Diffstat (limited to 'meta/recipes-extended')
40 files changed, 894 insertions, 142 deletions
diff --git a/meta/recipes-extended/asciidoc/asciidoc_9.1.0.bb b/meta/recipes-extended/asciidoc/asciidoc_9.1.0.bb index dd9f8e32c4..6d52b5ba04 100644 --- a/meta/recipes-extended/asciidoc/asciidoc_9.1.0.bb +++ b/meta/recipes-extended/asciidoc/asciidoc_9.1.0.bb @@ -8,7 +8,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=4e5d1baf6f20559e3bec172226a47e4e \ file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 " -SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https;branch=9.x" +SRC_URI = "git://github.com/asciidoc/asciidoc-py;protocol=https;branch=9.x" SRCREV = "9705d428439530104ce55d0ba12e8ef9d1b57ad1" DEPENDS = "libxml2-native libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb index 296bc68d41..ab63012922 100644 --- a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb +++ b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb @@ -22,7 +22,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;beginline=4;endline=37;md5=600af43c50f1fcb82e " SRC_URI = "https://sourceware.org/pub/${BPN}/${BPN}-${PV}.tar.gz \ - git://sourceware.org/git/bzip2-tests.git;name=bzip2-tests \ + git://sourceware.org/git/bzip2-tests.git;name=bzip2-tests;branch=master \ file://configure.ac;subdir=${BP} \ file://Makefile.am;subdir=${BP} \ file://run-ptest \ diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index f6f8637a43..a8e790bd8f 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc 
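Review bot: The `bzip2-tests` entry in `bzip2_1.0.8.bb` gains `branch=master` but still has no `protocol=` parameter, so it presumably stays on the fetcher's default plain `git://` transport. Every other git entry visible in this commit carries `protocol=https`. Plain `git://` has no server authentication or transport encryption, which leaves the pinned revision as the only integrity control for the test data, and the revision for this named entry is not visible in the hunk. If the server offers the repository over HTTPS, I would write `git://sourceware.org/git/bzip2-tests.git;name=bzip2-tests;branch=master;protocol=https \`.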
@@ -44,11 +44,12 @@ PACKAGECONFIG[avahi] = "--enable-avahi,--disable-avahi,avahi" PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl" PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls" PACKAGECONFIG[pam] = "--enable-pam --with-pam-module=unix, --disable-pam, libpam" -PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--without-systemd,systemd" +PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--disable-systemd,systemd" PACKAGECONFIG[xinetd] = "--with-xinetd=${sysconfdir}/xinetd.d,--without-xinetd,xinetd" EXTRA_OECONF = " \ --enable-dbus \ + --with-dbusdir=${sysconfdir}/dbus-1 \ --enable-browsing \ --disable-gssapi \ --enable-debug \ diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781.patch new file mode 100644 index 0000000000..27ef83bb85 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781.patch 
@@ -0,0 +1,236 @@ +From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Tue, 7 Sep 2021 20:36:12 +0100 +Subject: [PATCH] Bug 704342: Include device specifier strings in access + validation + +for the "%pipe%", %handle%" and %printer% io devices. + +We previously validated only the part after the "%pipe%" Postscript device +specifier, but this proved insufficient. + +This rebuilds the original file name string, and validates it complete. The +slight complication for "%pipe%" is it can be reached implicitly using +"|" so we have to check both prefixes. + +Addresses CVE-2021-3781 + +Upstream-Status: Backport[https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20] +CVE: CVE-2021-3781 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + base/gdevpipe.c | 22 +++++++++++++++- + base/gp_mshdl.c | 11 +++++++- + base/gp_msprn.c | 10 ++++++- + base/gp_os2pr.c | 13 +++++++++- + base/gslibctx.c | 69 ++++++++++--------------------------------------- + 5 files changed, 65 insertions(+), 60 deletions(-) + +diff --git a/base/gdevpipe.c b/base/gdevpipe.c +index 96d71f5d8..5bdc485be 100644 +--- a/base/gdevpipe.c ++++ b/base/gdevpipe.c +@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, + #else + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ /* The pipe device can be reached in two ways, explicltly with %pipe% ++ or implicitly with "|", so we have to check for both ++ */ ++ char f[gp_file_name_sizeof]; ++ const char *pipestr = "|"; ++ const size_t pipestrlen = strlen(pipestr); ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); ++ int code1; ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ code1 = gp_validate_path(mem, f, access); ++ 
++ memcpy(f, pipestr, pipestrlen); ++ memcpy(f + pipestrlen, fname, nlen + 1); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) + return gs_error_invalidfileaccess; + + /* +diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c +index 2b964ed74..8d87ceadc 100644 +--- a/base/gp_mshdl.c ++++ b/base/gp_mshdl.c +@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, + long hfile; /* Correct for Win32, may be wrong for Win64 */ + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ char f[gp_file_name_sizeof]; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, f, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_handle method. */ +diff --git a/base/gp_msprn.c b/base/gp_msprn.c +index ed4827968..746a974f7 100644 +--- a/base/gp_msprn.c ++++ b/base/gp_msprn.c +@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + uintptr_t *ptid = &((tid_t *)(iodev->state))->tid; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(pname, iodev->dname, preflen); ++ memcpy(pname + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, pname, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_printer method. 
*/ +diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c +index f852c71fc..ba54cde66 100644 +--- a/base/gp_os2pr.c ++++ b/base/gp_os2pr.c +@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + FILE ** pfile, char *rfname, uint rnamelen) + { + os2_printer_t *pr = (os2_printer_t *)iodev->state; +- char driver_name[256]; ++ char driver_name[gp_file_name_sizeof]; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const int size_t = strlen(fname); ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(driver_name, iodev->dname, preflen); ++ memcpy(driver_name + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, driver_name, access) != 0) ++ return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ + /* Note that the loop condition here ensures we don't +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 6dfed6cd5..318039fad 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) + int + gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ + rewrite_percent_specifiers(f); +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and 
just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_add_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_add_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_add_control_path(mem, gs_permit_file_control, fp); ++ ++ code = gs_add_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_add_control_path(mem, gs_permit_file_writing, fp); ++ return gs_add_control_path(mem, gs_permit_file_writing, f); + } + + int + gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. 
+- */ +- code = gs_remove_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_remove_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_remove_control_path(mem, gs_permit_file_control, fp); ++ rewrite_percent_specifiers(f); ++ ++ code = gs_remove_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_remove_control_path(mem, gs_permit_file_writing, fp); ++ return gs_remove_control_path(mem, gs_permit_file_writing, f); + } + + int +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch new file mode 100644 index 0000000000..8e4fd40932 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch 
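Review bot: In the `base/gp_os2pr.c` part of this backported patch, `const int size_t = strlen(fname);` declares a variable named `size_t` rather than `nlen`, yet the next lines use `nlen` in the length check and in `memcpy(driver_name + preflen, fname, nlen + 1)`. As written that file should not compile. This presumably goes unnoticed because the OS/2 printer device is not built for Linux targets, but the line should read `const size_t nlen = strlen(fname);`, with the deviation from upstream noted in the patch header. In `base/gp_msprn.c` the new `memcpy` into `pname` is bounded by `gp_file_name_sizeof`, but `pname` is declared outside the hunk, so its size should be confirmed to be at least that large. The tag `Upstream-Status: Backport[https://...]` is also missing the space before the bracket.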
@@ -0,0 +1,68 @@ +From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Tue, 1 Jun 2021 19:57:16 +0100 +Subject: [PATCH] Bug 703902: Fix op stack management in + sampled_data_continue() + +Replace pop() (which does no checking, and doesn't handle stack extension +blocks) with ref_stack_pop() which does do all that. + +We still use pop() in one case (it's faster), but we have to later use +ref_stack_pop() before calling sampled_data_sample() which also accesses the +op stack. + +Fixes: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 + +Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7] +CVE: CVE-2021-45949 +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> +--- + psi/zfsample.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 0e8e4bc8d..00cd0cfdd 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + for (j = 0; j < bps; j++) + data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */ + } +- pop(num_out); /* Move op to base of result values */ + +- /* Check if we are done collecting data. */ ++ pop(num_out); /* Move op to base of result values */ + ++ /* From here on, we have to use ref_stack_pop() rather than pop() ++ so that it handles stack extension blocks properly, before calling ++ sampled_data_sample() which also uses the op stack. ++ */ ++ /* Check if we are done collecting data. 
*/ + if (increment_cube_indexes(params, penum->indexes)) { + if (stack_depth_adjust == 0) +- pop(O_STACK_PAD); /* Remove spare stack space */ ++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */ + else +- pop(stack_depth_adjust - num_out); ++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out); + /* Execute the closing procedure, if given */ + code = 0; + if (esp_finish_proc != 0) +@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + if ((O_STACK_PAD - stack_depth_adjust) < 0) { + stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); + check_op(stack_depth_adjust); +- pop(stack_depth_adjust); ++ ref_stack_pop(&o_stack, stack_depth_adjust); + } + else { + check_ostack(O_STACK_PAD - stack_depth_adjust); +- push(O_STACK_PAD - stack_depth_adjust); ++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); + for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) + make_null(op - i); + } +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb index 59cc560cf8..28d064a1a8 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb @@ -33,6 +33,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://do-not-check-local-libpng-source.patch \ file://avoid-host-contamination.patch \ file://mkdir-p.patch \ + file://CVE-2021-45949.patch \ + file://CVE-2021-3781.patch \ " SRC_URI = "${SRC_URI_BASE} \ diff --git a/meta/recipes-extended/go-examples/go-helloworld_0.1.bb b/meta/recipes-extended/go-examples/go-helloworld_0.1.bb index aeff482f3b..4e582edcf1 100644 --- a/meta/recipes-extended/go-examples/go-helloworld_0.1.bb +++ b/meta/recipes-extended/go-examples/go-helloworld_0.1.bb 
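Review bot: The result of `ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust)` is discarded in the final `else` branch of `sampled_data_continue()`, and the loop after it writes `make_null(op - i)` through the local `op`, which the hunk does not show being refreshed after the push. `check_ostack()` runs first, so this may well be safe. Since the patch exists to make op-stack handling robust across stack extension blocks, I would still capture the result with `code = ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); if (code < 0) return code;`, or add a comment saying why failure cannot happen here. The function starts and ends outside the hunk, so the declaration of `op` is not visible. Separately, the header says `Upstream-Status: Backported [...]`, while the other backports in this commit use the value `Backport`.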
@@ -5,7 +5,7 @@ HOMEPAGE = "https://golang.org/" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" -SRC_URI = "git://${GO_IMPORT}" +SRC_URI = "git://${GO_IMPORT};branch=master;protocol=https" SRCREV = "46695d81d1fae905a270fb7db8a4d11a334562fe" UPSTREAM_CHECK_COMMITS = "1" diff --git a/meta/recipes-extended/iputils/iputils_20210722.bb b/meta/recipes-extended/iputils/iputils_20210722.bb index e1940b77b5..d81f787dd8 100644 --- a/meta/recipes-extended/iputils/iputils_20210722.bb +++ b/meta/recipes-extended/iputils/iputils_20210722.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=55aa8c9fcad0691cef0ecd420361e390" DEPENDS = "gnutls" -SRC_URI = "git://github.com/iputils/iputils \ +SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https \ file://0001-rarpd-rdisc-Drop-PrivateUsers.patch \ file://0001-meson-Make-tests-optional.patch \ " diff --git a/meta/recipes-extended/libaio/libaio_0.3.112.bb b/meta/recipes-extended/libaio/libaio_0.3.112.bb index b3606474a5..3892f3244e 100644 --- a/meta/recipes-extended/libaio/libaio_0.3.112.bb +++ b/meta/recipes-extended/libaio/libaio_0.3.112.bb @@ -5,7 +5,7 @@ HOMEPAGE = "http://lse.sourceforge.net/io/aio.html" LICENSE = "LGPLv2.1+" LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499" -SRC_URI = "git://pagure.io/libaio.git;protocol=https \ +SRC_URI = "git://pagure.io/libaio.git;protocol=https;branch=master \ file://00_arches.patch \ file://libaio_fix_for_mips_syscalls.patch \ file://system-linkage.patch \ diff --git a/meta/recipes-extended/libarchive/libarchive_3.5.1.bb b/meta/recipes-extended/libarchive/libarchive_3.5.3.bb index 7d98e573b8..dd607aca0a 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.5.1.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.5.3.bb 
@@ -34,7 +34,7 @@ EXTRA_OECONF += "--enable-largefile" SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz" -SRC_URI[sha256sum] = "9015d109ec00bb9ae1a384b172bf2fc1dff41e2c66e5a9eeddf933af9db37f5a" +SRC_URI[sha256sum] = "72788e5f58d16febddfa262a5215e05fc9c79f2670f641ac039e6df44330ef51" inherit autotools update-alternatives pkgconfig diff --git a/meta/recipes-extended/libnsl/libnsl2_git.bb b/meta/recipes-extended/libnsl/libnsl2_git.bb index 53be67fe85..3f6ccbad70 100644 --- a/meta/recipes-extended/libnsl/libnsl2_git.bb +++ b/meta/recipes-extended/libnsl/libnsl2_git.bb @@ -14,7 +14,7 @@ PV = "2.0.0" SRCREV = "82245c0c58add79a8e34ab0917358217a70e5100" -SRC_URI = "git://github.com/thkukuk/libnsl \ +SRC_URI = "git://github.com/thkukuk/libnsl;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-extended/libnss-nis/libnss-nis.bb b/meta/recipes-extended/libnss-nis/libnss-nis.bb index 34103428e9..478e9e2be3 100644 --- a/meta/recipes-extended/libnss-nis/libnss-nis.bb +++ b/meta/recipes-extended/libnss-nis/libnss-nis.bb @@ -17,7 +17,7 @@ PV = "3.1+git${SRCPV}" SRCREV = "062f31999b35393abf7595cb89dfc9590d5a42ad" -SRC_URI = "git://github.com/thkukuk/libnss_nis \ +SRC_URI = "git://github.com/thkukuk/libnss_nis;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.19.bb b/meta/recipes-extended/libsolv/libsolv_0.7.19.bb index bb925073ed..a3a4fc7896 100644 --- a/meta/recipes-extended/libsolv/libsolv_0.7.19.bb +++ b/meta/recipes-extended/libsolv/libsolv_0.7.19.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.BSD;md5=62272bd11c97396d4aaf1c41bc11f7d8" DEPENDS = "expat zlib" -SRC_URI = "git://github.com/openSUSE/libsolv.git \ +SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https \ " SRCREV = "c773294be6b0a2425f344a8999f173fb00cfd16f" 
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch new file mode 100644 index 0000000000..f4e93d1065 --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch 
@@ -0,0 +1,97 @@ +Upstream-Status: Backport +CVE: CVE-2022-22707 +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001 +From: povcfe <povcfe@qq.com> +Date: Wed, 5 Jan 2022 11:11:09 +0000 +Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) + +(thx povcfe) + +(edited: gstrauss) + +There is a potential remote denial of service in lighttpd mod_extforward +under specific, non-default and uncommon 32-bit lighttpd mod_extforward +configurations. + +Under specific, non-default and uncommon lighttpd mod_extforward +configurations, a remote attacker can trigger a 4-byte out-of-bounds +write of value '-1' to the stack. This is not believed to be exploitable +in any way beyond triggering a crash of the lighttpd server on systems +where the lighttpd server has been built 32-bit and with compiler flags +which enable a stack canary -- gcc/clang -fstack-protector-strong or +-fstack-protector-all, but bug not visible with only -fstack-protector. + +With standard lighttpd builds using -O2 optimization on 64-bit x86_64, +this bug has not been observed to cause adverse behavior, even with +gcc/clang -fstack-protector-strong. + +For the bug to be reachable, the user must be using a non-default +lighttpd configuration which enables mod_extforward and configures +mod_extforward to accept and parse the "Forwarded" header from a trusted +proxy. At this time, support for RFC7239 Forwarded is not common in CDN +providers or popular web server reverse proxies. It bears repeating that +for the user to desire to configure lighttpd mod_extforward to accept +"Forwarded", the user must also be using a trusted proxy (in front of +lighttpd) which understands and actively modifies the "Forwarded" header +sent to lighttpd. 
+ +lighttpd natively supports RFC7239 "Forwarded" +hiawatha natively supports RFC7239 "Forwarded" + +nginx can be manually configured to add a "Forwarded" header +https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ + +A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) +in front of another 32-bit lighttpd will detect and reject a malicious +"Forwarded" request header, thereby thwarting an attempt to trigger +this bug in an upstream 32-bit lighttpd. + +The following servers currently do not natively support RFC7239 Forwarded: +nginx +apache2 +caddy +node.js +haproxy +squid +varnish-cache +litespeed + +Given the general dearth of support for RFC7239 Forwarded in popular +CDNs and web server reverse proxies, and given the prerequisites in +lighttpd mod_extforward needed to reach this bug, the number of lighttpd +servers vulnerable to this bug is estimated to be vanishingly small. +Large systems using reverse proxies are likely running 64-bit lighttpd, +which is not known to be adversely affected by this bug. + +In the future, it is desirable for more servers to implement RFC7239 +Forwarded. lighttpd developers would like to thank povcfe for reporting +this bug so that it can be fixed before more CDNs and web servers +implement RFC7239 Forwarded. 
+ +x-ref: + "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1" + https://redmine.lighttpd.net/issues/3134 + (not yet written or published) + CVE-2022-22707 +--- + src/mod_extforward.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mod_extforward.c b/src/mod_extforward.c +index ba957e04..fdaef7f6 100644 +--- a/src/mod_extforward.c ++++ b/src/mod_extforward.c +@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c + while (s[i] == ' ' || s[i] == '\t') ++i; + if (s[i] == ';') { ++i; continue; } + if (s[i] == ',') { +- if (j >= (int)(sizeof(offsets)/sizeof(int))) break; ++ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break; + offsets[++j] = -1; /*("offset" separating params from next proxy)*/ + ++i; + continue; +-- +2.25.1 + diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb index 8cb3a9a18c..12d3db937d 100644 --- a/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb +++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb @@ -14,6 +14,7 @@ RRECOMMENDS:${PN} = "lighttpd-module-access \ lighttpd-module-accesslog" SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \ + file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \ file://index.html.lighttpd \ file://lighttpd.conf \ file://lighttpd \ diff --git a/meta/recipes-extended/ltp/ltp_20210524.bb b/meta/recipes-extended/ltp/ltp_20210524.bb index 20e2deffa5..0636cb92cb 100644 --- a/meta/recipes-extended/ltp/ltp_20210524.bb +++ b/meta/recipes-extended/ltp/ltp_20210524.bb 
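Review bot: The corrected bound in `mod_extforward_Forwarded()` guards only the `offsets[++j] = -1` write shown in the hunk. Any other writes into `offsets` in the same parsing loop lie outside it and should be checked for the same off-by-one, since the pre-increment means the slot written is `j + 1`. A short comment at the check would stop the `-1` from being simplified away later, e.g. `/* ++j below writes offsets[j+1], so stop one slot early */`. On the metadata side, `Upstream-Status: Backport` carries no reference; the patch's own `From` line names commit 27103f3f8b1a2857aa45b889e775435f7daf141f, which could be cited in brackets after the tag.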
@@ -29,7 +29,7 @@ CFLAGS:append:powerpc64 = " -D__SANE_USERSPACE_TYPES__" CFLAGS:append:mipsarchn64 = " -D__SANE_USERSPACE_TYPES__" SRCREV = "0fb171f2beddaf64bd27597577c206c0f892b3cd" -SRC_URI = "git://github.com/linux-test-project/ltp.git \ +SRC_URI = "git://github.com/linux-test-project/ltp.git;branch=master;protocol=https \ file://0001-Remove-OOM-tests-from-runtest-mm.patch \ file://0001-syscalls-ioctl_ns05.c-ioctl_ns06.c-Fix-too-small-buf.patch \ " diff --git a/meta/recipes-extended/mc/files/0001-Ticket-4200-fix-FTBFS-with-ncurses-build-with-disabl.patch b/meta/recipes-extended/mc/files/0001-Ticket-4200-fix-FTBFS-with-ncurses-build-with-disabl.patch new file mode 100644 index 0000000000..408473664f --- /dev/null +++ b/meta/recipes-extended/mc/files/0001-Ticket-4200-fix-FTBFS-with-ncurses-build-with-disabl.patch 
@@ -0,0 +1,87 @@ +From e7bbf72544ab62db9c92bfe7bd1155227e78c621 Mon Sep 17 00:00:00 2001 +From: Andrew Borodin <aborodin@vmail.ru> +Date: Sat, 28 Aug 2021 11:46:53 +0300 +Subject: [PATCH] Ticket #4200: fix FTBFS with ncurses build with + --disable-widec. + +Upstream-Status: Accepted [https://github.com/MidnightCommander/mc/commit/e7bbf72544] +Signed-off-by: Andrew Borodin <aborodin@vmail.ru> +--- + lib/tty/tty-ncurses.c | 8 ++++++++ + lib/tty/tty-ncurses.h | 5 +++++ + lib/tty/tty-slang.h | 2 ++ + src/filemanager/boxes.c | 2 ++ + 4 files changed, 17 insertions(+) + +diff --git a/lib/tty/tty-ncurses.c b/lib/tty/tty-ncurses.c +index f619c0a7bf31..13058a624208 100644 +--- a/lib/tty/tty-ncurses.c ++++ b/lib/tty/tty-ncurses.c +@@ -560,6 +560,7 @@ tty_fill_region (int y, int x, int rows, int cols, unsigned char ch) + void + tty_colorize_area (int y, int x, int rows, int cols, int color) + { ++#ifdef ENABLE_SHADOWS + cchar_t *ctext; + wchar_t wch[10]; /* TODO not sure if the length is correct */ + attr_t attrs; +@@ -585,6 +586,13 @@ tty_colorize_area (int y, int x, int rows, int cols, int color) + } + + g_free (ctext); ++#else ++ (void) y; ++ (void) x; ++ (void) rows; ++ (void) cols; ++ (void) color; ++#endif /* ENABLE_SHADOWS */ + } + + /* --------------------------------------------------------------------------------------------- */ +diff --git a/lib/tty/tty-ncurses.h b/lib/tty/tty-ncurses.h +index d75df9533ab9..8feb17ccd045 100644 +--- a/lib/tty/tty-ncurses.h ++++ b/lib/tty/tty-ncurses.h +@@ -30,6 +30,11 @@ + #define NCURSES_CONST const + #endif + ++/* do not draw shadows if NCurses is built with --disable-widec */ ++#if defined(NCURSES_WIDECHAR) && NCURSES_WIDECHAR ++#define ENABLE_SHADOWS 1 ++#endif ++ + /*** typedefs(not structures) and defined constants **********************************************/ + + /*** enums ***************************************************************************************/ +diff --git a/lib/tty/tty-slang.h b/lib/tty/tty-slang.h +index 
5b12c6512853..eeaade388af4 100644 +--- a/lib/tty/tty-slang.h ++++ b/lib/tty/tty-slang.h +@@ -23,6 +23,8 @@ + #define COLS SLtt_Screen_Cols + #define LINES SLtt_Screen_Rows + ++#define ENABLE_SHADOWS 1 ++ + /*** enums ***************************************************************************************/ + + enum +diff --git a/src/filemanager/boxes.c b/src/filemanager/boxes.c +index 3eb525be4a9b..98df5ff2ed9a 100644 +--- a/src/filemanager/boxes.c ++++ b/src/filemanager/boxes.c +@@ -280,7 +280,9 @@ appearance_box_callback (Widget * w, Widget * sender, widget_msg_t msg, int parm + switch (msg) + { + case MSG_INIT: ++#ifdef ENABLE_SHADOWS + if (!tty_use_colors ()) ++#endif + { + Widget *shadow; + +-- +2.34.1 + diff --git a/meta/recipes-extended/mc/mc_4.8.27.bb b/meta/recipes-extended/mc/mc_4.8.27.bb index 546e615d1d..e877780ea0 100644 --- a/meta/recipes-extended/mc/mc_4.8.27.bb +++ b/meta/recipes-extended/mc/mc_4.8.27.bb @@ -11,6 +11,7 @@ RRECOMMENDS:${PN} = "ncurses-terminfo" SRC_URI = "http://www.midnight-commander.org/downloads/${BPN}-${PV}.tar.bz2 \ file://0001-mc-replace-perl-w-with-use-warnings.patch \ file://nomandate.patch \ + file://0001-Ticket-4200-fix-FTBFS-with-ncurses-build-with-disabl.patch \ " SRC_URI[sha256sum] = "2f52dd9c75c20d8eac7701bd3a8c6c125aaf8cdd9cf12b78ca50a0102b543407" 
@@ -27,7 +28,9 @@ PACKAGECONFIG ??= "" PACKAGECONFIG[smb] = "--enable-vfs-smb,--disable-vfs-smb,samba," PACKAGECONFIG[sftp] = "--enable-vfs-sftp,--disable-vfs-sftp,libssh2," -CFLAGS:append:libc-musl = ' -DNCURSES_WIDECHAR=1 ' +# enable NCURSES_WIDECHAR=1 only if ENABLE_WIDEC has not been explicitly disabled (e.g. by the distro config). +# When compiling against the ncurses library, NCURSES_WIDECHAR needs to explicitly set to 0 in this case. +CFLAGS:append:libc-musl = "${@' -DNCURSES_WIDECHAR=1' if bb.utils.to_boolean((d.getVar('ENABLE_WIDEC') or 'True')) else ' -DNCURSES_WIDECHAR=0'}" EXTRA_OECONF = "--with-screen=ncurses --without-gpm-mouse --without-x --disable-configure-args" EXTRANATIVEPATH += "file-native" diff --git a/meta/recipes-extended/net-tools/net-tools_2.10.bb b/meta/recipes-extended/net-tools/net-tools_2.10.bb index 00caccd4b8..eb5881356c 100644 --- a/meta/recipes-extended/net-tools/net-tools_2.10.bb +++ b/meta/recipes-extended/net-tools/net-tools_2.10.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://ifconfig.c;beginline=11;endline=15;md5=d1ca372080ad5401e23ca0afc35cf9ba" SRCREV = "80d7b95067f1f22fece9537dea6dff53081f4886" -SRC_URI = "git://git.code.sf.net/p/net-tools/code;protocol=https \ +SRC_URI = "git://git.code.sf.net/p/net-tools/code;protocol=https;branch=master \ file://net-tools-config.h \ file://net-tools-config.make \ file://Add_missing_headers.patch \ diff --git a/meta/recipes-extended/newt/libnewt_0.52.21.bb b/meta/recipes-extended/newt/libnewt_0.52.21.bb index 84d327ca88..86301b95eb 100644 --- a/meta/recipes-extended/newt/libnewt_0.52.21.bb +++ b/meta/recipes-extended/newt/libnewt_0.52.21.bb @@ -29,7 +29,7 @@ SRC_URI[sha256sum] = "265eb46b55d7eaeb887fca7a1d51fe115658882dfe148164b6c49fccac S = "${WORKDIR}/newt-${PV}" -inherit autotools-brokensep python3native python3-dir +inherit autotools-brokensep python3native python3-dir python3targetconfig EXTRA_OECONF = "--without-tcl --with-python" 
diff --git a/meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch b/meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch new file mode 100644 index 0000000000..9c301f2054 --- /dev/null +++ b/meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch @@ -0,0 +1,50 @@ +From 65986f3d12d434b9bc428ceb6fcb1f6eeeb2c47d Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Mon, 17 Jan 2022 15:36:56 +0800 +Subject: [PATCH] Fix bug when combining -l with -d. + +Though it makes no sense to do pigz -ld, that is implicit when +doing unpigz -l. This commit fixes a bug for that combination. + +Upstream-Status: Backport [https://github.com/madler/pigz/commit/326bba44aa102c707dd6ebcd2fc3f413b3119db0] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + pigz.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/pigz.c b/pigz.c +index f90157f..d648216 100644 +--- a/pigz.c ++++ b/pigz.c +@@ -4007,6 +4007,13 @@ local void process(char *path) { + } + SET_BINARY_MODE(g.ind); + ++ // if requested, just list information about the input file ++ if (g.list && g.decode != 2) { ++ list_info(); ++ load_end(); ++ return; ++ } ++ + // if decoding or testing, try to read gzip header + if (g.decode) { + in_init(); +@@ -4048,13 +4055,6 @@ local void process(char *path) { + } + } + +- // if requested, just list information about input file +- if (g.list) { +- list_info(); +- load_end(); +- return; +- } +- + // create output file out, descriptor outd + if (path == NULL || g.pipeout) { + // write to stdout +-- +2.17.1 + diff --git a/meta/recipes-extended/pigz/pigz_2.6.bb b/meta/recipes-extended/pigz/pigz_2.6.bb index 3566e18b7e..d490a6a722 100644 --- a/meta/recipes-extended/pigz/pigz_2.6.bb +++ b/meta/recipes-extended/pigz/pigz_2.6.bb 
@@ -8,7 +8,8 @@ SECTION = "console/utils" LICENSE = "Zlib & Apache-2.0" LIC_FILES_CHKSUM = "file://pigz.c;md5=9ae6dee8ceba9610596ed0ada493d142;beginline=7;endline=21" -SRC_URI = "http://zlib.net/${BPN}/fossils/${BP}.tar.gz" +SRC_URI = "http://zlib.net/${BPN}/fossils/${BP}.tar.gz \ + file://0001-Fix-bug-when-combining-l-with-d.patch" SRC_URI[sha256sum] = "2eed7b0d7449d1d70903f2a62cd6005d262eb3a8c9e98687bc8cbb5809db2a7d" PROVIDES:class-native += "gzip-native" diff --git a/meta/recipes-extended/procps/procps_3.3.17.bb b/meta/recipes-extended/procps/procps_3.3.17.bb index 64a2d154b6..9366ec99aa 100644 --- a/meta/recipes-extended/procps/procps_3.3.17.bb +++ b/meta/recipes-extended/procps/procps_3.3.17.bb @@ -12,7 +12,7 @@ DEPENDS = "ncurses" inherit autotools gettext pkgconfig update-alternatives -SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https \ +SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \ file://sysctl.conf \ file://0001-w.c-correct-musl-builds.patch \ file://0002-proc-escape.c-add-missing-include.patch \ diff --git a/meta/recipes-extended/psmisc/psmisc_23.4.bb b/meta/recipes-extended/psmisc/psmisc_23.4.bb index 894443f4ef..89fe8a709c 100644 --- a/meta/recipes-extended/psmisc/psmisc_23.4.bb +++ b/meta/recipes-extended/psmisc/psmisc_23.4.bb @@ -2,7 +2,7 @@ require psmisc.inc LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3" -SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https \ +SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https;branch=master \ file://0001-Use-UINTPTR_MAX-instead-of-__WORDSIZE.patch \ " SRCREV = "5fab6b7ab385080f1db725d6803136ec1841a15f" diff --git a/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb b/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb index 678632a814..c08e9d52c3 100644 --- a/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb +++ b/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb 
@@ -19,7 +19,7 @@ PV = "1.4.2" SRCREV = "6f54e54455c073d08a56ea627c6cd2355a40eb53" -SRC_URI = "git://github.com/thkukuk/${BPN} \ +SRC_URI = "git://github.com/thkukuk/${BPN};branch=master;protocol=https \ file://0001-Use-cross-compiled-rpcgen.patch \ " diff --git a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch index 95728bcd3f..628db42136 100644 --- a/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch +++ b/meta/recipes-extended/shadow/files/0001-Disable-use-of-syslog-for-sysroot.patch @@ -1,124 +1,52 @@ -From 30a3906a0a21120fa6bbc918b6258ab9303fbeaa Mon Sep 17 00:00:00 2001 -From: Scott Garman <scott.a.garman@intel.com> -Date: Thu, 14 Apr 2016 12:28:57 +0200 -Subject: [PATCH] Disable use of syslog for sysroot +From 8b845fff891798a03bdf21354b52e4487c2c0200 Mon Sep 17 00:00:00 2001 +From: Richard Purdie <richard.purdie@linuxfoundation.org> +Date: Thu, 14 Apr 2022 23:11:53 +0000 +Subject: [PATCH] Disable use of syslog for shadow-native tools Disable use of syslog to prevent sysroot user and group additions from writing entries to the host's syslog. This patch should only be used with the shadow-native recipe. -Upstream-Status: Inappropriate [disable feature] - -Signed-off-by: Scott Garman <scott.a.garman@intel.com> +Upstream-Status: Inappropriate [OE specific configuration] +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> -Signed-off-by: Chen Qi <Qi.Chen@windriver.com> --- - src/groupadd.c | 3 +++ - src/groupdel.c | 3 +++ - src/groupmems.c | 3 +++ - src/groupmod.c | 3 +++ - src/useradd.c | 3 +++ - src/userdel.c | 4 ++++ - src/usermod.c | 3 +++ - 7 files changed, 22 insertions(+) + configure.ac | 2 +- + src/login_nopam.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) -diff --git a/src/groupadd.c b/src/groupadd.c -index d7f68b1..5fe5f43 100644 ---- a/src/groupadd.c -+++ b/src/groupadd.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <ctype.h> - #include <fcntl.h> - #include <getopt.h> -diff --git a/src/groupdel.c b/src/groupdel.c -index 5c89312..2aefc5a 100644 ---- a/src/groupdel.c -+++ b/src/groupdel.c -@@ -34,6 +34,9 @@ - +diff --git a/configure.ac b/configure.ac +index 5dcae19..b2c58f5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -204,7 +204,7 @@ AC_DEFINE_UNQUOTED(PASSWD_PROGRAM, "$shadow_cv_passwd_dir/passwd", + [Path to passwd program.]) + + dnl XXX - quick hack, should disappear before anyone notices :). 
+-AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().]) ++#AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().]) + if test "$ac_cv_func_ruserok" = "yes"; then + AC_DEFINE(RLOGIN, 1, [Define if login should support the -r flag for rlogind.]) + AC_DEFINE(RUSEROK, 0, [Define to the ruserok() "success" return value (0 or 1).]) +diff --git a/src/login_nopam.c b/src/login_nopam.c +index df6ba88..fc24e13 100644 +--- a/src/login_nopam.c ++++ b/src/login_nopam.c +@@ -29,7 +29,6 @@ + #ifndef USE_PAM #ident "$Id$" -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <ctype.h> - #include <fcntl.h> - #include <grp.h> -diff --git a/src/groupmems.c b/src/groupmems.c -index 654a8f3..6b2026b 100644 ---- a/src/groupmems.c -+++ b/src/groupmems.c -@@ -32,6 +32,9 @@ - - #include <config.h> - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <fcntl.h> - #include <getopt.h> - #include <grp.h> -diff --git a/src/groupmod.c b/src/groupmod.c -index acd6f35..a2c5247 100644 ---- a/src/groupmod.c -+++ b/src/groupmod.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <ctype.h> - #include <fcntl.h> - #include <getopt.h> -diff --git a/src/useradd.c b/src/useradd.c -index 127177e..b80e505 100644 ---- a/src/useradd.c -+++ b/src/useradd.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" - -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <assert.h> - #include <ctype.h> - #include <errno.h> -diff --git a/src/userdel.c b/src/userdel.c -index 79a7c89..c1e010a 100644 ---- a/src/userdel.c -+++ b/src/userdel.c -@@ -31,6 +31,10 @@ - */ - - #include <config.h> -+ -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG -+ - #include <assert.h> - #include <dirent.h> - #include <errno.h> 
-diff --git a/src/usermod.c b/src/usermod.c -index 03bb9b9..e15fdd4 100644 ---- a/src/usermod.c -+++ b/src/usermod.c -@@ -34,6 +34,9 @@ - - #ident "$Id$" +-#include "prototypes.h" + /* + * This module implements a simple but effective form of login access + * control based on login names and on host (or domain) names, internet +@@ -57,6 +56,8 @@ + #include <netinet/in.h> + #include <arpa/inet.h> /* for inet_ntoa() */ -+/* Disable use of syslog since we're running this command against a sysroot */ -+#undef USE_SYSLOG ++#include "prototypes.h" + - #include <assert.h> - #include <ctype.h> - #include <errno.h> + #if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64) + #undef MAXHOSTNAMELEN + #define MAXHOSTNAMELEN 256 diff --git a/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch b/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch new file mode 100644 index 0000000000..21a410f605 --- /dev/null +++ b/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch @@ -0,0 +1,26 @@ +From 2386cd8f907b379ae5cc1ce2888abef7d30e709a Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Sat, 23 Oct 2021 20:20:59 +0200 +Subject: [PATCH] Makefile: do not write the timestamp into compressed manpage. + +This helps reproducibility. + +Upstream-Status: Submitted [https://github.com/ColinIanKing/stress-ng/pull/156] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 886018f9..f4290f9c 100644 +--- a/Makefile ++++ b/Makefile +@@ -468,7 +468,7 @@ git-commit-id.h: + $(OBJS): stress-ng.h Makefile + + stress-ng.1.gz: stress-ng.1 +- $(V)gzip -c $< > $@ ++ $(V)gzip -n -c $< > $@ + + .PHONY: dist + dist: 
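Review bot: Commenting out `AC_DEFINE(USE_SYSLOG, 1, ...)` in configure.ac disables syslog for every program built from a tree that carries this patch, whereas the previous version scoped `#undef USE_SYSLOG` to seven account-management sources. The description says the patch is only for shadow-native, but nothing in the patch enforces that. The recipe (not part of this hunk) should apply it for class-native only, since a target build would otherwise lose the syslog record of user and group changes. The move of `#include "prototypes.h"` in src/login_nopam.c is not mentioned in the description; one line saying why it is needed would help the next refresh. In configure.ac, `dnl AC_DEFINE(USE_SYSLOG, 1, [Define to use syslog().])` is the usual way to drop a macro call, because a `#` line is copied into the generated configure script.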
diff --git a/meta/recipes-extended/stress-ng/stress-ng_0.13.00.bb b/meta/recipes-extended/stress-ng/stress-ng_0.13.00.bb index 198f7e87c7..f01e7b2433 100644 --- a/meta/recipes-extended/stress-ng/stress-ng_0.13.00.bb +++ b/meta/recipes-extended/stress-ng/stress-ng_0.13.00.bb @@ -1,14 +1,16 @@ SUMMARY = "System load testing utility" DESCRIPTION = "Deliberately simple workload generator for POSIX systems. It \ imposes a configurable amount of CPU, memory, I/O, and disk stress on the system." -HOMEPAGE = "https://kernel.ubuntu.com/~cking/stress-ng/" +HOMEPAGE = "https://github.com/ColinIanKing/stress-ng#readme" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "https://kernel.ubuntu.com/~cking/tarballs/${BPN}/${BP}.tar.xz \ +SRC_URI = "git://github.com/ColinIanKing/stress-ng.git;protocol=https;branch=master \ file://0001-Do-not-preserve-ownership-when-installing-example-jo.patch \ + file://0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch \ " -SRC_URI[sha256sum] = "1cefe4a3057c1522b146e62f61b80ce6e2e99da2d85ebe25bc03fc45228e58cd" +SRCREV = "61b454b4a3a9d052e63c78a9574ccf8a650575dc" +S = "${WORKDIR}/git" DEPENDS = "coreutils-native" diff --git a/meta/recipes-extended/sysklogd/sysklogd_2.2.3.bb b/meta/recipes-extended/sysklogd/sysklogd_2.2.3.bb index eca531d05d..f4ecb7d459 100644 --- a/meta/recipes-extended/sysklogd/sysklogd_2.2.3.bb +++ b/meta/recipes-extended/sysklogd/sysklogd_2.2.3.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5b4be4b2549338526758ef479c040943 \ inherit update-rc.d update-alternatives systemd autotools -SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1 \ +SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1;protocol=https \ file://sysklogd \ " diff --git a/meta/recipes-extended/tar/tar_1.34.bb b/meta/recipes-extended/tar/tar_1.34.bb index 3488a6c955..5a415c775a 100644 --- a/meta/recipes-extended/tar/tar_1.34.bb 
+++ b/meta/recipes-extended/tar/tar_1.34.bb @@ -63,6 +63,6 @@ NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}" BBCLASSEXTEND = "native nativesdk" -# These are both specific to the NPM package node-tar -CVE_CHECK_WHITELIST += "CVE-2021-32803 CVE-2021-32804" -CVE_CHECK_WHITELIST += "CVE-2021-37701 CVE-2021-37712 CVE-2021-37713" +# Avoid false positives from CVEs in node-tar package +# For example CVE-2021-{32803,32804,37701,37712,37713} +CVE_PRODUCT = "gnu:tar" diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc index c7d4965cb8..43d14d7f12 100644 --- a/meta/recipes-extended/timezone/timezone.inc +++ b/meta/recipes-extended/timezone/timezone.inc @@ -6,7 +6,7 @@ SECTION = "base" LICENSE = "PD & BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba" -PV = "2021a" +PV = "2021e" SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \ http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \ @@ -14,5 +14,6 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones" -SRC_URI[tzcode.sha256sum] = "eb46bfa124b5b6bd13d61a609bfde8351bd192894708d33aa06e5c1e255802d0" -SRC_URI[tzdata.sha256sum] = "39e7d2ba08c68cbaefc8de3227aab0dec2521be8042cf56855f7dc3a9fb14e08" +SRC_URI[tzcode.sha256sum] = "584666393a5424d13d27ec01183da17703273664742e049d4f62f62dab631775" +SRC_URI[tzdata.sha256sum] = "07ec42b737d0d3c6be9c337f8abb5f00554a0f9cc4fcf01a703d69403b6bb2b1" + diff --git a/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch new file mode 100644 index 0000000000..6ba2b879a3 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch 
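Review bot: Setting `CVE_PRODUCT = "gnu:tar"` changes how every CVE is matched for this recipe, not only the five node-tar ids that were whitelisted, so a tar entry recorded under a vendor string other than `gnu` would no longer be reported. It is worth comparing the cve-check report before and after this change to confirm that only the node-tar entries disappear. The comment would also be easier to find if it spelled the ids out, for example `# CVE-2021-32803 CVE-2021-32804 CVE-2021-37701 CVE-2021-37712 CVE-2021-37713 are node-tar, not GNU tar`, because the brace form does not match a search for a full CVE id.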
@@ -0,0 +1,67 @@ +From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001 +From: Nils Bars <nils.bars@t-online.de> +Date: Mon, 17 Jan 2022 16:53:16 +0000 +Subject: [PATCH] Fix null pointer dereference and use of uninitialized data + +This fixes a bug that causes use of uninitialized heap data if `readbuf` fails +to read as many bytes as indicated by the extra field length attribute. +Furthermore, this fixes a null pointer dereference if an archive contains an +`EF_UNIPATH` extra field but does not have a filename set. +--- + fileio.c | 5 ++++- + process.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) +--- + +Patch from: +https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 +https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch +Regenerated to apply without offsets. + +CVE: CVE-2021-4217 + +Upstream-Status: Pending [infozip upstream inactive] + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + + +diff --git a/fileio.c b/fileio.c +index 14460f3..1dc319e 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */ + seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + + (G.inptr-G.inbuf) + length); + } else { +- if (readbuf(__G__ (char *)G.extra_field, length) == 0) ++ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length); ++ if (bytes_read == 0) + return PK_EOF; ++ if (bytes_read != length) ++ return PK_ERR; + /* Looks like here is where extra fields are read */ + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) + { +diff --git a/process.c b/process.c +index 5f8f6c6..de843a5 100644 +--- a/process.c ++++ b/process.c +@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len) + G.unipath_checksum = makelong(offset + ef_buf); + offset += 4; + ++ if (!G.filename_full) { ++ /* Check if we have a unicode extra section but no filename set */ ++ return PK_ERR; ++ } ++ + /* + 
* Compute 32-bit crc + */ +- + chksum = crc32(chksum, (uch *)(G.filename_full), + strlen(G.filename_full)); + +-- +2.32.0 + diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 0bc6abcd4b..d074db37b4 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb @@ -27,6 +27,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ file://CVE-2019-13232_p2.patch \ file://CVE-2019-13232_p3.patch \ file://unzip_optimization.patch \ + file://CVE-2021-4217.patch \ " UPSTREAM_VERSION_UNKNOWN = "1" diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb index da051c119f..e64494e54e 100644 --- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb +++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=55c5fdf02cfcca3fc9621b6f2ceae10f" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)" -SRC_URI = "git://github.com/openSUSE/xinetd.git;protocol=https \ +SRC_URI = "git://github.com/openSUSE/xinetd.git;protocol=https;branch=master \ file://xinetd.init \ file://xinetd.default \ file://xinetd.service \ diff --git a/meta/recipes-extended/xz/xz/CVE-2022-1271.patch b/meta/recipes-extended/xz/xz/CVE-2022-1271.patch new file mode 100644 index 0000000000..e43e73cf12 --- /dev/null +++ b/meta/recipes-extended/xz/xz/CVE-2022-1271.patch 
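Review bot: The new `return PK_ERR` in the fileio.c hunk leaves `G.extra_field` pointing at a buffer that is only partly filled, so a caller that carries on after the error and trusts the header's extra-field length could still read the uninitialised tail. Releasing the buffer before returning would close that: `if (bytes_read != length) { free(G.extra_field); G.extra_field = NULL; return PK_ERR; }`. This assumes the buffer is the heap allocation made earlier in `do_string`, outside the hunk, and that later code tolerates a NULL `G.extra_field`, which should be confirmed. The existing `PK_EOF` return just above has the same property. Both `do_string` and `getUnicodeData` start and end outside the hunks, so how callers treat `PK_ERR` cannot be checked from here.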
@@ -0,0 +1,96 @@ +From dc932a1e9c0d9f1db71be11a9b82496e3a72f112 Mon Sep 17 00:00:00 2001 +From: Lasse Collin <lasse.collin@tukaani.org> +Date: Tue, 29 Mar 2022 19:19:12 +0300 +Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587). + +Malicious filenames can make xzgrep to write to arbitrary files +or (with a GNU sed extension) lead to arbitrary code execution. + +xzgrep from XZ Utils versions up to and including 5.2.5 are +affected. 5.3.1alpha and 5.3.2alpha are affected as well. +This patch works for all of them. + +This bug was inherited from gzip's zgrep. gzip 1.12 includes +a fix for zgrep. + +The issue with the old sed script is that with multiple newlines, +the N-command will read the second line of input, then the +s-commands will be skipped because it's not the end of the +file yet, then a new sed cycle starts and the pattern space +is printed and emptied. So only the last line or two get escaped. + +One way to fix this would be to read all lines into the pattern +space first. However, the included fix is even simpler: All lines +except the last line get a backslash appended at the end. To ensure +that shell command substitution doesn't eat a possible trailing +newline, a colon is appended to the filename before escaping. +The colon is later used to separate the filename from the grep +output so it is fine to add it here instead of a few lines later. + +The old code also wasn't POSIX compliant as it used \n in the +replacement section of the s-command. Using \<newline> is the +POSIX compatible method. + +LC_ALL=C was added to the two critical sed commands. POSIX sed +manual recommends it when using sed to manipulate pathnames +because in other locales invalid multibyte sequences might +cause issues with some sed implementations. 
In case of GNU sed, +these particular sed scripts wouldn't have such problems but some +other scripts could have, see: + + info '(sed)Locale Considerations' + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative + +Thanks to Jim Meyering and Paul Eggert discussing the different +ways to fix this and for coordinating the patch release schedule +with gzip. + +Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch] +CVE: CVE-2022-1271 + +Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> +--- + src/scripts/xzgrep.in | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in +index 9db5c3a..f64dddb 100644 +--- a/src/scripts/xzgrep.in ++++ b/src/scripts/xzgrep.in +@@ -179,22 +179,26 @@ for i; do + { test $# -eq 1 || test $no_filename -eq 1; }; then + eval "$grep" + else ++ # Append a colon so that the last character will never be a newline ++ # which would otherwise get lost in shell command substitution. ++ i="$i:" ++ ++ # Escape & \ | and newlines only if such characters are present ++ # (speed optimization). + case $i in + (*' + '* | *'&'* | *'\'* | *'|'*) +- i=$(printf '%s\n' "$i" | +- sed ' +- $!N +- $s/[&\|]/\\&/g +- $s/\n/\\n/g +- ');; ++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');; + esac +- sed_script="s|^|$i:|" ++ ++ # $i already ends with a colon so don't add it here. ++ sed_script="s|^|$i|" + + # Fail if grep or sed fails. + r=$( + exec 4>&1 +- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&- ++ (eval "$grep" 4>&-; echo $? >&4) 3>&- | ++ LC_ALL=C sed "$sed_script" >&3 4>&- + ) || r=2 + exit $r + fi >&3 5>&- diff --git a/meta/recipes-extended/xz/xz_5.2.5.bb b/meta/recipes-extended/xz/xz_5.2.5.bb index 8021ebd9bc..200af0e672 100644 --- a/meta/recipes-extended/xz/xz_5.2.5.bb +++ b/meta/recipes-extended/xz/xz_5.2.5.bb 
@@ -23,7 +23,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=97d554a32881fee0aa283d96e47cb24a \ file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \ " -SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz" +SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz \ + file://CVE-2022-1271.patch \ + " SRC_URI[md5sum] = "0d270c997aff29708c74d53f599ef717" SRC_URI[sha256sum] = "f6f4910fd033078738bd82bfba4f49219d03b17eb0794eb91efbae419f4aba10" UPSTREAM_CHECK_REGEX = "xz-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-extended/zip/zip-3.0/0001-configure-use-correct-CPP.patch b/meta/recipes-extended/zip/zip-3.0/0001-configure-use-correct-CPP.patch new file mode 100644 index 0000000000..02253f968c --- /dev/null +++ b/meta/recipes-extended/zip/zip-3.0/0001-configure-use-correct-CPP.patch 
@@ -0,0 +1,47 @@ +From 7a2729ee7f5d9b9d4a0d9b83fe641a2ab03c4ee0 Mon Sep 17 00:00:00 2001 +From: Joe Slater <joe.slater@windriver.com> +Date: Thu, 24 Feb 2022 17:36:59 -0800 +Subject: [PATCH 1/2] configure: use correct CPP + +configure uses CPP to test that two assembler routines +can be built. Unfortunately, it will use /usr/bin/cpp +if it exists, invalidating the tests. We use the $CC +passed to configure. + +Upstream-Status: Inappropriate [openembedded specific] + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + unix/configure | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/unix/configure b/unix/configure +index 73ba803..7e21070 100644 +--- a/unix/configure ++++ b/unix/configure +@@ -220,13 +220,16 @@ fi + echo Check for the C preprocessor + # on SVR4, cc -E does not produce correct assembler files. Need /lib/cpp. + CPP="${CC} -E" ++ ++# We should not change CPP for yocto builds. ++# + # solaris as(1) needs -P, maybe others as well ? +-[ -f /usr/ccs/lib/cpp ] && CPP="/usr/ccs/lib/cpp -P" +-[ -f /usr/lib/cpp ] && CPP=/usr/lib/cpp +-[ -f /lib/cpp ] && CPP=/lib/cpp +-[ -f /usr/bin/cpp ] && CPP=/usr/bin/cpp +-[ -f /xenix ] && CPP="${CC} -E" +-[ -f /lynx.os ] && CPP="${CC} -E" ++# [ -f /usr/ccs/lib/cpp ] && CPP="/usr/ccs/lib/cpp -P" ++# [ -f /usr/lib/cpp ] && CPP=/usr/lib/cpp ++# [ -f /lib/cpp ] && CPP=/lib/cpp ++# [ -f /usr/bin/cpp ] && CPP=/usr/bin/cpp ++# [ -f /xenix ] && CPP="${CC} -E" ++# [ -f /lynx.os ] && CPP="${CC} -E" + + echo "#include <stdio.h>" > conftest.c + $CPP conftest.c >/dev/null 2>/dev/null || CPP="${CC} -E" +-- +2.24.1 + diff --git a/meta/recipes-extended/zip/zip-3.0/0002-configure-support-PIC-code-build.patch b/meta/recipes-extended/zip/zip-3.0/0002-configure-support-PIC-code-build.patch new file mode 100644 index 0000000000..6e0879616a --- /dev/null +++ b/meta/recipes-extended/zip/zip-3.0/0002-configure-support-PIC-code-build.patch 
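Review bot: The comment added to unix/configure, `# We should not change CPP for yocto builds.`, does not say why; the reason is only in the patch description. A comment such as `# Keep CPP="${CC} -E": a cpp picked up from the build host invalidates the assembler tests below` would survive a later refresh of the patch. The six probes are commented out rather than deleted, which leaves dead lines in the script; removing them would make the intent clearer. 0002-configure-support-PIC-code-build.patch uses the same commented-out style.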
@@ -0,0 +1,34 @@ +From b0492506d2c28581193906e9d260d4f0451e2c39 Mon Sep 17 00:00:00 2001 +From: Joe Slater <joe.slater@windriver.com> +Date: Thu, 24 Feb 2022 17:46:03 -0800 +Subject: [PATCH 2/2] configure: support PIC code build + +Disable building match.S. The code requires +relocation in .text. + +Upstream-Status: Inappropriate [openembedded specific] + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + unix/configure | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/unix/configure b/unix/configure +index 7e21070..1bc698b 100644 +--- a/unix/configure ++++ b/unix/configure +@@ -242,8 +242,9 @@ if eval "$CPP match.S > _match.s 2>/dev/null"; then + if test ! -s _match.s || grep error < _match.s > /dev/null; then + : + elif eval "$CC -c _match.s >/dev/null 2>/dev/null" && [ -f _match.o ]; then +- CFLAGS="${CFLAGS} -DASMV" +- OBJA="match.o" ++ # disable match.S for PIC code ++ # CFLAGS="${CFLAGS} -DASMV" ++ # OBJA="match.o" + echo "int foo() { return 0;}" > conftest.c + $CC -c conftest.c >/dev/null 2>/dev/null + echo Check if compiler generates underlines +-- +2.24.1 + diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb index 18b5d8648e..f8e0b6e259 100644 --- a/meta/recipes-extended/zip/zip_3.0.bb +++ b/meta/recipes-extended/zip/zip_3.0.bb @@ -14,6 +14,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/Zip%203.x%20%28latest%29/3.0/zip30.tar. file://fix-security-format.patch \ file://10-remove-build-date.patch \ file://zipnote-crashes-with-segfault.patch \ + file://0001-configure-use-correct-CPP.patch \ + file://0002-configure-support-PIC-code-build.patch \ " UPSTREAM_VERSION_UNKNOWN = "1" diff --git a/meta/recipes-extended/zstd/zstd_1.5.0.bb b/meta/recipes-extended/zstd/zstd_1.5.0.bb index 978812fddb..51305d0562 100644 --- a/meta/recipes-extended/zstd/zstd_1.5.0.bb +++ b/meta/recipes-extended/zstd/zstd_1.5.0.bb 
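Review bot: Only the `CFLAGS="${CFLAGS} -DASMV"` and `OBJA="match.o"` assignments are disabled, while the rest of this `elif` branch, which continues past the end of the hunk, still runs once `_match.s` assembles. If that remainder enables any other assembler object, the text-relocation problem named in the description may apply to it too. It is worth checking the built binaries for text relocations rather than relying on this edit alone. The in-file comment could also carry the reason, for example `# match.S needs relocations in .text, which a PIC build should not contain`.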
@@ -9,7 +9,7 @@ LICENSE = "BSD-3-Clause & GPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \ file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0" -SRC_URI = "git://github.com/facebook/zstd.git;branch=release \ +SRC_URI = "git://github.com/facebook/zstd.git;branch=release;protocol=https \ file://0001-Makefile-sort-all-wildcard-file-list-expansions.patch \ file://0001-MinGW-Build-Fixes.patch \ " |