diff options
Diffstat (limited to 'meta-openembedded/meta-oe/recipes-connectivity')
11 files changed, 232 insertions, 47 deletions
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch new file mode 100644 index 000000000..54c405b53 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch @@ -0,0 +1,43 @@ +From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Mon, 9 Nov 2020 11:43:12 +0200 +Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group + client + +Parsing and copying of WPS secondary device types list was verifying +that the contents is not too long for the internal maximum in the case +of WPS messages, but similar validation was missing from the case of P2P +group information which encodes this information in a different +attribute. This could result in writing beyond the memory area assigned +for these entries and corrupting memory within an instance of struct +p2p_device. This could result in invalid operations and unexpected +behavior when trying to free pointers from that corrupted memory. + +CVE: CVE-2021-0326 + +Upstream-Status: Backport + +Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 +Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers") +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/p2p/p2p.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c +index 74b7b52ae..5cbfc217f 100644 +--- a/src/p2p/p2p.c ++++ b/src/p2p/p2p.c +@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev, + dev->info.config_methods = cli->config_methods; + os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8); + dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types; ++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN) ++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN; + os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types, + dev->info.wps_sec_dev_type_list_len); + } +-- +2.17.1 + diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch new file mode 100644 index 000000000..fedff76b1 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch @@ -0,0 +1,54 @@ +From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Tue, 8 Dec 2020 23:52:50 +0200 +Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request + +p2p_add_device() may remove the oldest entry if there is no room in the +peer table for a new peer. This would result in any pointer to that +removed entry becoming stale. A corner case with an invalid PD Request +frame could result in such a case ending up using (read+write) freed +memory. This could only by triggered when the peer table has reached its +maximum size and the PD Request frame is received from the P2P Device +Address of the oldest remaining entry and the frame has incorrect P2P +Device Address in the payload. + +Fix this by fetching the dev pointer again after having called +p2p_add_device() so that the stale pointer cannot be used. + +CVE: CVE-2021-27803 + +Upstream-Status: Backport + +Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +--- + src/p2p/p2p_pd.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c +index 3994ec03f..05fd59349 100644 +--- a/src/p2p/p2p_pd.c ++++ b/src/p2p/p2p_pd.c +@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, + goto out; + } + ++ dev = p2p_get_device(p2p, sa); + if (!dev) { +- dev = p2p_get_device(p2p, sa); +- if (!dev) { +- p2p_dbg(p2p, +- "Provision Discovery device not found " +- MACSTR, MAC2STR(sa)); +- goto out; +- } ++ p2p_dbg(p2p, ++ "Provision Discovery device not found " ++ MACSTR, MAC2STR(sa)); ++ goto out; + } + } else if (msg.wfd_subelems) { + wpabuf_free(dev->info.wfd_subelems); +-- +2.17.1 + diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch new file mode 100644 index 000000000..e2540fc26 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch @@ -0,0 +1,123 @@ +From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sat, 13 Mar 2021 18:19:31 +0200 +Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters + +The supported hash algorithms do not use AlgorithmIdentifier parameters. +However, there are implementations that include NULL parameters in +addition to ones that omit the parameters. Previous implementation did +not check the parameters value at all which supported both these cases, +but did not reject any other unexpected information. + +Use strict validation of digest algorithm parameters and reject any +unexpected value when validating a signature. This is needed to prevent +potential forging attacks. + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport +CVE: CVE-2021-30004 + +Reference to upstream patch: +[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + src/tls/pkcs1.c | 21 +++++++++++++++++++++ + src/tls/x509v3.c | 20 ++++++++++++++++++++ + 2 files changed, 41 insertions(+) + +diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c +index 141ac50..e09db07 100644 +--- a/src/tls/pkcs1.c ++++ b/src/tls/pkcs1.c +@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo", ++ hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "PKCS #1: Unexpected digest algorithm parameters"); ++ os_free(decrypted); ++ return -1; ++ } + + if (!asn1_oid_equal(&oid, hash_alg)) { + char txt[100], txt2[100]; +diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c +index 1bd5aa0..bf2289f 100644 +--- a/src/tls/x509v3.c ++++ b/src/tls/x509v3.c +@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "X509: Unexpected digest algorithm parameters"); ++ os_free(data); ++ return -1; ++ } + + if (x509_sha1_oid(&oid)) { + if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) { +-- +2.17.1 + diff --git a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb index 1f38eee0f..e58601868 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb @@ -13,6 +13,9 @@ SRC_URI = " \ file://hostapd.service \ file://CVE-2019-16275.patch \ file://CVE-2019-5061.patch \ + file://CVE-2021-0326.patch \ + file://CVE-2021-27803.patch \ + file://CVE-2021-30004.patch \ " SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/libqmi/libqmi_1.26.6.bb b/meta-openembedded/meta-oe/recipes-connectivity/libqmi/libqmi_1.28.2.bb index 6d60a6702..9be48b75f 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/libqmi/libqmi_1.26.6.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/libqmi/libqmi_1.28.2.bb @@ -14,7 +14,7 @@ inherit autotools pkgconfig bash-completion gobject-introspection SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "a71963bb1097a42665287e40a9a36f95b8f9d6d6a4b7a5de22d660328af97cb9" +SRC_URI[sha256sum] = "8c8c3ee719874d2529bce9b35b028fe435b36f003979a360d3ad0938449db783" PACKAGECONFIG ??= "udev mbim" PACKAGECONFIG[udev] = ",--without-udev,libgudev" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.14.10.bb b/meta-openembedded/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.16.2.bb index 2045e2a86..d1ba8e43e 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.14.10.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.16.2.bb @@ -12,7 +12,7 @@ inherit gnomebase gettext systemd vala gobject-introspection bash-completion DEPENDS = "glib-2.0 libgudev intltool-native libxslt-native" SRC_URI = "http://www.freedesktop.org/software/ModemManager/ModemManager-${PV}.tar.xz" -SRC_URI[sha256sum] = "4ea60b375a761e17e7bb095bca894579ed0e8e33b273dc698b5cbe03947f357f" +SRC_URI[sha256sum] = "efa9a963499e0885f3f163096d433334143c4937545134ecd682e0157fa591e3" S = "${WORKDIR}/ModemManager-${PV}" PACKAGECONFIG ??= "mbim qmi \ diff --git a/meta-openembedded/meta-oe/recipes-connectivity/phonet-utils/phonet-utils/0001-Include-limits.h-for-PATH_MAX.patch b/meta-openembedded/meta-oe/recipes-connectivity/phonet-utils/phonet-utils/0001-Include-limits.h-for-PATH_MAX.patch deleted file mode 100644 index 8bb7e5a18..000000000 --- a/meta-openembedded/meta-oe/recipes-connectivity/phonet-utils/phonet-utils/0001-Include-limits.h-for-PATH_MAX.patch +++ /dev/null @@ -1,25 +0,0 @@ -From f7ad9a4471cee2324f216a0d82ba8097ec746c56 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Sat, 15 Jul 2017 11:48:12 -0700 -Subject: [PATCH] Include limits.h for PATH_MAX - -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/pnstat.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/pnstat.c b/src/pnstat.c -index 661a5bc..76068e6 100644 ---- a/src/pnstat.c -+++ b/src/pnstat.c -@@ -35,6 +35,7 @@ - #include <dirent.h> - #include <unistd.h> - #include <netinet/tcp.h> -+#include <limits.h> - - struct fd - { --- -2.13.3 - diff --git a/meta-openembedded/meta-oe/recipes-connectivity/phonet-utils/phonet-utils_git.bb b/meta-openembedded/meta-oe/recipes-connectivity/phonet-utils/phonet-utils_git.bb deleted file mode 100644 index 3c599950f..000000000 --- a/meta-openembedded/meta-oe/recipes-connectivity/phonet-utils/phonet-utils_git.bb +++ /dev/null @@ -1,15 +0,0 @@ -SUMMARY = "This small package provides a few command line tools for Linux Phonet" -HOMEPAGE = "" -LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" -SRC_URI = "git://gitorious.org/meego-cellular/phonet-utils.git;branch=master \ - file://0001-Include-limits.h-for-PATH_MAX.patch \ - " -PR = "r2" -S = "${WORKDIR}/git" -SRCREV = "4acfa720fd37d178a048fc2be17180137d4a70ea" -PV = "0.0.0+gitr${SRCPV}" - -inherit autotools-brokensep - -FILES_${PN} += "${base_libdir}/udev/rules.d/85-phonet-utils.rules" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.11.0.bb index 2ef6b187e..0cfd225cf 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.11.0.bb @@ -4,8 +4,8 @@ LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=6b7424f9db80cfb11fdd5c980b583f53" LICENSE = "MIT" SRC_URI = "git://github.com/alanxz/rabbitmq-c.git" -# v0.10.0-master -SRCREV = "ffe918a5fcef72038a88054dca3c56762b1953d4" +# v0.11.0-master +SRCREV = "a64c08c68aff34d49a2ac152f04988cd921084f9" S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb b/meta-openembedded/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb index 2b05c61a0..4d4e841f6 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb @@ -12,7 +12,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e413d83db6ee8f2c8e6055719096a48e" inherit autotools pkgconfig gettext gobject-introspection vala -EXTRA_OECONF = "--enable-vala-bindings" +# Respect GI_DATA_ENABLED value when enabling vala-bindings: +# configure: error: GObject-Introspection must be enabled for Vala bindings +EXTRA_OECONF = "${@bb.utils.contains('GI_DATA_ENABLED', 'True', '--enable-vala-bindings', '--disable-vala-bindings', d)}" FILES_${PN} += "${datadir}/telepathy \ ${datadir}/dbus-1" diff --git a/meta-openembedded/meta-oe/recipes-connectivity/zabbix/zabbix_5.2.5.bb b/meta-openembedded/meta-oe/recipes-connectivity/zabbix/zabbix_5.2.6.bb index 2bbfec9dc..37bb9a282 100644 --- a/meta-openembedded/meta-oe/recipes-connectivity/zabbix/zabbix_5.2.5.bb +++ b/meta-openembedded/meta-oe/recipes-connectivity/zabbix/zabbix_5.2.6.bb @@ -28,8 +28,8 @@ SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.2/${BPN}-${PV}.tar.gz file://zabbix-agent.service \ " -SRC_URI[md5sum] = "e90822716c5c241890f6fed1588b5451" -SRC_URI[sha256sum] = "ce0d9745a8b9154e87d6906edd0fce7b7ec298acd34a0543ea53d1a5f2f14bc5" +SRC_URI[md5sum] = "31dab3535a1fa212f5724902727f6d4d" +SRC_URI[sha256sum] = "76cb704f2a04fbc87bb3eff44fa71339c355d467f7bbd8fb53f8927c760e1680" inherit autotools-brokensep linux-kernel-base pkgconfig systemd useradd |