {
+ t.Errorf("RemoteAddr: got %q; want %q", g, e)
+ }
+ }
++
++type countingWriter int
++
++func (c *countingWriter) Write(p []byte) (int, error) {
++ *c += countingWriter(len(p))
++ return len(p), nil
++}
++func (c *countingWriter) WriteString(p string) (int, error) {
++ *c += countingWriter(len(p))
++ return len(p), nil
++}
++
++func TestResponse(t *testing.T) {
++ var tests = []struct {
++ name string
++ body string
++ wantCT string
++ }{
++ {
++ name: "no body",
++ wantCT: "text/plain; charset=utf-8",
++ },
++ {
++ name: "html",
++ body: "<html><head><title>test page</title></head><body>This is a body</body></html>",
++ wantCT: "text/html; charset=utf-8",
++ },
++ {
++ name: "text",
++ body: strings.Repeat("gopher", 86),
++ wantCT: "text/plain; charset=utf-8",
++ },
++ {
++ name: "jpg",
++ body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
++ wantCT: "image/jpeg",
++ },
++ }
++ for _, tt := range tests {
++ t.Run(tt.name, func(t *testing.T) {
++ var buf bytes.Buffer
++ resp := response{
++ req: httptest.NewRequest("GET", "/", nil),
++ header: http.Header{},
++ bufw: bufio.NewWriter(&buf),
++ }
++ n, err := resp.Write([]byte(tt.body))
++ if err != nil {
++ t.Errorf("Write: unexpected %v", err)
++ }
++ if want := len(tt.body); n != want {
++ t.Errorf("reported short Write: got %v want %v", n, want)
++ }
++ resp.writeCGIHeader(nil)
++ resp.Flush()
++ if got := resp.Header().Get("Content-Type"); got != tt.wantCT {
++ t.Errorf("wrong content-type: got %q, want %q", got, tt.wantCT)
++ }
++ if !bytes.HasSuffix(buf.Bytes(), []byte(tt.body)) {
++ t.Errorf("body was not correctly written")
++ }
++ })
++ }
++}
+diff --git a/src/net/http/cgi/integration_test.go b/src/net/http/cgi/integration_test.go
+index 32d59c09a3..295c3b82d4 100644
+--- a/src/net/http/cgi/integration_test.go
++++ b/src/net/http/cgi/integration_test.go
+@@ -16,7 +16,9 @@ import (
+ "io"
+ "net/http"
+ "net/http/httptest"
++ "net/url"
+ "os"
++ "strings"
+ "testing"
+ "time"
+ )
+@@ -52,7 +54,7 @@ func TestHostingOurselves(t *testing.T) {
+ }
+ replay := runCgiTest(t, h, "GET /test.go?foo=bar&a=b HTTP/1.0\nHost: example.com\n\n", expectedMap)
+
+- if expected, got := "text/html; charset=utf-8", replay.Header().Get("Content-Type"); got != expected {
++ if expected, got := "text/plain; charset=utf-8", replay.Header().Get("Content-Type"); got != expected {
+ t.Errorf("got a Content-Type of %q; expected %q", got, expected)
+ }
+ if expected, got := "X-Test-Value", replay.Header().Get("X-Test-Header"); got != expected {
+@@ -152,6 +154,51 @@ func TestChildOnlyHeaders(t *testing.T) {
+ }
+ }
+
++func TestChildContentType(t *testing.T) {
++ testenv.MustHaveExec(t)
++
++ h := &Handler{
++ Path: os.Args[0],
++ Root: "/test.go",
++ Args: []string{"-test.run=TestBeChildCGIProcess"},
++ }
++ var tests = []struct {
++ name string
++ body string
++ wantCT string
++ }{
++ {
++ name: "no body",
++ wantCT: "text/plain; charset=utf-8",
++ },
++ {
++ name: "html",
++ body: "<html><head><title>test page</title></head><body>This is a body</body></html>",
++ wantCT: "text/html; charset=utf-8",
++ },
++ {
++ name: "text",
++ body: strings.Repeat("gopher", 86),
++ wantCT: "text/plain; charset=utf-8",
++ },
++ {
++ name: "jpg",
++ body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
++ wantCT: "image/jpeg",
++ },
++ }
++ for _, tt := range tests {
++ t.Run(tt.name, func(t *testing.T) {
++ expectedMap := map[string]string{"_body": tt.body}
++ req := fmt.Sprintf("GET /test.go?exact-body=%s HTTP/1.0\nHost: example.com\n\n", url.QueryEscape(tt.body))
++ replay := runCgiTest(t, h, req, expectedMap)
++ if got := replay.Header().Get("Content-Type"); got != tt.wantCT {
++ t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT)
++ }
++ })
++ }
++}
++
+ // golang.org/issue/7198
+ func Test500WithNoHeaders(t *testing.T) { want500Test(t, "/immediate-disconnect") }
+ func Test500WithNoContentType(t *testing.T) { want500Test(t, "/no-content-type") }
+@@ -203,6 +250,10 @@ func TestBeChildCGIProcess(t *testing.T) {
+ if req.FormValue("no-body") == "1" {
+ return
+ }
++ if eb, ok := req.Form["exact-body"]; ok {
++ io.WriteString(rw, eb[0])
++ return
++ }
+ if req.FormValue("write-forever") == "1" {
+ io.Copy(rw, neverEnding('a'))
+ for {
+diff --git a/src/net/http/fcgi/child.go b/src/net/http/fcgi/child.go
+index 30a6b2ce2d..a31273b3ec 100644
+--- a/src/net/http/fcgi/child.go
++++ b/src/net/http/fcgi/child.go
+@@ -74,10 +74,12 @@ func (r *request) parseParams() {
+
+ // response implements http.ResponseWriter.
+ type response struct {
+- req *request
+- header http.Header
+- w *bufWriter
+- wroteHeader bool
++ req *request
++ header http.Header
++ code int
++ wroteHeader bool
++ wroteCGIHeader bool
++ w *bufWriter
+ }
+
+ func newResponse(c *child, req *request) *response {
+@@ -92,11 +94,14 @@ func (r *response) Header() http.Header {
+ return r.header
+ }
+
+-func (r *response) Write(data []byte) (int, error) {
++func (r *response) Write(p []byte) (n int, err error) {
+ if !r.wroteHeader {
+ r.WriteHeader(http.StatusOK)
+ }
+- return r.w.Write(data)
++ if !r.wroteCGIHeader {
++ r.writeCGIHeader(p)
++ }
++ return r.w.Write(p)
+ }
+
+ func (r *response) WriteHeader(code int) {
+@@ -104,22 +109,34 @@ func (r *response) WriteHeader(code int) {
+ return
+ }
+ r.wroteHeader = true
++ r.code = code
+ if code == http.StatusNotModified {
+ // Must not have body.
+ r.header.Del("Content-Type")
+ r.header.Del("Content-Length")
+ r.header.Del("Transfer-Encoding")
+- } else if r.header.Get("Content-Type") == "" {
+- r.header.Set("Content-Type", "text/html; charset=utf-8")
+ }
+-
+ if r.header.Get("Date") == "" {
+ r.header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
+ }
++}
+
+- fmt.Fprintf(r.w, "Status: %d %s\r\n", code, http.StatusText(code))
++// writeCGIHeader finalizes the header sent to the client and writes it to the output.
++// p is not written by writeHeader, but is the first chunk of the body
++// that will be written. It is sniffed for a Content-Type if none is
++// set explicitly.
++func (r *response) writeCGIHeader(p []byte) {
++ if r.wroteCGIHeader {
++ return
++ }
++ r.wroteCGIHeader = true
++ fmt.Fprintf(r.w, "Status: %d %s\r\n", r.code, http.StatusText(r.code))
++ if _, hasType := r.header["Content-Type"]; r.code != http.StatusNotModified && !hasType {
++ r.header.Set("Content-Type", http.DetectContentType(p))
++ }
+ r.header.Write(r.w)
+ r.w.WriteString("\r\n")
++ r.w.Flush()
+ }
+
+ func (r *response) Flush() {
+@@ -290,6 +307,8 @@ func (c *child) serveRequest(req *request, body io.ReadCloser) {
+ httpReq = httpReq.WithContext(envVarCtx)
+ c.handler.ServeHTTP(r, httpReq)
+ }
++ // Make sure we serve something even if nothing was written to r
++ r.Write(nil)
+ r.Close()
+ c.mu.Lock()
+ delete(c.requests, req.reqId)
+diff --git a/src/net/http/fcgi/fcgi_test.go b/src/net/http/fcgi/fcgi_test.go
+index e9d2b34023..4a27a12c35 100644
+--- a/src/net/http/fcgi/fcgi_test.go
++++ b/src/net/http/fcgi/fcgi_test.go
+@@ -10,6 +10,7 @@ import (
+ "io"
+ "io/ioutil"
+ "net/http"
++ "strings"
+ "testing"
+ )
+
+@@ -344,3 +345,54 @@ func TestChildServeReadsEnvVars(t *testing.T) {
+ <-done
+ }
+ }
++
++func TestResponseWriterSniffsContentType(t *testing.T) {
++ var tests = []struct {
++ name string
++ body string
++ wantCT string
++ }{
++ {
++ name: "no body",
++ wantCT: "text/plain; charset=utf-8",
++ },
++ {
++ name: "html",
++ body: "<html><head><title>test page</title></head><body>This is a body</body></html>",
++ wantCT: "text/html; charset=utf-8",
++ },
++ {
++ name: "text",
++ body: strings.Repeat("gopher", 86),
++ wantCT: "text/plain; charset=utf-8",
++ },
++ {
++ name: "jpg",
++ body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
++ wantCT: "image/jpeg",
++ },
++ }
++ for _, tt := range tests {
++ t.Run(tt.name, func(t *testing.T) {
++ input := make([]byte, len(streamFullRequestStdin))
++ copy(input, streamFullRequestStdin)
++ rc := nopWriteCloser{bytes.NewBuffer(input)}
++ done := make(chan bool)
++ var resp *response
++ c := newChild(rc, http.HandlerFunc(func(
++ w http.ResponseWriter,
++ r *http.Request,
++ ) {
++ io.WriteString(w, tt.body)
++ resp = w.(*response)
++ done <- true
++ }))
++ defer c.cleanUp()
++ go c.serve()
++ <-done
++ if got := resp.Header().Get("Content-Type"); got != tt.wantCT {
++ t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT)
++ }
++ })
++ }
++}
+--
+2.17.1
+
diff --git a/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch
new file mode 100644
index 0000000000..594510342b
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch
@@ -0,0 +1,23 @@
+traceback2 adds traceback for python2. Rather than depend on traceback2, we're
+python3 only so just use traceback.
+This caused breakage in oe-selftest -j which uses testtools on the autobuilder
+using buildtools-tarball.
+
+Upstream-Status: Inappropriate [Our recipe is python3 specific]
+(Once py2 is EOL upstream probably could/should take this)
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: testtools-2.3.0/testtools/content.py
+===================================================================
+--- testtools-2.3.0.orig/testtools/content.py
++++ testtools-2.3.0/testtools/content.py
+@@ -19,8 +19,7 @@ import os
+ import sys
+
+ from extras import try_import
+-# To let setup.py work, make this a conditional import.
+-traceback = try_import('traceback2')
++import traceback
+
+ from testtools.compat import (
+ _b,
diff --git a/meta/recipes-devtools/python/python3-testtools_2.3.0.bb b/meta/recipes-devtools/python/python3-testtools_2.3.0.bb
index 896ecee65c..a254b90a75 100644
--- a/meta/recipes-devtools/python/python3-testtools_2.3.0.bb
+++ b/meta/recipes-devtools/python/python3-testtools_2.3.0.bb
@@ -1,2 +1,4 @@
 inherit setuptools3
 require python-testtools.inc
+
+SRC_URI += "file://no_traceback2.patch"
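Review bot: `writeCGIHeader` in cgi/child.go and fcgi/child.go sniffs only the slice handed to the first `Write`, so a handler that emits its body in small pieces gets a type guessed from the first piece alone, and a body that begins with markup is still labelled `text/html`. The doc comment should say so, for example `// Only the first Write is sniffed; handlers that echo untrusted data should set Content-Type explicitly.` The same comment refers to `writeHeader`, presumably meaning `writeCGIHeader`. In integration_test.go and fcgi_test.go the failure text says "expected it to start with" while the check is the exact comparison `got != tt.wantCT`, and `countingWriter` in child_test.go is not used by `TestResponse` in the lines shown.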
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5cdba1f02c..ec32c90ad5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,10 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-11869.patch \
 file://CVE-2020-13765.patch \
 file://CVE-2020-10702.patch \
+ file://CVE-2020-16092.patch \
+ file://CVE-2020-10756.patch \
+ file://CVE-2020-15863.patch \
+ file://CVE-2020-14364.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
new file mode 100644
index 0000000000..306aef061b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
@@ -0,0 +1,40 @@
+From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp <rhafer@suse.com>
+Date: Fri, 3 Jul 2020 14:51:16 +0200
+Subject: [PATCH] Drop bogus IPv6 messages
+
+Drop IPv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). They're invalid an could
+lead to data leakage in icmp6_send_echoreply().
+
+CVE: CVE-2020-10756
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
+
+[SG: Based on libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 and adjusted context]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ slirp/src/ip6_input.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index d9d2b7e9..0f2b1785 100644
+--- a/slirp/src/ip6_input.c
++++ b/slirp/src/ip6_input.c
+@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
+ goto bad;
+ }
+
++ // Check if the message size is big enough to hold what's
++ // set in the payload length header. If not this is an invalid
++ // packet
++ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
++ goto bad;
++ }
++
+ /* check ip_ttl for a correct ICMP reply */
+ if (ip6->ip_hl == 0) {
+ icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+--
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
new file mode 100644
index 0000000000..a109ac08d6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
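Review bot: The added length check compares `m->m_len` with `ntohs(ip6->ip_pl) + sizeof(struct ip6)`, an expression of type `size_t`, so if `m_len` is a signed `int` (its declaration is outside the hunk) it is converted to unsigned for the comparison. A comment stating that `m_len` cannot be negative at this point, or an explicit cast, would make the bound easier to audit. The new comment uses `//` while the next comment in the same function uses `/* ... */`; `/* Reject packets shorter than the payload length the header claims. */` would match the surrounding style. `ip6_input` begins and ends outside the hunk.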
@@ -0,0 +1,93 @@
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+
+Upstream-Status: Backport
+CVE: CVE-2020-14364
+[https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128..5234dcc 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+ int request, value, index;
++ unsigned int setup_len;
+
+ if (p->iov.size != 8) {
+ p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
+ s->setup_index = 0;
+ p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+ int i, request, value, index;
++ unsigned int setup_len;
+
+ for (i = 0; i < 8; i++) {
+ s->setup_buf[i] = p->parameter >> (i*8);
+ }
+
+ s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ s->setup_index = 0;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ if (p->pid == USB_TOKEN_OUT) {
+ usb_packet_copy(p, s->data_buf, s->setup_len);
+--
+2.17.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
new file mode 100644
index 0000000000..9927584d11
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
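Review bot: `setup_len` is now declared `unsigned int`, but both `fprintf` calls, in `do_token_setup` and in `do_parameter`, still print it with `%d`; the format should become `(%u > %zu)`. The value is assembled from two bytes and cannot exceed 0xffff, so the printed number is not wrong in practice, but the signedness mismatch is what `-Wformat-signedness` reports. It would also help to note above `s->setup_len = setup_len;` that the field keeps its previous, already validated value when the check fails. Both functions continue outside the hunks.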
@@ -0,0 +1,64 @@
+From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Fri, 10 Jul 2020 11:19:41 +0200
+Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
+
+A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
+occurs while sending an Ethernet frame due to missing break statements
+and improper checking of the buffer size.
+
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2020-15863
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/xgmac.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
+index f49df95..f496f7e 100644
+--- a/hw/net/xgmac.c
++++ b/hw/net/xgmac.c
+@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
+ }
+ len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
+
++ /*
++ * FIXME: these cases of malformed tx descriptors (bad sizes)
++ * should probably be reported back to the guest somehow
++ * rather than simply silently stopping processing, but we
++ * don't know what the hardware does in this situation.
++ * This will only happen for buggy guests anyway.
++ */
+ if ((bd.buffer1_size & 0xfff) > 2048) {
+ DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+ "xgmac buffer 1 len on send > 2048 (0x%x)\n",
+ __func__, bd.buffer1_size & 0xfff);
++ break;
+ }
+ if ((bd.buffer2_size & 0xfff) != 0) {
+ DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+ "xgmac buffer 2 len on send != 0 (0x%x)\n",
+ __func__, bd.buffer2_size & 0xfff);
++ break;
+ }
+- if (len >= sizeof(frame)) {
++ if (frame_size + len >= sizeof(frame)) {
+ DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
+- "buffer\n" , __func__, len, sizeof(frame));
++ "buffer\n" , __func__, frame_size + len, sizeof(frame));
+ DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
+ __func__, bd.buffer1_size, bd.buffer2_size);
++ break;
+ }
+
+ cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
new file mode 100644
index 0000000000..8ce01e26ad
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
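Review bot: The new bound `frame_size + len >= sizeof(frame)` also rejects a descriptor that would fill `frame` exactly, and nothing in the hunk says whether that is intended. If it is deliberate (it mirrors the old `len >= sizeof(frame)`), a short comment above the test would record it: `/* >= keeps one byte spare: a frame of exactly sizeof(frame) bytes is dropped */`. The declarations of `frame_size` and `frame` are outside the hunk, so the types in the sum could not be checked here; `len` is at most two 12-bit sizes, so a wrap looks unlikely, but confirm against the full function. The loop that the added `break` statements leave also starts and ends outside the hunk.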
@@ -0,0 +1,49 @@
+From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Sat, 1 Aug 2020 18:42:38 +0200
+Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
+ net_tx_pkt_add_raw_fragment()
+
+An assertion failure issue was found in the code that processes network
+packets
+while adding data fragments into the packet context. It could be abused
+by a
+malicious guest to abort the QEMU process on the host. This patch
+replaces the
+affected assert() with a conditional statement, returning false if the
+current
+data fragment exceeds max_raw_frags.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-16092
+[https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 162f802..54d4c3b 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
+ hwaddr mapped_len = 0;
+ struct iovec *ventry;
+ assert(pkt);
+- assert(pkt->max_raw_frags > pkt->raw_frags);
++
++ if (pkt->raw_frags >= pkt->max_raw_frags) {
++ return false;
++ }
+
+ if (!len) {
+ return true;
+--
+2.17.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
new file mode 100644
index 0000000000..20a604869b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
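Review bot: Replacing the assert with `return false` only helps if every caller of net_tx_pkt_add_raw_fragment() checks the result, and the callers are not part of this patch. Before relying on the backport, confirm in the QEMU version this recipe builds that the device models calling it stop processing the packet on `false` instead of carrying on with a partly built fragment list. The remaining `assert(pkt)` is left as is; presumably `pkt` is never guest-controlled, but the hunk does not show that. The function body continues outside the hunk.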
@@ -0,0 +1,37 @@
+From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sat, 25 Jul 2020 19:33:50 +0200
+Subject: [PATCH] fix for ZDI-11426
+
+Avoid leaking un-initalized memory to clients by zeroing the
+whole pixmap on initial allocation.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-14347
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ dix/pixmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/pixmap.c b/dix/pixmap.c
+index 1186d7dbb..5a0146bbb 100644
+--- a/dix/pixmap.c
++++ b/dix/pixmap.c
+@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
+ if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
+ return NullPixmap;
+
+- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
++ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
+ if (!pPixmap)
+ return NullPixmap;
+
+--
+2.17.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
index 3de6d22e57..f0f15a2584 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
 file://0001-test-xtest-Initialize-array-with-braces.patch \
 file://0001-compiler.h-Do-not-include-sys-io.h-on-ARM-with-glibc.patch \
 file://sdksyms-no-build-path.patch \
+ file://CVE-2020-14347.patch \
 "
 SRC_URI[md5sum] = "c9fc7e21e11286dbedd22c00df652130"
 SRC_URI[sha256sum] = "a81d8243f37e75a03d4f8c55f96d0bc25802be6ec45c3bfa5cb614c6d01bac9d"
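Review bot: The patch header carries `Upstream-Status: Backport` with no reference to the upstream commit, so the provenance of this security fix cannot be checked from the recipe alone. The `From` line already names the commit, so the tag can point at it: `Upstream-Status: Backport [<upstream URL for commit aac28e162e5108510065ad4c323affd6deffd816>]`. The same gap, in a milder form, is in CVE-2020-24659.patch, whose tag cites only the repository root `https://gitlab.com/gnutls/gnutls.git` and not commit 29ee67c205855e848a0a26e6d0e4f65b6b943e0a.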
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc index bc24b05fec..92b473add6 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc @@ -3,7 +3,7 @@ HOMEPAGE = "http://gstreamer.freedesktop.org/" BUGTRACKER = "https://bugzilla.gnome.org/enter_bug.cgi?product=Gstreamer" SECTION = "multimedia" -DEPENDS = "gstreamer1.0 glib-2.0-native" +DEPENDS = "gstreamer1.0 glib-2.0-native make-native" SRC_URI_append = " file://gtk-doc-tweaks.patch" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb index 15ef5d1b28..b7470b0047 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb @@ -4,7 +4,7 @@ SECTION = "multimedia" LICENSE = "LGPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d" -DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base" +DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base make-native" PNREAL = "gst-rtsp-server" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb index cf7c1bca12..96a6ade22b 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb @@ -6,7 +6,7 @@ BUGTRACKER = "https://bugzilla.gnome.org/enter_bug.cgi?product=Gstreamer" SECTION = "multimedia" LICENSE = "LGPLv2+" -DEPENDS = "glib-2.0 glib-2.0-native libcap libxml2 bison-native flex-native" +DEPENDS = "glib-2.0 glib-2.0-native libcap libxml2 bison-native flex-native make-native" inherit autotools pkgconfig gettext upstream-version-is-even gobject-introspection gtk-doc ptest 
diff --git a/meta/recipes-support/attr/acl_2.2.52.bb b/meta/recipes-support/attr/acl_2.2.52.bb index 6bc77d868d..31ec64a43d 100644 --- a/meta/recipes-support/attr/acl_2.2.52.bb +++ b/meta/recipes-support/attr/acl_2.2.52.bb @@ -25,6 +25,9 @@ SRC_URI[sha256sum] = "179074bb0580c06c4b4137be4c5a92a701583277967acdb5546043c787 require ea-acl.inc +# Has issues with newer versions of make +PARALLEL_MAKEINST = "" + # avoid RPATH hardcode to staging dir do_configure_append() { sed -i ${S}/config.status -e s,^\\\(hardcode_into_libs=\\\).*$,\\1\'no\', diff --git a/meta/recipes-support/attr/attr_2.4.47.bb b/meta/recipes-support/attr/attr_2.4.47.bb index fc88bef830..c3da66a0c7 100644 --- a/meta/recipes-support/attr/attr_2.4.47.bb +++ b/meta/recipes-support/attr/attr_2.4.47.bb @@ -12,4 +12,7 @@ SRC_URI += "file://attr-Missing-configure.ac.patch \ SRC_URI[md5sum] = "84f58dec00b60f2dc8fd1c9709291cc7" SRC_URI[sha256sum] = "25772f653ac5b2e3ceeb89df50e4688891e21f723c460636548971652af0a859" +# Has issues with newer versions of make +PARALLEL_MAKEINST = "" + BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch new file mode 100644 index 0000000000..1702325e66 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch 
@@ -0,0 +1,117 @@
+From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 22 Aug 2020 17:19:39 +0200
+Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is
+ incomplete
+
+If the initial handshake is incomplete and the server sends a
+no_renegotiation alert, the client should treat it as a fatal error
+even if its level is warning. Otherwise the same handshake
+state (e.g., DHE parameters) are reused in the next gnutls_handshake
+call, if it is called in the loop idiom:
+
+ do {
+ ret = gnutls_handshake(session);
+ } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+CVE: CVE-2020-24659
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ lib/gnutls_int.h | 1 +
+ lib/handshake.c | 48 +++++++++++++-----
+ 2 files changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index bb6c19713..31cec5c0c 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -1370,6 +1370,7 @@ typedef struct {
+ #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
+ #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
+ #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
++#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
+
+ /* The hsk_flags are for use within the ongoing handshake;
+ * they are reset to zero prior to handshake start by gnutls_handshake. */
+diff --git a/lib/handshake.c b/lib/handshake.c
+index b40f84b3d..ce2d160e2 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
++ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
++
+ return 0;
+ }
+
+@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session)
+ return 0;
+ }
+
++/* This function checks whether the error code should be treated fatal
++ * or not, and also does the necessary state transition. In
++ * particular, in the case of a rehandshake abort it resets the
++ * handshake's internal state.
++ */
+ inline static int
+ _gnutls_abort_handshake(gnutls_session_t session, int ret)
+ {
+- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
+- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
+- || ret == GNUTLS_E_GOT_APPLICATION_DATA)
+- return 0;
++ switch (ret) {
++ case GNUTLS_E_WARNING_ALERT_RECEIVED:
++ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
++ /* The server always toleretes a "no_renegotiation" alert. */
++ if (session->security_parameters.entity == GNUTLS_SERVER) {
++ STATE = STATE0;
++ return ret;
++ }
++
++ /* The client should tolerete a "no_renegotiation" alert only if:
++ * - the initial handshake has completed, or
++ * - a Server Hello is not yet received
++ */
++ if (session->internals.initial_negotiation_completed ||
++ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
++ STATE = STATE0;
++ return ret;
++ }
+
+- /* this doesn't matter */
+- return GNUTLS_E_INTERNAL_ERROR;
++ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
++ }
++ return ret;
++ case GNUTLS_E_GOT_APPLICATION_DATA:
++ STATE = STATE0;
++ return ret;
++ default:
++ return ret;
++ }
+ }
+
+
+@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session)
+ }
+
+ if (ret < 0) {
+- /* In the case of a rehandshake abort
+- * we should reset the handshake's internal state.
+- */
+- if (_gnutls_abort_handshake(session, ret) == 0)
+- STATE = STATE0;
+-
+- return ret;
++ return _gnutls_abort_handshake(session, ret);
+ }
+
+ /* clear handshake buffer */
+--
+2.17.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.13.bb b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
index ab537981ac..2ed012f9d6 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.13.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 file://CVE-2020-13777-a.patch \
 file://CVE-2020-13777-b.patch \
 file://CVE-2020-13777-c.patch \
+ file://CVE-2020-24659.patch \
 "
 SRC_URI[md5sum] = "bb1fe696a11543433785b4fc70ca225f"
diff --git a/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch b/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch
new file mode 100644
index 0000000000..183512fd7d
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch
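Review bot: In the rewritten `_gnutls_abort_handshake()`, the client-side rejection works only because `GNUTLS_E_UNEXPECTED_PACKET` ends the retry loop quoted in the commit message, and the code does not state that link. A comment at that return would make the requirement explicit: `/* must be a code gnutls_error_is_fatal() reports as fatal, so caller retry loops stop */`. The paths that return the original `ret` after `STATE = STATE0` keep the warning-level code, so anyone changing this switch later needs to know which branches are meant to stay retryable.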
@@ -0,0 +1,41 @@
+--- pcre-8.43/pcre_compile.c 2020-07-05 22:26:25.310501521 +0530
++++ pcre-8.43/pcre_compile1.c 2020-07-05 22:30:22.254489562 +0530
+
+CVE: CVE-2020-14155
+Upstream-Status: Backport [https://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?view=patch&r1=1761&r2=1760&pathrev=1761]
+Signed-off-by: Rahul Taya<Rahul.Taya@kpit.com>
+
+@@ -6,7 +6,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+ Written by Philip Hazel
+- Copyright (c) 1997-2018 University of Cambridge
++ Copyright (c) 1997-2020 University of Cambridge
+
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -7130,17 +7130,19 @@
+ int n = 0;
+ ptr++;
+ while(IS_DIGIT(*ptr))
++ {
+ n = n * 10 + *ptr++ - CHAR_0;
++ if (n > 255)
++ {
++ *errorcodeptr = ERR38;
++ goto FAILED;
++ }
++ }
+ if (*ptr != CHAR_RIGHT_PARENTHESIS)
+ {
+ *errorcodeptr = ERR39;
+ goto FAILED;
+ }
+- if (n > 255)
+- {
+- *errorcodeptr = ERR38;
+- goto FAILED;
+- }
+ *code++ = n;
+ PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
+ PUT(code, LINK_SIZE, 0); /* Default length */
diff --git a/meta/recipes-support/libpcre/libpcre_8.43.bb b/meta/recipes-support/libpcre/libpcre_8.43.bb
index b97af08b25..60ece64504 100644
--- a/meta/recipes-support/libpcre/libpcre_8.43.bb
+++ b/meta/recipes-support/libpcre/libpcre_8.43.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \
 file://out-of-tree.patch \
 file://run-ptest \
 file://Makefile \
+ file://CVE-2020-14155.patch \
 "
 SRC_URI[md5sum] = "636222e79e392c3d95dcc545f24f98c4" |
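Review bot: The patch header names two different files, `--- pcre-8.43/pcre_compile.c` and `+++ pcre-8.43/pcre_compile1.c`, so which file receives the fix depends on how the patch tool resolves the mismatch. Regenerating the header with the same path on both lines, `+++ pcre-8.43/pcre_compile.c`, removes the ambiguity and makes it plain that the moved `n > 255` check lands in the file that is actually compiled. The first inner hunk only changes the copyright year and could be dropped so the backport stays limited to the CVE fix.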