diff options
Diffstat (limited to 'poky/meta/recipes-core')
34 files changed, 1915 insertions, 59 deletions
diff --git a/poky/meta/recipes-core/base-files/base-files/hosts b/poky/meta/recipes-core/base-files/base-files/hosts index b94f414d5c..10a5b6c704 100644 --- a/poky/meta/recipes-core/base-files/base-files/hosts +++ b/poky/meta/recipes-core/base-files/base-files/hosts @@ -1,4 +1,4 @@ -127.0.0.1 localhost.localdomain localhost +127.0.0.1 localhost # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback diff --git a/poky/meta/recipes-core/busybox/busybox.inc b/poky/meta/recipes-core/busybox/busybox.inc index 3553376582..f0c5666f47 100644 --- a/poky/meta/recipes-core/busybox/busybox.inc +++ b/poky/meta/recipes-core/busybox/busybox.inc @@ -139,6 +139,10 @@ do_configure () { do_prepare_config merge_config.sh -m .config ${@" ".join(find_cfgs(d))} cml1_do_configure + + # Save a copy of .config and autoconf.h. + cp .config .config.orig + cp include/autoconf.h include/autoconf.h.orig } do_compile() { @@ -146,13 +150,17 @@ do_compile() { if [ "${BUILD_REPRODUCIBLE_BINARIES}" = "1" ]; then export KCONFIG_NOTIMESTAMP=1 fi + + # Ensure we start do_compile with the original .config and autoconf.h. + # These files should always have matching timestamps. + cp .config.orig .config + cp include/autoconf.h.orig include/autoconf.h + if [ "${BUSYBOX_SPLIT_SUID}" = "1" -a x`grep "CONFIG_FEATURE_INDIVIDUAL=y" .config` = x ]; then + # Guard againt interrupted do_compile: clean temporary files. + rm -f .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps + # split the .config into two parts, and make two busybox binaries - if [ -e .config.orig ]; then - # Need to guard again an interrupted do_compile - restore any backup - cp .config.orig .config - fi - cp .config .config.orig oe_runmake busybox.cfg.suid oe_runmake busybox.cfg.nosuid @@ -189,15 +197,18 @@ do_compile() { bbfatal "busybox suid binary incorrectly provides /bin/sh" fi - # copy .config.orig back to .config, because the install process may check this file - cp .config.orig .config # cleanup - rm .config.orig .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps + rm .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps else oe_runmake busybox_unstripped cp busybox_unstripped busybox oe_runmake busybox.links fi + + # restore original .config and autoconf.h, because the install process + # may check these files + cp .config.orig .config + cp include/autoconf.h.orig include/autoconf.h } do_install () { diff --git a/poky/meta/recipes-core/coreutils/coreutils_8.31.bb b/poky/meta/recipes-core/coreutils/coreutils_8.31.bb index 3d569881e8..3841f71155 100644 --- a/poky/meta/recipes-core/coreutils/coreutils_8.31.bb +++ b/poky/meta/recipes-core/coreutils/coreutils_8.31.bb @@ -51,6 +51,7 @@ PACKAGECONFIG_class-nativesdk ??= "xattr" PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl," PACKAGECONFIG[xattr] = "--enable-xattr,--disable-xattr,attr," PACKAGECONFIG[single-binary] = "--enable-single-binary,--disable-single-binary,," +PACKAGECONFIG[openssl] = "--with-openssl=yes,--with-openssl=no,openssl" # [ df mktemp nice printenv base64 gets a special treatment and is not included in this bindir_progs = "arch basename chcon cksum comm csplit cut dir dircolors dirname du \ diff --git a/poky/meta/recipes-core/dbus/dbus-test_1.12.20.bb b/poky/meta/recipes-core/dbus/dbus-test_1.12.24.bb index 755c841bad..755c841bad 100644 --- a/poky/meta/recipes-core/dbus/dbus-test_1.12.20.bb +++ b/poky/meta/recipes-core/dbus/dbus-test_1.12.24.bb diff --git a/poky/meta/recipes-core/dbus/dbus.inc b/poky/meta/recipes-core/dbus/dbus.inc index dcbcc0a9d6..82e91c7b13 100644 --- a/poky/meta/recipes-core/dbus/dbus.inc +++ b/poky/meta/recipes-core/dbus/dbus.inc @@ -10,8 +10,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ " -SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4" -SRC_URI[sha256sum] = "f77620140ecb4cdc67f37fb444f8a6bea70b5b6461f12f1cbe2cec60fa7de5fe" +SRC_URI[sha256sum] = "bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38" EXTRA_OECONF = "--disable-xml-docs \ --disable-doxygen-docs \ diff --git a/poky/meta/recipes-core/dbus/dbus_1.12.20.bb b/poky/meta/recipes-core/dbus/dbus_1.12.24.bb index cf6f7dc0ef..cf6f7dc0ef 100644 --- a/poky/meta/recipes-core/dbus/dbus_1.12.20.bb +++ b/poky/meta/recipes-core/dbus/dbus_1.12.24.bb diff --git a/poky/meta/recipes-core/dropbear/dropbear.inc b/poky/meta/recipes-core/dropbear/dropbear.inc index 026292230c..0f5e9ba4ac 100644 --- a/poky/meta/recipes-core/dropbear/dropbear.inc +++ b/poky/meta/recipes-core/dropbear/dropbear.inc @@ -29,6 +29,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ file://CVE-2020-36254.patch \ + file://CVE-2021-36369.patch \ " PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ diff --git a/poky/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/poky/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch new file mode 100644 index 0000000000..5cabe8339d --- /dev/null +++ b/poky/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch @@ -0,0 +1,145 @@ +From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001 +From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com> +Date: Thu, 19 Aug 2021 17:37:14 +0200 +Subject: [PATCH] added option to disable trivial auth methods (#128) + +* added option to disable trivial auth methods + +* rename argument to match with other ssh clients + +* fixed trivial auth detection for pubkeys + +[https://github.com/mkj/dropbear/pull/128] +Upstream-Status: Backport +CVE: CVE-2021-36369 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + cli-auth.c | 3 +++ + cli-authinteract.c | 1 + + cli-authpasswd.c | 2 +- + cli-authpubkey.c | 1 + + cli-runopts.c | 7 +++++++ + cli-session.c | 1 + + runopts.h | 1 + + session.h | 1 + + 8 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/cli-auth.c b/cli-auth.c +index 2e509e5..6f04495 100644 +--- a/cli-auth.c ++++ b/cli-auth.c +@@ -267,6 +267,9 @@ void recv_msg_userauth_success() { + if DROPBEAR_CLI_IMMEDIATE_AUTH is set */ + + TRACE(("received msg_userauth_success")) ++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) { ++ dropbear_exit("trivial authentication not allowed"); ++ } + /* Note: in delayed-zlib mode, setting authdone here + * will enable compression in the transport layer */ + ses.authstate.authdone = 1; +diff --git a/cli-authinteract.c b/cli-authinteract.c +index e1cc9a1..f7128ee 100644 +--- a/cli-authinteract.c ++++ b/cli-authinteract.c +@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() { + m_free(instruction); + + for (i = 0; i < num_prompts; i++) { ++ cli_ses.is_trivial_auth = 0; + unsigned int response_len = 0; + prompt = buf_getstring(ses.payload, NULL); + cleantext(prompt); +diff --git a/cli-authpasswd.c b/cli-authpasswd.c +index 00fdd8b..a24d43e 100644 +--- a/cli-authpasswd.c ++++ b/cli-authpasswd.c +@@ -155,7 +155,7 @@ void cli_auth_password() { + + encrypt_packet(); + m_burn(password, strlen(password)); +- ++ cli_ses.is_trivial_auth = 0; + TRACE(("leave cli_auth_password")) + } + #endif /* DROPBEAR_CLI_PASSWORD_AUTH */ +diff --git a/cli-authpubkey.c b/cli-authpubkey.c +index 7cee164..7da1a04 100644 +--- a/cli-authpubkey.c ++++ b/cli-authpubkey.c +@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) { + buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); + cli_buf_put_sign(ses.writepayload, key, type, sigbuf); + buf_free(sigbuf); /* Nothing confidential in the buffer */ ++ cli_ses.is_trivial_auth = 0; + } + + encrypt_packet(); +diff --git a/cli-runopts.c b/cli-runopts.c +index 7d1fffe..6bf8b8e 100644 +--- a/cli-runopts.c ++++ b/cli-runopts.c +@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) { + #if DROPBEAR_CLI_ANYTCPFWD + cli_opts.exit_on_fwd_failure = 0; + #endif ++ cli_opts.disable_trivial_auth = 0; + #if DROPBEAR_CLI_LOCALTCPFWD + cli_opts.localfwds = list_new(); + opts.listen_fwd_all = 0; +@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) { + #if DROPBEAR_CLI_ANYTCPFWD + "\tExitOnForwardFailure\n" + #endif ++ "\tDisableTrivialAuth\n" + #ifndef DISABLE_SYSLOG + "\tUseSyslog\n" + #endif +@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) { + return; + } + ++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) { ++ cli_opts.disable_trivial_auth = parse_flag_value(optstr); ++ return; ++ } ++ + dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr); + } +diff --git a/cli-session.c b/cli-session.c +index 56dd4af..73ef0db 100644 +--- a/cli-session.c ++++ b/cli-session.c +@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) { + /* Auth */ + cli_ses.lastprivkey = NULL; + cli_ses.lastauthtype = 0; ++ cli_ses.is_trivial_auth = 1; + + /* For printing "remote host closed" for the user */ + ses.remoteclosed = cli_remoteclosed; +diff --git a/runopts.h b/runopts.h +index 31eae1f..8519626 100644 +--- a/runopts.h ++++ b/runopts.h +@@ -154,6 +154,7 @@ typedef struct cli_runopts { + #if DROPBEAR_CLI_ANYTCPFWD + int exit_on_fwd_failure; + #endif ++ int disable_trivial_auth; + #if DROPBEAR_CLI_REMOTETCPFWD + m_list * remotefwds; + #endif +diff --git a/session.h b/session.h +index 0f77055..8676054 100644 +--- a/session.h ++++ b/session.h +@@ -287,6 +287,7 @@ struct clientsession { + + int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, + for the last type of auth we tried */ ++ int is_trivial_auth; + int ignore_next_auth_response; + #if DROPBEAR_CLI_INTERACT_AUTH + int auth_interact_failed; /* flag whether interactive auth can still diff --git a/poky/meta/recipes-core/expat/expat/CVE-2022-43680.patch b/poky/meta/recipes-core/expat/expat/CVE-2022-43680.patch new file mode 100644 index 0000000000..6f93bc3ed7 --- /dev/null +++ b/poky/meta/recipes-core/expat/expat/CVE-2022-43680.patch @@ -0,0 +1,33 @@ +From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Tue, 20 Sep 2022 02:44:34 +0200 +Subject: [PATCH] lib: Fix overeager DTD destruction in + XML_ExternalEntityParserCreate + +CVE: CVE-2022-43680 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5290462a7ea1278a8d5c0d5b2860d4e244f997e4.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> +Comments: Hunk refreshed +--- + lib/xmlparse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index aacd6e7fc..57bf103cc 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1035,6 +1035,14 @@ parserCreate(const XML_Char *encodingNam + parserInit(parser, encodingName); + + if (encodingName && ! parser->m_protocolEncodingName) { ++ if (dtd) { ++ // We need to stop the upcoming call to XML_ParserFree from happily ++ // destroying parser->m_dtd because the DTD is shared with the parent ++ // parser and the only guard that keeps XML_ParserFree from destroying ++ // parser->m_dtd is parser->m_isParamEntity but it will be set to ++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all). ++ parser->m_dtd = NULL; ++ } + XML_ParserFree(parser); + return NULL; + } diff --git a/poky/meta/recipes-core/expat/expat_2.2.9.bb b/poky/meta/recipes-core/expat/expat_2.2.9.bb index 578edfcbff..8a5006e59a 100644 --- a/poky/meta/recipes-core/expat/expat_2.2.9.bb +++ b/poky/meta/recipes-core/expat/expat_2.2.9.bb @@ -21,6 +21,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \ file://CVE-2022-25315.patch \ file://libtool-tag.patch \ file://CVE-2022-40674.patch \ + file://CVE-2022-43680.patch \ " SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13" diff --git a/poky/meta/recipes-core/glibc/glibc-version.inc b/poky/meta/recipes-core/glibc/glibc-version.inc index 68efd09ece..5414297ba1 100644 --- a/poky/meta/recipes-core/glibc/glibc-version.inc +++ b/poky/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.31/master" PV = "2.31+git${SRCPV}" -SRCREV_glibc ?= "3ef8be9b89ef98300951741f381eb79126ac029f" +SRCREV_glibc ?= "d4b75594574ab8a9c2c41209cd8c62aac76b5a04" SRCREV_localedef ?= "cd9f958c4c94a638fa7b2b4e21627364f1a1a655" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" diff --git a/poky/meta/recipes-core/glibc/glibc.inc b/poky/meta/recipes-core/glibc/glibc.inc index 23a6ca99ae..e42040f3dc 100644 --- a/poky/meta/recipes-core/glibc/glibc.inc +++ b/poky/meta/recipes-core/glibc/glibc.inc @@ -1,7 +1,9 @@ require glibc-common.inc require glibc-ld.inc -DEPENDS = "virtual/${TARGET_PREFIX}gcc libgcc-initial linux-libc-headers" +DEPENDS = "virtual/${TARGET_PREFIX}gcc virtual/${TARGET_PREFIX}binutils${BUSUFFIX} libgcc-initial linux-libc-headers" +BUSUFFIX= "" +BUSUFFIX:class-nativesdk = "-crosssdk" PROVIDES = "virtual/libc" PROVIDES += "virtual/libintl virtual/libiconv" diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch index cef0ce54ed..7561e87121 100644 --- a/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch +++ b/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch @@ -11,14 +11,10 @@ CVE: CVE-2021-33574 patch#1 Signed-off-by: Armin Kuster <akuster@mvista.com> --- - NEWS | 4 ++++ - sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++----- - 2 files changed, 14 insertions(+), 5 deletions(-) - -Index: git/NEWS -=================================================================== ---- git.orig/NEWS -+++ git/NEWS +diff --git a/NEWS b/NEWS +index 8a20d3c4e3..be489243ac 100644 +--- a/NEWS ++++ b/NEWS @@ -7,6 +7,10 @@ using `glibc' in the "product" field. Version 2.31.1 @@ -28,12 +24,12 @@ Index: git/NEWS + attribute with a non-default affinity mask. + The following bugs are resolved with this release: + [14231] stdio-common tests memory requirements [19519] iconv(1) with -c option hangs on illegal multi-byte sequences - (CVE-2016-10228) -Index: git/sysdeps/unix/sysv/linux/mq_notify.c -=================================================================== ---- git.orig/sysdeps/unix/sysv/linux/mq_notify.c -+++ git/sysdeps/unix/sysv/linux/mq_notify.c +diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c +index f288bac477..dd47f0b777 100644 +--- a/sysdeps/unix/sysv/linux/mq_notify.c ++++ b/sysdeps/unix/sysv/linux/mq_notify.c @@ -135,8 +135,11 @@ helper_thread (void *arg) (void) __pthread_barrier_wait (¬ify_barrier); } @@ -48,7 +44,7 @@ Index: git/sysdeps/unix/sysv/linux/mq_notify.c } return NULL; } -@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sig +@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) if (data.attr == NULL) return -1; @@ -58,7 +54,7 @@ Index: git/sysdeps/unix/sysv/linux/mq_notify.c } /* Construct the new request. */ -@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sig +@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) /* If it failed, free the allocated memory. */ if (__glibc_unlikely (retval != 0)) diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch new file mode 100644 index 0000000000..10c7e5666d --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch @@ -0,0 +1,82 @@ +From 952aff5c00ad7c6b83c3f310f2643939538827f8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?= + =?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru> +Date: Sat, 4 Feb 2023 14:41:38 +0300 +Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `__monstartup()` allocates a buffer used to store all the data +accumulated by the monitor. + +The size of this buffer depends on the size of the internal structures +used and the address range for which the monitor is activated, as well +as on the maximum density of call instructions and/or callable functions +that could be potentially on a segment of executable code. + +In particular a hash table of arcs is placed at the end of this buffer. +The size of this hash table is calculated in bytes as + p->fromssize = p->textsize / HASHFRACTION; + +but actually should be + p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms)); + +This results in writing beyond the end of the allocated buffer when an +added arc corresponds to a call near from the end of the monitored +address range, since `_mcount()` check the incoming caller address for +monitored range but not the intermediate result hash-like index that +uses to write into the table. + +It should be noted that when the results are output to `gmon.out`, the +table is read to the last element calculated from the allocated size in +bytes, so the arcs stored outside the buffer boundary did not fall into +`gprof` for analysis. Thus this "feature" help me to found this bug +during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438 + +Just in case, I will explicitly note that the problem breaks the +`make test t=gmon/tst-gmon-dso` added for Bug 29438. +There, the arc of the `f3()` call disappears from the output, since in +the DSO case, the call to `f3` is located close to the end of the +monitored range. + +Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru> + +Another minor error seems a related typo in the calculation of +`kcountsize`, but since kcounts are smaller than froms, this is +actually to align the p->froms data. + +Co-authored-by: DJ Delorie <dj@redhat.com> +Reviewed-by: Carlos O'Donell <carlos@redhat.com> + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc] +CVE: CVE-2023-0687 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + gmon/gmon.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/gmon/gmon.c b/gmon/gmon.c +index dee6480..bf76358 100644 +--- a/gmon/gmon.c ++++ b/gmon/gmon.c +@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc) + p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER)); + p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER)); + p->textsize = p->highpc - p->lowpc; ++ /* This looks like a typo, but it's here to align the p->froms ++ section. */ + p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms)); + p->hashfraction = HASHFRACTION; + p->log_hashfraction = -1; +@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc) + instead of integer division. Precompute shift amount. */ + p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1; + } +- p->fromssize = p->textsize / HASHFRACTION; ++ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms)); + p->tolimit = p->textsize * ARCDENSITY / 100; + if (p->tolimit < MINARCS) + p->tolimit = MINARCS; +-- +2.7.4 diff --git a/poky/meta/recipes-core/glibc/glibc_2.31.bb b/poky/meta/recipes-core/glibc/glibc_2.31.bb index 0c37467fe4..8d216f6ed1 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.31.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.31.bb @@ -79,6 +79,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \ file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \ file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \ + file://CVE-2023-0687.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 7426eb077a..f592158209 100644 --- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk" inherit core-image setuptools3 -SRCREV ?= "9ae91384970637cd8880c07071fb44b7f5574012" +SRCREV ?= "ee461b42358db458f39e558b8667fbcffb6d8044" SRC_URI = "git://git.yoctoproject.org/poky;branch=dunfell \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch new file mode 100644 index 0000000000..bdb9e9eb7a --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch @@ -0,0 +1,623 @@ +From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Thu, 25 Aug 2022 17:43:08 +0200 +Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE + +Also impose size limits when XML_PARSE_HUGE is set. Limit size of names +to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to +XML_MAX_HUGE_LENGTH (1 billion bytes). + +Move some the length checks to the end of the respective loop to make +them strict. + +xmlParseEntityValue didn't have a length limitation at all. But without +XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW. + +Thanks to Maddie Stone working with Google Project Zero for the report! + +CVE: CVE-2022-40303 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0] +Comments: Refreshed hunk + +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + parser.c | 233 +++++++++++++++++++++++++++++-------------------------- + 1 file changed, 121 insertions(+), 112 deletions(-) + +diff --git a/parser.c b/parser.c +index 93f031be..79479979 100644 +--- a/parser.c ++++ b/parser.c +@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt); + * * + ************************************************************************/ + ++#define XML_MAX_HUGE_LENGTH 1000000000 ++ + #define XML_PARSER_BIG_ENTITY 1000 + #define XML_PARSER_LOT_ENTITY 5000 + +@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) + errmsg = "Malformed declaration expecting version"; + break; + case XML_ERR_NAME_TOO_LONG: +- errmsg = "Name too long use XML_PARSE_HUGE option"; ++ errmsg = "Name too long"; + break; + #if 0 + case: +@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNameComplex++; +@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + } +@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } +@@ -3338,7 +3344,10 @@ const xmlChar * + xmlParseName(xmlParserCtxtPtr ctxt) { + const xmlChar *in; + const xmlChar *ret; +- int count = 0; ++ size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + GROW; + +@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { + in++; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; +- if ((count > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (count > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } +@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + size_t startPosition = 0; + + #ifdef DEBUG +@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ + (xmlIsNameChar(ctxt, c) && (c != ':'))) { + if (count++ > XML_PARSER_CHUNK_SIZE) { +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); +- return(NULL); +- } + count = 0; + GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + if (c == 0) { +@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + c = CUR_CHAR(l); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3459,7 +3465,10 @@ static const xmlChar * + xmlParseNCName(xmlParserCtxtPtr ctxt) { + const xmlChar *in, *e; + const xmlChar *ret; +- int count = 0; ++ size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNCName++; +@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + goto complex; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; +- if ((count > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (count > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + const xmlChar *cur = *str; + int len = 0, l; + int c; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseStringName++; +@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + if (len + 10 > max) { + xmlChar *tmp; + +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); +- xmlFree(buffer); +- return(NULL); +- } + max *= 2; + tmp = (xmlChar *) xmlRealloc(buffer, + max * sizeof(xmlChar)); +@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + COPY_BUF(l,buffer,len,c); + cur += l; + c = CUR_SCHAR(cur, l); ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); ++ xmlFree(buffer); ++ return(NULL); ++ } + } + buffer[len] = 0; + *str = cur; + return(buffer); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNmToken++; +@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + if (len + 10 > max) { + xmlChar *tmp; + +- if ((max > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); +- xmlFree(buffer); +- return(NULL); +- } + max *= 2; + tmp = (xmlChar *) xmlRealloc(buffer, + max * sizeof(xmlChar)); +@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + COPY_BUF(l,buffer,len,c); + NEXTL(l); + c = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); ++ xmlFree(buffer); ++ return(NULL); ++ } + } + buffer[len] = 0; + return(buffer); +@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + } + if (len == 0) + return(NULL); +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); + return(NULL); + } +@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; + int c, l; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + xmlChar stop; + xmlChar *ret = NULL; + const xmlChar *cur = NULL; +@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + GROW; + c = CUR_CHAR(l); + } ++ ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, ++ "entity value too long\n"); ++ goto error; ++ } + } + buf[len] = 0; + if (ctxt->instate == XML_PARSER_EOF) +@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + xmlChar *rep = NULL; + size_t len = 0; + size_t buf_size = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int c, l, in_space = 0; + xmlChar *current = NULL; + xmlEntityPtr ent; +@@ -3925,16 +3925,6 @@ + while (((NXT(0) != limit) && /* checked */ + (IS_CHAR(c)) && (c != '<')) && + (ctxt->instate != XML_PARSER_EOF)) { +- /* +- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE +- * special option is given +- */ +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, +- "AttValue length too long\n"); +- goto mem_error; +- } + if (c == 0) break; + if (c == '&') { + in_space = 0; +@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } + GROW; + c = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, ++ "AttValue length too long\n"); ++ goto mem_error; ++ } + } + if (ctxt->instate == XML_PARSER_EOF) + goto error; +@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } else + NEXT; + +- /* +- * There we potentially risk an overflow, don't allow attribute value of +- * length more than INT_MAX it is a very reasonable assumption ! +- */ +- if (len >= INT_MAX) { +- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, +- "AttValue length too long\n"); +- goto mem_error; +- } +- + if (attlen != NULL) *attlen = (int) len; + return(buf); + +@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; + int cur, l; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar stop; + int state = ctxt->instate; + int count = 0; +@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + if (len + 5 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); +- xmlFree(buf); +- ctxt->instate = (xmlParserInputState) state; +- return(NULL); +- } + size *= 2; + tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); + if (tmp == NULL) { +@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + SHRINK; + cur = CUR_CHAR(l); + } ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); ++ xmlFree(buf); ++ ctxt->instate = (xmlParserInputState) state; ++ return(NULL); ++ } + } + buf[len] = 0; + ctxt->instate = (xmlParserInputState) state; +@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar cur; + xmlChar stop; + int count = 0; +@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + if (len + 1 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); +- xmlFree(buf); +- return(NULL); +- } + size *= 2; + tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); + if (tmp == NULL) { +@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + SHRINK; + cur = CUR; + } ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); ++ xmlFree(buf); ++ return(NULL); ++ } + } + buf[len] = 0; + if (cur != stop) { +@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + int r, rl; + int cur, l; + size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int inputid; + + inputid = ctxt->input->id; +@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + if ((r == '-') && (q == '-')) { + xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment too big found", NULL); +- xmlFree (buf); +- return; +- } + if (len + 5 >= size) { + xmlChar *new_buf; + size_t new_size; +@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + GROW; + cur = CUR_CHAR(l); + } ++ ++ if (len > maxLength) { ++ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, ++ "Comment too big found", NULL); ++ xmlFree (buf); ++ return; ++ } + } + buf[len] = 0; + if (cur == 0) { +@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + size_t size = XML_PARSER_BUFFER_SIZE; + size_t len = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + xmlParserInputState state; + const xmlChar *in; + size_t nbchar = 0; +@@ -4958,8 +4975,7 @@ get_more: + buf[len] = 0; + } + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, + "Comment too big found", NULL); + xmlFree (buf); +@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + size_t len = 0; + size_t size = XML_PARSER_BUFFER_SIZE; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int cur, l; + const xmlChar *target; + xmlParserInputState state; +@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + return; + } + count = 0; +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +- "PI %s too big found", target); +- xmlFree(buf); +- ctxt->instate = state; +- return; +- } + } + COPY_BUF(l,buf,len,cur); + NEXTL(l); +@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + GROW; + cur = CUR_CHAR(l); + } ++ if (len > maxLength) { ++ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, ++ "PI %s too big found", target); ++ xmlFree(buf); ++ ctxt->instate = state; ++ return; ++ } + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +- "PI %s too big found", target); +- xmlFree(buf); +- ctxt->instate = state; +- return; +- } + buf[len] = 0; + if (cur != '?') { + xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + const xmlChar *in = NULL, *start, *end, *last; + xmlChar *ret = NULL; + int line, col; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + + GROW; + in = (xmlChar *) CUR_PTR; +@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + start = in; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + if ((*in++ == 0x20) && (*in == 0x20)) break; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + last = last + delta; + } + end = ctxt->input->end; +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); + } + } + } +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + col++; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + } + } + last = in; +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + int s, sl; + int cur, l; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + + /* Check 2.6.0 was NXT(0) not RAW */ + if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { +@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + if (len + 5 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, +- "CData section too big found", NULL); +- xmlFree (buf); +- return; +- } + tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); + if (tmp == NULL) { + xmlFree(buf); +@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + } + NEXTL(l); + cur = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, ++ "CData section too big found\n"); ++ xmlFree(buf); ++ return; ++ } + } + buf[len] = 0; + ctxt->instate = XML_PARSER_CONTENT; +-- +GitLab diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch new file mode 100644 index 0000000000..c19726fe9f --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch @@ -0,0 +1,104 @@ +From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Wed, 31 Aug 2022 22:11:25 +0200 +Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity + reference cycles + +When an entity reference cycle is detected, the entity content is +cleared by setting its first byte to zero. But the entity content might +be allocated from a dict. In this case, the dict entry becomes corrupted +leading to all kinds of logic errors, including memory errors like +double-frees. + +Stop storing entity content, orig, ExternalID and SystemID in a dict. +These values are unlikely to occur multiple times in a document, so they +shouldn't have been stored in a dict in the first place. + +Thanks to Ned Williamson and Nathan Wachholz working with Google Project +Zero for the report! + +CVE: CVE-2022-40304 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b] +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + entities.c | 55 ++++++++++++++++-------------------------------------- + 1 file changed, 16 insertions(+), 39 deletions(-) + +diff --git a/entities.c b/entities.c +index 84435515..d4e5412e 100644 +--- a/entities.c ++++ b/entities.c +@@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity) + if ((entity->children) && (entity->owner == 1) && + (entity == (xmlEntityPtr) entity->children->parent)) + xmlFreeNodeList(entity->children); +- if (dict != NULL) { +- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) +- xmlFree((char *) entity->name); +- if ((entity->ExternalID != NULL) && +- (!xmlDictOwns(dict, entity->ExternalID))) +- xmlFree((char *) entity->ExternalID); +- if ((entity->SystemID != NULL) && +- (!xmlDictOwns(dict, entity->SystemID))) +- xmlFree((char *) entity->SystemID); +- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) +- xmlFree((char *) entity->URI); +- if ((entity->content != NULL) +- && (!xmlDictOwns(dict, entity->content))) +- xmlFree((char *) entity->content); +- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) +- xmlFree((char *) entity->orig); +- } else { +- if (entity->name != NULL) +- xmlFree((char *) entity->name); +- if (entity->ExternalID != NULL) +- xmlFree((char *) entity->ExternalID); +- if (entity->SystemID != NULL) +- xmlFree((char *) entity->SystemID); +- if (entity->URI != NULL) +- xmlFree((char *) entity->URI); +- if (entity->content != NULL) +- xmlFree((char *) entity->content); +- if (entity->orig != NULL) +- xmlFree((char *) entity->orig); +- } ++ if ((entity->name != NULL) && ++ ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) ++ xmlFree((char *) entity->name); ++ if (entity->ExternalID != NULL) ++ xmlFree((char *) entity->ExternalID); ++ if (entity->SystemID != NULL) ++ xmlFree((char *) entity->SystemID); ++ if (entity->URI != NULL) ++ xmlFree((char *) entity->URI); ++ if (entity->content != NULL) ++ xmlFree((char *) entity->content); ++ if (entity->orig != NULL) ++ xmlFree((char *) entity->orig); + xmlFree(entity); + } + +@@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, + ret->SystemID = xmlStrdup(SystemID); + } else { + ret->name = xmlDictLookup(dict, name, -1); +- if (ExternalID != NULL) +- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); +- if (SystemID != NULL) +- ret->SystemID = xmlDictLookup(dict, SystemID, -1); ++ ret->ExternalID = xmlStrdup(ExternalID); ++ ret->SystemID = xmlStrdup(SystemID); + } + if (content != NULL) { + ret->length = xmlStrlen(content); +- if ((dict != NULL) && (ret->length < 5)) +- ret->content = (xmlChar *) +- xmlDictLookup(dict, content, ret->length); +- else +- ret->content = xmlStrndup(content, ret->length); ++ ret->content = xmlStrndup(content, ret->length); + } else { + ret->length = 0; + ret->content = NULL; +-- +GitLab diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb index dc62991739..40e3434ead 100644 --- a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb @@ -34,6 +34,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te file://CVE-2022-29824.patch \ file://0001-Port-gentest.py-to-Python-3.patch \ file://CVE-2016-3709.patch \ + file://CVE-2022-40303.patch \ + file://CVE-2022-40304.patch \ " SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813" diff --git a/poky/meta/recipes-core/meta/buildtools-tarball.bb b/poky/meta/recipes-core/meta/buildtools-tarball.bb index faf7108a86..24f5f28589 100644 --- a/poky/meta/recipes-core/meta/buildtools-tarball.bb +++ b/poky/meta/recipes-core/meta/buildtools-tarball.bb @@ -66,7 +66,7 @@ create_sdk_files_append () { # Generate new (mini) sdk-environment-setup file script=${1:-${SDK_OUTPUT}/${SDKPATH}/environment-setup-${SDK_SYS}} touch $script - echo 'export PATH=${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH' >> $script + echo 'export PATH="${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH"' >> $script echo 'export OECORE_NATIVE_SYSROOT="${SDKPATHNATIVE}"' >> $script echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script diff --git a/poky/meta/recipes-core/meta/cve-update-db-native.bb b/poky/meta/recipes-core/meta/cve-update-db-native.bb index 85874ead01..efc32470d3 100644 --- a/poky/meta/recipes-core/meta/cve-update-db-native.bb +++ b/poky/meta/recipes-core/meta/cve-update-db-native.bb @@ -17,6 +17,12 @@ deltask do_populate_sysroot # Use a negative value to skip the update CVE_DB_UPDATE_INTERVAL ?= "86400" +# Timeout for blocking socket operations, such as the connection attempt. +CVE_SOCKET_TIMEOUT ?= "60" +NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-" + +CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db" + python () { if not bb.data.inherits_class("cve-check", d): raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") @@ -28,24 +34,15 @@ python do_fetch() { """ import bb.utils import bb.progress - import sqlite3, urllib, urllib.parse, shutil, gzip - from datetime import date + import shutil bb.utils.export_proxies(d) - BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-" - YEAR_START = 2002 - db_file = d.getVar("CVE_CHECK_DB_FILE") db_dir = os.path.dirname(db_file) + db_tmp_file = d.getVar("CVE_DB_TEMP_FILE") - if os.path.exists("{0}-journal".format(db_file)): - # If a journal is present the last update might have been interrupted. In that case, - # just wipe any leftovers and force the DB to be recreated. - os.remove("{0}-journal".format(db_file)) - - if os.path.exists(db_file): - os.remove(db_file) + cleanup_db_download(db_file, db_tmp_file) # The NVD database changes once a day, so no need to update more frequently # Allow the user to force-update @@ -62,26 +59,81 @@ python do_fetch() { pass bb.utils.mkdirhier(db_dir) + if os.path.exists(db_file): + shutil.copy2(db_file, db_tmp_file) + + if update_db_file(db_tmp_file, d) == True: + # Update downloaded correctly, can swap files + shutil.move(db_tmp_file, db_file) + else: + # Update failed, do not modify the database + bb.note("CVE database update failed") + os.remove(db_tmp_file) +} + +do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" +do_fetch[file-checksums] = "" +do_fetch[vardeps] = "" + +def cleanup_db_download(db_file, db_tmp_file): + """ + Cleanup the download space from possible failed downloads + """ + + # Clean up the updates done on the main file + # Remove it only if a journal file exists - it means a complete re-download + if os.path.exists("{0}-journal".format(db_file)): + # If a journal is present the last update might have been interrupted. In that case, + # just wipe any leftovers and force the DB to be recreated. + os.remove("{0}-journal".format(db_file)) + + if os.path.exists(db_file): + os.remove(db_file) + + # Clean-up the temporary file downloads, we can remove both journal + # and the temporary database + if os.path.exists("{0}-journal".format(db_tmp_file)): + # If a journal is present the last update might have been interrupted. In that case, + # just wipe any leftovers and force the DB to be recreated. + os.remove("{0}-journal".format(db_tmp_file)) + + if os.path.exists(db_tmp_file): + os.remove(db_tmp_file) + +def update_db_file(db_tmp_file, d): + """ + Update the given database file + """ + import bb.utils, bb.progress + from datetime import date + import urllib, gzip, sqlite3 + + YEAR_START = 2002 + cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT")) # Connect to database - conn = sqlite3.connect(db_file) + conn = sqlite3.connect(db_tmp_file) initialize_db(conn) with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: total_years = date.today().year + 1 - YEAR_START for i, year in enumerate(range(YEAR_START, date.today().year + 1)): + bb.debug(2, "Updating %d" % year) ph.update((float(i + 1) / total_years) * 100) - year_url = BASE_URL + str(year) + year_url = (d.getVar('NVDCVE_URL')) + str(year) meta_url = year_url + ".meta" json_url = year_url + ".json.gz" # Retrieve meta last modified date try: - response = urllib.request.urlopen(meta_url) + response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout) except urllib.error.URLError as e: cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n') - bb.warn("Failed to fetch CVE data (%s)" % e.reason) - return + bb.warn("Failed to fetch CVE data (%s)" % e) + import socket + result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP) + bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result))) + return False if response: for l in response.read().decode("utf-8").splitlines(): @@ -91,7 +143,7 @@ python do_fetch() { break else: bb.warn("Cannot parse CVE metadata, update failed") - return + return False # Compare with current db last modified date cursor = conn.execute("select DATE from META where YEAR = ?", (year,)) @@ -99,31 +151,29 @@ python do_fetch() { cursor.close() if not meta or meta[0] != last_modified: + bb.debug(2, "Updating entries") # Clear products table entries corresponding to current year conn.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)).close() # Update db with current year json file try: - response = urllib.request.urlopen(json_url) + response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout) if response: update_db(conn, gzip.decompress(response.read()).decode('utf-8')) conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() except urllib.error.URLError as e: cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) - return - + return False + else: + bb.debug(2, "Already up to date (last modified %s)" % last_modified) # Update success, set the date to cve_check file. if year == date.today().year: cve_f.write('CVE database update : %s\n\n' % date.today()) conn.commit() conn.close() -} - -do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" -do_fetch[file-checksums] = "" -do_fetch[vardeps] = "" + return True def initialize_db(conn): with conn: diff --git a/poky/meta/recipes-core/ovmf/ovmf/0001-Basetools-genffs-fix-gcc12-warning.patch b/poky/meta/recipes-core/ovmf/ovmf/0001-Basetools-genffs-fix-gcc12-warning.patch new file mode 100644 index 0000000000..4418d52898 --- /dev/null +++ b/poky/meta/recipes-core/ovmf/ovmf/0001-Basetools-genffs-fix-gcc12-warning.patch @@ -0,0 +1,49 @@ +From 7b005f344e533cd913c3ca05b266f9872df886d1 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Thu, 24 Mar 2022 20:04:34 +0800 +Subject: [PATCH] BaseTools: fix gcc12 warning + +GenFfs.c:545:5: error: pointer ?InFileHandle? used after ?fclose? [-Werror=use-after-free] + 545 | Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +GenFfs.c:544:5: note: call to ?fclose? here + 544 | fclose (InFileHandle); + | ^~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Bob Feng <bob.c.feng@intel.com> + +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/7b005f344e533cd913c3ca05b266f9872df886d1] +Signed-off-by: Steve Sakoman <steve@sakoman.com> + +--- + BaseTools/Source/C/GenFfs/GenFfs.c | 2 +- + BaseTools/Source/C/GenSec/GenSec.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/BaseTools/Source/C/GenFfs/GenFfs.c b/BaseTools/Source/C/GenFfs/GenFfs.c +index 949025c33325..d78d62ab3689 100644 +--- a/BaseTools/Source/C/GenFfs/GenFfs.c ++++ b/BaseTools/Source/C/GenFfs/GenFfs.c +@@ -542,7 +542,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment) + PeFileBuffer = (UINT8 *) malloc (PeFileSize);
+ if (PeFileBuffer == NULL) {
+ fclose (InFileHandle);
+- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
+ return EFI_OUT_OF_RESOURCES;
+ }
+ fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);
+diff --git a/BaseTools/Source/C/GenSec/GenSec.c b/BaseTools/Source/C/GenSec/GenSec.c +index d54a4f9e0a7d..b1d05367ec0b 100644 +--- a/BaseTools/Source/C/GenSec/GenSec.c ++++ b/BaseTools/Source/C/GenSec/GenSec.c +@@ -1062,7 +1062,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment) + PeFileBuffer = (UINT8 *) malloc (PeFileSize);
+ if (PeFileBuffer == NULL) {
+ fclose (InFileHandle);
+- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
+ return EFI_OUT_OF_RESOURCES;
+ }
+ fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);
diff --git a/poky/meta/recipes-core/ovmf/ovmf/0001-Basetools-lzmaenc-fix-gcc12-warning.patch b/poky/meta/recipes-core/ovmf/ovmf/0001-Basetools-lzmaenc-fix-gcc12-warning.patch new file mode 100644 index 0000000000..a6ef87aa79 --- /dev/null +++ b/poky/meta/recipes-core/ovmf/ovmf/0001-Basetools-lzmaenc-fix-gcc12-warning.patch @@ -0,0 +1,53 @@ +From 24551a99d1f765c891a4dc21a36f18ccbf56e612 Mon Sep 17 00:00:00 2001 +From: Steve Sakoman <steve@sakoman.com> +Date: Tue, 10 Jan 2023 06:15:00 -1000 +Subject: [PATCH] BaseTools: fix gcc12 warning + +Sdk/C/LzmaEnc.c: In function ?LzmaEnc_CodeOneMemBlock?: +Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*p.rc.outStream? [-Werror=dangling-pointer=] + 2828 | p->rc.outStream = &outStream.vt; + | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here + 2811 | CLzmaEnc_SeqOutStreamBuf outStream; + | ^~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here +Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*(CLzmaEnc *)pp.rc.outStream? [-Werror=dangling-pointer=] + 2828 | p->rc.outStream = &outStream.vt; + | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here + 2811 | CLzmaEnc_SeqOutStreamBuf outStream; + | ^~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here +cc1: all warnings being treated as errors + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Bob Feng <bob.c.feng@intel.com> + +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/85021f8cf22d1bd4114803c6c610dea5ef0059f1] +Signed-off-by: Steve Sakoman <steve@sakoman.com> +--- + BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c +index e281716fee..b575c4f888 100644 +--- a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c ++++ b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c +@@ -2638,12 +2638,13 @@ SRes LzmaEnc_CodeOneMemBlock(CLzmaEncHandle pp, Bool reInit, +
+ nowPos64 = p->nowPos64;
+ RangeEnc_Init(&p->rc);
+- p->rc.outStream = &outStream.vt;
+
+ if (desiredPackSize == 0)
+ return SZ_ERROR_OUTPUT_EOF;
+
++ p->rc.outStream = &outStream.vt;
+ res = LzmaEnc_CodeOneBlock(p, desiredPackSize, *unpackSize);
++ p->rc.outStream = NULL;
+
+ *unpackSize = (UInt32)(p->nowPos64 - nowPos64);
+ *destLen -= outStream.rem;
+-- +2.25.1 + diff --git a/poky/meta/recipes-core/ovmf/ovmf/0001-Basetools-turn-off-gcc12-warning.patch b/poky/meta/recipes-core/ovmf/ovmf/0001-Basetools-turn-off-gcc12-warning.patch new file mode 100644 index 0000000000..73a432684c --- /dev/null +++ b/poky/meta/recipes-core/ovmf/ovmf/0001-Basetools-turn-off-gcc12-warning.patch @@ -0,0 +1,41 @@ +From 22130dcd98b4d4b76ac8d922adb4a2dbc86fa52c Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Thu, 24 Mar 2022 20:04:36 +0800 +Subject: [PATCH] Basetools: turn off gcc12 warning + +In function ?SetDevicePathEndNode?, + inlined from ?FileDevicePath? at DevicePathUtilities.c:857:5: +DevicePathUtilities.c:321:3: error: writing 4 bytes into a region of size 1 [-Werror=stringop-overflow=] + 321 | memcpy (Node, &mUefiDevicePathLibEndDevicePath, sizeof (mUefiDevicePathLibEndDevicePath)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from UefiDevicePathLib.h:22, + from DevicePathUtilities.c:16: +../Include/Protocol/DevicePath.h: In function ?FileDevicePath?: +../Include/Protocol/DevicePath.h:51:9: note: destination object ?Type? of size 1 + 51 | UINT8 Type; ///< 0x01 Hardware Device Path. + | ^~~~ + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Bob Feng <bob.c.feng@intel.com> + +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/22130dcd98b4d4b76ac8d922adb4a2dbc86fa52c] +Signed-off-by: Steve Sakoman <steve@sakoman.com> + +--- + BaseTools/Source/C/DevicePath/GNUmakefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/BaseTools/Source/C/DevicePath/GNUmakefile b/BaseTools/Source/C/DevicePath/GNUmakefile +index 7ca08af9662d..b05d2bddfa68 100644 +--- a/BaseTools/Source/C/DevicePath/GNUmakefile ++++ b/BaseTools/Source/C/DevicePath/GNUmakefile +@@ -13,6 +13,9 @@ OBJECTS = DevicePath.o UefiDevicePathLib.o DevicePathFromText.o DevicePathUtili +
+ include $(MAKEROOT)/Makefiles/app.makefile
+
++# gcc 12 trips over device path handling
++BUILD_CFLAGS += -Wno-error=stringop-overflow
++
+ LIBS = -lCommon
+ ifeq ($(CYGWIN), CYGWIN)
+ LIBS += -L/lib/e2fsprogs -luuid
diff --git a/poky/meta/recipes-core/ovmf/ovmf_git.bb b/poky/meta/recipes-core/ovmf/ovmf_git.bb index b00119313b..a487f77e3c 100644 --- a/poky/meta/recipes-core/ovmf/ovmf_git.bb +++ b/poky/meta/recipes-core/ovmf/ovmf_git.bb @@ -18,6 +18,9 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://0003-ovmf-enable-long-path-file.patch \ file://0004-ovmf-Update-to-latest.patch \ file://0001-Fix-VLA-parameter-warning.patch \ + file://0001-Basetools-genffs-fix-gcc12-warning.patch \ + file://0001-Basetools-lzmaenc-fix-gcc12-warning.patch \ + file://0001-Basetools-turn-off-gcc12-warning.patch \ " PV = "edk2-stable202008" diff --git a/poky/meta/recipes-core/psplash/files/psplash-start.service b/poky/meta/recipes-core/psplash/files/psplash-start.service index 36c2bb38e0..bec9368427 100644 --- a/poky/meta/recipes-core/psplash/files/psplash-start.service +++ b/poky/meta/recipes-core/psplash/files/psplash-start.service @@ -2,6 +2,7 @@ Description=Start psplash boot splash screen DefaultDependencies=no RequiresMountsFor=/run +ConditionFileIsExecutable=/usr/bin/psplash [Service] Type=notify diff --git a/poky/meta/recipes-core/psplash/files/psplash-systemd.service b/poky/meta/recipes-core/psplash/files/psplash-systemd.service index 082207f232..e93e3deb35 100644 --- a/poky/meta/recipes-core/psplash/files/psplash-systemd.service +++ b/poky/meta/recipes-core/psplash/files/psplash-systemd.service @@ -4,6 +4,7 @@ DefaultDependencies=no After=psplash-start.service Requires=psplash-start.service RequiresMountsFor=/run +ConditionFileIsExecutable=/usr/bin/psplash [Service] ExecStart=/usr/bin/psplash-systemd diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch new file mode 100644 index 0000000000..f9c6704cfc --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch @@ -0,0 +1,47 @@ +From 9102c625a673a3246d7e73d8737f3494446bad4e Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Thu, 7 Jul 2022 18:27:02 +0900 +Subject: [PATCH] time-util: fix buffer-over-run + +Fixes #23928. + +CVE: CVE-2022-3821 +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/9102c625a673a3246d7e73d8737f3494446bad4e.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> +Comment: Both the hunks refreshed to backport + +--- + src/basic/time-util.c | 2 +- + src/test/test-time-util.c | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/basic/time-util.c b/src/basic/time-util.c +index abbc4ad5cd70..26d59de12348 100644 +--- a/src/basic/time-util.c ++++ b/src/basic/time-util.c +@@ -514,7 +514,7 @@ char *format_timespan(char *buf, size_t + t = b; + } + +- n = MIN((size_t) k, l); ++ n = MIN((size_t) k, l-1); + + l -= n; + p += n; +diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c +index e8e4e2a67bb1..58c5fa9be40c 100644 +--- a/src/test/test-time-util.c ++++ b/src/test/test-time-util.c +@@ -501,6 +501,12 @@ int main(int argc, char *argv[]) { + test_format_timespan(1); + test_format_timespan(USEC_PER_MSEC); + test_format_timespan(USEC_PER_SEC); ++ ++ /* See issue #23928. */ ++ _cleanup_free_ char *buf; ++ assert_se(buf = new(char, 5)); ++ assert_se(buf == format_timespan(buf, 5, 100005, 1000)); ++ + test_timezone_is_valid(); + test_get_timezones(); + test_usec_add(); diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch new file mode 100644 index 0000000000..39f9480cf8 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch @@ -0,0 +1,115 @@ +From 612ebf6c913dd0e4197c44909cb3157f5c51a2f0 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Mon, 31 Aug 2020 19:37:13 +0200 +Subject: [PATCH] pager: set $LESSSECURE whenver we invoke a pager + +Some extra safety when invoked via "sudo". With this we address a +genuine design flaw of sudo, and we shouldn't need to deal with this. +But it's still a good idea to disable this surface given how exotic it +is. + +Prompted by #5666 + +CVE: CVE-2023-26604 +Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/612ebf6c913dd0e4197c44909cb3157f5c51a2f0] +Comments: Hunk not refreshed +Signed-off-by: rajmohan r <rajmohan.r@kpit.com> +--- + man/less-variables.xml | 9 +++++++++ + man/systemctl.xml | 1 + + man/systemd.xml | 1 + + src/shared/pager.c | 23 +++++++++++++++++++++-- + 4 files changed, 32 insertions(+), 2 deletions(-) + +diff --git a/man/less-variables.xml b/man/less-variables.xml +index 08e513c99f8e..c52511ca8e18 100644 +--- a/man/less-variables.xml ++++ b/man/less-variables.xml +@@ -64,6 +64,15 @@ + the invoking terminal is determined to be UTF-8 compatible).</para></listitem> + </varlistentry> + ++ <varlistentry id='lesssecure'> ++ <term><varname>$SYSTEMD_LESSSECURE</varname></term> ++ ++ <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment ++ variable when invoking the pager, which controls the "secure" mode of less (which disables commands ++ such as <literal>|</literal> which allow to easily shell out to external command lines). By default ++ less secure mode is enabled, with this setting it may be disabled.</para></listitem> ++ </varlistentry> ++ + <varlistentry id='colors'> + <term><varname>$SYSTEMD_COLORS</varname></term> + +diff --git a/man/systemctl.xml b/man/systemctl.xml +index 1c5502883700..a3f0c3041a57 100644 +--- a/man/systemctl.xml ++++ b/man/systemctl.xml +@@ -2240,6 +2240,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + <xi:include href="less-variables.xml" xpointer="pager"/> + <xi:include href="less-variables.xml" xpointer="less"/> + <xi:include href="less-variables.xml" xpointer="lesscharset"/> ++ <xi:include href="less-variables.xml" xpointer="lesssecure"/> + <xi:include href="less-variables.xml" xpointer="colors"/> + <xi:include href="less-variables.xml" xpointer="urlify"/> + </refsect1> +diff --git a/man/systemd.xml b/man/systemd.xml +index a9040545c2ab..c92cfef77689 100644 +--- a/man/systemd.xml ++++ b/man/systemd.xml +@@ -692,6 +692,7 @@ + <xi:include href="less-variables.xml" xpointer="pager"/> + <xi:include href="less-variables.xml" xpointer="less"/> + <xi:include href="less-variables.xml" xpointer="lesscharset"/> ++ <xi:include href="less-variables.xml" xpointer="lesssecure"/> + <xi:include href="less-variables.xml" xpointer="colors"/> + <xi:include href="less-variables.xml" xpointer="urlify"/> + +diff --git a/src/shared/pager.c b/src/shared/pager.c +index e03be6d23b2d..9c21881241f5 100644 +--- a/src/shared/pager.c ++++ b/src/shared/pager.c +@@ -9,6 +9,7 @@ + #include <unistd.h> + + #include "copy.h" ++#include "env-util.h" + #include "fd-util.h" + #include "fileio.h" + #include "io-util.h" +@@ -152,8 +153,7 @@ int pager_open(PagerFlags flags) { + _exit(EXIT_FAILURE); + } + +- /* Initialize a good charset for less. This is +- * particularly important if we output UTF-8 ++ /* Initialize a good charset for less. This is particularly important if we output UTF-8 + * characters. */ + less_charset = getenv("SYSTEMD_LESSCHARSET"); + if (!less_charset && is_locale_utf8()) +@@ -164,6 +164,25 @@ int pager_open(PagerFlags flags) { + _exit(EXIT_FAILURE); + } + ++ /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out ++ * privileged stuff. */ ++ r = getenv_bool("SYSTEMD_LESSSECURE"); ++ if (r == 0) { /* Remove env var if off */ ++ if (unsetenv("LESSSECURE") < 0) { ++ log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m"); ++ _exit(EXIT_FAILURE); ++ } ++ } else { ++ /* Set env var otherwise */ ++ if (r < 0) ++ log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m"); ++ ++ if (setenv("LESSSECURE", "1", 1) < 0) { ++ log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m"); ++ _exit(EXIT_FAILURE); ++ } ++ } ++ + if (pager_args) { + r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false); + if (r < 0) { diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch new file mode 100644 index 0000000000..95da7cfad6 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch @@ -0,0 +1,264 @@ +From 1b5b507cd2d1d7a2b053151abb548475ad9c5c3b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> +Date: Mon, 12 Oct 2020 18:57:32 +0200 +Subject: [PATCH] test-login: always test sd_pid_get_owner_uid(), modernize + +A long time some function only worked when in a session, and the test +didn't execute them when sd_pid_get_session() failed. Let's always call +them to increase coverage. + +While at it, let's test for ==0 not >=0 where we don't expect the function +to return anything except 0 or error. + +CVE: CVE-2023-26604 +Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/1b5b507cd2d1d7a2b053151abb548475ad9c5c3b.patch] +Comments: Hunk not refreshed +Signed-off-by: rajmohan r <rajmohan.r@kpit.com> +--- + src/libsystemd/sd-login/test-login.c | 131 ++++++++++++++------------- + 1 file changed, 70 insertions(+), 61 deletions(-) + +diff --git a/src/libsystemd/sd-login/test-login.c b/src/libsystemd/sd-login/test-login.c +index c0c77e04714b..0494fc77ba18 100644 +--- a/src/libsystemd/sd-login/test-login.c ++++ b/src/libsystemd/sd-login/test-login.c +@@ -5,21 +5,22 @@ + #include "sd-login.h" + + #include "alloc-util.h" ++#include "errno-list.h" + #include "fd-util.h" + #include "format-util.h" + #include "log.h" + #include "string-util.h" + #include "strv.h" + #include "time-util.h" +-#include "util.h" ++#include "user-util.h" + + static char* format_uids(char **buf, uid_t* uids, int count) { +- int pos = 0, k, inc; ++ int pos = 0, inc; + size_t size = (DECIMAL_STR_MAX(uid_t) + 1) * count + 1; + + assert_se(*buf = malloc(size)); + +- for (k = 0; k < count; k++) { ++ for (int k = 0; k < count; k++) { + sprintf(*buf + pos, "%s"UID_FMT"%n", k > 0 ? " " : "", uids[k], &inc); + pos += inc; + } +@@ -30,6 +31,10 @@ static char* format_uids(char **buf, uid_t* uids, int count) { + return *buf; + } + ++static const char *e(int r) { ++ return r == 0 ? "OK" : errno_to_name(r); ++} ++ + static void test_login(void) { + _cleanup_close_pair_ int pair[2] = { -1, -1 }; + _cleanup_free_ char *pp = NULL, *qq = NULL, +@@ -39,65 +44,71 @@ static void test_login(void) { + *seat = NULL, *session = NULL, + *unit = NULL, *user_unit = NULL, *slice = NULL; + int r; +- uid_t u, u2; +- char *t, **seats, **sessions; ++ uid_t u, u2 = UID_INVALID; ++ char *t, **seats = NULL, **sessions = NULL; + + r = sd_pid_get_unit(0, &unit); +- assert_se(r >= 0 || r == -ENODATA); +- log_info("sd_pid_get_unit(0, …) → \"%s\"", strna(unit)); ++ log_info("sd_pid_get_unit(0, …) → %s / \"%s\"", e(r), strnull(unit)); ++ assert_se(IN_SET(r, 0, -ENODATA)); + + r = sd_pid_get_user_unit(0, &user_unit); +- assert_se(r >= 0 || r == -ENODATA); +- log_info("sd_pid_get_user_unit(0, …) → \"%s\"", strna(user_unit)); ++ log_info("sd_pid_get_user_unit(0, …) → %s / \"%s\"", e(r), strnull(user_unit)); ++ assert_se(IN_SET(r, 0, -ENODATA)); + + r = sd_pid_get_slice(0, &slice); +- assert_se(r >= 0 || r == -ENODATA); +- log_info("sd_pid_get_slice(0, …) → \"%s\"", strna(slice)); ++ log_info("sd_pid_get_slice(0, …) → %s / \"%s\"", e(r), strnull(slice)); ++ assert_se(IN_SET(r, 0, -ENODATA)); ++ ++ r = sd_pid_get_owner_uid(0, &u2); ++ log_info("sd_pid_get_owner_uid(0, …) → %s / "UID_FMT, e(r), u2); ++ assert_se(IN_SET(r, 0, -ENODATA)); + + r = sd_pid_get_session(0, &session); +- if (r < 0) { +- log_warning_errno(r, "sd_pid_get_session(0, …): %m"); +- if (r == -ENODATA) +- log_info("Seems we are not running in a session, skipping some tests."); +- } else { +- log_info("sd_pid_get_session(0, …) → \"%s\"", session); +- +- assert_se(sd_pid_get_owner_uid(0, &u2) == 0); +- log_info("sd_pid_get_owner_uid(0, …) → "UID_FMT, u2); +- +- assert_se(sd_pid_get_cgroup(0, &cgroup) == 0); +- log_info("sd_pid_get_cgroup(0, …) → \"%s\"", cgroup); +- +- r = sd_uid_get_display(u2, &display_session); +- assert_se(r >= 0 || r == -ENODATA); +- log_info("sd_uid_get_display("UID_FMT", …) → \"%s\"", +- u2, strnull(display_session)); +- +- assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == 0); +- sd_peer_get_session(pair[0], &pp); +- sd_peer_get_session(pair[1], &qq); +- assert_se(streq_ptr(pp, qq)); +- +- r = sd_uid_get_sessions(u2, false, &sessions); ++ log_info("sd_pid_get_session(0, …) → %s / \"%s\"", e(r), strnull(session)); ++ ++ r = sd_pid_get_cgroup(0, &cgroup); ++ log_info("sd_pid_get_cgroup(0, …) → %s / \"%s\"", e(r), strnull(cgroup)); ++ assert_se(r == 0); ++ ++ r = sd_uid_get_display(u2, &display_session); ++ log_info("sd_uid_get_display("UID_FMT", …) → %s / \"%s\"", u2, e(r), strnull(display_session)); ++ if (u2 == UID_INVALID) ++ assert_se(r == -EINVAL); ++ else ++ assert_se(IN_SET(r, 0, -ENODATA)); ++ ++ assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == 0); ++ sd_peer_get_session(pair[0], &pp); ++ sd_peer_get_session(pair[1], &qq); ++ assert_se(streq_ptr(pp, qq)); ++ ++ r = sd_uid_get_sessions(u2, false, &sessions); ++ assert_se(t = strv_join(sessions, " ")); ++ log_info("sd_uid_get_sessions("UID_FMT", …) → %s \"%s\"", u2, e(r), t); ++ if (u2 == UID_INVALID) ++ assert_se(r == -EINVAL); ++ else { + assert_se(r >= 0); + assert_se(r == (int) strv_length(sessions)); +- assert_se(t = strv_join(sessions, " ")); +- strv_free(sessions); +- log_info("sd_uid_get_sessions("UID_FMT", …) → [%i] \"%s\"", u2, r, t); +- free(t); ++ } ++ sessions = strv_free(sessions); ++ free(t); + +- assert_se(r == sd_uid_get_sessions(u2, false, NULL)); ++ assert_se(r == sd_uid_get_sessions(u2, false, NULL)); + +- r = sd_uid_get_seats(u2, false, &seats); ++ r = sd_uid_get_seats(u2, false, &seats); ++ assert_se(t = strv_join(seats, " ")); ++ log_info("sd_uid_get_seats("UID_FMT", …) → %s \"%s\"", u2, e(r), t); ++ if (u2 == UID_INVALID) ++ assert_se(r == -EINVAL); ++ else { + assert_se(r >= 0); + assert_se(r == (int) strv_length(seats)); +- assert_se(t = strv_join(seats, " ")); +- strv_free(seats); +- log_info("sd_uid_get_seats("UID_FMT", …) → [%i] \"%s\"", u2, r, t); +- free(t); +- +- assert_se(r == sd_uid_get_seats(u2, false, NULL)); + } ++ seats = strv_free(seats); ++ free(t); ++ ++ assert_se(r == sd_uid_get_seats(u2, false, NULL)); + + if (session) { + r = sd_session_is_active(session); +@@ -109,7 +120,7 @@ static void test_login(void) { + log_info("sd_session_is_remote(\"%s\") → %s", session, yes_no(r)); + + r = sd_session_get_state(session, &state); +- assert_se(r >= 0); ++ assert_se(r == 0); + log_info("sd_session_get_state(\"%s\") → \"%s\"", session, state); + + assert_se(sd_session_get_uid(session, &u) >= 0); +@@ -123,16 +134,16 @@ static void test_login(void) { + log_info("sd_session_get_class(\"%s\") → \"%s\"", session, class); + + r = sd_session_get_display(session, &display); +- assert_se(r >= 0 || r == -ENODATA); ++ assert_se(IN_SET(r, 0, -ENODATA)); + log_info("sd_session_get_display(\"%s\") → \"%s\"", session, strna(display)); + + r = sd_session_get_remote_user(session, &remote_user); +- assert_se(r >= 0 || r == -ENODATA); ++ assert_se(IN_SET(r, 0, -ENODATA)); + log_info("sd_session_get_remote_user(\"%s\") → \"%s\"", + session, strna(remote_user)); + + r = sd_session_get_remote_host(session, &remote_host); +- assert_se(r >= 0 || r == -ENODATA); ++ assert_se(IN_SET(r, 0, -ENODATA)); + log_info("sd_session_get_remote_host(\"%s\") → \"%s\"", + session, strna(remote_host)); + +@@ -161,7 +172,7 @@ static void test_login(void) { + assert_se(r == -ENODATA); + } + +- assert_se(sd_uid_get_state(u, &state2) >= 0); ++ assert_se(sd_uid_get_state(u, &state2) == 0); + log_info("sd_uid_get_state("UID_FMT", …) → %s", u, state2); + } + +@@ -173,11 +184,11 @@ static void test_login(void) { + assert_se(sd_uid_is_on_seat(u, 0, seat) > 0); + + r = sd_seat_get_active(seat, &session2, &u2); +- assert_se(r >= 0); ++ assert_se(r == 0); + log_info("sd_seat_get_active(\"%s\", …) → \"%s\", "UID_FMT, seat, session2, u2); + + r = sd_uid_is_on_seat(u, 1, seat); +- assert_se(r >= 0); ++ assert_se(IN_SET(r, 0, 1)); + assert_se(!!r == streq(session, session2)); + + r = sd_seat_get_sessions(seat, &sessions, &uids, &n); +@@ -185,8 +196,8 @@ static void test_login(void) { + assert_se(r == (int) strv_length(sessions)); + assert_se(t = strv_join(sessions, " ")); + strv_free(sessions); +- log_info("sd_seat_get_sessions(\"%s\", …) → %i, \"%s\", [%i] {%s}", +- seat, r, t, n, format_uids(&buf, uids, n)); ++ log_info("sd_seat_get_sessions(\"%s\", …) → %s, \"%s\", [%u] {%s}", ++ seat, e(r), t, n, format_uids(&buf, uids, n)); + free(t); + + assert_se(sd_seat_get_sessions(seat, NULL, NULL, NULL) == r); +@@ -204,7 +215,7 @@ static void test_login(void) { + + r = sd_seat_get_active(NULL, &t, NULL); + assert_se(IN_SET(r, 0, -ENODATA)); +- log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s", strnull(t)); ++ log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s / \"%s\"", e(r), strnull(t)); + free(t); + + r = sd_get_sessions(&sessions); +@@ -244,13 +255,11 @@ static void test_login(void) { + + static void test_monitor(void) { + sd_login_monitor *m = NULL; +- unsigned n; + int r; + +- r = sd_login_monitor_new("session", &m); +- assert_se(r >= 0); ++ assert_se(sd_login_monitor_new("session", &m) == 0); + +- for (n = 0; n < 5; n++) { ++ for (unsigned n = 0; n < 5; n++) { + struct pollfd pollfd = {}; + usec_t timeout, nw; diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch new file mode 100644 index 0000000000..f02f62b772 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch @@ -0,0 +1,182 @@ +From 0a42426d797406b4b01a0d9c13bb759c2629d108 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> +Date: Wed, 7 Oct 2020 11:15:05 +0200 +Subject: [PATCH] pager: make pager secure when under euid is changed or + explicitly requested + +The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about +less now), and we automatically enable secure mode in certain cases, but not +otherwise. + +This approach is more nuanced, but should provide a better experience for +users: + +- Previusly we would set LESSSECURE=1 and trust the pager to make use of + it. But this has an effect only on less. We need to not start pagers which + are insecure when in secure mode. In particular more is like that and is a + very popular pager. + +- We don't enable secure mode always, which means that those other pagers can + reasonably used. + +- We do the right thing by default, but the user has ultimate control by + setting SYSTEMD_PAGERSECURE. + +Fixes #5666. + +v2: +- also check $PKEXEC_UID + +v3: +- use 'sd_pid_get_owner_uid() != geteuid()' as the condition + +CVE: CVE-2023-26604 +Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/0a42426d797406b4b01a0d9c13bb759c2629d108] +Comments: Hunk refreshed +Signed-off-by: rajmohan r <rajmohan.r@kpit.com> +--- + man/less-variables.xml | 30 +++++++++++++++---- + src/shared/pager.c | 63 ++++++++++++++++++++++++++------------- + 2 files changed, 66 insertions(+), 27 deletions(-) + +diff --git a/man/less-variables.xml b/man/less-variables.xml +index c52511c..049e9f7 100644 +--- a/man/less-variables.xml ++++ b/man/less-variables.xml +@@ -65,12 +65,30 @@ + </varlistentry> + + <varlistentry id='lesssecure'> +- <term><varname>$SYSTEMD_LESSSECURE</varname></term> +- +- <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment +- variable when invoking the pager, which controls the "secure" mode of less (which disables commands +- such as <literal>|</literal> which allow to easily shell out to external command lines). By default +- less secure mode is enabled, with this setting it may be disabled.</para></listitem> ++ <term><varname>$SYSTEMD_PAGERSECURE</varname></term> ++ ++ <listitem><para>Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if ++ false, disabled. If <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, secure mode is enabled ++ if the effective UID is not the same as the owner of the login session, see <citerefentry ++ project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry> and ++ <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>. ++ In secure mode, <option>LESSSECURE=1</option> will be set when invoking the pager, and the pager shall ++ disable commands that open or create new files or start new subprocesses. When ++ <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, pagers which are not known to implement ++ secure mode will not be used. (Currently only ++ <citerefentry><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> implements ++ secure mode.)</para> ++ ++ <para>Note: when commands are invoked with elevated privileges, for example under <citerefentry ++ project='man-pages'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or ++ <citerefentry ++ project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, care ++ must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the ++ pager may be enabled automatically as describe above. Setting <varname>SYSTEMD_PAGERSECURE=0</varname> ++ or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note ++ that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to be ++ honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too. It might be reasonable to completly ++ disable the pager using <option>--no-pager</option> instead.</para></listitem> + </varlistentry> + + <varlistentry id='colors'> +diff --git a/src/shared/pager.c b/src/shared/pager.c +index a3b6576..a72d9ea 100644 +--- a/src/shared/pager.c ++++ b/src/shared/pager.c +@@ -8,6 +8,8 @@ + #include <sys/prctl.h> + #include <unistd.h> + ++#include "sd-login.h" ++ + #include "copy.h" + #include "env-util.h" + #include "fd-util.h" +@@ -164,25 +166,42 @@ int pager_open(PagerFlags flags) { + } + + /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out +- * privileged stuff. */ +- r = getenv_bool("SYSTEMD_LESSSECURE"); +- if (r == 0) { /* Remove env var if off */ +- if (unsetenv("LESSSECURE") < 0) { +- log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m"); +- _exit(EXIT_FAILURE); +- } +- } else { +- /* Set env var otherwise */ ++ * privileged stuff. If the user set $SYSTEMD_PAGERSECURE, trust their configuration of the ++ * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE ++ * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we ++ * know to be good. */ ++ int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE"); ++ bool trust_pager = use_secure_mode >= 0; ++ if (use_secure_mode == -ENXIO) { ++ uid_t uid; ++ ++ r = sd_pid_get_owner_uid(0, &uid); + if (r < 0) +- log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m"); ++ log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m"); + +- if (setenv("LESSSECURE", "1", 1) < 0) { +- log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m"); +- _exit(EXIT_FAILURE); +- } ++ use_secure_mode = r < 0 || uid != geteuid(); ++ ++ } else if (use_secure_mode < 0) { ++ log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m"); ++ use_secure_mode = true; + } + +- if (pager_args) { ++ /* We generally always set variables used by less, even if we end up using a different pager. ++ * They shouldn't hurt in any case, and ideally other pagers would look at them too. */ ++ if (use_secure_mode) ++ r = setenv("LESSSECURE", "1", 1); ++ else ++ r = unsetenv("LESSSECURE"); ++ if (r < 0) { ++ log_error_errno(errno, "Failed to adjust environment variable LESSSECURE: %m"); ++ _exit(EXIT_FAILURE); ++ } ++ ++ if (trust_pager && pager_args) { /* The pager config might be set globally, and we cannot ++ * know if the user adjusted it to be appropriate for the ++ * secure mode. Thus, start the pager specified through ++ * envvars only when $SYSTEMD_PAGERSECURE was explicitly set ++ * as well. */ + r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false); + if (r < 0) { + log_error_errno(r, "Failed to write pager name to socket: %m"); +@@ -194,13 +213,14 @@ int pager_open(PagerFlags flags) { + "Failed to execute '%s', using fallback pagers: %m", pager_args[0]); + } + +- /* Debian's alternatives command for pagers is +- * called 'pager'. Note that we do not call +- * sensible-pagers here, since that is just a +- * shell script that implements a logic that +- * is similar to this one anyway, but is +- * Debian-specific. */ ++ /* Debian's alternatives command for pagers is called 'pager'. Note that we do not call ++ * sensible-pagers here, since that is just a shell script that implements a logic that is ++ * similar to this one anyway, but is Debian-specific. */ + FOREACH_STRING(exe, "pager", "less", "more") { ++ /* Only less implements secure mode right now. */ ++ if (use_secure_mode && !streq(exe, "less")) ++ continue; ++ + r = loop_write(exe_name_pipe[1], exe, strlen(exe) + 1, false); + if (r < 0) { + log_error_errno(r, "Failed to write pager name to socket: %m"); +@@ -211,6 +231,7 @@ int pager_open(PagerFlags flags) { + "Failed to execute '%s', using next fallback pager: %m", exe); + } + ++ /* Our builtin is also very secure. */ + r = loop_write(exe_name_pipe[1], "(built-in)", strlen("(built-in)") + 1, false); + if (r < 0) { + log_error_errno(r, "Failed to write pager name to socket: %m"); diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch new file mode 100644 index 0000000000..bc6b0a91c2 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch @@ -0,0 +1,32 @@ +From b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Thu, 15 Oct 2020 10:54:48 +0200 +Subject: [PATCH] pager: lets check SYSTEMD_PAGERSECURE with secure_getenv() + +I can't think of any real vulnerability about this, but it still feels +better to check a variable with "secure" in its name with +secure_getenv() rather than plain getenv(). + +Paranoia FTW! + +CVE: CVE-2023-26604 +Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17359/commits/b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c] +Comments: Hunk refreshed +Signed-off-by: rajmohan r <rajmohan.r@kpit.com> +--- + src/shared/pager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/pager.c b/src/shared/pager.c +index a72d9ea..250519c 100644 +--- a/src/shared/pager.c ++++ b/src/shared/pager.c +@@ -170,7 +170,7 @@ int pager_open(PagerFlags flags) { + * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE + * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we + * know to be good. */ +- int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE"); ++ int use_secure_mode = getenv_bool_secure("SYSTEMD_PAGERSECURE"); + bool trust_pager = use_secure_mode >= 0; + if (use_secure_mode == -ENXIO) { + uid_t uid; diff --git a/poky/meta/recipes-core/systemd/systemd/systemd-pager.sh b/poky/meta/recipes-core/systemd/systemd/systemd-pager.sh new file mode 100644 index 0000000000..86e3e0ab78 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/systemd-pager.sh @@ -0,0 +1,7 @@ +# Systemd expect a color capable pager, however the less provided +# by busybox is not. This make many interaction with systemd pretty +# annoying. As a workaround we disable the systemd pager if less +# is not the GNU version. +if ! less -V > /dev/null 2>&1 ; then + export SYSTEMD_PAGER= +fi diff --git a/poky/meta/recipes-core/systemd/systemd_244.5.bb b/poky/meta/recipes-core/systemd/systemd_244.5.bb index f3e5395465..bd66d82932 100644 --- a/poky/meta/recipes-core/systemd/systemd_244.5.bb +++ b/poky/meta/recipes-core/systemd/systemd_244.5.bb @@ -18,6 +18,7 @@ SRC_URI += "file://touchscreen.rules \ file://00-create-volatile.conf \ file://init \ file://99-default.preset \ + file://systemd-pager.sh \ file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ file://0003-implment-systemd-sysv-install-for-OE.patch \ file://CVE-2021-33910.patch \ @@ -33,6 +34,11 @@ SRC_URI += "file://touchscreen.rules \ file://CVE-2021-3997-1.patch \ file://CVE-2021-3997-2.patch \ file://CVE-2021-3997-3.patch \ + file://CVE-2022-3821.patch \ + file://CVE-2023-26604-1.patch \ + file://CVE-2023-26604-2.patch \ + file://CVE-2023-26604-3.patch \ + file://CVE-2023-26604-4.patch \ " # patches needed by musl @@ -213,7 +219,7 @@ rootlibexecdir = "${rootprefix}/lib" EXTRA_OEMESON += "-Dlink-udev-shared=false" EXTRA_OEMESON += "-Dnobody-user=nobody \ - -Dnobody-group=nobody \ + -Dnobody-group=nogroup \ -Drootlibdir=${rootlibdir} \ -Drootprefix=${rootprefix} \ -Ddefault-locale=C \ @@ -316,6 +322,9 @@ do_install() { # install default policy for presets # https://www.freedesktop.org/wiki/Software/systemd/Preset/#howto install -Dm 0644 ${WORKDIR}/99-default.preset ${D}${systemd_unitdir}/system-preset/99-default.preset + + # add a profile fragment to disable systemd pager with busybox less + install -Dm 0644 ${WORKDIR}/systemd-pager.sh ${D}${sysconfdir}/profile.d/systemd-pager.sh } python populate_packages_prepend (){ @@ -403,9 +412,9 @@ FILES_${PN}-binfmt = "${sysconfdir}/binfmt.d/ \ ${rootlibexecdir}/systemd/systemd-binfmt \ ${systemd_unitdir}/system/proc-sys-fs-binfmt_misc.* \ ${systemd_unitdir}/system/systemd-binfmt.service" -RRECOMMENDS_${PN}-binfmt = "kernel-module-binfmt-misc" +RRECOMMENDS_${PN}-binfmt = "${@bb.utils.contains('PACKAGECONFIG', 'binfmt', 'kernel-module-binfmt-misc', '', d)}" -RRECOMMENDS_${PN}-vconsole-setup = "kbd kbd-consolefonts kbd-keymaps" +RRECOMMENDS_${PN}-vconsole-setup = "${@bb.utils.contains('PACKAGECONFIG', 'vconsole', 'kbd kbd-consolefonts kbd-keymaps', '', d)}" FILES_${PN}-journal-gatewayd = "${rootlibexecdir}/systemd/systemd-journal-gatewayd \ @@ -538,6 +547,7 @@ FILES_${PN} = " ${base_bindir}/* \ ${sysconfdir}/dbus-1/ \ ${sysconfdir}/modules-load.d/ \ ${sysconfdir}/pam.d/ \ + ${sysconfdir}/profile.d/ \ ${sysconfdir}/sysctl.d/ \ ${sysconfdir}/systemd/ \ ${sysconfdir}/tmpfiles.d/ \ |