author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-08-23 11:11:46 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-09-27 14:47:44 +0300 |
commit | bba38f38e7e41525c30116a2fe990d113b8157da (patch) | |
tree | 14a0d015f4b144a97c51c896e7a3135b600760a6 | |
parent | 36b84cde8facab568630eec811e483cf1fc50848 (diff) | |
download | openbmc-bba38f38e7e41525c30116a2fe990d113b8157da.tar.xz |
poky: sumo refresh 51872d3f99..3b8dc3a88e
Update poky to sumo HEAD.
Andrej Valek (1):
wpa-supplicant: fix CVE-2018-14526
Armin Kuster (2):
xserver-xorg: config: fix NULL value detection for ID_INPUT being unset
binutils: Change the ARM assembler's ADR and ADRl pseudo-ops so that they will only set the bottom bit of imported thumb function symbols if the -mthumb-interwork option is active.
Bruce Ashfield (3):
linux-yocto/4.12: update to v4.12.28
linux-yocto/4.14: update to v4.14.62
linux-yocto/4.14: update to v4.14.67
Changqing Li (6):
libexif: patch for CVE-2017-7544
squashfs-tools: patch for CVE-2015-4645(4646)
libcroco: patch for CVE-2017-7960
libid3tag: patch for CVE-2004-2779
libice: patch for CVE-2017-2626
apr-util: fix ptest fail problem
Chen Qi (2):
util-linux: upgrade 2.32 -> 2.32.1
busybox: move init related configs to init.cfg
Jagadeesh Krishnanjanappa (2):
libarchive: CVE-2017-14501
libcgroup: CVE-2018-14348
Jon Szymaniak (1):
cve-check.bbclass: detect CVE IDs listed on multiple lines
Joshua Lock (1):
os-release: fix to install in the expected location
Khem Raj (1):
serf: Fix Sconstruct build with python 3.7
Konstantin Shemyak (1):
cve-check.bbclass: do not download the CVE DB in package-specific tasks
Mike Looijmans (1):
busybox/mdev-mount.sh: Fix partition detect and cleanup mountpoint on fail
Ross Burton (1):
lrzsz: fix CVE-2018-10195
Sinan Kaya (3):
busybox: CVE-2017-15874
libpng: CVE-2018-13785
sqlite3: CVE-2018-8740
Yadi.hu (1):
busybox: handle syslog
Yi Zhao (2):
blktrace: Security fix CVE-2018-10689
taglib: Security fix CVE-2018-11439
Zheng Ruoqin (1):
glibc: fix CVE-2018-11237
Change-Id: I2eb1fe6574638de745e4bfc106b86fe797b977c8
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
54 files changed, 1468 insertions, 60 deletions
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass index 537659df1..12ad3e5c5 100644 --- a/poky/meta/classes/cve-check.bbclass +++ b/poky/meta/classes/cve-check.bbclass @@ -146,15 +146,17 @@ def get_patches_cves(d): with open(patch_file, "r", encoding="iso8859-1") as f: patch_text = f.read() - # Search for the "CVE: " line - match = cve_match.search(patch_text) - if match: + # Search for one or more "CVE: " lines + text_match = False + for match in cve_match.finditer(patch_text): # Get only the CVEs without the "CVE: " tag cves = patch_text[match.start()+5:match.end()] for cve in cves.split(): bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) patched_cves.add(cve) - elif not fname_match: + text_match = True + + if not fname_match and not text_match: bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) return patched_cves @@ -177,7 +179,7 @@ def check_cves(d, patched_cves): cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) cve_cmd = "cve-check-tool" - cmd = [cve_cmd, "--no-html", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir] + cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir] # If the recipe has been whitlisted we return empty lists if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): diff --git a/poky/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/cve-2018-10195.patch b/poky/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/cve-2018-10195.patch new file mode 100644 index 000000000..dea298634 --- /dev/null +++ b/poky/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/cve-2018-10195.patch 
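Review bot: With `--skip-update` added to `cmd` in `check_cves`, the scan depends entirely on whatever database already sits in `CVE_CHECK_DB_DIR`, and nothing visible in this hunk verifies that the database exists or is recent before the tool runs. If the separate fetch step was skipped or failed, the report could come back empty or stale and be read as a clean result. I would add a comment above the assignment, `# --skip-update: the CVE DB is fetched once by a separate task; results are only as fresh as that download`, and, unless the class already does so elsewhere, emit a `bb.warn` when the database directory is empty. The body of `check_cves` continues outside the hunk.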
@@ -0,0 +1,28 @@
+Integer overflow in src/zm.c:zsdata() causes crash in sz and can leak information to receiver.
+
+Patch taken from Fedora.
+
+CVE: CVE-2018-10195
+Upstream-Status: Inappropriate (dead upstream)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff -urN lrzsz-0.12.20/src/zm.c lrzsz-0.12.20.new/src/zm.c
+--- lrzsz-0.12.20/src/zm.c Tue Dec 29 09:48:38 1998
++++ lrzsz-0.12.20.new/src/zm.c Tue Oct 8 12:46:58 2002
+@@ -431,10 +431,12 @@
+ VPRINTF(3,("zsdata: %lu %s", (unsigned long) length,
+ Zendnames[(frameend-ZCRCE)&3]));
+ crc = 0;
+- do {
+- zsendline(*buf); crc = updcrc((0377 & *buf), crc);
+- buf++;
+- } while (--length>0);
++
++ for( ; length; length--) {
++ zsendline(*buf); crc = updcrc((0377 & *buf), crc);
++ buf++;
++ }
++
+ xsendline(ZDLE); xsendline(frameend);
+ crc = updcrc(frameend, crc);
+
\ No newline at end of file diff --git a/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb b/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb index 4b349be32..002c774c6 100644 --- a/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb +++ b/poky/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb @@ -19,6 +19,7 @@ SRC_URI = "http://www.ohse.de/uwe/releases/lrzsz-${PV}.tar.gz \ file://acdefine.patch \ file://lrzsz_fix_for_automake-1.12.patch \ file://lrzsz-check-locale.h.patch \ + file://cve-2018-10195.patch \ " SRC_URI[md5sum] = "b5ce6a74abc9b9eb2af94dffdfd372a4" diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch new file mode 100644 index 000000000..e800a410e --- /dev/null +++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/wpa_supplicant-CVE-2018-14526.patch 
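Review bot: The header of cve-2018-10195.patch says only "Patch taken from Fedora", with no package release or link, so the origin of a security fix for a source marked `Upstream-Status: Inappropriate (dead upstream)` cannot be checked from the recipe. Extending that line to `Patch taken from Fedora (<link to the Fedora lrzsz source, to be filled in>)` would make the patch auditable. The description could also name the trigger: the removed `do { … } while (--length>0)` ran the body once and decremented before testing, so a zero `length` was not handled, which the new `for( ; length; length--)` loop covers. The patch file also ends without a trailing newline.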
@@ -0,0 +1,44 @@
+wpa_supplicant-2.6: Fix CVE-2018-14526
+
+[No upstream tracking] -- https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+
+wpa: Ignore unauthenticated encrypted EAPOL-Key data
+
+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
+processing. When using WPA2, these are frames that have the Encrypted
+flag set, but not the MIC flag.
+
+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
+not the MIC flag, had their data field decrypted without first verifying
+the MIC. In case the data field was encrypted using RC4 (i.e., when
+negotiating TKIP as the pairwise cipher), this meant that
+unauthenticated but decrypted data would then be processed. An adversary
+could abuse this as a decryption oracle to recover sensitive information
+in the data field of EAPOL-Key messages (e.g., the group key).
+
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/src/rsn_supp/wpa.c?id=3e34cfdff6b192fe337c6fb3f487f73e96582961]
+CVE: CVE-2018-14526
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 3c47879..6bdf923 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
+
+ if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++ /*
++ * Only decrypt the Key Data field if the frame's authenticity
++ * was verified. When using AES-SIV (FILS), the MIC flag is not
++ * set, so this check should only be performed if mic_len != 0
++ * which is the case in this code branch.
++ */
++ if (!(key_info & WPA_KEY_INFO_MIC)) {
++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++ goto out;
++ }
+ if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ &key_data_len))
+ goto out;
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb index e68453748..aa4c4c2da 100644 --- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb +++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb @@ -32,6 +32,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://key-replay-cve-multiple6.patch \ file://key-replay-cve-multiple7.patch \ file://key-replay-cve-multiple8.patch \ + file://wpa_supplicant-CVE-2018-14526.patch \ " SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c" SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450" diff --git a/poky/meta/recipes-core/busybox/busybox.inc b/poky/meta/recipes-core/busybox/busybox.inc index d1675c37a..8c6dbbaf9 100644 --- a/poky/meta/recipes-core/busybox/busybox.inc +++ b/poky/meta/recipes-core/busybox/busybox.inc 
@@ -315,20 +315,24 @@ do_install () { fi if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + if grep -q "CONFIG_KLOGD=y" ${B}/.config; then + install -d ${D}${systemd_unitdir}/system + sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-klogd.service.in \ + > ${D}${systemd_unitdir}/system/busybox-klogd.service + fi + if grep -q "CONFIG_SYSLOGD=y" ${B}/.config; then install -d ${D}${systemd_unitdir}/system sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-syslog.service.in \ > ${D}${systemd_unitdir}/system/busybox-syslog.service + if [ ! -e ${D}${systemd_unitdir}/system/busybox-klogd.service ] ; then + sed -i '/klog/d' ${D}${systemd_unitdir}/system/busybox-syslog.service + fi if [ -f ${WORKDIR}/busybox-syslog.default ] ; then install -d ${D}${sysconfdir}/default install -m 0644 ${WORKDIR}/busybox-syslog.default ${D}${sysconfdir}/default/busybox-syslog fi fi - if grep -q "CONFIG_KLOGD=y" ${B}/.config; then - install -d ${D}${systemd_unitdir}/system - sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-klogd.service.in \ - > ${D}${systemd_unitdir}/system/busybox-klogd.service - fi fi # Remove the sysvinit specific configuration file for systemd systems to avoid confusion diff --git a/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch b/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch new file mode 100644 index 000000000..67b4ed7e1 --- /dev/null +++ b/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch 
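Review bot: The new `sed -i '/klog/d'` on the installed busybox-syslog.service deletes every line that contains the substring `klog`, not only the dependency on the klogd unit. If the intent is just to drop the reference to busybox-klogd.service when that unit was not installed, anchor the expression to it, for example `sed -i '/busybox-klogd\.service/d' ${D}${systemd_unitdir}/system/busybox-syslog.service`, and explain it with a comment such as `# klogd not built: drop the unit's reference to busybox-klogd.service`. The contents of busybox-syslog.service.in are not part of this diff, so the exact line being removed is inferred. `do_install` starts and ends outside the hunk.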
@@ -0,0 +1,30 @@
+From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 27 Oct 2017 15:37:03 +0200
+Subject: [PATCH] unlzma: fix SEGV, closes 10436
+
+Upstream-Status: Backport [ https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ archival/libarchive/decompress_unlzma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index 29eee2a..41e492f 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ pos = buffer_pos - rep0;
+ if ((int32_t)pos < 0) {
+ pos += header.dict_size;
++ /* bug 10436 has an example file where this triggers: */
++ if ((int32_t)pos < 0)
++ goto bad;
++
+ /* see unzip_bad_lzma_2.zip: */
+ if (pos >= buffer_size)
+ goto bad;
+--
+2.19.0
+
diff --git a/poky/meta/recipes-core/busybox/busybox/defconfig b/poky/meta/recipes-core/busybox/busybox/defconfig
index fbb5fd852..59d93c707 100644
--- a/poky/meta/recipes-core/busybox/busybox/defconfig
+++ b/poky/meta/recipes-core/busybox/busybox/defconfig
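Review bot: CVE-2017-15874.patch has no `CVE:` tag in its header, unlike the other security patches added in this commit (for example `CVE: CVE-2018-10195` and `CVE: CVE-2018-14526`). `get_patches_cves` in cve-check.bbclass searches the patch text for those tags and appears to fall back to a match on the file name, so this patch is probably still recognised through its name, but a later rename would silently drop it from the patched list. Adding `CVE: CVE-2017-15874` next to the `Upstream-Status:` line keeps the record explicit and independent of the file name.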
@@ -468,21 +468,21 @@ CONFIG_FEATURE_XARGS_SUPPORT_REPL_STR=y # CONFIG_BOOTCHARTD is not set # CONFIG_FEATURE_BOOTCHARTD_BLOATED_HEADER is not set # CONFIG_FEATURE_BOOTCHARTD_CONFIG_FILE is not set -CONFIG_HALT=y -CONFIG_POWEROFF=y -CONFIG_REBOOT=y +# CONFIG_HALT is not set +# CONFIG_POWEROFF is not set +# CONFIG_REBOOT is not set # CONFIG_FEATURE_CALL_TELINIT is not set -CONFIG_TELINIT_PATH="" +# CONFIG_TELINIT_PATH is not set # CONFIG_INIT is not set # CONFIG_LINUXRC is not set # CONFIG_FEATURE_USE_INITTAB is not set # CONFIG_FEATURE_KILL_REMOVED is not set -CONFIG_FEATURE_KILL_DELAY=0 +# CONFIG_FEATURE_KILL_DELAY is not set # CONFIG_FEATURE_INIT_SCTTY is not set # CONFIG_FEATURE_INIT_SYSLOG is not set # CONFIG_FEATURE_INIT_QUIET is not set # CONFIG_FEATURE_INIT_COREDUMPS is not set -CONFIG_INIT_TERMINAL_TYPE="" +# CONFIG_INIT_TERMINAL_TYPE is not set # CONFIG_FEATURE_INIT_MODIFY_CMDLINE is not set # diff --git a/poky/meta/recipes-core/busybox/busybox/init.cfg b/poky/meta/recipes-core/busybox/busybox/init.cfg index 006d4c633..3c1fdd42b 100644 --- a/poky/meta/recipes-core/busybox/busybox/init.cfg +++ b/poky/meta/recipes-core/busybox/busybox/init.cfg @@ -1,3 +1,8 @@ CONFIG_INIT=y CONFIG_FEATURE_USE_INITTAB=y - +CONFIG_HALT=y +CONFIG_POWEROFF=y +CONFIG_REBOOT=y +CONFIG_FEATURE_KILL_DELAY=0 +CONFIG_TELINIT_PATH="" +CONFIG_INIT_TERMINAL_TYPE="" diff --git a/poky/meta/recipes-core/busybox/busybox_1.27.2.bb b/poky/meta/recipes-core/busybox/busybox_1.27.2.bb index 1ce4823d4..bab29728e 100644 --- a/poky/meta/recipes-core/busybox/busybox_1.27.2.bb +++ b/poky/meta/recipes-core/busybox/busybox_1.27.2.bb @@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://busybox-CVE-2017-16544.patch \ file://busybox-fix-lzma-segfaults.patch \ file://umount-ignore-c.patch \ + file://CVE-2017-15874.patch \ " SRC_URI_append_libc-musl = " file://musl.cfg " 
diff --git a/poky/meta/recipes-core/busybox/files/mdev-mount.sh b/poky/meta/recipes-core/busybox/files/mdev-mount.sh index b4385a157..130e9472f 100644 --- a/poky/meta/recipes-core/busybox/files/mdev-mount.sh +++ b/poky/meta/recipes-core/busybox/files/mdev-mount.sh @@ -25,7 +25,7 @@ case "$ACTION" in fi # check for full-disk partition if [ "${DEVBASE}" = "${MDEV}" ] ; then - if [ -d /sys/block/${DEVBASE}/${DEVBASE}*1 ] ; then + if [ -f /sys/block/${DEVBASE}/${DEVBASE}*1/partition ] ; then # Partition detected, just quit exit 0 fi @@ -43,7 +43,7 @@ case "$ACTION" in then MOUNTPOINT="${MDEV_AUTOMOUNT_ROOT}/$MDEV" mkdir -p "$MOUNTPOINT" - mount -t auto /dev/$MDEV "$MOUNTPOINT" + mount -t auto /dev/$MDEV "$MOUNTPOINT" || rmdir "$MOUNTPOINT" fi ;; remove) diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch new file mode 100644 index 000000000..632aa565e --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch 
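Review bot: The new test `[ -f /sys/block/${DEVBASE}/${DEVBASE}*1/partition ]` still relies on an unquoted glob, and `${DEVBASE}*1` matches every partition whose name ends in 1. When more than one path matches, `[ -f` receives several operands and fails, so the script falls through and treats a partitioned disk as if it held a full-disk filesystem. Looping over the matches avoids that, for example `for p in /sys/block/${DEVBASE}/${DEVBASE}*/partition; do [ -f "$p" ] && exit 0; done`. In the second hunk `/dev/$MDEV` is passed to `mount` unquoted while `"$MOUNTPOINT"` is quoted; quoting both would be consistent.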
@@ -0,0 +1,82 @@ +From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <schwab@suse.de> +Date: Tue, 22 May 2018 10:37:59 +0200 +Subject: [PATCH] Don't write beyond destination in + __mempcpy_avx512_no_vzeroupper (bug 23196) + +When compiled as mempcpy, the return value is the end of the destination +buffer, thus it cannot be used to refer to the start of it. + +2018-05-23 Andreas Schwab <schwab@suse.de> + + [BZ #23196] + CVE-2018-11237 + * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S + (L(preloop_large)): Save initial destination pointer in %r11 and + use it instead of %rax after the loop. + * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. + +CVE: CVE-2018-11237 +Upstream-Status: Backport +Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +--- + ChangeLog | 9 +++++++++ + string/test-mempcpy.c | 1 + + sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++-- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index fa0a07c..bc09dec 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,12 @@ ++2018-05-23 Andreas Schwab <schwab@suse.de> ++ ++ [BZ #23196] ++ CVE-2018-11237 ++ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S ++ (L(preloop_large)): Save initial destination pointer in %r11 and ++ use it instead of %rax after the loop. ++ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. ++ + 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> + + [BZ #22786] +diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c +index c08fba8..d98ecdd 100644 +--- a/string/test-mempcpy.c ++++ b/string/test-mempcpy.c +@@ -18,6 +18,7 @@ + <http://www.gnu.org/licenses/>. 
*/ + + #define MEMCPY_RESULT(dst, len) (dst) + (len) ++#define MIN_PAGE_SIZE 131072 + #define TEST_MAIN + #define TEST_NAME "mempcpy" + #include "test-string.h" +diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +index 23c0f7a..a55cf6f 100644 +--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S ++++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +@@ -335,6 +335,7 @@ L(preloop_large): + ja L(preloop_large_bkw) + vmovups (%rsi), %zmm4 + vmovups 0x40(%rsi), %zmm5 ++ mov %rdi, %r11 + + /* Align destination for access with non-temporal stores in the loop. */ + mov %rdi, %r8 +@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop): + cmp $256, %rdx + ja L(gobble_256bytes_nt_loop) + sfence +- vmovups %zmm4, (%rax) +- vmovups %zmm5, 0x40(%rax) ++ vmovups %zmm4, (%r11) ++ vmovups %zmm5, 0x40(%r11) + jmp L(check) + + L(preloop_large_bkw): +-- +2.7.4 + diff --git a/poky/meta/recipes-core/glibc/glibc_2.27.bb b/poky/meta/recipes-core/glibc/glibc_2.27.bb index 22a9881ea..adee494c2 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.27.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.27.bb @@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0030-plural_c_no_preprocessor_lines.patch \ file://CVE-2017-18269.patch \ file://CVE-2018-11236.patch \ + file://CVE-2018-11237.patch \ " NATIVESDKFIXES ?= "" diff --git a/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch b/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch new file mode 100644 index 000000000..d133703de --- /dev/null +++ b/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch 
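Review bot: `Upstream-Status: Backport` in CVE-2018-11237.patch gives no upstream commit or URL, while the other backports in this commit cite one, so the source of the change has to be guessed from the `From` hash and `[BZ #23196]`. Suggest `Upstream-Status: Backport [<glibc commit URL, to be filled in>]`. The patch also carries a `ChangeLog` hunk, which tends to stop applying cleanly once further backports are stacked on top; dropping that hunk would not change the fix itself.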
@@ -0,0 +1,37 @@ +From 0d88b73d189ea3440ccaab00418d6469f76fa590 Mon Sep 17 00:00:00 2001 +From: Michal Hocko <mhocko@suse.com> +Date: Wed, 18 Jul 2018 11:24:29 +0200 +Subject: [PATCH] cgrulesengd: remove umask(0) + +One of our partners has noticed that cgred daemon is creating a log file +(/var/log/cgred) with too wide permissions (0666) and that is seen as +a security bug because an untrusted user can write to otherwise +restricted area. CVE-2018-14348 has been assigned to this issue. + +CVE: CVE-2018-14348 +Upstream-Status: Backport [https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590] + +Signed-off-by: Michal Hocko <mhocko@suse.com> +Acked-by: Balbir Singh <bsingharora@gmail.com> +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + src/daemon/cgrulesengd.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c +index ea51f11..0d288f3 100644 +--- a/src/daemon/cgrulesengd.c ++++ b/src/daemon/cgrulesengd.c +@@ -889,9 +889,6 @@ int cgre_start_daemon(const char *logp, const int logf, + } else if (pid > 0) { + exit(EXIT_SUCCESS); + } +- +- /* Change the file mode mask. */ +- umask(0); + } else { + flog(LOG_DEBUG, "Not using daemon mode\n"); + pid = getpid(); +-- +2.13.3 + diff --git a/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb b/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb index 7ddc81e9b..92d7261b0 100644 --- a/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb +++ b/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb @@ -11,7 +11,8 @@ inherit autotools pkgconfig DEPENDS = "bison-native flex-native" -SRC_URI = "${SOURCEFORGE_MIRROR}/project/libcg/${BPN}/v0.41/${BPN}-${PV}.tar.bz2" +SRC_URI = "${SOURCEFORGE_MIRROR}/project/libcg/${BPN}/v0.41/${BPN}-${PV}.tar.bz2 \ + file://CVE-2018-14348.patch" SRC_URI_append_libc-musl = " file://musl-decls-compat.patch" SRC_URI[md5sum] = "3dea9d50b8a5b73ff0bf1cdcb210f63f" 
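Review bot: Removing `umask(0)` from `cgre_start_daemon` leaves the mode of the log file dependent on the umask the daemon inherits from whatever starts it, so the fix holds only if that environment is already restrictive. Setting an explicit mask in the same place, for example `umask(S_IWGRP | S_IWOTH);`, would make the result deterministic and keep the log from being group- or world-writable regardless of the caller. The function continues outside the hunk, so a mask may already be applied later; that cannot be seen from here.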
diff --git a/poky/meta/recipes-core/os-release/os-release.bb b/poky/meta/recipes-core/os-release/os-release.bb index f98870475..bf4f815a1 100644 --- a/poky/meta/recipes-core/os-release/os-release.bb +++ b/poky/meta/recipes-core/os-release/os-release.bb @@ -1,7 +1,7 @@ inherit allarch SUMMARY = "Operating system identification" -DESCRIPTION = "The /etc/os-release file contains operating system identification data." +DESCRIPTION = "The /usr/lib/os-release file contains operating system identification data." LICENSE = "MIT" INHIBIT_DEFAULT_DEPS = "1" @@ -42,6 +42,9 @@ python do_compile () { do_compile[vardeps] += "${OS_RELEASE_FIELDS}" do_install () { - install -d ${D}${sysconfdir} - install -m 0644 os-release ${D}${sysconfdir}/ + install -d ${D}${libdir} ${D}${sysconfdir} + install -m 0644 os-release ${D}${libdir}/ + lnr ${D}${libdir}/os-release ${D}${sysconfdir}/os-release } + +FILES_${PN} += "${libdir}/os-release" diff --git a/poky/meta/recipes-core/util-linux/util-linux_2.32.bb b/poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb index 55cc98c20..455b9377b 100644 --- a/poky/meta/recipes-core/util-linux/util-linux_2.32.bb +++ b/poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb @@ -15,8 +15,8 @@ SRC_URI += "file://configure-sbindir.patch \ file://display_testname_for_subtest.patch \ file://avoid_parallel_tests.patch \ " -SRC_URI[md5sum] = "e0d8a25853f88cd15ff557e5d8cb4ea7" -SRC_URI[sha256sum] = "6c7397abc764e32e8159c2e96042874a190303e77adceb4ac5bd502a272a4734" +SRC_URI[md5sum] = "9e5b1b8c1dc99455bdb6b462cf9436d9" +SRC_URI[sha256sum] = "86e6707a379c7ff5489c218cfaf1e3464b0b95acf7817db0bc5f179e356a67b2" CACHED_CONFIGUREVARS += "scanf_cv_alloc_modifier=ms" diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.30.inc b/poky/meta/recipes-devtools/binutils/binutils-2.30.inc index 37243db1b..35d7d9b93 100644 --- a/poky/meta/recipes-devtools/binutils/binutils-2.30.inc +++ b/poky/meta/recipes-devtools/binutils/binutils-2.30.inc 
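Review bot: `do_install` now installs into `${D}${libdir}`, but the updated DESCRIPTION names the fixed path /usr/lib/os-release, and `${libdir}` is not /usr/lib on builds that use lib64 or multilib. On such a build the file would land under the arch-specific directory and only the /etc symlink would point at it. Using `${nonarch_libdir}` in the `install -d`, `install -m 0644` and `lnr` lines and in `FILES_${PN}` would keep the location fixed.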
@@ -47,6 +47,7 @@ SRC_URI = "\ file://CVE-2018-10372.patch \ file://CVE-2018-10535.patch \ file://CVE-2018-10534.patch \ + file://0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/binutils/binutils/0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch b/poky/meta/recipes-devtools/binutils/binutils/0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch new file mode 100644 index 000000000..8604e678d --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch 
@@ -0,0 +1,176 @@ +From fc6141f097056f830a412afebed8d81a9d72b696 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 20 Jun 2018 12:38:10 +0100 +Subject: [PATCH] Change the ARM assembler's ADR and ADRl pseudo-ops so that + they will only set the bottom bit of imported thumb function symbols if the + -mthumb-interwork option is active. + +For more information see the email thread starting here: +https://www.sourceware.org/ml/binutils/2018-05/msg00348.html + + PR 21458 + * tc-arm.c (do_adr): Only set the bottom bit of an imported thumb + function symbol address if -mthumb-interwork is active. + (do_adrl): Likewise. + * doc/c-arm.texi: Update descriptions of the -mthumb-interwork + option and the ADR and ADRL pseudo-ops. + * NEWS: Mention the new behaviour of the ADR and ADRL pseudo-ops. + * testsuite/gas/arm/pr21458.d: Add -mthumb-interwork option to + assembler command line. + * testsuite/gas/arm/adr.d: Likewise. + * testsuite/gas/arm/adrl.d: Likewise. +--- + gas/ChangeLog | 14 ++++++++++++++ + gas/NEWS | 4 ++++ + gas/config/tc-arm.c | 10 ++++++---- + gas/doc/c-arm.texi | 17 ++++++++++++++++- + gas/testsuite/gas/arm/adr.d | 1 + + gas/testsuite/gas/arm/adrl.d | 1 + + gas/testsuite/gas/arm/pr21458.d | 3 ++- + 7 files changed, 44 insertions(+), 6 deletions(-) + +Index: git/gas/config/tc-arm.c +=================================================================== +--- git.orig/gas/config/tc-arm.c ++++ git/gas/config/tc-arm.c +@@ -8410,11 +8410,12 @@ do_adr (void) + inst.reloc.pc_rel = 1; + inst.reloc.exp.X_add_number -= 8; + +- if (inst.reloc.exp.X_op == O_symbol ++ if (support_interwork ++ && inst.reloc.exp.X_op == O_symbol + && inst.reloc.exp.X_add_symbol != NULL + && S_IS_DEFINED (inst.reloc.exp.X_add_symbol) + && THUMB_IS_FUNC (inst.reloc.exp.X_add_symbol)) +- inst.reloc.exp.X_add_number += 1; ++ inst.reloc.exp.X_add_number |= 1; + } + + /* This is a pseudo-op of the form "adrl rd, label" to be converted +@@ -8434,11 +8435,12 @@ do_adrl (void) 
+ inst.size = INSN_SIZE * 2; + inst.reloc.exp.X_add_number -= 8; + +- if (inst.reloc.exp.X_op == O_symbol ++ if (support_interwork ++ && inst.reloc.exp.X_op == O_symbol + && inst.reloc.exp.X_add_symbol != NULL + && S_IS_DEFINED (inst.reloc.exp.X_add_symbol) + && THUMB_IS_FUNC (inst.reloc.exp.X_add_symbol)) +- inst.reloc.exp.X_add_number += 1; ++ inst.reloc.exp.X_add_number |= 1; + } + + static void +Index: git/gas/doc/c-arm.texi +=================================================================== +--- git.orig/gas/doc/c-arm.texi ++++ git/gas/doc/c-arm.texi +@@ -317,7 +317,8 @@ instructions; that is, it should behave + @cindex @code{-mthumb-interwork} command line option, ARM + @item -mthumb-interwork + This option specifies that the output generated by the assembler should +-be marked as supporting interworking. ++be marked as supporting interworking. It also affects the behaviour ++of the @code{ADR} and @code{ADRL} pseudo opcodes. + + @cindex @code{-mimplicit-it} command line option, ARM + @item -mimplicit-it=never +@@ -1060,6 +1061,16 @@ out of range, or if it is not defined in + the ADR instruction, then an error will be generated. This instruction + will not make use of the literal pool. + ++If @var{label} is a thumb function symbol, and thumb interworking has ++been enabled via the @option{-mthumb-interwork} option then the bottom ++bit of the value stored into @var{register} will be set. This allows ++the following sequence to work as expected: ++ ++@smallexample ++ adr r0, thumb_function ++ blx r0 ++@end smallexample ++ + @cindex @code{ADRL reg,<label>} pseudo op, ARM + @item ADRL + @smallexample +@@ -1076,6 +1087,10 @@ If the label is out of range, or if it i + (and section) as the ADRL instruction, then an error will be generated. + This instruction will not make use of the literal pool. 
+ ++If @var{label} is a thumb function symbol, and thumb interworking has ++been enabled via the @option{-mthumb-interwork} option then the bottom ++bit of the value stored into @var{register} will be set. ++ + @end table + + For information on the ARM or Thumb instruction sets, see @cite{ARM +Index: git/gas/testsuite/gas/arm/adr.d +=================================================================== +--- git.orig/gas/testsuite/gas/arm/adr.d ++++ git/gas/testsuite/gas/arm/adr.d +@@ -1,3 +1,4 @@ ++#as: -mthumb-interwork + #objdump: -dr --prefix-addresses --show-raw-insn + #name: ADR + +Index: git/gas/testsuite/gas/arm/adrl.d +=================================================================== +--- git.orig/gas/testsuite/gas/arm/adrl.d ++++ git/gas/testsuite/gas/arm/adrl.d +@@ -1,3 +1,4 @@ ++#as: -mthumb-interwork + #objdump: -dr --prefix-addresses --show-raw-insn + #name: ADRL + +Index: git/gas/ChangeLog +=================================================================== +--- git.orig/gas/ChangeLog ++++ git/gas/ChangeLog +@@ -1,3 +1,17 @@ ++2018-06-20 Nick Clifton <nickc@redhat.com> ++ ++ PR 21458 ++ * tc-arm.c (do_adr): Only set the bottom bit of an imported thumb ++ function symbol address if -mthumb-interwork is active. ++ (do_adrl): Likewise. ++ * doc/c-arm.texi: Update descriptions of the -mthumb-interwork ++ option and the ADR and ADRL pseudo-ops. ++ * NEWS: Mention the new behaviour of the ADR and ADRL pseudo-ops. ++ * testsuite/gas/arm/pr21458.d: Add -mthumb-interwork option to ++ assembler command line. ++ * testsuite/gas/arm/adr.d: Likewise. ++ * testsuite/gas/arm/adrl.d: Likewise. ++ + 2018-02-05 Nick Clifton <nickc@redhat.com> + + * po/ru.po: Updated Russian translation. 
+Index: git/gas/NEWS +=================================================================== +--- git.orig/gas/NEWS ++++ git/gas/NEWS +@@ -1,5 +1,9 @@ + -*- text -*- + ++* The ADR and ADRL pseudo-instructions supported by the ARM assembler ++ now only set the bottom bit of the address of thumb function symbols ++ if the -mthumb-interwork command line option is active. ++ + Changes in 2.30: + + * Add support for loaction views in DWARF debug line information. +Index: git/gas/testsuite/gas/arm/pr21458.d +=================================================================== +--- git.orig/gas/testsuite/gas/arm/pr21458.d ++++ git/gas/testsuite/gas/arm/pr21458.d +@@ -1,8 +1,9 @@ ++#as: -mthumb-interwork + #objdump: -d --prefix-addresses --show-raw-insn + #name: ADR(L) for Thumb functions + #skip: *-*-pe *-wince-* *-*-coff *-*-vxworks + +-# Test that using ADR(L) on thumb function symbols sets the T bit. ++# Test that using ADR(L) on thumb function symbols sets the T bit when -mthumb-interwork is active. + + .*: +file format .*arm.* + diff --git a/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch new file mode 100644 index 000000000..2261ea94b --- /dev/null +++ b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch 
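Review bot: The header of 0001-Change-the-ARM-assembler-s-ADR-and-ADRl-pseudo-ops-s.patch has neither an `Upstream-Status:` line nor a `Signed-off-by:` from the person who imported it, both of which the other patches added in this commit carry. Suggest adding `Upstream-Status: Backport [<binutils commit URL, to be filled in>]` and the importer's sign-off below the description. Since `do_adr` and `do_adrl` now set the bottom bit only when `support_interwork` is true, the patch changes assembler output for existing sources, and the header would benefit from one sentence on why that behaviour change is taken on a stable branch.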
@@ -0,0 +1,47 @@
+From 3c0d67184d6edb63f3b7d6d5eb81531daa6388f3 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 28 Aug 2018 16:25:36 +0800
+Subject: [PATCH] squashfs-tools: patch for CVE-2015-4645(6)
+
+Upstream-Status: Backport[https://github.com/devttys0/sasquatch/pull/
+ 5/commits/6777e08cc38bc780d27c69c1d8c272867b74524f]
+
+CVE: CVE-2015-4645 CVE-2015-4646
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ squashfs-tools/unsquash-4.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index ecdaac7..692ae25 100644
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -31,9 +31,9 @@ static unsigned int *id_table;
+ int read_fragment_table_4(long long *directory_table_end)
+ {
+ int res, i;
+- int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
+- int indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
+- long long fragment_table_index[indexes];
++ size_t bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
++ size_t indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
++ long long *fragment_table_index;
+
+ TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
+ "from 0x%llx\n", sBlk.s.fragments, indexes,
+@@ -43,6 +43,11 @@ int read_fragment_table_4(long long *directory_table_end)
+ *directory_table_end = sBlk.s.fragment_table_start;
+ return TRUE;
+ }
++
++ fragment_table_index = malloc(indexes*sizeof(long long));
++ if(fragment_table_index == NULL)
++ EXIT_UNSQUASH("read_fragment_table: failed to allocate "
++ "fragment table index\n");
+
+ fragment_table = malloc(bytes);
+ if(fragment_table == NULL)
+--
+2.7.4
+
diff --git a/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
index a8baca51e..1eb0154fd 100644
--- a/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
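Review bot: `indexes` becomes `size_t` in `read_fragment_table_4`, but the unchanged `TRACE(... "reading %d fragment indexes " ...)` call still passes it for a `%d`, which is a format/argument mismatch; `%zu` for that argument fixes it. The array that used to be a VLA is now obtained with `malloc(indexes*sizeof(long long))`, and no `free(fragment_table_index)` is visible, so every return path after the allocation needs one unless the rest of the function, which lies outside the hunk, already handles it. The `Upstream-Status:` URL is also split across two lines in the header, which makes it hard to follow or to parse with tooling.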
+++ b/poky/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb @@ -15,6 +15,7 @@ SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https \ file://0001-mksquashfs.c-get-inline-functions-work-with-C99.patch;striplevel=2 \ file://squashfs-tools-4.3-sysmacros.patch;striplevel=2 \ file://fix-compat.patch \ + file://0001-squashfs-tools-patch-for-CVE-2015-4645-6.patch;striplevel=2 \ " UPSTREAM_CHECK_COMMITS = "1" SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759" diff --git a/poky/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch new file mode 100644 index 000000000..1038102e6 --- /dev/null +++ b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch 
@@ -0,0 +1,79 @@ +From f9569c086ff29259c73790db9cbf39fe8fb9d862 Mon Sep 17 00:00:00 2001 +From: John Starks <jostarks@microsoft.com> +Date: Wed, 25 Jul 2018 12:16:34 -0700 +Subject: [PATCH] iso9660: validate directory record length + +CVE: CVE-2017-14501 +Upstream-Status: Backport [https://github.com/mmatuska/libarchive/commit/13e87dcd9c37b533127cceb9f3e1e5a38d95e784] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + libarchive/archive_read_support_format_iso9660.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c +index f01d37bf..089bb723 100644 +--- a/libarchive/archive_read_support_format_iso9660.c ++++ b/libarchive/archive_read_support_format_iso9660.c +@@ -409,7 +409,8 @@ static int next_entry_seek(struct archive_read *, struct iso9660 *, + struct file_info **); + static struct file_info * + parse_file_info(struct archive_read *a, +- struct file_info *parent, const unsigned char *isodirrec); ++ struct file_info *parent, const unsigned char *isodirrec, ++ size_t reclen); + static int parse_rockridge(struct archive_read *a, + struct file_info *file, const unsigned char *start, + const unsigned char *end); +@@ -1022,7 +1023,7 @@ read_children(struct archive_read *a, struct file_info *parent) + if (*(p + DR_name_len_offset) == 1 + && *(p + DR_name_offset) == '\001') + continue; +- child = parse_file_info(a, parent, p); ++ child = parse_file_info(a, parent, p, b - p); + if (child == NULL) { + __archive_read_consume(a, skip_size); + return (ARCHIVE_FATAL); +@@ -1112,7 +1113,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660) + */ + seenJoliet = iso9660->seenJoliet;/* Save flag. 
*/ + iso9660->seenJoliet = 0; +- file = parse_file_info(a, NULL, block); ++ file = parse_file_info(a, NULL, block, vd->size); + if (file == NULL) + return (ARCHIVE_FATAL); + iso9660->seenJoliet = seenJoliet; +@@ -1144,7 +1145,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660) + return (ARCHIVE_FATAL); + } + iso9660->seenJoliet = 0; +- file = parse_file_info(a, NULL, block); ++ file = parse_file_info(a, NULL, block, vd->size); + if (file == NULL) + return (ARCHIVE_FATAL); + iso9660->seenJoliet = seenJoliet; +@@ -1749,7 +1750,7 @@ archive_read_format_iso9660_cleanup(struct archive_read *a) + */ + static struct file_info * + parse_file_info(struct archive_read *a, struct file_info *parent, +- const unsigned char *isodirrec) ++ const unsigned char *isodirrec, size_t reclen) + { + struct iso9660 *iso9660; + struct file_info *file, *filep; +@@ -1763,7 +1764,11 @@ parse_file_info(struct archive_read *a, struct file_info *parent, + + iso9660 = (struct iso9660 *)(a->format->data); + +- dr_len = (size_t)isodirrec[DR_length_offset]; ++ if (reclen == 0 || reclen < (dr_len = (size_t)isodirrec[DR_length_offset])) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, ++ "Invalid directory record length"); ++ return (NULL); ++ } + name_len = (size_t)isodirrec[DR_name_len_offset]; + location = archive_le32dec(isodirrec + DR_extent_offset); + fsize = toi(isodirrec + DR_size_offset, DR_size_size); +-- +2.13.3 + diff --git a/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb b/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb index 326971647..e3d90b276 100644 --- a/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb +++ b/poky/meta/recipes-extended/libarchive/libarchive_3.3.2.bb 
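Review bot: The new guard in parse_file_info only proves `reclen >= dr_len`, yet the context lines right after it read `isodirrec[DR_name_len_offset]`, `isodirrec + DR_extent_offset` and `isodirrec + DR_size_offset` at fixed offsets. A record with a small `reclen` and a small length byte passes the check and may still be read past its end, unless a later check or the callers rule that out (the rest of the body is outside the hunk). Comparing `reclen` against the size of the fixed part of a directory record before any field is read would close that gap. The assignment to `dr_len` inside the condition is easy to misread; a plain `if (reclen == 0)` test, then `dr_len = (size_t)isodirrec[DR_length_offset];`, then `if (reclen < dr_len)` says the same thing. In read_children the argument `b - p` is converted to `size_t`, which relies on the loop (not shown) keeping `p <= b`.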
@@ -37,6 +37,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2017-14502.patch \ file://non-recursive-extract-and-list.patch \ file://CVE-2017-14503.patch \ + file://CVE-2017-14501.patch \ " SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27" diff --git a/poky/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch b/poky/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch new file mode 100644 index 000000000..20c6dda2e --- /dev/null +++ b/poky/meta/recipes-graphics/xorg-lib/libice/CVE-2017-2626.patch 
@@ -0,0 +1,149 @@ +From ff5e59f32255913bb1cdf51441b98c9107ae165b Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires <benjamin.tissoires@gmail.com> +Date: Tue, 4 Apr 2017 19:12:53 +0200 +Subject: Use getentropy() if arc4random_buf() is not available + +This allows to fix CVE-2017-2626 on Linux platforms without pulling in +libbsd. +The libc getentropy() is available since glibc 2.25 but also on OpenBSD. +For Linux, we need at least a v3.17 kernel. If the recommended +arc4random_buf() function is not available, emulate it by first trying +to use getentropy() on a supported glibc and kernel. If the call fails, +fall back to the current (partly vulnerable) code. + +Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> +Reviewed-by: Mark Kettenis <kettenis@openbsd.org> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +Upstream-Status: Backport[https://cgit.freedesktop.org/xorg/lib/libICE + /commit/?id=ff5e59f32255913bb1cdf51441b98c9107ae165b] + +CVE: CVE-2017-2626 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + configure.ac | 2 +- + src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++----------------- + 2 files changed, 47 insertions(+), 20 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 458882a..c971ab6 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type]) + + # Checks for library functions. + AC_CHECK_LIB([bsd], [arc4random_buf]) +-AC_CHECK_FUNCS([asprintf arc4random_buf]) ++AC_CHECK_FUNCS([asprintf arc4random_buf getentropy]) + + # Allow checking code with lint, sparse, etc. + XORG_WITH_LINT +diff --git a/src/iceauth.c b/src/iceauth.c +index ed31683..de4785b 100644 +--- a/src/iceauth.c ++++ b/src/iceauth.c +@@ -44,31 +44,19 @@ Author: Ralph Mor, X Consortium + + static int was_called_state; + +-/* +- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by +- * the SI. 
It is not part of standard ICElib. +- */ ++#ifndef HAVE_ARC4RANDOM_BUF + +- +-char * +-IceGenerateMagicCookie ( ++static void ++emulate_getrandom_buf ( ++ char *auth, + int len + ) + { +- char *auth; +-#ifndef HAVE_ARC4RANDOM_BUF + long ldata[2]; + int seed; + int value; + int i; +-#endif + +- if ((auth = malloc (len + 1)) == NULL) +- return (NULL); +- +-#ifdef HAVE_ARC4RANDOM_BUF +- arc4random_buf(auth, len); +-#else + #ifdef ITIMER_REAL + { + struct timeval now; +@@ -76,13 +64,13 @@ IceGenerateMagicCookie ( + ldata[0] = now.tv_sec; + ldata[1] = now.tv_usec; + } +-#else ++#else /* ITIMER_REAL */ + { + long time (); + ldata[0] = time ((long *) 0); + ldata[1] = getpid (); + } +-#endif ++#endif /* ITIMER_REAL */ + seed = (ldata[0]) + (ldata[1] << 16); + srand (seed); + for (i = 0; i < len; i++) +@@ -90,7 +78,46 @@ IceGenerateMagicCookie ( + value = rand (); + auth[i] = value & 0xff; + } +-#endif ++} ++ ++static void ++arc4random_buf ( ++ char *auth, ++ int len ++) ++{ ++ int ret; ++ ++#if HAVE_GETENTROPY ++ /* weak emulation of arc4random through the entropy libc */ ++ ret = getentropy (auth, len); ++ if (ret == 0) ++ return; ++#endif /* HAVE_GETENTROPY */ ++ ++ emulate_getrandom_buf (auth, len); ++} ++ ++#endif /* !defined(HAVE_ARC4RANDOM_BUF) */ ++ ++/* ++ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by ++ * the SI. It is not part of standard ICElib. ++ */ ++ ++ ++char * ++IceGenerateMagicCookie ( ++ int len ++) ++{ ++ char *auth; ++ ++ if ((auth = malloc (len + 1)) == NULL) ++ return (NULL); ++ ++ arc4random_buf (auth, len); ++ + auth[len] = '\0'; + return (auth); + } +-- +cgit v1.1 + diff --git a/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb b/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb index f069749ce..5ccd1d8c3 100644 --- a/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb +++ b/poky/meta/recipes-graphics/xorg-lib/libice_1.0.9.bb 
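Review bot: The local `arc4random_buf` replacement drops to `emulate_getrandom_buf` without any signal whenever `getentropy` returns non-zero, so the cookie is then produced by `rand()` seeded from the clock or the pid, which is the weakness the patch is meant to remove. `getentropy` rejects requests above 256 bytes, so a large `len` takes that path even on a system with a working entropy source; filling the buffer in chunks of at most 256 bytes avoids it. Since `IceGenerateMagicCookie` already returns NULL when `malloc` fails, a stricter variant would free `auth` and return NULL when no secure source succeeded, but that changes behaviour for callers and needs a decision. `#if HAVE_GETENTROPY` reads better as `#ifdef HAVE_GETENTROPY`, matching the `#ifndef HAVE_ARC4RANDOM_BUF` test above it.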
@@ -23,6 +23,8 @@ BBCLASSEXTEND = "native" SRC_URI[md5sum] = "addfb1e897ca8079531669c7c7711726" SRC_URI[sha256sum] = "8f7032f2c1c64352b5423f6b48a8ebdc339cc63064af34d66a6c9aa79759e202" +SRC_URI += "file://CVE-2017-2626.patch" + PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}" PACKAGECONFIG[arc4] = "ac_cv_lib_bsd_arc4random_buf=yes,ac_cv_lib_bsd_arc4random_buf=no,libbsd" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch new file mode 100644 index 000000000..964d5dd4c --- /dev/null +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch 
@@ -0,0 +1,40 @@
+From a309323328d9d6e0bf5d9ea1d75920e53b9beef3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 5 Jan 2018 11:58:42 +1000
+Subject: [PATCH] config: fix NULL value detection for ID_INPUT being unset
+
+Erroneous condition caused us to keep going with all devices that didn't have
+ID_INPUT set.
+
+Fixes: 5aad81445c8c3d6
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=104382
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-status: Backport
+https://patchwork.freedesktop.org/patch/196090/
+Affects: < 1.20.0
+[Yocto # 12899]
+
+Signed-off-by: Armin Kuster <akuser808@gmail.com>
+
+---
+ config/udev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/udev.c b/config/udev.c
+index e198e8609..3a73189e2 100644
+--- a/config/udev.c
++++ b/config/udev.c
+@@ -135,7 +135,7 @@ device_added(struct udev_device *udev_device)
+ #endif
+
+ value = udev_device_get_property_value(udev_device, "ID_INPUT");
+- if (value && !strcmp(value, "0")) {
++ if (!value || !strcmp(value, "0")) {
+ LogMessageVerb(X_INFO, 10,
+ "config/udev: ignoring device %s without "
+ "property ID_INPUT set\n", path);
+--
+2.17.1
+
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb
index c680cf9e8..7e8a9541c 100644
--- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.19.6.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://musl-arm-inb-outb.patch \ file://0003-modesetting-Fix-16-bit-depth-bpp-mode.patch \ file://0003-Remove-check-for-useSIGIO-option.patch \ file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ + file://0001-config-fix-NULL-value-detection-for-ID_INPUT-being-u.patch \ " SRC_URI[md5sum] = "3e47777ff034a331aed2322b078694a8" SRC_URI[sha256sum] = "a732502f1db000cf36a376cd0c010ffdbf32ecdd7f1fa08ba7f5bdf9601cc197" diff --git a/poky/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch b/poky/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch new file mode 100644 index 000000000..7b58568d5 --- /dev/null +++ b/poky/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch 
@@ -0,0 +1,150 @@ +From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001 +From: Jens Axboe <axboe@kernel.dk> +Date: Wed, 2 May 2018 10:24:17 -0600 +Subject: [PATCH] btt: make device/devno use PATH_MAX to avoid overflow + +Herbo Zhang reports: + +I found a bug in blktrace/btt/devmap.c. The code is just as follows: + +https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757 + + struct devmap { + +struct list_head head; +char device[32], devno[32]; // #1 +}; + +LIST_HEAD(all_devmaps); + +static int dev_map_add(char *line) +{ +struct devmap *dmp; + +if (strstr(line, "Device") != NULL) +return 1; + +dmp = malloc(sizeof(struct devmap)); +if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) { //#2 +free(dmp); +return 1; +} + +list_add_tail(&dmp->head, &all_devmaps); +return 0; +} + +int dev_map_read(char *fname) +{ +char line[256]; // #3 +FILE *fp = my_fopen(fname, "r"); + +if (!fp) { +perror(fname); +return 1; +} + +while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) { +if (dev_map_add(line)) +break; +} + +fclose(fp); +return 0; +} + + The line length is 256, but the dmp->device, dmp->devno max length +is only 32. We can put strings longer than 32 into dmp->device and +dmp->devno , and then they will be overflowed. 
+ + we can trigger this bug just as follows: + + $ python -c "print 'A'*256" > ./test + $ btt -M ./test + + *** Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 *** + ======= Backtrace: ========= + /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5] + /lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a] + /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c] + btt(+0x32e0)[0x55ad7306f2e0] + btt(+0x2c5f)[0x55ad7306ec5f] + btt(+0x251f)[0x55ad7306e51f] + /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830] + btt(+0x26b9)[0x55ad7306e6b9] + ======= Memory map: ======== + 55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139 + /usr/bin/btt + 55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139 + /usr/bin/btt + 55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139 + /usr/bin/btt + 55ad73280000-55ad73285000 rw-p 00000000 00:00 0 + 55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0 + [heap] + 7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0 + 7f7f10021000-7f7f14000000 ---p 00000000 00:00 0 + 7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237 + /lib/x86_64-linux-gnu/libgcc_s.so.1 + 7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237 + /lib/x86_64-linux-gnu/libgcc_s.so.1 + 7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237 + /lib/x86_64-linux-gnu/libgcc_s.so.1 + 7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237 + /lib/x86_64-linux-gnu/libgcc_s.so.1 + 7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477 + /lib/x86_64-linux-gnu/libc-2.23.so + 7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477 + /lib/x86_64-linux-gnu/libc-2.23.so + 7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477 + /lib/x86_64-linux-gnu/libc-2.23.so + 7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477 + /lib/x86_64-linux-gnu/libc-2.23.so + 7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0 + 7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478 + /lib/x86_64-linux-gnu/ld-2.23.so + 7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0 + 
7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0 + 7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478 + /lib/x86_64-linux-gnu/ld-2.23.so + 7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478 + /lib/x86_64-linux-gnu/ld-2.23.so + 7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0 + 7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0 + [stack] + 7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0 + [vvar] + 7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0 + [vdso] + ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 + [vsyscall] + [1] 6272 abort btt -M test + +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +Upstream-Status: Backport +[https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7] + +CVE: CVE-2018-10689 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + btt/devmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/btt/devmap.c b/btt/devmap.c +index 0553a9e..5fc1cb2 100644 +--- a/btt/devmap.c ++++ b/btt/devmap.c +@@ -23,7 +23,7 @@ + + struct devmap { + struct list_head head; +- char device[32], devno[32]; ++ char device[PATH_MAX], devno[PATH_MAX]; + }; + + LIST_HEAD(all_devmaps); +-- +2.7.4 + diff --git a/poky/meta/recipes-kernel/blktrace/blktrace_git.bb b/poky/meta/recipes-kernel/blktrace/blktrace_git.bb index 663de2ed5..2605ff916 100644 --- a/poky/meta/recipes-kernel/blktrace/blktrace_git.bb +++ b/poky/meta/recipes-kernel/blktrace/blktrace_git.bb @@ -11,6 +11,7 @@ PV = "1.2.0+git${SRCPV}" SRC_URI = "git://git.kernel.dk/blktrace.git \ file://ldflags.patch \ + file://CVE-2018-10689.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb index cf6a733ce..a6a8b60e1 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb 
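Review bot: Growing `device` and `devno` to `PATH_MAX` removes the overflow only because the caller's line buffer is 256 bytes; the `sscanf(line, "%s %s", dmp->device, dmp->devno)` quoted in the commit message is still unbounded and, going by that listing, sits outside this hunk. Giving the two conversions an explicit width tied to the buffer size, or adding a comment on `struct devmap` that states the dependency on `line[256]`, would keep the fix from regressing if the reader is changed later. The hunk adds no `#include <limits.h>`, so `PATH_MAX` has to arrive through a header that is already included, which is worth confirming for every libc the recipe is built against. The listing in the message also shows `malloc(sizeof(struct devmap))` used without a NULL check, and each entry now carries two `PATH_MAX` buffers.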
@@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "7ba09f891939cbf2c58801a7a4a740365896d6ba" -SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587" +SRCREV_machine ?= "ef88c3326f62cec4b98340324ddbe7f7f7704fd5" +SRCREV_meta ?= "2ae65226f64ed5c888d60eef76b6249db678d060" SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.12.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}" -LINUX_VERSION ?= "4.12.26" +LINUX_VERSION ?= "4.12.28" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb index 00671182d..d5b285e7b 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "aeeb2d73f2a828a9c0b121b2aa3bb345009f5698" -SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8" +SRCREV_machine ?= "af1b926c9160b0dbf2bbe41b166a8a7b07191fd2" +SRCREV_meta ?= "c43c9e19a22367b48c0f62764c8555643d2a6844" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}" -LINUX_VERSION ?= "4.14.48" +LINUX_VERSION ?= "4.14.67" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb index 9d5e1582b..cb4ef3a65 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb 
@@ -4,13 +4,13 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "4.12.26" +LINUX_VERSION ?= "4.12.28" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af" -SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587" +SRCREV_machine ?= "e562267bae5b518acca880c929fbbdf6be047e0a" +SRCREV_meta ?= "2ae65226f64ed5c888d60eef76b6249db678d060" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb index 58945f25d..c9e6e412b 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb @@ -4,7 +4,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "4.14.48" +LINUX_VERSION ?= "4.14.67" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" @@ -12,8 +12,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "9e246607d5c23f8bb3b8800734b1707766e0b2b9" -SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8" +SRCREV_machine ?= "74ecbeb03ebfc2b9a73a6554924b043b903295f5" +SRCREV_meta ?= "c43c9e19a22367b48c0f62764c8555643d2a6844" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb index ac98ca85f..0aea05b83 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb 
@@ -11,22 +11,22 @@ KBRANCH_qemux86 ?= "standard/base" KBRANCH_qemux86-64 ?= "standard/base" KBRANCH_qemumips64 ?= "standard/mti-malta64" -SRCREV_machine_qemuarm ?= "86b02dd23be1e3b3449885b38ed1b876ebec31e8" -SRCREV_machine_qemuarm64 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af" -SRCREV_machine_qemumips ?= "67b93101c52504fd5077166c70baa296190e6166" -SRCREV_machine_qemuppc ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af" -SRCREV_machine_qemux86 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af" -SRCREV_machine_qemux86-64 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af" -SRCREV_machine_qemumips64 ?= "38da8c72733da9619bbbddf14140204631faf488" -SRCREV_machine ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af" -SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587" +SRCREV_machine_qemuarm ?= "b84ecefc243a6ed67d8b6020394963de1240a9f0" +SRCREV_machine_qemuarm64 ?= "e562267bae5b518acca880c929fbbdf6be047e0a" +SRCREV_machine_qemumips ?= "15b1ab68f73fa60dd95a74c640e87e05fad1716d" +SRCREV_machine_qemuppc ?= "e562267bae5b518acca880c929fbbdf6be047e0a" +SRCREV_machine_qemux86 ?= "e562267bae5b518acca880c929fbbdf6be047e0a" +SRCREV_machine_qemux86-64 ?= "e562267bae5b518acca880c929fbbdf6be047e0a" +SRCREV_machine_qemumips64 ?= "57a3f72a020fc84f2da5b0b4c5de4cdbc22b3284" +SRCREV_machine ?= "e562267bae5b518acca880c929fbbdf6be047e0a" +SRCREV_meta ?= "2ae65226f64ed5c888d60eef76b6249db678d060" SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.12.git;name=machine;branch=${KBRANCH}; \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}" DEPENDS += "openssl-native util-linux-native" -LINUX_VERSION ?= "4.12.26" +LINUX_VERSION ?= "4.12.28" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb index 0449213d4..91a2845a7 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb 
@@ -11,20 +11,20 @@ KBRANCH_qemux86 ?= "v4.14/standard/base" KBRANCH_qemux86-64 ?= "v4.14/standard/base" KBRANCH_qemumips64 ?= "v4.14/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "363723ef50c06df54e146c8fe78faa962e96a8c8" -SRCREV_machine_qemuarm64 ?= "798d15552a4d5d9355a300290ed6bf72106b7e96" -SRCREV_machine_qemumips ?= "6c2433d7c51c3e78b1be2c7d1fbfe840b13d04df" -SRCREV_machine_qemuppc ?= "c03babad17499489b20216576d608c94e7fddc5d" -SRCREV_machine_qemux86 ?= "65d1c849534179bbfa494f77947f8be615e9871a" -SRCREV_machine_qemux86-64 ?= "65d1c849534179bbfa494f77947f8be615e9871a" -SRCREV_machine_qemumips64 ?= "59f70381cbde371e41206b7902390ae78558c310" -SRCREV_machine ?= "65d1c849534179bbfa494f77947f8be615e9871a" -SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8" +SRCREV_machine_qemuarm ?= "93d58c0c59d1dcdba6ff76ef093de7de339414a8" +SRCREV_machine_qemuarm64 ?= "888066bc1b9cc5f596da8237cbf74417106e8f22" +SRCREV_machine_qemumips ?= "a9d862bb92707f39c0cf2b2cc6f1645e88a99eb9" +SRCREV_machine_qemuppc ?= "d8ced31602b65fb92487865502da595bd113a329" +SRCREV_machine_qemux86 ?= "084af9624d268ddf4fd65b2f9e8e50ca2f22e62b" +SRCREV_machine_qemux86-64 ?= "084af9624d268ddf4fd65b2f9e8e50ca2f22e62b" +SRCREV_machine_qemumips64 ?= "44e1719a8f4fe10e88c13b9ec6c1fa1d041efaed" +SRCREV_machine ?= "084af9624d268ddf4fd65b2f9e8e50ca2f22e62b" +SRCREV_meta ?= "c43c9e19a22367b48c0f62764c8555643d2a6844" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}" -LINUX_VERSION ?= "4.14.48" +LINUX_VERSION ?= "4.14.67" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch b/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch new file mode 100644 index 000000000..8d09ce7b6 --- /dev/null 
+++ b/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch @@ -0,0 +1,33 @@ +libid3tag: patch for CVE-2004-2779 + +The patch comes from +https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch + +Upstream-Status: Pending + +CVE: CVE-2004-2779 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> + +diff -urNad libid3tag-0.15.1b/utf16.c /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c +--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100 ++++ /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100 +@@ -282,5 +282,18 @@ + + free(utf16); + ++ if (end == *ptr && length % 2 != 0) ++ { ++ /* We were called with a bogus length. It should always ++ * be an even number. We can deal with this in a few ways: ++ * - Always give an error. ++ * - Try and parse as much as we can and ++ * - return an error if we're called again when we ++ * already tried to parse everything we can. ++ * - tell that we parsed it, which is what we do here. ++ */ ++ (*ptr)++; ++ } ++ + return ucs4; + } diff --git a/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb index f6139d612..fe3164610 100644 --- a/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb +++ b/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb @@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \ file://addpkgconfig.patch \ file://obsolete_automake_macros.patch \ file://0001-Fix-gperf-3.1-incompatibility.patch \ + file://10_utf16.dpatch \ " UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/" UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$" diff --git a/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch b/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch new file mode 100644 index 000000000..84b1af1fb --- /dev/null +++ b/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch 
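Review bot: `file://10_utf16.dpatch` is added to SRC_URI without an `apply` parameter, and as far as I know the OE patch handling only applies entries ending in `.patch` or `.diff` automatically. If that holds for this branch, the CVE-2004-2779 fix is fetched but never applied to the source. Either rename the file to `10_utf16.patch` or write the entry as `file://10_utf16.dpatch;apply=yes \`, and confirm in the do_patch log that the change to `utf16.c` is applied. The patch header also marks it `Upstream-Status: Pending` while citing a Debian patch as its origin, so the provenance line should say where it was actually taken from.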
@@ -0,0 +1,37 @@ +From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta <ctruta@gmail.com> +Date: Sun, 17 Jun 2018 22:56:29 -0400 +Subject: [PATCH] [libpng16] Fix the calculation of row_factor in + png_check_chunk_length + +(Bug report by Thuan Pham, SourceForge issue #278) +Upstream-Status: Backport [https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2] +Signed-off-by: Sinan Kaya <okaya@kernel.org> +--- + pngrutil.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/pngrutil.c b/pngrutil.c +index 95571b517..5ba995abf 100644 +--- a/pngrutil.c ++++ b/pngrutil.c +@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length) + { + png_alloc_size_t idat_limit = PNG_UINT_31_MAX; + size_t row_factor = +- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1) +- + 1 + (png_ptr->interlaced? 6: 0)); ++ (size_t)png_ptr->width ++ * (size_t)png_ptr->channels ++ * (png_ptr->bit_depth > 8? 2: 1) ++ + 1 ++ + (png_ptr->interlaced? 6: 0); + if (png_ptr->height > PNG_UINT_32_MAX/row_factor) +- idat_limit=PNG_UINT_31_MAX; ++ idat_limit = PNG_UINT_31_MAX; + else + idat_limit = png_ptr->height * row_factor; + row_factor = row_factor > 32566? 32566 : row_factor; +-- +2.19.0 + diff --git a/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb b/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb index e52d03228..3877d6cbf 100644 --- a/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb +++ b/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb @@ -8,7 +8,9 @@ DEPENDS = "zlib" LIBV = "16" -SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz" +SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \ + file://CVE-2018-13785.patch \ +" SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2" SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6" 
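Review bot: The casts in png_check_chunk_length widen the product only where `size_t` is wider than 32 bits; on 32-bit targets `(size_t)png_ptr->width * (size_t)png_ptr->channels * ...` can presumably still wrap, and the next line divides by the result in `PNG_UINT_32_MAX/row_factor`. Unless the width is bounded before this point (not visible in the hunk), a guard such as `if (row_factor == 0 || png_ptr->height > PNG_UINT_32_MAX/row_factor)` keeps the division safe regardless of word size. The patch header carries no `CVE: CVE-2018-13785` line, unlike the other CVE patches in this commit, so the identifier is recorded only in the file name.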
diff --git a/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch new file mode 100644 index 000000000..57e745331 --- /dev/null +++ b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch 
@@ -0,0 +1,135 @@ +From 6b638fa9afbeb54dfa19378e391465a5284ce1ad Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Wed, 12 Sep 2018 17:16:36 +0800 +Subject: [PATCH] Fix error handling in gdbm + +Only check for gdbm_errno if the return value of the called gdbm_* +function says so. This fixes apr-util with gdbm 1.14, which does not +seem to always reset gdbm_errno. + +Also make the gdbm driver return error codes starting with +APR_OS_START_USEERR instead of always returning APR_EGENERAL. This is +what the berkleydb driver already does. + +Also ensure that dsize is 0 if dptr == NULL. + +Upstream-Status: Backport[https://svn.apache.org/viewvc? +view=revision&revision=1825311] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + dbm/apr_dbm_gdbm.c | 47 +++++++++++++++++++++++++++++------------------ + 1 file changed, 29 insertions(+), 18 deletions(-) + +diff --git a/dbm/apr_dbm_gdbm.c b/dbm/apr_dbm_gdbm.c +index 749447a..1c86327 100644 +--- a/dbm/apr_dbm_gdbm.c ++++ b/dbm/apr_dbm_gdbm.c +@@ -36,13 +36,25 @@ + static apr_status_t g2s(int gerr) + { + if (gerr == -1) { +- /* ### need to fix this */ +- return APR_EGENERAL; ++ if (gdbm_errno == GDBM_NO_ERROR) ++ return APR_SUCCESS; ++ return APR_OS_START_USEERR + gdbm_errno; + } + + return APR_SUCCESS; + } + ++static apr_status_t gdat2s(datum d) ++{ ++ if (d.dptr == NULL) { ++ if (gdbm_errno == GDBM_NO_ERROR || gdbm_errno == GDBM_ITEM_NOT_FOUND) ++ return APR_SUCCESS; ++ return APR_OS_START_USEERR + gdbm_errno; ++ } ++ ++ return APR_SUCCESS; ++} ++ + static apr_status_t datum_cleanup(void *dptr) + { + if (dptr) +@@ -53,22 +65,15 @@ static apr_status_t datum_cleanup(void *dptr) + + static apr_status_t set_error(apr_dbm_t *dbm, apr_status_t dbm_said) + { +- apr_status_t rv = APR_SUCCESS; + +- /* ### ignore whatever the DBM said (dbm_said); ask it explicitly */ ++ dbm->errcode = dbm_said; + +- if ((dbm->errcode = gdbm_errno) == GDBM_NO_ERROR) { ++ if (dbm_said == APR_SUCCESS) + 
dbm->errmsg = NULL; +- } +- else { +- dbm->errmsg = gdbm_strerror(gdbm_errno); +- rv = APR_EGENERAL; /* ### need something better */ +- } +- +- /* captured it. clear it now. */ +- gdbm_errno = GDBM_NO_ERROR; ++ else ++ dbm->errmsg = gdbm_strerror(dbm_said - APR_OS_START_USEERR); + +- return rv; ++ return dbm_said; + } + + /* -------------------------------------------------------------------------- +@@ -107,7 +112,7 @@ static apr_status_t vt_gdbm_open(apr_dbm_t **pdb, const char *pathname, + NULL); + + if (file == NULL) +- return APR_EGENERAL; /* ### need a better error */ ++ return APR_OS_START_USEERR + gdbm_errno; /* ### need a better error */ + + /* we have an open database... return it */ + *pdb = apr_pcalloc(pool, sizeof(**pdb)); +@@ -141,10 +146,12 @@ static apr_status_t vt_gdbm_fetch(apr_dbm_t *dbm, apr_datum_t key, + if (pvalue->dptr) + apr_pool_cleanup_register(dbm->pool, pvalue->dptr, datum_cleanup, + apr_pool_cleanup_null); ++ else ++ pvalue->dsize = 0; + + /* store the error info into DBM, and return a status code. Also, note + that *pvalue should have been cleared on error. */ +- return set_error(dbm, APR_SUCCESS); ++ return set_error(dbm, gdat2s(rd)); + } + + static apr_status_t vt_gdbm_store(apr_dbm_t *dbm, apr_datum_t key, +@@ -201,9 +208,11 @@ static apr_status_t vt_gdbm_firstkey(apr_dbm_t *dbm, apr_datum_t *pkey) + if (pkey->dptr) + apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup, + apr_pool_cleanup_null); ++ else ++ pkey->dsize = 0; + + /* store any error info into DBM, and return a status code. 
*/ +- return set_error(dbm, APR_SUCCESS); ++ return set_error(dbm, gdat2s(rd)); + } + + static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey) +@@ -221,9 +230,11 @@ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey) + if (pkey->dptr) + apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup, + apr_pool_cleanup_null); ++ else ++ pkey->dsize = 0; + + /* store any error info into DBM, and return a status code. */ +- return set_error(dbm, APR_SUCCESS); ++ return set_error(dbm, gdat2s(rd)); + } + + static void vt_gdbm_freedatum(apr_dbm_t *dbm, apr_datum_t data) +-- +2.7.4 + diff --git a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb index 88b4300f9..12d71cbb6 100644 --- a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb +++ b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb @@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \ file://configfix.patch \ file://configure_fixes.patch \ file://run-ptest \ + file://0001-Fix-error-handling-in-gdbm.patch \ " SRC_URI[md5sum] = "bd502b9a8670a8012c4d90c31a84955f" diff --git a/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch b/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch new file mode 100644 index 000000000..f6f43c3d2 --- /dev/null +++ b/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch 
@@ -0,0 +1,56 @@
+input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+
+Upstream-Status: Backport[https://gitlab.gnome.org/GNOME/libcroco/
+ commit/898e3a8c8c0314d2e6b106809a8e3e93cf9d4394]
+
+CVE: CVE-2017-7960
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1f5f07fe057135f1b8fc69bdcf9613e300..3b63a88ee3b1c56778e58172d147d958951bf099 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+ *we should free buf here because it's own by CRInput.
+ *(see the last parameter of cr_input_new_from_buf().
+ */
+- buf = NULL ;
++ buf = NULL;
+ }
+
+ cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++ gulong nb_bytes_left = 0;
++
+ g_return_val_if_fail (a_this && PRIVATE (a_this)
+ && a_byte, CR_BAD_PARAM_ERROR);
+
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ if (PRIVATE (a_this)->end_of_input == TRUE)
+ return CR_END_OF_INPUT_ERROR;
+
++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++ if (nb_bytes_left < 1) {
++ return CR_END_OF_INPUT_ERROR;
++ }
++
+ *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+
+ if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+ if (*a_char == '\n') {
+ PRIVATE (a_this)->end_of_line = TRUE;
+ }
+-
+ }
+
+ return status;
diff --git a/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb b/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
index d86ddd646..5b962ee73 100644
--- a/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
+++ b/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb
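Review bot: In the cr_input_read_byte hunk the new `nb_bytes_left` is declared `gulong`, so a negative error return from cr_input_get_nb_bytes_left() would wrap to a large value and pass the `nb_bytes_left < 1` guard. The helper's return type is not visible on this page, so this needs confirming against cr-input.c; if it is signed, declaring `glong nb_bytes_left = 0;` keeps the `< 1` test meaningful for error returns. The patch is marked as an upstream backport, so such a change would have to be carried as a follow-up patch and noted in the header. cr_input_read_byte's body continues outside the hunk.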
@@ -16,5 +16,7 @@ BINCONFIG = "${bindir}/croco-0.6-config" inherit gnomebase gtk-doc binconfig-disabled +SRC_URI += "file://CVE-2017-7960.patch" + SRC_URI[archive.md5sum] = "bc0984fce078ba2ce29f9500c6b9ddce" SRC_URI[archive.sha256sum] = "ddc4b5546c9fb4280a5017e2707fbd4839034ed1aba5b7d4372212f34f84f860" diff --git a/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch b/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch new file mode 100644 index 000000000..e49481ff8 --- /dev/null +++ b/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch @@ -0,0 +1,40 @@ +From 8a92f964a66d476ca8907234359e92a70fc1325b Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Tue, 28 Aug 2018 15:12:10 +0800 +Subject: [PATCH] On saving makernotes, make sure the makernote container tags + has a type with 1 byte components. + +Fixes (at least): + https://sourceforge.net/p/libexif/bugs/130 + https://sourceforge.net/p/libexif/bugs/129 + +Upstream-Status: Backport[https://github.com/libexif/libexif/commit/ +c39acd1692023b26290778a02a9232c873f9d71a#diff-830e348923810f00726700b083ec00cd] + +CVE: CVE-2017-7544 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + libexif/exif-data.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index 67df4db..6bf89eb 100644 +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e, + exif_mnote_data_set_offset (data->priv->md, *ds - 6); + exif_mnote_data_save (data->priv->md, &e->data, &e->size); + e->components = e->size; ++ if (exif_format_get_size (e->format) != 1) { ++ /* e->format is taken from input code, ++ * but we need to make sure it is a 1 byte ++ * entity due to the multiplication below. */ ++ e->format = EXIF_FORMAT_UNDEFINED; ++ } + } + } + +-- +2.7.4 + 
diff --git a/poky/meta/recipes-support/libexif/libexif_0.6.21.bb b/poky/meta/recipes-support/libexif/libexif_0.6.21.bb index cff4caede..b550a1125 100644 --- a/poky/meta/recipes-support/libexif/libexif_0.6.21.bb +++ b/poky/meta/recipes-support/libexif/libexif_0.6.21.bb @@ -4,7 +4,8 @@ SECTION = "libs" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad" -SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2" +SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ + file://CVE-2017-7544.patch" SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27" SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a" diff --git a/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch new file mode 100644 index 000000000..4a5832ac1 --- /dev/null +++ b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch 
@@ -0,0 +1,29 @@
+From 99f6e1b0d68281b63218d6adfe68cd9e331ac5be Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 10:50:08 -0700
+Subject: [PATCH] Fix syntax of a print() in the scons file to unbreak building
+ with most recent scons version.
+
+* SConstruct Use Python 3.0 valid syntax to make Scons 3.0.0 happy on both python
+ 3.0 and 2.7.
+
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1809132&r2=1811083&diff_format=h]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 1670459..18a45fa 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -184,7 +184,7 @@ CALLOUT_OKAY = not (env.GetOption('clean') or env.GetOption('help'))
+
+ unknown = opts.UnknownVariables()
+ if unknown:
+- print 'Warning: Used unknown variables:', ', '.join(unknown.keys())
++ print('Warning: Used unknown variables:', ', '.join(unknown.keys()))
+
+ apr = str(env['APR'])
+ apu = str(env['APU'])
diff --git a/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch b/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch
new file mode 100644
index 000000000..cec881ee1
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch
@@ -0,0 +1,27 @@
+From e51b4b37916dd20b13133cb7af16601b6bf3ace9 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 10:54:54 -0700
+Subject: [PATCH] SConstruct: Fix path quoting for .def generator
+
+Patch by: Martin Keller <m.keller{_AT_}codesys.com>
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1807594&r2=1809132]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 18a45fa..571bdce 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -160,7 +160,7 @@ env = Environment(variables=opts,
+
+ env.Append(BUILDERS = {
+ 'GenDef' :
+- Builder(action = sys.executable + ' build/gen_def.py $SOURCES > $TARGET',
++ Builder(action = '"%s" "%s" $SOURCES > $TARGET' % (sys.executable, gen_def_script,),
+ suffix='.def', src_suffix='.h')
+ })
+
diff --git a/poky/meta/recipes-support/serf/serf/0003-gen_def.patch b/poky/meta/recipes-support/serf/serf/0003-gen_def.patch
new file mode 100644
index 000000000..e37e9034b
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0003-gen_def.patch
@@ -0,0 +1,22 @@
+From 98e793d9f2250e7c1f9f1eb5dfd616a6a8829e9a Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 11:12:27 -0700
+Subject: [PATCH] gen_def
+
+---
+ SConstruct | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/SConstruct b/SConstruct
+index 571bdce..877731e 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -158,6 +158,8 @@ env = Environment(variables=opts,
+ ENV = os.environ,
+ )
+
++gen_def_script = env.File('build/gen_def.py').rstr()
++
+ env.Append(BUILDERS = {
+ 'GenDef' :
+ Builder(action = '"%s" "%s" $SOURCES > $TARGET' % (sys.executable, gen_def_script,),
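Review bot: 0003-gen_def.patch carries no Upstream-Status or Signed-off-by line and its subject is just `gen_def`, so nothing records where the added `gen_def_script = env.File('build/gen_def.py').rstr()` line comes from. It also defines the name that 0002 already uses in its new `Builder(action = ...)` line, so the series only builds with both applied; folding 0003 into 0002, or ordering it first, would keep each patch usable on its own. The header should gain an `Upstream-Status:` line naming the upstream revision (or stating why there is none) and a `Signed-off-by:` line, as the sibling serf patches have.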
diff --git a/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
new file mode 100644
index 000000000..02fa9e3a0
--- /dev/null
+++ b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
@@ -0,0 +1,29 @@
+From 565211fd082ef653ca9c44a345350fc1451f5a0f Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 Sep 2018 11:12:38 -0700
+Subject: [PATCH] Follow-up to r1811083 fix building with scons 3.0.0 and
+ Python3
+
+* SConstruct: Append decode('utf-8) to FILE.get_contents() to avoid
+ TypeError: cannot use a string pattern on a bytes-like object
+
+Upstream-Status: Backport
+[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1811088&r2=1814604]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ SConstruct | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SConstruct b/SConstruct
+index 877731e..7678bb1 100644
+--- a/SConstruct
++++ b/SConstruct
+@@ -169,7 +169,7 @@ env.Append(BUILDERS = {
+ match = re.search('SERF_MAJOR_VERSION ([0-9]+).*'
+ 'SERF_MINOR_VERSION ([0-9]+).*'
+ 'SERF_PATCH_VERSION ([0-9]+)',
+- env.File('serf.h').get_contents(),
++ env.File('serf.h').get_contents().decode('utf-8'),
+ re.DOTALL)
+ MAJOR, MINOR, PATCH = [int(x) for x in match.groups()]
+ env.Append(MAJOR=str(MAJOR))
diff --git a/poky/meta/recipes-support/serf/serf_1.3.9.bb b/poky/meta/recipes-support/serf/serf_1.3.9.bb
index 2be5a069c..65a8114bb 100644
--- a/poky/meta/recipes-support/serf/serf_1.3.9.bb
+++ b/poky/meta/recipes-support/serf/serf_1.3.9.bb
@@ -1,7 +1,12 @@ SUMMARY = "High-Performance Asynchronous HTTP Client Library" SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://norpath.patch \ - file://env.patch" + file://env.patch \ + file://0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch \ + file://0002-SConstruct-Fix-path-quoting-for-.def-generator.patch \ + file://0003-gen_def.patch \ + file://0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch \ + " SRC_URI[md5sum] = "370a6340ff20366ab088012cd13f2b57" SRC_URI[sha256sum] = "549c2d21c577a8a9c0450facb5cca809f26591f048e466552240947bdf7a87cc" diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch b/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch new file mode 100644 index 000000000..5d95e37af --- /dev/null +++ b/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch 
@@ -0,0 +1,47 @@
+From 19aed4d2be46c4516caf2bee31f79044bbd1d57d Mon Sep 17 00:00:00 2001
+From: Sinan Kaya <okaya@kernel.org>
+Date: Fri, 21 Sep 2018 16:22:01 +0000
+Subject: [PATCH] Detect databases whose schema is corrupted using a CREATE TABLE AS statement and issue an appropriate error message
+
+Upstream-Status: Backport [ https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b&diff=1&w]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ sqlite3.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 73c69ef..6863bc6 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -103474,8 +103474,6 @@ SQLITE_PRIVATE void sqlite3EndTable(
+ p = pParse->pNewTable;
+ if( p==0 ) return;
+
+- assert( !db->init.busy || !pSelect );
+-
+ /* If the db->init.busy is 1 it means we are reading the SQL off the
+ ** "sqlite_master" or "sqlite_temp_master" table on the disk.
+ ** So do not write to the disk again. Extract the root page number
+@@ -103486,6 +103484,10 @@ SQLITE_PRIVATE void sqlite3EndTable(
+ ** table itself. So mark it read-only.
+ */
+ if( db->init.busy ){
++ if( pSelect ){
++ sqlite3ErrorMsg(pParse, "");
++ return;
++ }
+ p->tnum = db->init.newTnum;
+ if( p->tnum==1 ) p->tabFlags |= TF_Readonly;
+ }
+@@ -117813,7 +117815,7 @@ static void corruptSchema(
+ char *z;
+ if( zObj==0 ) zObj = "?";
+ z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj);
+- if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
++ if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
+ sqlite3DbFree(db, *pData->pzErrMsg);
+ *pData->pzErrMsg = z;
+ }
+--
+2.19.0
+
diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
index ef88659e9..b90f89886 100644
--- a/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
+++ b/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
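Review bot: The header of this patch has no `CVE: CVE-2018-8740` line, unlike the libcroco, libexif and taglib patches in the same commit, so the identifier is carried only by the file name. Adding the tag after the Upstream-Status line keeps the patch self-describing if it is ever renamed or squashed. Separately, the sqlite3EndTable hunk reports the corrupt-schema case with `sqlite3ErrorMsg(pParse, "")`, which only reads correctly together with the `zExtra && zExtra[0]` test in corruptSchema; the patch description would be a good place to state that coupling. Both functions continue outside the hunks shown.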
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0 SRC_URI = "\ http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \ + file://CVE-2018-8740.patch \ " SRC_URI[md5sum] = "96b5648d542e8afa6ab7ffb8db8ddc3d" SRC_URI[sha256sum] = "2824ab1238b706bc66127320afbdffb096361130e23291f26928a027b885c612" diff --git a/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch b/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch new file mode 100644 index 000000000..cdd66e67f --- /dev/null +++ b/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch 
@@ -0,0 +1,51 @@
+From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Mon, 4 Jun 2018 11:34:36 -0400
+Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
+
+This CVE is caused by a failure to check the minimum length
+of a ogg flac header. This header is detailed in full at:
+https://xiph.org/flac/ogg_mapping.html. Added more strict checking
+for entire header.
+
+Upstream-Status: Backport
+[https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278]
+
+CVE: CVE-2018-11439
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
+index 53d0450..07ea9dc 100644
+--- a/taglib/ogg/flac/oggflacfile.cpp
++++ b/taglib/ogg/flac/oggflacfile.cpp
+@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
+
+ if(!metadataHeader.startsWith("fLaC")) {
+ // FLAC 1.1.2+
++ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
++ if(metadataHeader.size() < 13)
++ return;
++
++ if(metadataHeader[0] != 0x7f)
++ return;
++
+ if(metadataHeader.mid(1, 4) != "FLAC")
+ return;
+
+- if(metadataHeader[5] != 1)
+- return; // not version 1
++ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
++ return; // not version 1.0
++
++ if(metadataHeader.mid(9, 4) != "fLaC")
++ return;
+
+ metadataHeader = metadataHeader.mid(13);
+ }
+--
+2.7.4
+
diff --git a/poky/meta/recipes-support/taglib/taglib_1.11.1.bb b/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
index 50439bc14..01dcf66d1 100644
--- a/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
+++ b/poky/meta/recipes-support/taglib/taglib_1.11.1.bb
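Review bot: The version test added in Ogg::FLAC::File::scan(), `if(metadataHeader[5] != 1 && metadataHeader[6] != 0)`, rejects a header only when both the major and the minor byte differ, while its comment says `// not version 1.0`; a mapping version such as 1.5 or 2.0 is still accepted. If the intent is to accept 1.0 only, the condition would be `if(metadataHeader[5] != 1 || metadataHeader[6] != 0)`. The out-of-bounds read itself is covered by the new `metadataHeader.size() < 13` guard, so this is a strictness issue rather than a memory-safety one. The patch is marked as an upstream backport, so the change is best raised upstream as well; scan() continues outside the hunk.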
@@ -10,6 +10,7 @@ DEPENDS = "zlib" SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \ file://CVE-2017-12678.patch \ + file://CVE-2018-11439.patch \ " SRC_URI[md5sum] = "cee7be0ccfc892fa433d6c837df9522a" |