diff options
author | Patrick Williams <patrick@stwcx.xyz> | 2023-05-04 05:37:45 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2023-05-04 05:38:27 +0300 |
commit | 841583d6ba5918b60868b708ff0b89cf0409efa7 (patch) | |
tree | 49e155d7d6c2ea5a7081fc4dcbc51cb0a522e120 /meta-openembedded/meta-oe/recipes-support | |
parent | 61a2d43a172b70aa34fd7ec33fc048a211fa5c4c (diff) | |
download | openbmc-841583d6ba5918b60868b708ff0b89cf0409efa7.tar.xz |
subtree updates
poky: 90a6f6a110..a631bfc3a3:
Alban Bedel (1):
systemd: Fix systemd when used with busybox less
Alex Kiernan (1):
openssl: upgrade 1.1.1q to 1.1.1s
Alexander Kanavin (12):
tzdata: update to 2022d
linux-firmware: upgrade 20220913 -> 20221012
tzdata: update 2022d -> 2022g
linux-firmware: upgrade 20221109 -> 20221214
selftest/virgl: use pkg-config from the host
oeqa/qemurunner: do not use Popen.poll() when terminating runqemu with a signal
vim: update 9.0.1211 -> 9.0.1293 to resolve open CVEs
linux-firmware: upgrade 20221214 -> 20230117
linux-firmware: upgrade 20230117 -> 20230210
wireless-regdb: upgrade 2022.08.12 -> 2023.02.13
apr: update 1.7.0 -> 1.7.2
apr-util: update 1.6.1 -> 1.6.3
Alexey Smirnov (1):
classes: make TOOLCHAIN more permissive for kernel
Andrej Valek (1):
libarchive: fix CVE-2022-26280
Antonin Godard (2):
busybox: always start do_compile with orig config files
busybox: rm temporary files if do_compile was interrupted
Bartosz Golaszewski (1):
bluez5: add dbus to RDEPENDS
Benoît Mauduit (1):
lib/oe/reproducible: Use git log without gpg signature
Bhabu Bindu (4):
libxml2: Fix CVE-2022-40303
libxml2: Fix CVE-2022-40304
ffmpeg: Fix CVE-2022-3109
ffmpeg: fix for CVE-2022-3341
Bruce Ashfield (12):
linux-yocto/5.4: update to v5.4.216
linux-yocto/5.4: update to v5.4.219
linux-yocto/5.4: update to v5.4.221
linux-yocto/5.4: update to v5.4.224
linux-yocto/5.4: update to v5.4.225
linux-yocto/5.4: update to v5.4.228
linux-yocto/5.4: update to v5.4.229
linux-yocto/5.4: update to v5.4.230
linux-yocto/5.4: update to v5.4.231
linux-yocto/5.4: update to v5.4.233
linux-yocto/5.4: update to v5.4.234
linux-yocto/5.4: update to v5.4.237
Changqing Li (1):
base.bbclass: Fix way to check ccache path
Charlie Davies (1):
bitbake: bitbake: fetch/git: use shlex.quote() to support spaces in SRC_URI url
Chee Yang Lee (6):
libksba: fix CVE-2022-47629
tiff: fix multiple CVEs
ghostscript: add CVE tag for check-stack-limits-after-function-evalution.patch
libksba: fix CVE-2022-3515
qemu: fix multple CVEs
git: ignore CVE-2023-22743
Chen Qi (3):
kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild
psplash: consider the situation of psplash not exist for systemd
bc: extend to nativesdk
Christoph Lauer (1):
populate_sdk_base: add zip options
Daniel McGregor (1):
coreutils: add openssl PACKAGECONFIG
Dmitry Baryshkov (3):
linux-firmware: upgrade 20221012 -> 20221109
linux-firmware: properly set license for all Qualcomm firmware
linux-firmware: add yamato fw files to qcom-adreno-a2xx package
Frank de Brabander (1):
cve-update-db-native: add timeout to urlopen() calls
Gaurav Gupta (1):
qemu: fix build error introduced by CVE-2021-3929 fix
Geoffrey GIRY (1):
cve-check: Fix false negative version issue
Harald Seiler (1):
opkg: Set correct info_dir and status_file in opkg.conf
Hitendra Prajapati (21):
dhcp: Fix CVE-2022-2928 & CVE-2022-2929
qemu: CVE-2021-3750 hcd-ehci: DMA reentrancy issue leads to use-after-free
golang: CVE-2022-2880 ReverseProxy should not forward unparseable query parameters
libX11: CVE-2022-3554 Fix memory leak
bluez: CVE-2022-3637 A DoS exists in monitor/jlink.c
sudo: CVE-2022-43995 heap-based overflow with very small passwords
libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c
sysstat: fix CVE-2022-39377
golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps
grub2: CVE-2022-28735 shim_lock verifier allows non-kernel files to be loaded
grub2: Fix CVE-2022-2601 & CVE-2022-3775
xserver-xorg: Fix Multiple CVEs
git: CVE-2022-23521 gitattributes parsing integer overflow
curl: fix CVE-2022-43552 Use-after-free triggered by an HTTP proxy deny response
QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read
curl: CVE-2023-23916 HTTP multi-header compression denial of service
qemu: fix compile error which imported by CVE-2022-4144
ruby: CVE-2023-28756 ReDoS vulnerability in Time
curl: CVE-2023-27534 SFTP path ~ resolving discrepancy
curl: CVE-2023-27538 fix SSH connection too eager reuse
screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs
Hugo SIMELIERE (2):
bluez5: Exclude CVE-2022-39177 from cve-check
openssl: upgrade 1.1.1s to 1.1.1t
Jagadeesh Krishnanjanappa (1):
qemuboot.bbclass: make sure runqemu boots bundled initramfs kernel image
Jan Kircher (1):
toolchain-scripts: compatibility with unbound variable protection
Jermain Horsman (1):
cve-check: write the cve manifest to IMGDEPLOYDIR
John Edward Broadbent (1):
externalsrc: git submodule--helper list unsupported
Joshua Watt (6):
sudo: Use specific BSD license variant
classes/create-spdx: Backport
classes/package: Add extended packaged data
licenses: Add GPL+ licenses to map
create-spdx: Use gzip for compression
classes/package: Use gzip for extended package data
Kenfe-Mickael Laventure (3):
buildtools-tarball: Handle spaces within user $PATH
toolchain-scripts: Handle spaces within user $PATH
populate_sdk_ext: Handle spaces within user $PATH
Khem Raj (3):
libtirpc: Check if file exists before operating on it
apr: Use correct strerror_r implementation based on libc type
apr: Cache configure tests which use AC_TRY_RUN
Lee Chee Yang (1):
dropbear: fix CVE-2021-36369
Luis (1):
rm_work.bbclass: use HOSTTOOLS 'rm' binary exclusively
Manuel Leonhardt (1):
sstate: Account for reserved characters when shortening sstate filenames
Marek Vasut (2):
bitbake: fetch2/git: Prevent git fetcher from fetching gitlab repository metadata
bitbake: fetch2/git: Clarify the meaning of namespace
Marta Rybczynska (1):
cve-update-db-native: avoid incomplete updates
Martin Jansa (3):
externalsrc.bbclass: fix git repo detection
meta: remove True option to getVar and getVarFlag calls (again)
bmap-tools: switch to main branch
Mathieu Dubois-Briand (1):
curl: Fix CVE CVE-2022-35260
Mauro Queiros (1):
image.bbclass: print all QA functions exceptions
Michael Halstead (1):
uninative: Upgrade to 3.7 to work with glibc 2.36
Michael Opdenacker (4):
dev-manual: update session about multiconfig
ref-manual: document SSTATE_EXCLUDEDEPS_SYSROOT
profile-manual: update WireShark hyperlinks
overview-manual: update patchwork instance URL
Mike Crowe (1):
kernel: improve transformation from KERNEL_IMAGETYPE_FOR_MAKE
Mikko Rapeli (2):
oeqa context.py: fix --target-ip comment to include ssh port number
oeqa rtc.py: skip if read-only-rootfs
Ming Liu (1):
linux: inherit pkgconfig in kernel.bbclass
Minjae Kim (2):
xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553
ppp: fix CVE-2022-4603
Nikhil R (1):
openssl: Fix CVE-2023-0464
Niko Mauno (2):
systemd: Consider PACKAGECONFIG in RRECOMMENDS
Fix missing leading whitespace with ':append'
Omkar (2):
dbus: upgrade 1.12.22 -> 1.12.24
python3: Fix CVE-2022-45061
Omkar Patil (3):
sudo: Fix CVE-2023-22809
openssl: Fix CVE-2023-0465
openssl: Fix CVE-2023-0466
Paul Eggleton (1):
classes/kernel-fitimage: add ability to add additional signing options
Pavel Zhukov (1):
oeqa/rpm.py: Increase timeout and add debug output
Pawan Badganchi (1):
python3: Fix CVE-2022-37454
Pawel Zalewski (1):
classes/fs-uuid: Fix command output decoding issue
Peter Kjellerstedt (2):
externalsrc.bbclass: Remove a trailing slash from ${B}
devshell: Do not add scripts/git-intercept to PATH
Peter Marko (2):
externalsrc: fix lookup for .gitmodules
go: ignore CVE-2022-41716
Piotr Łobacz (1):
systemd: fix wrong nobody-group assignment
Qiu, Zheng (1):
vim: upgrade 9.0.0820 -> 9.0.0947
Quentin Schulz (2):
cairo: update patch for CVE-2019-6461 with upstream solution
cairo: fix CVE patches assigned wrong CVE number
Ralph Siemsen (11):
golang: fix CVE-2021-33195
golang: fix CVE-2021-33198
golang: fix CVE-2021-44716
golang: fix CVE-2022-24291
golang: fix CVE-2022-28131
golang: fix CVE-2022-28327
golang: ignore CVE-2022-29804
golang: ignore CVE-2021-33194
golang: ignore CVE-2021-41772
golang: ignore CVE-2022-30580
golang: ignore CVE-2022-30630
Randy MacLeod (2):
vim: upgrade 9.0.0947 -> 9.0.1211
vim: upgrade 9.0.1403 -> 9.0.1429
Ranjitsinh Rathod (3):
expat: Fix CVE-2022-43680 for expat
systemd: Fix CVE-2022-3821 issue
libsdl2: Add fix for CVE-2022-4743
Ravula Adhitya Siddartha (1):
linux-yocto/5.4: update genericx86* machines to v5.4.219
Richard Purdie (28):
bitbake: tests/fetch: Allow handling of a file:// url within a submodule
qemu: Avoid accidental librdmacm linkage
build-appliance-image: Update to dunfell head revision
bitbake: utils: Handle lockfile filenames that are too long for filesystems
bitbake: utils: Fix lockfile path length issues
build-appliance-image: Update to dunfell head revision
oeqa/selftest/tinfoil: Add test for separate config_data with recipe_parse_file()
build-appliance-image: Update to dunfell head revision
build-appliance-image: Update to dunfell head revision
bitbake: runqueue: Fix multiconfig deferred task sstate validity caching issue
bitbake: runqueue: Handle deferred task rehashing in multiconfig builds
bitbake: runqueue: Improve multiconfig deferred task issues
bitbake: runqueue: Avoid deadlock avoidance task graph corruption
bitbake: runqueue: Fix issues with multiconfig deferred task deadlock messages
bitbake: runqueue: Ensure deferred tasks are sorted by multiconfig
bitbake: cooker: Drop sre_constants usage
nativesdk: Handle chown/chgrp calls in nativesdk do_install tasks
make-mod-scripts: Ensure kernel build output is deterministic
libc-locale: Fix on target locale generation
apr: Fix to work with autoconf 2.70
apr-util: Fix CFLAGS used in build
oeqa/selftest/prservice: Improve debug output for failure
build-appliance-image: Update to dunfell head revision
staging: Separate out different multiconfig manifests
staging/multilib: Fix manifest corruption
glibc: Add missing binutils dependency
base-files: Drop localhost.localdomain from hosts file
pybootchartui: Fix python syntax issue
Riyaz Khan (1):
rpm: Fix rpm CVE CVE-2021-3521
Robert Andersson (1):
go-crosssdk: avoid host contamination by GOCACHE
Rodolfo Quesada Zumbado (1):
tar: CVE-2022-48303
Ross Burton (14):
sanity: check for GNU tar specifically
pixman: backport fix for CVE-2022-44638
lib/buildstats: fix parsing of trees with reduced_proc_pressure directories
bitbake: bb/utils: include SSL certificate paths in export_proxies
cve-update-db-native: add more logging when fetching
cve-update-db-native: show IP on failure
quilt: fix intermittent failure in faildiff.test
quilt: use upstreamed faildiff.test fix
git: ignore CVE-2022-41953
shadow: ignore CVE-2016-15024
vim: add missing pkgconfig inherit
vim: upgrade to 9.0.1403
vim: set modified-by to the recipe MAINTAINER
lib/resulttool: fix typo breaking resulttool log --ptest
Shubham Kulkarni (5):
glibc: Security fix for CVE-2023-0687
go-runtime: Security fix for CVE-2022-41723
go-runtime: Security fix for CVE-2022-41722
go: Security fix for CVE-2020-29510
go: Ignore CVE-2022-1705
Siddharth Doshi (1):
harfbuzz: Security fix for CVE-2023-25193
Steve Sakoman (30):
selftest: skip virgl test on ubuntu 22.04
qemu: Avoid accidental libvdeplug linkage
qemu: Add PACKAGECONFIG for rbd
devtool: add HostKeyAlgorithms option to ssh and scp commands
selftest: skip virgl test on all Alma Linux
documentation: update for 3.1.21
poky.conf: bump version for 3.1.21
maintainers: update gcc version to 9.5
documentation: update for 3.1.22
poky.conf: bump version for 3.1.22
ovmf: fix gcc12 warning in GenFfs
ovmf: fix gcc12 warning in LzmaEnc
ovmf: fix gcc12 warning for device path handling
documentation: update for 3.1.23
python3: fix packaging of Windows distutils installer stubs
lttng-modules: update 2.11.6 -> 2.11.7
lttng-modules: update 2.11.7 -> 2.11.8
lttng-modules: update 2.11.8 -> 2.11.9
lttng-modules: fix build with 5.4.229 kernel
poky.conf: bump version for 3.1.23
poky.conf: Update SANITY_TESTED_DISTROS to match autobuilder
ref-system-requirements.rst: add Fedora 35, Fedora 36, and Ubuntu 22.04 to list of supported distros
ref-system-requirements.rst: add AlmaLinux 8.7 to list of supported distros
qemu: Fix slirp determinism issue
documentation: update for 3.1.24
poky.conf: bump version for 3.1.24
bitbake: tests/fetch.py: fix link to project documentation
documentation: update for 3.1.25
poky.conf: bump version for 3.1.25
build-appliance-image: Update to dunfell head revision
Sundeep KOKKONDA (3):
binutils: stable 2.34 branch updates
glibc : stable 2.31 branch updates.
gcc: upgrade to v9.5
Sunil Kumar (1):
go: Security Fix for CVE-2022-2879
Teoh Jay Shen (1):
vim: Upgrade 9.0.0598 -> 9.0.0614
Thomas Roos (1):
devtool: fix devtool finish when gitmodules file is empty
Tim Orling (2):
python3: upgrade 3.8.13 -> 3.8.14
vim: upgrade 9.0.0614 -> 9.0.0820
Ulrich Ölmann (1):
kernel-yocto: fix kernel-meta data detection
Vijay Anusuri (4):
git: Security fix for CVE-2022-41903
git: Security fix for CVE-2023-22490 and CVE-2023-23946
sudo: Security fix for CVE-2023-28486 and CVE-2023-28487
curl: Security fix CVE-2023-27533, CVE-2023-27535 and CVE-2023-27536
Virendra Thakur (2):
gcc: Fix inconsistent noexcept specifier for valarray in libstdc++
qemu: Whitelist CVE-2023-0664
Vivek Kumbhar (13):
curl: fix CVE-2022-32221 POST following PUT
qemu: fix CVE-2021-3638 ati-vga: inconsistent check in ati_2d_blt() may lead to out-of-bounds write
libtasn1: fix CVE-2021-46848 off-by-one in asn1_encode_simple_der
qemu: fix CVE-2021-20196 block fdc null pointer dereference may lead to guest crash
go: fix CVE-2022-41717 Excessive memory use in got server
rsync: fix CVE-2022-29154 remote arbitrary files write inside the directories of connecting peers
libx11: fix CVE-2022-3555 memory leak in _XFreeX11XCBStructure() of xcb_disp.c
qemu: fix CVE-2021-3507 fdc heap buffer overflow in DMA read data transfers
go: fix CVE-2022-1962 go/parser stack exhaustion in all Parse* functions
qemu: fix CVE-2021-3929 nvme DMA reentrancy issue leads to use-after-free
gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key exchange code
go: fix CVE-2023-24537 Infinite loop in parsing
go: fix CVE-2023-24534 denial of service from excessive memory allocation
Wang Mingyu (1):
mobile-broadband-provider-info: upgrade 20220725 -> 20221107
Xiaobing Luo (1):
devtool: Fix _copy_file() TypeError
ciarancourtney (1):
wic: swap partitions are not added to fstab
jan (1):
cve-update-db-native: Allow to overrule the URL in a bbappend.
rajmohan r (1):
systemd: Fix CVE-2023-26604
wangmy (1):
dbus: upgrade 1.12.20 -> 1.12.22
meta-openembedded: 6792ebdd96..7007d14c25:
Armin Kuster (1):
mariadb: Update to latest lts 10.4.28
Chris Rogers (1):
xterm: Remove undeclared variables introduced by backport
Colin Finck (1):
[dunfell] wireguard: Upgrade to 1.0.20220627 (module) and 1.0.20210914 (tools)
Hitendra Prajapati (9):
postgresql: CVE-2022-1552 Autovacuum, REINDEX, and others omit "security restricted operation" sandbox
dnsmasq: CVE-2022-0934 Heap use after free in dhcp6_no_relay
nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ngx_http_mp4_module
postgresql: Fix CVE-2022-2625
proftpd: CVE-2021-46854 memory disclosure to radius server
net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer Exception
krb5: CVE-2022-42898 integer overflow vulnerabilities in PAC parsing
postgresql: CVE-2022-41862 Client memory disclosure when connecting with Kerberos to modified server
syslog-ng: CVE-2022-38725 An integer overflow in the RFC3164 parser
Ivan Stepic (1):
flatbuffers: adapt for cross-compilation environments
Mathieu Dubois-Briand (4):
networkmanager: Update to 1.22.16
nss: Add missing CVE product
nss: Whitelist CVEs related to libnssdbm
nss: Fix CVE-2020-25648
Omkar Patil (1):
ntfs-3g-ntfsprogs: Upgrade 2022.5.17 to 2022.10.3
Poonam Jadhav (4):
nodejs: Fix CVE-2022-32212
nodejs: Fix CVE-2022-35255
nodejs: Fix CVE-2022-43548
nodejs: Fix CVEs for nodejs
Priyal Doshi (1):
open-vm-tools: Security fix for CVE-2022-31676
Ranjitsinh Rathod (1):
strongswan: Fix CVE-2022-40617
Roger Knecht (1):
zeromq: 4.3.2 -> 4.3.4
Shubham Kulkarni (1):
python3-pillow: Security fix for CVE-2022-45198
Siddharth Doshi (1):
xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] CVE-2022-45063
Valeria Petrov (1):
php: update 7.4.28 -> 7.4.33
Virendra Thakur (2):
capnproto: Fix CVE-2022-46149
nss: Fix CVE CVE-2023-0767
Wang Mingyu (2):
apache2: upgrade 2.4.54 -> 2.4.55
apache2: upgrade 2.4.55 -> 2.4.56
Yi Zhao (1):
postfix: upgrade 3.4.23 -> 3.4.27
vkumbhar (2):
dnsmasq: fix CVE-2023-28450 default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232
mariadb: fix CVE-2022-47015 NULL pointer dereference in spider_db_mbase::print_warnings()
wangmy (1):
apache2: upgrade 2.4.53 -> 2.4.54
meta-security: c62970fda8..eb631c12be:
Hitendra Prajapati (1):
sssd: CVE-2022-4254 libsss_certmap fails to sanitise certificate data used in LDAP filters
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I0ebec73eb7e68d1ca95866bc758e49990731c8bf
Diffstat (limited to 'meta-openembedded/meta-oe/recipes-support')
7 files changed, 965 insertions, 0 deletions
diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch b/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch new file mode 100644 index 0000000000..f30d4d32cd --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch @@ -0,0 +1,163 @@ +# HG changeset patch +# User Daiki Ueno <dueno@redhat.com> +# Date 1602524521 0 +# Node ID 57bbefa793232586d27cee83e74411171e128361 +# Parent 6e3bc17f05086854ffd2b06f7fae9371f7a0c174 +Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode, r=mt + +This makes the server reject CCS when the client doesn't indicate the +use of the middlebox compatibility mode with a non-empty +ClientHello.legacy_session_id, or it sends multiple CCS in a row. + +Differential Revision: https://phabricator.services.mozilla.com/D79994 + +Upstream-Status: Backport +CVE: CVE-2020-25648 +Reference to upstream patch: https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361 +Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> + +diff --color -Naur nss-3.51.1_old/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc nss-3.51.1/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc +--- nss-3.51.1_old/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2022-12-08 16:05:47.447142660 +0100 ++++ nss-3.51.1/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2022-12-08 16:12:32.645932052 +0100 +@@ -348,6 +348,85 @@ + client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); + } + ++// The server rejects a ChangeCipherSpec if the client advertises an ++// empty session ID. ++TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS ++ ++ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ server_->Handshake(); // Consume ClientHello and CCS ++ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The server rejects multiple ChangeCipherSpec even if the client ++// indicates compatibility mode with non-empty session ID. ++TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ EnableCompatMode(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ // Send CCS twice in a row ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ ++ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ server_->Handshake(); // Consume ClientHello and CCS. ++ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The client rejects a ChangeCipherSpec if it advertises an empty ++// session ID. ++TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ ++ // To replace Finished with a CCS below ++ auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_); ++ filter->SetHandshakeTypes({kTlsHandshakeFinished}); ++ filter->EnableDecryption(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ server_->Handshake(); // Consume ClientHello, and ++ // send ServerHello..CertificateVerify ++ // Send CCS ++ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ client_->Handshake(); // Consume ClientHello and CCS ++ client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The client rejects multiple ChangeCipherSpec in a row even if the ++// client indicates compatibility mode with non-empty session ID. ++TEST_F(Tls13CompatTest, ChangeCipherSpecAfterServerHelloTwice) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ EnableCompatMode(); ++ ++ // To replace Finished with a CCS below ++ auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_); ++ filter->SetHandshakeTypes({kTlsHandshakeFinished}); ++ filter->EnableDecryption(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ server_->Handshake(); // Consume ClientHello, and ++ // send ServerHello..CertificateVerify ++ // the ServerHello is followed by CCS ++ // Send another CCS ++ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ client_->Handshake(); // Consume ClientHello and CCS ++ client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ + // If we negotiate 1.2, we abort. + TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHello12) { + EnsureTlsSetup(); +diff --color -Naur nss-3.51.1_old/nss/lib/ssl/ssl3con.c nss-3.51.1/nss/lib/ssl/ssl3con.c +--- nss-3.51.1_old/nss/lib/ssl/ssl3con.c 2022-12-08 16:05:47.471142833 +0100 ++++ nss-3.51.1/nss/lib/ssl/ssl3con.c 2022-12-08 16:12:42.037994262 +0100 +@@ -6711,7 +6711,11 @@ + + /* TLS 1.3: We sent a session ID. The server's should match. */ + if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) { +- return sidMatch; ++ if (sidMatch) { ++ ss->ssl3.hs.allowCcs = PR_TRUE; ++ return PR_TRUE; ++ } ++ return PR_FALSE; + } + + /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */ +@@ -8730,6 +8734,7 @@ + errCode = PORT_GetError(); + goto alert_loser; + } ++ ss->ssl3.hs.allowCcs = PR_TRUE; + } + + /* TLS 1.3 requires that compression include only null. */ +@@ -13058,8 +13063,15 @@ + ss->ssl3.hs.ws != idle_handshake && + cText->buf->len == 1 && + cText->buf->buf[0] == change_cipher_spec_choice) { +- /* Ignore the CCS. */ +- return SECSuccess; ++ if (ss->ssl3.hs.allowCcs) { ++ /* Ignore the first CCS. */ ++ ss->ssl3.hs.allowCcs = PR_FALSE; ++ return SECSuccess; ++ } ++ ++ /* Compatibility mode is not negotiated. */ ++ alert = unexpected_message; ++ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); + } + + if (IS_DTLS(ss) || +diff --color -Naur nss-3.51.1_old/nss/lib/ssl/sslimpl.h nss-3.51.1/nss/lib/ssl/sslimpl.h +--- nss-3.51.1_old/nss/lib/ssl/sslimpl.h 2022-12-08 16:05:47.471142833 +0100 ++++ nss-3.51.1/nss/lib/ssl/sslimpl.h 2022-12-08 16:12:45.106014567 +0100 +@@ -711,6 +711,10 @@ + * or received. */ + PRBool receivedCcs; /* A server received ChangeCipherSpec + * before the handshake started. */ ++ PRBool allowCcs; /* A server allows ChangeCipherSpec ++ * as the middlebox compatibility mode ++ * is explicitly indicarted by ++ * legacy_session_id in TLS 1.3 ClientHello. */ + PRBool clientCertRequested; /* True if CertificateRequest received. */ + ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def + * we use for TLS 1.3 */ diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch b/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch new file mode 100644 index 0000000000..ec3b4a092a --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch @@ -0,0 +1,124 @@ + +# HG changeset patch +# User John M. Schanck <jschanck@mozilla.com> +# Date 1675974326 0 +# Node ID 62f6b3e9024dd72ba3af9ce23848d7573b934f18 +# Parent 52b4b7d3d3ebdb25fbf2cf1c101bfad3721680f4 +Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. r=rrelyea + +Differential Revision: https://phabricator.services.mozilla.com/D167443 + +CVE: CVE-2023-0767 +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/nss/2:3.35-2ubuntu2.16/nss_3.35-2ubuntu2.16.debian.tar.xz] +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c +--- a/nss/lib/pkcs12/p12d.c ++++ b/nss/lib/pkcs12/p12d.c +@@ -332,41 +332,48 @@ sec_pkcs12_decoder_safe_bag_update(void + unsigned long len, int depth, + SEC_ASN1EncodingPart data_kind) + { + sec_PKCS12SafeContentsContext *safeContentsCtx = + (sec_PKCS12SafeContentsContext *)arg; + SEC_PKCS12DecoderContext *p12dcx; + SECStatus rv; + +- /* make sure that we are not skipping the current safeBag, +- * and that there are no errors. If so, just return rather +- * than continuing to process. +- */ +- if (!safeContentsCtx || !safeContentsCtx->p12dcx || +- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { + return; + } + p12dcx = safeContentsCtx->p12dcx; + ++ /* make sure that there are no errors and we are not skipping the current safeBag */ ++ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ goto loser; ++ } ++ + rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len); + if (rv != SECSuccess) { + p12dcx->errorValue = PORT_GetError(); ++ p12dcx->error = PR_TRUE; ++ goto loser; ++ } ++ ++ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we ++ * may not get another opportunity to clean up the decoder context. ++ */ ++ if (safeContentsCtx->skipCurrentSafeBag) { + goto loser; + } + + return; + + loser: +- /* set the error, and finish the decoder context. because there ++ /* Finish the decoder context. Because there + * is not a way of returning an error message, it may be worth + * while to do a check higher up and finish any decoding contexts + * that are still open. + */ +- p12dcx->error = PR_TRUE; + SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); + safeContentsCtx->currentSafeBagA1Dcx = NULL; + return; + } + + /* notify function for decoding safeBags. This function is + * used to filter safeBag types which are not supported, + * initiate the decoding of nested safe contents, and decode +diff --git a/nss/lib/pkcs12/p12t.h b/nss/lib/pkcs12/p12t.h +--- a/nss/lib/pkcs12/p12t.h ++++ b/nss/lib/pkcs12/p12t.h +@@ -68,16 +68,17 @@ struct sec_PKCS12SafeBagStr { + /* Dependent upon the type of bag being used. */ + union { + SECKEYPrivateKeyInfo *pkcs8KeyBag; + SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag; + sec_PKCS12CertBag *certBag; + sec_PKCS12CRLBag *crlBag; + sec_PKCS12SecretBag *secretBag; + sec_PKCS12SafeContents *safeContents; ++ SECItem *unknownBag; + } safeBagContent; + + sec_PKCS12Attribute **attribs; + + /* used locally */ + SECOidData *bagTypeTag; + PLArenaPool *arena; + unsigned int nAttribs; +diff --git a/nss/lib/pkcs12/p12tmpl.c b/nss/lib/pkcs12/p12tmpl.c +--- a/nss/lib/pkcs12/p12tmpl.c ++++ b/nss/lib/pkcs12/p12tmpl.c +@@ -25,22 +25,22 @@ sec_pkcs12_choose_safe_bag_type(void *sr + if (src_or_dest == NULL) { + return NULL; + } + + safeBag = (sec_PKCS12SafeBag *)src_or_dest; + + oiddata = SECOID_FindOID(&safeBag->safeBagType); + if (oiddata == NULL) { +- return SEC_ASN1_GET(SEC_AnyTemplate); ++ return SEC_ASN1_GET(SEC_PointerToAnyTemplate); + } + + switch (oiddata->offset) { + default: +- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); ++ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate); + break; + case SEC_OID_PKCS12_V1_KEY_BAG_ID: + theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate); + break; + case SEC_OID_PKCS12_V1_CERT_BAG_ID: + theTemplate = sec_PKCS12PointerToCertBagTemplate; + break; + case SEC_OID_PKCS12_V1_CRL_BAG_ID: + diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb index 8b59f7ea8f..1de2a40094 100644 --- a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb +++ b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb @@ -39,8 +39,10 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://CVE-2020-6829_12400.patch \ file://CVE-2020-12403_1.patch \ file://CVE-2020-12403_2.patch \ + file://CVE-2020-25648.patch \ file://CVE-2021-43527.patch \ file://CVE-2022-22747.patch \ + file://CVE-2023-0767.patch \ " SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233" @@ -291,5 +293,11 @@ RDEPENDS_${PN}-smime = "perl" BBCLASSEXTEND = "native nativesdk" +CVE_PRODUCT += "network_security_services" + # CVE-2006-5201 affects only Sun Solaris CVE_CHECK_WHITELIST += "CVE-2006-5201" + +# CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect +# the legacy db (libnssdbm), only compiled with --enable-legacy-db. +CVE_CHECK_WHITELIST += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" diff --git a/meta-openembedded/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch b/meta-openembedded/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch new file mode 100644 index 0000000000..1c6657ae9f --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch @@ -0,0 +1,39 @@ +From d16eda269413bdb04e85c242fa28db264697c45f Mon Sep 17 00:00:00 2001 +From: John Wolfe <jwolfe@vmware.com> +Date: Sun, 21 Aug 2022 07:56:49 -0700 +Subject: [PATCH] Properly check authorization on incoming guestOps requests. + +Fix public pipe request checks. Only a SessionRequest type should +be accepted on the public pipe. + +Upstream-Status: Backport from https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745 +CVE: CVE-2022-31676 +Signed-off-by: Priyal Doshi <pdoshi@mvista.com> +--- + open-vm-tools/vgauth/serviceImpl/proto.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/open-vm-tools/vgauth/serviceImpl/proto.c b/open-vm-tools/vgauth/serviceImpl/proto.c +index f097fb6..0ebaa7b 100644 +--- a/open-vm-tools/vgauth/serviceImpl/proto.c ++++ b/open-vm-tools/vgauth/serviceImpl/proto.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016,2019 VMware, Inc. All rights reserved. ++ * Copyright (C) 2011-2016,2019-2022 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -1202,6 +1202,10 @@ Proto_SecurityCheckRequest(ServiceConnection *conn, + VGAuthError err; + gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn); + ++ if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) { ++ return VGAUTH_E_PERMISSION_DENIED; ++ } ++ + switch (req->reqType) { + /* + * This comes over the public connection; alwsys let it through. +-- +2.7.4 diff --git a/meta-openembedded/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb b/meta-openembedded/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb index 3cf0aa8292..9a1b3f4c80 100644 --- a/meta-openembedded/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb +++ b/meta-openembedded/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb @@ -43,6 +43,7 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=maste file://0002-hgfsServerLinux-Consider-64bit-time_t-possibility.patch;patchdir=.. \ file://0001-utilBacktrace-Ignore-Warray-bounds.patch;patchdir=.. \ file://0001-hgfsmounter-Makefile.am-support-usrmerge.patch;patchdir=.. \ + file://0001-Properly-check-authorization-on-incoming-guestOps-re.patch;patchdir=.. \ " SRCREV = "d3edfd142a81096f9f58aff17d84219b457f4987" diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch new file mode 100644 index 0000000000..4a09c8c7fa --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch @@ -0,0 +1,629 @@ +From 73b5c300b8fde5e7a4824baa83a04931279abb37 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?L=C3=A1szl=C3=B3=20V=C3=A1rady?= + <laszlo.varady@protonmail.com> +Date: Sat, 20 Aug 2022 12:42:38 +0200 +Subject: [PATCH] CVE-2022-38725 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: László Várady <laszlo.varady@protonmail.com> +Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> + +Upstream-Status: Backport from [https://github.com/syslog-ng/syslog-ng/commit/b5a060f2ebb8d794f508436a12e4d4163f94b1b8 && https://github.com/syslog-ng/syslog-ng/commit/81a07263f1e522a376d3a30f96f51df3f2879f8a && https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d && https://github.com/syslog-ng/syslog-ng/commit/73b5c300b8fde5e7a4824baa83a04931279abb37 && https://github.com/syslog-ng/syslog-ng/commit/45f051239312e43bd4f92b9339fe67c6798a0321 && https://github.com/syslog-ng/syslog-ng/commit/09f489c89c826293ff8cbd282cfc866ab56054c4 && https://github.com/syslog-ng/syslog-ng/commit/8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 && https://github.com/syslog-ng/syslog-ng/commit/56f881c5eaa3d8c02c96607c4b9e4eaf959a044d] +CVE: CVE-2022-38725 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/timeutils/scan-timestamp.c | 68 +++++---- + lib/timeutils/tests/test_scan-timestamp.c | 133 ++++++++++++++++-- + modules/syslogformat/CMakeLists.txt | 2 + + modules/syslogformat/Makefile.am | 2 + + modules/syslogformat/syslog-format.c | 12 +- + modules/syslogformat/tests/CMakeLists.txt | 1 + + modules/syslogformat/tests/Makefile.am | 9 ++ + .../syslogformat/tests/test_syslog_format.c | 104 ++++++++++++++ + 8 files changed, 284 insertions(+), 47 deletions(-) + create mode 100644 modules/syslogformat/tests/CMakeLists.txt + create mode 100644 modules/syslogformat/tests/Makefile.am + create mode 100644 modules/syslogformat/tests/test_syslog_format.c + +diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c +index 41ead1a..ec9746b 100644 +--- a/lib/timeutils/scan-timestamp.c ++++ b/lib/timeutils/scan-timestamp.c +@@ -34,41 +34,43 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday) + { + *wday = -1; + +- if (*left < 3) ++ const gsize abbrev_length = 3; ++ ++ if (*left < abbrev_length) + return FALSE; + + switch (**buf) + { + case 'S': +- if (strncasecmp(*buf, "Sun", 3) == 0) ++ if (strncasecmp(*buf, "Sun", abbrev_length) == 0) + *wday = 0; +- else if (strncasecmp(*buf, "Sat", 3) == 0) ++ else if (strncasecmp(*buf, "Sat", abbrev_length) == 0) + *wday = 6; + break; + case 'M': +- if (strncasecmp(*buf, "Mon", 3) == 0) ++ if (strncasecmp(*buf, "Mon", abbrev_length) == 0) + *wday = 1; + break; + case 'T': +- if (strncasecmp(*buf, "Tue", 3) == 0) ++ if (strncasecmp(*buf, "Tue", abbrev_length) == 0) + *wday = 2; +- else if (strncasecmp(*buf, "Thu", 3) == 0) ++ else if (strncasecmp(*buf, "Thu", abbrev_length) == 0) + *wday = 4; + break; + case 'W': +- if (strncasecmp(*buf, "Wed", 3) == 0) ++ if (strncasecmp(*buf, "Wed", abbrev_length) == 0) + *wday = 3; + break; + case 'F': +- if (strncasecmp(*buf, "Fri", 3) == 0) ++ if (strncasecmp(*buf, "Fri", abbrev_length) == 0) + *wday = 5; + break; + default: + return FALSE; + } + +- (*buf) += 3; +- (*left) -= 3; ++ (*buf) += abbrev_length; ++ (*left) -= abbrev_length; + return TRUE; + } + +@@ -77,57 +79,59 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon) + { + *mon = -1; + +- if (*left < 3) ++ const gsize abbrev_length = 3; ++ ++ if (*left < abbrev_length) + return FALSE; + + switch (**buf) + { + case 'J': +- if (strncasecmp(*buf, "Jan", 3) == 0) ++ if (strncasecmp(*buf, "Jan", abbrev_length) == 0) + *mon = 0; +- else if (strncasecmp(*buf, "Jun", 3) == 0) ++ else if (strncasecmp(*buf, "Jun", abbrev_length) == 0) + *mon = 5; +- else if (strncasecmp(*buf, "Jul", 3) == 0) ++ else if (strncasecmp(*buf, "Jul", abbrev_length) == 0) + *mon = 6; + break; + case 'F': +- if (strncasecmp(*buf, "Feb", 3) == 0) ++ if (strncasecmp(*buf, "Feb", abbrev_length) == 0) + *mon = 1; + break; + case 'M': +- if (strncasecmp(*buf, "Mar", 3) == 0) ++ if (strncasecmp(*buf, "Mar", abbrev_length) == 0) + *mon = 2; +- else if (strncasecmp(*buf, "May", 3) == 0) ++ else if (strncasecmp(*buf, "May", abbrev_length) == 0) + *mon = 4; + break; + case 'A': +- if (strncasecmp(*buf, "Apr", 3) == 0) ++ if (strncasecmp(*buf, "Apr", abbrev_length) == 0) + *mon = 3; +- else if (strncasecmp(*buf, "Aug", 3) == 0) ++ else if (strncasecmp(*buf, "Aug", abbrev_length) == 0) + *mon = 7; + break; + case 'S': +- if (strncasecmp(*buf, "Sep", 3) == 0) ++ if (strncasecmp(*buf, "Sep", abbrev_length) == 0) + *mon = 8; + break; + case 'O': +- if (strncasecmp(*buf, "Oct", 3) == 0) ++ if (strncasecmp(*buf, "Oct", abbrev_length) == 0) + *mon = 9; + break; + case 'N': +- if (strncasecmp(*buf, "Nov", 3) == 0) ++ if (strncasecmp(*buf, "Nov", abbrev_length) == 0) + *mon = 10; + break; + case 'D': +- if (strncasecmp(*buf, "Dec", 3) == 0) ++ if (strncasecmp(*buf, "Dec", abbrev_length) == 0) + *mon = 11; + break; + default: + return FALSE; + } + +- (*buf) += 3; +- (*left) -= 3; ++ (*buf) += abbrev_length; ++ (*left) -= abbrev_length; + return TRUE; + } + +@@ -302,7 +306,7 @@ __parse_usec(const guchar **data, gint *length) + src++; + (*length)--; + } +- while (isdigit(*src)) ++ while (*length > 0 && isdigit(*src)) + { + src++; + (*length)--; +@@ -316,19 +320,21 @@ __parse_usec(const guchar **data, gint *length) + static gboolean + __has_iso_timezone(const guchar *src, gint length) + { +- return (length >= 5) && ++ return (length >= 6) && + (*src == '+' || *src == '-') && + isdigit(*(src+1)) && + isdigit(*(src+2)) && + *(src+3) == ':' && + isdigit(*(src+4)) && + isdigit(*(src+5)) && +- !isdigit(*(src+6)); ++ (length < 7 || !isdigit(*(src+6))); + } + + static guint32 + __parse_iso_timezone(const guchar **data, gint *length) + { ++ g_assert(*length >= 6); ++ + gint hours, mins; + const guchar *src = *data; + guint32 tz = 0; +@@ -338,8 +344,10 @@ __parse_iso_timezone(const guchar **data, gint *length) + hours = (*(src + 1) - '0') * 10 + *(src + 2) - '0'; + mins = (*(src + 4) - '0') * 10 + *(src + 5) - '0'; + tz = sign * (hours * 3600 + mins * 60); ++ + src += 6; + (*length) -= 6; ++ + *data = src; + return tz; + } +@@ -393,7 +401,7 @@ __parse_bsd_timestamp(const guchar **data, gint *length, WallClockTime *wct) + if (!scan_pix_timestamp((const gchar **) &src, &left, wct)) + return FALSE; + +- if (*src == ':') ++ if (left && *src == ':') + { + src++; + left--; +@@ -444,7 +452,7 @@ scan_rfc3164_timestamp(const guchar **data, gint *length, WallClockTime *wct) + * looking at you, skip that as well, so we can reliably detect IPv6 + * addresses as hostnames, which would be using ":" as well. */ + +- if (*src == ':') ++ if (left && *src == ':') + { + ++src; + --left; +diff --git a/lib/timeutils/tests/test_scan-timestamp.c b/lib/timeutils/tests/test_scan-timestamp.c +index 4508139..ad657c6 100644 +--- a/lib/timeutils/tests/test_scan-timestamp.c ++++ b/lib/timeutils/tests/test_scan-timestamp.c +@@ -49,17 +49,21 @@ fake_time_add(time_t diff) + } + + static gboolean +-_parse_rfc3164(const gchar *ts, gchar isotimestamp[32]) ++_parse_rfc3164(const gchar *ts, gint len, gchar isotimestamp[32]) + { + UnixTime stamp; +- const guchar *data = (const guchar *) ts; +- gint length = strlen(ts); ++ const guchar *tsu = (const guchar *) ts; ++ gint tsu_len = len < 0 ? strlen(ts) : len; + GString *result = g_string_new(""); + WallClockTime wct = WALL_CLOCK_TIME_INIT; + +- ++ const guchar *data = tsu; ++ gint length = tsu_len; + gboolean success = scan_rfc3164_timestamp(&data, &length, &wct); + ++ cr_assert(length >= 0); ++ cr_assert(data == &tsu[tsu_len - length]); ++ + unix_time_unset(&stamp); + convert_wall_clock_time_to_unix_time(&wct, &stamp); + +@@ -70,16 +74,21 @@ _parse_rfc3164(const gchar *ts, gchar isotimestamp[32]) + } + + static gboolean +-_parse_rfc5424(const gchar *ts, gchar isotimestamp[32]) ++_parse_rfc5424(const gchar *ts, gint len, gchar isotimestamp[32]) + { + UnixTime stamp; +- const guchar *data = (const guchar *) ts; +- gint length = strlen(ts); ++ const guchar *tsu = (const guchar *) ts; ++ gint tsu_len = len < 0 ? strlen(ts) : len; + GString *result = g_string_new(""); + WallClockTime wct = WALL_CLOCK_TIME_INIT; + ++ const guchar *data = tsu; ++ gint length = tsu_len; + gboolean success = scan_rfc5424_timestamp(&data, &length, &wct); + ++ cr_assert(length >= 0); ++ cr_assert(data == &tsu[tsu_len - length]); ++ + unix_time_unset(&stamp); + convert_wall_clock_time_to_unix_time(&wct, &stamp); + +@@ -90,31 +99,60 @@ _parse_rfc5424(const gchar *ts, gchar isotimestamp[32]) + } + + static gboolean +-_rfc3164_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32]) ++_rfc3164_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32]) + { +- cr_assert(_parse_rfc3164(ts, converted)); ++ cr_assert(_parse_rfc3164(ts, len, converted)); + return strcmp(converted, expected) == 0; + } + + static gboolean +-_rfc5424_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32]) ++_rfc5424_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32]) + { +- cr_assert(_parse_rfc5424(ts, converted)); ++ cr_assert(_parse_rfc5424(ts, len, converted)); + return strcmp(converted, expected) == 0; + } + + #define _expect_rfc3164_timestamp_eq(ts, expected) \ + ({ \ + gchar converted[32]; \ +- cr_expect(_rfc3164_timestamp_eq(ts, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ cr_expect(_rfc3164_timestamp_eq(ts, -1, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc3164_timestamp_len_eq(ts, len, expected) \ ++ ({ \ ++ gchar converted[32]; \ ++ cr_expect(_rfc3164_timestamp_eq(ts, len, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc3164_fails(ts, len) \ ++ ({ \ ++ WallClockTime wct = WALL_CLOCK_TIME_INIT; \ ++ const guchar *data = (guchar *) ts; \ ++ gint length = len < 0 ? strlen(ts) : len; \ ++ cr_assert_not(scan_rfc3164_timestamp(&data, &length, &wct)); \ + }) + + #define _expect_rfc5424_timestamp_eq(ts, expected) \ + ({ \ + gchar converted[32]; \ +- cr_expect(_rfc5424_timestamp_eq(ts, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ cr_expect(_rfc5424_timestamp_eq(ts, -1, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc5424_timestamp_len_eq(ts, len, expected) \ ++ ({ \ ++ gchar converted[32]; \ ++ cr_expect(_rfc5424_timestamp_eq(ts, len, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ + }) + ++#define _expect_rfc5424_fails(ts, len) \ ++ ({ \ ++ WallClockTime wct = WALL_CLOCK_TIME_INIT; \ ++ const guchar *data = (guchar *) ts; \ ++ gint length = len < 0 ? strlen(ts) : len; \ ++ cr_assert_not(scan_rfc5424_timestamp(&data, &length, &wct)); \ ++ }) ++ ++ + Test(parse_timestamp, standard_bsd_format) + { + _expect_rfc3164_timestamp_eq("Oct 1 17:46:12", "2017-10-01T17:46:12.000+02:00"); +@@ -148,6 +186,75 @@ Test(parse_timestamp, standard_bsd_format_year_in_the_past) + _expect_rfc3164_timestamp_eq("Dec 31 17:46:12", "2017-12-31T17:46:12.000+01:00"); + } + ++Test(parse_timestamp, non_zero_terminated_rfc3164_iso_input_is_handled_properly) ++{ ++ gchar *ts = "2022-08-17T05:02:28.417Z whatever"; ++ gint ts_len = 24; ++ ++ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00"); ++ ++ /* no "Z" parsed, timezone defaults to local, forced CET */ ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00"); ++ ++ /* msec is partially parsed as we trim the string from the right */ ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00"); ++ ++ for (gint i = 6; i < ts_len; i++) ++ _expect_rfc3164_fails(ts, ts_len - i); ++ ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc3164_bsd_pix_or_asa_input_is_handled_properly) ++{ ++ gchar *ts = "Aug 17 2022 05:02:28: whatever"; ++ gint ts_len = 21; ++ ++ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.000+02:00"); ++ ++ /* no ":" at the end, that's a problem, unrecognized */ ++ _expect_rfc3164_fails(ts, ts_len - 1); ++ ++ for (gint i = 1; i < ts_len; i++) ++ _expect_rfc3164_fails(ts, ts_len - i); ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc5424_input_is_handled_properly) ++{ ++ gchar *ts = "2022-08-17T05:02:28.417Z whatever"; ++ gint ts_len = 24; ++ ++ _expect_rfc5424_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00"); ++ ++ /* no "Z" parsed, timezone defaults to local, forced CET */ ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00"); ++ ++ /* msec is partially parsed as we trim the string from the right */ ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00"); ++ ++ for (gint i = 6; i < ts_len; i++) ++ _expect_rfc5424_fails(ts, ts_len - i); ++ ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc5424_timestamp_only) ++{ ++ const gchar *ts = "2022-08-17T05:02:28.417+03:00"; ++ gint ts_len = strlen(ts); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, ts); ++} ++ + + Test(parse_timestamp, daylight_saving_behavior_at_spring_with_explicit_timezones) + { +diff --git a/modules/syslogformat/CMakeLists.txt b/modules/syslogformat/CMakeLists.txt +index fb55ea4..a2a92bb 100644 +--- a/modules/syslogformat/CMakeLists.txt ++++ b/modules/syslogformat/CMakeLists.txt +@@ -24,4 +24,6 @@ target_include_directories(syslogformat + ) + target_link_libraries(syslogformat PRIVATE syslog-ng) + ++add_test_subdirectory(tests) ++ + install(TARGETS syslogformat LIBRARY DESTINATION lib/syslog-ng/) +diff --git a/modules/syslogformat/Makefile.am b/modules/syslogformat/Makefile.am +index f13f88c..14cdf58 100644 +--- a/modules/syslogformat/Makefile.am ++++ b/modules/syslogformat/Makefile.am +@@ -31,3 +31,5 @@ modules_syslogformat_libsyslogformat_la_DEPENDENCIES = \ + modules/syslogformat modules/syslogformat/ mod-syslogformat: \ + modules/syslogformat/libsyslogformat.la + .PHONY: modules/syslogformat/ mod-syslogformat ++ ++include modules/syslogformat/tests/Makefile.am +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index 6d53a32..a69f39f 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -200,7 +200,7 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len + + /* if the next char is not space, then we may try to read a date */ + +- if (*src != ' ') ++ if (!left || *src != ' ') + return; + + log_msg_set_value(self, handles.cisco_seqid, (gchar *) *data, *length - left - 1); +@@ -216,6 +216,9 @@ log_msg_parse_cisco_timestamp_attributes(LogMessage *self, const guchar **data, + const guchar *src = *data; + gint left = *length; + ++ if (!left) ++ return; ++ + /* Cisco timestamp extensions, the first '*' indicates that the clock is + * unsynced, '.' if it is known to be synced */ + if (G_UNLIKELY(src[0] == '*')) +@@ -564,7 +567,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + open_sd++; + do + { +- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') ++ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') + goto error; + /* read sd_id */ + pos = 0; +@@ -598,7 +601,8 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + strcpy(sd_value_name, logmsg_sd_prefix); + /* this strcat is safe, as sd_id_name is at most 32 chars */ + strncpy(sd_value_name + logmsg_sd_prefix_len, sd_id_name, sizeof(sd_value_name) - logmsg_sd_prefix_len); +- if (*src == ']') ++ ++ if (left && *src == ']') + { + log_msg_set_value_by_name(self, sd_value_name, "", 0); + } +@@ -615,7 +619,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + else + goto error; + +- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') ++ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') + goto error; + + /* read sd-param */ +diff --git a/modules/syslogformat/tests/CMakeLists.txt b/modules/syslogformat/tests/CMakeLists.txt +new file mode 100644 +index 0000000..2e45b71 +--- /dev/null ++++ b/modules/syslogformat/tests/CMakeLists.txt +@@ -0,0 +1 @@ ++add_unit_test(CRITERION TARGET test_syslog_format DEPENDS syslogformat) +diff --git a/modules/syslogformat/tests/Makefile.am b/modules/syslogformat/tests/Makefile.am +new file mode 100644 +index 0000000..7ee66a5 +--- /dev/null ++++ b/modules/syslogformat/tests/Makefile.am +@@ -0,0 +1,9 @@ ++modules_syslogformat_tests_TESTS = \ ++ modules/syslogformat/tests/test_syslog_format ++ ++check_PROGRAMS += ${modules_syslogformat_tests_TESTS} ++ ++EXTRA_DIST += modules/syslogformat/tests/CMakeLists.txt ++ ++modules_syslogformat_tests_test_syslog_format_CFLAGS = $(TEST_CFLAGS) -I$(top_srcdir)/modules/syslogformat ++modules_syslogformat_tests_test_syslog_format_LDADD = $(TEST_LDADD) $(PREOPEN_SYSLOGFORMAT) +diff --git a/modules/syslogformat/tests/test_syslog_format.c b/modules/syslogformat/tests/test_syslog_format.c +new file mode 100644 +index 0000000..d0f5b40 +--- /dev/null ++++ b/modules/syslogformat/tests/test_syslog_format.c +@@ -0,0 +1,104 @@ ++/* ++ * Copyright (c) 2022 One Identity ++ * Copyright (c) 2022 László Várady ++ * ++ * This program is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 as published ++ * by the Free Software Foundation, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ * As an additional exemption you are allowed to compile & link against the ++ * OpenSSL libraries as published by the OpenSSL project. See the file ++ * COPYING for details. ++ * ++ */ ++ ++#include <criterion/criterion.h> ++ ++#include "apphook.h" ++#include "cfg.h" ++#include "syslog-format.h" ++#include "logmsg/logmsg.h" ++#include "msg-format.h" ++#include "scratch-buffers.h" ++ ++#include <string.h> ++ ++GlobalConfig *cfg; ++MsgFormatOptions parse_options; ++ ++static void ++setup(void) ++{ ++ app_startup(); ++ syslog_format_init(); ++ ++ cfg = cfg_new_snippet(); ++ msg_format_options_defaults(&parse_options); ++} ++ ++static void ++teardown(void) ++{ ++ scratch_buffers_explicit_gc(); ++ app_shutdown(); ++ cfg_free(cfg); ++} ++ ++TestSuite(syslog_format, .init = setup, .fini = teardown); ++ ++Test(syslog_format, parser_should_not_spin_on_non_zero_terminated_input, .timeout = 10) ++{ ++ const gchar *data = "<182>2022-08-17T05:02:28.217 mymachine su: 'su root' failed for lonvick on /dev/pts/8"; ++ /* chosen carefully to reproduce a bug */ ++ gsize data_length = 27; ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} ++ ++Test(syslog_format, cisco_sequence_id_non_zero_termination) ++{ ++ const gchar *data = "<189>65536: "; ++ gsize data_length = strlen(data); ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ cr_assert_str_eq(log_msg_get_value_by_name(msg, ".SDATA.meta.sequenceId", NULL), "65536"); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} ++ ++Test(syslog_format, minimal_non_zero_terminated_numeric_message_is_parsed_as_program_name) ++{ ++ const gchar *data = "<189>65536"; ++ gsize data_length = strlen(data); ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ cr_assert_str_eq(log_msg_get_value_by_name(msg, "PROGRAM", NULL), "65536"); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb index 10bf00fdce..6e90dabd14 100644 --- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb +++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb @@ -9,6 +9,7 @@ SRC_URI += " \ file://0001-syslog-ng-fix-segment-fault-during-service-start.patch \ file://shebang.patch \ file://syslog-ng-tmp.conf \ + file://CVE-2022-38725.patch \ " SRC_URI[md5sum] = "ef9de066793f7358af7312b964ac0450" |