diff options
author | Patrick Williams <patrick@stwcx.xyz> | 2021-08-30 23:17:28 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2021-08-30 23:18:26 +0300 |
commit | d767d3fb1ba70f03e0e212c24f41404f1248f660 (patch) | |
tree | 4d4edb47d2feadc58ecb1556be3ef484b8559ac8 /poky/meta | |
parent | 8c7c9f834fb9bcc6eaf21e509c7627f13086b5a7 (diff) | |
download | openbmc-hardknott.tar.xz |
subtree updateshardknott
poky: 14c5392fde..b89bb2651d:
Alexander Kanavin (3):
devtool: correctly handle non-standard source tree locations in upgrades
devtool: print a warning on upgrades if PREFERRED_VERSION is set
nettle: update 3.7.2 -> 3.7.3
Alexandre Belloni (1):
oeqa/runtime/cases: make date.DateTest.test_date more reliable
Anton Blanchard (1):
kmod: use nonarch_base_libdir for depmod.d and modprobe.d
Armin Kuster (1):
gnutls: Enable seccomp if FEATURE is set
Bruce Ashfield (17):
linux-yocto: add vfat KERNEL_FEATURE when MACHINE_FEATURES include vfat
linux-yocto/5.10: update to v5.10.49
linux-yocto/5.4: update to v5.4.131
linux-yocto/5.10: update to v5.10.50
linux-yocto/5.4: update to v5.4.132
linux-yocto/5.10: update to v5.10.52
linux-yocto/5.4: update to v5.4.134
linux-yocto/5.10: update to v5.10.53
linux-yocto/5.4: update to v5.4.135
linux-yocto-rt/5.10: update to -rt47
linux-yocto/5.10: enable TYPEC_TCPCI in usbc fragment
linux-yocto/5.10: update to v5.10.55
linux-yocto/5.4: update to v5.4.137
linux-yocto/5.4: update to v5.4.139
linux-yocto/5.10: update to v5.10.57
kernel-devsrc: 5.14+ updates
kernel-devsrc: fix 5.14+ objtool compilation
Changqing Li (1):
archiver.bbclass: fix do_ar_configured failure for kernel
Chen Qi (2):
systemd: fix CVE-2020-13529
zstd: fix CVE_PRODUCT
Damian Wrobel (1):
gobject-introspection: Fix the license (add MIT)
Dmitry Baryshkov (1):
linux-firmware: add more Qualcomm firmware packages
Joe Slater (2):
util-linux: fix CVE 2021-37600
terminal.bbclass: force bash for devshell
Jon Mason (1):
parselogs.py: qemuarm should be qemuarmv5
Jose Quaresma (1):
sstate.bbclass: fix error handling when sstate mirrors is ro
Khairul Rohaizzat Jamaluddin (1):
glibc: Fix CVE-2021-33574
Khem Raj (4):
ovmf: Fix VLA warnings with GCC 11
stress-ng: Drop defining daddr_t
gnutls: Point to staging area for finding seccomp libs and includes
sdk: Enable do_populate_sdk with multilibs
Lee Chee Yang (2):
aspell: fix CVE-2019-25051
qemu: fix CVE-2021-3527
Marek Vasut (1):
update-rc.d: update SRCREV to pull in fix for non-bash shell support
Marta Rybczynska (1):
lzo: add CVE_PRODUCT
Matthias Klein (1):
runqemu: Fix typo in error message
Matthias Schiffer (1):
initscripts: fix creation order for /var/log with VOLATILE_LOG_DIR=true
Michael Opdenacker (4):
oe-setup-builddir: update YP docs and OE URLs
cve-check: fix comments
cve-check: update link to NVD website for CVE details
cve-check: improve comment about CVE patch file names
Mingli Yu (3):
netbase: use git fetcher
curl: fix CVE-2021-22925
curl: fix CVES
Nicolas Dechesne (4):
yocto-check-layer: improve missed dependencies
checklayer: new function get_layer_dependencies()
checklayer: rename _find_layer_depends
yocto-check-layer: ensure that all layer dependencies are tested too
Oleksandr Kravchuk (1):
bitbake.conf: change GNOME_MIRROR to new one
Oleksandr Popovych (1):
utils: Reduce the number of calls to the "dirname" command
Patrick Williams (1):
pixman: re-disable iwmmxt
Ralph Siemsen (1):
oeqa/manual/toaster: fix small typo
Richard Purdie (6):
pseudo: Add uninative configuration sanity check
pseudo: Update to latest version including statx fix
sstate: Drop pseudo exclusion
sstate: Fix rebuilds when changing layer config
license: Exclude COPYING.MIT from pseudo
oeqa/runtime/cases/ptest: Increase test timeout from 300s to 450s
Ross Burton (9):
parted: improve ptest execution
parted: fix ptest RRECOMMENDS
parted: skip tests that need vfat support
avahi: fix CVE-2021-36217, crash on pinging '.local'
glew: fix Makefile race
qemu: fix virtio vhost-user-gpu CVEs
tar: ignore node-tar CVEs
e2fsprogs: ensure small images have 256-byte inodes
wic: don't forcibly pass -T default
Sakib Sajal (5):
go: fix CVE-2020-29509, CVE-2020-29511
qemu: fix CVE-2021-3582
qemu: fix CVE-2021-3607
qemu: fix CVE-2021-3608
go: upgrade 1.16.5 -> 1.16.7
Tony Tascioglu (6):
valgrind: skip flaky ptest fb_test_amd64
ffmpeg: fix CVE-2020-20446
ffmpeg: fix CVE-2020-20453
ffmpeg: fix CVE-2020-22015
ffmpeg: fix CVE-2020-22021
ffmpeg: fix CVE-2020-22019 and CVE-2020-22033
Trevor Gamblin (1):
python3-pip: fix CVE-2021-3572
Ulrich Ölmann (2):
initramfs-framework: fix whitespace issue
initramfs-framework/setup-live: fix shebang
Vinay Kumar (2):
glibc: Fix CVE-2021-35942
glibc: Fix CVE-2021-38604
hongxu (2):
createrepo-c: fix createrepo-c failed in nativesdk
sdk: fix relocate symlink failed
leimaohui (1):
archiver.bbclass: Fix patch error for recipes that inherit dos2unix.
wangmy (1):
gnutls: upgrade 3.7.1 -> 3.7.2
meta-openembedded: 5a4b2ab29d..5741b949a8:
Anastasios Kavoukis (1):
pm-qa: fix paths for shell scripts
Armin Kuster (1):
wireshark: update to 3.4.7
Changqing Li (2):
ndpi: fix CVE-2021-36082
linuxptp: upgrade 3.1 -> 3.1.1
Devendra Tewari (1):
Suppress eol in functionfs setup scripts (#147)
Gianfranco (1):
vboxguestdrivers: upgrade 6.1.22 -> 6.1.24
Joe Slater (1):
php: move to version 7.4.21
Kai Kang (1):
libdbi-perl: fix CVE-2014-10402
Khem Raj (2):
fvwm: Package extra files and man pages
fvwm: Fix build time paths in target perl/python scripts
Li Wang (1):
openlldp: fix segfault
Michael Opdenacker (1):
bigbuckbunny-1080p: fix sample video URL
Mingli Yu (3):
mariadb: redefine log-error item
mariadb: Update SRC_URI
polkit: fix CVE-2021-3560
Paulo Neves (1):
htop: Add ncurses-terminfo-base to RDEPENDS
Roland Hieber (2):
curlpp: fix override syntax
ldns: fix override syntax
Sakib Sajal (1):
gd: fix CVE-2021-38115
Tony Battersby (3):
net-snmp: fix QA Issue after LDFLAGS change
curlpp: fix QA Issue after LDFLAGS change
ldns: fix QA Issue after LDFLAGS change
Tony Tascioglu (1):
redis: fix CVE-2021-32625
wangmy (2):
nghttp2: upgrade 1.43.0 -> 1.44.0
libtalloc: upgrade 2.3.2 -> 2.3.3
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I12cf9ce6cd256bd08bd4e97856ba45ccb993ddc4
Diffstat (limited to 'poky/meta')
103 files changed, 3244 insertions, 131 deletions
diff --git a/poky/meta/classes/archiver.bbclass b/poky/meta/classes/archiver.bbclass index a3962306b1..dd31dc0cd8 100644 --- a/poky/meta/classes/archiver.bbclass +++ b/poky/meta/classes/archiver.bbclass @@ -281,7 +281,10 @@ python do_ar_configured() { # ${STAGING_DATADIR}/aclocal/libtool.m4, so we can't re-run the # do_configure, we archive the already configured ${S} to # instead of. - elif pn != 'libtool-native': + # The kernel class functions require it to be on work-shared, we + # don't unpack, patch, configure again, just archive the already + # configured ${S} + elif not (pn == 'libtool-native' or is_work_shared(d)): def runTask(task): prefuncs = d.getVarFlag(task, 'prefuncs') or '' for func in prefuncs.split(): @@ -483,6 +486,9 @@ python do_unpack_and_patch() { src_orig = '%s.orig' % src oe.path.copytree(src, src_orig) + if bb.data.inherits_class('dos2unix', d): + bb.build.exec_func('do_convert_crlf_to_lf', d) + # Make sure gcc and kernel sources are patched only once if not (d.getVar('SRC_URI') == "" or is_work_shared(d)): bb.build.exec_func('do_patch', d) diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass index 112ee3379d..4fa1a64f85 100644 --- a/poky/meta/classes/cve-check.bbclass +++ b/poky/meta/classes/cve-check.bbclass @@ -20,7 +20,7 @@ # the only method to check against CVEs. Running this tool # doesn't guarantee your packages are free of CVEs. -# The product name that the CVE database uses. Defaults to BPN, but may need to +# The product name that the CVE database uses defaults to BPN, but may need to # be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff). CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" @@ -56,11 +56,11 @@ CVE_CHECK_WHITELIST ?= "" # Layers to be excluded CVE_CHECK_LAYER_EXCLUDELIST ??= "" -# Layers to be included +# Layers to be included CVE_CHECK_LAYER_INCLUDELIST ??= "" -# set to "alphabetical" for version using single alphabetical character as increament release +# set to "alphabetical" for version using single alphabetical character as increment release CVE_VERSION_SUFFIX ??= "" python cve_save_summary_handler () { @@ -166,9 +166,12 @@ def get_patches_cves(d): pn = d.getVar("PN") cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") - # Matches last CVE-1234-211432 in the file name, also if written - # with small letters. Not supporting multiple CVE id's in a single - # file name. + # Matches the last "CVE-YYYY-ID" in the file name, also if written + # in lowercase. Possible to have multiple CVE IDs in a single + # file name, but only the last one will be detected from the file name. + # However, patch files contents addressing multiple CVE IDs are supported + # (cve_match regular expression) + cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") patched_cves = set() @@ -230,7 +233,7 @@ def check_cves(d, patched_cves): return ([], [], []) pv = d.getVar("CVE_VERSION").split("+git")[0] - # If the recipe has been whitlisted we return empty lists + # If the recipe has been whitelisted we return empty lists if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split(): bb.note("Recipe has been whitelisted, skipping check") return ([], [], []) @@ -355,7 +358,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): if include_layers and layer not in include_layers: return - nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" + nvd_link = "https://nvd.nist.gov/vuln/detail/" write_string = "" unpatched_cves = [] bb.utils.mkdirhier(os.path.dirname(cve_file)) diff --git a/poky/meta/classes/license.bbclass b/poky/meta/classes/license.bbclass index f7978e266b..0d0faa28d7 100644 --- a/poky/meta/classes/license.bbclass +++ b/poky/meta/classes/license.bbclass @@ -31,7 +31,7 @@ python do_populate_lic() { f.write("%s: %s\n" % (key, info[key])) } -PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '')).split())}" +PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '') + ' ' + d.getVar('COREBASE') + '/meta/COPYING').split())}" # it would be better to copy them in do_install_append, but find_license_filesa is python python perform_packagecopy_prepend () { enabled = oe.data.typed_value('LICENSE_CREATE_PACKAGE', d) diff --git a/poky/meta/classes/multilib.bbclass b/poky/meta/classes/multilib.bbclass index 9f726e4537..2ef75c0d16 100644 --- a/poky/meta/classes/multilib.bbclass +++ b/poky/meta/classes/multilib.bbclass @@ -105,7 +105,6 @@ python __anonymous () { d.setVar("LINGUAS_INSTALL", "") # FIXME, we need to map this to something, not delete it! d.setVar("PACKAGE_INSTALL_ATTEMPTONLY", "") - bb.build.deltask('do_populate_sdk', d) bb.build.deltask('do_populate_sdk_ext', d) return } diff --git a/poky/meta/classes/populate_sdk_base.bbclass b/poky/meta/classes/populate_sdk_base.bbclass index 33ba3fc3c1..f8072a9d37 100644 --- a/poky/meta/classes/populate_sdk_base.bbclass +++ b/poky/meta/classes/populate_sdk_base.bbclass @@ -66,7 +66,7 @@ python () { SDK_RDEPENDS = "${TOOLCHAIN_TARGET_TASK} ${TOOLCHAIN_HOST_TASK}" SDK_DEPENDS = "virtual/fakeroot-native ${SDK_ARCHIVE_DEPENDS} cross-localedef-native nativesdk-qemuwrapper-cross ${@' '.join(["%s-qemuwrapper-cross" % m for m in d.getVar("MULTILIB_VARIANTS").split()])} qemuwrapper-cross" -PATH_prepend = "${STAGING_DIR_HOST}${SDKPATHNATIVE}${bindir}/crossscripts:${@":".join(all_multilib_tune_values(d, 'STAGING_BINDIR_CROSS').split())}:" +PATH_prepend = "${WORKDIR}/recipe-sysroot/${SDKPATHNATIVE}${bindir}/crossscripts:${@":".join(all_multilib_tune_values(d, 'STAGING_BINDIR_CROSS').split())}:" SDK_DEPENDS += "nativesdk-glibc-locale" # We want the MULTIARCH_TARGET_SYS to point to the TUNE_PKGARCH, not PACKAGE_ARCH as it diff --git a/poky/meta/classes/sstate.bbclass b/poky/meta/classes/sstate.bbclass index 2b5d94dd1f..4bf087b4e8 100644 --- a/poky/meta/classes/sstate.bbclass +++ b/poky/meta/classes/sstate.bbclass @@ -123,8 +123,6 @@ SSTATE_HASHEQUIV_REPORT_TASKDATA[doc] = "Report additional useful data to the \ python () { if bb.data.inherits_class('native', d): d.setVar('SSTATE_PKGARCH', d.getVar('BUILD_ARCH', False)) - if d.getVar("PN") == "pseudo-native": - d.appendVar('SSTATE_PKGARCH', '_${ORIGNATIVELSBSTRING}') elif bb.data.inherits_class('crosssdk', d): d.setVar('SSTATE_PKGARCH', d.expand("${BUILD_ARCH}_${SDK_ARCH}_${SDK_OS}")) elif bb.data.inherits_class('cross', d): @@ -707,6 +705,7 @@ def sstate_package(ss, d): pass except OSError as e: # Handle read-only file systems gracefully + import errno if e.errno != errno.EROFS: raise e @@ -1020,6 +1019,7 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True, bb.parse.siggen.checkhashes(sq_data, missed, found, d) return found +setscene_depvalid[vardepsexclude] = "SSTATE_EXCLUDEDEPS_SYSROOT" BB_SETSCENE_DEPVALID = "setscene_depvalid" @@ -1153,6 +1153,7 @@ python sstate_eventhandler() { pass except OSError as e: # Handle read-only file systems gracefully + import errno if e.errno != errno.EROFS: raise e diff --git a/poky/meta/classes/terminal.bbclass b/poky/meta/classes/terminal.bbclass index 6059ae95e0..a564ee7494 100644 --- a/poky/meta/classes/terminal.bbclass +++ b/poky/meta/classes/terminal.bbclass @@ -26,6 +26,9 @@ def emit_terminal_func(command, envdata, d): bb.utils.mkdirhier(os.path.dirname(runfile)) with open(runfile, 'w') as script: + # Override the shell shell_trap_code specifies. + # If our shell is bash, we might well face silent death. + script.write("#!/bin/bash\n") script.write(bb.build.shell_trap_code()) bb.data.emit_func(cmd_func, script, envdata) script.write(cmd_func) @@ -37,7 +40,7 @@ def emit_terminal_func(command, envdata, d): def oe_terminal(command, title, d): import oe.data import oe.terminal - + envdata = bb.data.init() for v in os.environ: diff --git a/poky/meta/classes/utils.bbclass b/poky/meta/classes/utils.bbclass index 120bcc64a6..072ea1f63c 100644 --- a/poky/meta/classes/utils.bbclass +++ b/poky/meta/classes/utils.bbclass @@ -214,7 +214,7 @@ create_cmdline_wrapper () { #!/bin/bash realpath=\`readlink -fn \$0\` realdir=\`dirname \$realpath\` -exec -a \`dirname \$realpath\`/$cmdname \`dirname \$realpath\`/$cmdname.real $cmdoptions "\$@" +exec -a \$realdir/$cmdname \$realdir/$cmdname.real $cmdoptions "\$@" END chmod +x $cmd } diff --git a/poky/meta/conf/bitbake.conf b/poky/meta/conf/bitbake.conf index 385fc7dd55..5b52e9307e 100644 --- a/poky/meta/conf/bitbake.conf +++ b/poky/meta/conf/bitbake.conf @@ -638,7 +638,7 @@ APACHE_MIRROR = "https://archive.apache.org/dist" DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool" GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles" GNOME_GIT = "git://gitlab.gnome.org/GNOME" -GNOME_MIRROR = "https://ftp.gnome.org/pub/GNOME/sources" +GNOME_MIRROR = "https://download.gnome.org/sources/" GNU_MIRROR = "https://ftp.gnu.org/gnu" GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt" GPE_MIRROR = "http://gpe.linuxtogo.org/download/source" diff --git a/poky/meta/files/toolchain-shar-relocate.sh b/poky/meta/files/toolchain-shar-relocate.sh index 5433741296..ba873373e2 100644 --- a/poky/meta/files/toolchain-shar-relocate.sh +++ b/poky/meta/files/toolchain-shar-relocate.sh @@ -72,7 +72,7 @@ fi # change all symlinks pointing to @SDKPATH@ for l in $($SUDO_EXEC find $native_sysroot -type l); do - $SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$DEFAULT_INSTALL_DIR:$target_sdk_dir:") $l + $SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$SDK_BUILD_PATH:$target_sdk_dir:") $l if [ $? -ne 0 ]; then echo "Failed to setup symlinks. Relocate script failed. Abort!" exit 1 diff --git a/poky/meta/lib/oeqa/manual/toaster-managed-mode.json b/poky/meta/lib/oeqa/manual/toaster-managed-mode.json index 12374c7c64..9566d9d10e 100644 --- a/poky/meta/lib/oeqa/manual/toaster-managed-mode.json +++ b/poky/meta/lib/oeqa/manual/toaster-managed-mode.json @@ -136,7 +136,7 @@ "expected_results": "" }, "3": { - "action": "Check that default values are as follows: \n\tDISTRO - poky \n\tIMAGE_FSTYPES - ext3 jffs2 tar.bz2 \n\tIMAGE_INSTALL_append - \"Not set\" \n\tPACKAGE_CLASES - package_rpm \n SSTATE_DIR - /homeDirectory/poky/sstate-cache \n\n", + "action": "Check that default values are as follows: \n\tDISTRO - poky \n\tIMAGE_FSTYPES - ext3 jffs2 tar.bz2 \n\tIMAGE_INSTALL_append - \"Not set\" \n\tPACKAGE_CLASSES - package_rpm \n SSTATE_DIR - /homeDirectory/poky/sstate-cache \n\n", "expected_results": "" }, "4": { diff --git a/poky/meta/lib/oeqa/runtime/cases/date.py b/poky/meta/lib/oeqa/runtime/cases/date.py index e14322911d..bd6537400e 100644 --- a/poky/meta/lib/oeqa/runtime/cases/date.py +++ b/poky/meta/lib/oeqa/runtime/cases/date.py @@ -28,14 +28,13 @@ class DateTest(OERuntimeTestCase): self.assertEqual(status, 0, msg=msg) oldDate = output - sampleDate = '"2016-08-09 10:00:00"' - (status, output) = self.target.run("date -s %s" % sampleDate) + sampleTimestamp = 1488800000 + (status, output) = self.target.run("date -s @%d" % sampleTimestamp) self.assertEqual(status, 0, msg='Date set failed, output: %s' % output) - (status, output) = self.target.run("date -R") - p = re.match('Tue, 09 Aug 2016 10:00:.. \+0000', output) + (status, output) = self.target.run('date +"%s"') msg = 'The date was not set correctly, output: %s' % output - self.assertTrue(p, msg=msg) + self.assertTrue(int(output) - sampleTimestamp < 300, msg=msg) (status, output) = self.target.run('date -s "%s"' % oldDate) msg = 'Failed to reset date, output: %s' % output diff --git a/poky/meta/lib/oeqa/runtime/cases/parselogs.py b/poky/meta/lib/oeqa/runtime/cases/parselogs.py index 1bb0425521..e06f92727e 100644 --- a/poky/meta/lib/oeqa/runtime/cases/parselogs.py +++ b/poky/meta/lib/oeqa/runtime/cases/parselogs.py @@ -121,7 +121,7 @@ ignore_errors = { 'synth uevent: /devices/vio: failed to send uevent', 'PCI 0000:00 Cannot reserve Legacy IO [io 0x10000-0x10fff]', ] + common_errors, - 'qemuarm' : [ + 'qemuarmv5' : [ 'mmci-pl18x: probe of fpga:05 failed with error -22', 'mmci-pl18x: probe of fpga:0b failed with error -22', 'Failed to load module "glx"', @@ -135,6 +135,7 @@ ignore_errors = { 'OF: amba_device_add() failed (-19) for /amba/fpga/sci@a000', 'Failed to initialize \'/amba/timer@101e3000\': -22', 'jitterentropy: Initialization failed with host not compliant with requirements: 2', + 'clcd-pl11x: probe of 10120000.display failed with error -2', ] + common_errors, 'qemuarm64' : [ 'Fatal server error:', diff --git a/poky/meta/lib/oeqa/runtime/cases/ptest.py b/poky/meta/lib/oeqa/runtime/cases/ptest.py index 0800f3c27f..00742da2b5 100644 --- a/poky/meta/lib/oeqa/runtime/cases/ptest.py +++ b/poky/meta/lib/oeqa/runtime/cases/ptest.py @@ -57,7 +57,7 @@ class PtestRunnerTest(OERuntimeTestCase): ptest_dirs = [ '/usr/lib' ] if not libdir in ptest_dirs: ptest_dirs.append(libdir) - status, output = self.target.run('ptest-runner -d \"{}\"'.format(' '.join(ptest_dirs)), 0) + status, output = self.target.run('ptest-runner -t 450 -d \"{}\"'.format(' '.join(ptest_dirs)), 0) os.makedirs(ptest_log_dir) with open(ptest_runner_log, 'w') as f: f.write(output) diff --git a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb index a07cdbd03c..69ac35ee07 100644 --- a/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/poky/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -25,6 +25,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV} file://initscript.patch \ file://0001-Fix-opening-etc-resolv.conf-error.patch \ file://handle-hup.patch \ + file://local-ping.patch \ " UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" diff --git a/poky/meta/recipes-connectivity/avahi/files/local-ping.patch b/poky/meta/recipes-connectivity/avahi/files/local-ping.patch new file mode 100644 index 0000000000..94116ad1f3 --- /dev/null +++ b/poky/meta/recipes-connectivity/avahi/files/local-ping.patch @@ -0,0 +1,152 @@ +CVE: CVE-2021-36217 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 9d31939e55280a733d930b15ac9e4dda4497680c Mon Sep 17 00:00:00 2001 +From: Tommi Rantala <tommi.t.rantala@nokia.com> +Date: Mon, 8 Feb 2021 11:04:43 +0200 +Subject: [PATCH] Fix NULL pointer crashes from #175 + +avahi-daemon is crashing when running "ping .local". +The crash is due to failing assertion from NULL pointer. +Add missing NULL pointer checks to fix it. + +Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd +--- + avahi-core/browse-dns-server.c | 5 ++++- + avahi-core/browse-domain.c | 5 ++++- + avahi-core/browse-service-type.c | 3 +++ + avahi-core/browse-service.c | 3 +++ + avahi-core/browse.c | 3 +++ + avahi-core/resolve-address.c | 5 ++++- + avahi-core/resolve-host-name.c | 5 ++++- + avahi-core/resolve-service.c | 5 ++++- + 8 files changed, 29 insertions(+), 5 deletions(-) + +diff --git a/avahi-core/browse-dns-server.c b/avahi-core/browse-dns-server.c +index 049752e9..c2d914fa 100644 +--- a/avahi-core/browse-dns-server.c ++++ b/avahi-core/browse-dns-server.c +@@ -343,7 +343,10 @@ AvahiSDNSServerBrowser *avahi_s_dns_server_browser_new( + AvahiSDNSServerBrowser* b; + + b = avahi_s_dns_server_browser_prepare(server, interface, protocol, domain, type, aprotocol, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_dns_server_browser_start(b); + + return b; +-} +\ No newline at end of file ++} +diff --git a/avahi-core/browse-domain.c b/avahi-core/browse-domain.c +index f145d56a..06fa70c0 100644 +--- a/avahi-core/browse-domain.c ++++ b/avahi-core/browse-domain.c +@@ -253,7 +253,10 @@ AvahiSDomainBrowser *avahi_s_domain_browser_new( + AvahiSDomainBrowser *b; + + b = avahi_s_domain_browser_prepare(server, interface, protocol, domain, type, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_domain_browser_start(b); + + return b; +-} +\ No newline at end of file ++} +diff --git a/avahi-core/browse-service-type.c b/avahi-core/browse-service-type.c +index fdd22dcd..b1fc7af8 100644 +--- a/avahi-core/browse-service-type.c ++++ b/avahi-core/browse-service-type.c +@@ -171,6 +171,9 @@ AvahiSServiceTypeBrowser *avahi_s_service_type_browser_new( + AvahiSServiceTypeBrowser *b; + + b = avahi_s_service_type_browser_prepare(server, interface, protocol, domain, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_service_type_browser_start(b); + + return b; +diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c +index 5531360c..63e0275a 100644 +--- a/avahi-core/browse-service.c ++++ b/avahi-core/browse-service.c +@@ -184,6 +184,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_new( + AvahiSServiceBrowser *b; + + b = avahi_s_service_browser_prepare(server, interface, protocol, service_type, domain, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_service_browser_start(b); + + return b; +diff --git a/avahi-core/browse.c b/avahi-core/browse.c +index 2941e579..e8a915e9 100644 +--- a/avahi-core/browse.c ++++ b/avahi-core/browse.c +@@ -634,6 +634,9 @@ AvahiSRecordBrowser *avahi_s_record_browser_new( + AvahiSRecordBrowser *b; + + b = avahi_s_record_browser_prepare(server, interface, protocol, key, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_record_browser_start_query(b); + + return b; +diff --git a/avahi-core/resolve-address.c b/avahi-core/resolve-address.c +index ac0b29b1..e61dd242 100644 +--- a/avahi-core/resolve-address.c ++++ b/avahi-core/resolve-address.c +@@ -286,7 +286,10 @@ AvahiSAddressResolver *avahi_s_address_resolver_new( + AvahiSAddressResolver *b; + + b = avahi_s_address_resolver_prepare(server, interface, protocol, address, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_address_resolver_start(b); + + return b; +-} +\ No newline at end of file ++} +diff --git a/avahi-core/resolve-host-name.c b/avahi-core/resolve-host-name.c +index 808b0e72..4e8e5973 100644 +--- a/avahi-core/resolve-host-name.c ++++ b/avahi-core/resolve-host-name.c +@@ -318,7 +318,10 @@ AvahiSHostNameResolver *avahi_s_host_name_resolver_new( + AvahiSHostNameResolver *b; + + b = avahi_s_host_name_resolver_prepare(server, interface, protocol, host_name, aprotocol, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_host_name_resolver_start(b); + + return b; +-} +\ No newline at end of file ++} +diff --git a/avahi-core/resolve-service.c b/avahi-core/resolve-service.c +index 66bf3cae..43771763 100644 +--- a/avahi-core/resolve-service.c ++++ b/avahi-core/resolve-service.c +@@ -519,7 +519,10 @@ AvahiSServiceResolver *avahi_s_service_resolver_new( + AvahiSServiceResolver *b; + + b = avahi_s_service_resolver_prepare(server, interface, protocol, name, type, domain, aprotocol, flags, callback, userdata); ++ if (!b) ++ return NULL; ++ + avahi_s_service_resolver_start(b); + + return b; +-} +\ No newline at end of file ++} diff --git a/poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch b/poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch new file mode 100644 index 0000000000..8a52ac957c --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch @@ -0,0 +1,40 @@ +From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <npv1310@gmail.com> +Date: Mon, 9 Aug 2021 20:17:34 +0530 +Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213) + +Helper thread frees copied attribute on NOTIFY_REMOVED message +received from the OS kernel. Unfortunately, it fails to check whether +copied attribute actually exists (data.attr != NULL). This worked +earlier because free() checks passed pointer before actually +attempting to release corresponding memory. But +__pthread_attr_destroy assumes pointer is not NULL. + +So passing NULL pointer to __pthread_attr_destroy will result in +segmentation fault. This scenario is possible if +notification->sigev_notify_attributes == NULL (which means default +thread attributes should be used). + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8] +CVE: CVE-2021-38604 + +Signed-off-by: Nikita Popov <npv1310@gmail.com> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> +--- + sysdeps/unix/sysv/linux/mq_notify.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c +index 6f46d29d1d..1714e1cc5f 100644 +--- a/sysdeps/unix/sysv/linux/mq_notify.c ++++ b/sysdeps/unix/sysv/linux/mq_notify.c +@@ -132,7 +132,7 @@ helper_thread (void *arg) + to wait until it is done with it. */ + (void) __pthread_barrier_wait (¬ify_barrier); + } +- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) ++ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL) + { + /* The only state we keep is the copy of the thread attributes. */ + pthread_attr_destroy (data.attr); diff --git a/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch new file mode 100644 index 0000000000..b654cdfecb --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch @@ -0,0 +1,147 @@ +From 4cc79c217744743077bf7a0ec5e0a4318f1e6641 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <npv1310@gmail.com> +Date: Thu, 12 Aug 2021 16:09:50 +0530 +Subject: [PATCH] librt: add test (bug 28213) + +This test implements following logic: +1) Create POSIX message queue. + Register a notification with mq_notify (using NULL attributes). + Then immediately unregister the notification with mq_notify. + Helper thread in a vulnerable version of glibc + should cause NULL pointer dereference after these steps. +2) Once again, register the same notification. + Try to send a dummy message. + Test is considered successfulif the dummy message + is successfully received by the callback function. + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641] +CVE: CVE-2021-38604 + +Signed-off-by: Nikita Popov <npv1310@gmail.com> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> +--- + rt/Makefile | 1 + + rt/tst-bz28213.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 102 insertions(+) + create mode 100644 rt/tst-bz28213.c + +diff --git a/rt/Makefile b/rt/Makefile +index 7b374f2073..c87d95793a 100644 +--- a/rt/Makefile ++++ b/rt/Makefile +@@ -44,6 +44,7 @@ tests := tst-shm tst-timer tst-timer2 \ + tst-aio7 tst-aio8 tst-aio9 tst-aio10 \ + tst-mqueue1 tst-mqueue2 tst-mqueue3 tst-mqueue4 \ + tst-mqueue5 tst-mqueue6 tst-mqueue7 tst-mqueue8 tst-mqueue9 \ ++ tst-bz28213 \ + tst-timer3 tst-timer4 tst-timer5 \ + tst-cpuclock2 tst-cputimer1 tst-cputimer2 tst-cputimer3 \ + tst-shm-cancel +diff --git a/rt/tst-bz28213.c b/rt/tst-bz28213.c +new file mode 100644 +index 0000000000..0c096b5a0a +--- /dev/null ++++ b/rt/tst-bz28213.c +@@ -0,0 +1,101 @@ ++/* Bug 28213: test for NULL pointer dereference in mq_notify. ++ Copyright (C) The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <errno.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <fcntl.h> ++#include <unistd.h> ++#include <mqueue.h> ++#include <signal.h> ++#include <stdlib.h> ++#include <string.h> ++#include <support/check.h> ++ ++static mqd_t m = -1; ++static const char msg[] = "hello"; ++ ++static void ++check_bz28213_cb (union sigval sv) ++{ ++ char buf[sizeof (msg)]; ++ ++ (void) sv; ++ ++ TEST_VERIFY_EXIT ((size_t) mq_receive (m, buf, sizeof (buf), NULL) ++ == sizeof (buf)); ++ TEST_VERIFY_EXIT (memcmp (buf, msg, sizeof (buf)) == 0); ++ ++ exit (0); ++} ++ ++static void ++check_bz28213 (void) ++{ ++ struct sigevent sev; ++ ++ memset (&sev, '\0', sizeof (sev)); ++ sev.sigev_notify = SIGEV_THREAD; ++ sev.sigev_notify_function = check_bz28213_cb; ++ ++ /* Step 1: Register & unregister notifier. ++ Helper thread should receive NOTIFY_REMOVED notification. ++ In a vulnerable version of glibc, NULL pointer dereference follows. */ ++ TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0); ++ TEST_VERIFY_EXIT (mq_notify (m, NULL) == 0); ++ ++ /* Step 2: Once again, register notification. ++ Try to send one message. ++ Test is considered successful, if the callback does exit (0). */ ++ TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0); ++ TEST_VERIFY_EXIT (mq_send (m, msg, sizeof (msg), 1) == 0); ++ ++ /* Wait... */ ++ pause (); ++} ++ ++static int ++do_test (void) ++{ ++ static const char m_name[] = "/bz28213_queue"; ++ struct mq_attr m_attr; ++ ++ memset (&m_attr, '\0', sizeof (m_attr)); ++ m_attr.mq_maxmsg = 1; ++ m_attr.mq_msgsize = sizeof (msg); ++ ++ m = mq_open (m_name, ++ O_RDWR | O_CREAT | O_EXCL, ++ 0600, ++ &m_attr); ++ ++ if (m < 0) ++ { ++ if (errno == ENOSYS) ++ FAIL_UNSUPPORTED ("POSIX message queues are not implemented\n"); ++ FAIL_EXIT1 ("Failed to create POSIX message queue: %m\n"); ++ } ++ ++ TEST_VERIFY_EXIT (mq_unlink (m_name) == 0); ++ ++ check_bz28213 (); ++ ++ return 0; ++} ++ ++#include <support/test-driver.c> diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch new file mode 100644 index 0000000000..21f07ac303 --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch @@ -0,0 +1,76 @@ +From 709674ec86c3c6da4f0995897f6b0205c16d049d Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <schwab@linux-m68k.org> +Date: Thu, 27 May 2021 12:49:47 +0200 +Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896) + +Make a deep copy of the pthread attribute object to remove a potential +use-after-free issue. + +Upstream-Status: Backport +[https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb] + +CVE: +CVE-2021-33574 + +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> +--- + NEWS | 4 ++++ + sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++----- + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/NEWS b/NEWS +index 71f5d20324..017d656433 100644 +--- a/NEWS ++++ b/NEWS +@@ -118,6 +118,10 @@ Security related changes: + CVE-2019-25013: A buffer overflow has been fixed in the iconv function when + invoked with EUC-KR input containing invalid multibyte input sequences. + ++ CVE-2021-33574: The mq_notify function has a potential use-after-free ++ issue when using a notification type of SIGEV_THREAD and a thread ++ attribute with a non-default affinity mask. ++ + The following bugs are resolved with this release: + + [10635] libc: realpath portability patches +diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c +index cc575a0cdd..f7ddfe5a6c 100644 +--- a/sysdeps/unix/sysv/linux/mq_notify.c ++++ b/sysdeps/unix/sysv/linux/mq_notify.c +@@ -133,8 +133,11 @@ helper_thread (void *arg) + (void) __pthread_barrier_wait (¬ify_barrier); + } + else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) +- /* The only state we keep is the copy of the thread attributes. */ +- free (data.attr); ++ { ++ /* The only state we keep is the copy of the thread attributes. */ ++ pthread_attr_destroy (data.attr); ++ free (data.attr); ++ } + } + return NULL; + } +@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) + if (data.attr == NULL) + return -1; + +- memcpy (data.attr, notification->sigev_notify_attributes, +- sizeof (pthread_attr_t)); ++ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); + } + + /* Construct the new request. */ +@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) + + /* If it failed, free the allocated memory. */ + if (__glibc_unlikely (retval != 0)) +- free (data.attr); ++ { ++ pthread_attr_destroy (data.attr); ++ free (data.attr); ++ } + + return retval; + } diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch new file mode 100644 index 0000000000..befccd7ac7 --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch @@ -0,0 +1,61 @@ +From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Tue, 1 Jun 2021 17:51:41 +0200 +Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896) + +__pthread_attr_copy can fail and does not initialize the attribute +structure in that case. + +If __pthread_attr_copy is never called and there is no allocated +attribute, pthread_attr_destroy should not be called, otherwise +there is a null pointer dereference in rt/tst-mqueue6. + +Fixes commit 42d359350510506b87101cf77202fefcbfc790cb +("Use __pthread_attr_copy in mq_notify (bug 27896)"). + +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> + +Upstream-Status: Backport +[https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091] + +CVE: +CVE-2021-33574 + +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> +--- + sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c +index f7ddfe5a6c..6f46d29d1d 100644 +--- a/sysdeps/unix/sysv/linux/mq_notify.c ++++ b/sysdeps/unix/sysv/linux/mq_notify.c +@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) + if (data.attr == NULL) + return -1; + +- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); ++ int ret = __pthread_attr_copy (data.attr, ++ notification->sigev_notify_attributes); ++ if (ret != 0) ++ { ++ free (data.attr); ++ __set_errno (ret); ++ return -1; ++ } + } + + /* Construct the new request. */ +@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) + int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se); + + /* If it failed, free the allocated memory. */ +- if (__glibc_unlikely (retval != 0)) ++ if (retval != 0 && data.attr != NULL) + { + pthread_attr_destroy (data.attr); + free (data.attr); +-- +2.27.0 + diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch new file mode 100644 index 0000000000..5cae1bc91c --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch @@ -0,0 +1,44 @@ +From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <schwab@linux-m68k.org> +Date: Fri, 25 Jun 2021 15:02:47 +0200 +Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug + 28011) + +Use strtoul instead of atoi so that overflow can be detected. + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c] +CVE: CVE-2021-35942 +Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> +--- + posix/wordexp-test.c | 1 + + posix/wordexp.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c +index f93a546d7e..9df02dbbb3 100644 +--- a/posix/wordexp-test.c ++++ b/posix/wordexp-test.c +@@ -183,6 +183,7 @@ struct test_case_struct + { 0, NULL, "$var", 0, 0, { NULL, }, IFS }, + { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS }, + { 0, NULL, "", 0, 0, { NULL, }, IFS }, ++ { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS }, + + /* Flags not already covered (testit() has special handling for these) */ + { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS }, +diff --git a/posix/wordexp.c b/posix/wordexp.c +index bcbe96e48d..1f3b09f721 100644 +--- a/posix/wordexp.c ++++ b/posix/wordexp.c +@@ -1399,7 +1399,7 @@ envsubst: + /* Is it a numeric parameter? */ + else if (isdigit (env[0])) + { +- int n = atoi (env); ++ unsigned long n = strtoul (env, NULL, 10); + + if (n >= __libc_argc) + /* Substitute NULL. */ +-- +2.17.1 + diff --git a/poky/meta/recipes-core/glibc/glibc_2.33.bb b/poky/meta/recipes-core/glibc/glibc_2.33.bb index 75a1f36d6b..57a60cb9d8 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.33.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.33.bb @@ -61,6 +61,11 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch \ file://CVE-2021-27645.patch \ file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \ + file://CVE-2021-33574_1.patch \ + file://CVE-2021-33574_2.patch \ + file://CVE-2021-35942.patch \ + file://0001-CVE-2021-38604.patch \ + file://0002-CVE-2021-38604.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" diff --git a/poky/meta/recipes-core/initrdscripts/initramfs-framework/setup-live b/poky/meta/recipes-core/initrdscripts/initramfs-framework/setup-live index 4c79f41285..7e92f93322 100644 --- a/poky/meta/recipes-core/initrdscripts/initramfs-framework/setup-live +++ b/poky/meta/recipes-core/initrdscripts/initramfs-framework/setup-live @@ -1,4 +1,4 @@ -#/bin/sh +#!/bin/sh # Copyright (C) 2011 O.S. Systems Software LTDA. # Licensed on MIT diff --git a/poky/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb b/poky/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb index c53a0c03ae..fe24215b46 100644 --- a/poky/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb +++ b/poky/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb @@ -31,7 +31,7 @@ do_install() { install -m 0755 ${WORKDIR}/rootfs ${D}/init.d/90-rootfs install -m 0755 ${WORKDIR}/finish ${D}/init.d/99-finish - # exec + # exec install -m 0755 ${WORKDIR}/exec ${D}/init.d/89-exec # mdev diff --git a/poky/meta/recipes-core/initscripts/initscripts_1.0.bb b/poky/meta/recipes-core/initscripts/initscripts_1.0.bb index 5e994f2b7f..65f9c0ae8d 100644 --- a/poky/meta/recipes-core/initscripts/initscripts_1.0.bb +++ b/poky/meta/recipes-core/initscripts/initscripts_1.0.bb @@ -106,7 +106,8 @@ do_install () { install -m 0755 ${WORKDIR}/save-rtc.sh ${D}${sysconfdir}/init.d install -m 0644 ${WORKDIR}/volatiles ${D}${sysconfdir}/default/volatiles/00_core if [ ${@ oe.types.boolean('${VOLATILE_LOG_DIR}') } = True ]; then - echo "l root root 0755 /var/log /var/volatile/log" >> ${D}${sysconfdir}/default/volatiles/00_core + sed -i -e '\@^d root root 0755 /var/volatile/log none$@ a\l root root 0755 /var/log /var/volatile/log' \ + ${D}${sysconfdir}/default/volatiles/00_core fi install -m 0755 ${WORKDIR}/dmesg.sh ${D}${sysconfdir}/init.d install -m 0644 ${WORKDIR}/logrotate-dmesg.conf ${D}${sysconfdir}/ diff --git a/poky/meta/recipes-core/netbase/netbase_6.2.bb b/poky/meta/recipes-core/netbase/netbase_6.2.bb index a54d2e7764..c016d32dd3 100644 --- a/poky/meta/recipes-core/netbase/netbase_6.2.bb +++ b/poky/meta/recipes-core/netbase/netbase_6.2.bb @@ -6,11 +6,12 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://debian/copyright;md5=3dd6192d306f582dee7687da3d8748ab" PE = "1" -SRC_URI = "${DEBIAN_MIRROR}/main/n/${BPN}/${BPN}_${PV}.tar.xz" +SRC_URI = "git://salsa.debian.org/md/netbase.git;protocol=https" +SRCREV = "1c892c96a078ef28ec1a94681b3a0da7a3d545f7" inherit allarch -SRC_URI[sha256sum] = "309a24146a06347d654b261e9e07a82fab844b173674a42e223803dd8258541e" +S = "${WORKDIR}/git" UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netbase/" diff --git a/poky/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch b/poky/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch new file mode 100644 index 0000000000..d658123b81 --- /dev/null +++ b/poky/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch @@ -0,0 +1,51 @@ +From 498627ebda6271b59920f43a0b9b6187edeb7b09 Mon Sep 17 00:00:00 2001 +From: Adrian Herrera <adr.her.arc.95@gmail.com> +Date: Mon, 22 Mar 2021 21:06:47 +0000 +Subject: [PATCH] Fix VLA parameter warning + +Make VLA buffer types consistent in declarations and definitions. +Resolves build crash when using -Werror due to "vla-parameter" warning. + +Upstream-Status: Submitted [https://github.com/google/brotli/pull/893] +Signed-off-by: Adrian Herrera <adr.her.arc.95@gmail.com> +--- + c/dec/decode.c | 6 ++++-- + c/enc/encode.c | 5 +++-- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c +index 114c505..bb6f1ab 100644 +--- a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c ++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c +@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands( + } + + BrotliDecoderResult BrotliDecoderDecompress( +- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size, +- uint8_t* decoded_buffer) { ++ size_t encoded_size, ++ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)], ++ size_t* decoded_size, ++ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) { + BrotliDecoderState s; + BrotliDecoderResult result; + size_t total_out = 0; +diff --git a/c/enc/encode.c b/c/enc/encode.c +index 68548ef..ab0a490 100644 +--- a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c ++++ c/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c +@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream( + + BROTLI_BOOL BrotliEncoderCompress( + int quality, int lgwin, BrotliEncoderMode mode, size_t input_size, +- const uint8_t* input_buffer, size_t* encoded_size, +- uint8_t* encoded_buffer) { ++ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)], ++ size_t* encoded_size, ++ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) { + BrotliEncoderState* s; + size_t out_size = *encoded_size; + const uint8_t* input_start = input_buffer; +-- +2.31.1 + diff --git a/poky/meta/recipes-core/ovmf/ovmf_git.bb b/poky/meta/recipes-core/ovmf/ovmf_git.bb index 896b3b6320..9a1bfbd69c 100644 --- a/poky/meta/recipes-core/ovmf/ovmf_git.bb +++ b/poky/meta/recipes-core/ovmf/ovmf_git.bb @@ -17,6 +17,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \ file://0004-ovmf-Update-to-latest.patch \ file://zero.patch \ + file://0001-Fix-VLA-parameter-warning.patch \ " PV = "edk2-stable202102" diff --git a/poky/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch b/poky/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch new file mode 100644 index 0000000000..ff877d9175 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch @@ -0,0 +1,172 @@ +From ac6c7f2d2389c5c0ae90554a58f1c75f60cc8e5a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Thu, 24 Jun 2021 00:48:23 +0900 +Subject: [PATCH] sd-dhcp-client: check error earlier and reduce indentation + +Upstream-Status: Backport +CVE: CVE-2020-13529 +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/libsystemd-network/sd-dhcp-client.c | 128 ++++++++++++------------ + 1 file changed, 64 insertions(+), 64 deletions(-) + +diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c +index d472fcd941..86bc3c6181 100644 +--- a/src/libsystemd-network/sd-dhcp-client.c ++++ b/src/libsystemd-network/sd-dhcp-client.c +@@ -1770,21 +1770,21 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i + case DHCP_STATE_SELECTING: + + r = client_handle_offer(client, message, len); +- if (r >= 0) { ++ if (r == -ENOMSG) ++ return 0; /* invalid message, let's ignore it */ ++ if (r < 0) ++ goto error; + +- client->state = DHCP_STATE_REQUESTING; +- client->attempt = 0; ++ client->state = DHCP_STATE_REQUESTING; ++ client->attempt = 0; + +- r = event_reset_time(client->event, &client->timeout_resend, +- clock_boottime_or_monotonic(), +- 0, 0, +- client_timeout_resend, client, +- client->event_priority, "dhcp4-resend-timer", true); +- if (r < 0) +- goto error; +- } else if (r == -ENOMSG) +- /* invalid message, let's ignore it */ +- return 0; ++ r = event_reset_time(client->event, &client->timeout_resend, ++ clock_boottime_or_monotonic(), ++ 0, 0, ++ client_timeout_resend, client, ++ client->event_priority, "dhcp4-resend-timer", true); ++ if (r < 0) ++ goto error; + + break; + +@@ -1794,47 +1794,9 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i + case DHCP_STATE_REBINDING: + + r = client_handle_ack(client, message, len); +- if (r >= 0) { +- client->start_delay = 0; +- (void) event_source_disable(client->timeout_resend); +- client->receive_message = +- sd_event_source_unref(client->receive_message); +- client->fd = safe_close(client->fd); +- +- if (IN_SET(client->state, DHCP_STATE_REQUESTING, +- DHCP_STATE_REBOOTING)) +- notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE; +- else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE) +- notify_event = r; +- +- client->state = DHCP_STATE_BOUND; +- client->attempt = 0; +- +- client->last_addr = client->lease->address; +- +- r = client_set_lease_timeouts(client); +- if (r < 0) { +- log_dhcp_client(client, "could not set lease timeouts"); +- goto error; +- } +- +- r = dhcp_network_bind_udp_socket(client->ifindex, client->lease->address, client->port, client->ip_service_type); +- if (r < 0) { +- log_dhcp_client(client, "could not bind UDP socket"); +- goto error; +- } +- +- client->fd = r; +- +- client_initialize_io_events(client, client_receive_message_udp); +- +- if (notify_event) { +- client_notify(client, notify_event); +- if (client->state == DHCP_STATE_STOPPED) +- return 0; +- } +- +- } else if (r == -EADDRNOTAVAIL) { ++ if (r == -ENOMSG) ++ return 0; /* invalid message, let's ignore it */ ++ if (r == -EADDRNOTAVAIL) { + /* got a NAK, let's restart the client */ + client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED); + +@@ -1853,21 +1815,59 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i + RESTART_AFTER_NAK_MIN_USEC, RESTART_AFTER_NAK_MAX_USEC); + + return 0; +- } else if (r == -ENOMSG) +- /* invalid message, let's ignore it */ +- return 0; ++ } ++ if (r < 0) ++ goto error; ++ ++ client->start_delay = 0; ++ (void) event_source_disable(client->timeout_resend); ++ client->receive_message = sd_event_source_unref(client->receive_message); ++ client->fd = safe_close(client->fd); ++ ++ if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING)) ++ notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE; ++ else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE) ++ notify_event = r; ++ ++ client->state = DHCP_STATE_BOUND; ++ client->attempt = 0; ++ ++ client->last_addr = client->lease->address; ++ ++ r = client_set_lease_timeouts(client); ++ if (r < 0) { ++ log_dhcp_client(client, "could not set lease timeouts"); ++ goto error; ++ } ++ ++ r = dhcp_network_bind_udp_socket(client->ifindex, client->lease->address, client->port, client->ip_service_type); ++ if (r < 0) { ++ log_dhcp_client(client, "could not bind UDP socket"); ++ goto error; ++ } ++ ++ client->fd = r; ++ ++ client_initialize_io_events(client, client_receive_message_udp); ++ ++ if (notify_event) { ++ client_notify(client, notify_event); ++ if (client->state == DHCP_STATE_STOPPED) ++ return 0; ++ } + + break; + + case DHCP_STATE_BOUND: + r = client_handle_forcerenew(client, message, len); +- if (r >= 0) { +- r = client_timeout_t1(NULL, 0, client); +- if (r < 0) +- goto error; +- } else if (r == -ENOMSG) +- /* invalid message, let's ignore it */ +- return 0; ++ if (r == -ENOMSG) ++ return 0; /* invalid message, let's ignore it */ ++ if (r < 0) ++ goto error; ++ ++ r = client_timeout_t1(NULL, 0, client); ++ if (r < 0) ++ goto error; + + break; + diff --git a/poky/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch b/poky/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch new file mode 100644 index 0000000000..41d0c7b1e4 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch @@ -0,0 +1,66 @@ +From 875f3773e383d99e7d43020f02acad7681a05914 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Thu, 24 Jun 2021 00:51:52 +0900 +Subject: [PATCH] sd-dhcp-client: shorten code a bit + +Upstream-Status: Backport +CVE: CVE-2020-13529 +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/libsystemd-network/sd-dhcp-client.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c +index 86bc3c6181..ef3a7d2c6b 100644 +--- a/src/libsystemd-network/sd-dhcp-client.c ++++ b/src/libsystemd-network/sd-dhcp-client.c +@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) { + static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, int len) { + DHCP_CLIENT_DONT_DESTROY(client); + char time_string[FORMAT_TIMESPAN_MAX]; +- int r = 0, notify_event = 0; ++ int r, notify_event = 0; + + assert(client); + assert(client->event); +@@ -1783,9 +1783,6 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i + 0, 0, + client_timeout_resend, client, + client->event_priority, "dhcp4-resend-timer", true); +- if (r < 0) +- goto error; +- + break; + + case DHCP_STATE_REBOOTING: +@@ -1813,7 +1810,6 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i + + client->start_delay = CLAMP(client->start_delay * 2, + RESTART_AFTER_NAK_MIN_USEC, RESTART_AFTER_NAK_MAX_USEC); +- + return 0; + } + if (r < 0) +@@ -1866,19 +1862,18 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i + goto error; + + r = client_timeout_t1(NULL, 0, client); +- if (r < 0) +- goto error; +- + break; + + case DHCP_STATE_INIT: + case DHCP_STATE_INIT_REBOOT: +- ++ r = 0; + break; + + case DHCP_STATE_STOPPED: + r = -EINVAL; + goto error; ++ default: ++ assert_not_reached("invalid state"); + } + + error: diff --git a/poky/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch b/poky/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch new file mode 100644 index 0000000000..07c7da8c21 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch @@ -0,0 +1,69 @@ +From 0ad3b0fffe622bffbe9f380c3e4cb99b0961bef5 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Thu, 24 Jun 2021 01:14:12 +0900 +Subject: [PATCH] sd-dhcp-client: logs when dhcp client unexpectedly gains a + new lease + +Previously, such situation is handled silently. + +Upstream-Status: Backport +CVE: CVE-2020-13529 +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/libsystemd-network/sd-dhcp-client.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c +index ef3a7d2c6b..04a75c6966 100644 +--- a/src/libsystemd-network/sd-dhcp-client.c ++++ b/src/libsystemd-network/sd-dhcp-client.c +@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) { + static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, int len) { + DHCP_CLIENT_DONT_DESTROY(client); + char time_string[FORMAT_TIMESPAN_MAX]; +- int r, notify_event = 0; ++ int r, notify_event; + + assert(client); + assert(client->event); +@@ -1815,16 +1815,16 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i + if (r < 0) + goto error; + ++ if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING)) ++ notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE; ++ else ++ notify_event = r; ++ + client->start_delay = 0; + (void) event_source_disable(client->timeout_resend); + client->receive_message = sd_event_source_unref(client->receive_message); + client->fd = safe_close(client->fd); + +- if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING)) +- notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE; +- else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE) +- notify_event = r; +- + client->state = DHCP_STATE_BOUND; + client->attempt = 0; + +@@ -1846,12 +1846,13 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i + + client_initialize_io_events(client, client_receive_message_udp); + +- if (notify_event) { ++ if (IN_SET(client->state, DHCP_STATE_RENEWING, DHCP_STATE_REBINDING) && ++ notify_event == SD_DHCP_CLIENT_EVENT_IP_ACQUIRE) ++ /* FIXME: hmm, maybe this is a bug... */ ++ log_dhcp_client(client, "client_handle_ack() returned SD_DHCP_CLIENT_EVENT_IP_ACQUIRE while DHCP client is %s the address, skipping callback.", ++ client->state == DHCP_STATE_RENEWING ? "renewing" : "rebinding"); ++ else + client_notify(client, notify_event); +- if (client->state == DHCP_STATE_STOPPED) +- return 0; +- } +- + break; + + case DHCP_STATE_BOUND: diff --git a/poky/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch b/poky/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch new file mode 100644 index 0000000000..c65fb45ab9 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch @@ -0,0 +1,42 @@ +From ae18277a6cfd04af8a914780f04a867254ab2341 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Thu, 24 Jun 2021 01:22:07 +0900 +Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command + +This makes DHCP client ignore FORCERENEW requests, as unauthenticated +FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). + +Let's re-enable this after RFC3118 (Authentication for DHCP Messages) +and/or RFC6704 (Forcerenew Nonce Authentication) are implemented. + +Fixes #16774. + +Upstream-Status: Backport +CVE: CVE-2020-13529 +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c +index 04a75c6966..54eb3a2ab0 100644 +--- a/src/libsystemd-network/sd-dhcp-client.c ++++ b/src/libsystemd-network/sd-dhcp-client.c +@@ -1536,9 +1536,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force, + if (r != DHCP_FORCERENEW) + return -ENOMSG; + ++#if 0 + log_dhcp_client(client, "FORCERENEW"); + + return 0; ++#else ++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP ++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW ++ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */ ++ log_dhcp_client(client, "Received FORCERENEW, ignoring."); ++ return -ENOMSG; ++#endif + } + + static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) { diff --git a/poky/meta/recipes-core/systemd/systemd_247.6.bb b/poky/meta/recipes-core/systemd/systemd_247.6.bb index 32afa159ec..f1db1e922b 100644 --- a/poky/meta/recipes-core/systemd/systemd_247.6.bb +++ b/poky/meta/recipes-core/systemd/systemd_247.6.bb @@ -27,6 +27,10 @@ SRC_URI += "file://touchscreen.rules \ file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \ file://0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch \ file://0001-analyze-resolve-executable-path-if-it-is-relative.patch \ + file://0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch \ + file://0002-sd-dhcp-client-shorten-code-a-bit.patch \ + file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \ + file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \ " # patches needed by musl diff --git a/poky/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb b/poky/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb index 75632d9434..da716674c3 100644 --- a/poky/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb +++ b/poky/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb @@ -7,7 +7,7 @@ LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://update-rc.d;beginline=5;endline=15;md5=d40a07c27f535425934bb5001f2037d9" SRC_URI = "git://git.yoctoproject.org/update-rc.d" -SRCREV = "4b150b25b38de688d25cde2b2d22c268ed65a748" +SRCREV = "8636cf478d426b568c1be11dbd9346f67e03adac" UPSTREAM_CHECK_COMMITS = "1" diff --git a/poky/meta/recipes-core/util-linux/util-linux.inc b/poky/meta/recipes-core/util-linux/util-linux.inc index 6b47f417aa..b21d6d46d2 100644 --- a/poky/meta/recipes-core/util-linux/util-linux.inc +++ b/poky/meta/recipes-core/util-linux/util-linux.inc @@ -36,5 +36,6 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin file://display_testname_for_subtest.patch \ file://avoid_parallel_tests.patch \ file://Automake-use-EXTRA_LTLIBRARIES-instead-of-noinst_LTL.patch \ + file://CVE-2021-37600.patch \ " SRC_URI[sha256sum] = "f7516ba9d8689343594356f0e5e1a5f0da34adfbc89023437735872bb5024c5f" diff --git a/poky/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch b/poky/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch new file mode 100644 index 0000000000..11934eee8d --- /dev/null +++ b/poky/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch @@ -0,0 +1,38 @@ +From 1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c Mon Sep 17 00:00:00 2001 +From: Karel Zak <kzak@redhat.com> +Date: Tue, 27 Jul 2021 11:58:31 +0200 +Subject: [PATCH] sys-utils/ipcutils: be careful when call calloc() for uint64 + nmembs + +Fix: https://github.com/karelzak/util-linux/issues/1395 +Signed-off-by: Karel Zak <kzak@redhat.com> + +CVE: CVE-2021-37600 + +after version 2.37.1 +https://github.com/karelzak/util-linux.git 1c9143d0c1d... +unmodified + +Upstream-Status: Backport + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + sys-utils/ipcutils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c +index e784c4d..18868cf 100644 +--- a/sys-utils/ipcutils.c ++++ b/sys-utils/ipcutils.c +@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p) + { + size_t i; + +- if (!p || !p->sem_nsems || p->sem_perm.id < 0) ++ if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0) + return; + + p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem)); +-- +2.7.4 + diff --git a/poky/meta/recipes-devtools/createrepo-c/createrepo-c_0.17.0.bb b/poky/meta/recipes-devtools/createrepo-c/createrepo-c_0.17.0.bb index e0433806b2..7480affbc0 100644 --- a/poky/meta/recipes-devtools/createrepo-c/createrepo-c_0.17.0.bb +++ b/poky/meta/recipes-devtools/createrepo-c/createrepo-c_0.17.0.bb @@ -33,8 +33,8 @@ do_install_append_class-native() { do_install_append_class-nativesdk() { create_wrapper ${D}/${bindir}/createrepo_c \ RPM_CONFIGDIR=${SDKPATHNATIVE}${libdir_nativesdk}/rpm \ - MAGIC=${SDKPATHNATIVE}${datadir}/misc/magic.mgc + MAGIC=${datadir}/misc/magic.mgc create_wrapper ${D}/${bindir}/modifyrepo_c \ - MAGIC=${SDKPATHNATIVE}${datadir}/misc/magic.mgc + MAGIC=${datadir}/misc/magic.mgc rm -rf ${D}/etc } diff --git a/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch new file mode 100644 index 0000000000..caeb560d32 --- /dev/null +++ b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch @@ -0,0 +1,22 @@ +Ensure "small" file systems also have the default inode size (256 bytes) so that +can store 64-bit timestamps and work past 2038. + +The "small" type is any size >3MB and <512MB, which covers a lot of relatively +small filesystems built by OE, especially when they're sized to fit the contents +and expand to the storage on boot. + +Upstream-Status: Inappropriate +Signed-off-by: Ross Burton <ross.burton@arm.com> + +diff --git a/misc/mke2fs.conf.in b/misc/mke2fs.conf.in +index 01e35cf8..29f41dc0 100644 +--- a/misc/mke2fs.conf.in ++++ b/misc/mke2fs.conf.in +@@ -16,7 +16,6 @@ + } + small = { + blocksize = 1024 +- inode_size = 128 + inode_ratio = 4096 + } + floppy = { diff --git a/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.1.bb b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.1.bb index be8b67c35d..ddc9bfec90 100644 --- a/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.1.bb +++ b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.1.bb @@ -8,6 +8,7 @@ SRC_URI += "file://remove.ldconfig.call.patch \ SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \ file://quiet-debugfs.patch \ + file://big-inodes-for-small-fs.patch \ " diff --git a/poky/meta/recipes-devtools/go/go-1.16.5.inc b/poky/meta/recipes-devtools/go/go-1.16.7.inc index bd928e44f8..ed2d94671b 100644 --- a/poky/meta/recipes-devtools/go/go-1.16.5.inc +++ b/poky/meta/recipes-devtools/go/go-1.16.7.inc @@ -1,7 +1,7 @@ require go-common.inc GO_BASEVERSION = "1.16" -PV = "1.16.5" +PV = "1.16.7" FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:" LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" @@ -16,5 +16,6 @@ SRC_URI += "\ file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ + file://0001-encoding-xml-handle-leading-trailing-or-double-colon.patch \ " -SRC_URI[main.sha256sum] = "7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80" +SRC_URI[main.sha256sum] = "1a9f2894d3d878729f7045072f30becebe243524cf2fce4e0a7b248b1e0654ac" diff --git a/poky/meta/recipes-devtools/go/go-1.16/0001-encoding-xml-handle-leading-trailing-or-double-colon.patch b/poky/meta/recipes-devtools/go/go-1.16/0001-encoding-xml-handle-leading-trailing-or-double-colon.patch new file mode 100644 index 0000000000..3c47157d1a --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.16/0001-encoding-xml-handle-leading-trailing-or-double-colon.patch @@ -0,0 +1,123 @@ +From 4d014e723165f28b34458edb4aa9136e0fb4c702 Mon Sep 17 00:00:00 2001 +From: Filippo Valsorda <filippo@golang.org> +Date: Tue, 27 Oct 2020 00:17:15 +0100 +Subject: [PATCH] encoding/xml: handle leading, trailing, or double colons in + names + +Before this change, <:name> would parse as <name>, which could cause +issues in applications that rely on the parse-encode cycle to +round-trip. Similarly, <x name:=""> would parse as expected but then +have the attribute dropped when serializing because its name was empty. +Finally, <a:b:c> would parse and get serialized incorrectly. All these +values are invalid XML, but to minimize the impact of this change, we +parse them whole into Name.Local. + +This issue was reported by Juho Nurminen of Mattermost as it leads to +round-trip mismatches. See #43168. It's not being fixed in a security +release because round-trip stability is not a currently supported +security property of encoding/xml, and we don't believe these fixes +would be sufficient to reliably guarantee it in the future. + +Fixes CVE-2020-29509 +Fixes CVE-2020-29511 +Updates #43168 + +Change-Id: I68321c4d867305046f664347192948a889af3c7f +Reviewed-on: https://go-review.googlesource.com/c/go/+/277892 +Run-TryBot: Filippo Valsorda <filippo@golang.org> +TryBot-Result: Go Bot <gobot@golang.org> +Trust: Filippo Valsorda <filippo@golang.org> +Reviewed-by: Katie Hockman <katie@golang.org> + +CVE: CVE-2020-29509 CVE-2020-29511 +Upstream-Status: Backport [4d014e723165f28b34458edb4aa9136e0fb4c702] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/encoding/xml/xml.go | 5 ++-- + src/encoding/xml/xml_test.go | 56 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 59 insertions(+), 2 deletions(-) + +diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go +index 384d6ad4b8..c902f1295a 100644 +--- a/src/encoding/xml/xml.go ++++ b/src/encoding/xml/xml.go +@@ -1156,8 +1156,9 @@ func (d *Decoder) nsname() (name Name, ok bool) { + if !ok { + return + } +- i := strings.Index(s, ":") +- if i < 0 { ++ if strings.Count(s, ":") > 1 { ++ name.Local = s ++ } else if i := strings.Index(s, ":"); i < 1 || i > len(s)-2 { + name.Local = s + } else { + name.Space = s[0:i] +diff --git a/src/encoding/xml/xml_test.go b/src/encoding/xml/xml_test.go +index 5a10f5309d..47d0c39167 100644 +--- a/src/encoding/xml/xml_test.go ++++ b/src/encoding/xml/xml_test.go +@@ -1003,3 +1003,59 @@ func TestTokenUnmarshaler(t *testing.T) { + d := NewTokenDecoder(tokReader{}) + d.Decode(&Failure{}) + } ++ ++func testRoundTrip(t *testing.T, input string) { ++ d := NewDecoder(strings.NewReader(input)) ++ var tokens []Token ++ var buf bytes.Buffer ++ e := NewEncoder(&buf) ++ for { ++ tok, err := d.Token() ++ if err == io.EOF { ++ break ++ } ++ if err != nil { ++ t.Fatalf("invalid input: %v", err) ++ } ++ if err := e.EncodeToken(tok); err != nil { ++ t.Fatalf("failed to re-encode input: %v", err) ++ } ++ tokens = append(tokens, CopyToken(tok)) ++ } ++ if err := e.Flush(); err != nil { ++ t.Fatal(err) ++ } ++ ++ d = NewDecoder(&buf) ++ for { ++ tok, err := d.Token() ++ if err == io.EOF { ++ break ++ } ++ if err != nil { ++ t.Fatalf("failed to decode output: %v", err) ++ } ++ if len(tokens) == 0 { ++ t.Fatalf("unexpected token: %#v", tok) ++ } ++ a, b := tokens[0], tok ++ if !reflect.DeepEqual(a, b) { ++ t.Fatalf("token mismatch: %#v vs %#v", a, b) ++ } ++ tokens = tokens[1:] ++ } ++ if len(tokens) > 0 { ++ t.Fatalf("lost tokens: %#v", tokens) ++ } ++} ++ ++func TestRoundTrip(t *testing.T) { ++ tests := map[string]string{ ++ "leading colon": `<::Test ::foo="bar"><:::Hello></:::Hello><Hello></Hello></::Test>`, ++ "trailing colon": `<foo abc:="x"></foo>`, ++ "double colon": `<x:y:foo></x:y:foo>`, ++ } ++ for name, input := range tests { ++ t.Run(name, func(t *testing.T) { testRoundTrip(t, input) }) ++ } ++} +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/go/go-binary-native_1.16.5.bb b/poky/meta/recipes-devtools/go/go-binary-native_1.16.7.bb index b3e2b6a60e..cb54c2868e 100644 --- a/poky/meta/recipes-devtools/go/go-binary-native_1.16.5.bb +++ b/poky/meta/recipes-devtools/go/go-binary-native_1.16.7.bb @@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" PROVIDES = "go-native" SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}" -SRC_URI[go_linux_amd64.sha256sum] = "b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061" -SRC_URI[go_linux_arm64.sha256sum] = "d5446b46ef6f36fdffa852f73dfbbe78c1ddf010b99fa4964944b9ae8b4d6799" +SRC_URI[go_linux_amd64.sha256sum] = "7fe7a73f55ba3e2285da36f8b085e5c0159e9564ef5f63ee0ed6b818ade8ef04" +SRC_URI[go_linux_arm64.sha256sum] = "63d6b53ecbd2b05c1f0e9903c92042663f2f68afdbb67f4d0d12700156869bac" UPSTREAM_CHECK_URI = "https://golang.org/dl/" UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux" diff --git a/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.5.bb b/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.7.bb index 7ac9449e47..7ac9449e47 100644 --- a/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.5.bb +++ b/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.7.bb diff --git a/poky/meta/recipes-devtools/go/go-cross_1.16.5.bb b/poky/meta/recipes-devtools/go/go-cross_1.16.7.bb index 80b5a03f6c..80b5a03f6c 100644 --- a/poky/meta/recipes-devtools/go/go-cross_1.16.5.bb +++ b/poky/meta/recipes-devtools/go/go-cross_1.16.7.bb diff --git a/poky/meta/recipes-devtools/go/go-crosssdk_1.16.5.bb b/poky/meta/recipes-devtools/go/go-crosssdk_1.16.7.bb index 1857c8a577..1857c8a577 100644 --- a/poky/meta/recipes-devtools/go/go-crosssdk_1.16.5.bb +++ b/poky/meta/recipes-devtools/go/go-crosssdk_1.16.7.bb diff --git a/poky/meta/recipes-devtools/go/go-native_1.16.5.bb b/poky/meta/recipes-devtools/go/go-native_1.16.7.bb index f14892cdb0..f14892cdb0 100644 --- a/poky/meta/recipes-devtools/go/go-native_1.16.5.bb +++ b/poky/meta/recipes-devtools/go/go-native_1.16.7.bb diff --git a/poky/meta/recipes-devtools/go/go-runtime_1.16.5.bb b/poky/meta/recipes-devtools/go/go-runtime_1.16.7.bb index 63464a1501..63464a1501 100644 --- a/poky/meta/recipes-devtools/go/go-runtime_1.16.5.bb +++ b/poky/meta/recipes-devtools/go/go-runtime_1.16.7.bb diff --git a/poky/meta/recipes-devtools/go/go_1.16.5.bb b/poky/meta/recipes-devtools/go/go_1.16.7.bb index 4e9e0ebec8..4e9e0ebec8 100644 --- a/poky/meta/recipes-devtools/go/go_1.16.5.bb +++ b/poky/meta/recipes-devtools/go/go_1.16.7.bb diff --git a/poky/meta/recipes-devtools/pseudo/pseudo.inc b/poky/meta/recipes-devtools/pseudo/pseudo.inc index 65d6e5068d..e6512bc6e6 100644 --- a/poky/meta/recipes-devtools/pseudo/pseudo.inc +++ b/poky/meta/recipes-devtools/pseudo/pseudo.inc @@ -112,6 +112,19 @@ do_compile_prepend_class-nativesdk () { fi } +do_compile_append_class-native () { + if [ '${@bb.data.inherits_class('uninative', d)}' = 'True' ]; then + for i in PSEUDO_PORT_UNIX_SYNCFS PSEUDO_PORT_UIDS_GENERIC PSEUDO_PORT_LINUX_NEWCLONE PSEUDO_PORT_LINUX_XATTR PSEUDO_PORT_LINUX_STATVFS; do + grep $i.1 ${S}/pseudo_ports.h + if [ $? != 0 ]; then + echo "$i not enabled in pseudo which is incompatible with uninative" + exit 1 + fi + done + fi +} + + do_install () { oe_runmake 'DESTDIR=${D}' ${MAKEOPTS} 'LIB=lib/pseudo/lib$(MARK64)' install } diff --git a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb index 4eab133128..0ba460f3e6 100644 --- a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -6,7 +6,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \ file://fallback-group \ " -SRCREV = "ee24ebec9e5a11dd5208c9be2870f35eab3b9e20" +SRCREV = "b988b0a6b8afd8d459bc9a2528e834f63a3d59b2" S = "${WORKDIR}/git" PV = "1.9.0+git${SRCPV}" diff --git a/poky/meta/recipes-devtools/python/python3-pip/0001-Don-t-split-git-references-on-unicode-separators.patch b/poky/meta/recipes-devtools/python/python3-pip/0001-Don-t-split-git-references-on-unicode-separators.patch new file mode 100644 index 0000000000..f85353668a --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-pip/0001-Don-t-split-git-references-on-unicode-separators.patch @@ -0,0 +1,40 @@ +From 25c1b92b1add0b81afe2fc6f9e82f66738a2d800 Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin <trevor.gamblin@windriver.com> +Date: Thu, 22 Jul 2021 09:57:53 -0400 +Subject: [PATCH] Don't split git references on unicode separators + +Upstream-Status: Backport +(https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b) + +CVE: CVE-2021-3572 + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> +--- + src/pip/_internal/vcs/git.py | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py +index 7483303a9..d706064e7 100644 +--- a/src/pip/_internal/vcs/git.py ++++ b/src/pip/_internal/vcs/git.py +@@ -137,9 +137,15 @@ class Git(VersionControl): + output = cls.run_command(['show-ref', rev], cwd=dest, + show_stdout=False, on_returncode='ignore') + refs = {} +- for line in output.strip().splitlines(): ++ # NOTE: We do not use splitlines here since that would split on other ++ # unicode separators, which can be maliciously used to install a ++ # different revision. ++ for line in output.strip().split("\n"): ++ line = line.rstrip("\r") ++ if not line: ++ continue + try: +- sha, ref = line.split() ++ sha, ref = line.split(" ", maxsplit=2) + except ValueError: + # Include the offending line to simplify troubleshooting if + # this error ever occurs. +-- +2.31.1 + diff --git a/poky/meta/recipes-devtools/python/python3-pip_20.0.2.bb b/poky/meta/recipes-devtools/python/python3-pip_20.0.2.bb index 99eeea2edf..9242d0e82e 100644 --- a/poky/meta/recipes-devtools/python/python3-pip_20.0.2.bb +++ b/poky/meta/recipes-devtools/python/python3-pip_20.0.2.bb @@ -6,7 +6,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8ba06d529c955048e5ddd7c45459eb2e" DEPENDS += "python3 python3-setuptools-native" -SRC_URI += "file://0001-change-shebang-to-python3.patch" +SRC_URI += "file://0001-change-shebang-to-python3.patch \ + file://0001-Don-t-split-git-references-on-unicode-separators.patch \ + " SRC_URI[md5sum] = "7d42ba49b809604f0df3d55df1c3fd86" SRC_URI[sha256sum] = "7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f" diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index 3921546df7..c3eecea9d4 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc @@ -57,6 +57,18 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-27821.patch \ file://CVE-2021-20263.patch \ file://CVE-2021-3392.patch \ + file://0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch \ + file://0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch \ + file://0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch \ + file://0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch \ + file://0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch \ + file://0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch \ + file://0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch \ + file://CVE-2021-3527-1.patch \ + file://CVE-2021-3527-2.patch \ + file://CVE-2021-3582.patch \ + file://CVE-2021-3607.patch \ + file://CVE-2021-3608.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch new file mode 100644 index 0000000000..981c237292 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-vhost-user-gpu-fix-memory-disclosure-in-virgl_cmd_ge.patch @@ -0,0 +1,43 @@ +CVE: CVE-2021-3545 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:56 -0700 +Subject: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in + virgl_cmd_get_capset_info (CVE-2021-3545) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise some of the 'resp' will be leaked to guest. + +Fixes: CVE-2021-3545 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak +in getting capset info dispatch") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-2-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/virgl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 9e6660c7ab..6a332d601f 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g, + + VUGPU_FILL_CMD(info); + ++ memset(&resp, 0, sizeof(resp)); + if (info.capset_index == 0) { + resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; + virgl_renderer_get_cap_set(resp.capset_id, +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch b/poky/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch new file mode 100644 index 0000000000..a9aee47e39 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0002-vhost-user-gpu-fix-resource-leak-in-vg_resource_crea.patch @@ -0,0 +1,41 @@ +CVE: CVE-2021-3544 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:57 -0700 +Subject: [PATCH 2/7] vhost-user-gpu: fix resource leak in + 'vg_resource_create_2d' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Call 'vugbm_buffer_destroy' in error path to avoid resource leak. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-3-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c +index f73f292c9f..b5e153d0d6 100644 +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g, + g_critical("%s: resource creation failed %d %d %d", + __func__, c2d.resource_id, c2d.width, c2d.height); + g_free(res); ++ vugbm_buffer_destroy(&res->buffer); + cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; + return; + } +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch b/poky/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch new file mode 100644 index 0000000000..1718486405 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0003-vhost-user-gpu-fix-memory-leak-in-vg_resource_attach.patch @@ -0,0 +1,48 @@ +CVE: CVE-2021-3544 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From b9f79858a614d95f5de875d0ca31096eaab72c3b Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:58 -0700 +Subject: [PATCH 3/7] vhost-user-gpu: fix memory leak in + vg_resource_attach_backing (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Check whether the 'res' has already been attach_backing to avoid +memory leak. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak +in resource attach backing") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-4-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c +index b5e153d0d6..0437e52b64 100644 +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g, + return; + } + ++ if (res->iov) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; ++ return; ++ } ++ + ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); + if (ret != 0) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch b/poky/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch new file mode 100644 index 0000000000..9fc2fafe1d --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0004-vhost-user-gpu-fix-memory-leak-while-calling-vg_reso.patch @@ -0,0 +1,50 @@ +CVE: CVE-2021-3544 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:03:59 -0700 +Subject: [PATCH 4/7] vhost-user-gpu: fix memory leak while calling + 'vg_resource_unref' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the guest trigger following sequences, the attach_backing will be leaked: + + vg_resource_create_2d + vg_resource_attach_backing + vg_resource_unref + +This patch fix this by freeing 'res->iov' in vg_resource_destroy. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref") + +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-5-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c +index 0437e52b64..770dfad529 100644 +--- a/contrib/vhost-user-gpu/vhost-user-gpu.c ++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c +@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g, + } + + vugbm_buffer_destroy(&res->buffer); ++ g_free(res->iov); + pixman_image_unref(res->image); + QTAILQ_REMOVE(&g->reslist, res, next); + g_free(res); +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch b/poky/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch new file mode 100644 index 0000000000..e70f3c02c2 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0005-vhost-user-gpu-fix-memory-leak-in-virgl_cmd_resource.patch @@ -0,0 +1,58 @@ +CVE: CVE-2021-3544 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From f6091d86ba9ea05f4e111b9b42ee0005c37a6779 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:00 -0700 +Subject: [PATCH 5/7] vhost-user-gpu: fix memory leak in + 'virgl_cmd_resource_unref' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The 'res->iov' will be leaked if the guest trigger following sequences: + + virgl_cmd_create_resource_2d + virgl_resource_attach_backing + virgl_cmd_resource_unref + +This patch fixes this. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak +in virgl_cmd_resource_unref" + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-6-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/virgl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index 6a332d601f..c669d73a1d 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, + struct virtio_gpu_ctrl_command *cmd) + { + struct virtio_gpu_resource_unref unref; ++ struct iovec *res_iovs = NULL; ++ int num_iovs = 0; + + VUGPU_FILL_CMD(unref); + ++ virgl_renderer_resource_detach_iov(unref.resource_id, ++ &res_iovs, ++ &num_iovs); ++ g_free(res_iovs); ++ + virgl_renderer_resource_unref(unref.resource_id); + } + +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch b/poky/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch new file mode 100644 index 0000000000..5efb87ca33 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0006-vhost-user-gpu-fix-memory-leak-in-virgl_resource_att.patch @@ -0,0 +1,49 @@ +CVE: CVE-2021-3544 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:01 -0700 +Subject: [PATCH 6/7] vhost-user-gpu: fix memory leak in + 'virgl_resource_attach_backing' (CVE-2021-3544) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will +be leaked. + +Fixes: CVE-2021-3544 +Reported-by: Li Qiang <liq3ea@163.com> +virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak +in resource attach backing") + +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-7-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/virgl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index c669d73a1d..a16a311d80 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, + res_iovs, att_rb.nr_entries); ++ if (ret != 0) { ++ g_free(res_iovs); ++ } + } + + static void +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch b/poky/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch new file mode 100644 index 0000000000..33e6a66193 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0007-vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch @@ -0,0 +1,49 @@ +CVE: CVE-2021-3546 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@163.com> +Date: Sat, 15 May 2021 20:04:02 -0700 +Subject: [PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' + (CVE-2021-3546) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If 'virgl_cmd_get_capset' set 'max_size' to 0, +the 'virgl_renderer_fill_caps' will write the data after the 'resp'. +This patch avoid this by checking the returned 'max_size'. + +virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check +virgl capabilities max_size") + +Fixes: CVE-2021-3546 +Reported-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Li Qiang <liq3ea@163.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20210516030403.107723-8-liq3ea@163.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + contrib/vhost-user-gpu/virgl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c +index a16a311d80..7172104b19 100644 +--- a/contrib/vhost-user-gpu/virgl.c ++++ b/contrib/vhost-user-gpu/virgl.c +@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); ++ if (!max_size) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; ++ return; ++ } + resp = g_malloc0(sizeof(*resp) + max_size); + + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch new file mode 100644 index 0000000000..77a5385692 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch @@ -0,0 +1,42 @@ +From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 3 May 2021 15:29:15 +0200 +Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) + +usb-host and usb-redirect try to batch bulk transfers by combining many +small usb packets into a single, large transfer request, to reduce the +overhead and improve performance. + +This patch adds a size limit of 1 MiB for those combined packets to +restrict the host resources the guest can bind that way. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> + +Upstream-Status: Backport +https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c +CVE: CVE-2021-3527 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + hw/usb/combined-packet.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c +index 5d57e883dc..e56802f89a 100644 +--- a/hw/usb/combined-packet.c ++++ b/hw/usb/combined-packet.c +@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) + if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || + next == NULL || + /* Work around for Linux usbfs bulk splitting + migration */ +- (totalsize == (16 * KiB - 36) && p->int_req)) { ++ (totalsize == (16 * KiB - 36) && p->int_req) || ++ /* Next package may grow combined package over 1MiB */ ++ totalsize > 1 * MiB - ep->max_packet_size) { + usb_device_handle_data(ep->dev, first); + assert(first->status == USB_RET_ASYNC); + if (first->combined) { +-- +GitLab + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch new file mode 100644 index 0000000000..6371aced12 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch @@ -0,0 +1,59 @@ +From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 3 May 2021 15:29:12 +0200 +Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use autofree heap allocation instead. + +Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20210503132915.2335822-3-kraxel@redhat.com> + +Upstream-Status: Backport +https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 +CVE: CVE-2021-3527 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + hw/usb/redirect.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index 17f06f3417..6a75b0dc4a 100644 +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, + .endpoint = ep, + .length = p->iov.size + }; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + /* No id, we look at the ep when receiving a status back */ + usb_packet_copy(p, buf, p->iov.size); + usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, +@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, + usbredirparser_send_bulk_packet(dev->parser, p->id, + &bulk_packet, NULL, 0); + } else { +- uint8_t buf[size]; ++ g_autofree uint8_t *buf = g_malloc(size); + usb_packet_copy(p, buf, size); + usbredir_log_data(dev, "bulk data out:", buf, size); + usbredirparser_send_bulk_packet(dev->parser, p->id, +@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, + USBPacket *p, uint8_t ep) + { + struct usb_redir_interrupt_packet_header interrupt_packet; +- uint8_t buf[p->iov.size]; ++ g_autofree uint8_t *buf = g_malloc(p->iov.size); + + DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, + p->iov.size, p->id); +-- +GitLab + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch new file mode 100644 index 0000000000..7a88e29384 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch @@ -0,0 +1,47 @@ +From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001 +From: Marcel Apfelbaum <marcel@redhat.com> +Date: Wed, 16 Jun 2021 14:06:00 +0300 +Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device + (CVE-2021-3582) + +Ensure mremap boundaries not trusting the guest kernel to +pass the correct buffer length. + +Fixes: CVE-2021-3582 +Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> +Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> +Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> + +CVE: CVE-2021-3582 +Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c +index f59879e257..da7ddfa548 100644 +--- a/hw/rdma/vmw/pvrdma_cmd.c ++++ b/hw/rdma/vmw/pvrdma_cmd.c +@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma, + return NULL; + } + ++ length = ROUND_UP(length, TARGET_PAGE_SIZE); ++ if (nchunks * TARGET_PAGE_SIZE != length) { ++ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, ++ (unsigned long)length); ++ return NULL; ++ } ++ + dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory"); +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch new file mode 100644 index 0000000000..0547c74484 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch @@ -0,0 +1,43 @@ +From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001 +From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> +Date: Wed, 30 Jun 2021 14:46:34 +0300 +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) + +Check the guest passed a non zero page count +for pvrdma device ring buffers. + +Fixes: CVE-2021-3607 +Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> +Message-Id: <20210630114634.2168872-1-marcel@redhat.com> +Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> + +CVE: CVE-2021-3607 +Upstream-Status: Backport [32e5703cfea07c91e6e84bcb0313f633bb146534] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/rdma/vmw/pvrdma_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 84ae8024fc..7c0c3551a8 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + uint64_t *dir, *tbl; + int rc = 0; + ++ if (!num_pages) { ++ rdma_error_report("Ring pages count must be strictly positive"); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch new file mode 100644 index 0000000000..22d68b025d --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch @@ -0,0 +1,43 @@ +From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001 +From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> +Date: Wed, 30 Jun 2021 14:52:46 +0300 +Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Do not unmap uninitialized dma addresses. + +Fixes: CVE-2021-3608 +Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> +Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> +Message-Id: <20210630115246.2178219-1-marcel@redhat.com> +Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> + +CVE: CVE-2021-3608 +Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/rdma/vmw/pvrdma_dev_ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c +index 074ac59b84..42130667a7 100644 +--- a/hw/rdma/vmw/pvrdma_dev_ring.c ++++ b/hw/rdma/vmw/pvrdma_dev_ring.c +@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev, + qatomic_set(&ring->ring_state->cons_head, 0); + */ + ring->npages = npages; +- ring->pages = g_malloc(npages * sizeof(void *)); ++ ring->pages = g_malloc0(npages * sizeof(void *)); + + for (i = 0; i < npages; i++) { + if (!tbl[i]) { +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-all b/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-all index d6a85c4735..0427790825 100644 --- a/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-all +++ b/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-all @@ -1,2 +1,3 @@ drd/tests/bar_bad drd/tests/bar_bad_xml +none/tests/amd64/fb_test_amd64 diff --git a/poky/meta/recipes-extended/parted/files/check-vfat.patch b/poky/meta/recipes-extended/parted/files/check-vfat.patch new file mode 100644 index 0000000000..c64130a4e2 --- /dev/null +++ b/poky/meta/recipes-extended/parted/files/check-vfat.patch @@ -0,0 +1,51 @@ +Add checks for both mkfs.vfat and the vfat file system in the kernel before +running tests. + +Upstream-Status: Pending +Signed-off-by: Ross Burton <ross.burton@arm.com> + +diff --git a/tests/t-lib-helpers.sh b/tests/t-lib-helpers.sh +index 4c6c75f..2cc7577 100644 +--- a/tests/t-lib-helpers.sh ++++ b/tests/t-lib-helpers.sh +@@ -418,3 +418,13 @@ require_64bit_() + ;; + esac + } ++ ++# Check if the specified filesystem is either built into the kernel, or can be loaded ++# as a module ++# Usage: has_filesystem vfat ++# Ruturns 0 if the filesystem is available, otherwise skips the test ++require_filesystem_() ++{ ++ grep -q $1 /proc/filesystems && return 0 ++ modprobe --quiet --dry-run $1 || skip_ "this test requires kernel support for $1" ++} +diff --git a/tests/t1100-busy-label.sh b/tests/t1100-busy-label.sh +index f1a13df..0f47b08 100755 +--- a/tests/t1100-busy-label.sh ++++ b/tests/t1100-busy-label.sh +@@ -19,6 +19,9 @@ + . "${srcdir=.}/init.sh"; path_prepend_ ../parted + require_root_ + require_scsi_debug_module_ ++require_fat_ ++require_filesystem_ vfat ++ + ss=$sector_size_ + + scsi_debug_setup_ sector_size=$ss dev_size_mb=90 > dev-name || +diff --git a/tests/t1101-busy-partition.sh b/tests/t1101-busy-partition.sh +index e35e6f0..c813848 100755 +--- a/tests/t1101-busy-partition.sh ++++ b/tests/t1101-busy-partition.sh +@@ -22,6 +22,8 @@ test "$VERBOSE" = yes && parted --version + + require_root_ + require_scsi_debug_module_ ++require_fat_ ++require_filesystem_ vfat + + # create memory-backed device + scsi_debug_setup_ dev_size_mb=80 > dev-name || diff --git a/poky/meta/recipes-extended/parted/files/run-ptest b/poky/meta/recipes-extended/parted/files/run-ptest index 374f1bfbc9..c3d6fca339 100644 --- a/poky/meta/recipes-extended/parted/files/run-ptest +++ b/poky/meta/recipes-extended/parted/files/run-ptest @@ -2,6 +2,6 @@ mkdir -p /etc/udev/mount.blacklist.d echo /dev/sda1 >> /etc/udev/mount.blacklist.d/parted-tmp -rm -f *.log +rm -f tests/*.log make -C tests test-suite.log rm /etc/udev/mount.blacklist.d/parted-tmp diff --git a/poky/meta/recipes-extended/parted/parted_3.4.bb b/poky/meta/recipes-extended/parted/parted_3.4.bb index c15f5aeb0b..4260f3a0d4 100644 --- a/poky/meta/recipes-extended/parted/parted_3.4.bb +++ b/poky/meta/recipes-extended/parted/parted_3.4.bb @@ -11,6 +11,7 @@ SRC_URI = "${GNU_MIRROR}/parted/parted-${PV}.tar.xz \ file://fix-doc-mandir.patch \ file://0002-libparted_fs_resize-link-against-libuuid-explicitly-.patch \ file://run-ptest \ + file://check-vfat.patch \ " SRC_URI[md5sum] = "357d19387c6e7bc4a8a90fe2d015fe80" @@ -35,10 +36,13 @@ do_install_ptest() { cp ${S}/build-aux/test-driver $t/build-aux/ cp -r ${S}/tests $t cp ${B}/tests/Makefile $t/tests/ + mkdir $t/lib + cp ${B}/lib/config.h $t/lib sed -i "s|^VERSION.*|VERSION = ${PV}|g" $t/tests/Makefile sed -i "s|^srcdir =.*|srcdir = \.|g" $t/tests/Makefile sed -i "s|^abs_srcdir =.*|abs_srcdir = \.|g" $t/tests/Makefile - sed -i "s|^abs_top_srcdir =.*|abs_top_srcdir = \.\.|g" $t/tests/Makefile + sed -i "s|^abs_top_srcdir =.*|abs_top_srcdir = "${PTEST_PATH}"|g" $t/tests/Makefile + sed -i "s|^abs_top_builddir =.*|abs_top_builddir = "${PTEST_PATH}"|g" $t/tests/Makefile sed -i "s|^Makefile:.*|Makefile:|g" $t/tests/Makefile sed -i "/^BUILDINFO.*$/d" $t/tests/Makefile for i in print-align print-max print-flags dup-clobber duplicate fs-resize; \ @@ -47,8 +51,8 @@ do_install_ptest() { sed -e 's| ../parted||' -i $t/tests/*.sh } -RDEPENDS_${PN}-ptest = "bash coreutils perl util-linux-losetup python3 make gawk e2fsprogs-mke2fs python3-core" -RRECOMMENDS_${PN}-ptest = "kernel-module-scsi-debug" +RDEPENDS_${PN}-ptest = "bash coreutils perl util-linux-losetup util-linux-mkswap python3 make gawk e2fsprogs-mke2fs e2fsprogs-tune2fs python3-core dosfstools" +RRECOMMENDS_${PN}-ptest += "kernel-module-scsi-debug kernel-module-loop kernel-module-vfat" RDEPENDS_${PN}-ptest_append_libc-glibc = "\ glibc-utils \ locale-base-en-us \ diff --git a/poky/meta/recipes-extended/stress-ng/stress-ng/no_daddr_t.patch b/poky/meta/recipes-extended/stress-ng/stress-ng/no_daddr_t.patch deleted file mode 100644 index dba4494b91..0000000000 --- a/poky/meta/recipes-extended/stress-ng/stress-ng/no_daddr_t.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 55e11765af2bdc8adfac87dab1fb2682f7e6c236 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Tue, 9 Jun 2020 22:10:28 -0700 -Subject: [PATCH] Define daddr_t if __DADDR_T_TYPE is not defined - -glibc defined daddr_t but musl does not, ideally it should not be used -and simple int type is enough. However, its better to leave glibc behavior -as it is and only define it to int if daddr_t is not provided by libc - -Upstream-Status: Pending - -Signed-off-by: Khem Raj <raj.khem@gmail.com> - ---- - stress-ng.h | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/stress-ng.h b/stress-ng.h -index 1a66293..802dc25 100644 ---- a/stress-ng.h -+++ b/stress-ng.h -@@ -3763,6 +3763,10 @@ struct shim_statx { - uint64_t __spare2[14]; - }; - -+#ifndef __DADDR_T_TYPE -+typedef int daddr_t; -+#endif -+ - /* old ustat struct */ - struct shim_ustat { - #if defined(HAVE_DADDR_T) diff --git a/poky/meta/recipes-extended/stress-ng/stress-ng_0.12.05.bb b/poky/meta/recipes-extended/stress-ng/stress-ng_0.12.05.bb index eb6bdb4a81..3770ba9ae1 100644 --- a/poky/meta/recipes-extended/stress-ng/stress-ng_0.12.05.bb +++ b/poky/meta/recipes-extended/stress-ng/stress-ng_0.12.05.bb @@ -7,7 +7,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRC_URI = "https://kernel.ubuntu.com/~cking/tarballs/${BPN}/${BP}.tar.xz \ file://0001-Do-not-preserve-ownership-when-installing-example-jo.patch \ - file://no_daddr_t.patch \ " SRC_URI[sha256sum] = "af7779aee38e6d94726ed7d5cf36384a64d50c86e42fff89c141d8609913f425" @@ -24,4 +23,3 @@ do_install() { oe_runmake DESTDIR=${D} install ln -s stress-ng ${D}${bindir}/stress } - diff --git a/poky/meta/recipes-extended/tar/tar_1.34.bb b/poky/meta/recipes-extended/tar/tar_1.34.bb index af04919c41..66c11cbfea 100644 --- a/poky/meta/recipes-extended/tar/tar_1.34.bb +++ b/poky/meta/recipes-extended/tar/tar_1.34.bb @@ -61,3 +61,6 @@ PROVIDES_append_class-native = " tar-replacement-native" NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}" BBCLASSEXTEND = "native nativesdk" + +# These are both specific to the NPM package node-tar +CVE_CHECK_WHITELIST += "CVE-2021-32803 CVE-2021-32804" diff --git a/poky/meta/recipes-extended/zstd/zstd_1.4.9.bb b/poky/meta/recipes-extended/zstd/zstd_1.4.9.bb index b86fdf8b2d..44224ec627 100644 --- a/poky/meta/recipes-extended/zstd/zstd_1.4.9.bb +++ b/poky/meta/recipes-extended/zstd/zstd_1.4.9.bb @@ -16,6 +16,8 @@ SRC_URI = "git://github.com/facebook/zstd.git;branch=release \ SRCREV = "e4558ffd1dc49399faf4ee5d85abed4386b4dcf5" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" +CVE_PRODUCT = "zstandard" + S = "${WORKDIR}/git" PACKAGECONFIG ??= "" diff --git a/poky/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.66.1.bb b/poky/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.66.1.bb index ebac8d3a43..3b884f03e9 100644 --- a/poky/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.66.1.bb +++ b/poky/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.66.1.bb @@ -6,7 +6,7 @@ generation for bindings, API verification and documentation generation." HOMEPAGE = "https://wiki.gnome.org/action/show/Projects/GObjectIntrospection" BUGTRACKER = "https://gitlab.gnome.org/GNOME/gobject-introspection/issues" SECTION = "libs" -LICENSE = "LGPLv2+ & GPLv2+" +LICENSE = "LGPLv2+ & GPLv2+ & MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=c434e8128a68bedd59b80b2ac1eb1c4a \ file://tools/compiler.c;endline=20;md5=fc5007fc20022720e6c0b0cdde41fabd \ file://giscanner/sourcescanner.c;endline=22;md5=194d6e0c1d00662f32d030ce44de8d39 \ diff --git a/poky/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch b/poky/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch new file mode 100644 index 0000000000..7edcfe8de8 --- /dev/null +++ b/poky/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch @@ -0,0 +1,56 @@ +Upstream-Status: Submitted [https://github.com/nigels-com/glew/pull/311] +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 0ce0a85597db48a2fca619bd95e34af091e54ae8 Mon Sep 17 00:00:00 2001 +From: Ross Burton <ross.burton@arm.com> +Date: Thu, 22 Jul 2021 16:31:11 +0100 +Subject: [PATCH] Fix build race in Makefile + +The current rule for the binaries is: + +glew.bin: glew.lib bin bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN) + +In parallel builds, all of those targets happen at the same time. This +means that 'bin' can happen *after* 'bin/$(GLEWINFO.BIN)', which is a +problem as the 'bin' target's responsibility is to create the directory +that the other target writes into. + +Solve this by not having a separate 'create directory' target which is +fundamentally racy, and simply mkdir in each target which writes into it. +--- + Makefile | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/Makefile b/Makefile +index d0e4614..04af44c 100644 +--- a/Makefile ++++ b/Makefile +@@ -171,21 +171,20 @@ VISUALINFO.BIN.OBJ := $(VISUALINFO.BIN.OBJ:.c=.o) + # Don't build glewinfo or visualinfo for NaCL, yet. + + ifneq ($(filter nacl%,$(SYSTEM)),) +-glew.bin: glew.lib bin ++glew.bin: glew.lib + else +-glew.bin: glew.lib bin bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN) ++glew.bin: glew.lib bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN) + endif + +-bin: +- mkdir bin +- + bin/$(GLEWINFO.BIN): $(GLEWINFO.BIN.OBJ) $(LIB.SHARED.DIR)/$(LIB.SHARED) ++ @mkdir -p $(dir $@) + $(CC) $(CFLAGS) -o $@ $(GLEWINFO.BIN.OBJ) $(BIN.LIBS) + ifneq ($(STRIP),) + $(STRIP) -x $@ + endif + + bin/$(VISUALINFO.BIN): $(VISUALINFO.BIN.OBJ) $(LIB.SHARED.DIR)/$(LIB.SHARED) ++ @mkdir -p $(dir $@) + $(CC) $(CFLAGS) -o $@ $(VISUALINFO.BIN.OBJ) $(BIN.LIBS) + ifneq ($(STRIP),) + $(STRIP) -x $@ +-- +2.25.1 + diff --git a/poky/meta/recipes-graphics/glew/glew_2.2.0.bb b/poky/meta/recipes-graphics/glew/glew_2.2.0.bb index 8948444e08..92b6083648 100644 --- a/poky/meta/recipes-graphics/glew/glew_2.2.0.bb +++ b/poky/meta/recipes-graphics/glew/glew_2.2.0.bb @@ -6,6 +6,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=2ac251558de685c6b9478d89be3149c2" SRC_URI = "${SOURCEFORGE_MIRROR}/project/glew/glew/${PV}/glew-${PV}.tgz \ + file://0001-Fix-build-race-in-Makefile.patch \ file://no-strip.patch" SRC_URI[md5sum] = "3579164bccaef09e36c0af7f4fd5c7c7" diff --git a/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb b/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb index 5a3bb22ec3..00dd68006f 100644 --- a/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb +++ b/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb @@ -31,5 +31,7 @@ EXTRA_OEMESON = "-Dgtk=disabled -Dlibpng=disabled" # ld: pixman/libpixman-mmx.a(pixman-mmx.c.o): # linking mips:loongson_2f module with previous mips:isa64 modules EXTRA_OEMESON += "-Dloongson-mmi=disabled" +# disable iwmmxt due to compile fails on most arm platforms. +EXTRA_OEMESON += "-Diwmmxt=disabled" BBCLASSEXTEND = "native nativesdk" diff --git a/poky/meta/recipes-kernel/kmod/kmod_git.bb b/poky/meta/recipes-kernel/kmod/kmod_git.bb index 4f2b037f2f..f6fe049d92 100644 --- a/poky/meta/recipes-kernel/kmod/kmod_git.bb +++ b/poky/meta/recipes-kernel/kmod/kmod_git.bb @@ -24,13 +24,13 @@ do_install_append () { lnr ${D}${base_bindir}/kmod ${D}${base_sbindir}/${tool} done # configuration directories - install -dm755 ${D}${base_libdir}/depmod.d - install -dm755 ${D}${base_libdir}/modprobe.d + install -dm755 ${D}${nonarch_base_libdir}/depmod.d + install -dm755 ${D}${nonarch_base_libdir}/modprobe.d install -dm755 ${D}${sysconfdir}/depmod.d install -dm755 ${D}${sysconfdir}/modprobe.d # install depmod.d file for search/ dir - install -Dm644 "${WORKDIR}/depmod-search.conf" "${D}${base_libdir}/depmod.d/search.conf" + install -Dm644 "${WORKDIR}/depmod-search.conf" "${D}${nonarch_base_libdir}/depmod.d/search.conf" } do_compile_prepend() { @@ -57,6 +57,6 @@ ALTERNATIVE_LINK_NAME[depmod] = "${base_sbindir}/depmod" PACKAGES =+ "libkmod" FILES_libkmod = "${base_libdir}/libkmod*${SOLIBS} ${libdir}/libkmod*${SOLIBS}" -FILES_${PN} += "${base_libdir}/depmod.d ${base_libdir}/modprobe.d" +FILES_${PN} += "${nonarch_base_libdir}/depmod.d ${nonarch_base_libdir}/modprobe.d" BBCLASSEXTEND = "nativesdk" diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb index 26091fba70..513932984e 100644 --- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb +++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb @@ -303,8 +303,11 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-qat ${PN}-qat-license \ ${PN}-qcom-license \ ${PN}-qcom-venus-1.8 ${PN}-qcom-venus-4.2 ${PN}-qcom-venus-5.2 ${PN}-qcom-venus-5.4 \ - ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a530 ${PN}-qcom-adreno-a630 \ + ${PN}-qcom-vpu-1.0 ${PN}-qcom-vpu-2.0 \ + ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a530 \ + ${PN}-qcom-adreno-a630 ${PN}-qcom-adreno-a650 ${PN}-qcom-adreno-a660 \ ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \ + ${PN}-qcom-sm8250-audio ${PN}-qcom-sm8250-compute \ ${PN}-amlogic-vdec-license ${PN}-amlogic-vdec \ ${PN}-lt9611uxc ${PN}-lontium-license \ ${PN}-whence-license \ @@ -952,22 +955,34 @@ FILES_${PN}-qcom-venus-1.8 = "${nonarch_base_libdir}/firmware/qcom/venus-1.8/*" FILES_${PN}-qcom-venus-4.2 = "${nonarch_base_libdir}/firmware/qcom/venus-4.2/*" FILES_${PN}-qcom-venus-5.2 = "${nonarch_base_libdir}/firmware/qcom/venus-5.2/*" FILES_${PN}-qcom-venus-5.4 = "${nonarch_base_libdir}/firmware/qcom/venus-5.4/*" +FILES_${PN}-qcom-vpu-1.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-1.0/*" +FILES_${PN}-qcom-vpu-2.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-2.0/*" FILES_${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a300_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw" FILES_${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.*" FILES_${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*" +FILES_${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.* ${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*" +FILES_${PN}-qcom-adreno-a660 = "${nonarch_base_libdir}/firmware/qcom/a660*.*" FILES_${PN}-qcom-sdm845-audio = "${nonarch_base_libdir}/firmware/qcom/sdm845/adsp*.*" FILES_${PN}-qcom-sdm845-compute = "${nonarch_base_libdir}/firmware/qcom/sdm845/cdsp*.*" FILES_${PN}-qcom-sdm845-modem = "${nonarch_base_libdir}/firmware/qcom/sdm845/mba.mbn ${nonarch_base_libdir}/firmware/qcom/sdm845/modem*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/wlanmdsp.mbn" +FILES_${PN}-qcom-sm8250-audio = "${nonarch_base_libdir}/firmware/qcom/sm8250/adsp*.*" +FILES_${PN}-qcom-sm8250-compute = "${nonarch_base_libdir}/firmware/qcom/sm8250/cdsp*.*" RDEPENDS_${PN}-qcom-venus-1.8 = "${PN}-qcom-license" RDEPENDS_${PN}-qcom-venus-4.2 = "${PN}-qcom-license" RDEPENDS_${PN}-qcom-venus-5.2 = "${PN}-qcom-license" RDEPENDS_${PN}-qcom-venus-5.4 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-vpu-1.0 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-vpu-2.0 = "${PN}-qcom-license" RDEPENDS_${PN}-qcom-adreno-a3xx = "${PN}-qcom-license" RDEPENDS_${PN}-qcom-adreno-a530 = "${PN}-qcom-license" RDEPENDS_${PN}-qcom-adreno-a630 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-adreno-a650 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-adreno-a660 = "${PN}-qcom-license" RDEPENDS_${PN}-qcom-sdm845-audio = "${PN}-qcom-license" RDEPENDS_${PN}-qcom-sdm845-compute = "${PN}-qcom-license" RDEPENDS_${PN}-qcom-sdm845-modem = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-sm8250-audio = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-sm8250-compute = "${PN}-qcom-license" FILES_${PN}-liquidio = "${nonarch_base_libdir}/firmware/liquidio" diff --git a/poky/meta/recipes-kernel/linux/kernel-devsrc.bb b/poky/meta/recipes-kernel/linux/kernel-devsrc.bb index 92076ac8b0..a5eba7c03a 100644 --- a/poky/meta/recipes-kernel/linux/kernel-devsrc.bb +++ b/poky/meta/recipes-kernel/linux/kernel-devsrc.bb @@ -218,10 +218,10 @@ do_install() { if [ "${ARCH}" = "x86" ]; then # files for 'make prepare' to succeed with kernel-devel - cp -a --parents $(find arch/x86 -type f -name "syscall_32.tbl") $kerneldir/build/ - cp -a --parents $(find arch/x86 -type f -name "syscalltbl.sh") $kerneldir/build/ - cp -a --parents $(find arch/x86 -type f -name "syscallhdr.sh") $kerneldir/build/ - cp -a --parents $(find arch/x86 -type f -name "syscall_64.tbl") $kerneldir/build/ + cp -a --parents $(find arch/x86 -type f -name "syscall_32.tbl") $kerneldir/build/ 2>/dev/null || : + cp -a --parents $(find arch/x86 -type f -name "syscalltbl.sh") $kerneldir/build/ 2>/dev/null || : + cp -a --parents $(find arch/x86 -type f -name "syscallhdr.sh") $kerneldir/build/ 2>/dev/null || : + cp -a --parents $(find arch/x86 -type f -name "syscall_64.tbl") $kerneldir/build/ 2>/dev/null || : cp -a --parents arch/x86/tools/relocs_32.c $kerneldir/build/ cp -a --parents arch/x86/tools/relocs_64.c $kerneldir/build/ cp -a --parents arch/x86/tools/relocs.c $kerneldir/build/ @@ -320,7 +320,7 @@ RDEPENDS_${PN} = "bc python3 flex bison ${TCLIBC}-utils" # 4.15+ needs these next two RDEPENDS RDEPENDS_${PN} += "openssl-dev util-linux" # and x86 needs a bit more for 4.15+ -RDEPENDS_${PN} += "${@bb.utils.contains('ARCH', 'x86', 'elfutils', '', d)}" +RDEPENDS_${PN} += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-dev', '', d)}" # 5.8+ needs gcc-plugins libmpc-dev RDEPENDS_${PN} += "gcc-plugins libmpc-dev" # 5.13+ needs awk for arm64 diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb index e0d8280128..351970c03a 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "42032770803ba26765376967cef09945f48abe04" -SRCREV_meta ?= "82899c6a7119b9668be9ae508159f5ac96554cc2" +SRCREV_machine ?= "9ad4f13ee44c39e890638d8a2157adcf830fc7bc" +SRCREV_meta ?= "22257690910a1befc2ed8a98ef218bd0c5cfd844" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.10.47" +LINUX_VERSION ?= "5.10.57" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb index 7a4267531f..e810132d02 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "c86c4081f4764f57bbb26df8a9202c01799c3771" -SRCREV_meta ?= "c5e5dc4e13bd4882a8ed96b8026e6fd268b68f8a" +SRCREV_machine ?= "0ad6f2204daf35fb25df5e9b52383507df813bb4" +SRCREV_meta ?= "98ba88191b7c489bc0d83b6c87a31b2330fcd886" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.4.129" +LINUX_VERSION ?= "5.4.139" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb index 6b71573a39..b035ed3d15 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.10.47" +LINUX_VERSION ?= "5.10.57" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "eaad1adbc817d996edf44fdd520da4810e57e66d" -SRCREV_machine ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" -SRCREV_meta ?= "82899c6a7119b9668be9ae508159f5ac96554cc2" +SRCREV_machine_qemuarm ?= "60d8a10a1e8acdabbd61f3705b67b2112e7866e0" +SRCREV_machine ?= "df4ea731a9dc6e1076f3e2935d6689668d8f58ac" +SRCREV_meta ?= "22257690910a1befc2ed8a98ef218bd0c5cfd844" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb index 5d487ac23f..c734ce8db5 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.4.129" +LINUX_VERSION ?= "5.4.139" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "ca636d1a2ccbb2626c4eacbdb0da2c30654b108c" -SRCREV_machine ?= "d46f8ecb3f81bdba8131b90dc90174ecb36a1b78" -SRCREV_meta ?= "c5e5dc4e13bd4882a8ed96b8026e6fd268b68f8a" +SRCREV_machine_qemuarm ?= "a80ea6be16b19c18855f831333c93d4f3b55e58a" +SRCREV_machine ?= "405fce9e3f0314767e38b5e8295b34a24cd97a46" +SRCREV_meta ?= "98ba88191b7c489bc0d83b6c87a31b2330fcd886" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto.inc b/poky/meta/recipes-kernel/linux/linux-yocto.inc index a85280990b..eb3081ee31 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto.inc +++ b/poky/meta/recipes-kernel/linux/linux-yocto.inc @@ -34,6 +34,7 @@ KERNEL_LD_append_arc = " ${TOOLCHAIN_OPTIONS}" KERNEL_FEATURES_append_qemuall=" features/debug/printk.scc" KERNEL_FEATURES_append = " ${@bb.utils.contains('MACHINE_FEATURES', 'numa', 'features/numa/numa.scc', '', d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains('MACHINE_FEATURES', 'vfat', 'cfg/fs/vfat.scc', '', d)}" # A KMACHINE is the mapping of a yocto $MACHINE to what is built # by the kernel. This is typically the branch that should be built, diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb index 0315808989..05cfa54480 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb @@ -13,17 +13,17 @@ KBRANCH_qemux86 ?= "v5.10/standard/base" KBRANCH_qemux86-64 ?= "v5.10/standard/base" KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "8950bba5dc5b6139af3711cf82b6c35ea3ef873f" -SRCREV_machine_qemuarm64 ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" -SRCREV_machine_qemumips ?= "271e6f3b206246da2937788d83c3b4e57cb33da0" -SRCREV_machine_qemuppc ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" -SRCREV_machine_qemuriscv64 ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" -SRCREV_machine_qemuriscv32 ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" -SRCREV_machine_qemux86 ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" -SRCREV_machine_qemux86-64 ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" -SRCREV_machine_qemumips64 ?= "1112c8f8594df02dd6f2bd1cf13848536ca3f536" -SRCREV_machine ?= "52bcc5b2342739bbfc8fc385d151616883c4425c" -SRCREV_meta ?= "82899c6a7119b9668be9ae508159f5ac96554cc2" +SRCREV_machine_qemuarm ?= "21075c593dd7a09fc2e0fe4c1f751999fee1127a" +SRCREV_machine_qemuarm64 ?= "e32f43fed15419c8461207c4d2b76879920d5928" +SRCREV_machine_qemumips ?= "127501aba35af6e38f50ecd814da4416f361fd84" +SRCREV_machine_qemuppc ?= "219057449c55acde1060af4b63c2d1ba5ec19978" +SRCREV_machine_qemuriscv64 ?= "b1ff0bb0de7abc5039e0db14f66e01eb0a3c24bb" +SRCREV_machine_qemuriscv32 ?= "b1ff0bb0de7abc5039e0db14f66e01eb0a3c24bb" +SRCREV_machine_qemux86 ?= "b1ff0bb0de7abc5039e0db14f66e01eb0a3c24bb" +SRCREV_machine_qemux86-64 ?= "b1ff0bb0de7abc5039e0db14f66e01eb0a3c24bb" +SRCREV_machine_qemumips64 ?= "dd28c0cc8a79329b8b724821e7c09b210a2e2948" +SRCREV_machine ?= "b1ff0bb0de7abc5039e0db14f66e01eb0a3c24bb" +SRCREV_meta ?= "22257690910a1befc2ed8a98ef218bd0c5cfd844" # remap qemuarm to qemuarma15 for the 5.8 kernel # KMACHINE_qemuarm ?= "qemuarma15" @@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "5.10.47" +LINUX_VERSION ?= "5.10.57" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb index 94605b3942..fcf65149f0 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb @@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base" KBRANCH_qemux86-64 ?= "v5.4/standard/base" KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "dfb964733268c1e6f932900a384a793a0ca8de34" -SRCREV_machine_qemuarm64 ?= "7d3eac73a6edc8fdcd701bbb0aa8c21030eb2027" -SRCREV_machine_qemumips ?= "a40b68f2f4be601dfe020940ad29ac894cc31298" -SRCREV_machine_qemuppc ?= "a3258c8b1690ecfa620eae9552a75cec9224ecd4" -SRCREV_machine_qemuriscv64 ?= "e211c039dcd85ad2d4c1f1a70909d0eefef49778" -SRCREV_machine_qemux86 ?= "e211c039dcd85ad2d4c1f1a70909d0eefef49778" -SRCREV_machine_qemux86-64 ?= "e211c039dcd85ad2d4c1f1a70909d0eefef49778" -SRCREV_machine_qemumips64 ?= "dded4f6e58cd90c7333b5257c9327e5e30f78e26" -SRCREV_machine ?= "e211c039dcd85ad2d4c1f1a70909d0eefef49778" -SRCREV_meta ?= "c5e5dc4e13bd4882a8ed96b8026e6fd268b68f8a" +SRCREV_machine_qemuarm ?= "3d243cfd29a57dfe6b04a6a6cf1b1088d107f1f6" +SRCREV_machine_qemuarm64 ?= "dcac97a2b4469136189f86fe42703026693384be" +SRCREV_machine_qemumips ?= "ee74231b68518107954078d03d0606910603cf7a" +SRCREV_machine_qemuppc ?= "76c51679aa6b9c25fe2b5c2052e84197ff2e4e2d" +SRCREV_machine_qemuriscv64 ?= "807b4668ff7fe3be031ace442a84d70821ef9571" +SRCREV_machine_qemux86 ?= "807b4668ff7fe3be031ace442a84d70821ef9571" +SRCREV_machine_qemux86-64 ?= "807b4668ff7fe3be031ace442a84d70821ef9571" +SRCREV_machine_qemumips64 ?= "3396071f8ce8ca148231fee4d2130feeead41926" +SRCREV_machine ?= "807b4668ff7fe3be031ace442a84d70821ef9571" +SRCREV_meta ?= "98ba88191b7c489bc0d83b6c87a31b2330fcd886" # remap qemuarm to qemuarma15 for the 5.4 kernel # KMACHINE_qemuarm ?= "qemuarma15" @@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" -LINUX_VERSION ?= "5.4.129" +LINUX_VERSION ?= "5.4.139" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch new file mode 100644 index 0000000000..4fe80cffa1 --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch @@ -0,0 +1,35 @@ +From 073bad2fcae5be78c11a1623a20319107dfae9f8 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Fri, 28 May 2021 20:18:25 +0200 +Subject: [PATCH 1/5] avcodec/aacpsy: Avoid floating point division by 0 of + norm_fac + +Fixes: Ticket7995 +Fixes: CVE-2020-20446 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2020-20446 +Upstream-Status: Backport [223b5e8ac9f6461bb13ed365419ec485c5b2b002] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + libavcodec/aacpsy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c +index fca692cb15..bd444fecdc 100644 +--- a/libavcodec/aacpsy.c ++++ b/libavcodec/aacpsy.c +@@ -794,7 +794,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, + + if (pe < 1.15f * desired_pe) { + /* 6.6.1.3.6 "Final threshold modification by linearization" */ +- norm_fac = 1.0f / norm_fac; ++ norm_fac = norm_fac ? 1.0f / norm_fac : 0; + for (w = 0; w < wi->num_windows*16; w += 16) { + for (g = 0; g < num_bands; g++) { + AacPsyBand *band = &pch->band[w+g]; +-- +2.32.0 + diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch new file mode 100644 index 0000000000..4e430726b0 --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch @@ -0,0 +1,42 @@ +From 80f9cbee46757430af0769ec999ca702be652f7f Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Fri, 28 May 2021 21:37:26 +0200 +Subject: [PATCH 2/5] avcodec/aacenc: Avoid 0 lambda + +Fixes: Ticket8003 +Fixes: CVE-2020-20453 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2020-20453 +Upstream-Status: Backport [a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + libavcodec/aacenc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c +index db11e0ca29..9c6cb75be4 100644 +--- a/libavcodec/aacenc.c ++++ b/libavcodec/aacenc.c +@@ -28,6 +28,7 @@ + * TODOs: + * add sane pulse detection + ***********************************/ ++#include <float.h> + + #include "libavutil/libm.h" + #include "libavutil/thread.h" +@@ -856,7 +857,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, + /* Not so fast though */ + ratio = sqrtf(ratio); + } +- s->lambda = FFMIN(s->lambda * ratio, 65536.f); ++ s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); + + /* Keep iterating if we must reduce and lambda is in the sky */ + if (ratio > 0.9f && ratio < 1.1f) { +-- +2.32.0 + diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch new file mode 100644 index 0000000000..1fdb31de7d --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch @@ -0,0 +1,44 @@ +From dce5d2c2ee991f8cd96ab74d51a2d1a134a1a645 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Sat, 29 May 2021 09:22:27 +0200 +Subject: [PATCH 3/5] avformat/movenc: Check pal_size before use + +Fixes: assertion failure +Fixes: out of array read +Fixes: Ticket8190 +Fixes: CVE-2020-22015 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + + +CVE: CVE-2020-22015 +Upstream-Status: Backport [4c1afa292520329eecd1cc7631bc59a8cca95c46] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + libavformat/movenc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libavformat/movenc.c b/libavformat/movenc.c +index c34d86522a..9603704083 100644 +--- a/libavformat/movenc.c ++++ b/libavformat/movenc.c +@@ -2094,11 +2094,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex + avio_wb16(pb, 0x18); /* Reserved */ + + if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { +- int pal_size = 1 << track->par->bits_per_coded_sample; +- int i; ++ int pal_size, i; + avio_wb16(pb, 0); /* Color table ID */ + avio_wb32(pb, 0); /* Color table seed */ + avio_wb16(pb, 0x8000); /* Color table flags */ ++ if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) ++ return AVERROR(EINVAL); ++ pal_size = 1 << track->par->bits_per_coded_sample; + avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ + for (i = 0; i < pal_size; i++) { + uint32_t rgb = track->palette[i]; +-- +2.32.0 + diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch new file mode 100644 index 0000000000..05cba736ff --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch @@ -0,0 +1,87 @@ +From 384177ca945395c8cf0ebbddd4b8b1eae64e900f Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Sat, 29 May 2021 11:17:35 +0200 +Subject: [PATCH 4/5] avfilter/vf_yadif: Fix handing of tiny images + +Fixes: out of array access +Fixes: Ticket8240 +Fixes: CVE-2020-22021 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2020-22021 +Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + libavfilter/vf_yadif.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c +index 43dea67add..06fd24ecfa 100644 +--- a/libavfilter/vf_yadif.c ++++ b/libavfilter/vf_yadif.c +@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, + uint8_t *next2 = parity ? cur : next; + + const int edge = MAX_ALIGN - 1; ++ int offset = FFMAX(w - edge, 3); + + /* Only edge pixels need to be processed here. A constant value of false + * for is_not_edge should let the compiler ignore the whole branch. */ +- FILTER(0, 3, 0) ++ FILTER(0, FFMIN(3, w), 0) + +- dst = (uint8_t*)dst1 + w - edge; +- prev = (uint8_t*)prev1 + w - edge; +- cur = (uint8_t*)cur1 + w - edge; +- next = (uint8_t*)next1 + w - edge; ++ dst = (uint8_t*)dst1 + offset; ++ prev = (uint8_t*)prev1 + offset; ++ cur = (uint8_t*)cur1 + offset; ++ next = (uint8_t*)next1 + offset; + prev2 = (uint8_t*)(parity ? prev : cur); + next2 = (uint8_t*)(parity ? cur : next); + +- FILTER(w - edge, w - 3, 1) +- FILTER(w - 3, w, 0) ++ FILTER(offset, w - 3, 1) ++ offset = FFMAX(offset, w - 3); ++ FILTER(offset, w, 0) + } + + +@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, + uint16_t *next2 = parity ? cur : next; + + const int edge = MAX_ALIGN / 2 - 1; ++ int offset = FFMAX(w - edge, 3); + + mrefs /= 2; + prefs /= 2; + +- FILTER(0, 3, 0) ++ FILTER(0, FFMIN(3, w), 0) + +- dst = (uint16_t*)dst1 + w - edge; +- prev = (uint16_t*)prev1 + w - edge; +- cur = (uint16_t*)cur1 + w - edge; +- next = (uint16_t*)next1 + w - edge; ++ dst = (uint16_t*)dst1 + offset; ++ prev = (uint16_t*)prev1 + offset; ++ cur = (uint16_t*)cur1 + offset; ++ next = (uint16_t*)next1 + offset; + prev2 = (uint16_t*)(parity ? prev : cur); + next2 = (uint16_t*)(parity ? cur : next); + +- FILTER(w - edge, w - 3, 1) +- FILTER(w - 3, w, 0) ++ FILTER(offset, w - 3, 1) ++ offset = FFMAX(offset, w - 3); ++ FILTER(offset, w, 0) + } + + static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) +-- +2.32.0 + diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch new file mode 100644 index 0000000000..e98ddaaede --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch @@ -0,0 +1,39 @@ +From 2f3bf456fa641edf154a99c4586d7bf52c02a495 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Sat, 29 May 2021 09:58:31 +0200 +Subject: [PATCH 5/5] avfilter/vf_vmafmotion: Check dimensions + +Fixes: out of array access +Fixes: Ticket8241 +Fixes: Ticket8246 +Fixes: CVE-2020-22019 +Fixes: CVE-2020-22033 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2020-22033 +CVE: CVE-2020-22019 +Upstream-Status: Backport [82ad1b76751bcfad5005440db48c46a4de5d6f02] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + libavfilter/vf_vmafmotion.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c +index 88d0b35095..0730147e7d 100644 +--- a/libavfilter/vf_vmafmotion.c ++++ b/libavfilter/vf_vmafmotion.c +@@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, + int i; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + ++ if (w < 3 || h < 3) ++ return AVERROR(EINVAL); ++ + s->width = w; + s->height = h; + s->stride = FFALIGN(w * sizeof(uint16_t), 32); +-- +2.32.0 + diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb index 08be38ca50..0a49493abd 100644 --- a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb @@ -26,6 +26,11 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://mips64_cpu_detection.patch \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ + file://fix-CVE-2020-20446.patch \ + file://fix-CVE-2020-20453.patch \ + file://fix-CVE-2020-22015.patch \ + file://fix-CVE-2020-22021.patch \ + file://fix-CVE-2020-22033-CVE-2020-22019.patch \ " SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb" diff --git a/poky/meta/recipes-support/aspell/aspell_0.60.8.bb b/poky/meta/recipes-support/aspell/aspell_0.60.8.bb index 6548c54b64..9147c820e7 100644 --- a/poky/meta/recipes-support/aspell/aspell_0.60.8.bb +++ b/poky/meta/recipes-support/aspell/aspell_0.60.8.bb @@ -13,7 +13,9 @@ HOMEPAGE = "http://aspell.net/" LICENSE = "LGPLv2 | LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" -SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz" +SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \ + file://CVE-2019-25051.patch \ +" SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3" SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2" diff --git a/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch b/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch new file mode 100644 index 0000000000..8513f6de79 --- /dev/null +++ b/poky/meta/recipes-support/aspell/files/CVE-2019-25051.patch @@ -0,0 +1,101 @@ +From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001 +From: Kevin Atkinson <kevina@gnu.org> +Date: Sat, 21 Dec 2019 20:32:47 +0000 +Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk + to prevent a buffer overflow + +Bug found using OSS-Fuze. + +Upstream-Status: Backport +[https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a] +CVE: CVE-2019-25051 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + common/objstack.hpp | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/common/objstack.hpp b/common/objstack.hpp +index 3997bf7..bd97ccd 100644 +--- a/common/objstack.hpp ++++ b/common/objstack.hpp +@@ -5,6 +5,7 @@ + #include "parm_string.hpp" + #include <stdlib.h> + #include <assert.h> ++#include <stddef.h> + + namespace acommon { + +@@ -26,6 +27,12 @@ class ObjStack + byte * temp_end; + void setup_chunk(); + void new_chunk(); ++ bool will_overflow(size_t sz) const { ++ return offsetof(Node,data) + sz > chunk_size; ++ } ++ void check_size(size_t sz) { ++ assert(!will_overflow(sz)); ++ } + + ObjStack(const ObjStack &); + void operator=(const ObjStack &); +@@ -56,7 +63,7 @@ class ObjStack + void * alloc_bottom(size_t size) { + byte * tmp = bottom; + bottom += size; +- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;} ++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;} + return tmp; + } + // This alloc_bottom will insure that the object is aligned based on the +@@ -66,7 +73,7 @@ class ObjStack + align_bottom(align); + byte * tmp = bottom; + bottom += size; +- if (bottom > top) {new_chunk(); goto loop;} ++ if (bottom > top) {check_size(size); new_chunk(); goto loop;} + return tmp; + } + char * dup_bottom(ParmString str) { +@@ -79,7 +86,7 @@ class ObjStack + // always be aligned as such. + void * alloc_top(size_t size) { + top -= size; +- if (top < bottom) {new_chunk(); top -= size;} ++ if (top < bottom) {check_size(size); new_chunk(); top -= size;} + return top; + } + // This alloc_top will insure that the object is aligned based on +@@ -88,7 +95,7 @@ class ObjStack + {loop: + top -= size; + align_top(align); +- if (top < bottom) {new_chunk(); goto loop;} ++ if (top < bottom) {check_size(size); new_chunk(); goto loop;} + return top; + } + char * dup_top(ParmString str) { +@@ -117,6 +124,7 @@ class ObjStack + void * alloc_temp(size_t size) { + temp_end = bottom + size; + if (temp_end > top) { ++ check_size(size); + new_chunk(); + temp_end = bottom + size; + } +@@ -131,6 +139,7 @@ class ObjStack + } else { + size_t s = temp_end - bottom; + byte * p = bottom; ++ check_size(size); + new_chunk(); + memcpy(bottom, p, s); + temp_end = bottom + size; +@@ -150,6 +159,7 @@ class ObjStack + } else { + size_t s = temp_end - bottom; + byte * p = bottom; ++ check_size(size); + new_chunk(); + memcpy(bottom, p, s); + temp_end = bottom + size; diff --git a/poky/meta/recipes-support/curl/curl/CVE-2021-22901.patch b/poky/meta/recipes-support/curl/curl/CVE-2021-22901.patch new file mode 100644 index 0000000000..c5775c6306 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2021-22901.patch @@ -0,0 +1,453 @@ +From a801ebdc2b1c008fa72c31f1bf7773d99e6e2a2d Mon Sep 17 00:00:00 2001 +From: Harry Sintonen <sintonen@iki.fi> +Date: Tue, 3 Aug 2021 08:41:45 +0000 +Subject: [PATCH] openssl: associate/detach the transfer from connection + +CVE-2021-22901 + +Bug: https://curl.se/docs/CVE-2021-22901.html + +CVE: CVE-2021-22901 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/multi.c | 5 +- + lib/vtls/gskit.c | 4 +- + lib/vtls/gtls.c | 4 +- + lib/vtls/mbedtls.c | 4 +- + lib/vtls/mesalink.c | 4 +- + lib/vtls/nss.c | 4 +- + lib/vtls/openssl.c | 146 +++++++++++++++++++++++++++++++------------ + lib/vtls/schannel.c | 6 +- + lib/vtls/sectransp.c | 4 +- + lib/vtls/vtls.c | 23 ++++++- + lib/vtls/vtls.h | 12 ++++ + lib/vtls/wolfssl.c | 4 +- + 12 files changed, 170 insertions(+), 50 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index 85707a1..a4ff9ac 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -875,8 +875,10 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi) + void Curl_detach_connnection(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; +- if(conn) ++ if(conn) { + Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL); ++ Curl_ssl_detach_conn(data, conn); ++ } + data->conn = NULL; + } + +@@ -893,6 +895,7 @@ void Curl_attach_connnection(struct Curl_easy *data, + data->conn = conn; + Curl_llist_insert_next(&conn->easyq, conn->easyq.tail, data, + &data->conn_queue); ++ Curl_ssl_associate_conn(data, conn); + } + + static int waitconnect_getsock(struct connectdata *conn, +diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c +index 9b5f649..bd9c602 100644 +--- a/lib/vtls/gskit.c ++++ b/lib/vtls/gskit.c +@@ -1282,7 +1282,9 @@ const struct Curl_ssl Curl_ssl_gskit = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_GSKIT */ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 28ca528..24e036b 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -1683,7 +1683,9 @@ const struct Curl_ssl Curl_ssl_gnutls = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- gtls_sha256sum /* sha256sum */ ++ gtls_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_GNUTLS */ +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index bd0e080..fc973c7 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -1112,7 +1112,9 @@ const struct Curl_ssl Curl_ssl_mbedtls = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- mbedtls_sha256sum /* sha256sum */ ++ mbedtls_sha256sumi, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_MBEDTLS */ +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c +index ad807d3..8a91487 100644 +--- a/lib/vtls/mesalink.c ++++ b/lib/vtls/mesalink.c +@@ -666,7 +666,9 @@ const struct Curl_ssl Curl_ssl_mesalink = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index e5ab71c..fb9f763 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2444,7 +2444,9 @@ const struct Curl_ssl Curl_ssl_nss = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + nss_false_start, /* false_start */ +- nss_sha256sum /* sha256sum */ ++ nss_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_NSS */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 8304264..946b4c5 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -244,6 +244,10 @@ struct ssl_backend_data { + #endif + }; + ++static void ossl_associate_connection(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex); ++ + /* + * Number of bytes to read from the random number seed file. This must be + * a finite value (because some entropy "files" like /dev/urandom have +@@ -2527,6 +2531,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + ctx_option_t ctx_options = 0; ++ void *ssl_sessionid = NULL; + + #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + bool sni; +@@ -3224,46 +3229,23 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + } + #endif + +- /* Check if there's a cached ID we can/should use here! */ +- if(SSL_SET_OPTION(primary.sessionid)) { +- void *ssl_sessionid = NULL; +- int data_idx = ossl_get_ssl_data_index(); +- int connectdata_idx = ossl_get_ssl_conn_index(); +- int sockindex_idx = ossl_get_ssl_sockindex_index(); +- int proxy_idx = ossl_get_proxy_index(); +- +- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && +- proxy_idx >= 0) { +- /* Store the data needed for the "new session" callback. +- * The sockindex is stored as a pointer to an array element. */ +- SSL_set_ex_data(backend->handle, data_idx, data); +- SSL_set_ex_data(backend->handle, connectdata_idx, conn); +- SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); +-#ifndef CURL_DISABLE_PROXY +- SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: +- NULL); +-#else +- SSL_set_ex_data(backend->handle, proxy_idx, NULL); +-#endif +- +- } ++ ossl_associate_connection(data, conn, sockindex); + +- Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, +- &ssl_sessionid, NULL, sockindex)) { +- /* we got a session id, use it! */ +- if(!SSL_set_session(backend->handle, ssl_sessionid)) { +- Curl_ssl_sessionid_unlock(data); +- failf(data, "SSL: SSL_set_session failed: %s", +- ossl_strerror(ERR_get_error(), error_buffer, +- sizeof(error_buffer))); +- return CURLE_SSL_CONNECT_ERROR; +- } +- /* Informational message */ +- infof(data, "SSL re-using session ID\n"); ++ Curl_ssl_sessionid_lock(data); ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { ++ /* we got a session id, use it! */ ++ if(!SSL_set_session(backend->handle, ssl_sessionid)) { ++ Curl_ssl_sessionid_unlock(data); ++ failf(data, "SSL: SSL_set_session failed: %s", ++ ossl_strerror(ERR_get_error(), error_buffer, ++ sizeof(error_buffer))); ++ return CURLE_SSL_CONNECT_ERROR; + } +- Curl_ssl_sessionid_unlock(data); ++ /* Informational message */ ++ infof(data, "SSL re-using session ID\n"); + } ++ Curl_ssl_sessionid_unlock(data); + + #ifndef CURL_DISABLE_PROXY + if(conn->proxy_ssl[sockindex].use) { +@@ -4481,6 +4463,90 @@ static void *ossl_get_internals(struct ssl_connect_data *connssl, + (void *)backend->ctx : (void *)backend->handle; + } + ++static void ossl_associate_connection(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex) ++{ ++ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; ++ struct ssl_backend_data *backend = connssl->backend; ++ ++ /* If we don't have SSL context, do nothing. */ ++ if(!backend->handle) ++ return; ++ ++ if(SSL_SET_OPTION(primary.sessionid)) { ++ int data_idx = ossl_get_ssl_data_index(); ++ int connectdata_idx = ossl_get_ssl_conn_index(); ++ int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && ++ proxy_idx >= 0) { ++ /* Store the data needed for the "new session" callback. ++ * The sockindex is stored as a pointer to an array element. */ ++ SSL_set_ex_data(backend->handle, data_idx, data); ++ SSL_set_ex_data(backend->handle, connectdata_idx, conn); ++ SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++#endif ++ } ++ } ++} ++ ++/* ++ * Starting with TLS 1.3, the ossl_new_session_cb callback gets called after ++ * the handshake. If the transfer that sets up the callback gets killed before ++ * this callback arrives, we must make sure to properly clear the data to ++ * avoid UAF problems. A future optimization could be to instead store another ++ * transfer that might still be using the same connection. ++ */ ++ ++static void ossl_disassociate_connection(struct Curl_easy *data, ++ int sockindex) ++{ ++ struct connectdata *conn = data->conn; ++ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; ++ struct ssl_backend_data *backend = connssl->backend; ++ ++ /* If we don't have SSL context, do nothing. */ ++ if(!backend->handle) ++ return; ++ ++ if(SSL_SET_OPTION(primary.sessionid)) { ++ bool isproxy = FALSE; ++ bool incache; ++ void *old_ssl_sessionid = NULL; ++ int data_idx = ossl_get_ssl_data_index(); ++ int connectdata_idx = ossl_get_ssl_conn_index(); ++ int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && ++ proxy_idx >= 0) { ++ /* Invalidate the session cache entry, if any */ ++ isproxy = SSL_get_ex_data(backend->handle, proxy_idx) ? TRUE : FALSE; ++ ++ /* Disable references to data in "new session" callback to avoid ++ * accessing a stale pointer. */ ++ SSL_set_ex_data(backend->handle, data_idx, NULL); ++ SSL_set_ex_data(backend->handle, connectdata_idx, NULL); ++ SSL_set_ex_data(backend->handle, sockindex_idx, NULL); ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++ } ++ ++ Curl_ssl_sessionid_lock(data); ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, ++ &old_ssl_sessionid, NULL, sockindex)); ++ if(incache) ++ Curl_ssl_delsessionid(data, old_ssl_sessionid); ++ Curl_ssl_sessionid_unlock(data); ++ } ++} ++ + const struct Curl_ssl Curl_ssl_openssl = { + { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */ + +@@ -4514,10 +4580,12 @@ const struct Curl_ssl Curl_ssl_openssl = { + ossl_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ + #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) +- ossl_sha256sum /* sha256sum */ ++ ossl_sha256sum, /* sha256sum */ + #else +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ + #endif ++ ossl_associate_connection, /* associate_connection */ ++ ossl_disassociate_connection /* disassociate_connection */ + }; + + #endif /* USE_OPENSSL */ +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 670310d..596106a 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -325,7 +325,7 @@ get_alg_id_by_name(char *name) + + static CURLcode + set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, +- int *algIds) ++ ALG_ID *algIds) + { + char *startCur = ciphers; + int algCount = 0; +@@ -2429,7 +2429,9 @@ const struct Curl_ssl Curl_ssl_schannel = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- schannel_sha256sum /* sha256sum */ ++ schannel_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_SCHANNEL */ +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index 6d1ea7e..37b41f8 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -3311,7 +3311,9 @@ const struct Curl_ssl Curl_ssl_sectransp = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + sectransp_false_start, /* false_start */ +- sectransp_sha256sum /* sha256sum */ ++ sectransp_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #ifdef __clang__ +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 00b6268..59a7efb 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -579,6 +579,25 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + return CURLE_OK; + } + ++void Curl_ssl_associate_conn(struct Curl_easy *data, ++ struct connectdata *conn) ++{ ++ if(Curl_ssl->associate_connection) { ++ Curl_ssl->associate_connection(data, conn, FIRSTSOCKET); ++ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) ++ Curl_ssl->associate_connection(data, conn, SECONDARYSOCKET); ++ } ++} ++ ++void Curl_ssl_detach_conn(struct Curl_easy *data, ++ struct connectdata *conn) ++{ ++ if(Curl_ssl->disassociate_connection) { ++ Curl_ssl->disassociate_connection(data, FIRSTSOCKET); ++ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) ++ Curl_ssl->disassociate_connection(data, SECONDARYSOCKET); ++ } ++} + + void Curl_ssl_close_all(struct Curl_easy *data) + { +@@ -1212,7 +1231,9 @@ static const struct Curl_ssl Curl_ssl_multi = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + const struct Curl_ssl *Curl_ssl = +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index 1351215..94049f9 100644 +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -75,6 +75,11 @@ struct Curl_ssl { + bool (*false_start)(void); + CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen, + unsigned char *sha256sum, size_t sha256sumlen); ++ ++ void (*associate_connection)(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex); ++ void (*disassociate_connection)(struct Curl_easy *data, int sockindex); + }; + + #ifdef USE_SSL +@@ -264,6 +269,11 @@ bool Curl_ssl_cert_status_request(void); + + bool Curl_ssl_false_start(void); + ++void Curl_ssl_associate_conn(struct Curl_easy *data, ++ struct connectdata *conn); ++void Curl_ssl_detach_conn(struct Curl_easy *data, ++ struct connectdata *conn); ++ + #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ + + #else /* if not USE_SSL */ +@@ -290,6 +300,8 @@ bool Curl_ssl_false_start(void); + #define Curl_ssl_cert_status_request() FALSE + #define Curl_ssl_false_start() FALSE + #define Curl_ssl_tls13_ciphersuites() FALSE ++#define Curl_ssl_associate_conn(a,b) Curl_nop_stmt ++#define Curl_ssl_detach_conn(a,b) Curl_nop_stmt + #endif + + #endif /* HEADER_CURL_VTLS_H */ +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c +index f1b12b1..f734a84 100644 +--- a/lib/vtls/wolfssl.c ++++ b/lib/vtls/wolfssl.c +@@ -1165,7 +1165,9 @@ const struct Curl_ssl Curl_ssl_wolfssl = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- wolfssl_sha256sum /* sha256sum */ ++ wolfssl_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif +-- +2.31.1 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2021-22924.patch b/poky/meta/recipes-support/curl/curl/CVE-2021-22924.patch new file mode 100644 index 0000000000..f09704c8a9 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2021-22924.patch @@ -0,0 +1,298 @@ +From 205cf19fc374ee8eb848c5448e31fa703392832e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Wed, 4 Aug 2021 01:52:40 +0000 +Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case + sensitivity + +CVE-2021-22924 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2021-22924.html + +CVE: CVE-2021-22924 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/url.c | 10 ++++++---- + lib/urldata.h | 6 ++++-- + lib/vtls/gtls.c | 10 +++++----- + lib/vtls/nss.c | 4 ++-- + lib/vtls/openssl.c | 18 +++++++++--------- + lib/vtls/vtls.c | 26 +++++++++++++++++++++----- + 6 files changed, 47 insertions(+), 27 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index c02d2c2..474c53b 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -3695,6 +3695,8 @@ static CURLcode create_conn(struct Curl_easy *data, + */ + data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG]; + data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG]; ++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; ++ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; + data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; + data->set.ssl.primary.cipher_list = +@@ -3719,8 +3721,11 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.pinned_key = + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; + data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY]; ++ data->set.proxy_ssl.primary.issuercert = ++ data->set.str[STRING_SSL_ISSUERCERT_PROXY]; ++ data->set.proxy_ssl.primary.issuercert_blob = ++ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; +- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +@@ -3729,7 +3734,6 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif + data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; + data->set.ssl.key = data->set.str[STRING_KEY_ORIG]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG]; +@@ -3743,9 +3747,7 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif +- + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG]; +- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG]; + + if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, + &conn->ssl_config)) { +diff --git a/lib/urldata.h b/lib/urldata.h +index f7d60b2..7d01874 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -246,6 +246,7 @@ struct ssl_primary_config { + long version_max; /* max supported version the client wants to use*/ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ ++ char *issuercert; /* optional issuer certificate filename */ + char *clientcert; + char *random_file; /* path to file containing "random" data */ + char *egdsocket; /* path to file containing the EGD daemon socket */ +@@ -253,6 +254,7 @@ struct ssl_primary_config { + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; + struct curl_blob *cert_blob; ++ struct curl_blob *issuercert_blob; + char *curves; /* list of curves to use */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ +@@ -264,8 +266,6 @@ struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ + char *CRLfile; /* CRL to check certificate revocation */ +- char *issuercert;/* optional issuer certificate filename */ +- struct curl_blob *issuercert_blob; + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert_type; /* format for certificate (default: PEM)*/ +@@ -1545,6 +1545,7 @@ enum dupstring { + STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */ + STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */ + STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */ ++ STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */ + STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */ + STRING_SSL_ENGINE, /* name of ssl engine */ + STRING_USERNAME, /* <username>, if used */ +@@ -1600,6 +1601,7 @@ enum dupblob { + BLOB_CERT_PROXY, + BLOB_KEY_ORIG, + BLOB_KEY_PROXY, ++ BLOB_SSL_ISSUERCERT, + BLOB_SSL_ISSUERCERT_ORIG, + BLOB_SSL_ISSUERCERT_PROXY, + BLOB_LAST +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 2c65ba0..d1c3919 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -855,7 +855,7 @@ gtls_connect_step3(struct Curl_easy *data, + if(!chainp) { + if(SSL_CONN_CONFIG(verifypeer) || + SSL_CONN_CONFIG(verifyhost) || +- SSL_SET_OPTION(issuercert)) { ++ SSL_CONN_CONFIG(issuercert)) { + #ifdef HAVE_GNUTLS_SRP + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(username) != NULL +@@ -1039,21 +1039,21 @@ gtls_connect_step3(struct Curl_easy *data, + gnutls_x509_crt_t format */ + gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + gnutls_x509_crt_init(&x509_issuer); +- issuerp = load_file(SSL_SET_OPTION(issuercert)); ++ issuerp = load_file(SSL_CONN_CONFIG(issuercert)); + gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); + rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); + gnutls_x509_crt_deinit(x509_issuer); + unload_file(issuerp); + if(rc <= 0) { + failf(data, "server certificate issuer check failed (IssuerCert: %s)", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + gnutls_x509_crt_deinit(x509_cert); + return CURLE_SSL_ISSUER_ERROR; + } + infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + } + + size = sizeof(certname); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index fb9f763..dab12b6 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2159,9 +2159,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data, + if(result) + goto error; + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + SECStatus ret = SECFailure; +- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); ++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); + if(nickname) { + /* we support only nicknames in case of issuercert for now */ + ret = check_issuer_cert(backend->handle, nickname); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 946b4c5..85e1ee5 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3881,10 +3881,10 @@ static CURLcode servercert(struct Curl_easy *data, + deallocating the certificate. */ + + /* e.g. match issuer name with provided issuer certificate */ +- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) { +- if(SSL_SET_OPTION(issuercert_blob)) +- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data, +- (int)SSL_SET_OPTION(issuercert_blob)->len); ++ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) { ++ if(SSL_CONN_CONFIG(issuercert_blob)) ++ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data, ++ (int)SSL_CONN_CONFIG(issuercert_blob)->len); + else { + fp = BIO_new(BIO_s_file()); + if(fp == NULL) { +@@ -3898,10 +3898,10 @@ static CURLcode servercert(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + +- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { ++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { + if(strict) + failf(data, "SSL: Unable to open issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(backend->server_cert); + backend->server_cert = NULL; +@@ -3913,7 +3913,7 @@ static CURLcode servercert(struct Curl_easy *data, + if(!issuer) { + if(strict) + failf(data, "SSL: Unable to read issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(backend->server_cert); +@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data, + if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) { + if(strict) + failf(data, "SSL: Certificate issuer check failed (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(backend->server_cert); +@@ -3933,7 +3933,7 @@ static CURLcode servercert(struct Curl_easy *data, + } + + infof(data, " SSL certificate issuer check ok (%s)\n", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 59a7efb..eb885da 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) + return !memcmp(first->data, second->data, first->len); /* same data */ + } + ++static bool safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ else if(!a && !b) ++ return TRUE; /* match */ ++ return FALSE; /* no match */ ++} ++ ++ + bool + Curl_ssl_config_matches(struct ssl_primary_config *data, + struct ssl_primary_config *needle) +@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && + blobcmp(data->cert_blob, needle->cert_blob) && +- Curl_safe_strcasecompare(data->CApath, needle->CApath) && +- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && +- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && +- Curl_safe_strcasecompare(data->random_file, needle->random_file) && +- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && ++ blobcmp(data->issuercert_blob, needle->issuercert_blob) && ++ safecmp(data->CApath, needle->CApath) && ++ safecmp(data->CAfile, needle->CAfile) && ++ safecmp(data->issuercert, needle->issuercert) && ++ safecmp(data->clientcert, needle->clientcert) && ++ safecmp(data->random_file, needle->random_file) && ++ safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && +@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->sessionid = source->sessionid; + + CLONE_BLOB(cert_blob); ++ CLONE_BLOB(issuercert_blob); + CLONE_STRING(CApath); + CLONE_STRING(CAfile); ++ CLONE_STRING(issuercert); + CLONE_STRING(clientcert); + CLONE_STRING(random_file); + CLONE_STRING(egdsocket); +@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + { + Curl_safefree(sslc->CApath); + Curl_safefree(sslc->CAfile); ++ Curl_safefree(sslc->issuercert); + Curl_safefree(sslc->clientcert); + Curl_safefree(sslc->random_file); + Curl_safefree(sslc->egdsocket); +@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + Curl_safefree(sslc->cipher_list13); + Curl_safefree(sslc->pinned_key); + Curl_safefree(sslc->cert_blob); ++ Curl_safefree(sslc->issuercert_blob); + Curl_safefree(sslc->curves); + } + +-- +2.31.1 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/poky/meta/recipes-support/curl/curl/CVE-2021-22925.patch new file mode 100644 index 0000000000..e3009c9533 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2021-22925.patch @@ -0,0 +1,50 @@ +From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Sat, 12 Jun 2021 18:25:15 +0200 +Subject: [PATCH] telnet: fix option parser to not send uninitialized contents + +CVE-2021-22925 + +Reported-by: Red Hat Product Security +Bug: https://curl.se/docs/CVE-2021-22925.html + +CVE: CVE-2021-22925 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/telnet.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 1d3024ec4..a81bb81c3 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { +- msnprintf((char *)&temp[len], sizeof(temp) - len, +- "%c%s%c%s", CURL_NEW_ENV_VAR, varname, +- CURL_NEW_ENV_VALUE, varval); +- len += tmplen; +- } ++ int rv; ++ char sep[2] = ""; ++ varval[0] = 0; ++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); ++ if(rv == 1) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s", CURL_NEW_ENV_VAR, varname); ++ else if(rv >= 2) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname, ++ CURL_NEW_ENV_VALUE, varval); + } + } + msnprintf((char *)&temp[len], sizeof(temp) - len, +-- +2.17.1 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2021-22926.patch b/poky/meta/recipes-support/curl/curl/CVE-2021-22926.patch new file mode 100644 index 0000000000..3a803bcc98 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2021-22926.patch @@ -0,0 +1,79 @@ +From 6180ef7c19defa9f77ae166acb8b63ed98a9c09a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Wed, 4 Aug 2021 03:05:45 +0000 +Subject: [PATCH] sectransp: check for client certs by name first, then file + +CVE-2021-22926 + +Bug: https://curl.se/docs/CVE-2021-22926.html + +Assisted-by: Daniel Gustafsson +Reported-by: Harry Sintonen + +CVE: CVE-2021-22926 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/fd9b40bf8dfd43edcbc0d254d613d95a11061c05] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/vtls/sectransp.c | 33 +++++++++++++++++++-------------- + 1 file changed, 19 insertions(+), 14 deletions(-) + +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index 37b41f8..f8effde 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -32,6 +32,7 @@ + #include "curl_base64.h" + #include "strtok.h" + #include "multiif.h" ++#include "strcase.h" + + #ifdef USE_SECTRANSP + +@@ -1648,24 +1649,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, + bool is_cert_file = (!is_cert_data) && is_file(ssl_cert); + SecIdentityRef cert_and_key = NULL; + +- /* User wants to authenticate with a client cert. Look for it: +- If we detect that this is a file on disk, then let's load it. +- Otherwise, assume that the user wants to use an identity loaded +- from the Keychain. */ +- if(is_cert_file || is_cert_data) { ++ /* User wants to authenticate with a client cert. Look for it. Assume that ++ the user wants to use an identity loaded from the Keychain. If not, try ++ it as a file on disk */ ++ ++ if(!is_cert_data) ++ err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); ++ else ++ err = !noErr; ++ if((err != noErr) && (is_cert_file || is_cert_data)) { + if(!SSL_SET_OPTION(cert_type)) +- infof(data, "WARNING: SSL: Certificate type not set, assuming " +- "PKCS#12 format.\n"); +- else if(strncmp(SSL_SET_OPTION(cert_type), "P12", +- strlen(SSL_SET_OPTION(cert_type))) != 0) +- infof(data, "WARNING: SSL: The Security framework only supports " +- "loading identities that are in PKCS#12 format.\n"); ++ infof(data, "SSL: Certificate type not set, assuming " ++ "PKCS#12 format."); ++ else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) { ++ failf(data, "SSL: The Security framework only supports " ++ "loading identities that are in PKCS#12 format."); ++ return CURLE_SSL_CERTPROBLEM; ++ } + + err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob, +- SSL_SET_OPTION(key_passwd), &cert_and_key); ++ SSL_SET_OPTION(key_passwd), ++ &cert_and_key); + } +- else +- err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); + + if(err == noErr && cert_and_key) { + SecCertificateRef cert = NULL; +-- +2.31.1 + diff --git a/poky/meta/recipes-support/curl/curl_7.75.0.bb b/poky/meta/recipes-support/curl/curl_7.75.0.bb index 42be2eb0b5..d64e5e1f79 100644 --- a/poky/meta/recipes-support/curl/curl_7.75.0.bb +++ b/poky/meta/recipes-support/curl/curl_7.75.0.bb @@ -17,6 +17,10 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://vtls-fix-warning.patch \ file://CVE-2021-22898.patch \ file://CVE-2021-22897.patch \ + file://CVE-2021-22925.patch \ + file://CVE-2021-22901.patch \ + file://CVE-2021-22924.patch \ + file://CVE-2021-22926.patch \ " SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026" diff --git a/poky/meta/recipes-support/gnutls/gnutls_3.7.1.bb b/poky/meta/recipes-support/gnutls/gnutls_3.7.2.bb index 51d472c828..430d1f2d7d 100644 --- a/poky/meta/recipes-support/gnutls/gnutls_3.7.1.bb +++ b/poky/meta/recipes-support/gnutls/gnutls_3.7.2.bb @@ -23,15 +23,15 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://arm_eabi.patch \ " -SRC_URI[sha256sum] = "3777d7963eca5e06eb315686163b7b3f5045e2baac5e54e038ace9835e5cac6f" +SRC_URI[sha256sum] = "646e6c5a9a185faa4cea796d378a1ba8e1148dbb197ca6605f95986a25af2752" inherit autotools texinfo pkgconfig gettext lib_package gtk-doc -PACKAGECONFIG ??= "libidn" +PACKAGECONFIG ??= "libidn ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)}" # You must also have CONFIG_SECCOMP enabled in the kernel for # seccomp to work. -PACKAGECONFIG[seccomp] = "ac_cv_libseccomp=yes,ac_cv_libseccomp=no,libseccomp" +PACKAGECONFIG[seccomp] = "--with-libseccomp-prefix=${STAGING_EXECPREFIXDIR},ac_cv_libseccomp=no,libseccomp" PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2" PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1" PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit" diff --git a/poky/meta/recipes-support/lzo/lzo_2.10.bb b/poky/meta/recipes-support/lzo/lzo_2.10.bb index 85b14b3c5c..f0c8631aea 100644 --- a/poky/meta/recipes-support/lzo/lzo_2.10.bb +++ b/poky/meta/recipes-support/lzo/lzo_2.10.bb @@ -18,6 +18,8 @@ SRC_URI[sha256sum] = "c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b42 inherit autotools ptest +CVE_PRODUCT = "lzo oberhumer:lzo2" + EXTRA_OECONF = "--enable-shared" do_install_ptest() { diff --git a/poky/meta/recipes-support/nettle/nettle_3.7.2.bb b/poky/meta/recipes-support/nettle/nettle_3.7.3.bb index f8f3360086..031500d741 100644 --- a/poky/meta/recipes-support/nettle/nettle_3.7.2.bb +++ b/poky/meta/recipes-support/nettle/nettle_3.7.3.bb @@ -24,7 +24,7 @@ SRC_URI_append_class-target = "\ file://dlopen-test.patch \ " -SRC_URI[sha256sum] = "8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162" +SRC_URI[sha256sum] = "661f5eb03f048a3b924c3a8ad2515d4068e40f67e774e8a26827658007e3bcf0" UPSTREAM_CHECK_REGEX = "nettle-(?P<pver>\d+(\.\d+)+)\.tar" |