From 7dd3ed26ca09df0e582be8cc2780bba588bdd11e Mon Sep 17 00:00:00 2001 From: P Dheeraj Srujan Kumar Date: Fri, 2 Dec 2022 23:23:31 +0530 Subject: Update to internal 1-0.92 Signed-off-by: P Dheeraj Srujan Kumar --- ...rintf_s-compilation-issue-for-safec-3.5.1.patch | 4 +- .../busybox/busybox/CVE-2022-28391_1.patch | 40 +++ .../busybox/busybox/CVE-2022-28391_2.patch | 68 +++++ .../recipes-core/busybox/busybox_%.bbappend | 2 + .../expat/expat/CVE-2022-40674_1.patch | 49 +++ .../expat/expat/CVE-2022-40674_2.patch | 104 +++++++ .../meta-common/recipes-core/expat/expat_2.4.5.bb | 2 + ...integer-overflows-in-xmlBuf-and-xmlBuffer.patch | 340 +++++++++++++++++++++ .../recipes-core/libxml/libxml2_%.bbappend | 1 + ...0002-Fix-added-to-mitigate-CVE-2022-29458.patch | 65 ++++ .../recipes-core/ncurses/ncurses_%.bbappend | 4 +- .../recipes-core/systemd/systemd_%.bbappend | 4 + .../recipes-core/zlib/zlib/CVE-2022-37434_1.patch | 32 ++ .../recipes-core/zlib/zlib/CVE-2022-37434_2.patch | 29 ++ .../meta-common/recipes-core/zlib/zlib_%.bbappend | 2 + 15 files changed, 743 insertions(+), 3 deletions(-) create mode 100644 meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch (limited to 'meta-openbmc-mods/meta-common/recipes-core') diff --git a/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch b/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch index 943ffb4a8..f1e7971eb 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch +++ b/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch @@ -7,9 +7,9 @@ A missing macro was defined to ensure sprintf_s macro defintion is set when safe_str_lib.h is included. Test: -Remove openbmc-meta-intel/meta-common/recipes-core/safec/safec_3.4.bb +Remove meta-openbmc-mods/meta-common/recipes-core/safec/safec_3.4.bb Compile at-scale-debug using devtool -ASD Sanity finished successfully(SPR). +ASD Sanity finished successfully. Signed-off-by: Ernesto Corona Change-Id: Idd94b4ba9ff8b4194317a045b140ce90db2ee860 diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch new file mode 100644 index 000000000..1d1716e3b --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch @@ -0,0 +1,40 @@ +From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001 +From: Ariadne Conill +Date: Sun, 3 Apr 2022 12:14:33 +0000 +Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are + returned for the hostname part + +CVE: Pending +Upstream-Status: Pending +Signed-off-by: Ariadne Conill +--- + libbb/xconnect.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libbb/xconnect.c b/libbb/xconnect.c +index 0e0b247b8..02c061e67 100644 +--- a/libbb/xconnect.c ++++ b/libbb/xconnect.c +@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) + ); + if (rc) + return NULL; ++ /* ensure host contains only printable characters */ + if (flags & IGNORE_PORT) +- return xstrdup(host); ++ return xstrdup(printable_string(host)); + #if ENABLE_FEATURE_IPV6 + if (sa->sa_family == AF_INET6) { + if (strchr(host, ':')) /* heh, it's not a resolved hostname */ +@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) + #endif + /* For now we don't support anything else, so it has to be INET */ + /*if (sa->sa_family == AF_INET)*/ +- return xasprintf("%s:%s", host, serv); ++ return xasprintf("%s:%s", printable_string(host), serv); + /*return xstrdup(host);*/ + } + +-- +2.35.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch new file mode 100644 index 000000000..01c45c9ba --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch @@ -0,0 +1,68 @@ +From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001 +From: Ariadne Conill +Date: Sun, 3 Apr 2022 12:16:45 +0000 +Subject: [PATCH 2/2] nslookup: sanitize all printed strings with + printable_string + +Otherwise, terminal sequences can be injected, which enables various terminal injection +attacks from DNS results. + +CVE: Pending +Upstream-Status: Pending +Signed-off-by: Ariadne Conill +--- + networking/nslookup.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/networking/nslookup.c b/networking/nslookup.c +index 6da97baf4..4bdcde1b8 100644 +--- a/networking/nslookup.c ++++ b/networking/nslookup.c +@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + //printf("Unable to uncompress domain: %s\n", strerror(errno)); + return -1; + } +- printf(format, ns_rr_name(rr), dname); ++ printf(format, ns_rr_name(rr), printable_string(dname)); + break; + + case ns_t_mx: +@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + //printf("Cannot uncompress MX domain: %s\n", strerror(errno)); + return -1; + } +- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname); ++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname)); + break; + + case ns_t_txt: +@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + if (n > 0) { + memset(dname, 0, sizeof(dname)); + memcpy(dname, ns_rr_rdata(rr) + 1, n); +- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname); ++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname)); + } + break; + +@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + } + + printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr), +- ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname); ++ ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname)); + break; + + case ns_t_soa: +@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + return -1; + } + +- printf("\tmail addr = %s\n", dname); ++ printf("\tmail addr = %s\n", printable_string(dname)); + cp += n; + + printf("\tserial = %lu\n", ns_get32(cp)); +-- +2.35.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend index ee6330b69..42a52e0d7 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend @@ -2,6 +2,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += " \ file://disable.cfg \ file://enable.cfg \ + file://CVE-2022-28391_1.patch \ + file://CVE-2022-28391_2.patch \ " SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks','file://dev-only.cfg','',d)}" diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch new file mode 100644 index 000000000..80ddcb4f2 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch @@ -0,0 +1,49 @@ +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001 +From: Rhodri James +Date: Wed, 17 Aug 2022 18:26:18 +0100 +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser + +It is possible to concoct a situation in which parsing is +suspended while substituting in an internal entity, so that +XML_ResumeParser directly uses internalEntityProcessor as +its processor. If the subsequent parse includes some unclosed +tags, this will return without calling storeRawNames to ensure +that the raw versions of the tag names are stored in memory other +than the parse buffer itself. If the parse buffer is then changed +or reallocated (for example if processing a file line by line), +badness will ensue. + +This patch ensures storeRawNames is always called when needed +after calling doContent. The earlier call do doContent does +not need the same protection; it only deals with entity +substitution, which cannot leave unbalanced tags, and in any +case the raw names will be pointing into the stored entity +value not the parse buffer. +--- + lib/xmlparse.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 7bcabf7f4..d73f419cf 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + { + parser->m_processor = contentProcessor; + /* see externalEntityContentProcessor vs contentProcessor */ +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, +- s, end, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, +- XML_ACCOUNT_DIRECT); ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, ++ parser->m_encoding, s, end, nextPtr, ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); ++ if (result == XML_ERROR_NONE) { ++ if (! storeRawNames(parser)) ++ return XML_ERROR_NO_MEMORY; ++ } ++ return result; + } + } + diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch new file mode 100644 index 000000000..affd97faf --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch @@ -0,0 +1,104 @@ +From a7ce80a013f2a08cb1ac4aac368f2250eea03ebf Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 11 Sep 2022 19:34:33 +0200 +Subject: [PATCH 1/2] tests: Cover heap use-after-free issue in doContent + +--- + tests/runtests.c | 74 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 74 insertions(+) + +diff --git a/tests/runtests.c b/tests/runtests.c +index ea371b42f..ab3aff65b 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -4990,6 +4990,78 @@ START_TEST(test_suspend_resume_internal_entity) { + } + END_TEST + ++void ++suspending_comment_handler(void *userData, const XML_Char *data) { ++ UNUSED_P(data); ++ XML_Parser parser = (XML_Parser)userData; ++ XML_StopParser(parser, XML_TRUE); ++} ++ ++START_TEST(test_suspend_resume_internal_entity_issue_629) { ++ const char *const text ++ = "a'>]>&e;\n" ++ "<" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "/>" ++ ""; ++ const size_t firstChunkSizeBytes = 54; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetUserData(parser, parser); ++ XML_SetCommentHandler(parser, suspending_comment_handler); ++ ++ if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE) ++ != XML_STATUS_SUSPENDED) ++ xml_failure(parser); ++ if (XML_ResumeParser(parser) != XML_STATUS_OK) ++ xml_failure(parser); ++ if (XML_Parse(parser, text + firstChunkSizeBytes, ++ (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Test syntax error is caught at parse resumption */ + START_TEST(test_resume_entity_with_syntax_error) { + const char *text = " +Date: Tue, 8 Mar 2022 20:10:02 +0100 +Subject: [PATCH] [CVE-2022-29824] Fix integer overflows + +In several places, the code handling string buffers didn't check for +integer overflow or used wrong types for buffer sizes. This could +result in out-of-bounds writes or other memory errors when working on +large, multi-gigabyte buffers. + +Thanks to Felix Wilhelm for the report. +--- + buf.c | 86 +++++++++++++++++++++++----------------------------------- + tree.c | 72 ++++++++++++++++++------------------------------ + 2 files changed, 61 insertions(+), 97 deletions(-) + +diff --git a/buf.c b/buf.c +index 24368d37..40a5ee06 100644 +--- a/buf.c ++++ b/buf.c +@@ -30,6 +30,10 @@ + #include /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + ++#ifndef SIZE_MAX ++#define SIZE_MAX ((size_t) -1) ++#endif ++ + #define WITH_BUFFER_COMPAT + + /** +@@ -156,6 +160,8 @@ xmlBufPtr + xmlBufCreateSize(size_t size) { + xmlBufPtr ret; + ++ if (size == SIZE_MAX) ++ return(NULL); + ret = (xmlBufPtr) xmlMalloc(sizeof(xmlBuf)); + if (ret == NULL) { + xmlBufMemoryError(NULL, "creating buffer"); +@@ -166,8 +172,8 @@ xmlBufCreateSize(size_t size) { + ret->error = 0; + ret->buffer = NULL; + ret->alloc = xmlBufferAllocScheme; +- ret->size = (size ? size+2 : 0); /* +1 for ending null */ +- ret->compat_size = (int) ret->size; ++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */ ++ ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size); + if (ret->size){ + ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar)); + if (ret->content == NULL) { +@@ -442,23 +448,17 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + CHECK_COMPAT(buf) + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); +- if (buf->use + len < buf->size) ++ if (len < buf->size - buf->use) + return(buf->size - buf->use); ++ if (len > SIZE_MAX - buf->use) ++ return(0); + +- /* +- * Windows has a BIG problem on realloc timing, so we try to double +- * the buffer size (if that's enough) (bug 146697) +- * Apparently BSD too, and it's probably best for linux too +- * On an embedded system this may be something to change +- */ +-#if 1 +- if (buf->size > (size_t) len) +- size = buf->size * 2; +- else +- size = buf->use + len + 100; +-#else +- size = buf->use + len + 100; +-#endif ++ if (buf->size > (size_t) len) { ++ size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2; ++ } else { ++ size = buf->use + len; ++ size = size > SIZE_MAX - 100 ? SIZE_MAX : size + 100; ++ } + + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* +@@ -744,7 +744,7 @@ xmlBufIsEmpty(const xmlBufPtr buf) + int + xmlBufResize(xmlBufPtr buf, size_t size) + { +- unsigned int newSize; ++ size_t newSize; + xmlChar* rebuf = NULL; + size_t start_buf; + +@@ -772,9 +772,13 @@ xmlBufResize(xmlBufPtr buf, size_t size) + case XML_BUFFER_ALLOC_IO: + case XML_BUFFER_ALLOC_DOUBLEIT: + /*take care of empty case*/ +- newSize = (buf->size ? buf->size*2 : size + 10); ++ if (buf->size == 0) { ++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10); ++ } else { ++ newSize = buf->size; ++ } + while (size > newSize) { +- if (newSize > UINT_MAX / 2) { ++ if (newSize > SIZE_MAX / 2) { + xmlBufMemoryError(buf, "growing buffer"); + return 0; + } +@@ -782,15 +786,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) + } + break; + case XML_BUFFER_ALLOC_EXACT: +- newSize = size+10; ++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10); + break; + case XML_BUFFER_ALLOC_HYBRID: + if (buf->use < BASE_BUFFER_SIZE) + newSize = size; + else { +- newSize = buf->size * 2; ++ newSize = buf->size; + while (size > newSize) { +- if (newSize > UINT_MAX / 2) { ++ if (newSize > SIZE_MAX / 2) { + xmlBufMemoryError(buf, "growing buffer"); + return 0; + } +@@ -800,7 +804,7 @@ xmlBufResize(xmlBufPtr buf, size_t size) + break; + + default: +- newSize = size+10; ++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10); + break; + } + +@@ -866,7 +870,7 @@ xmlBufResize(xmlBufPtr buf, size_t size) + */ + int + xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { +- unsigned int needSize; ++ size_t needSize; + + if ((str == NULL) || (buf == NULL) || (buf->error)) + return -1; +@@ -888,8 +892,10 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { + if (len < 0) return -1; + if (len == 0) return 0; + +- needSize = buf->use + len + 2; +- if (needSize > buf->size){ ++ if ((size_t) len >= buf->size - buf->use) { ++ if ((size_t) len >= SIZE_MAX - buf->use) ++ return(-1); ++ needSize = buf->use + len + 1; + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits +@@ -1025,31 +1031,7 @@ xmlBufCat(xmlBufPtr buf, const xmlChar *str) { + */ + int + xmlBufCCat(xmlBufPtr buf, const char *str) { +- const char *cur; +- +- if ((buf == NULL) || (buf->error)) +- return(-1); +- CHECK_COMPAT(buf) +- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1; +- if (str == NULL) { +-#ifdef DEBUG_BUFFER +- xmlGenericError(xmlGenericErrorContext, +- "xmlBufCCat: str == NULL\n"); +-#endif +- return -1; +- } +- for (cur = str;*cur != 0;cur++) { +- if (buf->use + 10 >= buf->size) { +- if (!xmlBufResize(buf, buf->use+10)){ +- xmlBufMemoryError(buf, "growing buffer"); +- return XML_ERR_NO_MEMORY; +- } +- } +- buf->content[buf->use++] = *cur; +- } +- buf->content[buf->use] = 0; +- UPDATE_COMPAT(buf) +- return 0; ++ return xmlBufCat(buf, (const xmlChar *) str); + } + + /** +diff --git a/tree.c b/tree.c +index 9d94aa42..86afb7d6 100644 +--- a/tree.c ++++ b/tree.c +@@ -7104,6 +7104,8 @@ xmlBufferPtr + xmlBufferCreateSize(size_t size) { + xmlBufferPtr ret; + ++ if (size >= UINT_MAX) ++ return(NULL); + ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer)); + if (ret == NULL) { + xmlTreeErrMemory("creating buffer"); +@@ -7111,7 +7113,7 @@ xmlBufferCreateSize(size_t size) { + } + ret->use = 0; + ret->alloc = xmlBufferAllocScheme; +- ret->size = (size ? size+2 : 0); /* +1 for ending null */ ++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */ + if (ret->size){ + ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar)); + if (ret->content == NULL) { +@@ -7171,6 +7173,8 @@ xmlBufferCreateStatic(void *mem, size_t size) { + + if ((mem == NULL) || (size == 0)) + return(NULL); ++ if (size > UINT_MAX) ++ return(NULL); + + ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer)); + if (ret == NULL) { +@@ -7318,28 +7322,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) { + */ + int + xmlBufferGrow(xmlBufferPtr buf, unsigned int len) { +- int size; ++ unsigned int size; + xmlChar *newbuf; + + if (buf == NULL) return(-1); + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); +- if (len + buf->use < buf->size) return(0); ++ if (len < buf->size - buf->use) ++ return(0); ++ if (len > UINT_MAX - buf->use) ++ return(-1); + +- /* +- * Windows has a BIG problem on realloc timing, so we try to double +- * the buffer size (if that's enough) (bug 146697) +- * Apparently BSD too, and it's probably best for linux too +- * On an embedded system this may be something to change +- */ +-#if 1 +- if (buf->size > len) +- size = buf->size * 2; +- else +- size = buf->use + len + 100; +-#else +- size = buf->use + len + 100; +-#endif ++ if (buf->size > (size_t) len) { ++ size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2; ++ } else { ++ size = buf->use + len; ++ size = size > UINT_MAX - 100 ? UINT_MAX : size + 100; ++ } + + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; +@@ -7466,7 +7465,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) + case XML_BUFFER_ALLOC_IO: + case XML_BUFFER_ALLOC_DOUBLEIT: + /*take care of empty case*/ +- newSize = (buf->size ? buf->size : size + 10); ++ if (buf->size == 0) ++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10); ++ else ++ newSize = buf->size; + while (size > newSize) { + if (newSize > UINT_MAX / 2) { + xmlTreeErrMemory("growing buffer"); +@@ -7476,7 +7478,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) + } + break; + case XML_BUFFER_ALLOC_EXACT: +- newSize = size+10; ++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);; + break; + case XML_BUFFER_ALLOC_HYBRID: + if (buf->use < BASE_BUFFER_SIZE) +@@ -7494,7 +7496,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) + break; + + default: +- newSize = size+10; ++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);; + break; + } + +@@ -7580,8 +7582,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) { + if (len < 0) return -1; + if (len == 0) return 0; + +- needSize = buf->use + len + 2; +- if (needSize > buf->size){ ++ if ((unsigned) len >= buf->size - buf->use) { ++ if ((unsigned) len >= UINT_MAX - buf->use) ++ return XML_ERR_NO_MEMORY; ++ needSize = buf->use + len + 1; + if (!xmlBufferResize(buf, needSize)){ + xmlTreeErrMemory("growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -7694,29 +7698,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) { + */ + int + xmlBufferCCat(xmlBufferPtr buf, const char *str) { +- const char *cur; +- +- if (buf == NULL) +- return(-1); +- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1; +- if (str == NULL) { +-#ifdef DEBUG_BUFFER +- xmlGenericError(xmlGenericErrorContext, +- "xmlBufferCCat: str == NULL\n"); +-#endif +- return -1; +- } +- for (cur = str;*cur != 0;cur++) { +- if (buf->use + 10 >= buf->size) { +- if (!xmlBufferResize(buf, buf->use+10)){ +- xmlTreeErrMemory("growing buffer"); +- return XML_ERR_NO_MEMORY; +- } +- } +- buf->content[buf->use++] = *cur; +- } +- buf->content[buf->use] = 0; +- return 0; ++ return xmlBufferCat(buf, (const xmlChar *) str); + } + + /** +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend index d26a47f4c..4011c8759 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend @@ -1,4 +1,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += "file://CVE-2022-23308-Use-after-free-of-ID-and-IDREF.patch \ + file://CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch new file mode 100644 index 000000000..1cef2e810 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch @@ -0,0 +1,65 @@ +From 0ed8a4953f9179d0f077f24779f1cb51c8e9a126 Mon Sep 17 00:00:00 2001 +From: ankita prasad +Date: Tue, 12 Jul 2022 17:51:01 +0000 +Subject: [PATCH] Fix added to mitigate CVE-2022-29458 + +ncurses 6.3 before patch 20220416 has an out-of-bounds read +and segmentation violation in convert_strings in tinfo/read_entry.c +in the terminfo library. +The fix is picked from - https://github.com/mirror/ncurses/commit/4c9f63c460cb7134f142aa65f6866c175ed77605 +for the file tinfo/read_entry.c. + +Signed-off-by: Ankita Prasad +--- + ncurses/tinfo/read_entry.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c +index 5b570b0f..06c0c437 100644 +--- a/ncurses/tinfo/read_entry.c ++++ b/ncurses/tinfo/read_entry.c +@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + { + int i; + char *p; ++ bool corrupt = FALSE; + + for (i = 0; i < count; i++) { + if (IS_NEG1(buf + 2 * i)) { +@@ -154,17 +155,29 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + } else if (MyNumber(buf + 2 * i) > size) { + Strings[i] = ABSENT_STRING; + } else { +- Strings[i] = (MyNumber(buf + 2 * i) + table); +- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i]))); ++ int nn = MyNumber(buf + 2 * i); ++ if (nn >= 0 && nn < size) { ++ Strings[i] = (nn + table); ++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i, ++ _nc_visbuf(Strings[i]))); ++ } else { ++ if (!corrupt) { ++ corrupt = TRUE; ++ TR(TRACE_DATABASE, ++ ("ignore out-of-range index %d to Strings[]", nn)); ++ _nc_warning("corrupt data found in convert_strings"); ++ } ++ Strings[i] = ABSENT_STRING; ++ } + } + + /* make sure all strings are NUL terminated */ + if (VALID_STRING(Strings[i])) { +- for (p = Strings[i]; p <= table + size; p++) ++ for (p = Strings[i]; p < table + size; p++) + if (*p == '\0') + break; + /* if there is no NUL, ignore the string */ +- if (p > table + size) ++ if (p >= table + size) + Strings[i] = ABSENT_STRING; + } + } +-- +2.25.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend index e60bd9a6b..7f1ce36c2 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend @@ -1,2 +1,4 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" -SRC_URI += "file://0001-Fix-heap-buffer-overflow-in-captoinfo.patch" +SRC_URI += "file://0001-Fix-heap-buffer-overflow-in-captoinfo.patch \ + file://0002-Fix-added-to-mitigate-CVE-2022-29458.patch \ + " diff --git a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend index 6b7cc8a0d..262f557e0 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend @@ -10,3 +10,7 @@ SRC_URI += "file://0002-Add-event-log-for-system-time-synchronization.patch \ PACKAGECONFIG:remove = "kmod" # Add systemd-logind service to get shutdown inhibition support PACKAGECONFIG:append = " logind" + +do_install:append() { + sed -i -e"s/Also=systemd-networkd-wait-online.service//g" ${D}${systemd_system_unitdir}/systemd-networkd.service +} diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch new file mode 100644 index 000000000..dc84d3a1d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch @@ -0,0 +1,32 @@ +From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sat, 30 Jul 2022 15:51:11 -0700 +Subject: [PATCH] Fix a bug when getting a gzip header extra field with + inflate(). + +If the extra field was larger than the space the user provided with +inflateGetHeader(), and if multiple calls of inflate() delivered +the extra header data, then there could be a buffer overflow of the +provided space. This commit assures that provided space is not +exceeded. +--- + inflate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/inflate.c b/inflate.c +index 7be8c6366..7a7289749 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,9 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { ++ len = state->head->extra_len - state->length; + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && ++ len < state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch new file mode 100644 index 000000000..c5c95a92b --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch @@ -0,0 +1,29 @@ +From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Mon, 8 Aug 2022 10:50:09 -0700 +Subject: [PATCH] Fix extra field processing bug that dereferences NULL + state->head. + +The recent commit to fix a gzip header extra field processing bug +introduced the new bug fixed here. +--- + inflate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/inflate.c b/inflate.c +index 7a7289749..2a3c4fe98 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,10 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { +- len = state->head->extra_len - state->length; + if (state->head != Z_NULL && + state->head->extra != Z_NULL && +- len < state->head->extra_max) { ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend index 09dea7c00..482197c4f 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend @@ -2,4 +2,6 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += " \ file://CVE-2018-25032.patch \ + file://CVE-2022-37434_1.patch \ + file://CVE-2022-37434_2.patch \ " -- cgit v1.2.3