From 4ed12e16f882008388c007c6e86be3ce038d8751 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 5 Jun 2020 18:00:41 -0500 Subject: poky: subtree update:a35bf0e5d3..b66b9f7548 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit backport: meson 0.54.2: backport upstream patch for boost libs Adrian Bunk (1): libubootenv: Remove the DEPENDS on mtd-utils Alex Kiernan (2): openssh: Upgrade 8.2p1 -> 8.3p1 systemd: upgrade v245.5 -> v245.6 Alexander Kanavin (68): btrfs-tools: upgrade 5.4.1 -> 5.6.1 build-compare: upgrade to latest revision ccache: upgrade 3.7.7 -> 3.7.9 createrepo-c: upgrade 0.15.7 -> 0.15.10 dpkg: upgrade 1.19.7 -> 1.20.0 librepo: upgrade 1.11.2 -> 1.11.3 python3-numpy: upgrade 1.18.3 -> 1.18.4 python3-cython: upgrade 0.29.16 -> 0.29.19 python3-gitdb: upgrade 4.0.4 -> 4.0.5 python3-mako: upgrade 1.1.1 -> 1.1.3 python3-pygments: upgrade 2.5.2 -> 2.6.1 python3-smmap: upgrade 2.0.5 -> 3.0.4 python3-subunit: upgrade 1.3.0 -> 1.4.0 python3-testtools: upgrade 2.3.0 -> 2.4.0 python3: upgrade 3.8.2 -> 3.8.3 strace: upgrade 5.5 -> 5.6 vala: upgrade 0.46.6 -> 0.48.6 cups: upgrade 2.3.1 -> 2.3.3 gawk: upgrade 5.0.1 -> 5.1.0 libsolv: upgrade 0.7.10 -> 0.7.14 man-pages: upgrade 5.05 -> 5.06 msmtp: upgrade 1.8.8 -> 1.8.10 stress-ng: upgrade 0.11.01 -> 0.11.12 stress-ng: mark as incompatible with musl sudo: upgrade 1.8.31 -> 1.9.0 adwaita-icon-theme: upgrade 3.34.3 -> 3.36.1 gtk+3: upgrade 3.24.14 -> 3.24.20 cogl-1.0: upgrade 1.22.4 -> 1.22.6 mesa: upgrade 20.0.2 -> 20.0.7 mesa: merge the .bb content into .inc piglit: upgrade to latest revision waffle: upgrade 1.6.0 -> 1.6.1 pixman: upgrade 0.38.4 -> 0.40.0 kmod: upgrade 26 -> 27 powertop: upgrade 2.10 -> 2.12 alsa-plugins: upgrade 1.2.1 -> 1.2.2 alsa-tools: upgrade 1.1.7 -> 1.2.2 alsa-utils: split the content into .inc alsa-topology/ucm-conf: update to 1.2.2 x264: upgrade to latest revision puzzles: upgrade to latest revision libcap: upgrade 2.33 -> 2.34 libical: upgrade 3.0.7 -> 3.0.8 libunwind: upgrade 1.3.1 -> 1.4.0 rng-tools: upgrade 6.9 -> 6.10 babeltrace: correct the git SRC_URI libexif: update to 0.6.22 ppp: update 2.4.7 -> 2.4.8 gettext: update 0.20.1 -> 0.20.2 ptest-runner: fix upstream version check automake: 1.16.1 -> 1.16.2 bison: 3.5.4 -> 3.6.2 cmake: update 3.16.5 -> 3.17.3 gnu-config: update to latest revision jquery: update to 3.5.1 json-c: update 0.13.1 - > 0.14 libmodulemd: update 2.9.2 -> 2.9.4 meson: upgrade 0.53.2 -> 0.54.2 shared-mime-info: fix upstream version check mpg123: fix upstream version check ethtool: upgrade 5.4 -> 5.6 libcpre2: update 10.34 -> 10.35 help2man-native: update to 1.47.15 apt: update to 1.8.2.1 asciidoc: bump PV to 8.6.10 pulseaudio: exclude pre-releases from version checks xinetd: switch to a maintained opensuse fork lz4: disable static library Andreas Müller (1): vte: Pack ${libexecdir}/vte-urlencode-cwd to vte-prompt Anuj Mittal (1): linux-yocto: bump genericx86 kernel version to v5.4.40 Bruce Ashfield (5): linux-yocto/5.4: update to v5.4.42 linux-yocto-rt/5.4: update to rt24 linux-yocto/5.4: temporarily revert IKHEADERS in standard kernels linux-yocto: gather reproducibility configs into a fragment linux-yocto/5.4: update to v5.4.43 Christian Eggers (2): librsvg: Extend for nativesdk tiff: Extend for nativesdk Hongxu Jia (1): rpm: fix rpm -Kv xxx.rpm failed if signature header is larger than 64KB Jacob Kroon (1): bitbake: doc: More explanation to tasks that recursively depend on themselves Jan Luebbe (1): classes/buildhistory: capture package config Jens Rehsack (2): initscripts/init-system-helpers: fix mountnfs.sh dependency init-system-helpers: avoid superfluous update-rc.d Joshua Watt (2): layer.conf: Bump OE-Core layer version wic: Add --offset argument for partitions Junling Zheng (3): buildstats.bbclass: Remove useless variables buildstats.bbclass: Do not recalculate build start time security_flags: Remove stack protector flag from LDFLAGS Kai Kang (1): bitbake: bitbake-user-manual-metadata.xml: fix a minor error Khem Raj (4): make-mod-scripts: Fix a rare build race condition go-1.14: Update to 1.14.3 minor release armv8/tunes: Set TUNE_PKGARCH_64 based on ARMPKGARCH ltp: Disable sigwaitinfo tests relying on undefined behavior Konrad Weihmann (8): qemurunner: fix ip fallback detection sysfsutils: rem leftover settings for libsysfs-dev debianutils: whitespace fixes libjpeg-turbo: whitespace fixes cairo: remove trailing whitespace gtk-doc: remove trailing whitespace libxt: fix whitespaces cogl: point to correct HOMEPAGE Lee Chee Yang (4): re2c: fix CVE-2020-11958 bind: fix CVE-2020-8616/7 glib-2.0: 2.64.2 -> 2.64.3 glib-networking: 2.64.2 -> 2.64.3 Marco Felsch (1): util-linux: alternatify rtcwake Mark Hatle (1): sstate.bbclass: When siginfo or sig files are missing, stop fetcher errors Martin Jansa (6): devtool: use -f and don't use --exclude-standard when adding files to workspace meta-selftest: add test of .gitignore in tarball lib/oe/patch: prevent applying patches without any subject lib/oe/patch: GitApplyTree: save 1 echo in commit-msg hook Revert "lib/oe/patch: fix handling of patches with no header" meta-selftest: add test for .patch file with long filename and without subject Mauro Queirós (3): bitbake: git.py: skip smudging if lfs=0 is set bitbake: git.py: LFS bitbake note should not be printed if need_lfs is not set. bitbake: git.py: Use the correct branch to check if the repository has LFS objects. Ming Liu (2): u-boot.inc: fix some inconsistent coding style u-boot: introduce UBOOT_INITIAL_ENV Paul Barker (5): archiver: Fix test case for srpm archiver mode oe-selftest: Allow overriding the build directory used for tests oe-selftest: Support verbose log output oe-selftest: Recursively patch test case paths bitbake: fetch2: Add the ability to list expanded URL data Peter Kjellerstedt (1): cairo: Do not try to remove nonexistent directories Pierre-Jean Texier (1): diffoscope: upgrade 144 -> 146 Ralph Siemsen (1): cve-check: include epoch in product version output Richard Purdie (7): lib/classextend: Drop unneeded comment poky.ent: Update UBUNTU_HOST_PACKAGES_ESSENTIAL to match recent changes maintainers: Update Ross' email address logrotate: Drop obsolete setting/comment oeqa/targetcontrol: Rework exception handling to avoid warnings patchelf: Add patch to address corrupt shared library issue poky.ent: Update XXX_HOST_PACKAGES_ESSENTIAL to include mesa for other distros Robert P. J. Day (1): bitbake.conf: Remove unused DEPLOY_DIR_TOOLS variable Tim Orling (1): bitbake: toaster-requirements.txt: require Django 2.2 Trevor Gamblin (1): qemuarm: check serial consoles vs /proc/consoles Wang Mingyu (13): less: upgrade 551 -> 562 liburcu: upgrade 0.12.0 -> 0.12.1 alsa-lib: upgrade 1.2.1.2 -> 1.2.2 alsa-utils: upgrade 1.2.1 -> 1.2.2 python3-six: upgrade 1.14.0 -> 1.15.0 util-linux: upgrade 2.35.1 -> 2.35.2 xf86-input-libinput: upgrade 0.29.0 -> 0.30.0 ca-certificates: upgrade 20190110 -> 20200601 dbus: upgrade 1.12.16 -> 1.12.18 libyaml: upgrade 0.2.4 -> 0.2.5 sqlite: upgrade 3.31.1 -> 3.32.1 valgrind: upgrade 3.15.0 -> 3.16.0 dbus-test: upgrade 1.12.16 -> 1.12.18 akuster (2): poky.ent: Update OPENSUSE_HOST_PACKAGES_ESSENTIAL to include mesa-dri-devel yocto-docs: Add SPDX headers in scripts and Makefile hongxu (1): core-image-minimal-initramfs: keep restriction with initramfs-module-install zangrc (3): python3-pycairo:upgrade 1.19.0 -> 1.19.1 python3-pygobject:upgrade 3.34.0 -> 3.36.1 python3-setuptools:upgrade 45.2.0 -> 47.1.1 zhengruoqin (2): gdb: upgrade 9.1 -> 9.2 libyaml: upgrade 0.2.2 -> 0.2.4 Signed-off-by: Andrew Geissler Signed-off-by: Patrick Williams Change-Id: I60e616be0c30904f8cfc947089ed2e4f5e84bc60 --- .../bind/bind/CVE-2020-8616.patch | 206 +++++++++++++++++++++ .../bind/bind/CVE-2020-8617.patch | 29 +++ .../meta/recipes-connectivity/bind/bind_9.11.13.bb | 2 + 3 files changed, 237 insertions(+) create mode 100644 poky/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch create mode 100644 poky/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch (limited to 'poky/meta/recipes-connectivity/bind') diff --git a/poky/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/poky/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch new file mode 100644 index 000000000..8f0023191 --- /dev/null +++ b/poky/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch @@ -0,0 +1,206 @@ +Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch] +CVE: CVE-2020-8616 +Signed-off-by: Lee Chee Yang +--- +diff --git a/lib/dns/adb.c b/lib/dns/adb.c +index 058495f6a5..6b8a9537f0 100644 +--- a/lib/dns/adb.c ++++ b/lib/dns/adb.c +@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...) + */ + #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0) + #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0) +-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \ +- != 0) +-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \ +- != 0) +-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) +-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) +-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) +-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) ++#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0) ++#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0) ++#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) ++#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) ++#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) ++#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) ++#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0) + + /* + * These are currently used on simple unsigned ints, so they are +@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, + * Listen to negative cache hints, and don't start + * another query. + */ +- if (NCACHE_RESULT(result) || AUTH_NX(result)) ++ if (NCACHE_RESULT(result) || AUTH_NX(result)) { + goto fetch; ++ } + +- if (!NAME_FETCH_V6(adbname)) ++ if (!NAME_FETCH_V6(adbname)) { + wanted_fetches |= DNS_ADBFIND_INET6; ++ } + } + + fetch: + if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) || + (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname))) ++ { + have_address = true; +- else ++ } else { + have_address = false; +- if (wanted_fetches != 0 && +- ! (FIND_AVOIDFETCHES(find) && have_address)) { ++ } ++ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) && ++ !FIND_NOFETCH(find)) ++ { + /* + * We're missing at least one address family. Either the + * caller hasn't instructed us to avoid fetches, or we don't +@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, + * be acceptable so we have to launch fetches. + */ + +- if (FIND_STARTATZONE(find)) ++ if (FIND_STARTATZONE(find)) { + start_at_zone = true; ++ } + + /* + * Start V4. +diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h +index 63a13c4e41..edf6e54935 100644 +--- a/lib/dns/include/dns/adb.h ++++ b/lib/dns/include/dns/adb.h +@@ -207,6 +207,10 @@ struct dns_adbfind { + * lame for this query. + */ + #define DNS_ADBFIND_OVERQUOTA 0x00000400 ++/*% ++ * Don't perform a fetch even if there are no address records available. ++ */ ++#define DNS_ADBFIND_NOFETCH 0x00000800 + + /*% + * The answers to queries come back as a list of these. +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 7c44478a26..0a40859d08 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -172,6 +172,14 @@ + #define DEFAULT_MAX_QUERIES 75 + #endif + ++/* ++ * After NS_FAIL_LIMIT attempts to fetch a name server address, ++ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT, ++ * stop trying to fetch, in order to avoid wasting resources. ++ */ ++#define NS_FAIL_LIMIT 4 ++#define NS_RR_LIMIT 5 ++ + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS + #define RES_DOMAIN_BUCKETS 523 +@@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) { + static void + findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, + unsigned int options, unsigned int flags, isc_stdtime_t now, +- bool *overquota, bool *need_alternate) +-{ ++ bool *overquota, bool *need_alternate, unsigned int *no_addresses) { + dns_adbaddrinfo_t *ai; + dns_adbfind_t *find; + dns_resolver_t *res; +@@ -3219,7 +3226,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, + find->result_v6 != DNS_R_NXDOMAIN) || + (res->dispatches6 == NULL && + find->result_v4 != DNS_R_NXDOMAIN))) ++ { + *need_alternate = true; ++ } ++ if (no_addresses != NULL) { ++ (*no_addresses)++; ++ } + } else { + if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) { + if (overquota != NULL) +@@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + dns_rdata_ns_t ns; + bool need_alternate = false; + bool all_spilled = true; ++ unsigned int no_addresses = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + * Extract the name from the NS record. + */ + result = dns_rdata_tostruct(&rdata, &ns, NULL); +- if (result != ISC_R_SUCCESS) ++ if (result != ISC_R_SUCCESS) { + continue; ++ } + +- findname(fctx, &ns.name, 0, stdoptions, 0, now, +- &overquota, &need_alternate); ++ if (no_addresses > NS_FAIL_LIMIT && ++ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT) ++ { ++ stdoptions |= DNS_ADBFIND_NOFETCH; ++ } ++ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota, ++ &need_alternate, &no_addresses); + +- if (!overquota) ++ if (!overquota) { + all_spilled = false; ++ } + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); + } +- if (result != ISC_R_NOMORE) ++ if (result != ISC_R_NOMORE) { + return (result); ++ } + + /* + * Do we need to use 6 to 4? +@@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + if (!a->isaddress) { + findname(fctx, &a->_u._n.name, a->_u._n.port, + stdoptions, FCTX_ADDRINFO_FORWARDER, +- now, NULL, NULL); ++ now, NULL, NULL, NULL); + continue; + } + if (isc_sockaddr_pf(&a->_u.addr) != family) +@@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) { + } + } + +- if (dns_name_countlabels(&fctx->domain) > 2) { +- result = isc_counter_increment(fctx->qc); +- if (result != ISC_R_SUCCESS) { +- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, +- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), +- "exceeded max queries resolving '%s'", +- fctx->info); +- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); +- return; +- } ++ result = isc_counter_increment(fctx->qc); ++ if (result != ISC_R_SUCCESS) { ++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, ++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), ++ "exceeded max queries resolving '%s'", ++ fctx->info); ++ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); ++ return; + } + + bucketnum = fctx->bucketnum; diff --git a/poky/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch b/poky/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch new file mode 100644 index 000000000..d8769c45c --- /dev/null +++ b/poky/meta/recipes-connectivity/bind/bind/CVE-2020-8617.patch @@ -0,0 +1,29 @@ +Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch] +CVE: CVE-2020-8617 +Signed-off-by: Lee Chee Yang +--- +diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c +index b597a18d49..6357a3a486 100644 +--- a/lib/dns/tsig.c ++++ b/lib/dns/tsig.c +@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + goto cleanup_context; + } + msg->verified_sig = 1; +- } else if (tsig.error != dns_tsigerror_badsig && +- tsig.error != dns_tsigerror_badkey) { ++ } else if (!response || (tsig.error != dns_tsigerror_badsig && ++ tsig.error != dns_tsigerror_badkey)) ++ { + tsig_log(msg->tsigkey, 2, "signature was empty"); + return (DNS_R_TSIGVERIFYFAILURE); + } +@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + } + } + +- if (tsig.error != dns_rcode_noerror) { ++ if (response && tsig.error != dns_rcode_noerror) { + msg->tsigstatus = tsig.error; + if (tsig.error == dns_tsigerror_badtime) + ret = DNS_R_CLOCKSKEW; diff --git a/poky/meta/recipes-connectivity/bind/bind_9.11.13.bb b/poky/meta/recipes-connectivity/bind/bind_9.11.13.bb index 4e64171cc..8f2d702dc 100644 --- a/poky/meta/recipes-connectivity/bind/bind_9.11.13.bb +++ b/poky/meta/recipes-connectivity/bind/bind_9.11.13.bb @@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ file://0001-avoid-start-failure-with-bind-user.patch \ + file://CVE-2020-8616.patch \ + file://CVE-2020-8617.patch \ " SRC_URI[md5sum] = "17de0d024ab1eac377f1c2854dc25057" -- cgit v1.2.3