From 7f53998bd3726c808abf8b0c4950e25db29d9ea2 Mon Sep 17 00:00:00 2001 From: P Dheeraj Srujan Kumar Date: Sat, 8 Jul 2023 03:35:27 +0530 Subject: Update to internal 1-1.11-1 Signed-off-by: P Dheeraj Srujan Kumar --- .../u-boot/u-boot-aspeed-sdk_%.bbappend | 6 +- .../meta-common/classes/github-releases.bbclass | 3 + .../classes/obmc-phosphor-image-common.bbclass | 1 - .../avahi/avahi/CVE-2023-1981.patch | 53 + .../recipes-connectivity/avahi/avahi_%.bbappend | 1 + ...-support-for-io_pgetevents_time64-syscall.patch | 62 + ...-support-for-io_pgetevents_time64-syscall.patch | 99 ++ .../recipes-connectivity/openssl/openssl_1.1.1l.bb | 215 --- .../recipes-connectivity/openssl/openssl_1.1.1u.bb | 252 ++++ .../busybox/busybox/CVE-2022-30065.patch | 48 + .../recipes-core/busybox/busybox_%.bbappend | 1 + .../recipes-core/dbus/dbus/CVE-2022-42010.patch | 114 ++ .../recipes-core/dbus/dbus/CVE-2022-42011.patch | 55 + .../recipes-core/dbus/dbus/CVE-2022-42012.patch | 71 + .../meta-common/recipes-core/dbus/dbus_%.bbappend | 6 + .../recipes-core/expat/expat/CVE-2022-43680.patch | 109 ++ .../meta-common/recipes-core/expat/expat_2.4.5.bb | 1 + .../recipes-core/glibc/glibc/CVE-2021-3998.patch | 173 +++ .../recipes-core/glibc/glibc/CVE-2023-0687.patch | 77 ++ .../recipes-core/glibc/glibc_%.bbappend | 2 + .../libxml/libxml2/CVE-2022-40303.patch | 618 +++++++++ .../libxml/libxml2/CVE-2022-40304.patch | 101 ++ .../recipes-core/libxml/libxml2_%.bbappend | 2 + .../meta-common/recipes-core/ncurses/ncurses.inc | 327 +++++ ...001-Fix-heap-buffer-overflow-in-captoinfo.patch | 47 - .../0001-patch-20230408-CVE-2023-29491.patch | 1432 ++++++++++++++++++++ .../ncurses/ncurses/0001-tic-hang.patch | 43 + ...0002-Fix-added-to-mitigate-CVE-2022-29458.patch | 65 - .../ncurses/0002-configure-reproducible.patch | 33 + ...ig.in-Do-not-include-LDFLAGS-in-generated.patch | 30 + .../ncurses/ncurses/exit_prototype.patch | 32 + .../recipes-core/ncurses/ncurses_%.bbappend | 4 - .../recipes-core/ncurses/ncurses_6.4.bb | 20 + .../systemd/systemd/CVE-2022-3821.patch | 24 + .../recipes-core/systemd/systemd_%.bbappend | 1 + .../recipes-devtools/python/python3_%.bbappend | 4 + .../libpwquality/libpwquality/pwquality.conf | 7 + .../libpwquality/libpwquality_%.bbappend | 15 + ...1-run-xtests.sh-check-whether-files-exist.patch | 65 + .../meta-common/recipes-extended/pam/libpam/99_pam | 1 + .../pam/libpam/CVE-2022-28321-0002.patch | 205 +++ .../pam/libpam/convert-pam-configs.service | 10 + .../pam/libpam/convert-pam-configs.sh | 48 + .../recipes-extended/pam/libpam/faillock.conf | 2 + .../pam/libpam/libpam-xtests.patch | 37 + .../recipes-extended/pam/libpam/pam-volatiles.conf | 1 + .../pam/libpam/pam.d/common-account | 27 + .../recipes-extended/pam/libpam/pam.d/common-auth | 26 + .../pam/libpam/pam.d/common-password | 27 + .../pam/libpam/pam.d/common-session | 19 + .../pam/libpam/pam.d/common-session-noninteractive | 19 + .../recipes-extended/pam/libpam/pam.d/other | 24 + .../recipes-extended/pam/libpam/run-ptest | 32 + .../recipes-extended/pam/libpam_%.bbappend | 74 +- .../recipes-extended/pam/libpam_1.5.2.bb | 186 +++ .../rsyslog/rsyslog/CVE-2022-24903.patch | 164 +++ .../recipes-extended/rsyslog/rsyslog_%.bbappend | 6 +- .../shadow/shadow/CVE-2023-29383_1.patch | 42 + .../shadow/shadow/CVE-2023-29383_2.patch | 58 + .../recipes-extended/shadow/shadow_%.bbappend | 4 + ...aspeed-lpc-mbox-Don-t-allow-partial-reads.patch | 40 + ...T4_INODE_HAS_XATTR_SPACE-macro-in-xattr-h.patch | 42 + .../linux/linux-aspeed/CVE-2020-36516.patch | 62 + .../linux/linux-aspeed/CVE-2022-2978.patch | 62 + .../linux/linux-aspeed/CVE-2022-3543.patch | 97 ++ .../linux/linux-aspeed/CVE-2022-3623.patch | 175 +++ .../linux/linux-aspeed/CVE-2022-42703.patch | 169 +++ .../linux/linux-aspeed/CVE-2022-4378-1.patch | 107 ++ .../linux/linux-aspeed/CVE-2022-4378-2.patch | 40 + .../linux/linux-aspeed/CVE-2023-0394.patch | 43 + .../linux/linux-aspeed/CVE-2023-1073.patch | 34 + .../linux/linux-aspeed/CVE-2023-1077.patch | 50 + .../linux/linux-aspeed/CVE-2023-1252.patch | 89 ++ .../linux/linux-aspeed/CVE-2023-1582.patch | 228 ++++ .../linux/linux-aspeed/CVE-2023-2269.patch | 56 + .../linux/linux-aspeed/CVE-2023-2513.patch | 120 ++ .../recipes-kernel/linux/linux-aspeed_%.bbappend | 17 +- ...mic-threshold-configuration-for-SOLUM-PSU.patch | 90 ++ .../configuration/entity-manager_%.bbappend | 1 + ...Associations-endpoints-change-delay-timer.patch | 978 +++++++++++++ .../dbus/phosphor-mapper_%.bbappend | 2 + ...001-Avoid-negated-postcode-write-to-D-Bus.patch | 58 + .../host/phosphor-host-postd_%.bbappend | 9 + .../host/phosphor-host-postd_git.bbappend | 4 - .../0009-virtual_media-Fix-for-bmcweb-crash.patch | 47 + .../recipes-phosphor/interfaces/bmcweb_%.bbappend | 1 + .../meta-common/recipes-phosphor/pmci/mctpd.bb | 2 +- ...ensor-Determine-PSU-threshold-dynamically.patch | 160 +++ .../sensors/dbus-sensors_%.bbappend | 1 + ...-Change-to-pam_faillock-and-pam-pwquality.patch | 492 +++++++ .../users/phosphor-user-manager_%.bbappend | 1 + ...-password-input-in-change-password-screen.patch | 135 ++ .../recipes-phosphor/webui/webui-vue_%.bbappend | 1 + .../0001-replace-krb5-config-with-pkg-config.patch | 44 - .../curl/CVE-2022-32205-cookie-apply-limits.patch | 171 --- ...eturn-error-on-too-many-compression-steps.patch | 48 - ...d-Curl_fopen-for-better-overwriting-of-fi.patch | 280 ---- ...b5-return-error-properly-on-decode-errors.patch | 64 - .../recipes-support/curl/curl/disable-tests | 28 + .../recipes-support/curl/curl/run-ptest | 6 + .../recipes-support/curl/curl_7.83.1.bb | 93 -- .../meta-common/recipes-support/curl/curl_8.1.0.bb | 116 ++ ...XATTR_NAME_CAPS-is-defined-when-it-is-use.patch | 32 + ...ibcap-Raise-the-size-of-arrays-containing.patch | 34 + .../0002-tests-do-not-run-target-executables.patch | 30 + .../recipes-support/libcap/libcap_2.69.bb | 79 ++ 106 files changed, 8624 insertions(+), 1045 deletions(-) create mode 100644 meta-openbmc-mods/meta-common/classes/github-releases.bbclass create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-1981.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1u.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-30065.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42010.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42012.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_%.bbappend create mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2021-3998.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-0687.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40303.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses.inc delete mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-Fix-heap-buffer-overflow-in-captoinfo.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-patch-20230408-CVE-2023-29491.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-tic-hang.patch delete mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-configure-reproducible.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/exit_prototype.patch delete mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_6.4.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/CVE-2022-3821.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/python/python3_%.bbappend create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/libpwquality/libpwquality/pwquality.conf create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/libpwquality/libpwquality_%.bbappend create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/0001-run-xtests.sh-check-whether-files-exist.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/99_pam create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.service create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/faillock.conf create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/libpam-xtests.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam-volatiles.conf create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-account create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-auth create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-password create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-session create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-session-noninteractive create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/other create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/run-ptest create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_1.5.2.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/rsyslog/rsyslog/CVE-2022-24903.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/CVE-2023-29383_1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/CVE-2023-29383_2.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0004-soc-aspeed-lpc-mbox-Don-t-allow-partial-reads.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/0005-ext4-add-EXT4_INODE_HAS_XATTR_SPACE-macro-in-xattr-h.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-36516.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2978.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-3543.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-3623.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-42703.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-4378-1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-4378-2.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0394.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-1073.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-1077.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-1252.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-1582.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2269.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2513.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/configuration/entity-manager/0008-dynamic-threshold-configuration-for-SOLUM-PSU.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/dbus/phosphor-mapper/0001-add-Associations-endpoints-change-delay-timer.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/host/phosphor-host-postd/0001-Avoid-negated-postcode-write-to-D-Bus.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/host/phosphor-host-postd_%.bbappend delete mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/host/phosphor-host-postd_git.bbappend create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/vm/0009-virtual_media-Fix-for-bmcweb-crash.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0017-psusensor-Determine-PSU-threshold-dynamically.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/users/phosphor-user-manager/0001-Change-to-pam_faillock-and-pam-pwquality.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue/0001-Old-password-input-in-change-password-screen.patch delete mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/0001-replace-krb5-config-with-pkg-config.patch delete mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch delete mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32206-return-error-on-too-many-compression-steps.patch delete mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch delete mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest delete mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.83.1.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.1.0.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-support/libcap/files/0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-support/libcap/files/0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-support/libcap/files/0002-tests-do-not-run-target-executables.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-support/libcap/libcap_2.69.bb diff --git a/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/u-boot-aspeed-sdk_%.bbappend b/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/u-boot-aspeed-sdk_%.bbappend index 22f2eb540..d1b1ca9bc 100644 --- a/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/u-boot-aspeed-sdk_%.bbappend +++ b/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/u-boot-aspeed-sdk_%.bbappend @@ -41,7 +41,6 @@ SRC_URI:append:intel-ast2600 = " \ file://0034-Implement-the-IPMI-commands-in-FFUJ-mode-in-u-boot.patch \ file://0036-Disable-BMC-MMIO-Decode-on-VGA-SCU-register-bit.patch \ file://0037-Enable-I2C-clock-stretching-and-multi-master-support.patch \ - file://0038-Disabling-serial-console-if-FFUJ-is-enabled.patch \ file://0044-Enable-WDT2-for-causing-reset-in-Kernel-u-boot-hang.patch \ " @@ -103,12 +102,13 @@ PFR_SRC_URI = " \ file://0045-PFR-Skip-counting-WDT2-event-when-EXTRST-is-set.patch \ " -AUTOBOOT_SRC_URI = " \ +U_BOOT_RELEASE_FEATURE = " \ file://0035-Remove-u-boot-delay-before-autoboot-in-release-image.patch \ + file://0038-Disabling-serial-console-if-FFUJ-is-enabled.patch \ " SRC_URI:append:intel-ast2600 += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', PFR_SRC_URI, '', d)}" -SRC_URI:append:intel-ast2600 += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', AUTOBOOT_SRC_URI, d)}" +SRC_URI:append:intel-ast2600 += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', U_BOOT_RELEASE_FEATURE, d)}" do_install:append () { install -m 0644 ${WORKDIR}/fw_env.config ${D}${sysconfdir}/fw_env.config diff --git a/meta-openbmc-mods/meta-common/classes/github-releases.bbclass b/meta-openbmc-mods/meta-common/classes/github-releases.bbclass new file mode 100644 index 000000000..ed83b8373 --- /dev/null +++ b/meta-openbmc-mods/meta-common/classes/github-releases.bbclass @@ -0,0 +1,3 @@ +GITHUB_BASE_URI ?= "https://github.com/${BPN}/${BPN}/releases/" +UPSTREAM_CHECK_URI ?= "${GITHUB_BASE_URI}" +UPSTREAM_CHECK_REGEX ?= "releases/tag/v?(?P\d+(\.\d+)+)" diff --git a/meta-openbmc-mods/meta-common/classes/obmc-phosphor-image-common.bbclass b/meta-openbmc-mods/meta-common/classes/obmc-phosphor-image-common.bbclass index b0227e381..fe1e2b30d 100644 --- a/meta-openbmc-mods/meta-common/classes/obmc-phosphor-image-common.bbclass +++ b/meta-openbmc-mods/meta-common/classes/obmc-phosphor-image-common.bbclass @@ -76,7 +76,6 @@ IMAGE_INSTALL:append = " \ configure-usb-c \ zip \ peci-pcie \ - collectd \ " IMAGE_INSTALL:append = " ${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', 'pfr-manager', '', d)}" diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-1981.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-1981.patch new file mode 100644 index 000000000..d1f05b7b7 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-1981.patch @@ -0,0 +1,53 @@ +From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 17 Nov 2022 01:51:53 +0100 +Subject: [PATCH] Emit error if requested service is not found + +It currently just crashes instead of replying with error. Check return +value and emit error instead of passing NULL pointer to reply. + +Fixes #375 +--- + avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c +index 70d7687bc..406d0b441 100644 +--- a/avahi-daemon/dbus-protocol.c ++++ b/avahi-daemon/dbus-protocol.c +@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM + } + + t = avahi_alternative_host_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); + +- return DBUS_HANDLER_RESULT_HANDLED; ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found"); ++ } + } + + static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) { +@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB + } + + t = avahi_alternative_service_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); + +- return DBUS_HANDLER_RESULT_HANDLED; ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found"); ++ } + } + + static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) { diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend index fa58d9726..06343a29d 100644 --- a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend @@ -1,4 +1,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += " \ + file://CVE-2023-1981.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch new file mode 100644 index 000000000..d62b9344c --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch @@ -0,0 +1,62 @@ +From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001 +From: Alistair Francis +Date: Thu, 29 Aug 2019 13:56:21 -0700 +Subject: [PATCH] Add support for io_pgetevents_time64 syscall + +32-bit architectures that are y2038 safe don't include syscalls that use +32-bit time_t. Instead these architectures have suffixed syscalls that +always use a 64-bit time_t. In the case of the io_getevents syscall the +syscall has been replaced with the io_pgetevents_time64 syscall instead. + +This patch changes the io_getevents() function to use the correct +syscall based on the avaliable syscalls and the time_t size. We will +only use the new 64-bit time_t syscall if the architecture is using a +64-bit time_t. This is to avoid having to deal with 32/64-bit +conversions and relying on a 64-bit timespec struct on 32-bit time_t +platforms. As of Linux 5.3 there are no 32-bit time_t architectures +without __NR_io_getevents. In the future if a 32-bit time_t architecture +wants to use the 64-bit syscalls we can handle the conversion. + +This fixes build failures on 32-bit RISC-V. + +Signed-off-by: Alistair Francis + +Reviewed-by: Richard Levitte +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/9819) +Upstream-Status: Accepted +--- + engines/e_afalg.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/engines/e_afalg.c b/engines/e_afalg.c +index dacbe358cb..99516cb1bb 100644 +--- a/engines/e_afalg.c ++++ b/engines/e_afalg.c +@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, + struct io_event *events, + struct timespec *timeout) + { ++#if defined(__NR_io_getevents) + return syscall(__NR_io_getevents, ctx, min, max, events, timeout); ++#elif defined(__NR_io_pgetevents_time64) ++ /* Let's only support the 64 suffix syscalls for 64-bit time_t. ++ * This simplifies the code for us as we don't need to use a 64-bit ++ * version of timespec with a 32-bit time_t and handle converting ++ * between 64-bit and 32-bit times and check for overflows. ++ */ ++ if (sizeof(timeout->tv_sec) == 8) ++ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL); ++ else { ++ errno = ENOSYS; ++ return -1; ++ } ++#else ++# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64." ++#endif + } + + static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, +-- +2.30.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch new file mode 100644 index 000000000..c8bc6f5c6 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch @@ -0,0 +1,99 @@ +From e5499a3cac1e823c3e0697e8667e952317b70cc8 Mon Sep 17 00:00:00 2001 +From: Alistair Francis +Date: Thu, 4 Mar 2021 12:10:11 -0500 +Subject: [PATCH] Fixup support for io_pgetevents_time64 syscall + +This is a fixup for the original commit 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc +"Add support for io_pgetevents_time64 syscall" that didn't correctly +work for 32-bit architecutres with a 64-bit time_t that aren't RISC-V. + +For a full discussion of the issue see: +https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc + +Signed-off-by: Alistair Francis + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/14432) +Upstream-Status: Accepted +--- + engines/e_afalg.c | 55 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 42 insertions(+), 13 deletions(-) + +diff --git a/engines/e_afalg.c b/engines/e_afalg.c +index 9480d7c24b..4e9d67db2d 100644 +--- a/engines/e_afalg.c ++++ b/engines/e_afalg.c +@@ -124,27 +124,56 @@ static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) + return syscall(__NR_io_submit, ctx, n, iocb); + } + ++/* A version of 'struct timespec' with 32-bit time_t and nanoseconds. */ ++struct __timespec32 ++{ ++ __kernel_long_t tv_sec; ++ __kernel_long_t tv_nsec; ++}; ++ + static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, + struct io_event *events, + struct timespec *timeout) + { ++#if defined(__NR_io_pgetevents_time64) ++ /* Check if we are a 32-bit architecture with a 64-bit time_t */ ++ if (sizeof(*timeout) != sizeof(struct __timespec32)) { ++ int ret = syscall(__NR_io_pgetevents_time64, ctx, min, max, events, ++ timeout, NULL); ++ if (ret == 0 || errno != ENOSYS) ++ return ret; ++ } ++#endif ++ + #if defined(__NR_io_getevents) +- return syscall(__NR_io_getevents, ctx, min, max, events, timeout); +-#elif defined(__NR_io_pgetevents_time64) +- /* Let's only support the 64 suffix syscalls for 64-bit time_t. +- * This simplifies the code for us as we don't need to use a 64-bit +- * version of timespec with a 32-bit time_t and handle converting +- * between 64-bit and 32-bit times and check for overflows. +- */ +- if (sizeof(timeout->tv_sec) == 8) +- return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL); ++ if (sizeof(*timeout) == sizeof(struct __timespec32)) ++ /* ++ * time_t matches our architecture length, we can just use ++ * __NR_io_getevents ++ */ ++ return syscall(__NR_io_getevents, ctx, min, max, events, timeout); + else { +- errno = ENOSYS; +- return -1; ++ /* ++ * We don't have __NR_io_pgetevents_time64, but we are using a ++ * 64-bit time_t on a 32-bit architecture. If we can fit the ++ * timeout value in a 32-bit time_t, then let's do that ++ * and then use the __NR_io_getevents syscall. ++ */ ++ if (timeout && timeout->tv_sec == (long)timeout->tv_sec) { ++ struct __timespec32 ts32; ++ ++ ts32.tv_sec = (__kernel_long_t) timeout->tv_sec; ++ ts32.tv_nsec = (__kernel_long_t) timeout->tv_nsec; ++ ++ return syscall(__NR_io_getevents, ctx, min, max, events, ts32); ++ } else { ++ return syscall(__NR_io_getevents, ctx, min, max, events, NULL); ++ } + } +-#else +-# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64." + #endif ++ ++ errno = ENOSYS; ++ return -1; + } + + static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, +-- +2.30.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb deleted file mode 100644 index dc2a8ccff..000000000 --- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb +++ /dev/null @@ -1,215 +0,0 @@ -SUMMARY = "Secure Socket Layer" -DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." -HOMEPAGE = "http://www.openssl.org/" -BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" -SECTION = "libs/network" - -# "openssl" here actually means both OpenSSL and SSLeay licenses apply -# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) -LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" - -DEPENDS = "hostperl-runtime-native" - -SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ - file://run-ptest \ - file://0001-skip-test_symbol_presence.patch \ - file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ - file://afalg.patch \ - file://reproducible.patch \ - file://CVE-2022-0778.patch \ - file://CVE-2022-1292-Fix-openssl-c_rehash.patch \ - file://CVE-2022-2068-Fix-file-operations-in-c_rehash.patch \ - file://CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch \ - " - -SRC_URI:append:class-nativesdk = " \ - file://environment.d-openssl.sh \ - " - -SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1" - -inherit lib_package multilib_header multilib_script ptest -MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" - -PACKAGECONFIG ?= "" -PACKAGECONFIG:class-native = "" -PACKAGECONFIG:class-nativesdk = "" - -PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" - -B = "${WORKDIR}/build" -do_configure[cleandirs] = "${B}" - -#| ./libcrypto.so: undefined reference to `getcontext' -#| ./libcrypto.so: undefined reference to `setcontext' -#| ./libcrypto.so: undefined reference to `makecontext' -EXTRA_OECONF:append:libc-musl = " no-async" -EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm" - -# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions -# (native versions can be built with newer glibc, but then relocated onto a system with older glibc) -EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom" -EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom" - -# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. -CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" -CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" - -do_configure () { - os=${HOST_OS} - case $os in - linux-gnueabi |\ - linux-gnuspe |\ - linux-musleabi |\ - linux-muslspe |\ - linux-musl ) - os=linux - ;; - *) - ;; - esac - target="$os-${HOST_ARCH}" - case $target in - linux-arm*) - target=linux-armv4 - ;; - linux-aarch64*) - target=linux-aarch64 - ;; - linux-i?86 | linux-viac3) - target=linux-x86 - ;; - linux-gnux32-x86_64 | linux-muslx32-x86_64 ) - target=linux-x32 - ;; - linux-gnu64-x86_64) - target=linux-x86_64 - ;; - linux-mips | linux-mipsel) - # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags - target="linux-mips32 ${TARGET_CC_ARCH}" - ;; - linux-gnun32-mips*) - target=linux-mips64 - ;; - linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) - target=linux64-mips64 - ;; - linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) - target=linux-generic32 - ;; - linux-powerpc) - target=linux-ppc - ;; - linux-powerpc64) - target=linux-ppc64 - ;; - linux-powerpc64le) - target=linux-ppc64le - ;; - linux-riscv32) - target=linux-generic32 - ;; - linux-riscv64) - target=linux-generic64 - ;; - linux-sparc | linux-supersparc) - target=linux-sparcv9 - ;; - esac - - useprefix=${prefix} - if [ "x$useprefix" = "x" ]; then - useprefix=/ - fi - # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the - # environment variables set by bitbake. Adjust the environment variables instead. - HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target - perl ${B}/configdata.pm --dump -} - -do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install - - oe_multilib_header openssl/opensslconf.h - - # Create SSL structure for packages such as ca-certificates which - # contain hard-coded paths to /etc/ssl. Debian does the same. - install -d ${D}${sysconfdir}/ssl - mv ${D}${libdir}/ssl-1.1/certs \ - ${D}${libdir}/ssl-1.1/private \ - ${D}${libdir}/ssl-1.1/openssl.cnf \ - ${D}${sysconfdir}/ssl/ - - # Although absolute symlinks would be OK for the target, they become - # invalid if native or nativesdk are relocated from sstate. - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf -} - -do_install:append:class-native () { - create_wrapper ${D}${bindir}/openssl \ - OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ - SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ - SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ - OPENSSL_ENGINES=${libdir}/engines-1.1 -} - -do_install:append:class-nativesdk () { - mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d - install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh - sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh -} - -PTEST_BUILD_HOST_FILES += "configdata.pm" -PTEST_BUILD_HOST_PATTERN = "perl_version =" -do_install_ptest () { - # Prune the build tree - rm -f ${B}/fuzz/*.* ${B}/test/*.* - - cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH} - cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} - - # For test_shlibload - ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/ - ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/ - - install -d ${D}${PTEST_PATH}/apps - ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps - install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps - install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps - - install -d ${D}${PTEST_PATH}/engines - install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines -} - -# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto -# package RRECOMMENDS on this package. This will enable the configuration -# file to be installed for both the openssl-bin package and the libcrypto -# package since the openssl-bin package depends on the libcrypto package. - -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" - -FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" -FILES:libssl = "${libdir}/libssl${SOLIBS}" -FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" -FILES:${PN}-engines = "${libdir}/engines-1.1" -FILES:${PN}-misc = "${libdir}/ssl-1.1/misc" -FILES:${PN} =+ "${libdir}/ssl-1.1/*" -FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" - -CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" - -RRECOMMENDS:libcrypto += "openssl-conf" -RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash" - -BBCLASSEXTEND = "native nativesdk" - -CVE_PRODUCT = "openssl:openssl" - -# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 -# Apache in meta-webserver is already recent enough -CVE_CHECK_WHITELIST += "CVE-2019-0190" diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1u.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1u.bb new file mode 100644 index 000000000..6e0ad9ac4 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1u.bb @@ -0,0 +1,252 @@ +SUMMARY = "Secure Socket Layer" +DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." +HOMEPAGE = "http://www.openssl.org/" +BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" +SECTION = "libs/network" + +# "openssl" here actually means both OpenSSL and SSLeay licenses apply +# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) +LICENSE = "openssl" +LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" + +DEPENDS = "hostperl-runtime-native" + +PV = "1.0+git${SRCPV}" + +S = "${WORKDIR}/git" + +SRCREV = "3f499b24f3bcd66db022074f7e8b4f6ee266a3ae" + +SRC_URI = "git://github.com/openssl/openssl.git;branch=OpenSSL_1_1_1-stable;protocol=https \ + file://run-ptest \ + file://0001-skip-test_symbol_presence.patch \ + file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ + file://afalg.patch \ + file://reproducible.patch \ + " + +SRC_URI:append:class-nativesdk = " \ + file://environment.d-openssl.sh \ + " + +SRC_URI:append:riscv32 = " \ + file://0003-Add-support-for-io_pgetevents_time64-syscall.patch \ + file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \ + " + +inherit lib_package multilib_header multilib_script ptest +MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" + +PACKAGECONFIG ?= "" +PACKAGECONFIG:class-native = "" +PACKAGECONFIG:class-nativesdk = "" + +PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" +PACKAGECONFIG[no-tls1] = "no-tls1" +PACKAGECONFIG[no-tls1_1] = "no-tls1_1" + +B = "${WORKDIR}/build" +do_configure[cleandirs] = "${B}" + +#| ./libcrypto.so: undefined reference to `getcontext' +#| ./libcrypto.so: undefined reference to `setcontext' +#| ./libcrypto.so: undefined reference to `makecontext' +EXTRA_OECONF:append:libc-musl = " no-async" +EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm" + +# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions +# (native versions can be built with newer glibc, but then relocated onto a system with older glibc) +EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom" +EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom" + +# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. +CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" +CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" + +# Disable deprecated crypto algorithms +# Retained for compatibilty +# des (curl) +# dh (python-ssl) +# dsa (rpm) +# md4 (cyrus-sasl freeradius hostapd) +# bf (wvstreams postgresql x11vnc crda znc cfengine) +# rc4 (freerdp librtorrent ettercap xrdp transmission pam-ssh-agent-auth php) +# rc2 (mailx) +# psk (qt5) +# srp (libest) +# whirlpool (qca) +DEPRECATED_CRYPTO_FLAGS = "no-ssl no-idea no-rc5 no-md2 no-camellia no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4" + +do_configure () { + os=${HOST_OS} + case $os in + linux-gnueabi |\ + linux-gnuspe |\ + linux-musleabi |\ + linux-muslspe |\ + linux-musl ) + os=linux + ;; + *) + ;; + esac + target="$os-${HOST_ARCH}" + case $target in + linux-arm*) + target=linux-armv4 + ;; + linux-aarch64*) + target=linux-aarch64 + ;; + linux-i?86 | linux-viac3) + target=linux-x86 + ;; + linux-gnux32-x86_64 | linux-muslx32-x86_64 ) + target=linux-x32 + ;; + linux-gnu64-x86_64) + target=linux-x86_64 + ;; + linux-mips | linux-mipsel) + # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags + target="linux-mips32 ${TARGET_CC_ARCH}" + ;; + linux-gnun32-mips*) + target=linux-mips64 + ;; + linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) + target=linux64-mips64 + ;; + linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) + target=linux-generic32 + ;; + linux-powerpc) + target=linux-ppc + ;; + linux-powerpc64) + target=linux-ppc64 + ;; + linux-powerpc64le) + target=linux-ppc64le + ;; + linux-riscv32) + target=linux-generic32 + ;; + linux-riscv64) + target=linux-generic64 + ;; + linux-sparc | linux-supersparc) + target=linux-sparcv9 + ;; + mingw32-x86_64) + target=mingw64 + ;; + esac + + useprefix=${prefix} + if [ "x$useprefix" = "x" ]; then + useprefix=/ + fi + # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the + # environment variables set by bitbake. Adjust the environment variables instead. + HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target + perl ${B}/configdata.pm --dump +} + +do_install () { + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install + + oe_multilib_header openssl/opensslconf.h + + # Create SSL structure for packages such as ca-certificates which + # contain hard-coded paths to /etc/ssl. Debian does the same. + install -d ${D}${sysconfdir}/ssl + mv ${D}${libdir}/ssl-1.1/certs \ + ${D}${libdir}/ssl-1.1/private \ + ${D}${libdir}/ssl-1.1/openssl.cnf \ + ${D}${sysconfdir}/ssl/ + + # Although absolute symlinks would be OK for the target, they become + # invalid if native or nativesdk are relocated from sstate. + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf +} + +do_install:append:class-native () { + create_wrapper ${D}${bindir}/openssl \ + OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ + SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ + SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ + OPENSSL_ENGINES=${libdir}/engines-1.1 +} + +do_install:append:class-nativesdk () { + mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d + install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh + sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh +} + +PTEST_BUILD_HOST_FILES += "configdata.pm" +PTEST_BUILD_HOST_PATTERN = "perl_version =" +do_install_ptest () { + # Prune the build tree + rm -f ${B}/fuzz/*.* ${B}/test/*.* + + cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH} + cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} + + # For test_shlibload + ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/ + ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/ + + install -d ${D}${PTEST_PATH}/apps + ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps + install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps + install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps + + install -d ${D}${PTEST_PATH}/engines + install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines + + # seems to be needed with perl 5.32.1 + install -d ${D}${PTEST_PATH}/util/perl/recipes + cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/ +} + +# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto +# package RRECOMMENDS on this package. This will enable the configuration +# file to be installed for both the openssl-bin package and the libcrypto +# package since the openssl-bin package depends on the libcrypto package. + +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" + +FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" +FILES:libssl = "${libdir}/libssl${SOLIBS}" +FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \ + ${libdir}/ssl-1.1/openssl.cnf* \ + " +FILES:${PN}-engines = "${libdir}/engines-1.1" +# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP) +FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-1_1" +FILES:${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash" +FILES:${PN} =+ "${libdir}/ssl-1.1/*" +FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" + +CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" + +RRECOMMENDS:libcrypto += "openssl-conf" +RDEPENDS:${PN}-misc = "perl" +RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash" + +RDEPENDS:${PN}-bin += "openssl-conf" + +BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT = "openssl:openssl" + +CVE_VERSION_SUFFIX = "alphabetical" + +# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 +# Apache in meta-webserver is already recent enough +CVE_CHECK_WHITELIST += "CVE-2019-0190" diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-30065.patch b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-30065.patch new file mode 100644 index 000000000..2f23931be --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-30065.patch @@ -0,0 +1,48 @@ +From 4bae4300986d0ed3d43f92600bd291ae3d302a99 Mon Sep 17 00:00:00 2001 +From: Yaswanth Reddy M +Date: Fri, 5 May 2023 08:55:31 +0000 +Subject: [PATCH] Subject: awk: fix use after free (CVE-2022-30065) + +fixes https://bugs.busybox.net/show_bug.cgi?id=14781 + +function old new delta +evaluate 3343 3357 +14 + +Signed-off-by: Yaswanth Reddy M +--- + editors/awk.c | 3 +++ + testsuite/awk.tests | 5 +++++ + 2 files changed, 8 insertions(+) + +diff --git a/editors/awk.c b/editors/awk.c +index 3adbca7..43a17c0 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -3094,6 +3094,9 @@ static var *evaluate(node *op, var *res) + + case XC( OC_MOVE ): + debug_printf_eval("MOVE\n"); ++ /* make sure that we never return a temp var */ ++ if (L.v == TMPVAR0) ++ L.v = res; + /* if source is a temporary string, jusk relink it to dest */ + if (R.v == TMPVAR1 + && !(R.v->type & VF_NUMBER) +diff --git a/testsuite/awk.tests b/testsuite/awk.tests +index dc2ae2e..072c8fc 100755 +--- a/testsuite/awk.tests ++++ b/testsuite/awk.tests +@@ -462,5 +462,10 @@ testing "awk \"cmd\" | getline" \ + "awk 'BEGIN { \"echo HELLO\" | getline; print }'" \ + "HELLO\n" \ + '' '' ++testing 'awk assign while test' \ ++ "awk '\$1==\$1=\"foo\" {print \$1}'" \ ++ "foo\n" \ ++ "" \ ++ "foo" + + exit $FAILCOUNT +-- +2.25.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend index 42a52e0d7..b9c654068 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend @@ -4,6 +4,7 @@ SRC_URI += " \ file://enable.cfg \ file://CVE-2022-28391_1.patch \ file://CVE-2022-28391_2.patch \ + file://CVE-2022-30065.patch \ " SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks','file://dev-only.cfg','',d)}" diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42010.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42010.patch new file mode 100644 index 000000000..d2693ed69 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42010.patch @@ -0,0 +1,114 @@ +From 9d07424e9011e3bbe535e83043d335f3093d2916 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Tue, 13 Sep 2022 15:10:22 +0100 +Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest +correctly + +In debug builds with assertions enabled, a signature with incorrectly +nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result +in an assertion failure. + +In production builds without assertions enabled, a signature with +incorrectly nested `()` and `{}` could potentially result in a crash +or incorrect message parsing, although we do not have a concrete example +of either of these failure modes. + +Thanks: Evgeny Vereshchagin +Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418 +Resolves: CVE-2022-42010 +Signed-off-by: Simon McVittie +--- + dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++- + 1 file changed, 37 insertions(+), 1 deletion(-) + +diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c +index 4d492f3f3..ae68414dd 100644 +--- a/dbus/dbus-marshal-validate.c ++++ b/dbus/dbus-marshal-validate.c +@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + + int element_count; + DBusList *element_count_stack; ++ char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' }; ++ char last_bracket; + + result = DBUS_VALID; + element_count_stack = NULL; +@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + + while (p != end) + { ++ _dbus_assert (struct_depth + dict_entry_depth >= 0); ++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); ++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0'); ++ + switch (*p) + { + case DBUS_TYPE_BYTE: +@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + goto out; + } + ++ _dbus_assert (struct_depth + dict_entry_depth >= 1); ++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); ++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); ++ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR; + break; + + case DBUS_STRUCT_END_CHAR: +@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + goto out; + } + ++ _dbus_assert (struct_depth + dict_entry_depth >= 1); ++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); ++ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; ++ ++ if (last_bracket != DBUS_STRUCT_BEGIN_CHAR) ++ { ++ result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED; ++ goto out; ++ } ++ + _dbus_list_pop_last (&element_count_stack); + + struct_depth -= 1; ++ opened_brackets[struct_depth + dict_entry_depth] = '\0'; + break; + + case DBUS_DICT_ENTRY_BEGIN_CHAR: +@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + goto out; + } + ++ _dbus_assert (struct_depth + dict_entry_depth >= 1); ++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); ++ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); ++ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR; + break; + + case DBUS_DICT_ENTRY_END_CHAR: +@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, + result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; + goto out; + } +- ++ ++ _dbus_assert (struct_depth + dict_entry_depth >= 1); ++ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); ++ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; ++ ++ if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR) ++ { ++ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; ++ goto out; ++ } ++ + dict_entry_depth -= 1; ++ opened_brackets[struct_depth + dict_entry_depth] = '\0'; + + element_count = + _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack)); +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch new file mode 100644 index 000000000..9284dd666 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch @@ -0,0 +1,55 @@ +From 079bbf16186e87fb0157adf8951f19864bc2ed69 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 12 Sep 2022 13:14:18 +0100 +Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of + fixed-length items + +This fast-path previously did not check that the array was made up +of an integer number of items. This could lead to assertion failures +and out-of-bounds accesses during subsequent message processing (which +assumes that the message has already been validated), particularly after +the addition of _dbus_header_remove_unknown_fields(), which makes it +more likely that dbus-daemon will apply non-trivial edits to messages. + +Thanks: Evgeny Vereshchagin +Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays" +Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 +Resolves: CVE-2022-42011 +Signed-off-by: Simon McVittie +--- + dbus/dbus-marshal-validate.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c +index ae68414dd..7d0d6cf72 100644 +--- a/dbus/dbus-marshal-validate.c ++++ b/dbus/dbus-marshal-validate.c +@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader, + */ + if (dbus_type_is_fixed (array_elem_type)) + { ++ /* Note that fixed-size types all have sizes equal to ++ * their alignments, so this is really the item size. */ ++ alignment = _dbus_type_get_alignment (array_elem_type); ++ _dbus_assert (alignment == 1 || alignment == 2 || ++ alignment == 4 || alignment == 8); ++ ++ /* Because the alignment is a power of 2, this is ++ * equivalent to: (claimed_len % alignment) != 0, ++ * but avoids slower integer division */ ++ if ((claimed_len & (alignment - 1)) != 0) ++ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT; ++ + /* bools need to be handled differently, because they can + * have an invalid value + */ + if (array_elem_type == DBUS_TYPE_BOOLEAN) + { + dbus_uint32_t v; +- alignment = _dbus_type_get_alignment (array_elem_type); + + while (p < array_end) + { +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42012.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42012.patch new file mode 100644 index 000000000..53b0e92ff --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42012.patch @@ -0,0 +1,71 @@ +From 236f16e444e88a984cf12b09225e0f8efa6c5b44 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 30 Sep 2022 13:46:31 +0100 +Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed + +When a D-Bus message includes attached file descriptors, the body of the +message contains unsigned 32-bit indexes pointing into an out-of-band +array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to +these indexes as "handles" for the associated fds (not to be confused +with a Windows HANDLE, which is a kernel object). + +The assertion message removed by this commit is arguably correct up to +a point: fd-passing is only reasonable on a local machine, and no known +operating system allows processes of differing endianness even on a +multi-endian ARM or PowerPC CPU, so it makes little sense for the sender +to specify a byte-order that differs from the byte-order of the recipient. + +However, this doesn't account for the fact that a malicious sender +doesn't have to restrict itself to only doing things that make sense. +On a system with untrusted local users, a message sender could crash +the system dbus-daemon (a denial of service) by sending a message in +the opposite endianness that contains handles to file descriptors. + +Before this commit, if assertions are enabled, attempting to byteswap +a fd index would cleanly crash the message recipient with an assertion +failure. If assertions are disabled, attempting to byteswap a fd index +would silently do nothing without advancing the pointer p, causing the +message's type and the pointer into its contents to go out of sync, which +can result in a subsequent crash (the crash demonstrated by fuzzing was +a use-after-free, but other failure modes might be possible). + +In principle we could resolve this by rejecting wrong-endianness messages +from a local sender, but it's actually simpler and less code to treat +wrong-endianness messages as valid and byteswap them. + +Thanks: Evgeny Vereshchagin +Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds" +Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417 +Resolves: CVE-2022-42012 +Signed-off-by: Simon McVittie +--- + dbus/dbus-marshal-byteswap.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c +index e9de6f02a..9dd1246f9 100644 +--- a/dbus/dbus-marshal-byteswap.c ++++ b/dbus/dbus-marshal-byteswap.c +@@ -62,6 +62,7 @@ byteswap_body_helper (DBusTypeReader *reader, + case DBUS_TYPE_BOOLEAN: + case DBUS_TYPE_INT32: + case DBUS_TYPE_UINT32: ++ case DBUS_TYPE_UNIX_FD: + { + p = _DBUS_ALIGN_ADDRESS (p, 4); + *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p)); +@@ -192,11 +193,6 @@ byteswap_body_helper (DBusTypeReader *reader, + } + break; + +- case DBUS_TYPE_UNIX_FD: +- /* fds can only be passed on a local machine, so byte order must always match */ +- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense"); +- break; +- + default: + _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature"); + break; +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_%.bbappend new file mode 100644 index 000000000..af073e92a --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_%.bbappend @@ -0,0 +1,6 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" +SRC_URI += " \ + file://CVE-2022-42010.patch \ + file://CVE-2022-42011.patch \ + file://CVE-2022-42012.patch \ + " diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch new file mode 100644 index 000000000..b19647736 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch @@ -0,0 +1,109 @@ +From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Tue, 20 Sep 2022 02:44:34 +0200 +Subject: [PATCH 1/3] lib: Fix overeager DTD destruction in + XML_ExternalEntityParserCreate + +--- + lib/xmlparse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index aacd6e7fc..57bf103cc 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName, + parserInit(parser, encodingName); + + if (encodingName && ! parser->m_protocolEncodingName) { ++ if (dtd) { ++ // We need to stop the upcoming call to XML_ParserFree from happily ++ // destroying parser->m_dtd because the DTD is shared with the parent ++ // parser and the only guard that keeps XML_ParserFree from destroying ++ // parser->m_dtd is parser->m_isParamEntity but it will be set to ++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all). ++ parser->m_dtd = NULL; ++ } + XML_ParserFree(parser); + return NULL; + } + +From 43992e4ae25fc3dc0eec0cd3a29313555d56aee2 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Sep 2022 18:16:15 +0200 +Subject: [PATCH 2/3] tests: Cover overeager DTD destruction in + XML_ExternalEntityParserCreate + +--- + tests/runtests.c | 49 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/tests/runtests.c b/tests/runtests.c +index 245fe9bda..acb744dd4 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -10208,6 +10208,53 @@ START_TEST(test_alloc_long_notation) { + } + END_TEST + ++static int XMLCALL ++external_entity_parser_create_alloc_fail_handler(XML_Parser parser, ++ const XML_Char *context, ++ const XML_Char *base, ++ const XML_Char *systemId, ++ const XML_Char *publicId) { ++ UNUSED_P(base); ++ UNUSED_P(systemId); ++ UNUSED_P(publicId); ++ ++ if (context != NULL) ++ fail("Unexpected non-NULL context"); ++ ++ // The following number intends to fail the upcoming allocation in line ++ // "parser->m_protocolEncodingName = copyString(encodingName, ++ // &(parser->m_mem));" in function parserInit. ++ allocation_count = 3; ++ ++ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL ++ const XML_Parser ext_parser ++ = XML_ExternalEntityParserCreate(parser, context, encodingName); ++ if (ext_parser != NULL) ++ fail( ++ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory"); ++ ++ allocation_count = ALLOC_ALWAYS_SUCCEED; ++ return XML_STATUS_ERROR; ++} ++ ++START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) { ++ const char *const text = ""; ++ ++ XML_SetExternalEntityRefHandler( ++ g_parser, external_entity_parser_create_alloc_fail_handler); ++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_ERROR) ++ fail("Call to parse was expected to fail"); ++ ++ if (XML_GetErrorCode(g_parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING) ++ fail("Call to parse was expected to fail from the external entity handler"); ++ ++ XML_ParserReset(g_parser, NULL); ++} ++END_TEST ++ + static void + nsalloc_setup(void) { + XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free}; +@@ -12401,6 +12448,8 @@ make_suite(void) { + tcase_add_test(tc_alloc, test_alloc_long_public_id); + tcase_add_test(tc_alloc, test_alloc_long_entity_value); + tcase_add_test(tc_alloc, test_alloc_long_notation); ++ tcase_add_test__ifdef_xml_dtd( ++ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail); + + suite_add_tcase(s, tc_nsalloc); + tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown); + + diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb b/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb index 852ba0baf..616838aa3 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb +++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb @@ -12,6 +12,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA file://run-ptest \ file://CVE-2022-40674_1.patch \ file://CVE-2022-40674_2.patch \ + file://CVE-2022-43680.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2021-3998.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2021-3998.patch new file mode 100644 index 000000000..8a6533070 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2021-3998.patch @@ -0,0 +1,173 @@ +From a48cfb100aa47d349cd1b80d0efcca3231b6bfcd Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Thu, 13 Jan 2022 11:28:36 +0530 +Subject: [PATCH 1/2] realpath: Set errno to ENAMETOOLONG for result larger + than PATH_MAX [BZ #28770] + +realpath returns an allocated string when the result exceeds PATH_MAX, +which is unexpected when its second argument is not NULL. This results +in the second argument (resolved) being uninitialized and also results +in a memory leak since the caller expects resolved to be the same as the +returned value. + +Return NULL and set errno to ENAMETOOLONG if the result exceeds +PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. + +Reviewed-by: Adhemerval Zanella +Signed-off-by: Siddhesh Poyarekar +(cherry picked from commit ee8d5e33adb284601c00c94687bc907e10aec9bb) +(cherry picked from commit f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5 + with conflict resoluation in stdlib/Makefile and NEWS) +--- + NEWS | 4 +++ + stdlib/Makefile | 2 +- + stdlib/canonicalize.c | 12 +++++++-- + stdlib/tst-realpath-toolong.c | 49 +++++++++++++++++++++++++++++++++++ + 4 files changed, 64 insertions(+), 3 deletions(-) + create mode 100644 stdlib/tst-realpath-toolong.c + +diff --git a/NEWS b/NEWS +index 028ed04ca2..0c3b1c2556 100644 +--- a/NEWS ++++ b/NEWS +@@ -210,6 +210,10 @@ Security related changes: + legacy function could result in a stack-based buffer overflow when + using the "unix" protocol. Reported by Martin Sebor. + ++ CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath ++ function could result in a memory leak and potential access of ++ uninitialized memory. Reported by Qualys. ++ + The following bugs are resolved with this release: + + [4737] libc: fork is not async-signal-safe +diff --git a/stdlib/Makefile b/stdlib/Makefile +index 7c15549caf..22de3867be 100644 +--- a/stdlib/Makefile ++++ b/stdlib/Makefile +@@ -88,7 +88,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ + tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ + tst-setcontext6 tst-setcontext7 tst-setcontext8 \ + tst-setcontext9 tst-bz20544 tst-canon-bz26341 \ +- tst-realpath ++ tst-realpath tst-realpath-toolong + + tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ + tst-tls-atexit tst-tls-atexit-nodelete +diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c +index cac1f73d74..20033b4885 100644 +--- a/stdlib/canonicalize.c ++++ b/stdlib/canonicalize.c +@@ -400,8 +400,16 @@ realpath_stk (const char *name, char *resolved, + + error: + *dest++ = '\0'; +- if (resolved != NULL && dest - rname <= get_path_max ()) +- rname = strcpy (resolved, rname); ++ if (resolved != NULL) ++ { ++ if (dest - rname <= get_path_max ()) ++ rname = strcpy (resolved, rname); ++ else ++ { ++ failed = true; ++ __set_errno (ENAMETOOLONG); ++ } ++ } + + error_nomem: + scratch_buffer_free (&extra_buffer); +diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c +new file mode 100644 +index 0000000000..8bed772460 +--- /dev/null ++++ b/stdlib/tst-realpath-toolong.c +@@ -0,0 +1,49 @@ ++/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds ++ NAME_MAX. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define BASENAME "tst-realpath-toolong." ++ ++int ++do_test (void) ++{ ++ char *base = support_create_and_chdir_toolong_temp_directory (BASENAME); ++ ++ char buf[PATH_MAX + 1]; ++ const char *res = realpath (".", buf); ++ ++ /* canonicalize.c states that if the real path is >= PATH_MAX, then ++ realpath returns NULL and sets ENAMETOOLONG. */ ++ TEST_VERIFY (res == NULL); ++ TEST_VERIFY (errno == ENAMETOOLONG); ++ ++ free (base); ++ return 0; ++} ++ ++#include +-- +2.25.1 + + +From a4bc5841640e57f8d216e818b07cdd4c74f62815 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Mon, 24 Jan 2022 21:36:41 +0530 +Subject: [PATCH 2/2] realpath: Avoid overwriting preexisting error + (CVE-2021-3998) + +Set errno and failure for paths that are too long only if no other error +occurred earlier. + +Related: BZ #28770 + +Reviewed-by: Andreas Schwab +Signed-off-by: Siddhesh Poyarekar +(cherry picked from commit 84d2d0fe20bdf94feed82b21b4d7d136db471f03) +(cherry picked from commit d084965adc7baa8ea804427cccf973cea556d697) +--- + stdlib/canonicalize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c +index 20033b4885..fdeca42b83 100644 +--- a/stdlib/canonicalize.c ++++ b/stdlib/canonicalize.c +@@ -404,7 +404,7 @@ error: + { + if (dest - rname <= get_path_max ()) + rname = strcpy (resolved, rname); +- else ++ else if (!failed) + { + failed = true; + __set_errno (ENAMETOOLONG); +-- +2.25.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-0687.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-0687.patch new file mode 100644 index 000000000..da0e43686 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-0687.patch @@ -0,0 +1,77 @@ +From 801af9fafd4689337ebf27260aa115335a0cb2bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?= + =?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= +Date: Sat, 4 Feb 2023 14:41:38 +0300 +Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `__monstartup()` allocates a buffer used to store all the data +accumulated by the monitor. + +The size of this buffer depends on the size of the internal structures +used and the address range for which the monitor is activated, as well +as on the maximum density of call instructions and/or callable functions +that could be potentially on a segment of executable code. + +In particular a hash table of arcs is placed at the end of this buffer. +The size of this hash table is calculated in bytes as + p->fromssize = p->textsize / HASHFRACTION; + +but actually should be + p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms)); + +This results in writing beyond the end of the allocated buffer when an +added arc corresponds to a call near from the end of the monitored +address range, since `_mcount()` check the incoming caller address for +monitored range but not the intermediate result hash-like index that +uses to write into the table. + +It should be noted that when the results are output to `gmon.out`, the +table is read to the last element calculated from the allocated size in +bytes, so the arcs stored outside the buffer boundary did not fall into +`gprof` for analysis. Thus this "feature" help me to found this bug +during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438 + +Just in case, I will explicitly note that the problem breaks the +`make test t=gmon/tst-gmon-dso` added for Bug 29438. +There, the arc of the `f3()` call disappears from the output, since in +the DSO case, the call to `f3` is located close to the end of the +monitored range. + +Signed-off-by: Леонид Юрьев (Leonid Yuriev) + +Another minor error seems a related typo in the calculation of +`kcountsize`, but since kcounts are smaller than froms, this is +actually to align the p->froms data. + +Co-authored-by: DJ Delorie +Reviewed-by: Carlos O'Donell +--- + gmon/gmon.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/gmon/gmon.c b/gmon/gmon.c +index dee64803ada..bf76358d5b1 100644 +--- a/gmon/gmon.c ++++ b/gmon/gmon.c +@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc) + p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER)); + p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER)); + p->textsize = p->highpc - p->lowpc; ++ /* This looks like a typo, but it's here to align the p->froms ++ section. */ + p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms)); + p->hashfraction = HASHFRACTION; + p->log_hashfraction = -1; +@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc) + instead of integer division. Precompute shift amount. */ + p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1; + } +- p->fromssize = p->textsize / HASHFRACTION; ++ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms)); + p->tolimit = p->textsize * ARCDENSITY / 100; + if (p->tolimit < MINARCS) + p->tolimit = MINARCS; + diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend index be793e5e8..96c4947ad 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend @@ -8,4 +8,6 @@ SRC_URI += " \ file://0001-CVE-2022-23219.patch \ file://0002-CVE-2022-23219.patch \ file://CVE-2021-43396.patch \ + file://CVE-2021-3998.patch \ + file://CVE-2023-0687.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40303.patch new file mode 100644 index 000000000..ecb134edf --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40303.patch @@ -0,0 +1,618 @@ +From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 25 Aug 2022 17:43:08 +0200 +Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE + +Also impose size limits when XML_PARSE_HUGE is set. Limit size of names +to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to +XML_MAX_HUGE_LENGTH (1 billion bytes). + +Move some the length checks to the end of the respective loop to make +them strict. + +xmlParseEntityValue didn't have a length limitation at all. But without +XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW. + +Thanks to Maddie Stone working with Google Project Zero for the report! +--- + parser.c | 233 +++++++++++++++++++++++++++++-------------------------- + 1 file changed, 121 insertions(+), 112 deletions(-) + +diff --git a/parser.c b/parser.c +index 93f031be..79479979 100644 +--- a/parser.c ++++ b/parser.c +@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt); + * * + ************************************************************************/ + ++#define XML_MAX_HUGE_LENGTH 1000000000 ++ + #define XML_PARSER_BIG_ENTITY 1000 + #define XML_PARSER_LOT_ENTITY 5000 + +@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) + errmsg = "Malformed declaration expecting version"; + break; + case XML_ERR_NAME_TOO_LONG: +- errmsg = "Name too long use XML_PARSE_HUGE option"; ++ errmsg = "Name too long"; + break; + #if 0 + case: +@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNameComplex++; +@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + } +@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } +@@ -3338,7 +3344,10 @@ const xmlChar * + xmlParseName(xmlParserCtxtPtr ctxt) { + const xmlChar *in; + const xmlChar *ret; +- int count = 0; ++ size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + GROW; + +@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { + in++; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; +- if ((count > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (count > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } +@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + size_t startPosition = 0; + + #ifdef DEBUG +@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ + (xmlIsNameChar(ctxt, c) && (c != ':'))) { + if (count++ > XML_PARSER_CHUNK_SIZE) { +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); +- return(NULL); +- } + count = 0; + GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + if (c == 0) { +@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + c = CUR_CHAR(l); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3459,7 +3465,10 @@ static const xmlChar * + xmlParseNCName(xmlParserCtxtPtr ctxt) { + const xmlChar *in, *e; + const xmlChar *ret; +- int count = 0; ++ size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNCName++; +@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + goto complex; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; +- if ((count > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (count > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + const xmlChar *cur = *str; + int len = 0, l; + int c; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseStringName++; +@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + if (len + 10 > max) { + xmlChar *tmp; + +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); +- xmlFree(buffer); +- return(NULL); +- } + max *= 2; + tmp = (xmlChar *) xmlRealloc(buffer, + max * sizeof(xmlChar)); +@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + COPY_BUF(l,buffer,len,c); + cur += l; + c = CUR_SCHAR(cur, l); ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); ++ xmlFree(buffer); ++ return(NULL); ++ } + } + buffer[len] = 0; + *str = cur; + return(buffer); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNmToken++; +@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + if (len + 10 > max) { + xmlChar *tmp; + +- if ((max > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); +- xmlFree(buffer); +- return(NULL); +- } + max *= 2; + tmp = (xmlChar *) xmlRealloc(buffer, + max * sizeof(xmlChar)); +@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + COPY_BUF(l,buffer,len,c); + NEXTL(l); + c = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); ++ xmlFree(buffer); ++ return(NULL); ++ } + } + buffer[len] = 0; + return(buffer); +@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + } + if (len == 0) + return(NULL); +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); + return(NULL); + } +@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; + int c, l; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + xmlChar stop; + xmlChar *ret = NULL; + const xmlChar *cur = NULL; +@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + GROW; + c = CUR_CHAR(l); + } ++ ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, ++ "entity value too long\n"); ++ goto error; ++ } + } + buf[len] = 0; + if (ctxt->instate == XML_PARSER_EOF) +@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + xmlChar *rep = NULL; + size_t len = 0; + size_t buf_size = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int c, l, in_space = 0; + xmlChar *current = NULL; + xmlEntityPtr ent; +@@ -3936,16 +3958,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + while (((NXT(0) != limit) && /* checked */ + (IS_CHAR(c)) && (c != '<')) && + (ctxt->instate != XML_PARSER_EOF)) { +- /* +- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE +- * special option is given +- */ +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, +- "AttValue length too long\n"); +- goto mem_error; +- } + if (c == '&') { + in_space = 0; + if (NXT(1) == '#') { +@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } + GROW; + c = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, ++ "AttValue length too long\n"); ++ goto mem_error; ++ } + } + if (ctxt->instate == XML_PARSER_EOF) + goto error; +@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } else + NEXT; + +- /* +- * There we potentially risk an overflow, don't allow attribute value of +- * length more than INT_MAX it is a very reasonable assumption ! +- */ +- if (len >= INT_MAX) { +- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, +- "AttValue length too long\n"); +- goto mem_error; +- } +- + if (attlen != NULL) *attlen = (int) len; + return(buf); + +@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; + int cur, l; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar stop; + int state = ctxt->instate; + int count = 0; +@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + if (len + 5 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); +- xmlFree(buf); +- ctxt->instate = (xmlParserInputState) state; +- return(NULL); +- } + size *= 2; + tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); + if (tmp == NULL) { +@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + SHRINK; + cur = CUR_CHAR(l); + } ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); ++ xmlFree(buf); ++ ctxt->instate = (xmlParserInputState) state; ++ return(NULL); ++ } + } + buf[len] = 0; + ctxt->instate = (xmlParserInputState) state; +@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar cur; + xmlChar stop; + int count = 0; +@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + if (len + 1 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); +- xmlFree(buf); +- return(NULL); +- } + size *= 2; + tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); + if (tmp == NULL) { +@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + SHRINK; + cur = CUR; + } ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); ++ xmlFree(buf); ++ return(NULL); ++ } + } + buf[len] = 0; + if (cur != stop) { +@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + int r, rl; + int cur, l; + size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int inputid; + + inputid = ctxt->input->id; +@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + if ((r == '-') && (q == '-')) { + xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment too big found", NULL); +- xmlFree (buf); +- return; +- } + if (len + 5 >= size) { + xmlChar *new_buf; + size_t new_size; +@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + GROW; + cur = CUR_CHAR(l); + } ++ ++ if (len > maxLength) { ++ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, ++ "Comment too big found", NULL); ++ xmlFree (buf); ++ return; ++ } + } + buf[len] = 0; + if (cur == 0) { +@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + size_t size = XML_PARSER_BUFFER_SIZE; + size_t len = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + xmlParserInputState state; + const xmlChar *in; + size_t nbchar = 0; +@@ -4958,8 +4975,7 @@ get_more: + buf[len] = 0; + } + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, + "Comment too big found", NULL); + xmlFree (buf); +@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + size_t len = 0; + size_t size = XML_PARSER_BUFFER_SIZE; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int cur, l; + const xmlChar *target; + xmlParserInputState state; +@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + return; + } + count = 0; +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +- "PI %s too big found", target); +- xmlFree(buf); +- ctxt->instate = state; +- return; +- } + } + COPY_BUF(l,buf,len,cur); + NEXTL(l); +@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + GROW; + cur = CUR_CHAR(l); + } ++ if (len > maxLength) { ++ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, ++ "PI %s too big found", target); ++ xmlFree(buf); ++ ctxt->instate = state; ++ return; ++ } + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +- "PI %s too big found", target); +- xmlFree(buf); +- ctxt->instate = state; +- return; +- } + buf[len] = 0; + if (cur != '?') { + xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + const xmlChar *in = NULL, *start, *end, *last; + xmlChar *ret = NULL; + int line, col; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + + GROW; + in = (xmlChar *) CUR_PTR; +@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + start = in; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + if ((*in++ == 0x20) && (*in == 0x20)) break; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + last = last + delta; + } + end = ctxt->input->end; +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); + } + } + } +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + col++; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + } + } + last = in; +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + int s, sl; + int cur, l; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + + /* Check 2.6.0 was NXT(0) not RAW */ + if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { +@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + if (len + 5 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, +- "CData section too big found", NULL); +- xmlFree (buf); +- return; +- } + tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); + if (tmp == NULL) { + xmlFree(buf); +@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + } + NEXTL(l); + cur = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, ++ "CData section too big found\n"); ++ xmlFree(buf); ++ return; ++ } + } + buf[len] = 0; + ctxt->instate = XML_PARSER_CONTENT; +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch new file mode 100644 index 000000000..b6a48587d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch @@ -0,0 +1,101 @@ +From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 31 Aug 2022 22:11:25 +0200 +Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity + reference cycles + +When an entity reference cycle is detected, the entity content is +cleared by setting its first byte to zero. But the entity content might +be allocated from a dict. In this case, the dict entry becomes corrupted +leading to all kinds of logic errors, including memory errors like +double-frees. + +Stop storing entity content, orig, ExternalID and SystemID in a dict. +These values are unlikely to occur multiple times in a document, so they +shouldn't have been stored in a dict in the first place. + +Thanks to Ned Williamson and Nathan Wachholz working with Google Project +Zero for the report! +--- + entities.c | 55 ++++++++++++++++-------------------------------------- + 1 file changed, 16 insertions(+), 39 deletions(-) + +diff --git a/entities.c b/entities.c +index 84435515..d4e5412e 100644 +--- a/entities.c ++++ b/entities.c +@@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity) + if ((entity->children) && (entity->owner == 1) && + (entity == (xmlEntityPtr) entity->children->parent)) + xmlFreeNodeList(entity->children); +- if (dict != NULL) { +- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) +- xmlFree((char *) entity->name); +- if ((entity->ExternalID != NULL) && +- (!xmlDictOwns(dict, entity->ExternalID))) +- xmlFree((char *) entity->ExternalID); +- if ((entity->SystemID != NULL) && +- (!xmlDictOwns(dict, entity->SystemID))) +- xmlFree((char *) entity->SystemID); +- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) +- xmlFree((char *) entity->URI); +- if ((entity->content != NULL) +- && (!xmlDictOwns(dict, entity->content))) +- xmlFree((char *) entity->content); +- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) +- xmlFree((char *) entity->orig); +- } else { +- if (entity->name != NULL) +- xmlFree((char *) entity->name); +- if (entity->ExternalID != NULL) +- xmlFree((char *) entity->ExternalID); +- if (entity->SystemID != NULL) +- xmlFree((char *) entity->SystemID); +- if (entity->URI != NULL) +- xmlFree((char *) entity->URI); +- if (entity->content != NULL) +- xmlFree((char *) entity->content); +- if (entity->orig != NULL) +- xmlFree((char *) entity->orig); +- } ++ if ((entity->name != NULL) && ++ ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) ++ xmlFree((char *) entity->name); ++ if (entity->ExternalID != NULL) ++ xmlFree((char *) entity->ExternalID); ++ if (entity->SystemID != NULL) ++ xmlFree((char *) entity->SystemID); ++ if (entity->URI != NULL) ++ xmlFree((char *) entity->URI); ++ if (entity->content != NULL) ++ xmlFree((char *) entity->content); ++ if (entity->orig != NULL) ++ xmlFree((char *) entity->orig); + xmlFree(entity); + } + +@@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, + ret->SystemID = xmlStrdup(SystemID); + } else { + ret->name = xmlDictLookup(dict, name, -1); +- if (ExternalID != NULL) +- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); +- if (SystemID != NULL) +- ret->SystemID = xmlDictLookup(dict, SystemID, -1); ++ ret->ExternalID = xmlStrdup(ExternalID); ++ ret->SystemID = xmlStrdup(SystemID); + } + if (content != NULL) { + ret->length = xmlStrlen(content); +- if ((dict != NULL) && (ret->length < 5)) +- ret->content = (xmlChar *) +- xmlDictLookup(dict, content, ret->length); +- else +- ret->content = xmlStrndup(content, ret->length); ++ ret->content = xmlStrndup(content, ret->length); + } else { + ret->length = 0; + ret->content = NULL; +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend index 4011c8759..1d2993a8d 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend @@ -2,4 +2,6 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += "file://CVE-2022-23308-Use-after-free-of-ID-and-IDREF.patch \ file://CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch \ + file://CVE-2022-40303.patch \ + file://CVE-2022-40304.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses.inc b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses.inc new file mode 100644 index 000000000..367f3b19f --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses.inc @@ -0,0 +1,327 @@ +SUMMARY = "The New Curses library" +DESCRIPTION = "SVr4 and XSI-Curses compatible curses library and terminfo tools including tic, infocmp, captoinfo. Supports color, multiple highlights, forms-drawing characters, and automatic recognition of keypad and function-key sequences. Extensions include resizable windows and mouse support on both xterm and Linux console using the gpm library." +HOMEPAGE = "http://www.gnu.org/software/ncurses/ncurses.html" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://COPYING;md5=c5a4600fdef86384c41ca33ecc70a4b8;endline=27" +SECTION = "libs" +DEPENDS = "ncurses-native" +DEPENDS:class-native = "" + +BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \ + ${bindir}/ncurses6-config ${bindir}/ncursesw6-config" + +inherit autotools binconfig-disabled multilib_header pkgconfig + +# Upstream has useful patches at times at ftp://invisible-island.net/ncurses/ +SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master" + +EXTRA_AUTORECONF = "-I m4" + +CACHED_CONFIGUREVARS = "cf_cv_func_nanosleep=yes" +CACHED_CONFIGUREVARS:append:linux = " cf_cv_working_poll=yes" + +EXTRASITECONFIG = "CFLAGS='${CFLAGS} -I${SYSROOT_DESTDIR}${includedir}'" + +# Whether to enable separate widec libraries; must be 'true' or 'false' +# +# TODO: remove this variable when widec is supported in every setup? +ENABLE_WIDEC ?= "true" + +# _GNU_SOURCE is required for widec stuff and is detected automatically +# for target objects. But it must be set manually for native and sdk +# builds. +BUILD_CPPFLAGS += "-D_GNU_SOURCE" + +# natives don't generally look in base_libdir +base_libdir:class-native = "${libdir}" + +# Display corruption occurs on 64 bit hosts without these settings +# This was derrived from the upstream debian ncurses which uses +# these settings for 32 and 64 bit hosts. +EXCONFIG_ARGS = "" +EXCONFIG_ARGS:class-native = " \ + --disable-lp64 \ + --with-chtype='long' \ + --with-mmask-t='long'" +EXCONFIG_ARGS:class-nativesdk = " \ + --disable-lp64 \ + --with-chtype='long' \ + --with-mmask-t='long'" + +PACKAGES_DYNAMIC = "^${PN}-lib.*" + +# Fall back to the host termcap / terminfo for -nativesdk and -native +# The reality is a work around for strange problems with things like +# "bitbake -c menuconfig busybox" where it cannot find the terminfo +# because the sstate had a hard coded search path. Until this is fixed +# another way this is deemed good enough. +EX_TERMCAP = "" +EX_TERMCAP:class-native = ":/etc/termcap:/usr/share/misc/termcap" +EX_TERMCAP:class-nativesdk = ":/etc/termcap:/usr/share/misc/termcap" +EX_TERMINFO = "" +EX_TERMINFO:class-native = ":/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo" +EX_TERMINFO:class-nativesdk = ":/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo" +EX_TERMLIB ?= "tinfo" + +# Helper function for do_configure to allow multiple configurations +# $1 the directory to run configure in +# $@ the arguments to pass to configure +ncurses_configure() { + mkdir -p $1 + cd $1 + shift + oe_runconf \ + --without-debug \ + --without-ada \ + --without-gpm \ + --enable-hard-tabs \ + --enable-xmc-glitch \ + --enable-colorfgbg \ + --with-termpath='${sysconfdir}/termcap:${datadir}/misc/termcap${EX_TERMCAP}' \ + --with-terminfo-dirs='${sysconfdir}/terminfo:${datadir}/terminfo${EX_TERMINFO}' \ + --with-shared \ + --disable-big-core \ + --program-prefix= \ + --with-ticlib \ + --with-termlib=${EX_TERMLIB} \ + --enable-sigwinch \ + --enable-pc-files \ + --disable-rpath-hack \ + ${EXCONFIG_ARGS} \ + --with-manpage-format=normal \ + --without-manpage-renames \ + --disable-stripping \ + "$@" || return 1 + cd .. +} + +# Override the function from the autotools class; ncurses requires a +# patched autoconf213 to generate the configure script. This autoconf +# is not available so that the shipped script will be used. +do_configure() { + #Remove ${includedir} from CPPFLAGS, need for cross compile + sed -i 's#-I${cf_includedir}##g' ${S}/configure || die "sed CPPFLAGS" + + # The --enable-pc-files requires PKG_CONFIG_LIBDIR existed + mkdir -p ${PKG_CONFIG_LIBDIR} + ( cd ${S}; gnu-configize --force ) + ncurses_configure "narrowc" || \ + return 1 + ! ${ENABLE_WIDEC} || \ + ncurses_configure "widec" "--enable-widec" "--without-progs" + +} + +do_compile() { + oe_runmake -C narrowc libs + oe_runmake -C narrowc/progs + + ! ${ENABLE_WIDEC} || \ + oe_runmake -C widec libs +} + +# set of expected differences between narrowc and widec header +# +# TODO: the NCURSES_CH_T difference can cause real problems :( +_unifdef_cleanup = " \ + -e '\!/\* \$Id: curses.wide,v!,\!/\* \$Id: curses.tail,v!d' \ + -e '/^#define NCURSES_CH_T /d' \ + -e '/^#include /d' \ + -e '\!^/\* .* \*/!d' \ +" + +do_test[depends] = "unifdef-native:do_populate_sysroot" +do_test[dirs] = "${S}" +do_test() { + ${ENABLE_WIDEC} || return 0 + + # make sure that the narrow and widec header are compatible + # and differ only in minor details. + unifdef -k narrowc/include/curses.h | \ + sed ${_unifdef_cleanup} > curses-narrowc.h + unifdef -k widec/include/curses.h | \ + sed ${_unifdef_cleanup} > curses-widec.h + + diff curses-narrowc.h curses-widec.h +} + +# Split original _install_opts to two parts. +# One is the options to install contents, the other is the parameters \ +# when running command "make install" +# Note that install.libs will also implicitly install header files, +# so we do not need to explicitly specify install.includes. +# Doing so could in fact result in a race condition, as both targets +# (install.libs and install.includes) would install the same headers +# at the same time + +_install_opts = " install.libs install.man " + +_install_cfgs = "\ + DESTDIR='${D}' \ + PKG_CONFIG_LIBDIR='${libdir}/pkgconfig' \ +" + +do_install() { + # Order of installation is important; widec installs a 'curses.h' + # header with more definitions and must be installed last hence. + # Compatibility of these headers will be checked in 'do_test()'. + oe_runmake -C narrowc ${_install_cfgs} ${_install_opts} \ + install.progs + + # The install.data should run after install.libs, otherwise + # there would be a race issue in a very critical conditon, since + # tic will be run by install.data, and tic needs libtinfo.so + # which would be regenerated by install.libs. + oe_runmake -C narrowc ${_install_cfgs} \ + install.data + + + ! ${ENABLE_WIDEC} || \ + oe_runmake -C widec ${_install_cfgs} ${_install_opts} + + cd narrowc + + # include some basic terminfo files + # stolen ;) from gentoo and modified a bit + for x in ansi console dumb linux rxvt screen screen-256color sun vt52 vt100 vt102 vt200 vt220 xterm-color xterm-xfree86 xterm-256color + do + local termfile="$(find "${D}${datadir}/terminfo/" -name "${x}" 2>/dev/null)" + local basedir="$(basename $(dirname "${termfile}"))" + + if [ -n "${termfile}" ] + then + install -d ${D}${sysconfdir}/terminfo/${basedir} + mv ${termfile} ${D}${sysconfdir}/terminfo/${basedir}/ + ln -s /etc/terminfo/${basedir}/${x} \ + ${D}${datadir}/terminfo/${basedir}/${x} + fi + done + # i think we can use xterm-color as default xterm + if [ -e ${D}${sysconfdir}/terminfo/x/xterm-color ] + then + ln -sf xterm-color ${D}${sysconfdir}/terminfo/x/xterm + fi + + # When changing ${libdir} to e.g. /usr/lib/myawesomelib/ ncurses + # still installs '/usr/lib/terminfo', so try to rm both + # the proper path and a slightly hardcoded one + rm -f ${D}${libdir}/terminfo ${D}${prefix}/lib/terminfo + + # create linker scripts for libcurses.so and libncurses to + # link against -ltinfo when needed. Some builds might break + # else when '-Wl,--no-copy-dt-needed-entries' has been set in + # linker flags. + for i in libncurses libncursesw; do + f=${D}${libdir}/$i.so + test -h $f || continue + rm -f $f + echo '/* GNU ld script */' >$f + echo "INPUT($i.so.5 AS_NEEDED(-ltinfo))" >>$f + done + + # Make sure that libcurses is linked so that it gets -ltinfo + # also, this should be addressed upstream really. + ln -sf libncurses.so ${D}${libdir}/libcurses.so + + # create libtermcap.so linker script for backward compatibility + f=${D}${libdir}/libtermcap.so + echo '/* GNU ld script */' >$f + echo 'INPUT(AS_NEEDED(-ltinfo))' >>$f + + if [ ! -d "${D}${base_libdir}" ]; then + # Setting base_libdir to libdir as is done in the -native + # case will skip this code + mkdir -p ${D}${base_libdir} + mv ${D}${libdir}/libncurses.so.* ${D}${base_libdir} + ! ${ENABLE_WIDEC} || \ + mv ${D}${libdir}/libncursesw.so.* ${D}${base_libdir} + + mv ${D}${libdir}/libtinfo.so.* ${D}${base_libdir} + rm ${D}${libdir}/libtinfo.so + + # Use ln -rs to ensure this is a relative link despite absolute paths + # (as we can't know the relationship between base_libdir and libdir). + ln -rs ${D}${base_libdir}/libtinfo.so.5 ${D}${libdir}/libtinfo.so + fi + if [ -d "${D}${includedir}/ncurses" ]; then + for f in `find ${D}${includedir}/ncurses -name "*.h"` + do + f=`basename $f` + test -e ${D}${includedir}/$f && continue + ln -sf ncurses/$f ${D}${includedir}/$f + done + fi + oe_multilib_header curses.h +} + +python populate_packages:prepend () { + libdir = d.expand("${libdir}") + base_libdir = d.expand("${base_libdir}") + pnbase = d.expand("${PN}-lib%s") + do_split_packages(d, libdir, r'^lib(.*)\.so\..*', pnbase, 'ncurses %s library', prepend=True, extra_depends = '', allow_links=True) + if libdir is not base_libdir: + do_split_packages(d, base_libdir, r'^lib(.*)\.so\..*', pnbase, 'ncurses %s library', prepend=True, extra_depends = '', allow_links=True) +} + + +inherit update-alternatives + +ALTERNATIVE_PRIORITY = "100" + +ALTERNATIVE:ncurses-tools:class-target = "clear reset" +ALTERNATIVE:ncurses-terminfo:class-target = "st st-256color" + +ALTERNATIVE_LINK_NAME[st] = "${datadir}/terminfo/s/st" + +ALTERNATIVE_LINK_NAME[st-256color] = "${datadir}/terminfo/s/st-256color" + +BBCLASSEXTEND = "native nativesdk" + +PACKAGES += " \ + ${PN}-tools \ + ${PN}-terminfo-base \ + ${PN}-terminfo \ +" + +FILES:${PN} = "\ + ${bindir}/tput \ + ${bindir}/tset \ + ${bindir}/ncurses5-config \ + ${bindir}/ncursesw5-config \ + ${bindir}/ncurses6-config \ + ${bindir}/ncursesw6-config \ + ${datadir}/tabset \ +" + +# This keeps only tput/tset in ncurses +# clear/reset are in already busybox +FILES:${PN}-tools = "\ + ${bindir}/tic \ + ${bindir}/toe \ + ${bindir}/infotocap \ + ${bindir}/captoinfo \ + ${bindir}/infocmp \ + ${bindir}/clear${@['', '.${BPN}']['${CLASSOVERRIDE}' == 'class-target']} \ + ${bindir}/reset${@['', '.${BPN}']['${CLASSOVERRIDE}' == 'class-target']} \ + ${bindir}/tack \ + ${bindir}/tabs \ +" + +# 'reset' is a symlink to 'tset' which is in the 'ncurses' package +RDEPENDS:${PN}-tools = "${PN} ${PN}-terminfo-base" + +FILES:${PN}-terminfo = "\ + ${datadir}/terminfo \ +" + +FILES:${PN}-terminfo-base = "\ + ${sysconfdir}/terminfo \ +" + +RSUGGESTS:${PN}-libtinfo = "${PN}-terminfo" +RRECOMMENDS:${PN}-libtinfo = "${PN}-terminfo-base" + +# Putting terminfo into the sysroot adds around 2800 files to +# each recipe specific sysroot. We can live without this, particularly +# as many recipes may have native and target copies. +SYSROOT_DIRS:remove = "${datadir}" diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-Fix-heap-buffer-overflow-in-captoinfo.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-Fix-heap-buffer-overflow-in-captoinfo.patch deleted file mode 100644 index 420a19b41..000000000 --- a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-Fix-heap-buffer-overflow-in-captoinfo.patch +++ /dev/null @@ -1,47 +0,0 @@ -From ad135388ac66b7c8276b0899d9b43433e2faffa6 Mon Sep 17 00:00:00 2001 -From: P Dheeraj Srujan Kumar -Date: Tue, 7 Dec 2021 23:58:53 +0000 -Subject: [PATCH] Fix heap-buffer-overflow in captoinfo - -This has been picked up from http://cvsweb.netbsd.org/ -bsdweb.cgi/pkgsrc/devel/ncurses/patches/Attic/ -patch-ncurses_tinfo_captoinfo.c -?rev=1.1&content-type=text/x-cvsweb-markup - -Thomas Dickey is the owner of this patch. -This fix is a part of -https://github.com/ThomasDickey/ncurses-snapshots/ -commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff- -7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340 - -Signed-off-by: P Dheeraj Srujan Kumar ---- - ncurses/tinfo/captoinfo.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/ncurses/tinfo/captoinfo.c b/ncurses/tinfo/captoinfo.c -index 8b3b83d1..c9741405 100644 ---- a/ncurses/tinfo/captoinfo.c -+++ b/ncurses/tinfo/captoinfo.c -@@ -216,12 +216,15 @@ cvtchar(register const char *sp) - } - break; - case '^': -+ len = 2; - c = UChar(*++sp); -- if (c == '?') -+ if (c == '?') { - c = 127; -- else -+ } else if (c == '\0') { -+ len = 1; -+ } else { - c &= 0x1f; -- len = 2; -+ } - break; - default: - c = UChar(*sp); --- -2.17.1 - diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-patch-20230408-CVE-2023-29491.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-patch-20230408-CVE-2023-29491.patch new file mode 100644 index 000000000..6e4301e35 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0001-patch-20230408-CVE-2023-29491.patch @@ -0,0 +1,1432 @@ +From 50dd6dac94847a1aec06deb324eedef627f1829c Mon Sep 17 00:00:00 2001 +From: Saravanan Palanisamy +Date: Wed, 24 May 2023 12:45:20 +0000 +Subject: [PATCH] ncurses 6.4 - patch 20230408 (for CVE-2023-29491) + +From eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56 Mon Sep 17 00:00:00 2001 +From: "Thomas E. Dickey" +Date: Sun, 9 Apr 2023 00:08:25 +0000 +Subject: [PATCH 1/1] ncurses 6.4 - patch 20230408 + ++ document limitations of tparm, and error-returns in curs_terminfo.3x ++ document limitations of tgoto, and error-returns in curs_termcap.3x ++ add xterm+focus to alacritty+common (patch by Christian Duerr). ++ add "-v" option to tput, to show warnings. +> improve checks for malformed terminfo data (report/analysis by + Jonathan Bar Or, Michael Pearse, Emanuele Cozzi). + + make the parameter type/count checks in _nc_tiparm() more stringent + + update tgoto() to account for _nc_tiparm() changes + + add checks in tparm() and tiparm() for misuse of string parameters + + add special cases in tput to handle extensions Cs/Ms parameters + + ignore compiled-terminfo where the array sizes exceed the standard + +Note: +Did not cherrypick below changes from original patch as it is not applicable +Intel OpenBMC: + package/debian-mingw/changelog + package/debian-mingw64/changelog + package/debian/changelog + package/mingw-ncurses.nsi + package/mingw-ncurses.spec +--- + NEWS | 15 ++- + VERSION | 2 +- + dist.mk | 4 +- + doc/html/man/adacurses6-config.1.html | 2 +- + doc/html/man/captoinfo.1m.html | 2 +- + doc/html/man/clear.1.html | 2 +- + doc/html/man/curs_termcap.3x.html | 141 +++++++++++++++----------- + doc/html/man/curs_terminfo.3x.html | 41 +++++++- + doc/html/man/form.3x.html | 2 +- + doc/html/man/infocmp.1m.html | 2 +- + doc/html/man/infotocap.1m.html | 2 +- + doc/html/man/menu.3x.html | 2 +- + doc/html/man/ncurses.3x.html | 2 +- + doc/html/man/ncurses6-config.1.html | 2 +- + doc/html/man/panel.3x.html | 2 +- + doc/html/man/tabs.1.html | 2 +- + doc/html/man/terminfo.5.html | 2 +- + doc/html/man/tic.1m.html | 2 +- + doc/html/man/toe.1m.html | 2 +- + doc/html/man/tput.1.html | 2 +- + doc/html/man/tset.1.html | 2 +- + man/curs_termcap.3x | 26 ++++- + man/curs_terminfo.3x | 41 +++++++- + misc/terminfo.src | 9 +- + ncurses/tinfo/lib_tgoto.c | 14 ++- + ncurses/tinfo/lib_tparm.c | 120 +++++++++++++++++++--- + ncurses/tinfo/read_entry.c | 7 +- + package/ncurses.spec | 2 +- + package/ncursest.spec | 2 +- + progs/tic.c | 10 +- + progs/tparm_type.c | 13 ++- + progs/tparm_type.h | 6 +- + progs/tput.c | 61 +++++++++-- + 33 files changed, 418 insertions(+), 128 deletions(-) + +diff --git a/NEWS b/NEWS +index 66e63a39..ab0c10a2 100644 +--- a/NEWS ++++ b/NEWS +@@ -26,7 +26,7 @@ + -- sale, use or other dealings in this Software without prior written -- + -- authorization. -- + ------------------------------------------------------------------------------- +--- $Id: NEWS,v 1.3895 2022/12/31 20:43:21 tom Exp $ ++-- $Id: NEWS,v 1.3929 2023/04/08 22:24:09 tom Exp $ + ------------------------------------------------------------------------------- + + This is a log of changes that ncurses has gone through since Zeyd started +@@ -46,6 +46,19 @@ See the AUTHORS file for the corresponding full names. + Changes through 1.9.9e did not credit all contributions; + it is not possible to add this information. + ++20230408 ++ + document limitations of tparm, and error-returns in curs_terminfo.3x ++ + document limitations of tgoto, and error-returns in curs_termcap.3x ++ + add xterm+focus to alacritty+common (patch by Christian Duerr). ++ + add "-v" option to tput, to show warnings. ++ > improve checks for malformed terminfo data (report/analysis by ++ Jonathan Bar Or, Michael Pearse, Emanuele Cozzi). ++ + make the parameter type/count checks in _nc_tiparm() more stringent ++ + update tgoto() to account for _nc_tiparm() changes ++ + add checks in tparm() and tiparm() for misuse of string parameters ++ + add special cases in tput to handle extensions Cs/Ms parameters ++ + ignore compiled-terminfo where the array sizes exceed the standard ++ + 20221231 6.4 release for upload to ftp.gnu.org + + update release notes + + regenerate llib-* files. +diff --git a/VERSION b/VERSION +index e2dff67c..78269eab 100644 +--- a/VERSION ++++ b/VERSION +@@ -1 +1 @@ +-5:0:10 6.4 20221231 ++5:0:10 6.4 20230408 +diff --git a/dist.mk b/dist.mk +index ee07796b..a2986a57 100644 +--- a/dist.mk ++++ b/dist.mk +@@ -26,7 +26,7 @@ + # use or other dealings in this Software without prior written # + # authorization. # + ############################################################################## +-# $Id: dist.mk,v 1.1519 2022/12/31 20:43:21 tom Exp $ ++# $Id: dist.mk,v 1.1534 2023/04/08 13:33:20 tom Exp $ + # Makefile for creating ncurses distributions. + # + # This only needs to be used directly as a makefile by developers, but +@@ -38,7 +38,7 @@ SHELL = /bin/sh + # These define the major/minor/patch versions of ncurses. + NCURSES_MAJOR = 6 + NCURSES_MINOR = 4 +-NCURSES_PATCH = 20221231 ++NCURSES_PATCH = 20230408 + + # We don't append the patch to the version, since this only applies to releases + VERSION = $(NCURSES_MAJOR).$(NCURSES_MINOR) +diff --git a/doc/html/man/adacurses6-config.1.html b/doc/html/man/adacurses6-config.1.html +index 90587e45..fe563fe2 100644 +--- a/doc/html/man/adacurses6-config.1.html ++++ b/doc/html/man/adacurses6-config.1.html +@@ -126,7 +126,7 @@ +

SEE ALSO

+        curses(3x)
+ 
+-       This describes ncurses version 6.4 (patch 20221231).
++       This describes ncurses version 6.4 (patch 20230408).
+ 
+ 
+ 
+diff --git a/doc/html/man/captoinfo.1m.html b/doc/html/man/captoinfo.1m.html
+index ab99a7cf..2c914951 100644
+--- a/doc/html/man/captoinfo.1m.html
++++ b/doc/html/man/captoinfo.1m.html
+@@ -199,7 +199,7 @@
+

SEE ALSO

+        infocmp(1m), curses(3x), terminfo(5)
+ 
+-       This describes ncurses version 6.4 (patch 20221231).
++       This describes ncurses version 6.4 (patch 20230408).
+ 
+ 
+

AUTHOR

+diff --git a/doc/html/man/clear.1.html b/doc/html/man/clear.1.html
+index 74f5198b..243d57ed 100644
+--- a/doc/html/man/clear.1.html
++++ b/doc/html/man/clear.1.html
+@@ -150,7 +150,7 @@
+

SEE ALSO

+        tput(1), terminfo(5), xterm(1).
+ 
+-       This describes ncurses version 6.4 (patch 20221231).
++       This describes ncurses version 6.4 (patch 20230408).
+ 
+ 
+ 
+diff --git a/doc/html/man/curs_termcap.3x.html b/doc/html/man/curs_termcap.3x.html
+index 9cd555ec..32699b3c 100644
+--- a/doc/html/man/curs_termcap.3x.html
++++ b/doc/html/man/curs_termcap.3x.html
+@@ -1,6 +1,6 @@
+ 
+ 
+ 
+@@ -148,27 +148,32 @@
+            first parameter is merely a placeholder.
+ 
+        o   Normally the ncurses library is compiled with terminfo support.  In
+-           that case, tgoto uses tparm(3x) (a more capable formatter).
++           that  case, tgoto uses an internal version of tparm(3x) (a more ca-
++           pable formatter).
+ 
+-           However,  tparm  is not a termcap feature, and portable termcap ap-
++           With terminfo support, tgoto is able to use some  of  the  terminfo
++           features,  but  not all.  In particular, it allows only numeric pa-
++           rameters; tparm supports string parameters.
++
++           However, tparm is not a termcap feature, and portable  termcap  ap-
+            plications should not rely upon its availability.
+ 
+-       The tputs routine is described on the  curs_terminfo(3x)  manual  page.
++       The  tputs  routine  is described on the curs_terminfo(3x) manual page.
+        It can retrieve capabilities by either termcap or terminfo name.
+ 
+ 
+

Global Variables

+-       The  variables PC, UP and BC are set by tgetent to the terminfo entry's
++       The variables PC, UP and BC are set by tgetent to the terminfo  entry's
+        data for pad_char, cursor_up and backspace_if_not_bs, respectively.  UP
+-       is  not used by ncurses.  PC is used in the tdelay_output function.  BC
+-       is used in the tgoto emulation.  The variable ospeed is set by  ncurses
++       is not used by ncurses.  PC is used in the tdelay_output function.   BC
++       is  used in the tgoto emulation.  The variable ospeed is set by ncurses
+        in a system-specific coding to reflect the terminal speed.
+ 
+ 
+

Releasing Memory

+-       The  termcap  functions  provide  no  means for freeing memory, because
+-       legacy termcap implementations used only the buffer areas  provided  by
+-       the  caller  via tgetent and tgetstr.  Those buffers are unused in ter-
++       The termcap functions provide no  means  for  freeing  memory,  because
++       legacy  termcap  implementations used only the buffer areas provided by
++       the caller via tgetent and tgetstr.  Those buffers are unused  in  ter-
+        minfo.
+ 
+        On the other hand, terminfo allocates memory.  It uses setupterm to re-
+@@ -178,41 +183,55 @@
+             del_curterm(cur_term);
+ 
+ 
+-       to free this memory, but  there  is  an  additional  complication  with
+-       ncurses.   It uses a fixed-size pool of storage locations, one per set-
+-       ting of the TERM variable when tgetent is called.  The  screen(1)  pro-
++       to  free  this  memory,  but  there  is an additional complication with
++       ncurses.  It uses a fixed-size pool of storage locations, one per  set-
++       ting  of  the TERM variable when tgetent is called.  The screen(1) pro-
+        gram relies upon this arrangement, to improve its performance.
+ 
+-       An  application  which  uses only the low-level termcap functions could
++       An application which uses only the low-level  termcap  functions  could
+        free the memory using del_curterm, because the pool is freed using oth-
+        er functions (see curs_memleaks(3x)).
+ 
+ 
+

RETURN VALUE

+-       Except  where  explicitly noted, routines that return an integer return
+-       ERR upon failure and OK (SVr4 only specifies "an  integer  value  other
++       Except where explicitly noted, routines that return an  integer  return
++       ERR  upon  failure  and OK (SVr4 only specifies "an integer value other
+        than ERR") upon successful completion.
+ 
+        Routines that return pointers return NULL on error.
+ 
++       A few special cases apply:
++
++       o   If the terminal database has not been initialized, these return  an
++           error.
++
++       o   The  calls  with  a  string  parameter  (tgoto, tputs) check if the
++           string is null, or cancelled.  Those return an error.
++
++       o   A call to tgoto using a capability with string parameters is an er-
++           ror.
++
++       o   A call to tgoto using a capability with no parameters, or more than
++           two is an error.
++
+ 
+

BUGS

+-       If  you  call tgetstr to fetch ca or any other parameterized string, be
+-       aware that it will be returned in terminfo notation, not the older  and
++       If you call tgetstr to fetch ca or any other parameterized  string,  be
++       aware  that it will be returned in terminfo notation, not the older and
+        not-quite-compatible termcap notation.  This will not cause problems if
+-       all you do with it is call tgoto or tparm, which both expand  terminfo-
+-       style  strings as terminfo.  (The tgoto function, if configured to sup-
+-       port termcap, will check if the  string  is  indeed  terminfo-style  by
+-       looking  for  "%p"  parameters or "$<..>" delays, and invoke a termcap-
++       all  you do with it is call tgoto or tparm, which both expand terminfo-
++       style strings as terminfo.  (The tgoto function, if configured to  sup-
++       port  termcap,  will  check  if  the string is indeed terminfo-style by
++       looking for "%p" parameters or "$<..>" delays, and  invoke  a  termcap-
+        style parser if the string does not appear to be terminfo).
+ 
+-       Because terminfo conventions for representing padding in  string  capa-
++       Because  terminfo  conventions for representing padding in string capa-
+        bilities differ from termcap's, users can be surprised:
+ 
+        o   tputs("50") in a terminfo system will put out a literal "50" rather
+            than busy-waiting for 50 milliseconds.
+ 
+-       o   However, if ncurses is configured to support termcap, it  may  also
++       o   However,  if  ncurses is configured to support termcap, it may also
+            have been configured to support the BSD-style padding.
+ 
+            In that case, tputs inspects strings passed to it, looking for dig-
+@@ -221,9 +240,9 @@
+            tputs("50") in a termcap system may wait for 50 milliseconds rather
+            than put out a literal "50"
+ 
+-       Note  that termcap has nothing analogous to terminfo's sgr string.  One
+-       consequence of this is that termcap applications  assume  me  (terminfo
+-       sgr0)  does not reset the alternate character set.  This implementation
++       Note that termcap has nothing analogous to terminfo's sgr string.   One
++       consequence  of  this  is that termcap applications assume me (terminfo
++       sgr0) does not reset the alternate character set.  This  implementation
+        checks for, and modifies the data shown to the termcap interface to ac-
+        commodate termcap's limitation in this respect.
+ 
+@@ -231,22 +250,22 @@
+

PORTABILITY

+ 
+

Standards

+-       These  functions  are  provided for supporting legacy applications, and
++       These functions are provided for supporting  legacy  applications,  and
+        should not be used in new programs:
+ 
+        o   The XSI Curses standard, Issue 4 describes these functions.  Howev-
+-           er,  they  are  marked TO BE WITHDRAWN and may be removed in future
++           er, they are marked TO BE WITHDRAWN and may be  removed  in  future
+            versions.
+ 
+        o   X/Open Curses, Issue 5 (December 2007) marked the termcap interface
+            (along with vwprintw and vwscanw) as withdrawn.
+ 
+-       Neither  the  XSI Curses standard nor the SVr4 man pages documented the
+-       return values of tgetent correctly, though all three were in  fact  re-
+-       turned  ever  since SVr1.  In particular, an omission in the XSI Curses
+-       documentation has been misinterpreted to mean that tgetent  returns  OK
+-       or  ERR.  Because the purpose of these functions is to provide compati-
+-       bility with the termcap library, that is a defect in XCurses, Issue  4,
++       Neither the XSI Curses standard nor the SVr4 man pages  documented  the
++       return  values  of tgetent correctly, though all three were in fact re-
++       turned ever since SVr1.  In particular, an omission in the  XSI  Curses
++       documentation  has  been misinterpreted to mean that tgetent returns OK
++       or ERR.  Because the purpose of these functions is to provide  compati-
++       bility  with the termcap library, that is a defect in XCurses, Issue 4,
+        Version 2 rather than in ncurses.
+ 
+ 
+@@ -254,68 +273,68 @@
+        External variables are provided for support of certain termcap applica-
+        tions.  However, termcap applications' use of those variables is poorly
+        documented, e.g., not distinguishing between input and output.  In par-
+-       ticular, some applications are reported to declare  and/or  modify  os-
++       ticular,  some  applications  are reported to declare and/or modify os-
+        peed.
+ 
+-       The  comment that only the first two characters of the id parameter are
++       The comment that only the first two characters of the id parameter  are
+        used escapes many application developers.  The original BSD 4.2 termcap
+        library (and historical relics thereof) did not require a trailing null
+-       NUL on the parameter name passed  to  tgetstr,  tgetnum  and  tgetflag.
+-       Some  applications  assume  that the termcap interface does not require
++       NUL  on  the  parameter  name  passed to tgetstr, tgetnum and tgetflag.
++       Some applications assume that the termcap interface  does  not  require
+        the trailing NUL for the parameter name.  Taking into account these is-
+        sues:
+ 
+-       o   As  a  special  case,  tgetflag  matched against a single-character
+-           identifier provided that was at the end of  the  terminal  descrip-
++       o   As a special case,  tgetflag  matched  against  a  single-character
++           identifier  provided  that  was at the end of the terminal descrip-
+            tion.  You should not rely upon this behavior in portable programs.
+-           This implementation disallows matches against single-character  ca-
++           This  implementation disallows matches against single-character ca-
+            pability names.
+ 
+-       o   This  implementation  disallows  matches  by  the termcap interface
++       o   This implementation disallows  matches  by  the  termcap  interface
+            against extended capability names which are longer than two charac-
+            ters.
+ 
+        The BSD termcap function tgetent returns the text of a termcap entry in
+-       the buffer passed as an argument.  This library  (like  other  terminfo
++       the  buffer  passed  as an argument.  This library (like other terminfo
+        implementations) does not store terminal descriptions as text.  It sets
+        the buffer contents to a null-terminated string.
+ 
+ 
+

Other Compatibility

+-       This library includes a termcap.h header, for compatibility with  other
+-       implementations.   But  the header is rarely used because the other im-
++       This  library includes a termcap.h header, for compatibility with other
++       implementations.  But the header is rarely used because the  other  im-
+        plementations are not strictly compatible.
+ 
+        The original BSD termcap (through 4.3BSD) had no header file which gave
+        function prototypes, because that was a feature of ANSI C.  BSD termcap
+-       was written several years before C was  standardized.   However,  there
++       was  written  several  years before C was standardized.  However, there
+        were two different termcap.h header files in the BSD sources:
+ 
+-       o   One  was used internally by the jove editor in 2BSD through 4.4BSD.
++       o   One was used internally by the jove editor in 2BSD through  4.4BSD.
+            It defined global symbols for the termcap variables which it used.
+ 
+-       o   The other appeared in 4.4BSD Lite Release 2 (mid-1993) as  part  of
++       o   The  other  appeared in 4.4BSD Lite Release 2 (mid-1993) as part of
+            libedit (also known as the editline library).  The CSRG source his-
+-           tory shows that this was added in  mid-1992.   The  libedit  header
+-           file  was used internally, as a convenience for compiling the edit-
++           tory  shows  that  this  was added in mid-1992.  The libedit header
++           file was used internally, as a convenience for compiling the  edit-
+            line library.  It declared function prototypes, but no global vari-
+            ables.
+ 
+-       The  header  file from libedit was added to NetBSD's termcap library in
++       The header file from libedit was added to NetBSD's termcap  library  in
+        mid-1994.
+ 
+-       Meanwhile, GNU termcap was under development, starting  in  1990.   The
+-       first  release  (termcap 1.0) in 1991 included a termcap.h header.  The
+-       second release (termcap 1.1) in September 1992 modified the  header  to
++       Meanwhile,  GNU  termcap  was under development, starting in 1990.  The
++       first release (termcap 1.0) in 1991 included a termcap.h  header.   The
++       second  release  (termcap 1.1) in September 1992 modified the header to
+        use const for the function prototypes in the header where one would ex-
+-       pect the parameters to be read-only.  This was a difference versus  the
+-       original  BSD  termcap.   The prototype for tputs also differed, but in
++       pect  the parameters to be read-only.  This was a difference versus the
++       original BSD termcap.  The prototype for tputs also  differed,  but  in
+        that instance, it was libedit which differed from BSD termcap.
+ 
+        A copy of GNU termcap 1.3 was bundled with bash in mid-1993, to support
+        the readline(3) library.
+ 
+-       A  termcap.h  file was provided in ncurses 1.8.1 (November 1993).  That
++       A termcap.h file was provided in ncurses 1.8.1 (November  1993).   That
+        reflected influence by emacs(1) (rather than jove(1)) and GNU termcap:
+ 
+        o   it provided declarations for a few global symbols used by emacs
+@@ -325,8 +344,8 @@
+        o   a prototype for tparam (a GNU termcap feature) was provided.
+ 
+        Later (in mid-1996) the tparam function was removed from ncurses.  As a
+-       result,  there are differences between any of the four implementations,
+-       which must be taken into account by programs which can  work  with  all
++       result, there are differences between any of the four  implementations,
++       which  must  be  taken into account by programs which can work with all
+        termcap library interfaces.
+ 
+ 
+diff --git a/doc/html/man/curs_terminfo.3x.html b/doc/html/man/curs_terminfo.3x.html
+index c50d7db3..480cafce 100644
+--- a/doc/html/man/curs_terminfo.3x.html
++++ b/doc/html/man/curs_terminfo.3x.html
+@@ -1,6 +1,6 @@
+