diff options
Diffstat (limited to 'poky/meta/recipes-extended')
8 files changed, 293 insertions, 7 deletions
diff --git a/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch b/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch new file mode 100644 index 0000000000..4b96e4316c --- /dev/null +++ b/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch @@ -0,0 +1,39 @@ +From 77ff5f1be394eb2c786df561ff37dde7f982ec76 Mon Sep 17 00:00:00 2001 +From: Stefano Babic <sbabic@denx.de> +Date: Fri, 28 Jul 2017 13:20:52 +0200 +Subject: [PATCH] Wrong CRC with ASCII CRC for large files + +Due to signedness, the checksum is not computed when filesize is bigger +a 2GB. + +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/bug-cpio/2017-07/msg00004.html] +Signed-off-by: Stefano Babic <sbabic@denx.de> +--- + src/copyout.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/copyout.c b/src/copyout.c +index 1f0987a..727aeca 100644 +--- a/src/copyout.c ++++ b/src/copyout.c +@@ -34,13 +34,13 @@ + compute and return a checksum for them. */ + + static uint32_t +-read_for_checksum (int in_file_des, int file_size, char *file_name) ++read_for_checksum (int in_file_des, unsigned int file_size, char *file_name) + { + uint32_t crc; + char buf[BUFSIZ]; +- int bytes_left; +- int bytes_read; +- int i; ++ unsigned int bytes_left; ++ unsigned int bytes_read; ++ unsigned int i; + + crc = 0; + +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/cpio/cpio_2.13.bb b/poky/meta/recipes-extended/cpio/cpio_2.13.bb index e72a114de9..dd3541096f 100644 --- a/poky/meta/recipes-extended/cpio/cpio_2.13.bb +++ b/poky/meta/recipes-extended/cpio/cpio_2.13.bb @@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \ file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ file://0002-src-global.c-Remove-superfluous-declaration-of-progr.patch \ file://CVE-2021-38185.patch \ + file://0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch \ " SRC_URI[md5sum] = "389c5452d667c23b5eceb206f5000810" diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch new file mode 100644 index 0000000000..9b057d609a --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch @@ -0,0 +1,60 @@ +From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 +From: Ken Sharp <ken.sharp@artifex.com> +Date: Fri, 24 Mar 2023 13:19:57 +0000 +Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding + +Bug #706494 "Buffer Overflow in s_xBCPE_process" + +As described in detail in the bug report, if the write buffer is filled +to one byte less than full, and we then try to write an escaped +character, we overrun the buffer because we don't check before +writing two bytes to it. + +This just checks if we have two bytes before starting to write an +escaped character and exits if we don't (replacing the consumed byte +of the input). + +Up for further discussion; why do we even permit a BCP encoding filter +anyway ? I think we should remove this, at least when SAFER is true. +--- +CVE: CVE-2023-28879 + +Upstream-Status: Backport [see text] + +git://git.ghostscript.com/ghostpdl +cherry-pick + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +--- + base/sbcp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/base/sbcp.c b/base/sbcp.c +index 979ae0992..47fc233ec 100644 +--- a/base/sbcp.c ++++ b/base/sbcp.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2021 Artifex Software, Inc. ++/* Copyright (C) 2001-2023 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, + byte ch = *++p; + + if (ch <= 31 && escaped[ch]) { ++ /* Make sure we have space to store two characters in the write buffer, ++ * if we don't then exit without consuming the input character, we'll process ++ * that on the next time round. ++ */ ++ if (pw->limit - q < 2) { ++ p--; ++ break; ++ } + if (p == rlimit) { + p--; + break; +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/poky/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 365420fb64..f29c57beea 100644 --- a/poky/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/poky/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://avoid-host-contamination.patch \ file://mkdir-p.patch \ file://CVE-2022-2085.patch \ + file://cve-2023-28879.patch \ " SRC_URI = "${SRC_URI_BASE} \ diff --git a/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index acc84de9da..ffcc103112 100644 --- a/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb +++ b/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb @@ -7,11 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d499814247adaee08d88080841cb5665" DEPENDS = "e2fsprogs-native" -PACKAGECONFIG ?= "zlib bz2 xz lzo zstd" - -PACKAGECONFIG:append:class-target = "\ - ${@bb.utils.filter('DISTRO_FEATURES', 'acl xattr', d)} \ -" +PACKAGECONFIG ?= "zlib bz2 xz lzo zstd ${@bb.utils.filter('DISTRO_FEATURES', 'acl xattr', d)}" DEPENDS_BZIP2 = "bzip2-replacement-native" DEPENDS_BZIP2:class-target = "bzip2" diff --git a/poky/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch b/poky/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch new file mode 100644 index 0000000000..94dcb04f0a --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch @@ -0,0 +1,108 @@ +From 42404548721c653317c911c83d885e2fc7fbca70 Mon Sep 17 00:00:00 2001 +From: Per Jessen <per@jessen.ch> +Date: Fri, 22 Apr 2022 18:15:36 +0200 +Subject: [PATCH] pam_motd: do not rely on all filesystems providing a filetype + +When using scandir() to look for MOTD files to display, we wrongly +relied on all filesystems providing a filetype. This is a fix to divert +to lstat() when we have no filetype. To maintain MT safety, it isn't +possible to use lstat() in the scandir() filter function, so all of the +filtering has been moved to an additional loop after scanning all the +motd dirs. +Also, remove superfluous alphasort from scandir(), we are doing +a qsort() later. + +Resolves: https://github.com/linux-pam/linux-pam/issues/455 + +Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/42404548721c653317c911c83d885e2fc7fbca70] + +Signed-off-by: Per Jessen <per@jessen.ch> +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + modules/pam_motd/pam_motd.c | 49 ++++++++++++++++++++++++++++++------- + 1 file changed, 40 insertions(+), 9 deletions(-) + +diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c +index 6ac8cba2..5ca486e4 100644 +--- a/modules/pam_motd/pam_motd.c ++++ b/modules/pam_motd/pam_motd.c +@@ -166,11 +166,6 @@ static int compare_strings(const void *a, const void *b) + } + } + +-static int filter_dirents(const struct dirent *d) +-{ +- return (d->d_type == DT_REG || d->d_type == DT_LNK); +-} +- + static void try_to_display_directories_with_overrides(pam_handle_t *pamh, + char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing) + { +@@ -199,8 +194,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, + + for (i = 0; i < num_motd_dirs; i++) { + int rv; +- rv = scandir(motd_dir_path_split[i], &(dirscans[i]), +- filter_dirents, alphasort); ++ rv = scandir(motd_dir_path_split[i], &(dirscans[i]), NULL, NULL); + if (rv < 0) { + if (errno != ENOENT || report_missing) { + pam_syslog(pamh, LOG_ERR, "error scanning directory %s: %m", +@@ -215,6 +209,41 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, + if (dirscans_size_total == 0) + goto out; + ++ /* filter out unwanted names, directories, and complement data with lstat() */ ++ for (i = 0; i < num_motd_dirs; i++) { ++ struct dirent **d = dirscans[i]; ++ for (unsigned int j = 0; j < dirscans_sizes[i]; j++) { ++ int rc; ++ char *fullpath; ++ struct stat s; ++ ++ switch(d[j]->d_type) { /* the filetype determines how to proceed */ ++ case DT_REG: /* regular files and */ ++ case DT_LNK: /* symlinks */ ++ continue; /* are good. */ ++ case DT_UNKNOWN: /* for file systems that do not provide */ ++ /* a filetype, we use lstat() */ ++ if (join_dir_strings(&fullpath, motd_dir_path_split[i], ++ d[j]->d_name) <= 0) ++ break; ++ rc = lstat(fullpath, &s); ++ _pam_drop(fullpath); /* free the memory alloc'ed by join_dir_strings */ ++ if (rc != 0) /* if the lstat() somehow failed */ ++ break; ++ ++ if (S_ISREG(s.st_mode) || /* regular files and */ ++ S_ISLNK(s.st_mode)) continue; /* symlinks are good */ ++ break; ++ case DT_DIR: /* We don't want directories */ ++ default: /* nor anything else */ ++ break; ++ } ++ _pam_drop(d[j]); /* free memory */ ++ d[j] = NULL; /* indicate this one was dropped */ ++ dirscans_size_total--; ++ } ++ } ++ + /* Allocate space for all file names found in the directories, including duplicates. */ + if ((dirnames_all = calloc(dirscans_size_total, sizeof(*dirnames_all))) == NULL) { + pam_syslog(pamh, LOG_CRIT, "failed to allocate dirname array"); +@@ -225,8 +254,10 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, + unsigned int j; + + for (j = 0; j < dirscans_sizes[i]; j++) { +- dirnames_all[i_dirnames] = dirscans[i][j]->d_name; +- i_dirnames++; ++ if (NULL != dirscans[i][j]) { ++ dirnames_all[i_dirnames] = dirscans[i][j]->d_name; ++ i_dirnames++; ++ } + } + } + +-- +2.39.0 + diff --git a/poky/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch b/poky/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch new file mode 100644 index 0000000000..3a12f7a3ed --- /dev/null +++ b/poky/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch @@ -0,0 +1,80 @@ +From e806a902cc90a0b87da00854de8d5fd8222540fc Mon Sep 17 00:00:00 2001 +From: Pavel Kopylov <pkopylov@> +Date: Wed, 17 May 2023 11:33:45 +0200 +Subject: [PATCH] Fix an overflow which is still possible for some values. + +Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/954ff2e2673c] +CVE: CVE-2023-33204 + +Signed-off-by: Xiangyu Chen <xiangyu.chen@...> +Signed-off-by: Sanjay Chitroda <schitrod@...> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + common.c | 18 ++++++++++-------- + common.h | 2 +- + sa_common.c | 4 ++-- + 3 files changed, 13 insertions(+), 11 deletions(-) + +diff --git a/common.c b/common.c +index db9b0ed..e05c5bb 100644 +--- a/common.c ++++ b/common.c +@@ -1640,17 +1640,19 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char + * @val3 Third value. + *************************************************************************** + */ +-void check_overflow(size_t val1, size_t val2, size_t val3) ++void check_overflow(unsigned int val1, unsigned int val2, ++ unsigned int val3) + { +- if ((unsigned long long) val1 * +- (unsigned long long) val2 * +- (unsigned long long) val3 > UINT_MAX) { ++ if ((val1 != 0) && (val2 != 0) && (val3 != 0) && ++ (((unsigned long long) UINT_MAX / (unsigned long long) val1 < ++ (unsigned long long) val2) || ++ ((unsigned long long) UINT_MAX / ((unsigned long long) val1 * (unsigned long long) val2) < ++ (unsigned long long) val3))) { + #ifdef DEBUG +- fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n", +- __FUNCTION__, +- (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3); ++ fprintf(stderr, "%s: Overflow detected (%u,%u,%u). Aborting...\n", ++ __FUNCTION__, val1, val2, val3); + #endif +- exit(4); ++ exit(4); + } + } + +diff --git a/common.h b/common.h +index 0ac5896..b2ffe9f 100644 +--- a/common.h ++++ b/common.h +@@ -256,7 +256,7 @@ int check_dir + + #ifndef SOURCE_SADC + void check_overflow +- (size_t, size_t, size_t); ++ (unsigned int, unsigned int, unsigned int); + int count_bits + (void *, int); + int count_csvalues +diff --git a/sa_common.c b/sa_common.c +index 1b8fcaa..1144cfe 100644 +--- a/sa_common.c ++++ b/sa_common.c +@@ -452,8 +452,8 @@ void allocate_structures(struct activity *act[]) + if (act[i]->nr_ini > 0) { + + /* Look for a possible overflow */ +- check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini, +- (size_t) act[i]->nr2); ++ check_overflow((unsigned int) act[i]->msize, (unsigned int) act[i]->nr_ini, ++ (unsigned int) act[i]->nr2); + + for (j = 0; j < 3; j++) { + SREALLOC(act[i]->buf[j], void, +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/sysstat/sysstat_12.4.5.bb b/poky/meta/recipes-extended/sysstat/sysstat_12.4.5.bb index 3a3d1fb6ba..f8a950e8a2 100644 --- a/poky/meta/recipes-extended/sysstat/sysstat_12.4.5.bb +++ b/poky/meta/recipes-extended/sysstat/sysstat_12.4.5.bb @@ -3,6 +3,7 @@ require sysstat.inc LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb" SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch \ - file://CVE-2022-39377.patch" - + file://CVE-2022-39377.patch \ + file://CVE-2023-33204.patch \ + " SRC_URI[sha256sum] = "ef445acea301bbb996e410842f6290a8d049e884d4868cfef7e85dc04b7eee5b" |