diff options
Diffstat (limited to 'poky/meta/recipes-connectivity')
| -rw-r--r-- | poky/meta/recipes-connectivity/bluez5/bluez5.inc | 1 | ||||
| -rw-r--r-- | poky/meta/recipes-connectivity/bluez5/bluez5/0001-audio-Rename-pause-funciton-to-avoid-shadowing-glibc.patch | 48 | ||||
| -rw-r--r-- | poky/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch | 28 | ||||
| -rw-r--r-- | poky/meta/recipes-connectivity/ofono/ofono_1.31.bb | 10 | ||||
| -rw-r--r-- | poky/meta/recipes-connectivity/openssh/openssh_8.6p1.bb (renamed from poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb) | 2 | ||||
| -rw-r--r-- | poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch | 17 | ||||
| -rw-r--r-- | poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch | 123 | ||||
| -rw-r--r-- | poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb | 3 |
8 files changed, 219 insertions, 13 deletions
diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5.inc b/poky/meta/recipes-connectivity/bluez5/bluez5.inc index a7b628ce1..74b59e406 100644 --- a/poky/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/poky/meta/recipes-connectivity/bluez5/bluez5.inc @@ -52,6 +52,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \ file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \ file://0001-test-gatt-Fix-hung-issue.patch \ + file://0001-audio-Rename-pause-funciton-to-avoid-shadowing-glibc.patch \ " S = "${WORKDIR}/bluez-${PV}" diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5/0001-audio-Rename-pause-funciton-to-avoid-shadowing-glibc.patch b/poky/meta/recipes-connectivity/bluez5/bluez5/0001-audio-Rename-pause-funciton-to-avoid-shadowing-glibc.patch new file mode 100644 index 000000000..d9067df02 --- /dev/null +++ b/poky/meta/recipes-connectivity/bluez5/bluez5/0001-audio-Rename-pause-funciton-to-avoid-shadowing-glibc.patch @@ -0,0 +1,48 @@ +From 8adab7f1e04948e78854953f9373cac741445a0f Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Fri, 30 Apr 2021 21:09:33 -0700 +Subject: [PATCH] audio: Rename pause funciton to avoid shadowing glibc + defintions + +Fixes +profiles/audio/media.c:1284:13: error: static declaration of 'pause' follows non-static declaration +static bool pause(void *user_data) + ^ +/mnt/b/yoe/master/build/tmp/work/core2-64-yoe-linux/bluez5/5.56-r0/recipe-sysroot/usr/include/unistd.h:478:12: note: previous declaration is here +extern int pause (void); + ^ +../bluez-5.56/profiles/audio/media.c:1334:11: warning: incompatible function pointer types initializing 'bool (*)(void *)' with an expression of type 'int (void)' [-Wincompatible-function-pointer-types] + .pause = pause, + ^~~~~ + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + profiles/audio/media.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/profiles/audio/media.c b/profiles/audio/media.c +index c84bbe2..7110089 100644 +--- a/profiles/audio/media.c ++++ b/profiles/audio/media.c +@@ -1281,7 +1281,7 @@ static bool stop(void *user_data) + return media_player_send(mp, "Stop"); + } + +-static bool pause(void *user_data) ++static bool apause(void *user_data) + { + struct media_player *mp = user_data; + +@@ -1331,7 +1331,7 @@ static struct avrcp_player_cb player_cb = { + .set_volume = set_volume, + .play = play, + .stop = stop, +- .pause = pause, ++ .pause = apause, + .next = next, + .previous = previous, + }; +-- +2.31.1 + diff --git a/poky/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch b/poky/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch new file mode 100644 index 000000000..3655b3fd6 --- /dev/null +++ b/poky/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch @@ -0,0 +1,28 @@ +From 76e4054801350ebd4a44057379431a33d460ad0f Mon Sep 17 00:00:00 2001 +From: Martin Jansa <Martin.Jansa@gmail.com> +Date: Wed, 21 Apr 2021 11:01:34 +0000 +Subject: [PATCH] mbim: Fix build with ell-0.39 by restoring unlikely macro + from ell/util.h + +Upstream-Status: Pending + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + drivers/mbimmodem/mbim-private.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/mbimmodem/mbim-private.h b/drivers/mbimmodem/mbim-private.h +index 51693eae..d917312c 100644 +--- a/drivers/mbimmodem/mbim-private.h ++++ b/drivers/mbimmodem/mbim-private.h +@@ -30,6 +30,10 @@ + __result; }) + #endif + ++/* used to be part of ell/util.h before 0.39: ++ https://git.kernel.org/pub/scm/libs/ell/ell.git/commit/?id=2a682421b06e41c45098217a686157f576847021 */ ++#define unlikely(x) __builtin_expect(!!(x), 0) ++ + enum mbim_control_message { + MBIM_OPEN_MSG = 0x1, + MBIM_CLOSE_MSG = 0x2, diff --git a/poky/meta/recipes-connectivity/ofono/ofono_1.31.bb b/poky/meta/recipes-connectivity/ofono/ofono_1.31.bb index 7d0976ad7..2425ef76a 100644 --- a/poky/meta/recipes-connectivity/ofono/ofono_1.31.bb +++ b/poky/meta/recipes-connectivity/ofono/ofono_1.31.bb @@ -11,6 +11,7 @@ SRC_URI = "\ ${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://ofono \ file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \ + file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \ " SRC_URI[md5sum] = "1c26340e3c6ed132cc812595081bb3dc" SRC_URI[sha256sum] = "a15c5d28096c10eb30e47a68b6dc2e7c4a5a99d7f4cfedf0b69624f33d859e9b" @@ -30,9 +31,14 @@ PACKAGECONFIG[bluez] = "--enable-bluetooth, --disable-bluetooth, bluez5" EXTRA_OECONF += "--enable-test --enable-external-ell" +do_configure_prepend() { + bbnote "Removing bundled ell from ${S}/ell to prevent including it" + rm -rf ${S}/ell +} + do_install_append() { - install -d ${D}${sysconfdir}/init.d/ - install -m 0755 ${WORKDIR}/ofono ${D}${sysconfdir}/init.d/ofono + install -d ${D}${sysconfdir}/init.d/ + install -m 0755 ${WORKDIR}/ofono ${D}${sysconfdir}/init.d/ofono } PACKAGES =+ "${PN}-tests" diff --git a/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_8.6p1.bb index 6a49cf71c..be56fe43b 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh_8.5p1.bb +++ b/poky/meta/recipes-connectivity/openssh/openssh_8.6p1.bb @@ -25,7 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ " -SRC_URI[sha256sum] = "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25" +SRC_URI[sha256sum] = "c3e6e4da1621762c850d03b47eed1e48dff4cc9608ddeb547202a234df8ed7ae" # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded diff --git a/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch index 949c78834..003cfbc8d 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch +++ b/poky/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch @@ -25,16 +25,19 @@ Signed-off-by: Martin Hundebøll <martin@geanix.com> Update to fix buildpaths qa issue for '-fmacro-prefix-map'. Signed-off-by: Kai Kang <kai.kang@windriver.com> + +Update to fix buildpaths qa issue for '-ffile-prefix-map'. + +Signed-off-by: Khem Raj <raj.khem@gmail.com> + --- Configurations/unix-Makefile.tmpl | 10 +++++++++- crypto/build.info | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index 16af4d2087..54c162784c 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), +@@ -420,13 +420,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) @@ -49,6 +52,7 @@ index 16af4d2087..54c162784c 100644 +CFLAGS_Q={- for (@{$config{CFLAGS}}) { + s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; + s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; ++ s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g; + } + join(' ', @{$config{CFLAGS}}) -} + @@ -58,11 +62,9 @@ index 16af4d2087..54c162784c 100644 PERLASM_SCHEME= {- $target{perlasm_scheme} -} # For x86 assembler: Set PROCESSOR to 386 if you want to support -diff --git a/crypto/build.info b/crypto/build.info -index b515b7318e..8c9cee2a09 100644 --- a/crypto/build.info +++ b/crypto/build.info -@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ +@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl DEPEND[cversion.o]=buildinf.h @@ -71,6 +73,3 @@ index b515b7318e..8c9cee2a09 100644 DEPEND[buildinf.h]=../configdata.pm GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME) --- -2.19.1 - diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch new file mode 100644 index 000000000..e2540fc26 --- /dev/null +++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch @@ -0,0 +1,123 @@ +From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sat, 13 Mar 2021 18:19:31 +0200 +Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters + +The supported hash algorithms do not use AlgorithmIdentifier parameters. +However, there are implementations that include NULL parameters in +addition to ones that omit the parameters. Previous implementation did +not check the parameters value at all which supported both these cases, +but did not reject any other unexpected information. + +Use strict validation of digest algorithm parameters and reject any +unexpected value when validating a signature. This is needed to prevent +potential forging attacks. + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport +CVE: CVE-2021-30004 + +Reference to upstream patch: +[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + src/tls/pkcs1.c | 21 +++++++++++++++++++++ + src/tls/x509v3.c | 20 ++++++++++++++++++++ + 2 files changed, 41 insertions(+) + +diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c +index 141ac50..e09db07 100644 +--- a/src/tls/pkcs1.c ++++ b/src/tls/pkcs1.c +@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo", ++ hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "PKCS #1: Unexpected digest algorithm parameters"); ++ os_free(decrypted); ++ return -1; ++ } + + if (!asn1_oid_equal(&oid, hash_alg)) { + char txt[100], txt2[100]; +diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c +index 1bd5aa0..bf2289f 100644 +--- a/src/tls/x509v3.c ++++ b/src/tls/x509v3.c +@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "X509: Unexpected digest algorithm parameters"); ++ os_free(data); ++ return -1; ++ } + + if (x509_sha1_oid(&oid)) { + if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) { +-- +2.17.1 + diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb index 357c28634..16c591852 100644 --- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb +++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=279b4f5abb9c153c285221855ddb78cc \ DEPENDS = "dbus libnl" RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli" -PACKAGECONFIG ??= "gnutls" +PACKAGECONFIG ??= "openssl" PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt" PACKAGECONFIG[openssl] = ",,openssl" @@ -32,6 +32,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \ file://CVE-2021-0326.patch \ file://CVE-2021-27803.patch \ + file://CVE-2021-30004.patch \ " SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17" |