From 220d5534d34c16d996dd3eb9c3dcc94591f5ded4 Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Tue, 14 Aug 2018 00:59:39 +0100 Subject: poky: sumo refresh 874976b..45ef387 Update poky to sumo HEAD. Alexander Kanavin (1): openssl: fix upstream version check for 1.0 version Andre McCurdy (19): openssl_1.1: avoid using += with an over-ride openssl_1.1: minor recipe formatting tweaks etc openssl_1.0: merge openssl10.inc into the openssl_1.0.2o.bb recipe openssl_1.0: minor recipe formatting tweaks etc openssl_1.0: drop curly brackets from shell local variables openssl_1.0: fix cryptodev-linux PACKAGECONFIG support openssl_1.0: drop leading "-" from no-ssl3 config option openssl_1.0: avoid running make twice for target do_compile() openssl: remove uclibc remnants openssl: support musl-x32 build openssl: minor indent fixes openssl_1.0: drop obsolete ca.patch openssl_1.0: drop obsolete exporting of AS, EX_LIBS and DIRS openssl_1.0: drop unmaintained darwin support openssl_1.0: add PACKAGECONFIG option to control manpages openssl_1.0: squash whitespace in CC_INFO openssl: fix missing dependency on hostperl-runtime-native openssl_1.0: drop unnecessary dependency on makedepend-native openssl_1.0: drop unnecessary call to perlpath.pl from do_configure() Andrej Valek (3): openssl-1.1: fix c_rehash perl errors openssl: update 1.0.2o -> 1.0.2p openssl: update 1.1.0h -> 1.1.0i Anuj Mittal (1): wic/qemux86: don't pass ip parameter to kernel in wks Changqing Li (1): unzip: fix CVE-2018-1000035 Hongxu Jia (2): nasm: fix CVE-2018-8883 & CVE-2018-8882 & CVE-2018-10316 patch: fix CVE-2018-6952 Jagadeesh Krishnanjanappa (19): libvorbis: CVE-2017-14160 CVE-2018-10393 libvorbis: CVE-2018-10392 flac: CVE-2017-6888 libarchive: CVE-2017-14503 libsndfile1: CVE-2017-14245 CVE-2017-14246 libsndfile1: CVE-2017-14634 coreutils: CVE-2017-18018 libgcrypt: CVE-2018-0495 git: CVE-2018-11235 gnupg: CVE-2018-12020 shadow: CVE-2018-7169 procps: CVE-2018-1124 python: CVE-2018-1000030 qemu: CVE-2018-7550 qemu: CVE-2018-12617 perl: CVE-2018-6798 perl: CVE-2018-6797 perl: CVE-2018-6913 perl: CVE-2018-12015 Joshua Watt (2): alsa-lib: Cleanup packaging swig: Remove superfluous python dependency Ovidiu Panait (1): openssl-nativesdk: Fix "can't open config file" warning Ross Burton (6): bzip2: use Yocto Project mirror for SRC_URI classes: sanity-check LIC_FILES_CHKSUM openssl: disable ccache usage unzip: fix symlink problem bitbake: utils/md5_file: don't iterate line-by-line bitbake: checksum: sanity check path when recursively checksumming Change-Id: I262a451f483cb276343ae6f02c272af053d33d7a Signed-off-by: Brad Bishop --- ...t-we-are-not-reading-past-end-of-a-buffer.patch | 65 ++++++++++++++++++++++ .../0001-assemble-Check-global-line-limit.patch | 50 +++++++++++++++++ .../nasm/nasm/0001-fix-CVE-2018-8882.patch | 30 ++++++++++ poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb | 3 + 4 files changed, 148 insertions(+) create mode 100644 poky/meta/recipes-devtools/nasm/nasm/0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch create mode 100644 poky/meta/recipes-devtools/nasm/nasm/0001-assemble-Check-global-line-limit.patch create mode 100644 poky/meta/recipes-devtools/nasm/nasm/0001-fix-CVE-2018-8882.patch (limited to 'poky/meta/recipes-devtools/nasm') diff --git a/poky/meta/recipes-devtools/nasm/nasm/0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch b/poky/meta/recipes-devtools/nasm/nasm/0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch new file mode 100644 index 000000000..a56a08b5a --- /dev/null +++ b/poky/meta/recipes-devtools/nasm/nasm/0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch @@ -0,0 +1,65 @@ +From c5785fdf1d660eaefb9711284414262d0cfe8843 Mon Sep 17 00:00:00 2001 +From: Adam Majer +Date: Fri, 17 Aug 2018 14:48:17 +0800 +Subject: [PATCH] Verify that we are not reading past end of a buffer + +Simple reproducer is just, + + ret &d:ep + +which triggers a buffer overread due to parsing of an invalid +segment override. + +Signed-off-by: Adam Majer + +Upstream-Status: Submitted [https://bugzilla.nasm.us/show_bug.cgi?id=3392447] +CVE: CVE-2018-8883 +Signed-off-by: Hongxu Jia +--- + include/opflags.h | 2 +- + include/tables.h | 1 + + x86/regs.pl | 3 ++- + 3 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/opflags.h b/include/opflags.h +index ef2838c1..8d4b6b1e 100644 +--- a/include/opflags.h ++++ b/include/opflags.h +@@ -166,7 +166,7 @@ + #define REG_CLASS_BND GEN_REG_CLASS(9) + + #define is_class(class, op) (!((opflags_t)(class) & ~(opflags_t)(op))) +-#define is_reg_class(class, reg) is_class((class), nasm_reg_flags[(reg)]) ++#define is_reg_class(class, reg) is_class((class), ((reg) < nasm_reg_flags_size ? nasm_reg_flags[(reg)] : 0)) + + #define IS_SREG(reg) is_reg_class(REG_SREG, (reg)) + #define IS_FSGS(reg) is_reg_class(REG_FSGS, (reg)) +diff --git a/include/tables.h b/include/tables.h +index 24a665e2..458752ce 100644 +--- a/include/tables.h ++++ b/include/tables.h +@@ -64,6 +64,7 @@ extern const char * const nasm_reg_names[]; + typedef uint64_t opflags_t; + typedef uint16_t decoflags_t; + extern const opflags_t nasm_reg_flags[]; ++extern const size_t nasm_reg_flags_size; + /* regvals.c */ + extern const int nasm_regvals[]; + +diff --git a/x86/regs.pl b/x86/regs.pl +index 3a1b56f5..cb5cea68 100755 +--- a/x86/regs.pl ++++ b/x86/regs.pl +@@ -158,7 +158,8 @@ if ( $fmt eq 'h' ) { + printf " %-15s /* %-5s */\n", + $regs{$reg}.',', $reg; + } +- print "};\n"; ++ print "};\n\n"; ++ print "const size_t nasm_reg_flags_size = sizeof(nasm_reg_flags) / sizeof(opflags_t);\n"; + } elsif ( $fmt eq 'vc' ) { + # Output regvals.c + print "/* automatically generated from $file - do not edit */\n\n"; +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/nasm/nasm/0001-assemble-Check-global-line-limit.patch b/poky/meta/recipes-devtools/nasm/nasm/0001-assemble-Check-global-line-limit.patch new file mode 100644 index 000000000..682d4c727 --- /dev/null +++ b/poky/meta/recipes-devtools/nasm/nasm/0001-assemble-Check-global-line-limit.patch @@ -0,0 +1,50 @@ +From 7a46d6b9e3a1d8a0ab0d816ef1bf194ad285e082 Mon Sep 17 00:00:00 2001 +From: "Chang S. Bae" +Date: Fri, 17 Aug 2018 14:26:03 +0800 +Subject: [PATCH] assemble: Check global line limit + +Without the limit, the while loop opens to semi-infinite +that will exhaustively consume the heap space. Also, the +index value gets into the garbage. + +https://bugzilla.nasm.us/show_bug.cgi?id=3392474 + +Reported-by : Dongliang Mu +Signed-off-by: Chang S. Bae +Signed-off-by: Cyrill Gorcunov + +Upstream-Status: Backport from upstream [http://repo.or.cz/nasm.git] +CVE: CVE-2018-10316 +Signed-off-by: Hongxu Jia +--- + asm/nasm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/asm/nasm.c b/asm/nasm.c +index 8497ec9..81f6cee 100644 +--- a/asm/nasm.c ++++ b/asm/nasm.c +@@ -99,6 +99,8 @@ static char outname[FILENAME_MAX]; + static char listname[FILENAME_MAX]; + static char errname[FILENAME_MAX]; + static int globallineno; /* for forward-reference tracking */ ++#define GLOBALLINENO_MAX INT32_MAX ++ + /* static int pass = 0; */ + const struct ofmt *ofmt = &OF_DEFAULT; + const struct ofmt_alias *ofmt_alias = NULL; +@@ -1360,7 +1362,10 @@ static void assemble_file(char *fname, StrList **depend_ptr) + location.offset = offs = get_curr_offs(); + + while ((line = preproc->getline())) { +- globallineno++; ++ if (globallineno++ == GLOBALLINENO_MAX) ++ nasm_error(ERR_FATAL, ++ "overall line number reaches the maximum %d\n", ++ GLOBALLINENO_MAX); + + /* + * Here we parse our directives; this is not handled by the +-- +2.7.4 + diff --git a/poky/meta/recipes-devtools/nasm/nasm/0001-fix-CVE-2018-8882.patch b/poky/meta/recipes-devtools/nasm/nasm/0001-fix-CVE-2018-8882.patch new file mode 100644 index 000000000..bc706c3f1 --- /dev/null +++ b/poky/meta/recipes-devtools/nasm/nasm/0001-fix-CVE-2018-8882.patch @@ -0,0 +1,30 @@ +From 33438037e00ec750bff020578b1a5b6f75f60555 Mon Sep 17 00:00:00 2001 +From: Adam Majer +Date: Fri, 17 Aug 2018 14:41:02 +0800 +Subject: [PATCH] fix CVE-2018-8882 + +https://bugzilla.nasm.us/show_bug.cgi?id=3392445 + +Upstream-Status: Submitted [https://bugzilla.nasm.us/show_bug.cgi?id=3392445] +CVE: CVE-2018-8882 +Signed-off-by: Hongxu Jia +--- + asm/float.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/asm/float.c b/asm/float.c +index dcf69fea..2965d3db 100644 +--- a/asm/float.c ++++ b/asm/float.c +@@ -608,6 +608,8 @@ static void ieee_shr(fp_limb *mant, int i) + if (offs) + for (j = MANT_LIMBS-1; j >= offs; j--) + mant[j] = mant[j-offs]; ++ } else if (MANT_LIMBS-1-offs < 0) { ++ j = MANT_LIMBS-1; + } else { + n = mant[MANT_LIMBS-1-offs] >> sr; + for (j = MANT_LIMBS-1; j > offs; j--) { +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb b/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb index 236d7e5e3..6a02df485 100644 --- a/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb +++ b/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb @@ -5,6 +5,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ file://0001-asmlib-Drop-pure-function-attribute-from-seg_init.patch \ + file://0001-assemble-Check-global-line-limit.patch \ + file://0001-fix-CVE-2018-8882.patch \ + file://0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch \ " SRC_URI[md5sum] = "0c581d482f39d5111879ca9601938f74" -- cgit v1.2.3