5 files changed, 78 insertions, 2 deletions

diff --git a/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2019.3.bb b/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2019.4.bb
index 1fe7dcf21..505c9fccc 100644
--- a/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2019.3.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2019.4.bb
@@ -28,7 +28,7 @@ SRC_URI = " \
     file://0001-Always-enable-trivial-httpd-for-tests.patch \
     file://0002-Gate-ostree-trivial-httpd-on-BUILDOPT_TRIVIAL_HTTPD.patch \
 "
-SRCREV = "5c1697da78ebf6250a7130b8b9e6cbfbeaa34296"
+SRCREV = "9d39e7d91e8497987cad69a3fbed5c5fc91eebdc"
 
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+)"
 
diff --git a/meta-openembedded/meta-oe/recipes-extended/polkit/polkit-group-rule.inc b/meta-openembedded/meta-oe/recipes-extended/polkit/polkit-group-rule.inc
index 06ab10642..8ced8abe5 100644
--- a/meta-openembedded/meta-oe/recipes-extended/polkit/polkit-group-rule.inc
+++ b/meta-openembedded/meta-oe/recipes-extended/polkit/polkit-group-rule.inc
@@ -8,6 +8,6 @@ inherit useradd
 
 do_install_prepend() {
     install -m 700 -d ${D}${sysconfdir}/polkit-1/rules.d
-    chown polkitd:polkitd ${D}${sysconfdir}/polkit-1/rules.d
+    chown polkitd:root ${D}/${sysconfdir}/polkit-1/rules.d
 }
 USERADD_PARAM_${PN}_prepend = "--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;"
diff --git a/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog/0001-Out-of-bounds-issue.patch b/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog/0001-Out-of-bounds-issue.patch
new file mode 100644
index 000000000..b494ca687
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog/0001-Out-of-bounds-issue.patch
@@ -0,0 +1,31 @@
+From b0894088b680666035a3418326e13bc99d4fed49 Mon Sep 17 00:00:00 2001
+From: Philippe Duveau <pduveau@users.noreply.github.com>
+Date: Tue, 24 Sep 2019 20:45:25 +0200
+Subject: [PATCH] Out of bounds issue
+
+Add a new sanity check after determining the level len.
+---
+ contrib/pmdb2diag/pmdb2diag.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Upstream-Status: Backport [https://github.com/rsyslog/rsyslog/commit/b0894088b6]
+CVE: CVE-2019-17040
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+diff --git a/contrib/pmdb2diag/pmdb2diag.c b/contrib/pmdb2diag/pmdb2diag.c
+index 2b5916301..5810eb4df 100644
+--- a/contrib/pmdb2diag/pmdb2diag.c
++++ b/contrib/pmdb2diag/pmdb2diag.c
+@@ -134,6 +134,10 @@ CODESTARTparse2
+ 		ABORT_FINALIZE(0);
+ 	}
+ 
++	/* let recheck with the real level len */
++	if(pMsg->iLenRawMsg - (int)pMsg->offAfterPRI < pInst->levelpos+lvl_len)
++		ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
++
+ 	DBGPRINTF("db2parse Level %d\n", pMsg->iSeverity);
+ 
+ 	end = (char*)pMsg->pszRawMsg + pMsg->iLenRawMsg ;
+-- 
+2.17.1
+
diff --git a/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog/0001-pmaixforwardedfrom-bugfix-potential-misadressing.patch b/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog/0001-pmaixforwardedfrom-bugfix-potential-misadressing.patch
new file mode 100644
index 000000000..0b32766a5
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog/0001-pmaixforwardedfrom-bugfix-potential-misadressing.patch
@@ -0,0 +1,43 @@
+From 10549ba915556c557b22b3dac7e4cb73ad22d3d8 Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerhards@adiscon.com>
+Date: Fri, 27 Sep 2019 13:36:02 +0200
+Subject: [PATCH] pmaixforwardedfrom bugfix: potential misadressing
+
+---
+ contrib/pmaixforwardedfrom/pmaixforwardedfrom.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+Upstream-Status: Backport [https://github.com/rsyslog/rsyslog/pull/3884]
+CVE: CVE-2019-17041
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+diff --git a/contrib/pmaixforwardedfrom/pmaixforwardedfrom.c b/contrib/pmaixforwardedfrom/pmaixforwardedfrom.c
+index 37157c7d4..ebf12ebbe 100644
+--- a/contrib/pmaixforwardedfrom/pmaixforwardedfrom.c
++++ b/contrib/pmaixforwardedfrom/pmaixforwardedfrom.c
+@@ -109,6 +109,10 @@ CODESTARTparse
+ 	/* bump the message portion up by skipLen(23 or 5) characters to overwrite the "Message forwarded from
+ " or "From " with the hostname */
+ 	lenMsg -=skipLen;
++	if(lenMsg < 2) {
++		dbgprintf("not a AIX message forwarded from message has nothing after header\n");
++		ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
++	}
+ 	memmove(p2parse, p2parse + skipLen, lenMsg);
+ 	*(p2parse + lenMsg) = '\n';
+ 	*(p2parse + lenMsg + 1)  = '\0';
+@@ -120,6 +124,11 @@ really an AIX log, but has a similar preamble */
+ 		--lenMsg;
+ 		++p2parse;
+ 	}
++	if (lenMsg < 1) {
++		dbgprintf("not a AIX message forwarded from message has nothing after colon "
++			"or no colon at all\n");
++		ABORT_FINALIZE(RS_RET_COULD_NOT_PARSE);
++	}
+ 	if (lenMsg && *p2parse != ':') {
+ 	DBGPRINTF("not a AIX message forwarded from mangled log but similar enough that the preamble has "
+ 		"been removed\n");
+-- 
+2.17.1
+
diff --git a/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog_8.1908.0.bb b/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog_8.1908.0.bb
index bbb4b119a..f9e44421d 100644
--- a/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog_8.1908.0.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/rsyslog/rsyslog_8.1908.0.bb
@@ -23,6 +23,8 @@ SRC_URI = "http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.t
            file://rsyslog.logrotate \
            file://use-pkgconfig-to-check-libgcrypt.patch \
            file://run-ptest \
+           file://0001-Out-of-bounds-issue.patch \
+           file://0001-pmaixforwardedfrom-bugfix-potential-misadressing.patch \
 "
 
 SRC_URI_append_libc-musl = " \