diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-10-05 18:10:57 +0300 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-10-05 18:11:45 +0300 |
| commit | 00e122a7b3a839f5ce8b819cb1bfe92cf3781eda (patch) | |
| tree | c0c5c46b2f5800ed27322d7da083f0cf438b243b /poky/meta/recipes-extended | |
| parent | 7fe5760ae59db49e4b8c350cbc192097ba4e5958 (diff) | |
| download | openbmc-00e122a7b3a839f5ce8b819cb1bfe92cf3781eda.tar.xz | |
poky: subtree update:81f9e815d3..03d4d9d68f
Adrian Bunk (1):
json-c: Don't --enable-rdrand
Alessio Igor Bogani (2):
wic: Using the right rootfs size during prepare_rootfs
rootfs-postcommands: Avoid use of an hard-coded value
Alexander Kanavin (1):
binutils: drop UPSTREAM_VERSION_UNKNOWN
Alexandre Bard (1):
systemd: Expose resolv-conf alternative only when resolved is built
Andre McCurdy (1):
ffmpeg: enable more verbose build logs
André Draszik (4):
ruby: drop long-merged CVE patches
ruby: configure mis-detects isnan/isinf on musl
ruby: fix non-IPv6 support
packagegroup: fix a comment regarding PACKAGE_ARCH
Bruce Ashfield (6):
linux-yocto/5.2: update to v5.2.13
linux-yocto/4.19: update to v4.19.72
linux-yocto/5.2: update to v5.2.14
linux-yocto/5.2: update to v5.2.16
linux-yocto/5.2: update to v5.2.17
yocto-bsps: update to v5.2.17
Böszörményi Zoltán via Openembedded-core (1):
classes/image-live.bbclass: Don't hardcode cpio.gz
Changqing Li (2):
devtool.py: change to do clean before remove-layer
devtool.py: fix buildclean test
Chen Qi (1):
systemd: fix NFS regression
Dan Tran (1):
unzip: Fix CVE-2019-13232
David Reyna (2):
bitbake: toaster: issues in import layer when clicking 'add layer'
bitbake: toaster: improve warnings when adding dependency to packages
Diego Rondini (2):
initramfs-framework: fix var name
initramfs-framework: support PARTLABEL option
Douglas Royds (1):
icecc: Don't use icecc when INHIBIT_DEFAULT_DEPS is set
He Zhe (1):
ltp: Fix hang of cve test cases
Heiko Schocher (1):
kernel.fitimage.bbclass: remove ramdisk_ctype
Jacob Kroon (1):
bitbake: tests/data: Test combinations of _append together with override
Joe Slater (1):
bash-completion: add image feature
Jonathan Marler (1):
package: Multiple shlib_providers for the same file should error
Joshua Watt (8):
classes/reproducible_build: Move SDE deploy to another directory
oeqa: Test multiconfig parsing
bitbake: cookerdata: Add mc conffiles hashes to cache hash
bitbake: hashserve: Add missing import
bitbake: siggen: Fix attribute error when hashserver fails
bitbake: hashserv: Don't daemonize server process
local.conf.sample: Add Hash Equivalence
classes/reproducible_build: Create SDE destination
Khem Raj (7):
musl: Fix riscv64 CAS functions
qemuriscv: Do not blacklist clang anymore
sdk: Install nativesdk locales for all TCLIBC variants
strace: Upgrade to 5.3
packagegroups: All groups are not allarch
musl: Fix __riscv_mc* containers to match glibc
core-image-sato-sdk-ptest: Remove valgrind ptests for riscv
Konrad Scherer (1):
gen-lockedsig-cache: Replace glob lookup with hash to filename lookup
Lei Maohui (1):
bluez5: update patch to fix do_patch error when PATCHTOOL = "patch".
Li Zhou (1):
shadow: use relaxed usernames for all
Limeng (1):
u-boot: add CVE patches for u-boot
Nathan Rossi (2):
oeqa/core/utils/concurrencytest.py: Handle exceptions and details
oeqa/core/case.py: Encode binary data of log
Niclas Svensson (1):
devtool: finish: Keep patches ordered when updating bbappend
Otavio Salvador (1):
mesa: Add freedreno PACKAGECONFIG option
Peter Kjellerstedt (3):
systemd: Make it build with hwdb disabled
devtool: finish: Add suppport for the --no-clean option
lib/oe/lsb: Make sure the distro ID is always lowercased
Randy MacLeod (1):
ffmpeg: update from 4.2 to 4.2.1
Richard Purdie (17):
Revert "meta-extsdk: Either an sstate task is a proper task or it isn't"
sstatesig: Fix hash equivlanency locked signature issues
oeqa/selftest/signing: Fix for hash equivlance server
lib/sstatesig: Fix class inheritance problems
populate_sdk_ext: Fix for hash equiv
bitbake: runqueue: Fix task migration problems
bitbake: siggen: Ensure setscenetasks list is available to worker context
bitbake: runqueue: Change task migration behaviour for rerunning setscene tasks
bitbake: siggen/runqueue: Fix signature mismatch issues
bitbake: siggen: Avoid writing misleading sigdata files
bitbake: runqueue: Save unihashes more frequently
bitbake: runqueue: Small performance optimisation
bitbake: siggen: Remove full path from unitaskhashes keys
bitbake: tests/runqueue: Fix hashserve shutdown race
base: Improve module import error message
sanity.conf: Bump minimum bitbake version
bitbake: bitbake: Bump verison 1.43.1 -> 1.43.2
Robert Yang (6):
cases/bbtests.py: test_bitbake_g(): Check base-files rather than busybox
expect: Fix configure error for nativesdk
net-tools: Fix installed-vs-shipped for nativesdk
expect: Fix buffer overflow error when build in long path
apr: Check for libtoolize rather than libtool
lttng-ust: Fix for --enable-python-agent
Ross Burton (12):
oeqa/selftest/reproducible: test ipkgs too
distcc: clean up the UI install logic
distcc: use --enable-tcp-insecure instead of --make-me-a-botnet
distcc: split into client and server packages
json-c: clean up recipe
json-c: use GitHub for upstream release checking
bitbake: fetch2/git: refactor check for git-lfs command
bitbake: tests/fetch: add test case for git-lfs handling
python3: move runpy to core
pango: fix the failing testiter test case
opkg: remove redundant systemd inherit
lttng-ust: update patch Signed-off-by
Trevor Gamblin (5):
python3-subunit: ensure runtime dependencies are present
python3-pip: ensure pickle is installed
lighttpd: remove fam as a PACKAGECONFIG option
tiff: fix CVE-2019-14973
opkg: remove pathfinder PACKAGECONFIG option
Wang Quanyang (1):
kexec-tools: fix arm kexec failure for __NR_kexec_file_load
Yi Zhao (1):
python: add tk-lib as runtime dependency for python-tkinter
Change-Id: I0570125d49f7e4bc3bbf70508cbfd7e10bdbc032
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/recipes-extended')
9 files changed, 581 insertions, 4 deletions
diff --git a/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.54.bb b/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.54.bb index 72990d02e..2e83c821a 100644 --- a/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.54.bb +++ b/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.54.bb @@ -39,14 +39,13 @@ PACKAGECONFIG[krb5] = "--with-krb5,--without-krb5,krb5" PACKAGECONFIG[pcre] = "--with-pcre,--without-pcre,libpcre" PACKAGECONFIG[zlib] = "--with-zlib,--without-zlib,zlib" PACKAGECONFIG[bzip2] = "--with-bzip2,--without-bzip2,bzip2" -PACKAGECONFIG[fam] = "--with-fam,--without-fam,gamin" PACKAGECONFIG[webdav-props] = "--with-webdav-props,--without-webdav-props,libxml2 sqlite3" PACKAGECONFIG[webdav-locks] = "--with-webdav-locks,--without-webdav-locks,util-linux" PACKAGECONFIG[gdbm] = "--with-gdbm,--without-gdbm,gdbm" PACKAGECONFIG[memcache] = "--with-memcached,--without-memcached,libmemcached" PACKAGECONFIG[lua] = "--with-lua,--without-lua,lua" -EXTRA_OECONF += "--enable-lfs" +EXTRA_OECONF += "--enable-lfs --without-fam" inherit autotools pkgconfig update-rc.d gettext systemd diff --git a/poky/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch b/poky/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch new file mode 100644 index 000000000..cc4008130 --- /dev/null +++ b/poky/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch @@ -0,0 +1,64 @@ +From e3a8502d0a4f8a44ddd02ca4b2efc097133fb9f7 Mon Sep 17 00:00:00 2001 +From: Mathias Fiedler <mathias.fiedler@aox-tech.de> +Date: Fri, 23 Aug 2019 12:46:48 +0200 +Subject: [PATCH] cve-2017-17052: Avoid unsafe exits in threads + +According to manpage exit(3) calling exit is not thread-safe. +And with glibc 2.28 (and probably also with glibc >=2.27) sometimes +child processes created in fork_thread can get stuck on process exit in +glibc's __run_exit_handlers trying to acquire some lock which was in +locked state while the fork was created. This can happen when exit is +called in mmap_thread concurrently to the fork. +While the main process will still return with PASSED some of its +children are left behind. + +Comparing the source code with the original program as described in the +commit 2b7e8665b4ff51c034c55df3cff76518d1a9ee3a of linux kernel >=4.13 +the exits in mmap_thread and fork_thread should not be necessary to +trigger the original bug. + +Therefore those exit calls are removed. The mmap_thread and fork_thread +should still exit when their corresponding main thread in do_test_fork +calls exit_group. The remaining exit in do_test_fork will be called in +the main thread without any concurrent thread in the same process. + +Signed-off-by: Mathias Fiedler <mathias.fiedler@aox-tech.de> +Acked-by: Cyril Hrubis <chrubis@suse.cz> +Acked-by: Jan Stancek <jstancek@redhat.com> + +Upstream-Status: Backport +[https://github.com/linux-test-project/ltp/commit/9f0b452c1af4bcb54da35711eb3fa77334a350b4] + +CVE: CVE-2017-17052 + +Signed-off-by: He Zhe <zhe.he@windriver.com> +--- + testcases/cve/cve-2017-17052.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/testcases/cve/cve-2017-17052.c b/testcases/cve/cve-2017-17052.c +index d7da7e919..18cd2a6d7 100644 +--- a/testcases/cve/cve-2017-17052.c ++++ b/testcases/cve/cve-2017-17052.c +@@ -58,8 +58,6 @@ static void *mmap_thread(void *arg) + for (;;) { + SAFE_MMAP(NULL, 0x1000000, PROT_READ, + MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); +- if (*do_exit) +- exit(0); + } + + return arg; +@@ -67,9 +65,6 @@ static void *mmap_thread(void *arg) + + static void *fork_thread(void *arg) + { +- if (*do_exit) +- exit(0); +- + usleep(rand() % 10000); + SAFE_FORK(); + +-- +2.17.1 + diff --git a/poky/meta/recipes-extended/ltp/ltp_20190517.bb b/poky/meta/recipes-extended/ltp/ltp_20190517.bb index e9a588f49..465071560 100644 --- a/poky/meta/recipes-extended/ltp/ltp_20190517.bb +++ b/poky/meta/recipes-extended/ltp/ltp_20190517.bb @@ -48,6 +48,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \ file://0001-cve-meltdown.c-Fix-kernel-symbol-finding.patch \ file://0001-testcases-use-python3-everywhere-to-run-python-scrip.patch \ file://0001-syscall-rt_sigtimedwait01-Fix-wrong-sigset-length-fo.patch \ + file://0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-extended/net-tools/net-tools_1.60-26.bb b/poky/meta/recipes-extended/net-tools/net-tools_1.60-26.bb index b565fd093..5a376e72f 100644 --- a/poky/meta/recipes-extended/net-tools/net-tools_1.60-26.bb +++ b/poky/meta/recipes-extended/net-tools/net-tools_1.60-26.bb @@ -95,7 +95,7 @@ do_compile() { do_install() { # We don't need COPTS or LOPTS, but let's be consistent. - oe_runmake COPTS="$CFLAGS" LOPTS="$LDFLAGS" 'BASEDIR=${D}' install + oe_runmake COPTS="$CFLAGS" LOPTS="$LDFLAGS" BASEDIR=${D} INSTALLNLSDIR=${D}${datadir}/locale mandir=${mandir} install if [ "${base_bindir}" != "/bin" ]; then mkdir -p ${D}/${base_bindir} diff --git a/poky/meta/recipes-extended/shadow/shadow.inc b/poky/meta/recipes-extended/shadow/shadow.inc index 7f8ee7871..af38b911d 100644 --- a/poky/meta/recipes-extended/shadow/shadow.inc +++ b/poky/meta/recipes-extended/shadow/shadow.inc @@ -14,12 +14,12 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}. file://0001-Make-the-sp_lstchg-shadow-field-reproducible-re.-71.patch \ file://0001-configure.ac-fix-configure-error-with-dash.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://shadow-relaxed-usernames.patch \ " SRC_URI_append_class-target = " \ file://login_defs_pam.sed \ file://shadow-update-pam-conf.patch \ - file://shadow-relaxed-usernames.patch \ " SRC_URI_append_class-native = " \ diff --git a/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch b/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch new file mode 100644 index 000000000..d485a1bd6 --- /dev/null +++ b/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch @@ -0,0 +1,33 @@ +From 080d52c3c9416c731f637f9c6e003961ef43f079 Mon Sep 17 00:00:00 2001 +From: Mark Adler <madler@alumni.caltech.edu> +Date: Mon, 27 May 2019 08:20:32 -0700 +Subject: [PATCH 1/3] Fix bug in undefer_input() that misplaced the input + state. + +CVE: CVE-2019-13232 +Upstream-Status: Backport +[https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213] + +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + fileio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fileio.c b/fileio.c +index 7605a29..14460f3 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -532,8 +532,10 @@ void undefer_input(__G) + * This condition was checked when G.incnt_leftover was set > 0 in + * defer_leftover_input(), and it is NOT allowed to touch G.csize + * before calling undefer_input() when (G.incnt_leftover > 0) +- * (single exception: see read_byte()'s "G.csize <= 0" handling) !! ++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !! + */ ++ if (G.csize < 0L) ++ G.csize = 0L; + G.incnt = G.incnt_leftover + (int)G.csize; + G.inptr = G.inptr_leftover - (int)G.csize; + G.incnt_leftover = 0; +-- +2.22.0.vfs.1.1.57.gbaf16c8 diff --git a/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch b/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch new file mode 100644 index 000000000..41037a8e2 --- /dev/null +++ b/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch @@ -0,0 +1,356 @@ +From 1aae47fa8935654a84403768f32c03ecbb1be470 Mon Sep 17 00:00:00 2001 +From: Mark Adler <madler@alumni.caltech.edu> +Date: Tue, 11 Jun 2019 22:01:18 -0700 +Subject: [PATCH 2/3] Detect and reject a zip bomb using overlapped entries. + +This detects an invalid zip file that has at least one entry that +overlaps with another entry or with the central directory to the +end of the file. A Fifield zip bomb uses overlapped local entries +to vastly increase the potential inflation ratio. Such an invalid +zip file is rejected. + +See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's +analysis, construction, and examples of such zip bombs. + +The detection maintains a list of covered spans of the zip files +so far, where the central directory to the end of the file and any +bytes preceding the first entry at zip file offset zero are +considered covered initially. Then as each entry is decompressed +or tested, it is considered covered. When a new entry is about to +be processed, its initial offset is checked to see if it is +contained by a covered span. If so, the zip file is rejected as +invalid. + +This commit depends on a preceding commit: "Fix bug in +undefer_input() that misplaced the input state." + +CVE: CVE-2019-13232 +Upstream-Status: Backport +[https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c] + +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++- + globals.c | 1 + + globals.h | 3 + + process.c | 10 +++ + unzip.h | 1 + + 5 files changed, 204 insertions(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index 24db2a8..2bb72ba 100644 +--- a/extract.c ++++ b/extract.c +@@ -321,6 +321,125 @@ static ZCONST char Far UnsupportedExtraField[] = + "\nerror: unsupported extra-field compression type (%u)--skipping\n"; + static ZCONST char Far BadExtraFieldCRC[] = + "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n"; ++static ZCONST char Far NotEnoughMemCover[] = ++ "error: not enough memory for bomb detection\n"; ++static ZCONST char Far OverlappedComponents[] = ++ "error: invalid zip file with overlapped components (possible zip bomb)\n"; ++ ++ ++ ++ ++ ++/* A growable list of spans. */ ++typedef zoff_t bound_t; ++typedef struct { ++ bound_t beg; /* start of the span */ ++ bound_t end; /* one past the end of the span */ ++} span_t; ++typedef struct { ++ span_t *span; /* allocated, distinct, and sorted list of spans */ ++ size_t num; /* number of spans in the list */ ++ size_t max; /* allocated number of spans (num <= max) */ ++} cover_t; ++ ++/* ++ * Return the index of the first span in cover whose beg is greater than val. ++ * If there is no such span, then cover->num is returned. ++ */ ++static size_t cover_find(cover, val) ++ cover_t *cover; ++ bound_t val; ++{ ++ size_t lo = 0, hi = cover->num; ++ while (lo < hi) { ++ size_t mid = (lo + hi) >> 1; ++ if (val < cover->span[mid].beg) ++ hi = mid; ++ else ++ lo = mid + 1; ++ } ++ return hi; ++} ++ ++/* Return true if val lies within any one of the spans in cover. */ ++static int cover_within(cover, val) ++ cover_t *cover; ++ bound_t val; ++{ ++ size_t pos = cover_find(cover, val); ++ return pos > 0 && val < cover->span[pos - 1].end; ++} ++ ++/* ++ * Add a new span to the list, but only if the new span does not overlap any ++ * spans already in the list. The new span covers the values beg..end-1. beg ++ * must be less than end. ++ * ++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for ++ * the list as needed. On success, 0 is returned. If the new span overlaps any ++ * existing spans, then 1 is returned and the new span is not added to the ++ * list. If the new span is invalid because beg is greater than or equal to ++ * end, then -1 is returned. If the list needs to be grown but the memory ++ * allocation fails, then -2 is returned. ++ */ ++static int cover_add(cover, beg, end) ++ cover_t *cover; ++ bound_t beg; ++ bound_t end; ++{ ++ size_t pos; ++ int prec, foll; ++ ++ if (beg >= end) ++ /* The new span is invalid. */ ++ return -1; ++ ++ /* Find where the new span should go, and make sure that it does not ++ overlap with any existing spans. */ ++ pos = cover_find(cover, beg); ++ if ((pos > 0 && beg < cover->span[pos - 1].end) || ++ (pos < cover->num && end > cover->span[pos].beg)) ++ return 1; ++ ++ /* Check for adjacencies. */ ++ prec = pos > 0 && beg == cover->span[pos - 1].end; ++ foll = pos < cover->num && end == cover->span[pos].beg; ++ if (prec && foll) { ++ /* The new span connects the preceding and following spans. Merge the ++ following span into the preceding span, and delete the following ++ span. */ ++ cover->span[pos - 1].end = cover->span[pos].end; ++ cover->num--; ++ memmove(cover->span + pos, cover->span + pos + 1, ++ (cover->num - pos) * sizeof(span_t)); ++ } ++ else if (prec) ++ /* The new span is adjacent only to the preceding span. Extend the end ++ of the preceding span. */ ++ cover->span[pos - 1].end = end; ++ else if (foll) ++ /* The new span is adjacent only to the following span. Extend the ++ beginning of the following span. */ ++ cover->span[pos].beg = beg; ++ else { ++ /* The new span has gaps between both the preceding and the following ++ spans. Assure that there is room and insert the span. */ ++ if (cover->num == cover->max) { ++ size_t max = cover->max == 0 ? 16 : cover->max << 1; ++ span_t *span = realloc(cover->span, max * sizeof(span_t)); ++ if (span == NULL) ++ return -2; ++ cover->span = span; ++ cover->max = max; ++ } ++ memmove(cover->span + pos + 1, cover->span + pos, ++ (cover->num - pos) * sizeof(span_t)); ++ cover->num++; ++ cover->span[pos].beg = beg; ++ cover->span[pos].end = end; ++ } ++ return 0; ++} + + + +@@ -376,6 +495,29 @@ int extract_or_test_files(__G) /* return PK-type error code */ + } + #endif /* !SFX || SFX_EXDIR */ + ++ /* One more: initialize cover structure for bomb detection. Start with a ++ span that covers the central directory though the end of the file. */ ++ if (G.cover == NULL) { ++ G.cover = malloc(sizeof(cover_t)); ++ if (G.cover == NULL) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ ((cover_t *)G.cover)->span = NULL; ++ ((cover_t *)G.cover)->max = 0; ++ } ++ ((cover_t *)G.cover)->num = 0; ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ cover_add((cover_t *)G.cover, ++ G.extra_bytes + G.ecrec.offset_start_central_directory, ++ G.ziplen) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. Since the central di- + rectory lies at the end of the zipfile and the member files lie at the +@@ -593,7 +735,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + if (error > error_in_archive) + error_in_archive = error; + /* ...and keep going (unless disk full or user break) */ +- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) { ++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC || ++ error == PK_BOMB) { + /* clear reached_end to signal premature stop ... */ + reached_end = FALSE; + /* ... and cancel scanning the central directory */ +@@ -1062,6 +1205,11 @@ static int extract_or_test_entrylist(__G__ numchunk, + + /* seek_zipf(__G__ pInfo->offset); */ + request = G.pInfo->offset + G.extra_bytes; ++ if (cover_within((cover_t *)G.cover, request)) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + inbuf_offset = request % INBUFSIZ; + bufstart = request - inbuf_offset; + +@@ -1593,6 +1741,18 @@ reprompt: + return IZ_CTRLC; /* cancel operation by user request */ + } + #endif ++ error = cover_add((cover_t *)G.cover, request, ++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf)); ++ if (error < 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ if (error != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */ + UserStop(); + #endif +@@ -1994,6 +2154,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */ + } + + undefer_input(__G); ++ ++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) { ++ /* skip over data descriptor (harder than it sounds, due to signature ++ * ambiguity) ++ */ ++# define SIG 0x08074b50 ++# define LOW 0xffffffff ++ uch buf[12]; ++ unsigned shy = 12 - readbuf((char *)buf, 12); ++ ulg crc = shy ? 0 : makelong(buf); ++ ulg clen = shy ? 0 : makelong(buf + 4); ++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */ ++ if (crc == SIG && /* if not SIG, no signature */ ++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */ ++ (clen == SIG && /* if not SIG, no signature */ ++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */ ++ (ulen == SIG && /* if not SIG, no signature */ ++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG ++ /* if not SIG, have signature */ ++ ))))) ++ /* skip four more bytes to account for signature */ ++ shy += 4 - readbuf((char *)buf, 4); ++ if (G.zip64) ++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ ++ if (shy) ++ error = PK_ERR; ++ } ++ + return error; + + } /* end function extract_or_test_member() */ +diff --git a/globals.c b/globals.c +index fa8cca5..1e0f608 100644 +--- a/globals.c ++++ b/globals.c +@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor() + # if (!defined(NO_TIMESTAMPS)) + uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */ + # endif ++ G.cover = NULL; /* not allocated yet */ + #endif + + uO.lflag=(-1); +diff --git a/globals.h b/globals.h +index 11b7215..2bdcdeb 100644 +--- a/globals.h ++++ b/globals.h +@@ -260,12 +260,15 @@ typedef struct Globals { + ecdir_rec ecrec; /* used in unzip.c, extract.c */ + z_stat statbuf; /* used by main, mapname, check_for_newer */ + ++ int zip64; /* true if Zip64 info in extra field */ ++ + int mem_mode; + uch *outbufptr; /* extract.c static */ + ulg outsize; /* extract.c static */ + int reported_backslash; /* extract.c static */ + int disk_full; + int newfile; ++ void **cover; /* used in extract.c for bomb detection */ + + int didCRlast; /* fileio static */ + ulg numlines; /* fileio static: number of lines printed */ +diff --git a/process.c b/process.c +index a3c1a4d..208619c 100644 +--- a/process.c ++++ b/process.c +@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */ + } + #endif + ++ /* Free the cover span list and the cover structure. */ ++ if (G.cover != NULL) { ++ free(*(G.cover)); ++ free(G.cover); ++ G.cover = NULL; ++ } ++ + } /* end function free_G_buffers() */ + + +@@ -1905,6 +1912,7 @@ int getZip64Data(__G__ ef_buf, ef_len) + + #define Z64FLGS 0xffff + #define Z64FLGL 0xffffffff ++ G.zip64 = FALSE; + + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; +@@ -1964,6 +1972,8 @@ int getZip64Data(__G__ ef_buf, ef_len) + G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); + offset += 4; + } ++ ++ G.zip64 = TRUE; + #if 0 + break; /* Expect only one EF_PKSZ64 block. */ + #endif /* 0 */ +diff --git a/unzip.h b/unzip.h +index 5b2a326..ed24a5b 100644 +--- a/unzip.h ++++ b/unzip.h +@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec { + #define PK_NOZIP 9 /* zipfile not found */ + #define PK_PARAM 10 /* bad or illegal parameters specified */ + #define PK_FIND 11 /* no files found */ ++#define PK_BOMB 12 /* likely zip bomb */ + #define PK_DISK 50 /* disk full */ + #define PK_EOF 51 /* unexpected EOF */ + +-- +2.22.0.vfs.1.1.57.gbaf16c8 diff --git a/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch b/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch new file mode 100644 index 000000000..fd26fdd83 --- /dev/null +++ b/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch @@ -0,0 +1,121 @@ +From be88aa4811af47ca06d8b7dcda294f899eba70ea Mon Sep 17 00:00:00 2001 +From: Mark Adler <madler@alumni.caltech.edu> +Date: Thu, 25 Jul 2019 20:43:17 -0700 +Subject: [PATCH 3/3] Do not raise a zip bomb alert for a misplaced central + directory. + +There is a zip-like file in the Firefox distribution, omni.ja, +which is a zip container with the central directory placed at the +start of the file instead of after the local entries as required +by the zip standard. This commit marks the actual location of the +central directory, as well as the end of central directory records, +as disallowed locations. This now permits such containers to not +raise a zip bomb alert, where in fact there are no overlaps. + +CVE: CVE-2019-13232 +Upstream-Status: Backport +[https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc] + +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + extract.c | 25 +++++++++++++++++++------ + process.c | 6 ++++++ + unzpriv.h | 10 ++++++++++ + 3 files changed, 35 insertions(+), 6 deletions(-) + +diff --git a/extract.c b/extract.c +index 2bb72ba..a9dcca8 100644 +--- a/extract.c ++++ b/extract.c +@@ -495,8 +495,11 @@ int extract_or_test_files(__G) /* return PK-type error code */ + } + #endif /* !SFX || SFX_EXDIR */ + +- /* One more: initialize cover structure for bomb detection. Start with a +- span that covers the central directory though the end of the file. */ ++ /* One more: initialize cover structure for bomb detection. Start with ++ spans that cover any extra bytes at the start, the central directory, ++ the end of central directory record (including the Zip64 end of central ++ directory locator, if present), and the Zip64 end of central directory ++ record, if present. */ + if (G.cover == NULL) { + G.cover = malloc(sizeof(cover_t)); + if (G.cover == NULL) { +@@ -508,15 +511,25 @@ int extract_or_test_files(__G) /* return PK-type error code */ + ((cover_t *)G.cover)->max = 0; + } + ((cover_t *)G.cover)->num = 0; +- if ((G.extra_bytes != 0 && +- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || +- cover_add((cover_t *)G.cover, ++ if (cover_add((cover_t *)G.cover, + G.extra_bytes + G.ecrec.offset_start_central_directory, +- G.ziplen) != 0) { ++ G.extra_bytes + G.ecrec.offset_start_central_directory + ++ G.ecrec.size_central_directory) != 0) { + Info(slide, 0x401, ((char *)slide, + LoadFarString(NotEnoughMemCover))); + return PK_MEM; + } ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ (G.ecrec.have_ecr64 && ++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start, ++ G.ecrec.ec64_end) != 0) || ++ cover_add((cover_t *)G.cover, G.ecrec.ec_start, ++ G.ecrec.ec_end) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. Since the central di- +diff --git a/process.c b/process.c +index 208619c..5f8f6c6 100644 +--- a/process.c ++++ b/process.c +@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */ + + /* Now, we are (almost) sure that we have a Zip64 archive. */ + G.ecrec.have_ecr64 = 1; ++ G.ecrec.ec_start -= ECLOC64_SIZE+4; ++ G.ecrec.ec64_start = ecrec64_start_offset; ++ G.ecrec.ec64_end = ecrec64_start_offset + ++ 12 + makeint64(&byterec[ECREC64_LENGTH]); + + /* Update the "end-of-central-dir offset" for later checks. */ + G.real_ecrec_offset = ecrec64_start_offset; +@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */ + makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]); + G.ecrec.zipfile_comment_length = + makeword(&byterec[ZIPFILE_COMMENT_LENGTH]); ++ G.ecrec.ec_start = G.real_ecrec_offset; ++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length; + + /* Now, we have to read the archive comment, BEFORE the file pointer + is moved away backwards to seek for a Zip64 ECLOC64 structure. +diff --git a/unzpriv.h b/unzpriv.h +index c8d3eab..5e177c7 100644 +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf { + int have_ecr64; /* valid Zip64 ecdir-record exists */ + int is_zip64_archive; /* Zip64 ecdir-record is mandatory */ + ush zipfile_comment_length; ++ zusz_t ec_start, ec_end; /* offsets of start and end of the ++ end of central directory record, ++ including if present the Zip64 ++ end of central directory locator, ++ which immediately precedes the ++ end of central directory record */ ++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these ++ are the offsets of the start and ++ end of the Zip64 end of central ++ directory record */ + } ecdir_rec; + + +-- +2.22.0.vfs.1.1.57.gbaf16c8 + diff --git a/poky/meta/recipes-extended/unzip/unzip_6.0.bb b/poky/meta/recipes-extended/unzip/unzip_6.0.bb index daba72272..c1ea0a9a2 100644 --- a/poky/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/poky/meta/recipes-extended/unzip/unzip_6.0.bb @@ -22,6 +22,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ file://symlink.patch \ file://0001-unzip-fix-CVE-2018-1000035.patch \ file://CVE-2018-18384.patch \ + file://CVE-2019-13232_p1.patch \ + file://CVE-2019-13232_p2.patch \ + file://CVE-2019-13232_p3.patch \ " UPSTREAM_VERSION_UNKNOWN = "1" |