From 61a2d43a172b70aa34fd7ec33fc048a211fa5c4c Mon Sep 17 00:00:00 2001 
From: Patrick Williams Date: Tue, 18 Oct 2022 12:43:19 -0500 Subject: subtree updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit meta-openembedded: f22bf6efaa..6792ebdd96: Armin Kuster (1): Revert "c-ares: Add fix for CVE-2021-3672" Hitendra Prajapati (1): python3-lxml: CVE-2022-2309 NULL Pointer Dereference allows attackers to cause a denial of service Khem Raj (1): c-ares: Upgrade to 1.17.1 release Ranjitsinh Rathod (1): nodejs: Upgrade to 12.22.12 Sinan Kaya (1): c-ares: remove custom patches Yi Zhao (1): cryptsetup: upgrade 2.3.2 -> 2.3.7 wangmy (2): c-ares: upgrade 1.17.1 -> 1.17.2 c-ares: upgrade 1.17.2 -> 1.18.1 poky: 4aad5914ef..90a6f6a110: Alexander Kanavin (3): mobile-broadband-provider-info: upgrade 20220511 -> 20220725 tzdata: upgrade 2022a -> 2022b wireless-regdb: upgrade 2022.06.06 -> 2022.08.12 Andrei Gherzan (1): qemu: Define libnfs PACKAGECONFIG Anuj Mittal (1): cryptodev-module: fix build with 5.11+ kernels Aryaman Gupta (2): bitbake: bitbake: runqueue: add cpu/io pressure regulation bitbake: bitbake: runqueue: add memory pressure regulation Bruce Ashfield (3): linux-yocto/5.4: update to v5.4.210 linux-yocto/5.4: update to v5.4.212 linux-yocto/5.4: update to v5.4.213 Chee Yang Lee (6): connman: fix CVE-2022-32292 gnutls: fix CVE-2021-4209 virglrenderer: fix CVE-2022-0135 gst-plugins-good: fix several CVE go: fix and ignore several CVEs qemu: fix and ignore several CVEs Dmitry Baryshkov (3): linux-firmware: upgrade 20220708 -> 20220913 linux-firmware: package new Qualcomm firmware linux-firmware: package new Qualcomm firmware Ernst Sjöstrand (1): cve-check: Don't use f-strings Florin Diaconescu (1): binutils : CVE-2022-38533 Hitendra Prajapati (9): libtiff: CVE-2022-34526 A stack overflow was discovered golang: fix CVE-2022-30629 and CVE-2022-30631 golang: fix CVE-2022-30632 and CVE-2022-30633 golang: fix CVE-2022-30635 and CVE-2022-32148 golang: CVE-2022-32189 a denial of service sqlite: 
CVE-2022-35737 assertion failure connman: CVE-2022-32293 man-in-the-middle attack against a WISPR HTTP bluez: CVE-2022-39176 BlueZ allows physically proximate attackers golang: CVE-2022-27664 net/http: handle server errors after sending GOAWAY Jon Mason (1): ref-manual: add numa to machine features Joshua Watt (2): bitbake: utils: Pass lock argument in fileslocked classes: cve-check: Get shared database lock Khan@kpit.com (1): python3: Fix CVE-2021-28861 for python3 Lee Chee Yang (1): subversion: fix CVE-2021-28544 Martin Jansa (1): create-pull-request: don't switch the git remote protocol to git:// Mathieu Dubois-Briand (1): bind: Fix CVEs 2022-2795, 2022-38177, 2022-38178 Michael Opdenacker (1): dev-manual: fix reference to BitBake user manual Minjae Kim (1): inetutils: CVE-2022-39028 - fix remote DoS vulnerability in inetutils-telnetd Paul Barker (1): licenses: Handle newer SPDX license names Paul Eggleton (1): relocate_sdk.py: ensure interpreter size error causes relocation to fail Pawan Badganchi (1): libxml2: Add fix for CVE-2016-3709 Rajesh Dangi (1): linux-yocto/5.4: update genericx86* machines to v5.4.205 Ranjitsinh Rathod (2): libarchive: Fix CVE-2021-23177 issue libarchive: Fix CVE-2021-31566 issue Richard Purdie (8): bitbake: runqueue: Change pressure file warning to a note vim: Upgrade 9.0.0115 -> 9.0.0242 vim: Upgrade 9.0.0242 -> 9.0.0341 vim: Upgrade 9.0.0341 -> 9.0.0453 qemu: Add PACKAGECONFIG for brlapi vim: Upgrade 9.0.453 -> 9.0.541 vim: Upgrade 9.0.0541 -> 9.0.0598 build-appliance-image: Update to dunfell head revision Robert Joslyn (2): curl: Backport patch for CVE-2022-35252 tzdata: Update from 2022b to 2022c Ross Burton (1): cve-check: close cursors as soon as possible Sana Kazi (1): sqlite3: Fix CVE-2021-20223 Shubham Kulkarni (1): go: Add fix for CVE-2022-32190 Steve Sakoman (2): documentation: update for 3.1.20 poky.conf: bump version for 3.1.20 release Virendra Thakur (4): tiff: Fix for CVE-2022-2867/8/9 sqlite3: Fix CVE-2020-35525 
sqlite3: Fix CVE-2020-35527 expat: Fix CVE-2022-40674 Yi Zhao (1): tiff: Security fixes CVE-2022-1354 and CVE-2022-1355 niko.mauno@vaisala.com (2): systemd: Fix unwritable /var/lock when no sysvinit handling systemd: Add 'no-dns-fallback' PACKAGECONFIG option 
Signed-off-by: Patrick Williams Change-Id: I90e4979b6917a013eca89c594677a940ccfac5fc --- .../recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb | 92 - .../recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb | 92 + .../nodejs/nodejs/CVE-2021-44532.patch | 3090 -------------------- .../recipes-devtools/nodejs/nodejs_12.22.12.bb | 161 + .../recipes-devtools/nodejs/nodejs_12.22.2.bb | 162 - ...re-error-mv-libcares.pc.cmakein-to-libcar.patch | 27 - ..._name-fix-formatting-and-handling-of-root.patch | 115 - ...expand_name-should-escape-more-characters.patch | 90 - .../c-ares/c-ares/cmake-install-libcares.pc.patch | 84 - .../recipes-support/c-ares/c-ares_1.16.1.bb | 29 - .../recipes-support/c-ares/c-ares_1.18.1.bb | 21 + .../recipes-devtools/python/python-lxml.inc | 2 + .../python/python3-lxml/CVE-2022-2309.patch | 94 + poky/bitbake/lib/bb/runqueue.py | 82 + poky/bitbake/lib/bb/utils.py | 6 +- .../dev-manual/dev-manual-common-tasks.rst | 2 +- poky/documentation/poky.yaml | 10 +- poky/documentation/ref-manual/ref-features.rst | 2 + poky/meta-poky/conf/distro/poky.conf | 2 +- .../recipes-kernel/linux/linux-yocto_5.4.bbappend | 8 +- poky/meta/classes/cve-check.bbclass | 36 +- poky/meta/conf/licenses.conf | 7 + poky/meta/lib/oe/cve_check.py | 2 +- .../bind/bind/CVE-2022-2795.patch | 67 + .../bind/bind/CVE-2022-38177.patch | 31 + .../bind/bind/CVE-2022-38178.patch | 33 + .../meta/recipes-connectivity/bind/bind_9.11.37.bb | 3 + poky/meta/recipes-connectivity/bluez5/bluez5.inc | 1 + .../bluez5/bluez5/CVE-2022-39176.patch | 126 + .../connman/connman/CVE-2022-32292.patch | 37 + .../connman/connman/CVE-2022-32293.patch | 266 ++ .../recipes-connectivity/connman/connman_1.37.bb | 2 + .../inetutils/inetutils/CVE-2022-39028.patch | 54 + .../inetutils/inetutils_1.9.4.bb | 1 + .../mobile-broadband-provider-info_git.bb | 4 +- .../recipes-core/expat/expat/CVE-2022-40674.patch | 53 + poky/meta/recipes-core/expat/expat_2.2.9.bb | 1 + .../images/build-appliance-image_15.0.0.bb | 2 +- 
.../libxml/libxml2/CVE-2016-3709.patch | 89 + poky/meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 + .../meta/recipes-core/meta/cve-update-db-native.bb | 51 +- .../systemd/systemd/00-create-volatile.conf | 1 + poky/meta/recipes-core/systemd/systemd_244.5.bb | 1 + .../recipes-devtools/binutils/binutils-2.34.inc | 1 + .../binutils/binutils/CVE-2022-38533.patch | 37 + poky/meta/recipes-devtools/go/go-1.14.inc | 22 + .../go/go-1.14/0001-CVE-2022-32190.patch | 74 + .../go/go-1.14/0002-CVE-2022-32190.patch | 48 + .../go/go-1.14/0003-CVE-2022-32190.patch | 36 + .../go/go-1.14/0004-CVE-2022-32190.patch | 82 + .../go/go-1.14/CVE-2021-27918.patch | 191 ++ .../go/go-1.14/CVE-2021-36221.patch | 101 + .../go/go-1.14/CVE-2021-39293.patch | 79 + .../go/go-1.14/CVE-2021-41771.patch | 86 + .../go/go-1.14/CVE-2022-27664.patch | 68 + .../go/go-1.14/CVE-2022-30629.patch | 47 + .../go/go-1.14/CVE-2022-30631.patch | 116 + .../go/go-1.14/CVE-2022-30632.patch | 71 + .../go/go-1.14/CVE-2022-30633.patch | 131 + .../go/go-1.14/CVE-2022-30635.patch | 120 + .../go/go-1.14/CVE-2022-32148.patch | 49 + .../go/go-1.14/CVE-2022-32189.patch | 113 + .../python/python3/CVE-2021-28861.patch | 135 + .../meta/recipes-devtools/python/python3_3.8.13.bb | 1 + poky/meta/recipes-devtools/qemu/qemu.inc | 17 + .../qemu/qemu/CVE-2020-13754-1.patch | 91 + .../qemu/qemu/CVE-2020-13754-2.patch | 69 + .../qemu/qemu/CVE-2020-13754-3.patch | 65 + .../qemu/qemu/CVE-2020-13754-4.patch | 39 + .../recipes-devtools/qemu/qemu/CVE-2021-3713.patch | 67 + .../recipes-devtools/qemu/qemu/CVE-2021-3748.patch | 124 + .../recipes-devtools/qemu/qemu/CVE-2021-3930.patch | 53 + .../recipes-devtools/qemu/qemu/CVE-2021-4206.patch | 89 + .../recipes-devtools/qemu/qemu/CVE-2021-4207.patch | 43 + .../qemu/qemu/CVE-2022-0216-1.patch | 42 + .../qemu/qemu/CVE-2022-0216-2.patch | 52 + .../subversion/subversion/CVE-2021-28544.patch | 146 + .../subversion/subversion_1.13.0.bb | 1 + .../libarchive/libarchive/CVE-2021-23177.patch | 183 ++ 
.../libarchive/libarchive/CVE-2021-31566-01.patch | 23 + .../libarchive/libarchive/CVE-2021-31566-02.patch | 172 ++ .../libarchive/libarchive_3.4.2.bb | 3 + poky/meta/recipes-extended/timezone/timezone.inc | 6 +- .../virglrenderer/CVE-2022-0135.patch | 100 + .../virglrenderer/virglrenderer_0.8.2.bb | 1 + .../cryptodev/cryptodev-module_1.10.bb | 1 + .../files/fix-build-for-Linux-5.11-rc1.patch | 32 + .../linux-firmware/linux-firmware_20220708.bb | 1070 ------- .../linux-firmware/linux-firmware_20220913.bb | 1101 +++++++ .../recipes-kernel/linux/linux-yocto-rt_5.4.bb | 6 +- .../recipes-kernel/linux/linux-yocto-tiny_5.4.bb | 8 +- poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +- .../wireless-regdb/wireless-regdb_2022.06.06.bb | 43 - .../wireless-regdb/wireless-regdb_2022.08.12.bb | 43 + .../gstreamer1.0-plugins-good/CVE-2022-1920.patch | 59 + .../gstreamer1.0-plugins-good/CVE-2022-1921.patch | 69 + .../CVE-2022-1922-1923-1924-1925.patch | 214 ++ .../gstreamer1.0-plugins-good/CVE-2022-2122.patch | 60 + .../gstreamer/gstreamer1.0-plugins-good_1.16.3.bb | 4 + .../gstreamer/gstreamer1.0_1.16.3.bb | 7 + ...CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 + .../libtiff/files/CVE-2022-34526.patch | 29 + .../libtiff/tiff/CVE-2022-1354.patch | 212 ++ .../libtiff/tiff/CVE-2022-1355.patch | 62 + poky/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 4 + .../recipes-support/curl/curl/CVE-2022-35252.patch | 72 + poky/meta/recipes-support/curl/curl_7.69.1.bb | 1 + .../gnutls/gnutls/CVE-2021-4209.patch | 37 + poky/meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 + .../sqlite/files/CVE-2020-35525.patch | 21 + .../sqlite/files/CVE-2020-35527.patch | 22 + .../sqlite/files/CVE-2021-20223.patch | 23 + .../sqlite/files/CVE-2022-35737.patch | 29 + poky/meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 4 + poky/meta/recipes-support/vim/vim.inc | 4 +- poky/scripts/create-pull-request | 2 +- poky/scripts/relocate_sdk.py | 10 +- 117 files changed, 6582 insertions(+), 4883 deletions(-) 
delete mode 100644 meta-openembedded/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb create mode 100644 meta-openembedded/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb delete mode 100644 meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2021-44532.patch create mode 100644 meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb delete mode 100644 meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.22.2.bb delete mode 100644 meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch delete mode 100644 meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch delete mode 100644 meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch delete mode 100644 meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch delete mode 100644 meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb create mode 100644 meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb create mode 100644 meta-openembedded/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch create mode 100644 poky/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch create mode 100644 poky/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch create mode 100644 poky/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch create mode 100644 poky/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch create mode 100644 poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch create mode 100644 poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch create mode 100644 poky/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch create mode 100644 poky/meta/recipes-core/expat/expat/CVE-2022-40674.patch create mode 100644 poky/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch create mode 
100644 poky/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch create mode 100644 poky/meta/recipes-devtools/python/python3/CVE-2021-28861.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch create mode 100644 
poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch create mode 100644 poky/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch create mode 100644 poky/meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch create mode 100644 poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch create mode 100644 poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch create mode 100644 poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch create mode 100644 poky/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch create mode 100644 poky/meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch delete mode 100644 poky/meta/recipes-kernel/linux-firmware/linux-firmware_20220708.bb create mode 100644 poky/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb delete mode 100644 poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.06.06.bb create mode 100644 poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.08.12.bb create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch create mode 100644 poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch create mode 100644 poky/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch create mode 100644 poky/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch create mode 100644 poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch create mode 100644 poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch create mode 100644 
poky/meta/recipes-support/curl/curl/CVE-2022-35252.patch create mode 100644 poky/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch create mode 100644 poky/meta/recipes-support/sqlite/files/CVE-2020-35525.patch create mode 100644 poky/meta/recipes-support/sqlite/files/CVE-2020-35527.patch create mode 100644 poky/meta/recipes-support/sqlite/files/CVE-2021-20223.patch create mode 100644 poky/meta/recipes-support/sqlite/files/CVE-2022-35737.patch
diff --git a/meta-openembedded/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb b/meta-openembedded/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb
deleted file mode 100644
index 3c1c8b0beb..0000000000
--- a/meta-openembedded/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb
+++ /dev/null
@@ -1,92 +0,0 @@
-SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes"
-DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \
-device-mapper mappings. These include plain dm-crypt volumes and \
-LUKS volumes. The difference is that LUKS uses a metadata header \
-and can hence offer more features than plain dm-crypt. On the other \
-hand, the header is visible and vulnerable to damage."
-HOMEPAGE = "https://gitlab.com/cryptsetup/cryptsetup"
-SECTION = "console"
-LICENSE = "GPL-2.0-with-OpenSSL-exception"
-LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326"
-
-DEPENDS = " \
- json-c \
- libdevmapper \
- popt \
- util-linux \
-"
-
-RDEPENDS_${PN} = " \
- libdevmapper \
-"
-
-SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz"
-SRC_URI[md5sum] = "6e4ffb6d35a73f7539a5d0c1354654cd"
-SRC_URI[sha256sum] = "a89e13dff0798fd0280e801d5f0cc8cfdb2aa5b1929bec1b7322e13d3eca95fb"
-
-inherit autotools gettext pkgconfig
-
-# Use openssl because libgcrypt drops root privileges
-# if libgcrypt is linked with libcap support
-PACKAGECONFIG ??= " \
- keyring \
- cryptsetup \
- veritysetup \
- cryptsetup-reencrypt \
- integritysetup \
- ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
- kernel_crypto \
- internal-argon2 \
- blkid \
- luks-adjust-xts-keysize \
- openssl \
-"
-PACKAGECONFIG_append_class-target = " \
- udev \
-"
-
-PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring"
-PACKAGECONFIG[fips] = "--enable-fips,--disable-fips"
-PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality"
-PACKAGECONFIG[passwdqc] = "--enable-passwdqc,--disable-passwdqc,passwdqc"
-PACKAGECONFIG[cryptsetup] = "--enable-cryptsetup,--disable-cryptsetup"
-PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
-PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt"
-PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
-PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
-PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto"
-# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't
-# recognized.
-PACKAGECONFIG[gcrypt-pbkdf2] = "--enable-gcrypt-pbkdf2"
-PACKAGECONFIG[internal-argon2] = "--enable-internal-argon2,--disable-internal-argon2"
-PACKAGECONFIG[internal-sse-argon2] = "--enable-internal-sse-argon2,--disable-internal-sse-argon2"
-PACKAGECONFIG[blkid] = "--enable-blkid,--disable-blkid,util-linux"
-PACKAGECONFIG[dev-random] = "--enable-dev-random,--disable-dev-random"
-PACKAGECONFIG[luks-adjust-xts-keysize] = "--enable-luks-adjust-xts-keysize,--disable-luks-adjust-xts-keysize"
-PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
-PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
-PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss"
-PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel"
-PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle"
-PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1"
-
-RRECOMMENDS_${PN} = "kernel-module-aes-generic \
- kernel-module-dm-crypt \
- kernel-module-md5 \
- kernel-module-cbc \
- kernel-module-sha256-generic \
- kernel-module-xts \
-"
-
-EXTRA_OECONF = "--enable-static"
-# Building without largefile is not supported by upstream
-EXTRA_OECONF += "--enable-largefile"
-# Requires a static popt library
-EXTRA_OECONF += "--disable-static-cryptsetup"
-# There's no recipe for libargon2 yet
-EXTRA_OECONF += "--disable-libargon2"
-
-FILES_${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}/lib/tmpfiles.d/cryptsetup.conf', '', d)}"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-openembedded/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb b/meta-openembedded/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb
new file mode 100644
index 0000000000..d303f27ebb
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb
@@ -0,0 +1,92 @@
+SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes"
+DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \
+device-mapper mappings. These include plain dm-crypt volumes and \
+LUKS volumes. The difference is that LUKS uses a metadata header \
+and can hence offer more features than plain dm-crypt. On the other \
+hand, the header is visible and vulnerable to damage."
+HOMEPAGE = "https://gitlab.com/cryptsetup/cryptsetup"
+SECTION = "console"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326"
+
+DEPENDS = " \
+ json-c \
+ libdevmapper \
+ popt \
+ util-linux \
+"
+
+RDEPENDS_${PN} = " \
+ libdevmapper \
+"
+
+SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz"
+SRC_URI[md5sum] = "9c5952cebb836ee783b0b76c5380a964"
+SRC_URI[sha256sum] = "61835132a5986217af17b8943013aa3fe6d47bdc1a07386343526765e2ce27a9"
+
+inherit autotools gettext pkgconfig
+
+# Use openssl because libgcrypt drops root privileges
+# if libgcrypt is linked with libcap support
+PACKAGECONFIG ??= " \
+ keyring \
+ cryptsetup \
+ veritysetup \
+ cryptsetup-reencrypt \
+ integritysetup \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
+ kernel_crypto \
+ internal-argon2 \
+ blkid \
+ luks-adjust-xts-keysize \
+ openssl \
+"
+PACKAGECONFIG_append_class-target = " \
+ udev \
+"
+
+PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring"
+PACKAGECONFIG[fips] = "--enable-fips,--disable-fips"
+PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality"
+PACKAGECONFIG[passwdqc] = "--enable-passwdqc,--disable-passwdqc,passwdqc"
+PACKAGECONFIG[cryptsetup] = "--enable-cryptsetup,--disable-cryptsetup"
+PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
+PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt"
+PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
+PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
+PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto"
+# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't
+# recognized.
+PACKAGECONFIG[gcrypt-pbkdf2] = "--enable-gcrypt-pbkdf2"
+PACKAGECONFIG[internal-argon2] = "--enable-internal-argon2,--disable-internal-argon2"
+PACKAGECONFIG[internal-sse-argon2] = "--enable-internal-sse-argon2,--disable-internal-sse-argon2"
+PACKAGECONFIG[blkid] = "--enable-blkid,--disable-blkid,util-linux"
+PACKAGECONFIG[dev-random] = "--enable-dev-random,--disable-dev-random"
+PACKAGECONFIG[luks-adjust-xts-keysize] = "--enable-luks-adjust-xts-keysize,--disable-luks-adjust-xts-keysize"
+PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
+PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
+PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss"
+PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel"
+PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle"
+PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1"
+
+RRECOMMENDS_${PN} = "kernel-module-aes-generic \
+ kernel-module-dm-crypt \
+ kernel-module-md5 \
+ kernel-module-cbc \
+ kernel-module-sha256-generic \
+ kernel-module-xts \
+"
+
+EXTRA_OECONF = "--enable-static"
+# Building without largefile is not supported by upstream
+EXTRA_OECONF += "--enable-largefile"
+# Requires a static popt library
+EXTRA_OECONF += "--disable-static-cryptsetup"
+# There's no recipe for libargon2 yet
+EXTRA_OECONF += "--disable-libargon2"
+
+FILES_${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}/lib/tmpfiles.d/cryptsetup.conf', '', d)}"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2021-44532.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2021-44532.patch
deleted file mode 100644
index dff7fe23a2..0000000000
--- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2021-44532.patch
+++ /dev/null
@@ -1,3090 +0,0 @@ -From 19873abfb24dce75ffff042efe76dc5633052677 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= -Date: Wed, 29 Dec 2021 19:30:57 -0500 -Subject: [PATCH] crypto,tls: implement safe x509 GeneralName format - -This change introduces JSON-compatible escaping rules for strings that -include X.509 GeneralName components (see RFC 5280). This non-standard -format avoids ambiguities and prevents injection attacks that could -previously lead to X.509 certificates being accepted even though they -were not valid for the target hostname. - -These changes affect the format of subject alternative names and the -format of authority information access. The checkServerIdentity function -has been modified to safely handle the new format, eliminating the -possibility of injecting subject alternative names into the verification -logic. - -Because each subject alternative name is only encoded as a JSON string -literal if necessary for security purposes, this change will only be -visible in rare cases. - -This addresses CVE-2021-44532. 
- -Co-authored-by: Akshay K -CVE-ID: CVE-2021-44532 -Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/306 -PR-URL: https://github.com/nodejs-private/node-private/pull/300 -Reviewed-By: Michael Dawson -Reviewed-By: Rich Trott - -Upstream-Status: Backport [https://github.com/nodejs/node/commit/19873abfb24dce75ffff042efe76dc5633052677] - -CVE: CVE-2021-44532 - -Signed-off-by: Virendra Thakur - ---- - doc/api/errors.md | 8 + - lib/_tls_common.js | 9 + - lib/internal/errors.js | 2 + - lib/tls.js | 52 +- - src/node_crypto_common.cc | 340 ++++++++++-- - test/common/index.js | 7 + - test/fixtures/keys/Makefile | 14 + - .../incorrect_san_correct_subject-cert.pem | 11 + - .../incorrect_san_correct_subject-key.pem | 5 + - test/fixtures/x509-escaping/.gitignore | 2 + - test/fixtures/x509-escaping/alt-0-cert.pem | 29 + - test/fixtures/x509-escaping/alt-1-cert.pem | 28 + - test/fixtures/x509-escaping/alt-10-cert.pem | 28 + - test/fixtures/x509-escaping/alt-11-cert.pem | 28 + - test/fixtures/x509-escaping/alt-12-cert.pem | 28 + - test/fixtures/x509-escaping/alt-13-cert.pem | 28 + - test/fixtures/x509-escaping/alt-14-cert.pem | 29 + - test/fixtures/x509-escaping/alt-15-cert.pem | 29 + - test/fixtures/x509-escaping/alt-16-cert.pem | 29 + - test/fixtures/x509-escaping/alt-17-cert.pem | 29 + - test/fixtures/x509-escaping/alt-18-cert.pem | 29 + - test/fixtures/x509-escaping/alt-19-cert.pem | 29 + - test/fixtures/x509-escaping/alt-2-cert.pem | 28 + - test/fixtures/x509-escaping/alt-20-cert.pem | 29 + - test/fixtures/x509-escaping/alt-21-cert.pem | 29 + - test/fixtures/x509-escaping/alt-22-cert.pem | 28 + - test/fixtures/x509-escaping/alt-23-cert.pem | 28 + - test/fixtures/x509-escaping/alt-24-cert.pem | 28 + - test/fixtures/x509-escaping/alt-25-cert.pem | 29 + - test/fixtures/x509-escaping/alt-26-cert.pem | 29 + - test/fixtures/x509-escaping/alt-27-cert.pem | 28 + - test/fixtures/x509-escaping/alt-28-cert.pem | 28 + - test/fixtures/x509-escaping/alt-29-cert.pem | 28 
+ - test/fixtures/x509-escaping/alt-3-cert.pem | 28 + - test/fixtures/x509-escaping/alt-30-cert.pem | 28 + - test/fixtures/x509-escaping/alt-4-cert.pem | 28 + - test/fixtures/x509-escaping/alt-5-cert.pem | 29 + - test/fixtures/x509-escaping/alt-6-cert.pem | 28 + - test/fixtures/x509-escaping/alt-7-cert.pem | 28 + - test/fixtures/x509-escaping/alt-8-cert.pem | 28 + - test/fixtures/x509-escaping/alt-9-cert.pem | 28 + - test/fixtures/x509-escaping/create-certs.js | 502 ++++++++++++++++++ - .../x509-escaping/google/intermediate.pem | 11 + - test/fixtures/x509-escaping/google/key.pem | 5 + - test/fixtures/x509-escaping/google/leaf0.pem | 10 + - test/fixtures/x509-escaping/google/leaf1.pem | 10 + - test/fixtures/x509-escaping/google/leaf2.pem | 10 + - test/fixtures/x509-escaping/google/leaf3.pem | 10 + - test/fixtures/x509-escaping/google/leaf4.pem | 10 + - test/fixtures/x509-escaping/google/root.pem | 9 + - test/fixtures/x509-escaping/info-0-cert.pem | 30 ++ - test/fixtures/x509-escaping/info-1-cert.pem | 31 ++ - test/fixtures/x509-escaping/info-2-cert.pem | 29 + - test/fixtures/x509-escaping/info-3-cert.pem | 30 ++ - test/fixtures/x509-escaping/info-4-cert.pem | 29 + - test/fixtures/x509-escaping/package.json | 12 + - test/fixtures/x509-escaping/server-key.pem | 52 ++ - test/parallel/test-tls-0-dns-altname.js | 2 +- - test/parallel/test-x509-escaping.js | 349 ++++++++++++ - 59 files changed, 2429 insertions(+), 42 deletions(-) - create mode 100644 test/fixtures/keys/incorrect_san_correct_subject-cert.pem - create mode 100644 test/fixtures/keys/incorrect_san_correct_subject-key.pem - create mode 100644 test/fixtures/x509-escaping/.gitignore - create mode 100644 test/fixtures/x509-escaping/alt-0-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-1-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-10-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-11-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-12-cert.pem - create 
mode 100644 test/fixtures/x509-escaping/alt-13-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-14-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-15-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-16-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-17-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-18-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-19-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-2-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-20-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-21-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-22-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-23-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-24-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-25-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-26-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-27-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-28-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-29-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-3-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-30-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-4-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-5-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-6-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-7-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-8-cert.pem - create mode 100644 test/fixtures/x509-escaping/alt-9-cert.pem - create mode 100644 test/fixtures/x509-escaping/create-certs.js - create mode 100644 test/fixtures/x509-escaping/google/intermediate.pem - create mode 100644 test/fixtures/x509-escaping/google/key.pem - create mode 100644 test/fixtures/x509-escaping/google/leaf0.pem - create mode 100644 
test/fixtures/x509-escaping/google/leaf1.pem - create mode 100644 test/fixtures/x509-escaping/google/leaf2.pem - create mode 100644 test/fixtures/x509-escaping/google/leaf3.pem - create mode 100644 test/fixtures/x509-escaping/google/leaf4.pem - create mode 100644 test/fixtures/x509-escaping/google/root.pem - create mode 100644 test/fixtures/x509-escaping/info-0-cert.pem - create mode 100644 test/fixtures/x509-escaping/info-1-cert.pem - create mode 100644 test/fixtures/x509-escaping/info-2-cert.pem - create mode 100644 test/fixtures/x509-escaping/info-3-cert.pem - create mode 100644 test/fixtures/x509-escaping/info-4-cert.pem - create mode 100644 test/fixtures/x509-escaping/package.json - create mode 100644 test/fixtures/x509-escaping/server-key.pem - create mode 100644 test/parallel/test-x509-escaping.js - -diff --git a/doc/api/errors.md b/doc/api/errors.md -index d5d8e1efa7..9d176d9048 100644 ---- a/doc/api/errors.md -+++ b/doc/api/errors.md -@@ -1869,6 +1869,14 @@ An unspecified or non-specific system error has occurred within the Node.js - process. The error object will have an `err.info` object property with - additional details. - -+ -+### `ERR_TLS_CERT_ALTNAME_FORMAT` -+ -+This error is thrown by `checkServerIdentity` if a user-supplied -+`subjectaltname` property violates encoding rules. Certificate objects produced -+by Node.js itself always comply with encoding rules and will never cause -+this error. -+ - - ### `ERR_TLS_CERT_ALTNAME_INVALID` - -diff --git a/lib/_tls_common.js b/lib/_tls_common.js -index b7a3b70a24..a2a74813f1 100644 ---- a/lib/_tls_common.js -+++ b/lib/_tls_common.js -@@ -23,6 +23,7 @@ - - const { - ArrayIsArray, -+ JSONParse, - ObjectCreate, - } = primordials; - -@@ -323,6 +324,14 @@ exports.translatePeerCertificate = function translatePeerCertificate(c) { - - // XXX: More key validation? 
- info.replace(/([^\n:]*):([^\n]*)(?:\n|$)/g, (all, key, val) => {
-+ if (val.charCodeAt(0) === 0x22) {
-+ // The translatePeerCertificate function is only
-+ // used on internally created legacy certificate
-+ // objects, and any value that contains a quote
-+ // will always be a valid JSON string literal,
-+ // so this should never throw.
-+ val = JSONParse(val);
-+ }
- if (key in c.infoAccess)
- c.infoAccess[key].push(val);
- else
-diff --git a/lib/internal/errors.js b/lib/internal/errors.js
-index 2cf7df436b..cd7153ad1a 100644
---- a/lib/internal/errors.js
-+++ b/lib/internal/errors.js
-@@ -1345,6 +1345,8 @@ E('ERR_STREAM_WRAP', 'Stream has StringDecoder set or is in objectMode', Error);
- E('ERR_STREAM_WRITE_AFTER_END', 'write after end', Error);
- E('ERR_SYNTHETIC', 'JavaScript Callstack', Error);
- E('ERR_SYSTEM_ERROR', 'A system error occurred', SystemError);
-+E('ERR_TLS_CERT_ALTNAME_FORMAT', 'Invalid subject alternative name string',
-+ SyntaxError);
- E('ERR_TLS_CERT_ALTNAME_INVALID', function(reason, host, cert) {
- this.reason = reason;
- this.host = host;
-diff --git a/lib/tls.js b/lib/tls.js
-index 2ccbe409c9..cefb47d10f 100644
---- a/lib/tls.js
-+++ b/lib/tls.js
-@@ -24,11 +24,19 @@
- const {
- Array,
- ArrayIsArray,
-+ ArrayPrototypePush,
-+ JSONParse,
- ObjectDefineProperty,
- ObjectFreeze,
-+ RegExpPrototypeExec,
-+ StringPrototypeIncludes,
-+ StringPrototypeIndexOf,
-+ StringPrototypeSplit,
-+ StringPrototypeSubstring,
- } = primordials;
-
- const {
-+ ERR_TLS_CERT_ALTNAME_FORMAT,
- ERR_TLS_CERT_ALTNAME_INVALID,
- ERR_OUT_OF_RANGE
- } = require('internal/errors').codes;
-@@ -207,6 +215,45 @@ function check(hostParts, pattern, wildcards) {
- return true;
- }
-
-+// This pattern is used to determine the length of escaped sequences within
-+// the subject alt names string. It allows any valid JSON string literal.
-+// This MUST match the JSON specification (ECMA-404 / RFC8259) exactly.
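Review bot: In `translatePeerCertificate` (lib/_tls_common.js), the added `JSONParse(val)` runs on every infoAccess value whose first character is `"`, and nothing but the assumption stated in the comment keeps it from throwing. The function is assigned to `exports`, so a certificate object whose info string was built elsewhere and contains a malformed quoted value would surface as a `SyntaxError` raised from inside the `replace` callback. I would record the precondition where callers can see it, for example `// Precondition: the info string was produced by Node.js itself; a leading '"' always starts a valid JSON string literal.`, or check the value against a JSON-string pattern before parsing. The function body starts and ends outside this hunk.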
-+const jsonStringPattern =
-+ // eslint-disable-next-line no-control-regex
-+ /^"(?:[^"\\\u0000-\u001f]|\\(?:["\\/bfnrt]|u[0-9a-fA-F]{4}))*"/;
-+
-+function splitEscapedAltNames(altNames) {
-+ const result = [];
-+ let currentToken = '';
-+ let offset = 0;
-+ while (offset !== altNames.length) {
-+ const nextSep = StringPrototypeIndexOf(altNames, ', ', offset);
-+ const nextQuote = StringPrototypeIndexOf(altNames, '"', offset);
-+ if (nextQuote !== -1 && (nextSep === -1 || nextQuote < nextSep)) {
-+ // There is a quote character and there is no separator before the quote.
-+ currentToken += StringPrototypeSubstring(altNames, offset, nextQuote);
-+ const match = RegExpPrototypeExec(
-+ jsonStringPattern, StringPrototypeSubstring(altNames, nextQuote));
-+ if (!match) {
-+ throw new ERR_TLS_CERT_ALTNAME_FORMAT();
-+ }
-+ currentToken += JSONParse(match[0]);
-+ offset = nextQuote + match[0].length;
-+ } else if (nextSep !== -1) {
-+ // There is a separator and no quote before it.
-+ currentToken += StringPrototypeSubstring(altNames, offset, nextSep);
-+ ArrayPrototypePush(result, currentToken);
-+ currentToken = '';
-+ offset = nextSep + 2;
-+ } else {
-+ currentToken += StringPrototypeSubstring(altNames, offset);
-+ offset = altNames.length;
-+ }
-+ }
-+ ArrayPrototypePush(result, currentToken);
-+ return result;
-+}
-+
- let urlWarningEmitted = false;
- exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
- const subject = cert.subject;
-@@ -218,7 +265,10 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
- hostname = '' + hostname;
-
- if (altNames) {
-- for (const name of altNames.split(', ')) {
-+ const splitAltNames = StringPrototypeIncludes(altNames, '"') ?
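Review bot: `splitEscapedAltNames` in lib/tls.js has no header comment, although it decides where one subject alternative name ends and the next begins. I would add one that states the contract, e.g. `// Splits at ', ' separators that lie outside JSON string literals and unescapes each literal into the current entry; throws ERR_TLS_CERT_ALTNAME_FORMAT if a '"' does not start a valid literal.` The comment should also say that a literal may appear anywhere inside an entry and is concatenated with the text around it, so a returned entry can itself contain `, `, quotes or control characters and must not be split again or written to logs unescaped.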
-+ splitEscapedAltNames(altNames) : -+ StringPrototypeSplit(altNames, ', '); -+ for (const name of splitAltNames) { - if (name.startsWith('DNS:')) { - dnsNames.push(name.slice(4)); - } else if (name.startsWith('URI:')) { -diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc -index 74bc0a9756..53fbc576ef 100644 ---- a/src/node_crypto_common.cc -+++ b/src/node_crypto_common.cc -@@ -480,39 +480,320 @@ void AddFingerprintDigest( - } - } - --bool SafeX509ExtPrint(const BIOPointer& out, X509_EXTENSION* ext) { -- const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext); -+static inline bool IsSafeAltName(const char* name, size_t length, bool utf8) { -+ for (size_t i = 0; i < length; i++) { -+ char c = name[i]; -+ switch (c) { -+ case '"': -+ case '\\': -+ // These mess with encoding rules. -+ // Fall through. -+ case ',': -+ // Commas make it impossible to split the list of subject alternative -+ // names unambiguously, which is why we have to escape. -+ // Fall through. -+ case '\'': -+ // Single quotes are unlikely to appear in any legitimate values, but they -+ // could be used to make a value look like it was escaped (i.e., enclosed -+ // in single/double quotes). -+ return false; -+ default: -+ if (utf8) { -+ // In UTF8 strings, we require escaping for any ASCII control character, -+ // but NOT for non-ASCII characters. Note that all bytes of any code -+ // point that consists of more than a single byte have their MSB set. -+ if (static_cast(c) < ' ' || c == '\x7f') { -+ return false; -+ } -+ } else { -+ // Check if the char is a control character or non-ASCII character. Note -+ // that char may or may not be a signed type. Regardless, non-ASCII -+ // values will always be outside of this range. 
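Review bot: With the new call to `splitEscapedAltNames`, `checkServerIdentity` can now throw `ERR_TLS_CERT_ALTNAME_FORMAT`, and nothing at the call site says so. The errors.md hunk documents the throw for user-supplied `subjectaltname` values, but code that wraps `checkServerIdentity` and passes its own certificate objects will only find out from that page; if the function otherwise reports a mismatch by returning an error object (not visible in this hunk), such wrappers have no reason to expect an exception. I would add a line above the split, e.g. `// Throws ERR_TLS_CERT_ALTNAME_FORMAT (rather than returning an error) if altNames contains a malformed quoted entry.` The function body starts and ends outside this hunk.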
-+ if (c < ' ' || c > '~') { -+ return false; -+ } -+ } -+ } -+ } -+ return true; -+} - -- if (method != X509V3_EXT_get_nid(NID_subject_alt_name)) -- return false; -+static inline void PrintAltName(const BIOPointer& out, const char* name, -+ size_t length, bool utf8, -+ const char* safe_prefix) { -+ if (IsSafeAltName(name, length, utf8)) { -+ // For backward-compatibility, append "safe" names without any -+ // modifications. -+ if (safe_prefix != nullptr) { -+ BIO_printf(out.get(), "%s:", safe_prefix); -+ } -+ BIO_write(out.get(), name, length); -+ } else { -+ // If a name is not "safe", we cannot embed it without special -+ // encoding. This does not usually happen, but we don't want to hide -+ // it from the user either. We use JSON compatible escaping here. -+ BIO_write(out.get(), "\"", 1); -+ if (safe_prefix != nullptr) { -+ BIO_printf(out.get(), "%s:", safe_prefix); -+ } -+ for (size_t j = 0; j < length; j++) { -+ char c = static_cast(name[j]); -+ if (c == '\\') { -+ BIO_write(out.get(), "\\\\", 2); -+ } else if (c == '"') { -+ BIO_write(out.get(), "\\\"", 2); -+ } else if ((c >= ' ' && c != ',' && c <= '~') || (utf8 && (c & 0x80))) { -+ // Note that the above condition explicitly excludes commas, which means -+ // that those are encoded as Unicode escape sequences in the "else" -+ // block. That is not strictly necessary, and Node.js itself would parse -+ // it correctly either way. We only do this to account for third-party -+ // code that might be splitting the string at commas (as Node.js itself -+ // used to do). -+ BIO_write(out.get(), &c, 1); -+ } else { -+ // Control character or non-ASCII character. We treat everything as -+ // Latin-1, which corresponds to the first 255 Unicode code points. 
-+ const char hex[] = "0123456789abcdef"; -+ char u[] = { '\\', 'u', '0', '0', hex[(c & 0xf0) >> 4], hex[c & 0x0f] }; -+ BIO_write(out.get(), u, sizeof(u)); -+ } -+ } -+ BIO_write(out.get(), "\"", 1); -+ } -+} -+ -+static inline void PrintLatin1AltName(const BIOPointer& out, -+ const ASN1_IA5STRING* name, -+ const char* safe_prefix = nullptr) { -+ PrintAltName(out, reinterpret_cast(name->data), name->length, -+ false, safe_prefix); -+} -+ -+static inline void PrintUtf8AltName(const BIOPointer& out, -+ const ASN1_UTF8STRING* name, -+ const char* safe_prefix = nullptr) { -+ PrintAltName(out, reinterpret_cast(name->data), name->length, -+ true, safe_prefix); -+} -+ -+// This function currently emulates the behavior of i2v_GENERAL_NAME in a safer -+// and less ambiguous way. -+// TODO(tniessen): gradually improve the format in the next major version(s) -+static bool PrintGeneralName(const BIOPointer& out, const GENERAL_NAME* gen) { -+ if (gen->type == GEN_DNS) { -+ ASN1_IA5STRING* name = gen->d.dNSName; -+ BIO_write(out.get(), "DNS:", 4); -+ // Note that the preferred name syntax (see RFCs 5280 and 1034) with -+ // wildcards is a subset of what we consider "safe", so spec-compliant DNS -+ // names will never need to be escaped. -+ PrintLatin1AltName(out, name); -+ } else if (gen->type == GEN_EMAIL) { -+ ASN1_IA5STRING* name = gen->d.rfc822Name; -+ BIO_write(out.get(), "email:", 6); -+ PrintLatin1AltName(out, name); -+ } else if (gen->type == GEN_URI) { -+ ASN1_IA5STRING* name = gen->d.uniformResourceIdentifier; -+ BIO_write(out.get(), "URI:", 4); -+ // The set of "safe" names was designed to include just about any URI, -+ // with a few exceptions, most notably URIs that contains commas (see -+ // RFC 2396). In other words, most legitimate URIs will not require -+ // escaping. -+ PrintLatin1AltName(out, name); -+ } else if (gen->type == GEN_DIRNAME) { -+ // For backward compatibility, use X509_NAME_oneline to print the -+ // X509_NAME object. 
The format is non standard and should be avoided -+ // elsewhere, but conveniently, the function produces ASCII and the output -+ // is unlikely to contains commas or other characters that would require -+ // escaping. With that in mind, note that it SHOULD NOT produce ASCII -+ // output since an RFC5280 AttributeValue may be a UTF8String. -+ // TODO(tniessen): switch to RFC2253 rules in a major release -+ BIO_printf(out.get(), "DirName:"); -+ char oline[256]; -+ if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) != nullptr) { -+ PrintAltName(out, oline, strlen(oline), false, nullptr); -+ } else { -+ return false; -+ } -+ } else if (gen->type == GEN_IPADD) { -+ BIO_printf(out.get(), "IP Address:"); -+ const ASN1_OCTET_STRING* ip = gen->d.ip; -+ const unsigned char* b = ip->data; -+ if (ip->length == 4) { -+ BIO_printf(out.get(), "%d.%d.%d.%d", b[0], b[1], b[2], b[3]); -+ } else if (ip->length == 16) { -+ for (unsigned int j = 0; j < 8; j++) { -+ uint16_t pair = (b[2 * j] << 8) | b[2 * j + 1]; -+ BIO_printf(out.get(), (j == 0) ? "%X" : ":%X", pair); -+ } -+ } else { -+#if OPENSSL_VERSION_MAJOR >= 3 -+ BIO_printf(out.get(), "", ip->length); -+#else -+ BIO_printf(out.get(), ""); -+#endif -+ } -+ } else if (gen->type == GEN_RID) { -+ // TODO(tniessen): unlike OpenSSL's default implementation, never print the -+ // OID as text and instead always print its numeric representation, which is -+ // backward compatible in practice and more future proof (see OBJ_obj2txt). -+ char oline[256]; -+ i2t_ASN1_OBJECT(oline, sizeof(oline), gen->d.rid); -+ BIO_printf(out.get(), "Registered ID:%s", oline); -+ } else if (gen->type == GEN_OTHERNAME) { -+ // TODO(tniessen): the format that is used here is based on OpenSSL's -+ // implementation of i2v_GENERAL_NAME (as of OpenSSL 3.0.1), mostly for -+ // backward compatibility. 
It is somewhat awkward, especially when passed to -+ // translatePeerCertificate, and should be changed in the future, probably -+ // to the format used by GENERAL_NAME_print (in a major release). -+ bool unicode = true; -+ const char* prefix = nullptr; -+ // OpenSSL 1.1.1 does not support othername in i2v_GENERAL_NAME and may not -+ // define these NIDs. -+#if OPENSSL_VERSION_MAJOR >= 3 -+ int nid = OBJ_obj2nid(gen->d.otherName->type_id); -+ switch (nid) { -+ case NID_id_on_SmtpUTF8Mailbox: -+ prefix = " SmtpUTF8Mailbox:"; -+ break; -+ case NID_XmppAddr: -+ prefix = " XmppAddr:"; -+ break; -+ case NID_SRVName: -+ prefix = " SRVName:"; -+ unicode = false; -+ break; -+ case NID_ms_upn: -+ prefix = " UPN:"; -+ break; -+ case NID_NAIRealm: -+ prefix = " NAIRealm:"; -+ break; -+ } -+#endif // OPENSSL_VERSION_MAJOR >= 3 -+ int val_type = gen->d.otherName->value->type; -+ if (prefix == nullptr || -+ (unicode && val_type != V_ASN1_UTF8STRING) || -+ (!unicode && val_type != V_ASN1_IA5STRING)) { -+ BIO_printf(out.get(), "othername:"); -+ } else { -+ BIO_printf(out.get(), "othername:"); -+ if (unicode) { -+ PrintUtf8AltName(out, gen->d.otherName->value->value.utf8string, -+ prefix); -+ } else { -+ PrintLatin1AltName(out, gen->d.otherName->value->value.ia5string, -+ prefix); -+ } -+ } -+ } else if (gen->type == GEN_X400) { -+ // TODO(tniessen): this is what OpenSSL does, implement properly instead -+ BIO_printf(out.get(), "X400Name:"); -+ } else if (gen->type == GEN_EDIPARTY) { -+ // TODO(tniessen): this is what OpenSSL does, implement properly instead -+ BIO_printf(out.get(), "EdiPartyName:"); -+ } else { -+ // This is safe because X509V3_EXT_d2i would have returned nullptr in this -+ // case already. 
-+ UNREACHABLE(); -+ } -+ -+ return true; -+} -+ -+bool SafeX509SubjectAltNamePrint(const BIOPointer& out, X509_EXTENSION* ext) { -+ const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext); -+ CHECK(method == X509V3_EXT_get_nid(NID_subject_alt_name)); - - GENERAL_NAMES* names = static_cast(X509V3_EXT_d2i(ext)); - if (names == nullptr) - return false; - -+ bool ok = true; -+ - for (int i = 0; i < sk_GENERAL_NAME_num(names); i++) { - GENERAL_NAME* gen = sk_GENERAL_NAME_value(names, i); - - if (i != 0) - BIO_write(out.get(), ", ", 2); - -- if (gen->type == GEN_DNS) { -- ASN1_IA5STRING* name = gen->d.dNSName; -- -- BIO_write(out.get(), "DNS:", 4); -- BIO_write(out.get(), name->data, name->length); -- } else { -- STACK_OF(CONF_VALUE)* nval = i2v_GENERAL_NAME( -- const_cast(method), gen, nullptr); -- if (nval == nullptr) -- return false; -- X509V3_EXT_val_prn(out.get(), nval, 0, 0); -- sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); -+ if (!(ok = PrintGeneralName(out, gen))) { -+ break; - } - } - sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); - -- return true; -+ return ok; -+} -+ -+bool SafeX509InfoAccessPrint(const BIOPointer& out, X509_EXTENSION* ext) { -+ const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext); -+ CHECK(method == X509V3_EXT_get_nid(NID_info_access)); -+ -+ AUTHORITY_INFO_ACCESS* descs = -+ static_cast(X509V3_EXT_d2i(ext)); -+ if (descs == nullptr) -+ return false; -+ -+ bool ok = true; -+ -+ for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(descs); i++) { -+ ACCESS_DESCRIPTION* desc = sk_ACCESS_DESCRIPTION_value(descs, i); -+ -+ if (i != 0) -+ BIO_write(out.get(), "\n", 1); -+ -+ char objtmp[80]; -+ i2t_ASN1_OBJECT(objtmp, sizeof(objtmp), desc->method); -+ BIO_printf(out.get(), "%s - ", objtmp); -+ if (!(ok = PrintGeneralName(out, desc->location))) { -+ break; -+ } -+ } -+ sk_ACCESS_DESCRIPTION_pop_free(descs, ACCESS_DESCRIPTION_free); -+ -+#if OPENSSL_VERSION_MAJOR < 3 -+ BIO_write(out.get(), "\n", 1); -+#endif -+ -+ return ok; -+} -+ -+v8::MaybeLocal 
GetSubjectAltNameString( -+ Environment* env, -+ const BIOPointer& bio, -+ X509* cert) { -+ int index = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); -+ if (index < 0) -+ return Undefined(env->isolate()); -+ -+ X509_EXTENSION* ext = X509_get_ext(cert, index); -+ CHECK_NOT_NULL(ext); -+ -+ if (!SafeX509SubjectAltNamePrint(bio, ext)) { -+ USE(BIO_reset(bio.get())); -+ return v8::Null(env->isolate()); -+ } -+ -+ return ToV8Value(env, bio); -+} -+ -+v8::MaybeLocal GetInfoAccessString( -+ Environment* env, -+ const BIOPointer& bio, -+ X509* cert) { -+ int index = X509_get_ext_by_NID(cert, NID_info_access, -1); -+ if (index < 0) -+ return Undefined(env->isolate()); -+ -+ X509_EXTENSION* ext = X509_get_ext(cert, index); -+ CHECK_NOT_NULL(ext); -+ -+ if (!SafeX509InfoAccessPrint(bio, ext)) { -+ USE(BIO_reset(bio.get())); -+ return v8::Null(env->isolate()); -+ } -+ -+ return ToV8Value(env, bio); - } - - MaybeLocal GetFingerprintDigest( -@@ -628,27 +909,6 @@ MaybeLocal GetModulusString( - return ToV8Value(env, bio); - } - --template --MaybeLocal GetInfoString( -- Environment* env, -- const BIOPointer& bio, -- X509* cert) { -- int index = X509_get_ext_by_NID(cert, nid, -1); -- if (index < 0) -- return Undefined(env->isolate()); -- -- X509_EXTENSION* ext = X509_get_ext(cert, index); -- CHECK_NOT_NULL(ext); -- -- if (!SafeX509ExtPrint(bio, ext) && -- X509V3_EXT_print(bio.get(), ext, 0, 0) != 1) { -- USE(BIO_reset(bio.get())); -- return Null(env->isolate()); -- } -- -- return ToV8Value(env, bio); --} -- - MaybeLocal GetIssuerString( - Environment* env, - const BIOPointer& bio, -@@ -917,11 +1177,11 @@ MaybeLocal X509ToObject(Environment* env, X509* cert) { - !Set(context, - info, - env->subjectaltname_string(), -- GetInfoString(env, bio, cert)) || -+ GetSubjectAltNameString(env, bio, cert)) || - !Set(context, - info, - env->infoaccess_string(), -- GetInfoString(env, bio, cert))) { -+ GetInfoAccessString(env, bio, cert))) { - return MaybeLocal(); - } - -diff --git 
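Review bot: In `PrintGeneralName`, the `GEN_DIRNAME` branch formats the name with `X509_NAME_oneline` into `char oline[256]`, so a directory name whose one-line form does not fit is cut off silently and the truncated text is emitted as if it were the whole name. The `GEN_RID` branch has the same shape, since the return value of `i2t_ASN1_OBJECT` is ignored. Because this output becomes the `subjectaltname` and `infoaccess` strings, I would either print through a BIO-based routine that has no fixed cap, or treat a full buffer as a failure, e.g. `if (strlen(oline) == sizeof(oline) - 1) return false;` right after the call (this also rejects a name of exactly 255 bytes). At the least the limit deserves a comment such as `// NOTE: X509_NAME_oneline truncates to sizeof(oline) - 1 bytes.`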
a/test/common/index.js b/test/common/index.js -index 8cd9841527..98b586cafd 100644 ---- a/test/common/index.js -+++ b/test/common/index.js -@@ -51,6 +51,11 @@ const noop = () => {}; - const hasCrypto = Boolean(process.versions.openssl) && - !process.env.NODE_SKIP_CRYPTO; - -+const hasOpenSSL3 = hasCrypto && -+ require('crypto').constants.OPENSSL_VERSION_NUMBER >= 805306368; -+ -+const hasQuic = hasCrypto && !!process.config.variables.openssl_quic; -+ - // Check for flags. Skip this for workers (both, the `cluster` module and - // `worker_threads`) and child processes. - // If the binary was built without-ssl then the crypto flags are -@@ -714,6 +719,8 @@ const common = { - getTTYfd, - hasIntl, - hasCrypto, -+ hasOpenSSL3, -+ hasQuic, - hasMultiLocalhost, - invalidArgTypeHelper, - isAIX, -diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile -index 824704c724..49cc29ad1c 100644 ---- a/test/fixtures/keys/Makefile -+++ b/test/fixtures/keys/Makefile -@@ -75,6 +75,8 @@ all: \ - ed448_public.pem \ - x448_private.pem \ - x448_public.pem \ -+ incorrect_san_correct_subject-cert.pem \ -+ incorrect_san_correct_subject-key.pem \ - - # - # Create Certificate Authority: ca1 -@@ -733,6 +735,18 @@ x448_private.pem: - x448_public.pem: x448_private.pem - openssl pkey -in x448_private.pem -pubout -out x448_public.pem - -+incorrect_san_correct_subject-cert.pem: incorrect_san_correct_subject-key.pem -+ openssl req -x509 \ -+ -key incorrect_san_correct_subject-key.pem \ -+ -out incorrect_san_correct_subject-cert.pem \ -+ -sha256 \ -+ -days 3650 \ -+ -subj "/CN=good.example.com" \ -+ -addext "subjectAltName = DNS:evil.example.com" -+ -+incorrect_san_correct_subject-key.pem: -+ openssl ecparam -name prime256v1 -genkey -noout -out incorrect_san_correct_subject-key.pem -+ - clean: - rm -f *.pfx *.pem *.srl ca2-database.txt ca2-serial fake-startcom-root-serial *.print *.old fake-startcom-root-issued-certs/*.pem - @> fake-startcom-root-database.txt -diff --git 
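Review bot: `hasOpenSSL3` in test/common/index.js compares `OPENSSL_VERSION_NUMBER` with the decimal literal `805306368`, which hides that the threshold is OpenSSL 3.0.0. Writing the comparison as `require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30000000;` keeps the value identical and makes the version readable at a glance.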
a/test/fixtures/keys/incorrect_san_correct_subject-cert.pem b/test/fixtures/keys/incorrect_san_correct_subject-cert.pem -new file mode 100644 -index 0000000000..787d9f1135 ---- /dev/null -+++ b/test/fixtures/keys/incorrect_san_correct_subject-cert.pem -@@ -0,0 +1,11 @@ -+-----BEGIN CERTIFICATE----- -+MIIBqDCCAU6gAwIBAgIUE3Kx4WUjkwuKy/fBOM+UJkb9aSAwCgYIKoZIzj0EAwIw -+GzEZMBcGA1UEAwwQZ29vZC5leGFtcGxlLmNvbTAeFw0yMTEyMTExNjUxNDVaFw0z -+MTEyMDkxNjUxNDVaMBsxGTAXBgNVBAMMEGdvb2QuZXhhbXBsZS5jb20wWTATBgcq -+hkjOPQIBBggqhkjOPQMBBwNCAASQ/CKa5uMZuLYssnNOm7DPdw3I5Doa0Qpyf3cS -+7aGatfK3tuY8qG7nJ5OGtl1WOL/gN0vRRN0/KA/iRJyjafzzo3AwbjAdBgNVHQ4E -+FgQUFkpgPzE1ePjK5UsPcR0gk5uLsTUwHwYDVR0jBBgwFoAUFkpgPzE1ePjK5UsP -+cR0gk5uLsTUwDwYDVR0TAQH/BAUwAwEB/zAbBgNVHREEFDASghBldmlsLmV4YW1w -+bGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQCMZAinQXkOEhfp+moxVnLbcUPAAqsl -+1KCq3NRG91TGCgIgC4grmOhCRqJMF1RPNWobGogX/yNrYNjiGzNVyJzMR0s= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/keys/incorrect_san_correct_subject-key.pem b/test/fixtures/keys/incorrect_san_correct_subject-key.pem -new file mode 100644 -index 0000000000..f7f51253a8 ---- /dev/null -+++ b/test/fixtures/keys/incorrect_san_correct_subject-key.pem -@@ -0,0 +1,5 @@ -+-----BEGIN EC PRIVATE KEY----- -+MHcCAQEEIOOVRgLS3H2T2fUhj4ASCFq60ySwO6yvSK6rvZHldAHuoAoGCCqGSM49 -+AwEHoUQDQgAEkPwimubjGbi2LLJzTpuwz3cNyOQ6GtEKcn93Eu2hmrXyt7bmPKhu -+5yeThrZdVji/4DdL0UTdPygP4kSco2n88w== -+-----END EC PRIVATE KEY----- -diff --git a/test/fixtures/x509-escaping/.gitignore b/test/fixtures/x509-escaping/.gitignore -new file mode 100644 -index 0000000000..504afef81f ---- /dev/null -+++ b/test/fixtures/x509-escaping/.gitignore -@@ -0,0 +1,2 @@ -+node_modules/ -+package-lock.json -diff --git a/test/fixtures/x509-escaping/alt-0-cert.pem b/test/fixtures/x509-escaping/alt-0-cert.pem -new file mode 100644 -index 0000000000..30e6fa6c3f ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-0-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- 
-+MIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+NTAzMDEGA1UdEQQqMCiCJmdvb2QuZXhhbXBsZS5jb20sIEROUzpldmlsLmV4YW1w -+bGUuY29tMA0GCSqGSIb3DQEBCwUAA4ICAQAcsy+PIduM8NRrdqcTqufiajsAajQz -+eB5+5+lZLi9MliXqoS4HsdrDMDevMa2cC+wB+XZW9SJXjtqrwXAxTAHtEyhsCi25 -+XV0sJPWmZM+OQkGTtp7Ain12htr/t/DJ13YJpT03W6kYogA1kKJ5OMYMTcGT+7UB -+zM4G2LUSrrSisxhfz9bF8Q9s1piG2gb5ACEQUiMLRrZXl8WLlaY59lloKyMa/9g6 -+i3TgLxhp7XNS/bh/f2tDx+7ZgdtHUlkNhl1MycIVQRGK3BaZBEd+sDxS52kwym5I -+CWLXGLutU3OeaNgqyvZuMvy//2oER3PysizyjwNoFlUbIz3zMnXvBeEjeGtEHsCJ -+EBtX+xBWwMhUKE2QcMLxQaZNJCZFVFw8fDeEgFjTdEBcLsZ1PngT3jgXSHEWA+YL -+C3rQhFMjyjy2h8u1sjySFrTlbZPm8gC3q/+LaXxhf5i5xiZOOcVfeYiWFUa5gQal -+FaWj2SlQFaN2nidPaQO62vRIYn0Y/qbtUQAPkq4VVeycgxiuZaVVWCdct8UCYb9F -+b9QSMpK4r99MKy+s41RiJodDJy0XraOxy7hUDjyObL2fuuPUK6mQAFGwWtajv3qq -+vrRMvBEXdOPVmbETyzIosUHvOXT+v8WoCbC14mqMZTWVywRg7bD/NTHJDRIBrqvi -+O6Zqbod3EImVnQ== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-1-cert.pem b/test/fixtures/x509-escaping/alt-1-cert.pem -new file mode 100644 -index 0000000000..63883c2bbf ---- /dev/null -+++ 
b/test/fixtures/x509-escaping/alt-1-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIE0zCCArugAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+IjAgMB4GA1UdEQQXMBWGE2h0dHA6Ly9leGFtcGxlLmNvbS8wDQYJKoZIhvcNAQEL -+BQADggIBACFwNHWQ5w3UBbyq17emn7Z0BT0Zm5iFr8Qeik75WzbyzXd5QIeFWewB -+qmiuaoKGGZ674sGcuomnIwoZBCoqvzbBBqBHp+O3/6pq59THQxeE6vhjKAe8oaih -+emdigRmkX+Qi8UwUh76B51wHtkp6zAZnLDn8M67qmP7bjNrrMQeE81wRWYz9ssfd -+N63dzu2BdD3EGl4CepdszpfUYLkz6iiDwFkc1NaBcQbBDoGqn2ubNXTHAyGGeL5a -+ulDCND0FQtg+jhHHE3zXBqh1nPg/cXXRUG2zjxzUnaU2eMs5b4yqoLN/2n7fb7mV -+HRh0T6X1HZcYpf5BSsgmr3Ngd/9b3sYRvNXBkVmKAu8dH7zguksczsvbL9r/u2YX -+hgGjNT3xSphJbZTzqsACcoDo67EFkJ5p25f0N1i/rxk7O6uLMtrUqnzOXs6NXgEQ -+8lyfVEgLFrXzdKXuk2l/6bwym80Eqdpjv5yCckCl24cFVpc15MRP3MPwIHrtoOLw -+bdNZA5NUAnppLmG6zTdPPgBWEmf5+4ei9WjmpG1hq72/nJ1qM2dLIgV5nLggr1UH -+i+vih+ujceBLVumAu/naP440xO5HRvpPfDWI+eU/wuXjUyAqe6YlYS+Txu/5YnFh -+aMHO+PIgudWwGPhkABtrc/1jC+Yfy+GCtih10zBagoN9/DSugh0H -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-10-cert.pem b/test/fixtures/x509-escaping/alt-10-cert.pem -new file mode 100644 -index 
0000000000..14bec45d28 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-10-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIExTCCAq2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+FDASMBAGA1UdEQQJMAeHBQAICAQEMA0GCSqGSIb3DQEBCwUAA4ICAQA+jnyjJ/9X -+ENWXApq2g+GlWBM07KpsrxzwDXc6wsOnZCIiMoDqpcH96X8Q2Lahc4mZuz4yOZtv -+z8Q9YUDTnJY+RtKYNDbxlz7wI1ASxKdP0X1qdzkYtHH752tG/zwVU2FSvqJLw+nl -+rPJvQQ82/30BspejbW0JIfO7JnfN5BHPzzJp/V5tI1KQe+Wh0gEq6UvXjFrkCoeU -+gaedPaG2RYDi1LWawRque7pnYzrcJCtc+wb8wiL1dRv7fDDmI7fFm3Bj6Rnid4/6 -+/CxK3WqLBQrXoGnPGwI4iR17Rx08hPCL2V8NvDuJlagJe/Vc6LzOEixofoHGx4rG -+Cm0AKubKbak/ML/rjyP2TiUmOhhm3Xdml3xexedErkgTLtlvmC0jesYuc4MeypNx -+Q0eKRnChRGZYT9kaNgXZG1Scq63vpxKhayVvwU4ahGQS+nmuZdbRMEMIH6YkGxo/ -+i5qmNxQPLMLE6HclSdDtUxN4ywQAQ49CaTCxVYq7dLTzpII3ldQ+KuefenaXrYGE -+7TyqJBVdsTq0Bg2Ftf7GaoidJ/ZjjkB3Sj5uVQFMfU8uSATOolBOzh6fSiQJ60Zn -+CtAAkb9uOwTl67Qijo4qAe9JRNqR9H5d65D0Vx+gdhcZVEriqIVhXVcgsvYQ55Ju -+VGhc/foVd+vBuM3jXEdGR+DN/dEu+HZrhQ== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-11-cert.pem b/test/fixtures/x509-escaping/alt-11-cert.pem -new file mode 
100644 -index 0000000000..694cb7e9d8 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-11-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIExjCCAq6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+FTATMBEGA1UdEQQKMAiHBgABAgMEBTANBgkqhkiG9w0BAQsFAAOCAgEAp2nxfYla -+giNJ9S2owtp/5DxB3jIhQJzmdSxuUKVwWBffmzxrTkOoK/IcGkq3hu27GIy+ICFc -+YkSsAE3DfboSTStxhkVZKMVv+e5tXPQ0i+Z+CSgHZbrnaA7nH0UPEgFFddhqogGw -+LGE54iZ3D7ZYebTw/ELCIHNu9KeOStF7j04WXG7qRrqza5NmKqlxTC5tGoWAljzN -+cdC2BdK7H2+6de3c4dBsYqcL2IgwNhA1uKIsDjJwwkOPmCEPl+7DjleI3IAKpROh -+vX66DLaAsLEkoHsN7XTienHF8o/avIMGUfb0rtNLbwW8tzfjeAaJ7iTSm7ibhBLP -+fK+n7Osh9QH+lG0K7M2zez7Kd3u+eNgTEG63gVR+zDZQwkA2Hy1o4zmZ+a3iCtdi -+w6JGq3TT8nfPNO4kSoq7EYs6daPnGi3sqNRC20t4FZw0jOpvI4Uw7rPcTTqmAeAw -+9H37WU3URD2EP8BpkoZiOShMHzNGqlC9qbqr5dd83Lkdz9gN4w3ipdbiiGFGPXhT -+YubUecjwXoBUUI+be/edVbg7RtSSuplDv5l4bBSy+BG8JEUL6CKAUEtt2Tpt2SVD -+AIaj0B19/DSYq1e4x8IBVBsI2RnEEpP70bdLiSYLhVhMdzp0PRqDVDE+zt4mm0lx -+NRDSdNS1/rJEH1gLQEh4SGMs9iY5Vv+kx28= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-12-cert.pem b/test/fixtures/x509-escaping/alt-12-cert.pem 
-new file mode 100644 -index 0000000000..7e48ebdf05 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-12-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIE0DCCArigAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+HzAdMBsGA1UdEQQUMBKHEAoLDA0ODwAAAAAAAHp7fH0wDQYJKoZIhvcNAQELBQAD -+ggIBAEMU6XcjSdQ+EG22BsyAYin2d3g9Fd0gljsuyEyw2qwFE1zeNqz2sFX7GdmP -+hEmUVdzQ0EQsHtKiO2BIhU5fkLoGIkJQT0MY/Tkc3xCLjVBG9ryHNjhv4aYfcvZ2 -+K8LwWu5na5YtpmEHppFTmhQFHK9Yf2Jeh5Ms1VH2jwKR8iFM9dk0wcB74Y1WqyX0 -+bhNUzv0ISvz/DK6rN0CM0OiZ7D1toMFJIslEcZD/MCZ0icFwRgGLzooDbm1xtixo -+NjgdswdiL0cS/wgSdzu9eIugUQZU2KvUWYXGqYMDpn7iukiZSKQuFhZGcuK17zyR -+y6TkDFe9rTxVtw9SAxjlo94rEqWN9Cns0n7tqAI/Wg6ILHUjUFwqSdrZQTEgH4O3 -+tfhRkV4HCgP1Tzfz/20uMBqjCLbdt7xcSfLIiHgaxgwM0LGhH2Uk3oYinL2WIUDi -+bZPI+1bzeyZ/tHw4sDxkGn3W3Nr44Td/5DAFz1lRMxAliVwHNzFTiY7IjCqmB0DL -+z91agdgPMdh/huFvGJZHS/v7EXMSXyNLyIw+5JO12iwf4+pu8NLnOtMoHDB4yY0w -+MEerc4e8SmygBQGF0MrcmirdT+7yiKRktZZFuyQoj4fBSKeBaBKUrnnk4UYw9H8f -+j/EQwM87PmYjTwYPrJ0Kz5r4dmAUvq4z2ReLgM08Ve4SPa79 -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-13-cert.pem 
b/test/fixtures/x509-escaping/alt-13-cert.pem -new file mode 100644 -index 0000000000..574ad1ca8f ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-13-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIEzzCCAregAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+HjAcMBoGA1UdEQQTMBGBD2Zvb0BleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOC -+AgEAkx9jG86PMjL+/UxlhX0B/gIKHyTVrEt8j+/fn74uMnd7CV7toK6f5DANIxYp -+3OJWAFYZ2lNS3MQMxpbjpd7D0BeNwhiJyBnRPhJ9KdsvdXnupF5ANNzr3oMioWwL -+3WxvmQDEz35sorae5nzuZu8EpuwgodR0NCEmoPdW9JOUiB7k3Ku5goZHqlrdzM8f -+YPbRDNOxSIpRqr5eqhEM9tEf+TF6qOM/NZJlXxtGDVdaDTbaULuCJGEW8TdVajnY -+FfWWtIHwF64G5qJTgENqJjR1kkJy5vg2lFoDXE8MG+LvTHfyY0rMilncD2YOBLcj -+gb3mBTxZGI2w2KZbchgEvA9+0heumAVJQPfdGs+pCUdvlhwWh8FCvu3aQb5X57OU -+3D97vwvEs8Mxm0KHf0o0ZnTvaBWN5htX2bbpvYxGGB0SsWM8r1LIXj8bwGNdViV8 -+UWNrg37XyGCppL1jXJ1q+DDKOvi0JR384ocRmS8mWUf9qiAMOqveix38rHezWlEm -+4TCscq4tv135nM194D6uilzv4mUxLAMTX8Lvag1R3aKuOHio9lCGep4v776kALE6 -+9/rekRGoMwNApoaC96x+V/dkbfnjWcxRXL5TvjDwVInl+RCcn6ijYZM0HYc+U1Dw -+MwqBCbP2Y9Ee7xcnAgPbqH2svWG7XadQHAcOEDc/DFsPRG8= -+-----END CERTIFICATE----- -diff --git 
a/test/fixtures/x509-escaping/alt-14-cert.pem b/test/fixtures/x509-escaping/alt-14-cert.pem -new file mode 100644 -index 0000000000..0265b5992c ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-14-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE5TCCAs2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+NDAyMDAGA1UdEQQpMCeBJWZvb0BleGFtcGxlLmNvbSwgRE5TOmdvb2QuZXhhbXBs -+ZS5jb20wDQYJKoZIhvcNAQELBQADggIBABf7bojDeoFEFyk/Xzo50sAL+5irJYzV -+n//5aEvUotYxQt5coi7UnkKUgdiUhIXD8WaxD9KP3nUH+C3cxAQ+I7iVjFhjqFQB -+X4c/ZjJA2QIX7VMWA3kpOFvR5N0HHest097Fi/HUEEXNkcUtCkRNtI2Msse9uz09 -+DIv9P0IQ2TFgBRCTJwq2ZfVebHk/xoQ5fV9b0b39ts6ToiuMvGJVng2zz8fVNMah -+hycCn0WSb6dPi9k0ItSvRTYL6vp9X842+Q0Xkq0FxQPUcvzN7D1tSmHXDM7nYXp3 -+FB6DKASp0+nn+J88RXVSpO0JedEyRDEluxHJcan+hqhWJ4DgamlVTEPN3q5yE4lt -+Jr/R5tnx0Lv0CxDTAfZLaFiKb2jz9nVhzbCh7t21mxyb2mOM+GAxRaIgxodeNJoY -+QA6Ezz4cbjjA72Rgi+tBxy2abXpbbJ/vX7FUhs0ICFKZJHvFoxazgtSGgHHYNxhc -+/+9o6Y9jhunwGn/MaoxWJsdSjZ8VX7HY0iOSU3z4d4PWvIz05n4sGoJET6s1JuKe -+dZAAeQy0V5/EzxIu4GPGrzVtk2SQhNHVJZKponZeCRruruGT5Z1T+gF5YSqVM6BA -+XA0ZVXwOEbZ5XRIzBBbaiX3Eeful50ILOiP/uxLlcZtTtOyT4wNBgijfJehRHbED 
-+ppJk42EFZKb2 -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-15-cert.pem b/test/fixtures/x509-escaping/alt-15-cert.pem -new file mode 100644 -index 0000000000..70a98fb90b ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-15-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE4jCCAsqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+MTAvMC0GA1UdEQQmMCSkIjAgMQswCQYDVQQGEwJERTERMA8GA1UEBwwISGFubm92 -+ZXIwDQYJKoZIhvcNAQELBQADggIBABIv7Wlg5F1gh0+0v/+LnushmLeypcXQGqkg -+E2IxXC2VnZxq8xTFCHy/m1qTBLPJK5VIg5qmtstL9zIk9rOUshQvusvNLplC0j3o -+GuQdQJNKV7rrzYYpUZO1en11q27AgDsO6lwSNg4U+mqzJxxIHc8IMeJpfaGTkUz/ -+ZXXNz04JJalUff+W2436vSvu8Y82fD72/qNu6EMiOl0EHJFQ/7eCAlz6hSNleLT/ -+N2GztApNzujbPgH7+PHOeVpwppDuXY1rkmPJMxCqkY8yOwyM5dMov0bjIN1f+QXv -+7voxVGMTefUajKADaNGMShH5rhgjIWBgujvdCyLPr6W2R4S1QPzjx4X26eTX1G8V -+/eTsJ6mMc+3cd6CEmEahUnc6LdEdwm+1SMRG2nejea4o8c+crwYX5KQVrqx92FqB -+SdkdCtS6qlnxJVvSz+HW6lEM0EShvjKEz/udsnttALQjhxfB7AHNWA073o/OiH25 -+Y9QpUudmWJjOoqRokN0SV4rDQnfNcLKIoVFPu+rG2CpBDjUsoxG3/aC8Owcd8Ceh -+w+O/DqQXudXFS3RsePbz4rPfID9YtBHrihCE10B70DUutWPsbe5lKie3wJpQbqvl 
-+zp5kkI5RffVU7OFD6os3+wPomdIG21Cf/fru56nV3FmkINCabLQddes7OarQcZ5y -+xsumEzq+ -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-16-cert.pem b/test/fixtures/x509-escaping/alt-16-cert.pem -new file mode 100644 -index 0000000000..64f852ceeb ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-16-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE4jCCAsqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+MTAvMC0GA1UdEQQmMCSkIjAgMQswCQYDVQQGEwJERTERMA8GA1UEBwwITcO8bmNo -+ZW4wDQYJKoZIhvcNAQELBQADggIBAEID22h5WK1YJrKUmmO0owley+tL519YwJbs -+FwbwPz7+SJKA+UQNqVXYOGLwDJ6A6OzsV1TnJuwGotTmvNwr7eOVyLf03qggIYEj -+5Twgk57gJmqE+Q8UXUq2ocALUcgReZhluhNoL1XYQMbDaHYwh9HSOP7udEszVQoE -+m1D74cSiW803XnqPJGj0i1s9mD6AEewPl2k0mQ0hTMM3rlE1jOCj4Jx81tWH5KNY -+LXn/LhFomeo/LAU4PCFTt65tAomKTNXq0GwuunU62fy8pwh9QUpD3Vfrkm4+08uz -+WXSk9PeaF8tOs5pRwVMRr0GIdnQHa9GKuBBSZEvkGTxLM+cxO7jp5qSs2IRVpI5s -+ztlJQcJpeTRNCEF7gM98nMqDqve/IySGle9s1RjpnBuSD9UKzbMGeBuZK8d0JfBt -+7XF3i6Tu74EbBL/mP/0xoHausW9Yo8HZhXjm5k9P7m9xxlq2JSSXeQCLbKFT/SN+ -+Q3bS6rh0HaqLP8Gd3OyU+aOOy13Tr167LEFNK6DlfSadITuHwRMNvCk8UIDRDzAZ 
-+kXVXdT5UfUe4IJU6OPVsFfntTX6G8s2/K4WropnjD5NjBJ0ppvPgCBqEA03mCGVt -+IunRhQypiA0+SilM7BX6jD97IcmnbSyQ6fUkIdDBTMlX3MoYXkT00gDT3y8D/aKw -+KTd5SKbD -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-17-cert.pem b/test/fixtures/x509-escaping/alt-17-cert.pem -new file mode 100644 -index 0000000000..f09f41b918 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-17-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE9jCCAt6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+RTBDMEEGA1UdEQQ6MDikNjA0MQswCQYDVQQGEwJERTElMCMGA1UEBwwcQmVybGlu -+LCBETlM6Z29vZC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEAchR9+hds -+zMK0NKgiX32XxJJ79tlo2sRMCZqij8Lqfyz7JDlTMSvIVqcrmimlAMX5u8BxKRXG -+99KzXhbJb6Hnj2i6fQobxpD6nKnPSUcoiiWccmp8jmcKQW7M6TuqOfEdEnKpf0BF -+vNFBjXGxs0KqOArX/1d0DqYS1LTnxaC6NimgvjAqKVRm9mqj62pc9//ixCgHkqLJ -+stuoSerbo/mO0ieY1wq9r9TZT1epacVrQpJFWeJWhow94WutMNesJSWLcxX63mH4 -+j0LHEEkHLa1UkMzM2RkHTVhKrthCiuyrtqrglLsdPInU7ZYVONyUrR2D1tMy52mB -+b1HzzP43pomBJtp3OeEZtBDwmmGgD8RBdVK/T9hcK02cvB1w1yr4LHUeYLMqrZaP -+SJHQ7kv9AV5Os64SYW9+7cqjt1q4VmaEqcuCqvB6mORHWHnsa6PQ19myA7OdqNpT 
-+WAK3D94tpbGPTzfhUCHk0w0fPzJ4A1+S6g4eHX4iQQxxDg9sXV4ZRvAEKnJhs2S7 -+OhtXdfyu/1+lfaunN13SyxMwyyxHzylEU707Sisxse2usX1Zy2zxqD+LO/9iIu1S -+76/rquhiOFRWxSpjb7ewpH97OGFmtzfH70vBBukn0alT4xjkje10NlBfzcFwHWQH -+59nxPd5sUEqq+DxTjoAgwO91woU7UTs98lw= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-18-cert.pem b/test/fixtures/x509-escaping/alt-18-cert.pem -new file mode 100644 -index 0000000000..341ac0b7ce ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-18-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIFBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+VjBUMFIGA1UdEQRLMEmkRzBFMQswCQYDVQQGEwJERTE2MDQGA1UEBwwtQmVybGlu -+LCBETlM6Z29vZC5leGFtcGxlLmNvbQBldmlsLmV4YW1wbGUuY29tMA0GCSqGSIb3 -+DQEBCwUAA4ICAQBFUk2Z1E5Q4mW7S8dLz5h78AmfNbwx9eNtECc8iLQq2Q0MuIzQ -+noURyNSHhH2hkohU4afXjolCr54DkJNYogrBwHaNDt3Y3wqGQXc+BKRnqblfr1+A -+1EoIaqRFjv/Mu2gB0H4U3vBRYriZu7BhQFXiQHAr6hWLG91B1eN1i+my9zOSoSZF -+7BuemB/9F4wjvwmDJieSwOgGk3FhNV64Ce9M95RwDKNSJBTBqOTLoyvOw2jgs22m -+MntqW9oRywGeHdJ5EucPBrZQKDNysNFj3We8H7PedGNlnG/QknE6pzpRgqbRCAax 
-+hcvGQIaMcUJ3oWhJuPNscjsJ/nfaitz58nH5raj4O8JhlS1h49NpbJO/pAWMHh0d -+ZruXspxdEwW17aMJJ365q0XyVysRHiwQuIQYCo8L7oVUsH5FUJ9xxPH22b+PG05r -+EABdID+aDV7X/MNwBxgeBOFVOgE5bfrH8NBjkx/F7ID/hjcQDLVWWoFnpIjekebC -+EeqTRl5TcnoN9Dc7zkfwmuYGoaYJrGhj7WRvfFgcw1Cr1xujiJtoKbEbMoeD45+H -+SQ8MwBb37Gm3aBNakpVmJlp/QZSJY403hA8QrZdjnqoS4THrC0+gN2q71aZ9ZCZY -+3+OPNg659ZcYvo1onBSA0p1WGKEAWdHKqZCVRdsl5LnRg4H5gEVW4gmhjA== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-19-cert.pem b/test/fixtures/x509-escaping/alt-19-cert.pem -new file mode 100644 -index 0000000000..f163184204 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-19-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIFCDCCAvCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+VzBVMFMGA1UdEQRMMEqkSDBGMQswCQYDVQQGEwJERTE3MDUGA1UEBwwuQmVybGlu -+LCBETlM6Z29vZC5leGFtcGxlLmNvbVwAZXZpbC5leGFtcGxlLmNvbTANBgkqhkiG -+9w0BAQsFAAOCAgEAWtSJOhwRpYdB/aq/AixRTIpwf5VR3MWaDNh7clpnpYhYoLDY -+7dJ8cv3AR5dOScFXLrCZ2UYVD+tTPyt18opnYDT4h6If/U9TTHVu5tRSX0wGIdPc -+j3zVVegty/HWMA5LfwygNTvZjgXhocckNND7hC42+BuXE2bqoqnkqMRer/R+9PmU 
-+FXpyLk0aDl2QmspDAz86FYpEuxpMfmDNmM1nWDz+n+uBbeuriTttsFqFWkfOGoNN -+/3tAmUjAt5IqkL+7rnDt6Lc9inY0z3uYGJEdqa0GJJFJ7U+8wcw8rUwvKETqAtW1 -+mBOswkoCImPeNDpiqiotwl4cfrsb1+j9gNpYTP2oSurh/bF0mxGLoJa1iDeibwqg -++f6oWcCdYQ94ItvS3d+lNXT0MWM6HU6sHXf3+5SqvsvsKjUBRyy1Nvnug1bha6Qv -+bdeErN0ZSGy12Vc90Y5fpl8kebmYiJc79OqvuTNDeRfgBm+U4ASAj/AEhtbN+wDd -+HrUHbk/9U9h0UFRZ5s7Pqoy5PEoLRoFeA/jQQa/fLC8nl7YTSwidVgj8cyAy36sV -+uaBNXrcgelqlR26SBynXM3APaFlv5IdSlF199swMCusQrGbiNajl21TUm+Iv+84g -+x7rnUPnQ1grkLpMOBtGaraKc93e2VfH5bAZvyaIq99qdA10ERCtE2grvjik= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-2-cert.pem b/test/fixtures/x509-escaping/alt-2-cert.pem -new file mode 100644 -index 0000000000..6ae58f5636 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-2-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIE2zCCAsOgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+KjAoMCYGA1UdEQQfMB2GG2h0dHA6Ly9leGFtcGxlLmNvbS8/YT1iJmM9ZDANBgkq -+hkiG9w0BAQsFAAOCAgEANTZFCjNmspLkZaVYkcAXfT2poPPWAu7wS/wG4VEmKwPV -+A4dnFV2McXNW/iyABeoofeIjsjiYLpxTvz3teD2JJh+hidNED77PV7f4hj7vs4Dn 
-+DGB3HKJvTD63AVOiPJ4bbfUyiuvLO5TwdxAGm+q9lsf/fWFraTF2qlnFwyWf6Qul -++NQo3bM8mErvntZMscq7wo0cOdAXA0bNqxKS+IDnc+HLxoEr2egbRJmEagMgV4/U -++AGVQ1sY+HrEszOPUA6NZ/OzLuXUT3swm+4rqJZEQ3AVr2BdqSzoiGHqqzmfKO33 -+sODcYXuED0sUkIhRZE1vW+wXR94WQsT5C4MtHabNjpPLSH7cVjGvEfTX8DJH/F7p -+OdMmXxvPey0wLGJwoZMMhG/XC8Nb1g+qCLLou9WuA7KHMibfiYdBnPcMDg3fwWwg -+pYzrvK/S6f5h6TS8y9zKxCJwTdfC7f4KT6EjxQFhgHCm8oFupOLSEZKF0UmLMeOA -+J504ZnGdhEG5p9AqQNBlyBsGGmSyQkSJg1BPB6U7wFBSwrXS+3b2ph4J5RivH68O -+CKjR7yWl7M75LOa1dt133GmhPUUGHLsjHTnuCDVB0eHcgboonKTjCSAmckNKm/uw -+tAUMkO3puty5JM38b8AwFRDXLnlWdSsNr9j243SHOfKyFWidjwglRpVGBhoECtA= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-20-cert.pem b/test/fixtures/x509-escaping/alt-20-cert.pem -new file mode 100644 -index 0000000000..eca176f2df ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-20-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE4jCCAsqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+MTAvMC0GA1UdEQQmMCSkIjAgMQswCQYDVQQGEwJERTERMA8GA1UEBwwIQmVybGlu -+DQowDQYJKoZIhvcNAQELBQADggIBAKvkEHjR6lk0AlKiC7oltE+gp7SpVHdKs7I4 
-+zswnbZ1EcddA9D6hjemU+nIUriLkt8BxY+KxNtkwDm5mvXZn5E4XDXzRDsCdNZXE -+qx9og9LhkhfGbPJ1LPutQ0VmqPwY17mRUeaLhNIwOmD7g++oVHYmZWqA8tHVB9f+ -+gP5Ni2x/PX772Vt/hIpI14VoYIsMFs4Ewjc0Gc02DvOdsDT9eUmAo6GNOAbxeRS/ -+D2D0w6CQhwJ+cemcAo0lGw8KemCYfqzL+MQd8wUGPsiZgm5wQACOp+ImL4guy2gX -+h60W9Gtxu77jsjF7n0n4LlInylrZAgw09CkehUfF4+cP2kZDTcsuqOoCVYATAGxa -+49ZvuRHoo5Ine5PcfuARS09LmxgI0fdsjaRvRELYIRWHTvE+zCLlNkxkpwXULgZZ -+bpJ08L52P+jz+HJPeiHZnYKXgtXyGLpwG1danS600tqiMmDh0G9Ss+UzwhS+jhN5 -+viIvpmns0zvI1Z1IWPw3y27pw7rmLVcFMbEZFK5mwHiT10iRrT4sxihWIT+sn6n5 -+5baup/od4kSJABQy9LAuhhuZHyCfxC2yPYz70sP8qGVtY+rA3LNe0ns6pY1L77DR -+QIRD/Mm2hql91+U222mxikdT4WQEheh2cLwdg/T1uo/SQDruliNZncdNbTGDmnhc -+cg1mw5tk -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-21-cert.pem b/test/fixtures/x509-escaping/alt-21-cert.pem -new file mode 100644 -index 0000000000..16d5e7265b ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-21-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE9DCCAtygAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+QzBBMD8GA1UdEQQ4MDakNDAyMQswCQYDVQQGEwJERTEjMCEGA1UEBwwaQmVybGlu 
-+L0NOPWdvb2QuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggIBAHdccJEkqezS -+GSNNVIWv9XffNTrZnejms90h66UDC4O9shHMy0aNWgmGuu7uFi1BK4sTciXT+ZR5 -+3+1ni3WKMhJ5Iu1aNlNeXULOlmuHKVJKrAj8BR7lflSFqj/MHnw22HU+BTmddZPj -+F/OCl2W+O+eUNBTTmYI2+pZgmyyU9v8qEwLZn57qlpAJa4gpnSRYQS1xfSaUgAcM -+xtZM/AE4F9mDFOdO86/RxXsYRyT0+sOGmaoJrlTWoKduoI7fhzQAIGHnhn9yBT60 -+0K6LmCR2dXRyLxxVTy0Laiz487IXpQTJ8jo6c0wT6SeiQBlE0W3FTH3IM8Shzd7b -+5tbix0bCR1pUT2Q46oaB4xkEweKNGKS46kIps6mpTav3TMhNDVyalUfF4fOu4FQu -+RLB6B/I1TI1KHiTeD9xfNInBAdO9ewjWQ9spFei3EExZmvnnWKZIA82mjG/9Wcdh -+HFK/uEylzo1Nsxujv2V6ueMYc0pF4XH2U1Azjxb0+pWUZhoy537Nlf8b+PO/GSG8 -+del0yPwf6JP5AZdXfiV8vNqwEGCC/BEIPrbZ6Zz1q6lT+7GZAGkzbMYlfkzA1lXh -+JteRIracA38WfQOHf3FOPYvTBOPlVHWB+tJbwlalYQqCPupMaaxxizCLPIsNvqdy -+TAtC5Jbx6N1DdeyHpRuKRUe1M926oKTp -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-22-cert.pem b/test/fixtures/x509-escaping/alt-22-cert.pem -new file mode 100644 -index 0000000000..5f89b00dfd ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-22-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIEyTCCArGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm 
-+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+GDAWMBQGA1UdEQQNMAuICSqGSIb3DQEBCzANBgkqhkiG9w0BAQsFAAOCAgEAE8vG -+nLYo/G+3Cuzir4toX726vLOkCEqZrkRE18dc3px/CgmEI/6+4lWjp3u/9MxER+kT -+t5o5Xin+vmg5F+hocR16mMeX6pjD6tXJ+uzDacTxDgRBFdbqX4x8Fjiig0FXsr3H -+jFBY2c4UcKszFlCTqjH1/RfwLYJPU6Q1WZM+1iJotSKnhK7y4A/3jho7sL0PPuMG -+WEoxbTBmpAf+jPT+LRe2MY++VnVJHjlPba+S4Y9PHOzizQuIJs7YnhNIqA9So7Iv -+eA7Lp8GID+w/eY4DEq4z6CIuCplKZTrrWH0kQbG1sV4J5+W+JL0DOXDk91JwkOPH -+rWf6aOb3akFRk5Z/PrrcTAlqtApPQF4uGycQBo8KgcatZyP/3HZZHyyxhEjF9sw/ -+STHm93GlCIwocJ+SkwjBmdupv6Yk8fRmA7LinjVvi7EnQQ7qcRE3oUCPPReDD96G -+TuDsGkQbv5WQSh+0mBAiTFze3C6FSNcldQBrlWReqOj6pVWtUN49lpYOJ2XfLCQe -+RjS7IUYNn7Ku3xXi2etgNzmJXcSnNXZkh+3henpFqkwEFJ5b5RgOHXULTwoqo9KS -+YMs3eKHp62J6l0pQD+wTGUyVU8cJghJ0hR1WnNR7o32Bos2dfBmIQgET4ZH/P2+H -+A2gtbJO5mRsTvuD+kZut1jxJvUzuO0yZoNpuUVQ= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-23-cert.pem b/test/fixtures/x509-escaping/alt-23-cert.pem -new file mode 100644 -index 0000000000..5cd6795cde ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-23-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIExTCCAq2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M 
-+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+FDASMBAGA1UdEQQJMAeIBSvODwwiMA0GCSqGSIb3DQEBCwUAA4ICAQBps3VQshvW -+9HDR2oDXSldWNW2SWksa+9npI4IEMDusiDbLdR0VBphw2R3iUuJ4IAPDc1s/SMi0 -+1t1o92lC5zVeTq9LvOOC1KxwbZXDubFDmdsuJ/DYPDkaRoDqoH7eFsJuIyD/TKqm -+HXPYmWmjUNv51SSLTTqPRz2TmLQVA1Iw7J7H3fz2LExsAtczx6gRZJPIZGdMx6do -+E67SUp/2RPYtkEmmCELOxCAh/Pzm6pBPncI86AMTNwppl+FpqaH0LPrqMre40tTt -+cQq/0XrMWRoWsS3VU8uor+aGTnNp5VT3ZLVmXZNyG7nISW7ERaGCeTZJRcqwjeH/ -+yPxhQc7IpYCm5x+HN2sDuvVC7l/q1A7+CbO3jNR5Gb7aEEyGiKb5ZkElbsulfwom -+JOg1K8+SBDGrErEf0MDCenKY2g0lhpKGBwu6O+RVmKbhlHEjt2/31/NCSBMLopdU -+AmCNoBo3+KaRljo1lVf7tWbffNRCqsbPZPHtq9uXs0DliJTUroaJ584h92VrSLJB -+SdAUVLAwzmwu2Pa4bp0STv5tJy1hFNJdVFQ4rgAfaFudXy41K9zqrDCB7RbzX7Yi -+97TCDu/phzkoFpOZabqTrvcP13N0wfDeOx4Y9nx77aeqTAaQ0ooTG9IWrHmjuUKF -+wpEXQBfkuXug5+xq/hlCllkPj67cIaldDQ== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-24-cert.pem b/test/fixtures/x509-escaping/alt-24-cert.pem -new file mode 100644 -index 0000000000..2a858dd39a ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-24-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIE1DCCArygAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc 
-+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+IzAhMB8GA1UdEQQYMBagFAYIKwYBBQUHCAWgCAwGYWJjMTIzMA0GCSqGSIb3DQEB -+CwUAA4ICAQCKRaPaQO4+oztra70h3g1qwmJurQ1vGBdcXh27nf9epFAwhU1zL5v7 -+7wN7iclY15BX3w3WrZ+ag74AvQLG6WQkDY1JCmidEjjt2bmVTxIus0H9Bb2AlUEw -+BtVYMJrr+fiWbfSwRxhMQa9BQ6ZcUA7EluYQFApo2m7GIcMc4x51L/bwzmsXYj4t -+2tjnkU7clL+7GR/w/+ZB7nIe80j7wYvIbOfMS3Yxh+uu0aQCNdoh9Tsdtu1jtmJv -+4lJ5aZIDABE/XIFVkWRyHv2ou14J/LXUKE3HPEhSKWu7GShrdTeS+gZpOixM+uPG -+ieHah1GfJMS69P82Z72Cr7XWpQY0NKwMB+ePhTzz1LMBHQ5ySXQCViQRClRMc5K+ -+cXZm8cs6oe4IEhMcf3kc/9xblgRWqxX7vsb6Gcrn1eXsfxco17S1yNBzTt75ybt9 -+kvPmrWqpg+sQ0r4473DjEASoSCPwlzCpd7AHOw+XxSwsOUNXkEnXMa2v2VHBjx06 -+QnrLenB/n7EQ5Vo9JLDMLM6ie4gfehHxfdyoBg21jN9eUPpKGnjARVvyfDWV+7rI -+ZHU7wc2iMnqroAqm9FZ0YBqZ/eI8M4ZAYSvDKnGZQlUWfhdNDhI4FsHBPymMFtjW -+ln5eFUNLMoitMGs12Ib+omr9WSTxRj97GvRkRTNK5Gxmo9Mi/Pkxng== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-25-cert.pem b/test/fixtures/x509-escaping/alt-25-cert.pem -new file mode 100644 -index 0000000000..695b8ebba8 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-25-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE6jCCAtKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z 
-+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+OTA3MDUGA1UdEQQuMCygKgYIKwYBBQUHCAWgHgwcYWJjMTIzLCBETlM6Z29vZC5l -+eGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEAIgp7IrYYdLCoUqg7E4igLD3u -+C68B896uoeenMmTKDfCzvB5svYKZlfIi3njJUZ2G6kgBNcSd/mwQ2ggex9AEUiGp -+uaT7Dpev3RpwtCz5zpOZxN+B0LJk4hPzzE4sjJFrmHRgJVzADL5RdcEF7+GV81nP -+X/cXviffkxSihAFALArAaOA6/hBoT6unvlDsY3cxgZWFl3ao76vTQFLs7ZNHYbHe -+WDkkNpheWmNlOrVTEz0vjNCQz5wYOM6HJ0O3cxzR/6+OnhPQagZRCWApPopYGuxc -+kXHAPbEkXpVzJTrNgHIvZ3l3JdJSHsh+DdGVz1NY4bogQNKCVa3xt+zLpUrr34XM -+61Z91MekMijfjOsy7LGLSBdCPCZ00enXPkflDEhv1kRlbo/ZdYGHynzl6Xzu1A5B -+nuwDbpsCzR6ij8fZDXGUS7F8Iemdfag4XTtrXnVXLgPpD/FMzJUx4kCIAjgh2MaP -+0nUvZDVYt+GKGohCNDrSt2ByFtbYGaX5GeMIp8zW+GT8KUW/K7pp9PjsmzG6vvQd -+kqxB45ddf87E8NoDWh/ptdj3pjfbDc5A1SeXKGXrt1TwgWHtUNW0zF8qOuG+PZ1P -+u10lUx4gayyF3unaSLZwYu8nYq5C7mC9DjjnbjLhsh0VOIEEh+Q8vJH8OvZFkyti -+l2ADXC+6evQTvqLwXi8= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-26-cert.pem b/test/fixtures/x509-escaping/alt-26-cert.pem -new file mode 100644 -index 0000000000..1204d95a8a ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-26-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE5TCCAs2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 
-+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+NDAyMDAGA1UdEQQpMCegJQYIKwYBBQUHCAWgGQwXZ29vZC5leGFtcGxlLmNvbQBh -+YmMxMjMwDQYJKoZIhvcNAQELBQADggIBAKmgEHc9b/bscpyO5mTKrITyoYtbhz/P -+0Uz2Uc4tKokUI9EBuuD/XX4EjtVzne9mssAAs9EhBSFmNhDjpAUYh9n2cFvAJQit -+4d9EbaNbB3SuzG5onu8ZBtfLsABr5L5tQspO3tinamSM2ZuRo4dvcQ2a38C38LAQ -+HBnvZ744Th3LckPMLTWNChe3E2jAt8Av0XA2yVJ/B+EeEaqSYDALKhI49CLeq96L -+m/Vq/mqADborW51pMNFn7CAF1jxizQNHy6K0E95ziq8q/OL7j4+j8Erh4x7bcjrQ -+X04Z+hrA9q5AjG++ieztKqGuGxHeSclqBhOdnU0UI528Vn0OXRxeMmbqMF+qhx17 -+nHuxxs4z5CIdTwHA6LgMUpDxcOhdUctIj32gwZM3UHI8lmdRTWn13y/Ht6CpIXCL -+1ohSXne5y34z4AKeJQpdUfwQD552Ui8B+bhH1JBm5phjLn1fboXCYiCgnPQ+SJzx -+3hsIv7Fji7lfk1UPkr0s7Ze8b/seYS8nVB5rg4qXEwFDMo9zsjCEIyg0tKwj5Ani -+HlYzqjjsIK50TPjXYOA9J+NHcBDCDa3r8TBtRGtQqOXQGzvWTqAyT8Uwn7jimmh+ -+EGDr4PJSTJxv43EYL+of0sRHkOhnfFfJYF9vQLT+wD6l+6T1xNPE/gjX8DyQS9a3 -+zOgdOiTp0AKH -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-27-cert.pem b/test/fixtures/x509-escaping/alt-27-cert.pem -new file mode 100644 -index 0000000000..268abdd300 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-27-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIE0TCCArmgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY 
-+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+IDAeMBwGA1UdEQQVMBOgEQYFK84PDCKgCAwGYWJjMTIzMA0GCSqGSIb3DQEBCwUA -+A4ICAQBtXT+t0fuBRClJdY6y01k1jqcsXEkmKOr4czznuiloGVEjpbjmxzxsgvzw -+nz3od6Sx56SHG1xYbKDCapX9Ld2IDsPvpF2wdH2wpIS5DI7tQdBpLm7vr3vTYKwm -+Wns+WKO5VBHDLCyuYvHNo37MJCAfBlr1ni7BCLOg3eycPiANJHPD2T9BnXlJm49K -+166VMviuiLBEyO9tadhvQHGqCX3D4pW31zwsKHvS4wau15N4yt053Iac6eaysdTp -+mspw5jX85tlQ9XxKNTftUVJU9Uzk2ll4A0Gvnq2FEjiqf6m3tye2nsqDI3C81Dwb -+Y/+AeO7ZsVyLpIstfUBFmpLGPUoZ5MNmgrboGf8K8dPPgVbmbS0msrsI4LWSQb8P -+R2hzj0F7bFvgbZad7rFXJW9FQOqTwvJrZBkkDpZpeNbhah14avV2Ftrc5+PtVfP0 -+jB1L3nhc5KGpGL4xqE19K+GVR/KBREgiFD7B7NYUOPt9NjFTrbbC3XA8L0MC7PNh -+ySDN/NCiIF9K9MtpC8BYuNBlRt5C82L37qPY4Tw3z9sCyXK5oOQ4xdbdDEWdwzc5 -+F2S4zfQiB7y+C9RigOyGPChxBqDK/bCExrG1S2b95oP4QMuaL55iXnaG9ME8sCoa -+cUd62cMPk7piQW29oFiQPYsStfo09u9JXbalKhol9oPrDtQfrQ== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-28-cert.pem b/test/fixtures/x509-escaping/alt-28-cert.pem -new file mode 100644 -index 0000000000..147fba3aff ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-28-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIE1DCCArygAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN 
-+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+IzAhMB8GA1UdEQQYMBagFAYIKwYBBQUHCAegCBYGYWJjMTIzMA0GCSqGSIb3DQEB -+CwUAA4ICAQA2KjgKCSLg/rDajrBTtVIu14rAP1pMwFZWrxcpTbN+fOs2dYQXZf7d -+/GaozSMSchjPAJ8lTFfEB20Mur/E284LlQPuQKqHHn3gIh92VkHHBHjj0ohnfigg -+eBHNMUisuGyNzKV7VI1+iwCoPBZC7ptbE4X08osVxxRESj+IT0TwtKDONTIIeogW -+6VhsKTQ1HM6AMbhVe0Led/ENxFFMquB25GG/hVB4ZzPmsJZzNdZYNNMa34kNcMN3 -+5OFcxWV/4Hc77JYsqM9fE9gBaKC9pQE0XwIrOMQSaGYx+GO8Ty33YlM+oYBt6TMH -+/9oU8HVvEYW9GAyptNbXPOwyv/wikNBsJyDGfvuDoiTZ9iMFb/bEoWHSK/rYmAgk -+D272zxiPS3YgaZkvhlYZ+60w5CCgXoN5L0Zq9yAOTv92/VHFnMPrTP7zfD+4eUHY -+lg+A7pOCIUK4cIDUXQefn1dU5/8DHJ8aM+KQDBfkKOH3me3GzIKjtKQjhwYFiJ8L -+vD4V6+nq90GasShQDKUbMVbCxfyqlvrXOP0an+FxdknadnD5hRT3UsU9SRxAdkXi -+3er2sXpuULYqOst55Ahnj7D5uDN4KBoatZwFd1iw0CVPoox7ixZ2zOAkwVqzaEAq -+0yWyIlELm9/FdF78fu6LPrFKI1H4MH+0TQrF4MiyJWPvET7t8WKJsA== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-29-cert.pem b/test/fixtures/x509-escaping/alt-29-cert.pem -new file mode 100644 -index 0000000000..434bda3e8e ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-29-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIE1DCCArygAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 
-+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+IzAhMB8GA1UdEQQYMBagFAYIKwYBBQUHCAegCAwGYWJjMTIzMA0GCSqGSIb3DQEB -+CwUAA4ICAQCIFfHE09aftJrS629ZBBRKjRiVcxN0/FjeEHWbnb+3Re/LoU/Y64BT -+LmjMBB6wik3JxxUtLs2UYExQKfz3zmB+O99lR94of3V3RXPCe9Dz8C12iohYBvVO -+q+WzXyg8g4zoIndn9+ByR+JJsuk+WVTZd50wRaRvssUB5yhpLaFdZpnLUBdV5J2d -+shmefZxr0NgMb9p75wvWgZ2BiZQDeTR93+PWaZTMdSxZh6ynfG//5sxxw5fLm3pv -+eVo3oQQ8px9j8G83ouiDZJn7XZgNfXYNq7wo3yaqXX0zlCE00K6tXGI6FkKJnVdQ -+si+JYfGjzTM39JqFU9YYOOc3Gfw20iKIEQ0jnE0Z+z9Pv2GAel0UNdovluttxu9R -+CJcPJOLS+TMd/sAwCAELvhPpeWsDLhfd+lG7ofE/nM6hzec6apWYyCqqlYIdE8WK -+rtHXBIMGk/5Eo+2KDGQHgpMs/P8fNUL6FBx/i1pjm5nSHveDQryepEmOJq9NJCBW -+1AJhE4jCXMv+43Fnr1OSATNiOd+1KfQ7KC5PFkpZLY4GDFZcbLBKYj1TWx4WzRnm -+EW7cC/00Z3Cd76L5i+y1Xr44nbQcAMw6TlT6vvZjFCbCO+ZDUJSZBZMpWwBI/gAf -+MNzYPltOGm+GZUuxib2MSF9Qy8c9NegENmsK+zyPT3N9mUHCl9nknA== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-3-cert.pem b/test/fixtures/x509-escaping/alt-3-cert.pem -new file mode 100644 -index 0000000000..59185b64a4 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-3-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIE1jCCAr6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt 
-+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+JTAjMCEGA1UdEQQaMBiGFmh0dHA6Ly9leGFtcGxlLmNvbS9hLGIwDQYJKoZIhvcN -+AQELBQADggIBAEKwv45Zp5xJEGENPrOIwrGmuBDMtBPmXtSKydKSNUgrv08u4dHL -+n295L7jIwQ3SnRjS8PrZWD8RQ46hgFRY9pqk1uTys4jB7lki0eAUBC7oPn7q0GUv -+ojdSwOEjp5bfXyuRv7Z+3y2gD8pcCZsqcCjF5Svim6Q3pXMLRKQFhzhzL9k/gsNF -+lJ8KcLBECJSm5nUrZIRHPdIGYmWJG+t8CfS3E6OIyHILK1xCc1MasEpmYVoY9uzT -+2W2z+3pvwQqfdXO+lEOsT9dnjM/WbnkQMTWAn+++YFtkvA4kON4b/cp9imnXok02 -+vq7MCbN+b5CJXIhKMC5eNA36ez5hou0MUmnsNo9ai1gVJXRoL67YgUh1yMfcAaSM -+Sfy3UBF++Az/yQo4AWtqWk4KPePdcsrYo9Fke1inUl+M12gkdIz+efbElHMqehbt -+lunbyFI/7CY6/Tno+T1cDkQlTouHK8Ddb1cPhkJbE4euRuLGdtn2AcFSemYGtib0 -+ffuhnEBF8M8enPVyLjYA/3sELkmmaHMtgDTm0+XYQJtjIbvGcY7+bftPZgbXPVGv -+7+tiYjwarIexXN5yzMasgFI5+7qLSQJHcmwrzOm8K+Bzx34f20vwR4M2FJ6cqUeN -+qzdN1HSNp8aYNilaFa3+hfGRG9CZnVP8up8BwYx736EMu0G3yAp6UqqJ -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-30-cert.pem b/test/fixtures/x509-escaping/alt-30-cert.pem -new file mode 100644 -index 0000000000..1b67d1f782 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-30-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIE1TCCAr2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv 
-+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+JDAiMCAGA1UdEQQZMBegFQYIKwYBBQUHCAegCRYHYWJjAGRlZjANBgkqhkiG9w0B -+AQsFAAOCAgEAgG06c7GRpPohHa1X/YQVQGWa/J/f3qok3cu1nrD2H5Dkw1eAVPcQ -+lsng08lOxwSI0OgqJw0jl+ljLKuhHI3U68KbFmUO3Jw7uLDk1+UniRSNkfxVOrlc -+7YTlmsxiDgQdX6/TAHu6bERx147NqVzB4/I6qpX7ouLv4E7xdQgjKuvhWlJ+Fg/0 -+pQ7EleQymRN6Y8qO6RwEWYao5pypg8/22cE3jgXleLM+5qWHqJs2ZewPQf7uo4Bf -+IwSUV5H0weftiSN+kOLYiNfUago108VHuk5sCIKr92q4WAJgA5C6ylcUWaJCKbCv -+HQYR/QG10Mrn4JCzzni90aBHrQoYQ8msEDH1QKyMJiNz6XXzwBP6bvgPlB2f7nPW -+ERpH45M2I4Z3dZYFw8bF7CcOIUuR0/Zu2WN22IhqhjVQSZPzdRWJt5Rr1mFUz+Nv -+Ymdi0w68KyRUiuOpKNLczDDnYpc9EqGBprnMOxALS4mQn1ySBXbZAXnTTdEzN5fM -+L4CXWUzIBVKv56Mn5YskhbCd+N8GV9Nj/A6dBwa004CQxbgAj+ndNWc7+h4iSNlz -+9VPHK2Kju6j4fVpe10jzSoEs0nnrsPy5Lxa6C4KhXBBJ3cPl6wWNe2mgbEqG9Pq2 -+KrCizuFkIfZTAeSrR+prZXLw6cjmKPPEtNbK2JbteL2SEDT/3AjmmZE= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-4-cert.pem b/test/fixtures/x509-escaping/alt-4-cert.pem -new file mode 100644 -index 0000000000..086af8e02e ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-4-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIE2DCCAsCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP 
-+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+JzAlMCMGA1UdEQQcMBqGGGh0dHA6Ly9leGFtcGxlLmNvbS9hJTJDYjANBgkqhkiG -+9w0BAQsFAAOCAgEAPu7ubyZw1rOQJhFX6nBHyCYaBzaKxRZOHOFCjMrD/YQXPUNM -+Hs+8ChOeQ4M82jTyiP7XgF8EumDcckDIlIYvGXGrCB/6VcCVL1vPPtzjSaiF3PlG -+/dh0OlPvevr5Ajz7ZtFFwxeQ2EfsHiry8qnlDJSEjrh4Trcx9YzdkSZz8DaoODXz -+ctR/p1JEnQ6h/Axa6hdqTzbzTsINN7gD5Wi3ObfQbK6Ug/CuH6Zr8bdTsmeGcnD0 -+fqHptuLVNcROykneYziXDzcqGwrZnYaOF54a4ibV/OfrBcgEKeDwsCrLs3nztSC4 -+whV7DXZwaLl2KWl4/suBNI1cIKbxII1xTFLTog+UYz0zSZGPrtbt7zrlM4yG033t -+h9xIGUKebaNpQYkoxOc/+kKhbKCeL3klfxJoX+6Gf8DkTP7byX2HovfWV1rJbh57 -+YZ04Bh69VmyxE4iyb1tAh5xh1bArCR9m96eXS/0KIZbykxltQGyHf1jpWw/4Wi3n -+oadkpMcyNX76M1xBJ5u03JL8+LWrXuzf/ScWdmPUWulAEhbo4fn4oRwP2C3l0vVQ -+iL482cIq1zF91lssRwQ17k38phulRdm+7W65/VI7hLoG6lXiSiHLH8e39hHO8Jey -+Z+BBvn8x+aFgIvpBK/MX35s0gSrl/UiIZPU9glnktSsX5D+aaQynbuvbOW8= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-5-cert.pem b/test/fixtures/x509-escaping/alt-5-cert.pem -new file mode 100644 -index 0000000000..04a918008c ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-5-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE6jCCAtKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ 
-+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+OTA3MDUGA1UdEQQuMCyGKmh0dHA6Ly9leGFtcGxlLmNvbS9hLCBETlM6Z29vZC5l -+eGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEANAyZnL8f81Aax/0Rhw3CCdcQ -+SXF3dpAolObQB8rlirRZ7yOY1v3Poj411aV0x9zM6mjOJZwarUTL7kbO7odQxGhB -+x7O0DvUoG15VTvs0XLNHTPgnXtNjKOZ7XXVMzb46APfYSqdzMqhRWfy+Iaikp494 -+urtqkVt05q2amzq7EXbXI8JQWhkJkhjBTowfZnpZUw4JeeqMNRZT9Ldv2XDZjaYS -+lkHOLzTmSmm2mf1oxhKGcRCgUCr/pzVUfDA3RBz25a6PWAQt4b2r8k5jydWyOeCZ -++sjacoK5/E1PcdaOFJAjuAfbRMeK/gz2+yJwaB39Yh77t/9vQC0G6aiAmO0HxjJE -+L6Lb8BG/QNYBS7gGhzKFVXVVv5yXRioO9vMv0i8uxShqD2Lo/MbrNtRgi3eMFESd -+3NxUPXS1jMq2/SaXrENdKqNNi06LbnLaYpI3BLZ/Katq0V9ESlhcC2nT5uNBPiLr -+DNSekaIGobbTDkuV896L7jqsQpU+sgs4XqaISGgk2wAfnwbfpeiBCL8oH9yCYAO0 -+1YlevrMGjBNvhysoABv7qaorqeL97ffRhjOZ72/fm2axD5l9MvWEFIf7L5uOah0f -+hF5vScQYgyWNuK8wjzT2tl0CuxvEyI7N4fkUEk+ZMkyI1Obx17p+d4SFyuq7wTXR -+05oWMsCMDyzxvFDv92w= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-6-cert.pem b/test/fixtures/x509-escaping/alt-6-cert.pem -new file mode 100644 -index 0000000000..6643519957 ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-6-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIEyzCCArOgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls 
-+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+GjAYMBYGA1UdEQQPMA2CC2V45G1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4ICAQBB -+lBfIjUH7/PbpC00TWTOSR6sAzyBr681lSxYAgFLduDdfR/bTkI1p7txIAgennoUq -++9slIIMaR799BUtQDfAQRYdbsWiG/+5Lj3JXs33LPPTdW1C97LOPlnnbRJh1sjbi -+UfGdxvdPA6iuyWhfwPZd+4IrcN+kefkvEnRkvDMGwmfmKQDjbu2mSIAIe+ECyLLu -+wdSI2sPBSUKQEKk+dABYq9TcdxlA+OSPjgs5ZF3NK3s/or7ay2r/i8be5TswY4Up -+IwByEk+7AST6ijwi3P8EN0HAyyuOfpBelWZCQgdEGt40Mpa58AwBGqdrCZ5wDAz5 -+nBx6GscZUsqG9sVM71Tgq7Bc1b69FXUYAhmFucnXizHv1Ys0oGQVza1tkKbaLEFQ -+WvXWc7zW/0hTzvmtogKn/oM6GoNcQiW8KCwaCJq1TTv7Tip9znfB496tDruOr+2w -+HoqZTJ7ERklz0mlZ38ISTuaz+Qkn1KjBYh4tgP/wZIjIyppAaAr+JdqXzBejfb4M -+6x0S1AG9QgvyR1xDv3Vljjkh3m55kktTWSOfjS6aSzomaAyVAgi/vhHkxhsoBhgQ -+41+ffkhM9ps9wkmguwqOXsByQAZUQEJQigO39qYuGuJEDV8Bu8i/T5BuuJWP4BRF -+X+now5ObP73ufyFwYGsSgblivHUX4z/zAt4kp4AMXw== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-7-cert.pem b/test/fixtures/x509-escaping/alt-7-cert.pem -new file mode 100644 -index 0000000000..6c0f287a1b ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-7-cert.pem -@@ -0,0 +1,28 @@ -+-----BEGIN CERTIFICATE----- 
-+MIIE0jCCArqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+ITAfMB0GA1UdEQQWMBSCEiJldmlsLmV4YW1wbGUuY29tIjANBgkqhkiG9w0BAQsF -+AAOCAgEAKmYr4QEnNq1Sy9lYePNRR60jufFXk44bczNT/wA6kvXKgv472V9wltVb -+yJVvYUWkTO8ahlELNLfqRcuih6myV64WJoewog8mwby0lBYr6bAz86DdeN/B9rFD -+OYnev1Ux4um45l42XP8acgJCoqn8+EE+H4AeMrz2xxHt+IDy4vUOowZna82f1Pcp -+O+vhod2uXlukfnhofVK4lMHl4++4kECkmUYl8U+L/zXwzOb4S3Yksffmadgo7ERk -+rJYLMLztvCk6TtP+p4NcvrE90dmss7R8hfw3asfjXsRbAMigdfSMKzGB2IHoHeV6 -+fpmJy6kotfwulDrbr2QtrWOYdMrm1wT6ohT355KZQxcZr3VcK9gqEjcYafqIsXtA -+wYAaorKXaz7UkmFCDbk/24UuHgNgCl4KkGsFNwW6whTMpb9WnvPR7F798tiIbOL+ -+FK6yA1q3Z2500lmloQWcUFBX48DViG3bsTJ9wmQ28aPqHVd5gTmTm/7W2iRGx36N -+PmbAk17J/bUzUSORgrPi2FLNNFg64x40pfdAyrF9ZBNcsVCFCUgOQHgMh4OjX/n7 -+khmNbMYiOvJEoUbZ9flNr4AYY3ucpxQ2peTl4DNsVZZ8Xyh96h3URu63Ji9+xLrQ -+jSUtNHUCJaC3E9yTaIDc8jMli9s5/ElDZRkPxRP8o4VOt9KcLvU= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-8-cert.pem b/test/fixtures/x509-escaping/alt-8-cert.pem -new file mode 100644 -index 0000000000..201b520f8b ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-8-cert.pem -@@ -0,0 +1,28 @@ 
-+-----BEGIN CERTIFICATE----- -+MIIExDCCAqygAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+EzARMA8GA1UdEQQIMAaHBAgICAgwDQYJKoZIhvcNAQELBQADggIBAHfvavrzBLuS -+MMJwNkJGVt1W856zeZ6NZJ5vx2ZXziYxAkzw9N0pLHwgfzS8pXEPSZ6vMoeYMaH0 -+zr/S5tHSMGEwOp/dIoxE4Hm1uMzugHFxNp34hvqsaDbwKMpQQzEPhN1QvAkD9IXL -+H2wOLqm+ZaTkT3OvOyJoml56wyUJ0nU746RuXgJHTFiWsUTPqT9bvofedC80MUyH -+MX2lA1oy8nzJa9h7JqsxOE4uccRhpCRf+PxeYvOdsUxyDWw8+rjwe4Ulr0yVjwnD -+x9ha/fTl96mYXyJGLtQvZmkllrctxcs0o82+wMZWBw4iPH/VnI7dj36b2uIHdrrf -+cVurEPcVE03zLwukjQPZh9otleTwmQI1wqg/Gm2OahXy/0f0fpBDQnPycczn8nFw -+nj6avmHubWVvzmEoKmOtavGEAbUn7ntQfsvM5JpiM+ck3MDMP9i9cMZvWKH8Eial -+ZnYcXkgAatWwp4Cbsv4H7LMNisKjrcY+r+MpaYYIpTRNp/s/P5bMCIVt07yosePg -+m9VWy03+hQJmD4/THeJsjuczPSBtsoJiKoTJ5TndmpFaG6J6lBVvpXJhoiW/QIgX -+u2QIb8Z6bRK/eQ8UVYm0/ZQLN+OOzYiQfm0AFbFpYhl46o6QNZ03P6GRLshv+N3E -+CX66ucPLd4QJitUy39LZjMlC0YxTZUry -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/alt-9-cert.pem b/test/fixtures/x509-escaping/alt-9-cert.pem -new file mode 100644 -index 0000000000..660e65b8ed ---- /dev/null -+++ b/test/fixtures/x509-escaping/alt-9-cert.pem -@@ -0,0 
+1,28 @@ -+-----BEGIN CERTIFICATE----- -+MIIExDCCAqygAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+EzARMA8GA1UdEQQIMAaHBAgIBAQwDQYJKoZIhvcNAQELBQADggIBAIefUJjnOtt8 -+viFkr3lupabUMwSgtBXVCp+M9xhKqcSnYReSgg/LcqVDaXmU4s23n0Bc0M51HQMG -+puTpfr34ZUSQiLup9huELm5L+lcpYANJsKrBo+vz1w+fkPlcxXvXHpLzgb393XSJ -+/Prn7lNBrrh9b74azUEhz1KPmFbbMs7IwlhE1+stQ107VeSGvKlAOmaYdnVG1PXl -+AG7KJynpE5Ex8XF1ONQLneTdvo8gXZueb07SY+my5wrCQhSlh4/6Y2MnE9h+9ugx -+BfdU72okDaYRH1MAfFeAsUE7Y52cQqm26b7nBz0+IeP+uk7oqDLF+PGHfjeUGXGW -+aGFfaLk8Dl2gMg1DsRE8zcT215Dl4rqOtwbhW8kX7XzYE0sA7cnyZ0daLrrtxwe6 -+MhrAOjYklRZpwUvy6E2IyipKwWSuKHLUk3mVxPrxVqvye2enZWW1PJeHNdL//Ogx -+5Mm++BOTNR+61pg/UrATlO3GMK6ggAfkP8H1r3jp24hc/TkXRkoUuWZqtjC5+qwB -+KVIPlr+/0zIhzDjNbN0TMgqv/Yz4/wCUjsmCPJu21C3+BP2O5ZD2e4hYe/X9kuhC -+YGWTf8dpq0LgYgVHqwXo0gCU/Ich9KtaJmCgZRUrzMl1aIYhqpuR2EW8H1bs3a0P -+/7wXhGudHCwm6j2H5/tbsREeYInl3mv4 -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/create-certs.js b/test/fixtures/x509-escaping/create-certs.js -new file mode 100644 -index 0000000000..b84547e1d0 ---- /dev/null -+++ b/test/fixtures/x509-escaping/create-certs.js 
-@@ -0,0 +1,502 @@ -+'use strict'; -+ -+const asn1 = require('asn1.js'); -+const crypto = require('crypto'); -+const { writeFileSync } = require('fs'); -+const rfc5280 = require('asn1.js-rfc5280'); -+const BN = asn1.bignum; -+ -+const oid = { -+ commonName: [2, 5, 4, 3], -+ countryName: [2, 5, 4, 6], -+ localityName: [2, 5, 4, 7], -+ rsaEncryption: [1, 2, 840, 113549, 1, 1, 1], -+ sha256WithRSAEncryption: [1, 2, 840, 113549, 1, 1, 11], -+ xmppAddr: [1, 3, 6, 1, 5, 5, 7, 8, 5], -+ srvName: [1, 3, 6, 1, 5, 5, 7, 8, 7], -+ ocsp: [1, 3, 6, 1, 5, 5, 7, 48, 1], -+ caIssuers: [1, 3, 6, 1, 5, 5, 7, 48, 2], -+ privateUnrecognized: [1, 3, 9999, 12, 34] -+}; -+ -+const digest = 'SHA256'; -+ -+const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { -+ modulusLength: 4096, -+ publicKeyEncoding: { -+ type: 'pkcs1', -+ format: 'der' -+ } -+}); -+ -+writeFileSync('server-key.pem', privateKey.export({ -+ type: 'pkcs8', -+ format: 'pem' -+})); -+ -+const now = Date.now(); -+const days = 3650; -+ -+function utilType(name, fn) { -+ return asn1.define(name, function() { -+ this[fn](); -+ }); -+} -+ -+const Null_ = utilType('Null_', 'null_'); -+const null_ = Null_.encode('der'); -+ -+const IA5String = utilType('IA5String', 'ia5str'); -+const PrintableString = utilType('PrintableString', 'printstr'); -+const UTF8String = utilType('UTF8String', 'utf8str'); -+ -+const subjectCommonName = PrintableString.encode('evil.example.com', 'der'); -+ -+const sans = [ -+ { type: 'dNSName', value: 'good.example.com, DNS:evil.example.com' }, -+ { type: 'uniformResourceIdentifier', value: 'http://example.com/' }, -+ { type: 'uniformResourceIdentifier', value: 'http://example.com/?a=b&c=d' }, -+ { type: 'uniformResourceIdentifier', value: 'http://example.com/a,b' }, -+ { type: 'uniformResourceIdentifier', value: 'http://example.com/a%2Cb' }, -+ { -+ type: 'uniformResourceIdentifier', -+ value: 'http://example.com/a, DNS:good.example.com' -+ }, -+ { type: 'dNSName', value: 
Buffer.from('exämple.com', 'latin1') }, -+ { type: 'dNSName', value: '"evil.example.com"' }, -+ { type: 'iPAddress', value: Buffer.from('08080808', 'hex') }, -+ { type: 'iPAddress', value: Buffer.from('08080404', 'hex') }, -+ { type: 'iPAddress', value: Buffer.from('0008080404', 'hex') }, -+ { type: 'iPAddress', value: Buffer.from('000102030405', 'hex') }, -+ { -+ type: 'iPAddress', -+ value: Buffer.from('0a0b0c0d0e0f0000000000007a7b7c7d', 'hex') -+ }, -+ { type: 'rfc822Name', value: 'foo@example.com' }, -+ { type: 'rfc822Name', value: 'foo@example.com, DNS:good.example.com' }, -+ { -+ type: 'directoryName', -+ value: { -+ type: 'rdnSequence', -+ value: [ -+ [ -+ { -+ type: oid.countryName, -+ value: PrintableString.encode('DE', 'der') -+ } -+ ], -+ [ -+ { -+ type: oid.localityName, -+ value: UTF8String.encode('Hannover', 'der') -+ } -+ ] -+ ] -+ } -+ }, -+ { -+ type: 'directoryName', -+ value: { -+ type: 'rdnSequence', -+ value: [ -+ [ -+ { -+ type: oid.countryName, -+ value: PrintableString.encode('DE', 'der') -+ } -+ ], -+ [ -+ { -+ type: oid.localityName, -+ value: UTF8String.encode('München', 'der') -+ } -+ ] -+ ] -+ } -+ }, -+ { -+ type: 'directoryName', -+ value: { -+ type: 'rdnSequence', -+ value: [ -+ [ -+ { -+ type: oid.countryName, -+ value: PrintableString.encode('DE', 'der') -+ } -+ ], -+ [ -+ { -+ type: oid.localityName, -+ value: UTF8String.encode('Berlin, DNS:good.example.com', 'der') -+ } -+ ] -+ ] -+ } -+ }, -+ { -+ type: 'directoryName', -+ value: { -+ type: 'rdnSequence', -+ value: [ -+ [ -+ { -+ type: oid.countryName, -+ value: PrintableString.encode('DE', 'der') -+ } -+ ], -+ [ -+ { -+ type: oid.localityName, -+ value: UTF8String.encode('Berlin, DNS:good.example.com\0evil.example.com', 'der') -+ } -+ ] -+ ] -+ } -+ }, -+ { -+ type: 'directoryName', -+ value: { -+ type: 'rdnSequence', -+ value: [ -+ [ -+ { -+ type: oid.countryName, -+ value: PrintableString.encode('DE', 'der') -+ } -+ ], -+ [ -+ { -+ type: oid.localityName, -+ value: 
UTF8String.encode( -+ 'Berlin, DNS:good.example.com\\\0evil.example.com', 'der') -+ } -+ ] -+ ] -+ } -+ }, -+ { -+ type: 'directoryName', -+ value: { -+ type: 'rdnSequence', -+ value: [ -+ [ -+ { -+ type: oid.countryName, -+ value: PrintableString.encode('DE', 'der') -+ } -+ ], -+ [ -+ { -+ type: oid.localityName, -+ value: UTF8String.encode('Berlin\r\n', 'der') -+ } -+ ] -+ ] -+ } -+ }, -+ { -+ type: 'directoryName', -+ value: { -+ type: 'rdnSequence', -+ value: [ -+ [ -+ { -+ type: oid.countryName, -+ value: PrintableString.encode('DE', 'der') -+ } -+ ], -+ [ -+ { -+ type: oid.localityName, -+ value: UTF8String.encode('Berlin/CN=good.example.com', 'der') -+ } -+ ] -+ ] -+ } -+ }, -+ { -+ type: 'registeredID', -+ value: oid.sha256WithRSAEncryption -+ }, -+ { -+ type: 'registeredID', -+ value: oid.privateUnrecognized -+ }, -+ { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.xmppAddr, -+ value: UTF8String.encode('abc123', 'der') -+ } -+ }, -+ { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.xmppAddr, -+ value: UTF8String.encode('abc123, DNS:good.example.com', 'der') -+ } -+ }, -+ { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.xmppAddr, -+ value: UTF8String.encode('good.example.com\0abc123', 'der') -+ } -+ }, -+ { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.privateUnrecognized, -+ value: UTF8String.encode('abc123', 'der') -+ } -+ }, -+ { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.srvName, -+ value: IA5String.encode('abc123', 'der') -+ } -+ }, -+ { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.srvName, -+ value: UTF8String.encode('abc123', 'der') -+ } -+ }, -+ { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.srvName, -+ value: IA5String.encode('abc\0def', 'der') -+ } -+ } -+]; -+ -+for (let i = 0; i < sans.length; i++) { -+ const san = sans[i]; -+ -+ const tbs = { -+ version: 'v3', -+ serialNumber: new BN('01', 16), -+ signature: { -+ algorithm: oid.sha256WithRSAEncryption, -+ parameters: null_ -+ }, -+ issuer: { -+ type: 
'rdnSequence', -+ value: [ -+ [ -+ { type: oid.commonName, value: subjectCommonName } -+ ] -+ ] -+ }, -+ validity: { -+ notBefore: { type: 'utcTime', value: now }, -+ notAfter: { type: 'utcTime', value: now + days * 86400000 } -+ }, -+ subject: { -+ type: 'rdnSequence', -+ value: [ -+ [ -+ { type: oid.commonName, value: subjectCommonName } -+ ] -+ ] -+ }, -+ subjectPublicKeyInfo: { -+ algorithm: { -+ algorithm: oid.rsaEncryption, -+ parameters: null_ -+ }, -+ subjectPublicKey: { -+ unused: 0, -+ data: publicKey -+ } -+ }, -+ extensions: [ -+ { -+ extnID: 'subjectAlternativeName', -+ critical: false, -+ extnValue: [san] -+ } -+ ] -+ }; -+ -+ // Self-sign the certificate. -+ const tbsDer = rfc5280.TBSCertificate.encode(tbs, 'der'); -+ const signature = crypto.createSign(digest).update(tbsDer).sign(privateKey); -+ -+ // Construct the signed certificate. -+ const cert = { -+ tbsCertificate: tbs, -+ signatureAlgorithm: { -+ algorithm: oid.sha256WithRSAEncryption, -+ parameters: null_ -+ }, -+ signature: { -+ unused: 0, -+ data: signature -+ } -+ }; -+ -+ // Store the signed certificate. 
-+ const pem = rfc5280.Certificate.encode(cert, 'pem', { -+ label: 'CERTIFICATE' -+ }); -+ writeFileSync(`./alt-${i}-cert.pem`, `${pem}\n`); -+} -+ -+const infoAccessExtensions = [ -+ [ -+ { -+ accessMethod: oid.ocsp, -+ accessLocation: { -+ type: 'uniformResourceIdentifier', -+ value: 'http://good.example.com/\nOCSP - URI:http://evil.example.com/', -+ }, -+ }, -+ ], -+ [ -+ { -+ accessMethod: oid.caIssuers, -+ accessLocation: { -+ type: 'uniformResourceIdentifier', -+ value: 'http://ca.example.com/\nOCSP - URI:http://evil.example.com', -+ }, -+ }, -+ { -+ accessMethod: oid.ocsp, -+ accessLocation: { -+ type: 'dNSName', -+ value: 'good.example.com\nOCSP - URI:http://ca.nodejs.org/ca.cert', -+ }, -+ }, -+ ], -+ [ -+ { -+ accessMethod: oid.privateUnrecognized, -+ accessLocation: { -+ type: 'uniformResourceIdentifier', -+ value: 'http://ca.example.com/', -+ }, -+ }, -+ ], -+ [ -+ { -+ accessMethod: oid.ocsp, -+ accessLocation: { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.xmppAddr, -+ value: UTF8String.encode('good.example.com', 'der'), -+ }, -+ }, -+ }, -+ { -+ accessMethod: oid.ocsp, -+ accessLocation: { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.privateUnrecognized, -+ value: UTF8String.encode('abc123', 'der') -+ }, -+ }, -+ }, -+ { -+ accessMethod: oid.ocsp, -+ accessLocation: { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.srvName, -+ value: IA5String.encode('abc123', 'der') -+ } -+ } -+ }, -+ ], -+ [ -+ { -+ accessMethod: oid.ocsp, -+ accessLocation: { -+ type: 'otherName', -+ value: { -+ 'type-id': oid.xmppAddr, -+ value: UTF8String.encode('good.example.com\0abc123', 'der'), -+ }, -+ }, -+ }, -+ ], -+]; -+ -+for (let i = 0; i < infoAccessExtensions.length; i++) { -+ const infoAccess = infoAccessExtensions[i]; -+ -+ const tbs = { -+ version: 'v3', -+ serialNumber: new BN('01', 16), -+ signature: { -+ algorithm: oid.sha256WithRSAEncryption, -+ parameters: null_ -+ }, -+ issuer: { -+ type: 'rdnSequence', -+ value: [ -+ [ -+ { type: 
oid.commonName, value: subjectCommonName } -+ ] -+ ] -+ }, -+ validity: { -+ notBefore: { type: 'utcTime', value: now }, -+ notAfter: { type: 'utcTime', value: now + days * 86400000 } -+ }, -+ subject: { -+ type: 'rdnSequence', -+ value: [ -+ [ -+ { type: oid.commonName, value: subjectCommonName } -+ ] -+ ] -+ }, -+ subjectPublicKeyInfo: { -+ algorithm: { -+ algorithm: oid.rsaEncryption, -+ parameters: null_ -+ }, -+ subjectPublicKey: { -+ unused: 0, -+ data: publicKey -+ } -+ }, -+ extensions: [ -+ { -+ extnID: 'authorityInformationAccess', -+ critical: false, -+ extnValue: infoAccess -+ } -+ ] -+ }; -+ -+ // Self-sign the certificate. -+ const tbsDer = rfc5280.TBSCertificate.encode(tbs, 'der'); -+ const signature = crypto.createSign(digest).update(tbsDer).sign(privateKey); -+ -+ // Construct the signed certificate. -+ const cert = { -+ tbsCertificate: tbs, -+ signatureAlgorithm: { -+ algorithm: oid.sha256WithRSAEncryption, -+ parameters: null_ -+ }, -+ signature: { -+ unused: 0, -+ data: signature -+ } -+ }; -+ -+ // Store the signed certificate. 
-+ const pem = rfc5280.Certificate.encode(cert, 'pem', { -+ label: 'CERTIFICATE' -+ }); -+ writeFileSync(`./info-${i}-cert.pem`, `${pem}\n`); -+} -diff --git a/test/fixtures/x509-escaping/google/intermediate.pem b/test/fixtures/x509-escaping/google/intermediate.pem -new file mode 100644 -index 0000000000..9d2aeb32c4 ---- /dev/null -+++ b/test/fixtures/x509-escaping/google/intermediate.pem -@@ -0,0 +1,11 @@ -+-----BEGIN CERTIFICATE----- -+MIIBjjCCATSgAwIBAgIBAjAKBggqhkjOPQQDAjAPMQ0wCwYDVQQDEwRSb290MCAX -+DTAwMDEwMTAwMDAwMFoYDzIwOTkwMTAxMDAwMDAwWjAXMRUwEwYDVQQDEwxJbnRl -+cm1lZGlhdGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7DaOQvpvA47q2XxjM -+qxJVf/FvZm2ftiFRXNJMe/fhSlDh2CybdkFIw2mE5g4ShW5UBJe+sohqy5V9WRkY -+tM/Bo3cwdTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQlGcYbYohaK3S+XGeq -+CTi4LLHeLTAfBgNVHSMEGDAWgBQlGcYbYohaK3S+XGeqCTi4LLHeLTAiBgNVHR4B -+Af8EGDAWoBQwEoIQYXR0YWNrZXIuZXhhbXBsZTAKBggqhkjOPQQDAgNIADBFAiEA -+uZhmF3buUdhzHjXLZQSOyT41DqUUX/VKBEraDu+gj+wCIG/R1arbHFRFnEuoVgZI -+bihwUpUZjIZ5YwJcBu6yuXlZ -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/google/key.pem b/test/fixtures/x509-escaping/google/key.pem -new file mode 100644 -index 0000000000..102a9d8816 ---- /dev/null -+++ b/test/fixtures/x509-escaping/google/key.pem -@@ -0,0 +1,5 @@ -+-----BEGIN PRIVATE KEY----- -+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgaNbpDxJET5xVHxd/ -+ig5x2u2KUIe0jaCVWqarpIN/582hRANCAAR7DaOQvpvA47q2XxjMqxJVf/FvZm2f -+tiFRXNJMe/fhSlDh2CybdkFIw2mE5g4ShW5UBJe+sohqy5V9WRkYtM/B -+-----END PRIVATE KEY----- -diff --git a/test/fixtures/x509-escaping/google/leaf0.pem b/test/fixtures/x509-escaping/google/leaf0.pem -new file mode 100644 -index 0000000000..ce19dc9699 ---- /dev/null -+++ b/test/fixtures/x509-escaping/google/leaf0.pem -@@ -0,0 +1,10 @@ -+-----BEGIN CERTIFICATE----- -+MIIBajCCARCgAwIBAgIBAzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxJbnRlcm1l -+ZGlhdGUwIBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMA8xDTALBgNV -+BAMTBExlYWYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7DaOQvpvA47q2XxjM 
-+qxJVf/FvZm2ftiFRXNJMe/fhSlDh2CybdkFIw2mE5g4ShW5UBJe+sohqy5V9WRkY -+tM/Bo1MwUTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFCUZxhtiiFordL5cZ6oJ -+OLgssd4tMCAGA1UdEQQZMBeCFWJsYWguYXR0YWNrZXIuZXhhbXBsZTAKBggqhkjO -+PQQDAgNIADBFAiEA4NgHDxVrBjNW+So4MrRZMwDknvjRaBsB4j2IwVRKl4sCIDpg -+Bhm4ZdHwlUYrALkXa3dFBy8kXBkVumY7UJpbB2mO -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/google/leaf1.pem b/test/fixtures/x509-escaping/google/leaf1.pem -new file mode 100644 -index 0000000000..0b45056656 ---- /dev/null -+++ b/test/fixtures/x509-escaping/google/leaf1.pem -@@ -0,0 +1,10 @@ -+-----BEGIN CERTIFICATE----- -+MIIBdTCCARygAwIBAgIBBDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxJbnRlcm1l -+ZGlhdGUwIBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMA8xDTALBgNV -+BAMTBExlYWYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7DaOQvpvA47q2XxjM -+qxJVf/FvZm2ftiFRXNJMe/fhSlDh2CybdkFIw2mE5g4ShW5UBJe+sohqy5V9WRkY -+tM/Bo18wXTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFCUZxhtiiFordL5cZ6oJ -+OLgssd4tMCwGA1UdEQQlMCOCCm5vZGVqcy5vcmeCFWJsYWguYXR0YWNrZXIuZXhh -+bXBsZTAKBggqhkjOPQQDAgNHADBEAiAOFFOCfA6c/iZWxbDn5QMjNdtZbtJPBcRv -+uEgSqWrGTAIgK5RK0xGK8UZb2aM2VjGNTYozlcwKaLgQukA+UnKrrJg= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/google/leaf2.pem b/test/fixtures/x509-escaping/google/leaf2.pem -new file mode 100644 -index 0000000000..9cf03fae7d ---- /dev/null -+++ b/test/fixtures/x509-escaping/google/leaf2.pem -@@ -0,0 +1,10 @@ -+-----BEGIN CERTIFICATE----- -+MIIBejCCASCgAwIBAgIBBTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxJbnRlcm1l -+ZGlhdGUwIBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMA8xDTALBgNV -+BAMTBExlYWYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7DaOQvpvA47q2XxjM -+qxJVf/FvZm2ftiFRXNJMe/fhSlDh2CybdkFIw2mE5g4ShW5UBJe+sohqy5V9WRkY -+tM/Bo2MwYTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFCUZxhtiiFordL5cZ6oJ -+OLgssd4tMDAGA1UdEQQpMCeCJW5vZGVqcy5vcmcsIEROUzpibGFoLmF0dGFja2Vy -+LmV4YW1wbGUwCgYIKoZIzj0EAwIDSAAwRQIgWfT1VXQA79PxgM0DsfeoiwZCc2Be -+v3/RCRYoRky9DgICIQDUTjndnBQ0KeIWhuMjtSz1C5uPUYofKe7pV2qb/57kvA== -+-----END 
CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/google/leaf3.pem b/test/fixtures/x509-escaping/google/leaf3.pem -new file mode 100644 -index 0000000000..55a64fdc89 ---- /dev/null -+++ b/test/fixtures/x509-escaping/google/leaf3.pem -@@ -0,0 +1,10 @@ -+-----BEGIN CERTIFICATE----- -+MIIBZzCCAQ2gAwIBAgIBBjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxJbnRlcm1l -+ZGlhdGUwIBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMA8xDTALBgNV -+BAMTBExlYWYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7DaOQvpvA47q2XxjM -+qxJVf/FvZm2ftiFRXNJMe/fhSlDh2CybdkFIw2mE5g4ShW5UBJe+sohqy5V9WRkY -+tM/Bo1AwTjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFCUZxhtiiFordL5cZ6oJ -+OLgssd4tMB0GA1UdEQQWMBSGEmh0dHBzOi8vbm9kZWpzLm9yZzAKBggqhkjOPQQD -+AgNIADBFAiEArZgaxFBuPYFWCXeFTkXhV57MKxG/tIJ2Z3Wzts2Im7QCICoukuRf -+EsQN7g6h30fRuLOIdbfCCduc7YVpkkSlwe99 -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/google/leaf4.pem b/test/fixtures/x509-escaping/google/leaf4.pem -new file mode 100644 -index 0000000000..668a659f45 ---- /dev/null -+++ b/test/fixtures/x509-escaping/google/leaf4.pem -@@ -0,0 +1,10 @@ -+-----BEGIN CERTIFICATE----- -+MIIBdTCCARugAwIBAgIBBzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxJbnRlcm1l -+ZGlhdGUwIBcNMDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMDwxHzAdBgNV -+BAsMFm9yZyB1bml0CkNOPW5vZGVqcy5vcmcxGTAXBgNVBAMTEGF0dGFja2VyLmV4 -+YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7DaOQvpvA47q2XxjMqxJV -+f/FvZm2ftiFRXNJMe/fhSlDh2CybdkFIw2mE5g4ShW5UBJe+sohqy5V9WRkYtM/B -+ozEwLzAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFCUZxhtiiFordL5cZ6oJOLgs -+sd4tMAoGCCqGSM49BAMCA0gAMEUCIQCpchwik2NT0v8ifDT8aMqOLv5YwqB7oeOu -+LincYQYMagIgZc2U7DBrdEAWNfuAJx4I+ZkluIcswcdnOhbriOrTSHg= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/google/root.pem b/test/fixtures/x509-escaping/google/root.pem -new file mode 100644 -index 0000000000..68eb00ae86 ---- /dev/null -+++ b/test/fixtures/x509-escaping/google/root.pem -@@ -0,0 +1,9 @@ -+-----BEGIN CERTIFICATE----- -+MIIBQTCB56ADAgECAgEBMAoGCCqGSM49BAMCMA8xDTALBgNVBAMTBFJvb3QwIBcN 
-+MDAwMTAxMDAwMDAwWhgPMjA5OTAxMDEwMDAwMDBaMA8xDTALBgNVBAMTBFJvb3Qw -+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7DaOQvpvA47q2XxjMqxJVf/FvZm2f -+tiFRXNJMe/fhSlDh2CybdkFIw2mE5g4ShW5UBJe+sohqy5V9WRkYtM/BozIwMDAP -+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQlGcYbYohaK3S+XGeqCTi4LLHeLTAK -+BggqhkjOPQQDAgNJADBGAiEA+Y5oEpcG6aRK5qQFLYRi2FrOSSLF1/dI4HtBh0mk -+GFoCIQD1DpNg6m5ZaogRW1mY1wmR5HFIr3gG8PYDRimQogXUxg== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/info-0-cert.pem b/test/fixtures/x509-escaping/info-0-cert.pem -new file mode 100644 -index 0000000000..6872b9870a ---- /dev/null -+++ b/test/fixtures/x509-escaping/info-0-cert.pem -@@ -0,0 +1,30 @@ -+-----BEGIN CERTIFICATE----- -+MIIFDTCCAvWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+XDBaMFgGCCsGAQUFBwEBBEwwSjBIBggrBgEFBQcwAYY8aHR0cDovL2dvb2QuZXhh -+bXBsZS5jb20vCk9DU1AgLSBVUkk6aHR0cDovL2V2aWwuZXhhbXBsZS5jb20vMA0G -+CSqGSIb3DQEBCwUAA4ICAQAAd/bIBmSIOJg+Rp96/BDpsZQYgYTyBNWrnBkuHQ0M -+bovgqEEI/5xiYGEzXhrzmWrUoG40PDeVrpCSsW5m+bsO4zDQeWW5mXejbr0Iwflf -+TYDxwGUUakAcZ1c5yJ/ABjKy0Tocb9bSzln+tc+HNStp86bbgrhb/wjddn6ca21V 
-+cuNFZbN+0SM0LxcWO8oGKXF0HFo0durGhamcH5B/D38FYkaVR5QXoOsWVqtPFjW2 -+t67rmKS6XKaz2JhZDpWDZmDofCoFu/zlkPHXkq7yyrkJ/8qpJCznkZmLn+B1WA+y -+SrSOYMpQ6RnzMx7wK5UafX5J+lMv16+LTb/n1KAd4zElcqt5eRPLcEuknIEgC2X/ -+AY1ooyN/Xb4QnqvtTmhzIDb7lzzMowi5QrG3rRYMldxG2Rdqwjc8qa5Tgh7EsiU8 -+A/n5X/6cxA1zoyakSHFXzGtazIkPc+zFfOaV1+gpJtd2vD2T+FrmkL1fgazuHXNZ -+hAQq0RGZWPsCdxm7dG4w5bd3YgRKfD2ck+b9Imu0ta4pqMDHZYgncaeOuuHzHgXA -+MIvxIG5JfwYUJLUqBUz8hwDVcNMpnscyn2msdpiwXK0AahucBQjbyZ6sovoxmgk5 -+xLdnq2GTtdghwdkF9DYK0ZekDlk1XWbP0tR5Cevo6WlMx+cbEBG+OSfNd8/dFrkd -+aw== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/info-1-cert.pem b/test/fixtures/x509-escaping/info-1-cert.pem -new file mode 100644 -index 0000000000..05247873d8 ---- /dev/null -+++ b/test/fixtures/x509-escaping/info-1-cert.pem -@@ -0,0 +1,31 @@ -+-----BEGIN CERTIFICATE----- -+MIIFVTCCAz2gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+gaMwgaAwgZ0GCCsGAQUFBwEBBIGQMIGNMEUGCCsGAQUFBzAChjlodHRwOi8vY2Eu -+ZXhhbXBsZS5jb20vCk9DU1AgLSBVUkk6aHR0cDovL2V2aWwuZXhhbXBsZS5jb20w -+RAYIKwYBBQUHMAGCOGdvb2QuZXhhbXBsZS5jb20KT0NTUCAtIFVSSTpodHRwOi8v 
-+Y2Eubm9kZWpzLm9yZy9jYS5jZXJ0MA0GCSqGSIb3DQEBCwUAA4ICAQCbwqw8YKIt -+Ht9qegR076xpnxuiH0THPGsgazvhCmEr5YHJ68sR1LexjneQDhpNXcnpYpfk6J4d -+Tu0ApMSbVypFyHcd88g0qVYI9JF+CTNnzut/Zn6xgnUjVjrSz6SZPhkMcBX9ahtY -+tzswzcyTzso5Do5pxvCWDI+bshgIhC3CYNyAjyOyyhnQrwcOcoatlhDmX1fCk+dC -+fhmzurBFNIz2gwDC7aRjcaUdTIlYnd6qHk5xLs3neBm44gNk17GazPIPo04LTKXs -+ZYzvDEUAdJ2FJMiYqSvvEv4k9ozx5HtwtncZpu46El2PQRANgj1UhemYVmHfbdU+ -+7Q+rCv+Loq2v76fddhc1cM3gCQ+6SW2QmRo2rShRGxpuSuZiTngwgdQEGrkQq7Sv -+r695V7NlHWJgvv1r49wGmqWkviH5l6A0QdzL6TNYhwqCRsjxgsvCZUpOlZPASiME -+jhwBIOMy1YUSdEMnBrbuemawvbfocSuUlHaodwLZvwMgqHvNz/8ebMyRyyZrnmCx -+TYh8d0JIcA57VvfaZvvsPPV7TO7WLoJgbmuqM02JzzkJMh0fbt2oi1cqJL65V5Sn -+z0sXh/A/BzB4QawI93f9m0hX7RtuT1SolTNVyhg7dm1MwfO8khpfz5LLgflVwgN8 -+6egKc6L755SlqZRMT03txH2UCBizLz1gjA== -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/info-2-cert.pem b/test/fixtures/x509-escaping/info-2-cert.pem -new file mode 100644 -index 0000000000..06212d4e12 ---- /dev/null -+++ b/test/fixtures/x509-escaping/info-2-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE5DCCAsygAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm 
-+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+MzAxMC8GCCsGAQUFBwEBBCMwITAfBgUrzg8MIoYWaHR0cDovL2NhLmV4YW1wbGUu -+Y29tLzANBgkqhkiG9w0BAQsFAAOCAgEABR5VyTZEQ0AQvdqlk+IDQT85qyf891eN -+BREiSg5KCei9Kmubv3ZJGoNVwZgybr5sCi5GqWOtG7S0GXvzS6c2Qy+cW0R4DDYs -+s6IIUn+ex1XygGrRHTDHu6tEUwSJMmOMKBh+iLjhtamD+YHjgOLG3MfadO5/9mvp -+r412MPhU1VvQ3FC3dZmBUW2gIKNEU4mzwISgPkLJXmBsnxu8F9YqHPgppqsfJ9AF -+KIc2nX7N3s8w9fCc03FrihdkE2C802jy71px5aPqa1xrIT/YBq/1fKTcYRAWF/pd -+iy2G1v0pz0kYu2/yPIC/xlFcUgeFqR/biwxAD9T9rp7rq+dpIJA5BUCpXVULqhY1 -+SVZ22WKS0NR5rbu4BPDMShTOiwaDSwFQtI0OxM0g5zVFVjFOc6YbFu7ZyfLQ582S -+vgVU5/vaHANnEsCSUegXyLofqxTMPbM1rqibFmv2A4pm1Mp18ZFmqwh8cm6C0f7F -+qjdzBuSkcktTCq/dLX5yTm9aocyzye9cfNBjiGUregJEF7sD3nzsokEGj+S320w2 -+5yUl95xgrHr+5bdDUEox+trTeBnddC4VxrieeH+Wv45try0Go48yK7b1Aqfu9G4B -+B/as+upQ+YjMG8mAe6JJ9JibpTvTmatYAsssEKT1vDZ5trqo4C5/utfbuyaf7qtx -+O+jFfYToPtE= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/info-3-cert.pem b/test/fixtures/x509-escaping/info-3-cert.pem -new file mode 100644 -index 0000000000..1825949bd3 ---- /dev/null -+++ b/test/fixtures/x509-escaping/info-3-cert.pem -@@ -0,0 +1,30 @@ -+-----BEGIN CERTIFICATE----- -+MIIFMDCCAxigAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 -+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M 
-+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+fzB9MHsGCCsGAQUFBwEBBG8wbTAqBggrBgEFBQcwAaAeBggrBgEFBQcIBaASDBBn -+b29kLmV4YW1wbGUuY29tMB0GCCsGAQUFBzABoBEGBSvODwwioAgMBmFiYzEyMzAg -+BggrBgEFBQcwAaAUBggrBgEFBQcIB6AIFgZhYmMxMjMwDQYJKoZIhvcNAQELBQAD -+ggIBACR9nH4pRlcSIIF9DEExlJvLtkeFWHGIAYLBuauHmdzPdbq9Py9M5DOcc7yd -+OQYVYwW26hASb+3CYzhRQaWKOR+T/OwP+QMUl5Y6nc3HzLdYTSen2LLAYHySXK3G -+gTdOhmVQwdh+IzhpjLXC67/9gn/F1p73Ixv/0PBZzmC64DOp1ogso9RICu0xTAbo -+h8mdN4/Tbh9Ikd89lb91x1Xf86NyC7ZvSA9dUO07/3B6B0kkqCdP9Ytlsrt2wbt3 -+2TVPp+ghjbPjdLrJUi3fbdC2CgjV2oLiYr1h7qn7SmYPNgOpDPKBI4Cei7UO+Wow -+yLCxBO0HgLZKcZorJFofekPjqtQYYj1sw3OEIcifMAmoHT7H57onfoQbRDpt57k2 -+rHJKgzrRuT8Qbl3OHSkiWRE3u0S9kAg7QEq27e2fuvh23p+YHEiYIjAR9XLVh7/Q -+EG5QDfDq3MvtgD/khAd36il61T5h8F4u3MhONFMuwJ/TYtGR6QINrv4DqLBM1pRr -+LMApQYi0w/MCRj2wLeAro9NflE+PFDk+l44ojvnEUYAGUyIzWp80bjQrV7Up6sgQ -+HehcmxxTrOmiqrfw08c1aHhmGeplmPpQEET1wIjnyj49sfdSPYxg5Lh+f/l79fLb -+jFemE8otKfog84vNGbPFl/AHwxjKCeCA/MaNJz3y3RYVsZn6 -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/info-4-cert.pem b/test/fixtures/x509-escaping/info-4-cert.pem -new file mode 100644 -index 0000000000..8f1e69afec ---- /dev/null -+++ b/test/fixtures/x509-escaping/info-4-cert.pem -@@ -0,0 +1,29 @@ -+-----BEGIN CERTIFICATE----- -+MIIE9jCCAt6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBldmls -+LmV4YW1wbGUuY29tMB4XDTIxMTIyMDE0NTczNVoXDTMxMTIxODE0NTczNVowGzEZ -+MBcGA1UEAxMQZXZpbC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -+ADCCAgoCggIBALERZ3TS70T1P+SjpZwIqOFnu2Od9XKWcDszQQc7C92K+APjp4Bv -+WiayictqCJWtmsbsSli4yG3P6Ddi/V3Se8W+/yB71Qh2c3wQNMPMukncps2odRGt -+qJe4EOpret1jgkFqQJy5geXVuPU5N7DvGXUVZzWN7TisFNAZMUhF2YlljJz1sjD1 -+aRjqayh3TDU8NwuFlLd6aH95hovjMBBatWFB9bN/itnMVoj9rmfSjvlpSRO6/EMN -+DnVXZ3paRJTcps6d/Ylb5Ald/Ow056JgD0Cd9jn16+vgYR4bxVl0a5Qbf24MIhaY -+BRPx6WFdepWr410GpzpVQ0sMluoKYzH8RynjwQc7pfm5ebTFWJkhU80jOqKJGFW3 
-+icV/A9BmtOBqrb60Pv/MPXIQPg7UWGUOXm3AfY3v6gbToewSW5B0s+uPsh52md4Z -+UoyzTvwN2i/uPqJxi/9FkdV60OWvMMMeMslbDHIBbN0Z2SG0wY93oH2LhO0X89Tc -+nedukufld8QEW7iMn7D7la+TlrrSAXURHL84sEz97yyujawQEimnW03XAlUFk61M -+iLhVUOHANFBSLBvZ3VF7sZDv6ZzPkP/TWrFbpL7DQgqunAlSNHealrQ5T3wp8pUm -+R7J4QEuQSEN2cZMOpn0T+JyQaiytbaAABgqDNeTvbl2nFN2ksSix8NunAgMBAAGj -+RTBDMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAaAlBggrBgEFBQcIBaAZDBdn -+b29kLmV4YW1wbGUuY29tAGFiYzEyMzANBgkqhkiG9w0BAQsFAAOCAgEAQERLvjQB -+E2fmTVgHbr4MVXPfse9Xxk9TK8/IhxDNnql4bor3xat5oP+tDHVRi2StajfIcJlX -+C9blYOWg4w6QH3pmD6M7eQGOw7ntOUid4R2vhX3XiK3QB1h8lWSPFmSwBHA47mMJ -+IkrKNIo9+M9b7M05YwbAENi3TPgT8h2Ej9V4DUjLIEhDcu8fSh3FkNpZ2HohZ2I3 -+QPe23FB052jX7uPfeZ9gcjL/iGxuTuPbKWxzZ/Gy2RmS8xfLkJESvvQ8a0H4f7Ij -+yjn7qYUkY6FoHxyg5BU34YNaJCmfgzRIE53Kv2FMPwj2JaXmIguR+mSDAbc0xjw3 -+G3dRoCqhZugn8C6I5FhuXHdu6zSuuHtwOGEf07y5Im2sBsPVoq+Txh/mv3Zy9Ydy -+0yCDuq87jKSZd7FKorHOEoQY94UMs33PYjS4h/hYWiysYUeR0mlbjr4gyv1KH6K8 -+JERGpI/OE+vzfOtgj/Z46/+wn7jF0LBCin7Jn5Zw1a1TNsiHKAjqW/P4vJxxUW++ -+FtYwJhI7XJehwNNFra9rSC5M4TkpaqAZnbPvWZWxWVJIEYFgNjnt+b/VOpRpv5bJ -+7BOlVvP+56KF+vlmCnzVBmlHcr45sZUZ3mw3Sb6dcF0V0VaNQKw/F5EteQyafIIl -+dvCwwV4OwLwPliPAvwYfVEI41Dv3mF4fN7k= -+-----END CERTIFICATE----- -diff --git a/test/fixtures/x509-escaping/package.json b/test/fixtures/x509-escaping/package.json -new file mode 100644 -index 0000000000..37d9f2a938 ---- /dev/null -+++ b/test/fixtures/x509-escaping/package.json -@@ -0,0 +1,12 @@ -+{ -+ "name": "x509-escaping", -+ "version": "1.0.0", -+ "description": "create certificates for x509-escaping test", -+ "main": "createCert.js", -+ "license": "SEE LICENSE IN ../../../LICENSE", -+ "private": true, -+ "dependencies": { -+ "asn1.js": "^5.4.1", -+ "asn1.js-rfc5280": "^3.0.0" -+ } -+} -diff --git a/test/fixtures/x509-escaping/server-key.pem b/test/fixtures/x509-escaping/server-key.pem -new file mode 100644 -index 0000000000..db1d2652d0 ---- /dev/null -+++ b/test/fixtures/x509-escaping/server-key.pem -@@ -0,0 +1,52 @@ -+-----BEGIN PRIVATE 
KEY----- -+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCxEWd00u9E9T/k -+o6WcCKjhZ7tjnfVylnA7M0EHOwvdivgD46eAb1omsonLagiVrZrG7EpYuMhtz+g3 -+Yv1d0nvFvv8ge9UIdnN8EDTDzLpJ3KbNqHURraiXuBDqa3rdY4JBakCcuYHl1bj1 -+OTew7xl1FWc1je04rBTQGTFIRdmJZYyc9bIw9WkY6msod0w1PDcLhZS3emh/eYaL -+4zAQWrVhQfWzf4rZzFaI/a5n0o75aUkTuvxDDQ51V2d6WkSU3KbOnf2JW+QJXfzs -+NOeiYA9AnfY59evr4GEeG8VZdGuUG39uDCIWmAUT8elhXXqVq+NdBqc6VUNLDJbq -+CmMx/Ecp48EHO6X5uXm0xViZIVPNIzqiiRhVt4nFfwPQZrTgaq2+tD7/zD1yED4O -+1FhlDl5twH2N7+oG06HsEluQdLPrj7IedpneGVKMs078Ddov7j6icYv/RZHVetDl -+rzDDHjLJWwxyAWzdGdkhtMGPd6B9i4TtF/PU3J3nbpLn5XfEBFu4jJ+w+5Wvk5a6 -+0gF1ERy/OLBM/e8sro2sEBIpp1tN1wJVBZOtTIi4VVDhwDRQUiwb2d1Re7GQ7+mc -+z5D/01qxW6S+w0IKrpwJUjR3mpa0OU98KfKVJkeyeEBLkEhDdnGTDqZ9E/ickGos -+rW2gAAYKgzXk725dpxTdpLEosfDbpwIDAQABAoICAAwUElkTPHQZQKsBiL38jzyU -+/WDduQ0AexZmuCRcoEIUBTgKsvXdYqpqGmEwUfaX2YuBOc8Uh8OJ357Ll1nrjjre -+fPvDxrPllJodZuQGVpzMOuqjd5zlmi8DRNAg1cg9TfjVXSPzuYsqiYvcw9JDdRqa -+A6jRDiIEBwVs+oIiFaU8MpvQXL/fNbSX5QhlHuMwwNZ93beoV3F+ojFvpWswLNg+ -+DhsY86lIuYxttZRqdgtIZc49PpD6VoalmC7t8mivJofImi9g/8ytxx97umNGpzOy -+ssWgY1/7NdS+czdXbDE1sPsaQ8cDxrDmGxPjswV7rK4/Um/1ufnoGXFMlRinS1lQ -+nns4VAFefVUCk81LRyFb+X97NXPGC1p4zNlC1ZoihMgWKJBzH0uk5K/hURS/wDNZ -+epm9ssnEQrFGJhEI+635srfn9SVRZ8xNh+oCguo5NaZm/BezC6iBQeoaBmVL2lY8 -+KLztN/JQd6MMZi3CWhTn0ZAtVNMxGjU9/yrdWIkX9EV8Sw68fqLGoKQXI67AOynQ -+5AnUyEjhVu7M39gYL71l7BVpuG7qaX8l4brzBcgzFldvuhuNCx0SW4gU2/Nx4OwY -+BLOX1LOrpD+5M9YwcbtSxcxz97nP8efb3hUK3QD2iuZ9Fa6zKWsoreMb7Jku38i7 -+e41lupAIkxxuxGBe1YrZAoIBAQDVF7Kru6tsaWtvJw5cbZpKxcuUHHQ0X3XRgA+H -+uWfT8EbxmDpgcG8polqiYuXPFWcrElmtWeBCYXazGZocHRV8y+ri/9c2rMTH6Bni -+TcYfsc4E8WY6adxfUqajgQ2zShdZbxZtBvSP50HheZ0a+L2qn2MWDUN/mbwYEmom -+SonVx3MSJWm/Vrh5i4b/L/+9u7uumIjWYFK6pKdLerTfbXO7ZsNR9KDIOBLDnUcf -++6K2vcclZN7aga1S7wTsrX+k9C/OQuj8ONMWQHCxryp5RAmgtArTBrJZq8el1lcG -+518Vo4QuOqsqTdAhqiImoPKe4NNCs1iTS9BdCqNYiF8sbmeJAoIBAQDUuL5ebQ68 -+6vqTKYD47ZtCzeqziN3Y/0a1BsyZh0/snNmK5WIr4T0vX0Y/XG0EpkZdpW3odMBv 
-+CemKs6Zm+pfOUGu20PTJcdSOXRbFiVYSeQnfa0l3iXZvY9Ottz/IU/mWPuU3hc18 -+hOZD9tKiwYDzZREg6L4XRizfT70UkD2eTz4lGBjR092TTj8WqSaI9GF6d9B6Aw9Y -+OCZdTqV7hPe0Rnvd1XiGsk68HN2Np47HHwwPsKMCYj8YNKmsUF8QSXmCkijlDeJW -+bC6TjAHlvnN6n1LjaLwULUs9Rb2fkNUOqsgR+T8YlqbclJbzC7gW53M/68c9eOQ1 -+Y01JnzsB3S2vAoIBAQDT8DP2djtzIg6GiNPRvfj9cWifMQWqqV8nNTU9Cnxn4MzO -+sVcuX+VQBXgblj13D5SC1Ed5ELDplMJYM5iBabPbYX2GtGq6qG83XHOSD0SEdXWw -+mN/SLUPPUwcGC+8yaPh8LO6jFY3cKmft9+T31Hnf35LPdfWyTZc0YexNlUkt5Kdg -+XvGkKn5j9RAZcwXrEXMDnhZLEZZ2qBj0C2El71hyBS0ysBnRyWNwR1dcSgx1sJ8H -+ZCH6NYvLtoqxU4Zm6684eHf9lA7uTL1JHC0kWzUwLqGtbTWp1h5FpL790NVTUkS/ -+Lf7bnnTpZqt8vAtTVc0IxBPOvFLKlzALd+cg69XxAoIBAQCv6Sbkh2NMrzUQRZ42 -+PKfMkuSoG2L6dABQ65J+0/swPHVZ+1830kf6yNsawqAU3DwMbSV6ujH4oUXUQcQ2 -+HL01DCRHRn1nqQ6RvEF8kZnwJNAZRmu2wqKCcxc17Ph9/ZPEv7ZmN+w6MN0LDy4Z -+EdRFcyq7AD1SmeG5ugMu4ilSpU1K96ZuvrnZezeI0dDgKNgDotlwTN9/oM95EfSf -+NNJy7ma4iDPnj8S0o1pELnBQEkizIOtsqTpsFgDKUpyKp3golh3jbZvixAuwUHOx -+PdHZca/mB1KhjONPhEDPl8HZIznYQzn+Z3cNqoM58lMF/di834ogN7zguYHMhDUT -+0YhZAoIBAHlYhuni+gyrn4tyZgep68VXW7wQxSvgSj8cpZAuT/w0UKAU53J5QTWZ -+aGHeICXvgvpalUL+2dGwASlOvPa52ekcOPd2+qKWyss0zA4ksI7mNE2vjFUcOr+S -+n9QSNvu3E8dYAjzSIsizcQbPTlk6A/TmytNJ4x67ZVGCmKXw1ZzzSrxSbAIdY254 -+TxSGchrfcy0ofXIL2HXq16FRmesORTJFkkyQaldzn4y7S6HJ/vGppImTfeac1MwG -+jLYljIkIbt+nB1c8HeNvARmBa6M2pxB9f72oRMVqFdUUc5AxXuWP9v6xk227EuCq -+TBORAafu9WxKVwUsHa1rE1uGgNEfRJ8= -+-----END PRIVATE KEY----- -diff --git a/test/parallel/test-tls-0-dns-altname.js b/test/parallel/test-tls-0-dns-altname.js -index 4bc87e44cb..e5cb8e3d48 100644 ---- a/test/parallel/test-tls-0-dns-altname.js -+++ b/test/parallel/test-tls-0-dns-altname.js -@@ -44,7 +44,7 @@ const server = tls.createServer({ - }, common.mustCall(() => { - const cert = c.getPeerCertificate(); - assert.strictEqual(cert.subjectaltname, -- 'DNS:good.example.org\0.evil.example.com, ' + -+ 'DNS:"good.example.org\\u0000.evil.example.com", ' + - 'DNS:just-another.example.com, ' + - 'IP Address:8.8.8.8, ' + - 'IP Address:8.8.4.4, ' + -diff 
--git a/test/parallel/test-x509-escaping.js b/test/parallel/test-x509-escaping.js
-new file mode 100644
-index 0000000000..4e0f82767d
---- /dev/null
-+++ b/test/parallel/test-x509-escaping.js
-@@ -0,0 +1,349 @@
-+'use strict';
-+
-+const common = require('../common');
-+if (!common.hasCrypto)
-+ common.skip('missing crypto');
-+
-+const assert = require('assert');
-+const tls = require('tls');
-+const fixtures = require('../common/fixtures');
-+
-+const { hasOpenSSL3 } = common;
-+
-+// Test that all certificate chains provided by the reporter are rejected.
-+{
-+ const rootPEM = fixtures.readSync('x509-escaping/google/root.pem');
-+ const intermPEM = fixtures.readSync('x509-escaping/google/intermediate.pem');
-+ const keyPEM = fixtures.readSync('x509-escaping/google/key.pem');
-+
-+ const numLeaves = 5;
-+
-+ for (let i = 0; i < numLeaves; i++) {
-+ // TODO(tniessen): this test case requires proper handling of URI SANs,
-+ // which node currently does not implement.
-+ if (i === 3) continue;
-+
-+ const name = `x509-escaping/google/leaf${i}.pem`;
-+ const leafPEM = fixtures.readSync(name, 'utf8');
-+
-+ const server = tls.createServer({
-+ key: keyPEM,
-+ cert: leafPEM + intermPEM,
-+ }, common.mustNotCall()).listen(common.mustCall(() => {
-+ const { port } = server.address();
-+ const socket = tls.connect(port, {
-+ ca: rootPEM,
-+ servername: 'nodejs.org',
-+ }, common.mustNotCall());
-+ socket.on('error', common.mustCall());
-+ })).unref();
-+ }
-+}
-+
-+// Test escaping rules for subject alternative names.
-+{
-+ const expectedSANs = [
-+ 'DNS:"good.example.com\\u002c DNS:evil.example.com"',
-+ // URIs should not require escaping.
-+ 'URI:http://example.com/',
-+ 'URI:http://example.com/?a=b&c=d',
-+ // Unless they contain commas.
-+ 'URI:"http://example.com/a\\u002cb"',
-+ // Percent encoding should not require escaping.
-+ 'URI:http://example.com/a%2Cb',
-+ // Malicious attempts should be escaped.
-+ 'URI:"http://example.com/a\\u002c DNS:good.example.com"',
-+ // Non-ASCII characters in DNS names should be treated as Latin-1.
-+ 'DNS:"ex\\u00e4mple.com"',
-+ // It should not be possible to cause unescaping without escaping.
-+ 'DNS:"\\"evil.example.com\\""',
-+ // IPv4 addresses should be represented as usual.
-+ 'IP Address:8.8.8.8',
-+ 'IP Address:8.8.4.4',
-+ // For backward-compatibility, include invalid IP address lengths.
-+ hasOpenSSL3 ? 'IP Address:' : 'IP Address:',
-+ hasOpenSSL3 ? 'IP Address:' : 'IP Address:',
-+ // IPv6 addresses are represented as OpenSSL does.
-+ 'IP Address:A0B:C0D:E0F:0:0:0:7A7B:7C7D',
-+ // Regular email addresses don't require escaping.
-+ 'email:foo@example.com',
-+ // ... but should be escaped if they contain commas.
-+ 'email:"foo@example.com\\u002c DNS:good.example.com"',
-+ 'DirName:/C=DE/L=Hannover',
-+ // TODO(tniessen): support UTF8 in DirName
-+ 'DirName:"/C=DE/L=M\\\\xC3\\\\xBCnchen"',
-+ 'DirName:"/C=DE/L=Berlin\\u002c DNS:good.example.com"',
-+ 'DirName:"/C=DE/L=Berlin\\u002c DNS:good.example.com\\\\x00' +
-+ 'evil.example.com"',
-+ 'DirName:"/C=DE/L=Berlin\\u002c DNS:good.example.com\\\\\\\\x00' +
-+ 'evil.example.com"',
-+ // These next two tests might be surprising. OpenSSL applies its own rules
-+ // first, which introduce backslashes, which activate node's escaping.
-+ // Unfortunately, there are also differences between OpenSSL 1.1.1 and 3.0.
-+ 'DirName:"/C=DE/L=Berlin\\\\x0D\\\\x0A"',
-+ hasOpenSSL3 ?
-+ 'DirName:"/C=DE/L=Berlin\\\\/CN=good.example.com"' :
-+ 'DirName:/C=DE/L=Berlin/CN=good.example.com',
-+ // TODO(tniessen): even OIDs that are well-known (such as the following,
-+ // which is sha256WithRSAEncryption) should be represented numerically only.
-+ 'Registered ID:sha256WithRSAEncryption',
-+ // This is an OID that will likely never be assigned to anything, thus
-+ // OpenSSL should not know it.
-+ 'Registered ID:1.3.9999.12.34',
-+ hasOpenSSL3 ?
-+ 'othername: XmppAddr::abc123' :
-+ 'othername:',
-+ hasOpenSSL3 ?
-+ 'othername:" XmppAddr::abc123\\u002c DNS:good.example.com"' :
-+ 'othername:',
-+ hasOpenSSL3 ?
-+ 'othername:" XmppAddr::good.example.com\\u0000abc123"' :
-+ 'othername:',
-+ // This is unsupported because the OID is not recognized.
-+ 'othername:',
-+ hasOpenSSL3 ? 'othername: SRVName::abc123' : 'othername:',
-+ // This is unsupported because it is an SRVName with a UTF8String value,
-+ // which is not allowed for SRVName.
-+ 'othername:',
-+ hasOpenSSL3 ?
-+ 'othername:" SRVName::abc\\u0000def"' :
-+ 'othername:',
-+ ];
-+
-+ const serverKey = fixtures.readSync('x509-escaping/server-key.pem', 'utf8');
-+
-+ for (let i = 0; i < expectedSANs.length; i++) {
-+ const pem = fixtures.readSync(`x509-escaping/alt-${i}-cert.pem`, 'utf8');
-+
-+ // X509Certificate interface is not supported in v12.x & v14.x. Disable
-+ // checks for subjectAltName with expectedSANs. The testcase is ported
-+ // from v17.x
-+ //
-+ // Test the subjectAltName property of the X509Certificate API.
-+ // const cert = new X509Certificate(pem);
-+ // assert.strictEqual(cert.subjectAltName, expectedSANs[i]);
-+
-+ // Test that the certificate obtained by checkServerIdentity has the correct
-+ // subjectaltname property.
-+ const server = tls.createServer({
-+ key: serverKey,
-+ cert: pem,
-+ }, common.mustCall((conn) => {
-+ conn.destroy();
-+ server.close();
-+ })).listen(common.mustCall(() => {
-+ const { port } = server.address();
-+ tls.connect(port, {
-+ ca: pem,
-+ servername: 'example.com',
-+ checkServerIdentity: (hostname, peerCert) => {
-+ assert.strictEqual(hostname, 'example.com');
-+ assert.strictEqual(peerCert.subjectaltname, expectedSANs[i]);
-+ },
-+ }, common.mustCall());
-+ }));
-+ }
-+}
-+
-+// Test escaping rules for authority info access.
-+{
-+ const expectedInfoAccess = [
-+ {
-+ text: 'OCSP - URI:"http://good.example.com/\\u000a' +
-+ 'OCSP - URI:http://evil.example.com/"',
-+ legacy: {
-+ 'OCSP - URI': [
-+ 'http://good.example.com/\nOCSP - URI:http://evil.example.com/',
-+ ],
-+ },
-+ },
-+ {
-+ text: 'CA Issuers - URI:"http://ca.example.com/\\u000a' +
-+ 'OCSP - URI:http://evil.example.com"\n' +
-+ 'OCSP - DNS:"good.example.com\\u000a' +
-+ 'OCSP - URI:http://ca.nodejs.org/ca.cert"',
-+ legacy: {
-+ 'CA Issuers - URI': [
-+ 'http://ca.example.com/\nOCSP - URI:http://evil.example.com',
-+ ],
-+ 'OCSP - DNS': [
-+ 'good.example.com\nOCSP - URI:http://ca.nodejs.org/ca.cert',
-+ ],
-+ },
-+ },
-+ {
-+ text: '1.3.9999.12.34 - URI:http://ca.example.com/',
-+ legacy: {
-+ '1.3.9999.12.34 - URI': [
-+ 'http://ca.example.com/',
-+ ],
-+ },
-+ },
-+ hasOpenSSL3 ? {
-+ text: 'OCSP - othername: XmppAddr::good.example.com\n' +
-+ 'OCSP - othername:\n' +
-+ 'OCSP - othername: SRVName::abc123',
-+ legacy: {
-+ 'OCSP - othername': [
-+ ' XmppAddr::good.example.com',
-+ '',
-+ ' SRVName::abc123',
-+ ],
-+ },
-+ } : {
-+ text: 'OCSP - othername:\n' +
-+ 'OCSP - othername:\n' +
-+ 'OCSP - othername:',
-+ legacy: {
-+ 'OCSP - othername': [
-+ '',
-+ '',
-+ '',
-+ ],
-+ },
-+ },
-+ hasOpenSSL3 ? {
-+ text: 'OCSP - othername:" XmppAddr::good.example.com\\u0000abc123"',
-+ legacy: {
-+ 'OCSP - othername': [
-+ ' XmppAddr::good.example.com\0abc123',
-+ ],
-+ },
-+ } : {
-+ text: 'OCSP - othername:',
-+ legacy: {
-+ 'OCSP - othername': [
-+ '',
-+ ],
-+ },
-+ },
-+ ];
-+
-+ const serverKey = fixtures.readSync('x509-escaping/server-key.pem', 'utf8');
-+
-+ for (let i = 0; i < expectedInfoAccess.length; i++) {
-+ const pem = fixtures.readSync(`x509-escaping/info-${i}-cert.pem`, 'utf8');
-+ const expected = expectedInfoAccess[i];
-+
-+ // X509Certificate interface is not supported in v12.x & v14.x. Disable
-+ // checks for cert.infoAccess with expected text.
The testcase is ported
-+ // from v17.x
-+ // Test the subjectAltName property of the X509Certificate API.
-+ // const cert = new X509Certificate(pem);
-+ // assert.strictEqual(cert.infoAccess,
-+ // `${expected.text}${hasOpenSSL3 ? '' : '\n'}`);
-+
-+ // Test that the certificate obtained by checkServerIdentity has the correct
-+ // subjectaltname property.
-+ const server = tls.createServer({
-+ key: serverKey,
-+ cert: pem,
-+ }, common.mustCall((conn) => {
-+ conn.destroy();
-+ server.close();
-+ })).listen(common.mustCall(() => {
-+ const { port } = server.address();
-+ tls.connect(port, {
-+ ca: pem,
-+ servername: 'example.com',
-+ checkServerIdentity: (hostname, peerCert) => {
-+ assert.strictEqual(hostname, 'example.com');
-+ assert.deepStrictEqual(peerCert.infoAccess,
-+ Object.assign(Object.create(null),
-+ expected.legacy));
-+ },
-+ }, common.mustCall());
-+ }));
-+ }
-+}
-+
-+// The internal parsing logic must match the JSON specification exactly.
-+{
-+ // This list is partially based on V8's own JSON tests.
-+ const invalidJSON = [
-+ '"\\a invalid escape"',
-+ '"\\v invalid escape"',
-+ '"\\\' invalid escape"',
-+ '"\\x42 invalid escape"',
-+ '"\\u202 invalid escape"',
-+ '"\\012 invalid escape"',
-+ '"Unterminated string',
-+ '"Unterminated string\\"',
-+ '"Unterminated string\\\\\\"',
-+ '"\u0000 control character"',
-+ '"\u001e control character"',
-+ '"\u001f control character"',
-+ ];
-+
-+ for (const invalidStringLiteral of invalidJSON) {
-+ // Usually, checkServerIdentity returns an error upon verification failure.
-+ // In this case, however, it should throw an error since this is not a
-+ // verification error. Node.js itself will never produce invalid JSON string
-+ // literals, so this can only happen when users construct invalid subject
-+ // alternative name strings (that do not follow escaping rules).
-+ assert.throws(() => {
-+ tls.checkServerIdentity('example.com', {
-+ subjectaltname: `DNS:${invalidStringLiteral}`,
-+ });
-+ }, {
-+ code: 'ERR_TLS_CERT_ALTNAME_FORMAT',
-+ message: 'Invalid subject alternative name string'
-+ });
-+ }
-+}
-+
-+// While node does not produce commas within SAN entries, it should parse them
-+// correctly (i.e., not simply split at commas).
-+{
-+ // Regardless of the quotes, splitting this SAN string at commas would
-+ // cause checkServerIdentity to see 'DNS:b.example.com' and thus to accept
-+ // the certificate for b.example.com.
-+ const san = 'DNS:"a.example.com, DNS:b.example.com, DNS:c.example.com"';
-+
-+ // This is what node used to do, and which is not correct!
-+ const hostname = 'b.example.com';
-+ assert.strictEqual(san.split(', ')[1], `DNS:${hostname}`);
-+
-+ // The new implementation should parse the string correctly.
-+ const err = tls.checkServerIdentity(hostname, { subjectaltname: san });
-+ assert(err);
-+ assert.strictEqual(err.code, 'ERR_TLS_CERT_ALTNAME_INVALID');
-+ assert.strictEqual(err.message, 'Hostname/IP does not match certificate\'s ' +
-+ 'altnames: Host: b.example.com. is not in ' +
-+ 'the cert\'s altnames: DNS:"a.example.com, ' +
-+ 'DNS:b.example.com, DNS:c.example.com"');
-+}
-+
-+// The subject MUST be ignored if a dNSName subject alternative name exists.
-+{
-+ const key = fixtures.readKey('incorrect_san_correct_subject-key.pem');
-+ const cert = fixtures.readKey('incorrect_san_correct_subject-cert.pem');
-+
-+ // The hostname is the CN, but not a SAN entry.
-+ const servername = 'good.example.com';
-+
-+ // X509Certificate interface is not supported in v12.x & v14.x. Disable
-+ // checks for certX509.subject and certX509.subjectAltName with expected
-+ // value.
The testcase is ported from v17.x
-+ //
-+ // const certX509 = new X509Certificate(cert);
-+ // assert.strictEqual(certX509.subject, `CN=${servername}`);
-+ // assert.strictEqual(certX509.subjectAltName, 'DNS:evil.example.com');
-+
-+ // Try connecting to a server that uses the self-signed certificate.
-+ const server = tls.createServer({ key, cert }, common.mustNotCall());
-+ server.listen(common.mustCall(() => {
-+ const { port } = server.address();
-+ const socket = tls.connect(port, {
-+ ca: cert,
-+ servername,
-+ }, common.mustNotCall());
-+ socket.on('error', common.mustCall((err) => {
-+ assert.strictEqual(err.code, 'ERR_TLS_CERT_ALTNAME_INVALID');
-+ assert.strictEqual(err.message, 'Hostname/IP does not match ' +
-+ "certificate's altnames: Host: " +
-+ "good.example.com. is not in the cert's" +
-+ ' altnames: DNS:evil.example.com');
-+ }));
-+ })).unref();
-+}
---
-2.17.1
-
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb
new file mode 100644
index 0000000000..8dbdd088e9
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb
@@ -0,0 +1,161 @@ +DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" +HOMEPAGE = "http://nodejs.org" +LICENSE = "MIT & BSD & Artistic-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=93997aa7a45ba0f25f9c61aaab153ab8" + +DEPENDS = "openssl" +DEPENDS_append_class-target = " nodejs-native" + +inherit pkgconfig python3native + +COMPATIBLE_MACHINE_armv4 = "(!.*armv4).*" +COMPATIBLE_MACHINE_armv5 = "(!.*armv5).*" +COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" + +COMPATIBLE_HOST_riscv64 = "null" +COMPATIBLE_HOST_riscv32 = "null" + +SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ + file://0001-Disable-running-gyp-files-for-bundled-deps.patch \ + file://0003-Install-both-binaries-and-use-libdir.patch \ + file://0004-v8-don-t-override-ARM-CFLAGS.patch \ + file://big-endian.patch \ + file://mips-warnings.patch \ + file://0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch \ + " +SRC_URI_append_class-target = " \ + file://0002-Using-native-binaries.patch \ + " +SRC_URI[sha256sum] = "bc42b7f8495b9bfc7f7850dd180bb02a5bdf139cc232b8c6f02a6967e20714f2" + +S = "${WORKDIR}/node-v${PV}" + +# v8 errors out if you have set CCACHE +CCACHE = "" + +def map_nodejs_arch(a, d): + import re + + if re.match('i.86$', a): return 'ia32' + elif re.match('x86_64$', a): return 'x64' + elif re.match('aarch64$', a): return 'arm64' + elif re.match('(powerpc64|ppc64le)$', a): return 'ppc64' + elif re.match('powerpc$', a): return 'ppc' + return a + +ARCHFLAGS_arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \ + ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \ + '--with-arm-fpu=vfp', d), d), d)}" +GYP_DEFINES_append_mipsel = " mips_arch_variant='r1' " +ARCHFLAGS ?= "" + +PACKAGECONFIG ??= "ares brotli icu zlib" + 
+PACKAGECONFIG[ares] = "--shared-cares,,c-ares" +PACKAGECONFIG[brotli] = "--shared-brotli,,brotli" +PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu" +PACKAGECONFIG[libuv] = "--shared-libuv,,libuv" +PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2" +PACKAGECONFIG[shared] = "--shared" +PACKAGECONFIG[zlib] = "--shared-zlib,,zlib" + +# We don't want to cross-compile during target compile, +# and we need to use the right flags during host compile, +# too. +EXTRA_OEMAKE = "\ + CC.host='${CC}' \ + CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \ + CXX.host='${CXX}' \ + CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \ + LDFLAGS.host='${LDFLAGS}' \ + AR.host='${AR}' \ + \ + builddir_name=./ \ +" + +python do_unpack() { + import shutil + + bb.build.exec_func('base_do_unpack', d) + + shutil.rmtree(d.getVar('S') + '/deps/openssl', True) + if 'ares' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/cares', True) + if 'brotli' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/brotli', True) + if 'libuv' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/uv', True) + if 'nghttp2' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/nghttp2', True) + if 'zlib' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/zlib', True) +} + +# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi +do_configure () { + export LD="${CXX}" + GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES + # $TARGET_ARCH settings don't match --dest-cpu settings + python3 configure.py --prefix=${prefix} --cross-compiling --without-snapshot --shared-openssl \ + --without-dtrace \ + --without-etw \ + --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \ + --dest-os=linux \ + --libdir=${D}${libdir} \ + ${ARCHFLAGS} \ + ${PACKAGECONFIG_CONFARGS} +} + +do_compile () { + export LD="${CXX}" + oe_runmake BUILDTYPE=Release +} + +do_install () { + 
oe_runmake install DESTDIR=${D} + + # wasn't updated since 2009 and is the only thing requiring python2 in runtime + # ERROR: nodejs-12.14.1-r0 do_package_qa: QA Issue: /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples contained in package nodejs-npm requires /usr/bin/python, but no providers found in RDEPENDS_nodejs-npm? [file-rdeps] + rm -f ${D}${exec_prefix}/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples +} + +do_install_append_class-native() { + # use node from PATH instead of absolute path to sysroot + # node-v0.10.25/tools/install.py is using: + # shebang = os.path.join(node_prefix, 'bin/node') + # update_shebang(link_path, shebang) + # and node_prefix can be very long path to bindir in native sysroot and + # when it exceeds 128 character shebang limit it's stripped to incorrect path + # and npm fails to execute like in this case with 133 characters show in log.do_install: + # updating shebang of /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/work/x86_64-linux/nodejs-native/0.10.15-r0/image/home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/npm to /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/node + # /usr/bin/npm is symlink to /usr/lib/node_modules/npm/bin/npm-cli.js + # use sed on npm-cli.js because otherwise symlink is replaced with normal file and + # npm-cli.js continues to use old shebang + sed "1s^.*^#\!/usr/bin/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js + + # Install the native binaries to provide it within sysroot for the target compilation + install -d ${D}${bindir} + install -m 0755 ${S}/out/Release/torque ${D}${bindir}/torque + install -m 0755 ${S}/out/Release/bytecode_builtins_list_generator ${D}${bindir}/bytecode_builtins_list_generator + if 
${@bb.utils.contains('PACKAGECONFIG','icu','true','false',d)}; then + install -m 0755 ${S}/out/Release/gen-regexp-special-case ${D}${bindir}/gen-regexp-special-case + fi + install -m 0755 ${S}/out/Release/mkcodecache ${D}${bindir}/mkcodecache + install -m 0755 ${S}/out/Release/node_mksnapshot ${D}${bindir}/node_mksnapshot +} + +do_install_append_class-target() { + sed "1s^.*^#\!${bindir}/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js +} + +PACKAGES =+ "${PN}-npm" +FILES_${PN}-npm = "${exec_prefix}/lib/node_modules ${bindir}/npm ${bindir}/npx" +RDEPENDS_${PN}-npm = "bash python3-core python3-shell python3-datetime \ + python3-misc python3-multiprocessing" + +PACKAGES =+ "${PN}-systemtap" +FILES_${PN}-systemtap = "${datadir}/systemtap" + +BBCLASSEXTEND = "native" diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.22.2.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.22.2.bb deleted file mode 100644 index 2c7d3b3edd..0000000000 --- a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_12.22.2.bb +++ /dev/null 
@@ -1,162 +0,0 @@ -DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" -HOMEPAGE = "http://nodejs.org" -LICENSE = "MIT & BSD & Artistic-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=8c66ff8861d9f96076a7cb61e3d75f54" - -DEPENDS = "openssl" -DEPENDS_append_class-target = " nodejs-native" - -inherit pkgconfig python3native - -COMPATIBLE_MACHINE_armv4 = "(!.*armv4).*" -COMPATIBLE_MACHINE_armv5 = "(!.*armv5).*" -COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" - -COMPATIBLE_HOST_riscv64 = "null" -COMPATIBLE_HOST_riscv32 = "null" - -SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ - file://0001-Disable-running-gyp-files-for-bundled-deps.patch \ - file://0003-Install-both-binaries-and-use-libdir.patch \ - file://0004-v8-don-t-override-ARM-CFLAGS.patch \ - file://big-endian.patch \ - file://mips-warnings.patch \ - file://0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch \ - file://CVE-2021-44532.patch \ - " -SRC_URI_append_class-target = " \ - file://0002-Using-native-binaries.patch \ - " -SRC_URI[sha256sum] = "7fd805571df106f086f4c45e131efed98bfd62628d9dec96bd62f8c11b0c48dc" - -S = "${WORKDIR}/node-v${PV}" - -# v8 errors out if you have set CCACHE -CCACHE = "" - -def map_nodejs_arch(a, d): - import re - - if re.match('i.86$', a): return 'ia32' - elif re.match('x86_64$', a): return 'x64' - elif re.match('aarch64$', a): return 'arm64' - elif re.match('(powerpc64|ppc64le)$', a): return 'ppc64' - elif re.match('powerpc$', a): return 'ppc' - return a - -ARCHFLAGS_arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \ - ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \ - bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \ - bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \ - '--with-arm-fpu=vfp', d), d), d)}" -GYP_DEFINES_append_mipsel = " mips_arch_variant='r1' " -ARCHFLAGS ?= "" - -PACKAGECONFIG ??= "ares brotli 
icu zlib" - -PACKAGECONFIG[ares] = "--shared-cares,,c-ares" -PACKAGECONFIG[brotli] = "--shared-brotli,,brotli" -PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu" -PACKAGECONFIG[libuv] = "--shared-libuv,,libuv" -PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2" -PACKAGECONFIG[shared] = "--shared" -PACKAGECONFIG[zlib] = "--shared-zlib,,zlib" - -# We don't want to cross-compile during target compile, -# and we need to use the right flags during host compile, -# too. -EXTRA_OEMAKE = "\ - CC.host='${CC}' \ - CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \ - CXX.host='${CXX}' \ - CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \ - LDFLAGS.host='${LDFLAGS}' \ - AR.host='${AR}' \ - \ - builddir_name=./ \ -" - -python do_unpack() { - import shutil - - bb.build.exec_func('base_do_unpack', d) - - shutil.rmtree(d.getVar('S') + '/deps/openssl', True) - if 'ares' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/cares', True) - if 'brotli' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/brotli', True) - if 'libuv' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/uv', True) - if 'nghttp2' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/nghttp2', True) - if 'zlib' in d.getVar('PACKAGECONFIG'): - shutil.rmtree(d.getVar('S') + '/deps/zlib', True) -} - -# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi -do_configure () { - export LD="${CXX}" - GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES - # $TARGET_ARCH settings don't match --dest-cpu settings - python3 configure.py --prefix=${prefix} --cross-compiling --without-snapshot --shared-openssl \ - --without-dtrace \ - --without-etw \ - --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \ - --dest-os=linux \ - --libdir=${D}${libdir} \ - ${ARCHFLAGS} \ - ${PACKAGECONFIG_CONFARGS} -} - -do_compile () { - export LD="${CXX}" - oe_runmake BUILDTYPE=Release -} - 
-do_install () { - oe_runmake install DESTDIR=${D} - - # wasn't updated since 2009 and is the only thing requiring python2 in runtime - # ERROR: nodejs-12.14.1-r0 do_package_qa: QA Issue: /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples contained in package nodejs-npm requires /usr/bin/python, but no providers found in RDEPENDS_nodejs-npm? [file-rdeps] - rm -f ${D}${exec_prefix}/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples -} - -do_install_append_class-native() { - # use node from PATH instead of absolute path to sysroot - # node-v0.10.25/tools/install.py is using: - # shebang = os.path.join(node_prefix, 'bin/node') - # update_shebang(link_path, shebang) - # and node_prefix can be very long path to bindir in native sysroot and - # when it exceeds 128 character shebang limit it's stripped to incorrect path - # and npm fails to execute like in this case with 133 characters show in log.do_install: - # updating shebang of /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/work/x86_64-linux/nodejs-native/0.10.15-r0/image/home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/npm to /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/node - # /usr/bin/npm is symlink to /usr/lib/node_modules/npm/bin/npm-cli.js - # use sed on npm-cli.js because otherwise symlink is replaced with normal file and - # npm-cli.js continues to use old shebang - sed "1s^.*^#\!/usr/bin/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js - - # Install the native binaries to provide it within sysroot for the target compilation - install -d ${D}${bindir} - install -m 0755 ${S}/out/Release/torque ${D}${bindir}/torque - install -m 0755 ${S}/out/Release/bytecode_builtins_list_generator ${D}${bindir}/bytecode_builtins_list_generator - if 
${@bb.utils.contains('PACKAGECONFIG','icu','true','false',d)}; then - install -m 0755 ${S}/out/Release/gen-regexp-special-case ${D}${bindir}/gen-regexp-special-case - fi - install -m 0755 ${S}/out/Release/mkcodecache ${D}${bindir}/mkcodecache - install -m 0755 ${S}/out/Release/node_mksnapshot ${D}${bindir}/node_mksnapshot -} - -do_install_append_class-target() { - sed "1s^.*^#\!${bindir}/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js -} - -PACKAGES =+ "${PN}-npm" -FILES_${PN}-npm = "${exec_prefix}/lib/node_modules ${bindir}/npm ${bindir}/npx" -RDEPENDS_${PN}-npm = "bash python3-core python3-shell python3-datetime \ - python3-misc python3-multiprocessing" - -PACKAGES =+ "${PN}-systemtap" -FILES_${PN}-systemtap = "${datadir}/systemtap" - -BBCLASSEXTEND = "native" diff --git a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch deleted file mode 100644 index 8f15f8424c..0000000000 --- a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From f2f1e134bf5d9d0789942848e03006af8d926cf8 Mon Sep 17 00:00:00 2001 -From: Wang Mingyu -Date: Tue, 17 Mar 2020 12:53:35 +0800 -Subject: [PATCH] fix configure error : mv libcares.pc.cmakein to - libcares.pc.cmake - -Signed-off-by: Wang Mingyu ---- - CMakeLists.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 3a5878d..c2e5740 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -563,7 +563,7 @@ IF (CARES_STATIC) - ENDIF() - - # Write ares_config.h configuration file. This is used only for the build. --CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) -+CONFIGURE_FILE (libcares.pc.cmake ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) - - - --- -2.17.1 - diff --git a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch deleted file mode 100644 index d1cb54aefb..0000000000 --- a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From: bradh352 -Date: Fri, 11 Jun 2021 12:39:24 -0400 -Subject: [2/2] ares_expand_name(): fix formatting and handling of root name - response -Origin: https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672 - -Fixes issue introduced in prior commit with formatting and handling -of parsing a root name response which should not be escaped. - -Fix By: Brad House -CVE: CVE-2021-3672 -Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz] -Signed-off-by: Neetika Singh ---- - ares_expand_name.c | 62 ++++++++++++++++++++++++-------------- - 1 file changed, 40 insertions(+), 22 deletions(-) - -diff --git a/ares_expand_name.c b/ares_expand_name.c -index f1c874a97cfc..eb9268c1ff0a 100644 ---- a/ares_expand_name.c -+++ b/ares_expand_name.c -@@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, - } - else - { -- len = *p; -+ int name_len = *p; -+ len = name_len; - p++; -+ - while (len--) - { -- if (!isprint(*p)) { -- /* Output as \DDD for consistency with RFC1035 5.1 */ -- *q++ = '\\'; -- *q++ = '0' + *p / 100; -- *q++ = '0' + (*p % 100) / 10; -- *q++ = '0' + (*p % 10); -- } else if (is_reservedch(*p)) { -- *q++ = '\\'; -- *q++ = *p; -- } else { -- *q++ = *p; -- } -+ /* Output as \DDD for consistency with RFC1035 5.1, except -+ * for the special case of a root name response */ -+ if (!isprint(*p) && !(name_len == 1 && *p == 0)) -+ { -+ -+ *q++ = '\\'; -+ *q++ = '0' + *p / 100; -+ *q++ = '0' + (*p % 100) / 10; -+ *q++ = '0' + (*p % 10); -+ } -+ else if (is_reservedch(*p)) -+ { -+ *q++ = '\\'; -+ *q++ = *p; -+ } -+ else -+ { -+ *q++ = *p; -+ } - p++; - } - *q++ = '.'; - } -- } -+ } -+ - if (!indir) - *enclen = aresx_uztosl(p + 1U - encoded); - -@@ -194,21 +204,29 @@ static int name_length(const unsigned 
char *encoded, const unsigned char *abuf, - } - else if (top == 0x00) - { -- offset = *encoded; -+ int name_len = *encoded; -+ offset = name_len; - if (encoded + offset + 1 >= abuf + alen) - return -1; - encoded++; -+ - while (offset--) - { -- if (!isprint(*encoded)) { -- n += 4; -- } else if (is_reservedch(*encoded)) { -- n += 2; -- } else { -- n += 1; -- } -+ if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0)) -+ { -+ n += 4; -+ } -+ else if (is_reservedch(*encoded)) -+ { -+ n += 2; -+ } -+ else -+ { -+ n += 1; -+ } - encoded++; - } -+ - n++; - } - else --- -2.32.0 - diff --git a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch deleted file mode 100644 index 3603ef1278..0000000000 --- a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From: bradh352 -Date: Fri, 11 Jun 2021 11:27:45 -0400 -Subject: [1/2] ares_expand_name() should escape more characters -Origin: https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672 - -RFC1035 5.1 specifies some reserved characters and escaping sequences -that are allowed to be specified. Expand the list of reserved characters -and also escape non-printable characters using the \DDD format as -specified in the RFC. - -Bug Reported By: philipp.jeitner@sit.fraunhofer.de -Fix By: Brad House (@bradh352) -CVE: CVE-2021-3672 -Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz] -Signed-off-by: Neetika Singh ---- - ares_expand_name.c | 41 +++++++++++++++++++++++++++++++++++--- - 1 file changed, 38 insertions(+), 3 deletions(-) - -diff --git a/ares_expand_name.c b/ares_expand_name.c -index 407200ef5b4b..f1c874a97cfc 100644 ---- a/ares_expand_name.c -+++ b/ares_expand_name.c -@@ -32,6 +32,26 @@ - static int name_length(const unsigned char *encoded, const unsigned char *abuf, - int alen); - -+/* Reserved characters for names that need to be escaped */ -+static int is_reservedch(int ch) -+{ -+ switch (ch) { -+ case '"': -+ case '.': -+ case ';': -+ case '\\': -+ case '(': -+ case ')': -+ case '@': -+ case '$': -+ return 1; -+ default: -+ break; -+ } -+ -+ return 0; -+} -+ - /* Expand an RFC1035-encoded domain name given by encoded. The - * containing message is given by abuf and alen. The result given by - * *s, which is set to a NUL-terminated allocated buffer. *enclen is -@@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, - p++; - while (len--) - { -- if (*p == '.' 
|| *p == '\\') -+ if (!isprint(*p)) { -+ /* Output as \DDD for consistency with RFC1035 5.1 */ -+ *q++ = '\\'; -+ *q++ = '0' + *p / 100; -+ *q++ = '0' + (*p % 100) / 10; -+ *q++ = '0' + (*p % 10); -+ } else if (is_reservedch(*p)) { - *q++ = '\\'; -- *q++ = *p; -+ *q++ = *p; -+ } else { -+ *q++ = *p; -+ } - p++; - } - *q++ = '.'; -@@ -171,7 +200,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, - encoded++; - while (offset--) - { -- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1; -+ if (!isprint(*encoded)) { -+ n += 4; -+ } else if (is_reservedch(*encoded)) { -+ n += 2; -+ } else { -+ n += 1; -+ } - encoded++; - } - n++; --- -2.32.0 - diff --git a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch deleted file mode 100644 index 0eb7e4bbb3..0000000000 --- a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 12414304245cce6ef0e8b9547949be5109845353 Mon Sep 17 00:00:00 2001 -From: Changqing Li -Date: Tue, 24 Jul 2018 13:33:33 +0800 -Subject: [PATCH] cmake: Install libcares.pc - -Prepare and install libcares.pc file during cmake build, so libraries -using pkg-config to find libcares will not fail. - -Signed-off-by: Alexey Firago - -update to 1.14.0, fix patch warning - -Signed-off-by: Changqing Li ---- - CMakeLists.txt | 28 +++++++++++++++++++++++----- - 1 file changed, 23 insertions(+), 5 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index fd123e1..3a5878d 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -214,22 +214,25 @@ ADD_DEFINITIONS(${SYSFLAGS}) - - - # Tell C-Ares about libraries to depend on -+# Also pass these libraries to pkg-config file -+SET(CARES_PRIVATE_LIBS_LIST) - IF (HAVE_LIBRESOLV) -- LIST (APPEND CARES_DEPENDENT_LIBS resolv) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lresolv") - ENDIF () - IF (HAVE_LIBNSL) -- LIST (APPEND CARES_DEPENDENT_LIBS nsl) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lnsl") - ENDIF () - IF (HAVE_LIBSOCKET) -- LIST (APPEND CARES_DEPENDENT_LIBS socket) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lsocket") - ENDIF () - IF (HAVE_LIBRT) -- LIST (APPEND CARES_DEPENDENT_LIBS rt) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lrt") - ENDIF () - IF (WIN32) -- LIST (APPEND CARES_DEPENDENT_LIBS ws2_32 Advapi32) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lws2_32") - ENDIF () - -+string (REPLACE ";" " " CARES_PRIVATE_LIBS "${CARES_PRIVATE_LIBS_LIST}") - - # When checking for symbols, we need to make sure we set the proper - # headers, libraries, and definitions for the detection to work properly -@@ -554,6 +557,15 @@ CONFIGURE_FILE (ares_build.h.cmake ${PROJECT_BINARY_DIR}/ares_build.h) - # Write ares_config.h configuration file. This is used only for the build. 
- CONFIGURE_FILE (ares_config.h.cmake ${PROJECT_BINARY_DIR}/ares_config.h) - -+# Pass required CFLAGS to pkg-config in case of static library -+IF (CARES_STATIC) -+ SET (CPPFLAG_CARES_STATICLIB "-DCARES_STATICLIB") -+ENDIF() -+ -+# Write ares_config.h configuration file. This is used only for the build. -+CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) -+ -+ - - # TRANSFORM_MAKEFILE_INC - # -@@ -728,6 +740,12 @@ IF (CARES_INSTALL) - INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" COMPONENT Devel DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig") - ENDIF () - -+# pkg-config file -+IF (CARES_INSTALL) -+ SET (PKGCONFIG_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}/pkgconfig") -+ INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" DESTINATION ${PKGCONFIG_INSTALL_DIR}) -+ENDIF () -+ - # Legacy chain-building variables (provided for compatibility with old code). - # Don't use these, external code should be updated to refer to the aliases directly (e.g., Cares::cares). - SET (CARES_FOUND 1 CACHE INTERNAL "CARES LIBRARY FOUND") --- -2.17.1 - diff --git a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb deleted file mode 100644 index 692a5f0d6e..0000000000 --- a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb +++ /dev/null 
@@ -1,29 +0,0 @@
-# Copyright (c) 2012-2014 LG Electronics, Inc.
-SUMMARY = "c-ares is a C library that resolves names asynchronously."
-HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/"
-SECTION = "libs"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"
-
-PV = "1.16.1+gitr${SRCPV}"
-
-SRC_URI = "\
- git://github.com/c-ares/c-ares.git;branch=main;protocol=https \
- file://cmake-install-libcares.pc.patch \
- file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \
- file://ares_expand_name-should-escape-more-characters.patch \
- file://ares_expand_name-fix-formatting-and-handling-of-root.patch \
-"
-SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e"
-
-UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P\d+_(\d_?)+)"
-
-S = "${WORKDIR}/git"
-
-inherit cmake pkgconfig
-
-PACKAGES =+ "${PN}-utils"
-
-FILES_${PN}-utils = "${bindir}"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
new file mode 100644
index 0000000000..25ce45d74c
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
@@ -0,0 +1,21 @@
+# Copyright (c) 2012-2014 LG Electronics, Inc.
+SUMMARY = "c-ares is a C library that resolves names asynchronously."
+HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/"
+SECTION = "libs"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"
+
+SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main"
+SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"
+
+UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P\d+_(\d_?)+)"
+
+S = "${WORKDIR}/git"
+
+inherit cmake pkgconfig
+
+PACKAGES =+ "${PN}-utils"
+
+FILES_${PN}-utils = "${bindir}"
+
+BBCLASSEXTEND = "native nativesdk"
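Review bot: The new `SRC_URI` in c-ares_1.18.1.bb drops the `;protocol=https` that the removed c-ares_1.16.1.bb carried, so unless the fetcher or a mirror rewrites the URL, the source is cloned over the unauthenticated git protocol. `SRCREV` pins the commit, which limits what a tampered transport can deliver, but the transport should still be stated explicitly: `SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https"`. The same recipe also stops applying the two CVE-2021-3672 backport patches; 1.18.1 presumably contains both upstream commits, and that is worth confirming against the upstream changelog before the patches go.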
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python-lxml.inc b/meta-openembedded/meta-python/recipes-devtools/python/python-lxml.inc index 05b5eae462..0276a3e81a 100644 --- a/meta-openembedded/meta-python/recipes-devtools/python/python-lxml.inc +++ b/meta-openembedded/meta-python/recipes-devtools/python/python-lxml.inc @@ -18,6 +18,8 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \ DEPENDS += "libxml2 libxslt" +SRC_URI += "file://CVE-2022-2309.patch" + SRC_URI[md5sum] = "f088e452ed45b030b6f84269f1e84d11" SRC_URI[sha256sum] = "8620ce80f50d023d414183bf90cc2576c2837b88e00bea3f33ad2630133bbb60" diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch b/meta-openembedded/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch new file mode 100644 index 0000000000..ff3fcee6e2 --- /dev/null +++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch 
@@ -0,0 +1,94 @@ +From ccbda4b0669f418b2f00c4f099733cebe633eb47 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Fri, 29 Jul 2022 10:16:59 +0530 +Subject: [PATCH] CVE-2022-2309 + +Upstream-Status: Backport [https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f] +CVE: CVE-2022-2309 +Signed-off-by: Hitendra Prajapati +--- + src/lxml/apihelpers.pxi | 7 ++++--- + src/lxml/iterparse.pxi | 11 ++++++----- + src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++ + 3 files changed, 30 insertions(+), 8 deletions(-) + +diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi +index 5eb3416..88a031d 100644 +--- a/src/lxml/apihelpers.pxi ++++ b/src/lxml/apihelpers.pxi +@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node): + while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE: + c_ns = c_node.nsDef + while c_ns is not NULL: +- prefix = funicodeOrNone(c_ns.prefix) +- if prefix not in nsmap: +- nsmap[prefix] = funicodeOrNone(c_ns.href) ++ if c_ns.prefix or c_ns.href: ++ prefix = funicodeOrNone(c_ns.prefix) ++ if prefix not in nsmap: ++ nsmap[prefix] = funicodeOrNone(c_ns.href) + c_ns = c_ns.next + c_node = c_node.parent + return nsmap +diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi +index 4c20506..3da7485 100644 +--- a/src/lxml/iterparse.pxi ++++ b/src/lxml/iterparse.pxi +@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node): + count = 0 + c_ns = c_node.nsDef + while c_ns is not NULL: +- count += 1 ++ count += (c_ns.href is not NULL) + c_ns = c_ns.next + return count + +@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1: + count = 0 + c_ns = c_node.nsDef + while c_ns is not NULL: +- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '', +- funicode(c_ns.href)) +- event_list.append( (u"start-ns", ns_tuple) ) +- count += 1 ++ if c_ns.href: ++ ns_tuple = (funicodeOrEmpty(c_ns.prefix), ++ funicode(c_ns.href)) ++ event_list.append( (u"start-ns", 
ns_tuple) ) ++ count += 1 + c_ns = c_ns.next + return count +diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py +index b997e4d..69e1bf1 100644 +--- a/src/lxml/tests/test_etree.py ++++ b/src/lxml/tests/test_etree.py +@@ -1448,6 +1448,26 @@ class ETreeOnlyTestCase(HelperTestCase): + [1,2,1,4], + counts) + ++ def test_walk_after_parse_failure(self): ++ # This used to be an issue because libxml2 can leak empty namespaces ++ # between failed parser runs. iterwalk() failed to handle such a tree. ++ try: ++ etree.XML('''''') ++ except etree.XMLSyntaxError: ++ pass ++ else: ++ assert False, "invalid input did not fail to parse" ++ ++ et = etree.XML(''' ''') ++ try: ++ ns = next(etree.iterwalk(et, events=('start-ns',))) ++ except StopIteration: ++ # This would be the expected result, because there was no namespace ++ pass ++ else: ++ # This is a bug in libxml2 ++ assert not ns, repr(ns) ++ + def test_itertext_comment_pi(self): + # https://bugs.launchpad.net/lxml/+bug/1844674 + XML = self.etree.XML +-- +2.25.1 + diff --git a/poky/bitbake/lib/bb/runqueue.py b/poky/bitbake/lib/bb/runqueue.py index a513b0983b..6cdc72a85b 100644 --- a/poky/bitbake/lib/bb/runqueue.py +++ b/poky/bitbake/lib/bb/runqueue.py @@ -24,6 +24,7 @@ import pickle from multiprocessing import Process import shlex import pprint +import time bblogger = logging.getLogger("BitBake") logger = logging.getLogger("BitBake.RunQueue") 
@@ -142,6 +143,55 @@ class RunQueueScheduler(object):
 self.buildable.append(tid)
 self.rev_prio_map = None
+ self.is_pressure_usable()
+
+ def is_pressure_usable(self):
+ """
+ If monitoring pressure, return True if pressure files can be open and read. For example
+ openSUSE /proc/pressure/* files have readable file permissions but when read the error EOPNOTSUPP (Operation not supported)
+ is returned.
+ """
+ if self.rq.max_cpu_pressure or self.rq.max_io_pressure or self.rq.max_memory_pressure:
+ try:
+ with open("/proc/pressure/cpu") as cpu_pressure_fds, \
+ open("/proc/pressure/io") as io_pressure_fds, \
+ open("/proc/pressure/memory") as memory_pressure_fds:
+
+ self.prev_cpu_pressure = cpu_pressure_fds.readline().split()[4].split("=")[1]
+ self.prev_io_pressure = io_pressure_fds.readline().split()[4].split("=")[1]
+ self.prev_memory_pressure = memory_pressure_fds.readline().split()[4].split("=")[1]
+ self.prev_pressure_time = time.time()
+ self.check_pressure = True
+ except:
+ bb.note("The /proc/pressure files can't be read. Continuing build without monitoring pressure")
+ self.check_pressure = False
+ else:
+ self.check_pressure = False
+
+ def exceeds_max_pressure(self):
+ """
+ Monitor the difference in total pressure at least once per second, if
+ BB_PRESSURE_MAX_{CPU|IO|MEMORY} are set, return True if above threshold.
+ """
+ if self.check_pressure:
+ with open("/proc/pressure/cpu") as cpu_pressure_fds, \
+ open("/proc/pressure/io") as io_pressure_fds, \
+ open("/proc/pressure/memory") as memory_pressure_fds:
+ # extract "total" from /proc/pressure/{cpu|io}
+ curr_cpu_pressure = cpu_pressure_fds.readline().split()[4].split("=")[1]
+ curr_io_pressure = io_pressure_fds.readline().split()[4].split("=")[1]
+ curr_memory_pressure = memory_pressure_fds.readline().split()[4].split("=")[1]
+ exceeds_cpu_pressure = self.rq.max_cpu_pressure and (float(curr_cpu_pressure) - float(self.prev_cpu_pressure)) > self.rq.max_cpu_pressure
+ exceeds_io_pressure = self.rq.max_io_pressure and (float(curr_io_pressure) - float(self.prev_io_pressure)) > self.rq.max_io_pressure
+ exceeds_memory_pressure = self.rq.max_memory_pressure and (float(curr_memory_pressure) - float(self.prev_memory_pressure)) > self.rq.max_memory_pressure
+ now = time.time()
+ if now - self.prev_pressure_time > 1.0:
+ self.prev_cpu_pressure = curr_cpu_pressure
+ self.prev_io_pressure = curr_io_pressure
+ self.prev_memory_pressure = curr_memory_pressure
+ self.prev_pressure_time = now
+ return (exceeds_cpu_pressure or exceeds_io_pressure or exceeds_memory_pressure)
+ return False
 def next_buildable_task(self):
 """
@@ -155,6 +205,12 @@ class RunQueueScheduler(object):
 if not buildable:
 return None
+ # Bitbake requires that at least one task be active. Only check for pressure if
+ # this is the case, otherwise the pressure limitation could result in no tasks
+ # being active and no new tasks started thereby, at times, breaking the scheduler.
+ if self.rq.stats.active and self.exceeds_max_pressure():
+ return None
+
 # Filter out tasks that have a max number of threads that have been exceeded
 skip_buildable = {}
 for running in self.rq.runq_running.difference(self.rq.runq_complete):
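Review bot: The bare `except:` in `is_pressure_usable` also catches KeyboardInterrupt and SystemExit, and the same open-and-parse sequence is repeated in `exceeds_max_pressure` with no handler at all. A read or parse failure after start-up therefore propagates out of `exceeds_max_pressure` into `next_buildable_task`. Narrowing the first handler to the failures this code can raise, `except (OSError, IndexError):`, and giving the second read the same handler that sets `self.check_pressure = False` and returns False, would keep the "continue without monitoring" behaviour the note message promises.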
@@ -1700,6 +1756,9 @@ class RunQueueExecute:
 self.number_tasks = int(self.cfgData.getVar("BB_NUMBER_THREADS") or 1)
 self.scheduler = self.cfgData.getVar("BB_SCHEDULER") or "speed"
+ self.max_cpu_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_CPU")
+ self.max_io_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_IO")
+ self.max_memory_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_MEMORY")
 self.sq_buildable = set()
 self.sq_running = set()
@@ -1735,6 +1794,29 @@ class RunQueueExecute:
 if self.number_tasks <= 0:
 bb.fatal("Invalid BB_NUMBER_THREADS %s" % self.number_tasks)
+ lower_limit = 1.0
+ upper_limit = 1000000.0
+ if self.max_cpu_pressure:
+ self.max_cpu_pressure = float(self.max_cpu_pressure)
+ if self.max_cpu_pressure < lower_limit:
+ bb.fatal("Invalid BB_PRESSURE_MAX_CPU %s, minimum value is %s." % (self.max_cpu_pressure, lower_limit))
+ if self.max_cpu_pressure > upper_limit:
+ bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_CPU is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_cpu_pressure))
+
+ if self.max_io_pressure:
+ self.max_io_pressure = float(self.max_io_pressure)
+ if self.max_io_pressure < lower_limit:
+ bb.fatal("Invalid BB_PRESSURE_MAX_IO %s, minimum value is %s." % (self.max_io_pressure, lower_limit))
+ if self.max_io_pressure > upper_limit:
+ bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_IO is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_io_pressure))
+
+ if self.max_memory_pressure:
+ self.max_memory_pressure = float(self.max_memory_pressure)
+ if self.max_memory_pressure < lower_limit:
+ bb.fatal("Invalid BB_PRESSURE_MAX_MEMORY %s, minimum value is %s." % (self.max_memory_pressure, lower_limit))
+ if self.max_memory_pressure > upper_limit:
+ bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_MEMORY is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_io_pressure))
+
 # List of setscene tasks which we've covered
 self.scenequeue_covered = set()
 # List of tasks which are covered (including setscene ones)
diff --git a/poky/bitbake/lib/bb/utils.py b/poky/bitbake/lib/bb/utils.py
index fab16ffc58..6592eb00dd 100644
--- a/poky/bitbake/lib/bb/utils.py
+++ b/poky/bitbake/lib/bb/utils.py
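Review bot: The BB_PRESSURE_MAX_MEMORY warning at the end of this hunk formats `self.max_io_pressure` instead of the memory value, so it reports the wrong number (or `None` when only the memory limit is set). The last argument should read `% (self.max_memory_pressure))`. The three `float(...)` conversions also raise an uncaught ValueError on a non-numeric setting, while out-of-range values go through `bb.fatal`; catching ValueError and calling `bb.fatal("Invalid BB_PRESSURE_MAX_CPU %s" % ...)` for each variable would make both failure modes report the same way. The enclosing method starts and ends outside the hunk.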
@@ -421,12 +421,14 @@ def better_eval(source, locals, extraglobals = None): return eval(source, ctx, locals) @contextmanager -def fileslocked(files): +def fileslocked(files, *args, **kwargs): """Context manager for locking and unlocking file locks.""" locks = [] if files: for lockfile in files: - locks.append(bb.utils.lockfile(lockfile)) + l = bb.utils.lockfile(lockfile, *args, **kwargs) + if l is not None: + locks.append(l) try: yield diff --git a/poky/documentation/dev-manual/dev-manual-common-tasks.rst b/poky/documentation/dev-manual/dev-manual-common-tasks.rst index 7c0fc662bd..9dcafb2783 100644 --- a/poky/documentation/dev-manual/dev-manual-common-tasks.rst +++ b/poky/documentation/dev-manual/dev-manual-common-tasks.rst @@ -2628,7 +2628,7 @@ Recipe Syntax Understanding recipe file syntax is important for writing recipes. The following list overviews the basic items that make up a BitBake recipe file. For more complete BitBake syntax descriptions, see the -":doc:`bitbake-user-manual/bitbake-user-manual-metadata`" +":doc:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata`" chapter of the BitBake User Manual. - *Variable Assignments and Manipulations:* Variable assignments allow diff --git a/poky/documentation/poky.yaml b/poky/documentation/poky.yaml index dae9abb63b..b6baac7d0d 100644 --- a/poky/documentation/poky.yaml +++ b/poky/documentation/poky.yaml @@ -1,13 +1,13 @@ -DISTRO : "3.1.19" +DISTRO : "3.1.20" DISTRO_NAME_NO_CAP : "dunfell" DISTRO_NAME : "Dunfell" DISTRO_NAME_NO_CAP_MINUS_ONE : "zeus" -YOCTO_DOC_VERSION : "3.1.19" +YOCTO_DOC_VERSION : "3.1.20" YOCTO_DOC_VERSION_MINUS_ONE : "3.0.4" -DISTRO_REL_TAG : "yocto-3.1.19" -DOCCONF_VERSION : "3.1.19" +DISTRO_REL_TAG : "yocto-3.1.20" +DOCCONF_VERSION : "3.1.20" BITBAKE_SERIES : "1.46" -POKYVERSION : "23.0.19" +POKYVERSION : "23.0.20" YOCTO_POKY : "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;" YOCTO_DL_URL : "https://downloads.yoctoproject.org" YOCTO_AB_URL : "https://autobuilder.yoctoproject.org" 
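Review bot: When `bb.utils.lockfile(lockfile, *args, **kwargs)` returns None, the new `fileslocked` code skips it and still reaches `yield`, so the caller's `with` body runs without that lock and cannot tell. Whether None can be returned depends on the forwarded arguments and on `lockfile` itself, neither of which is visible here, so the contract should at least be stated in the docstring, for example `"""Context manager for locking and unlocking file locks. Extra arguments are passed to bb.utils.lockfile(); a file whose lock is not obtained is skipped."""`. The local name `l` is easy to misread as `1`; `lock` would be clearer. The function body continues past the end of the hunk.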
diff --git a/poky/documentation/ref-manual/ref-features.rst b/poky/documentation/ref-manual/ref-features.rst index f28ad2bb4c..be3a9e3a3e 100644 --- a/poky/documentation/ref-manual/ref-features.rst +++ b/poky/documentation/ref-manual/ref-features.rst @@ -63,6 +63,8 @@ Project metadata: - *keyboard:* Hardware has a keyboard +- *numa:* Hardware has non-uniform memory access + - *pcbios:* Support for booting through BIOS - *pci:* Hardware has a PCI bus diff --git a/poky/meta-poky/conf/distro/poky.conf b/poky/meta-poky/conf/distro/poky.conf index eefd37fd1e..ffea526dd0 100644 --- a/poky/meta-poky/conf/distro/poky.conf +++ b/poky/meta-poky/conf/distro/poky.conf @@ -1,6 +1,6 @@ DISTRO = "poky" DISTRO_NAME = "Poky (Yocto Project Reference Distro)" -DISTRO_VERSION = "3.1.19" +DISTRO_VERSION = "3.1.20" DISTRO_CODENAME = "dunfell" SDK_VENDOR = "-pokysdk" SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${DATE}', 'snapshot')}" diff --git a/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend b/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend index b2824cbb1d..219e788f47 100644 --- a/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend +++ b/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend @@ -7,8 +7,8 @@ KMACHINE_genericx86 ?= "common-pc" KMACHINE_genericx86-64 ?= "common-pc-64" KMACHINE_beaglebone-yocto ?= "beaglebone" -SRCREV_machine_genericx86 ?= "e2020dbe2ccaef50d7e8f37a5bf08c68a006a064" -SRCREV_machine_genericx86-64 ?= "e2020dbe2ccaef50d7e8f37a5bf08c68a006a064" +SRCREV_machine_genericx86 ?= "8a59dfded81659402005acfb06fbb00b71c8ce86" +SRCREV_machine_genericx86-64 ?= "8a59dfded81659402005acfb06fbb00b71c8ce86" SRCREV_machine_edgerouter ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd" SRCREV_machine_beaglebone-yocto ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd" 
@@ -17,7 +17,7 @@ COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
 COMPATIBLE_MACHINE_edgerouter = "edgerouter"
 COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
-LINUX_VERSION_genericx86 = "5.4.178"
-LINUX_VERSION_genericx86-64 = "5.4.178"
+LINUX_VERSION_genericx86 = "5.4.205"
+LINUX_VERSION_genericx86-64 = "5.4.205"
 LINUX_VERSION_edgerouter = "5.4.58"
 LINUX_VERSION_beaglebone-yocto = "5.4.58"
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index 9eb9a95574..4fc4e545e4 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -138,17 +138,18 @@ python do_cve_check () {
 """
 from oe.cve_check import get_patched_cves
- if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
- try:
- patched_cves = get_patched_cves(d)
- except FileNotFoundError:
- bb.fatal("Failure in searching patches")
- whitelisted, patched, unpatched, status = check_cves(d, patched_cves)
- if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
- cve_data = get_cve_info(d, patched + unpatched + whitelisted)
- cve_write_data(d, patched, unpatched, whitelisted, cve_data, status)
- else:
- bb.note("No CVE database found, skipping CVE check")
+ with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True):
+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+ try:
+ patched_cves = get_patched_cves(d)
+ except FileNotFoundError:
+ bb.fatal("Failure in searching patches")
+ ignored, patched, unpatched, status = check_cves(d, patched_cves)
+ if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
+ cve_data = get_cve_info(d, patched + unpatched + ignored)
+ cve_write_data(d, patched, unpatched, ignored, cve_data, status)
+ else:
+ bb.note("No CVE database found, skipping CVE check")
 }
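Review bot: The new `with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True):` line in `do_cve_check` carries no comment saying which writer the shared lock guards against. `d.getVar` returns None for an unset variable, and that None would be handed on as a lock path. The definition of CVE_CHECK_DB_FILE_LOCK is not part of this hunk, so it should be confirmed that it is always set wherever this class is inherited. If the intent is what it appears to be, a comment such as `# shared lock: checks may run in parallel but must not overlap a database update` would record it.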
@@ -289,7 +290,8 @@ def check_cves(d, patched_cves):
 vendor = "%"
 # Find all relevant CVE IDs.
- for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
+ cve_cursor = conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor))
+ for cverow in cve_cursor:
 cve = cverow[0]
 if cve in cve_whitelist:
@@ -308,7 +310,8 @@ def check_cves(d, patched_cves):
 vulnerable = False
 ignored = False
- for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
+ product_cursor = conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor))
+ for row in product_cursor:
 (_, _, _, version_start, operator_start, version_end, operator_end) = row
 #bb.debug(2, "Evaluating row " + str(row))
 if cve in cve_whitelist:
@@ -352,10 +355,12 @@ def check_cves(d, patched_cves):
 bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
 cves_unpatched.append(cve)
 break
+ product_cursor.close()
 if not vulnerable:
 bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
 patched_cves.add(cve)
+ cve_cursor.close()
 if not cves_in_product:
 bb.note("No CVE records found for product %s, pn %s" % (product, pn))
@@ -377,14 +382,15 @@ def get_cve_info(d, cves):
 conn = sqlite3.connect(db_file, uri=True)
 for cve in cves:
- for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
+ cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,))
+ for row in cursor:
 cve_data[row[0]] = {}
 cve_data[row[0]]["summary"] = row[1]
 cve_data[row[0]]["scorev2"] = row[2]
 cve_data[row[0]]["scorev3"] = row[3]
 cve_data[row[0]]["modified"] = row[4]
 cve_data[row[0]]["vector"] = row[5]
-
+ cursor.close()
 conn.close()
 return cve_data
diff --git a/poky/meta/conf/licenses.conf b/poky/meta/conf/licenses.conf
index 5b309eb385..0149b1dc44 100644
--- a/poky/meta/conf/licenses.conf
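Review bot: The added `product_cursor.close()` and `cve_cursor.close()` in check_cves, and `cursor.close()` in get_cve_info, run only when their loops finish normally. An exception raised inside a loop body skips them, and in get_cve_info it skips `conn.close()` as well. Putting each loop in a `try:` block with `finally: product_cursor.close()` (and the same for `cve_cursor` and `cursor`) would release the cursors on the error path too, which matters now that `do_cve_check` holds a lock on the database while these queries run. This applies to all four hunks of the file, and both functions extend outside them.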
+++ b/poky/meta/conf/licenses.conf @@ -13,24 +13,31 @@ SPDXLICENSEMAP[AGPL-3] = "AGPL-3.0" SPDXLICENSEMAP[AGPLv3] = "AGPL-3.0" SPDXLICENSEMAP[AGPLv3.0] = "AGPL-3.0" +SPDXLICENSEMAP[AGPL-3.0-only] = "AGPL-3.0" # GPL variations SPDXLICENSEMAP[GPL-1] = "GPL-1.0" SPDXLICENSEMAP[GPLv1] = "GPL-1.0" SPDXLICENSEMAP[GPLv1.0] = "GPL-1.0" +SPDXLICENSEMAP[GPL-1.0-only] = "GPL-1.0" SPDXLICENSEMAP[GPL-2] = "GPL-2.0" SPDXLICENSEMAP[GPLv2] = "GPL-2.0" SPDXLICENSEMAP[GPLv2.0] = "GPL-2.0" +SPDXLICENSEMAP[GPL-2.0-only] = "GPL-2.0" SPDXLICENSEMAP[GPL-3] = "GPL-3.0" SPDXLICENSEMAP[GPLv3] = "GPL-3.0" SPDXLICENSEMAP[GPLv3.0] = "GPL-3.0" +SPDXLICENSEMAP[GPL-3.0-only] = "GPL-3.0" #LGPL variations SPDXLICENSEMAP[LGPLv2] = "LGPL-2.0" SPDXLICENSEMAP[LGPLv2.0] = "LGPL-2.0" +SPDXLICENSEMAP[LGPL-2.0-only] = "LGPL-2.0" SPDXLICENSEMAP[LGPL2.1] = "LGPL-2.1" SPDXLICENSEMAP[LGPLv2.1] = "LGPL-2.1" +SPDXLICENSEMAP[LGPL-2.1-only] = "LGPL-2.1" SPDXLICENSEMAP[LGPLv3] = "LGPL-3.0" +SPDXLICENSEMAP[LGPL-3.0-only] = "LGPL-3.0" #MPL variations SPDXLICENSEMAP[MPL-1] = "MPL-1.0" diff --git a/poky/meta/lib/oe/cve_check.py b/poky/meta/lib/oe/cve_check.py index 30fdc3e3dd..67f0644889 100644 --- a/poky/meta/lib/oe/cve_check.py +++ b/poky/meta/lib/oe/cve_check.py @@ -168,7 +168,7 @@ def get_cpe_ids(cve_product, version): else: vendor = "*" - cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*' + cpe_id = 'cpe:2.3:a:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version) cpe_ids.append(cpe_id) return cpe_ids diff --git a/poky/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/poky/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch new file mode 100644 index 0000000000..940c6776d3 --- /dev/null +++ b/poky/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch 
@@ -0,0 +1,67 @@ +From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= +Date: Thu, 8 Sep 2022 11:11:30 +0200 +Subject: [PATCH 1/3] Bound the amount of work performed for delegations + +Limit the amount of database lookups that can be triggered in +fctx_getaddresses() (i.e. when determining the name server addresses to +query next) by setting a hard limit on the number of NS RRs processed +for any delegation encountered. Without any limit in place, named can +be forced to perform large amounts of database lookups per each query +received, which severely impacts resolver performance. + +The limit used (20) is an arbitrary value that is considered to be big +enough for any sane DNS delegation. + +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) + +Upstream-Status: Backport +CVE: CVE-2022-2795 +Reference to upstream patch: +https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8 + +Signed-off-by: Mathieu Dubois-Briand +--- + lib/dns/resolver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 8ae9a993bbd7..ac9a9ef5d009 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -180,6 +180,12 @@ + */ + #define NS_FAIL_LIMIT 4 + #define NS_RR_LIMIT 5 ++/* ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in ++ * any NS RRset encountered, to avoid excessive resource use while processing ++ * large delegations. 
++ */ ++#define NS_PROCESSING_LIMIT 20 + + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS +@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + bool need_alternate = false; + bool all_spilled = true; + unsigned int no_addresses = 0; ++ unsigned int ns_processed = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); ++ ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) { + return (result); +-- +2.34.1 + diff --git a/poky/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch b/poky/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch new file mode 100644 index 0000000000..0ef87fd260 --- /dev/null +++ b/poky/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch @@ -0,0 +1,31 @@ +From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Thu, 11 Aug 2022 15:15:34 +1000 +Subject: [PATCH 2/3] Free eckey on siglen mismatch + +Upstream-Status: Backport +CVE: CVE-2022-38177 +Reference to upstream patch: +https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590 + +Signed-off-by: Mathieu Dubois-Briand +--- + lib/dns/opensslecdsa_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c +index 83b5b51cd78c..7576e04ac635 100644 +--- a/lib/dns/opensslecdsa_link.c ++++ b/lib/dns/opensslecdsa_link.c +@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + siglen = DNS_SIG_ECDSA384SIZE; + + if (sig->length != siglen) +- return (DST_R_VERIFYFAILURE); ++ DST_RET(DST_R_VERIFYFAILURE); + + if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) + DST_RET (dst__openssl_toresult3(dctx->category, +-- +2.34.1 + 
diff --git a/poky/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch b/poky/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch new file mode 100644 index 0000000000..e0b398e24a --- /dev/null +++ b/poky/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch @@ -0,0 +1,33 @@ +From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Thu, 11 Aug 2022 15:28:13 +1000 +Subject: [PATCH 3/3] Free ctx on invalid siglen + +(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825) + +Upstream-Status: Backport +CVE: CVE-2022-38178 +Reference to upstream patch: +https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6 + +Signed-off-by: Mathieu Dubois-Briand +--- + lib/dns/openssleddsa_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c +index 8b115ec283f0..b4fcd607c131 100644 +--- a/lib/dns/openssleddsa_link.c ++++ b/lib/dns/openssleddsa_link.c +@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + siglen = DNS_SIG_ED448SIZE; + + if (sig->length != siglen) +- return (DST_R_VERIFYFAILURE); ++ DST_RET(ISC_R_NOTIMPLEMENTED); + + isc_buffer_usedregion(buf, &tbsreg); + +-- +2.34.1 + diff --git a/poky/meta/recipes-connectivity/bind/bind_9.11.37.bb b/poky/meta/recipes-connectivity/bind/bind_9.11.37.bb index afc8cf0b3b..2fca28e684 100644 --- a/poky/meta/recipes-connectivity/bind/bind_9.11.37.bb +++ b/poky/meta/recipes-connectivity/bind/bind_9.11.37.bb 
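Review bot: In CVE-2022-38178.patch the signature-length mismatch in `openssleddsa_verify` changes result code, from `return (DST_R_VERIFYFAILURE);` to `DST_RET(ISC_R_NOTIMPLEMENTED);`, while the sibling CVE-2022-38177.patch keeps `DST_R_VERIFYFAILURE` for the same condition in `opensslecdsa_verify`. If that is not what the referenced upstream commit does at this line, the backport should use `DST_RET(DST_R_VERIFYFAILURE);`, so that a wrong-length signature is still reported as a verification failure and not as an unsupported operation. The commit id in the "Reference to upstream patch" URL is also shorter than the full hashes used elsewhere in this patch, so it is worth checking that the link resolves.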
@@ -19,6 +19,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ file://0001-avoid-start-failure-with-bind-user.patch \ + file://CVE-2022-2795.patch \ + file://CVE-2022-38177.patch \ + file://CVE-2022-38178.patch \ " SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff" diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5.inc b/poky/meta/recipes-connectivity/bluez5/bluez5.inc index 4d4348898a..eaac9ee849 100644 --- a/poky/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/poky/meta/recipes-connectivity/bluez5/bluez5.inc @@ -56,6 +56,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \ file://CVE-2021-3588.patch \ file://CVE-2021-3658.patch \ file://CVE-2022-0204.patch \ + file://CVE-2022-39176.patch \ " S = "${WORKDIR}/bluez-${PV}" diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch b/poky/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch new file mode 100644 index 0000000000..7bd1f5f80f --- /dev/null +++ b/poky/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch 
@@ -0,0 +1,126 @@ +From 752c7f707c3cc1eb12eadc13bc336a5c484d4bdf Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Wed, 28 Sep 2022 10:45:53 +0530 +Subject: [PATCH] CVE-2022-39176 + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6] +CVE: CVE-2022-39176 +Signed-off-by: Hitendra Prajapati +--- + profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++--------------- + profiles/audio/avrcp.c | 8 ++++++ + 2 files changed, 44 insertions(+), 20 deletions(-) + +diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c +index 782268c..0adf413 100644 +--- a/profiles/audio/avdtp.c ++++ b/profiles/audio/avdtp.c +@@ -1261,43 +1261,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session, + return NULL; + } + +-static GSList *caps_to_list(uint8_t *data, int size, ++static GSList *caps_to_list(uint8_t *data, size_t size, + struct avdtp_service_capability **codec, + gboolean *delay_reporting) + { ++ struct avdtp_service_capability *cap; + GSList *caps; +- int processed; + + if (delay_reporting) + *delay_reporting = FALSE; + +- for (processed = 0, caps = NULL; processed + 2 <= size;) { +- struct avdtp_service_capability *cap; +- uint8_t length, category; ++ if (size < sizeof(*cap)) ++ return NULL; ++ ++ for (caps = NULL; size >= sizeof(*cap);) { ++ struct avdtp_service_capability *cpy; + +- category = data[0]; +- length = data[1]; ++ cap = (struct avdtp_service_capability *)data; + +- if (processed + 2 + length > size) { ++ if (sizeof(*cap) + cap->length > size) { + error("Invalid capability data in getcap resp"); + break; + } + +- cap = g_malloc(sizeof(struct avdtp_service_capability) + +- length); +- memcpy(cap, data, 2 + length); ++ if (cap->category == AVDTP_MEDIA_CODEC && ++ cap->length < sizeof(**codec)) { ++ error("Invalid codec data in getcap resp"); ++ break; ++ } ++ ++ cpy = btd_malloc(sizeof(*cpy) + cap->length); ++ memcpy(cpy, cap, sizeof(*cap) + cap->length); + +- processed += 2 + length; +- data += 2 + 
length; ++ size -= sizeof(*cap) + cap->length; ++ data += sizeof(*cap) + cap->length; + +- caps = g_slist_append(caps, cap); ++ caps = g_slist_append(caps, cpy); + +- if (category == AVDTP_MEDIA_CODEC && +- length >= +- sizeof(struct avdtp_media_codec_capability)) +- *codec = cap; +- else if (category == AVDTP_DELAY_REPORTING && delay_reporting) +- *delay_reporting = TRUE; ++ switch (cap->category) { ++ case AVDTP_MEDIA_CODEC: ++ if (codec) ++ *codec = cpy; ++ break; ++ case AVDTP_DELAY_REPORTING: ++ if (delay_reporting) ++ *delay_reporting = TRUE; ++ break; ++ } + } + + return caps; +@@ -1494,6 +1504,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction, + &stream->codec, + &stream->delay_reporting); + ++ if (!stream->caps || !stream->codec) { ++ err = AVDTP_UNSUPPORTED_CONFIGURATION; ++ category = 0x00; ++ goto failed_stream; ++ } ++ + /* Verify that the Media Transport capability's length = 0. Reject otherwise */ + for (l = stream->caps; l != NULL; l = g_slist_next(l)) { + struct avdtp_service_capability *cap = l->data; +diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c +index d9471c0..0233d53 100644 +--- a/profiles/audio/avrcp.c ++++ b/profiles/audio/avrcp.c +@@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction, + goto err_metadata; + } + ++ operands += sizeof(*pdu); ++ operand_count -= sizeof(*pdu); ++ ++ if (pdu->params_len != operand_count) { ++ DBG("AVRCP PDU parameters length don't match"); ++ pdu->params_len = operand_count; ++ } ++ + for (handler = session->control_handlers; handler->pdu_id; handler++) { + if (handler->pdu_id == pdu->pdu_id) + break; +-- +2.25.1 + diff --git a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch new file mode 100644 index 0000000000..74a739d6a2 --- /dev/null +++ b/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch 
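Review bot: In the avrcp.c hunk of CVE-2022-39176.patch, `operand_count -= sizeof(*pdu);` is safe only if the check before `goto err_metadata` already guarantees `operand_count >= sizeof(*pdu)`. That check lies outside the hunk, so it should be confirmed against the bluez version this recipe patches; if `operand_count` is unsigned, a wrap here would be copied straight into `pdu->params_len`. A length mismatch is logged and overwritten, not rejected, which deserves a comment such as `/* tolerate peers that send a wrong params_len; trust the received byte count */` if that is the intent. The Upstream-Status line points to an Ubuntu package version, so listing the upstream commit ids would make the backport easier to audit.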
@@ -0,0 +1,37 @@ +From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 +From: Nathan Crandall +Date: Tue, 12 Jul 2022 08:56:34 +0200 +Subject: gweb: Fix OOB write in received_data() + +There is a mismatch of handling binary vs. C-string data with memchr +and strlen, resulting in pos, count, and bytes_read to become out of +sync and result in a heap overflow. Instead, do not treat the buffer +as an ASCII C-string. We calculate the count based on the return value +of memchr, instead of strlen. + +Fixes: CVE-2022-32292 + +Upstream-Status: Backport +https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b +CVE: CVE-2022-32292 +Signed-off-by: Lee Chee Yang +--- + gweb/gweb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gweb/gweb.c b/gweb/gweb.c +index 12fcb1d8..13c6c5f2 100644 +--- a/gweb/gweb.c ++++ b/gweb/gweb.c +@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, + } + + *pos = '\0'; +- count = strlen((char *) ptr); ++ count = pos - ptr; + if (count > 0 && ptr[count - 1] == '\r') { + ptr[--count] = '\0'; + bytes_read--; +-- +cgit + diff --git a/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch b/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch new file mode 100644 index 0000000000..83a013981c --- /dev/null +++ b/poky/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch 
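Review bot: The commit id in the Upstream-Status link of CVE-2022-32292.patch, `id=d1a5ede5d255bde8ef707f8441b997563b9312b`, is one character shorter than the hash on the patch's own From line, `d1a5ede5d255bde8ef707f8441b997563b9312bd`, so the URL looks truncated. Appending the missing `d` keeps the backport traceable to the upstream commit. The one-line code change, `count = pos - ptr;`, depends on `pos` being the memchr result within the same buffer as `ptr`; that assignment is outside the hunk.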
@@ -0,0 +1,266 @@ +From 358a44b1442fae0f82846e10da0708b5c4e1ce27 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Tue, 20 Sep 2022 17:58:19 +0530 +Subject: [PATCH] CVE-2022-32293 + +CVE: CVE-2022-32293 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c && https://git.kernel.org/pub/scm/network/connman/connman.git/commit/src/wispr.c?id=416bfaff988882c553c672e5bfc2d4f648d29e8a] +Signed-off-by: Hitendra Prajapati +--- + src/wispr.c | 83 ++++++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 63 insertions(+), 20 deletions(-) + +diff --git a/src/wispr.c b/src/wispr.c +index 473c0e0..97e0242 100644 +--- a/src/wispr.c ++++ b/src/wispr.c +@@ -59,6 +59,7 @@ struct wispr_route { + }; + + struct connman_wispr_portal_context { ++ int refcount; + struct connman_service *service; + enum connman_ipconfig_type type; + struct connman_wispr_portal *wispr_portal; +@@ -96,10 +97,13 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data); + + static GHashTable *wispr_portal_list = NULL; + ++#define wispr_portal_context_ref(wp_context) \ ++ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) ++#define wispr_portal_context_unref(wp_context) \ ++ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) ++ + static void connman_wispr_message_init(struct connman_wispr_message *msg) + { +- DBG(""); +- + msg->has_error = false; + msg->current_element = NULL; + +@@ -159,11 +163,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context) + static void free_connman_wispr_portal_context( + struct connman_wispr_portal_context *wp_context) + { +- DBG("context %p", wp_context); +- +- if (!wp_context) +- return; +- + if (wp_context->wispr_portal) { + if (wp_context->wispr_portal->ipv4_context == wp_context) + wp_context->wispr_portal->ipv4_context = NULL; +@@ -200,9 +199,38 @@ static void 
free_connman_wispr_portal_context( + g_free(wp_context); + } + ++static struct connman_wispr_portal_context * ++wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, ++ const char *file, int line, const char *caller) ++{ ++ DBG("%p ref %d by %s:%d:%s()", wp_context, ++ wp_context->refcount + 1, file, line, caller); ++ ++ __sync_fetch_and_add(&wp_context->refcount, 1); ++ ++ return wp_context; ++} ++ ++static void wispr_portal_context_unref_debug( ++ struct connman_wispr_portal_context *wp_context, ++ const char *file, int line, const char *caller) ++{ ++ if (!wp_context) ++ return; ++ ++ DBG("%p ref %d by %s:%d:%s()", wp_context, ++ wp_context->refcount - 1, file, line, caller); ++ ++ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) ++ return; ++ ++ free_connman_wispr_portal_context(wp_context); ++} ++ + static struct connman_wispr_portal_context *create_wispr_portal_context(void) + { +- return g_try_new0(struct connman_wispr_portal_context, 1); ++ return wispr_portal_context_ref( ++ g_new0(struct connman_wispr_portal_context, 1)); + } + + static void free_connman_wispr_portal(gpointer data) +@@ -214,8 +242,8 @@ static void free_connman_wispr_portal(gpointer data) + if (!wispr_portal) + return; + +- free_connman_wispr_portal_context(wispr_portal->ipv4_context); +- free_connman_wispr_portal_context(wispr_portal->ipv6_context); ++ wispr_portal_context_unref(wispr_portal->ipv4_context); ++ wispr_portal_context_unref(wispr_portal->ipv6_context); + + g_free(wispr_portal); + } +@@ -450,8 +478,6 @@ static void portal_manage_status(GWebResult *result, + &str)) + connman_info("Client-Timezone: %s", str); + +- free_connman_wispr_portal_context(wp_context); +- + __connman_service_ipconfig_indicate_state(service, + CONNMAN_SERVICE_STATE_ONLINE, type); + } +@@ -509,14 +535,17 @@ static void wispr_portal_request_portal( + { + DBG(""); + ++ wispr_portal_context_ref(wp_context); + wp_context->request_id = g_web_request_get(wp_context->web, + 
wp_context->status_url, + wispr_portal_web_result, + wispr_route_request, + wp_context); + +- if (wp_context->request_id == 0) ++ if (wp_context->request_id == 0) { + wispr_portal_error(wp_context); ++ wispr_portal_context_unref(wp_context); ++ } + } + + static bool wispr_input(const guint8 **data, gsize *length, +@@ -562,13 +591,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service, + return; + + if (!authentication_done) { +- wispr_portal_error(wp_context); + free_wispr_routes(wp_context); ++ wispr_portal_error(wp_context); ++ wispr_portal_context_unref(wp_context); + return; + } + + /* Restarting the test */ + __connman_service_wispr_start(service, wp_context->type); ++ wispr_portal_context_unref(wp_context); + } + + static void wispr_portal_request_wispr_login(struct connman_service *service, +@@ -592,7 +623,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, + return; + } + +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + return; + } + +@@ -644,11 +675,13 @@ static bool wispr_manage_message(GWebResult *result, + + wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; + ++ wispr_portal_context_ref(wp_context); + if (__connman_agent_request_login_input(wp_context->service, + wispr_portal_request_wispr_login, +- wp_context) != -EINPROGRESS) ++ wp_context) != -EINPROGRESS) { + wispr_portal_error(wp_context); +- else ++ wispr_portal_context_unref(wp_context); ++ } else + return true; + + break; +@@ -697,6 +730,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + if (length > 0) { + g_web_parser_feed_data(wp_context->wispr_parser, + chunk, length); ++ wispr_portal_context_unref(wp_context); + return true; + } + +@@ -714,6 +748,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + + switch (status) { + case 000: ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, 
+ wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -725,11 +760,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + if (g_web_result_get_header(result, "X-ConnMan-Status", + &str)) { + portal_manage_status(result, wp_context); ++ wispr_portal_context_unref(wp_context); + return false; +- } else ++ } else { ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->redirect_url, wp_context); ++ } + + break; + case 302: +@@ -737,6 +775,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + !g_web_result_get_header(result, "Location", + &redirect)) { + ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -747,6 +786,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + + wp_context->redirect_url = g_strdup(redirect); + ++ wispr_portal_context_ref(wp_context); + wp_context->request_id = g_web_request_get(wp_context->web, + redirect, wispr_portal_web_result, + wispr_route_request, wp_context); +@@ -763,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + + break; + case 505: ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -775,6 +816,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + wp_context->request_id = 0; + done: + wp_context->wispr_msg.message_type = -1; ++ wispr_portal_context_unref(wp_context); + return false; + } + +@@ -809,6 +851,7 @@ static void proxy_callback(const char *proxy, void *user_data) + xml_wispr_parser_callback, wp_context); + + wispr_portal_request_portal(wp_context); ++ wispr_portal_context_unref(wp_context); + } + + static gboolean 
no_proxy_callback(gpointer user_data) +@@ -903,7 +946,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context) + + if (wp_context->token == 0) { + err = -EINVAL; +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + } + } else if (wp_context->timeout == 0) { + wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); +@@ -952,7 +995,7 @@ int __connman_wispr_start(struct connman_service *service, + + /* If there is already an existing context, we wipe it */ + if (wp_context) +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + + wp_context = create_wispr_portal_context(); + if (!wp_context) +-- +2.25.1 + diff --git a/poky/meta/recipes-connectivity/connman/connman_1.37.bb b/poky/meta/recipes-connectivity/connman/connman_1.37.bb index bdd1e590ec..73d7f7527e 100644 --- a/poky/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/poky/meta/recipes-connectivity/connman/connman_1.37.bb @@ -12,6 +12,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://CVE-2021-33833.patch \ file://CVE-2022-23096-7.patch \ file://CVE-2022-23098.patch \ + file://CVE-2022-32292.patch \ + file://CVE-2022-32293.patch \ " SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch new file mode 100644 index 0000000000..da2da8da8a --- /dev/null +++ b/poky/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch 
@@ -0,0 +1,54 @@ +From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Mon, 26 Sep 2022 22:05:07 +0200 +Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt + +Fix telnetd crash if the first two bytes of a new connection +are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL). + +The problem was reported in: +. + +* NEWS: Mention fix. +* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and +zero slctab[SLC_EL].sptr. + +CVE: CVE-2022-39028 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f] +Signed-off-by: Minjae Kim +--- + telnetd/state.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/telnetd/state.c b/telnetd/state.c +index 2184bca..7948503 100644 +--- a/telnetd/state.c ++++ b/telnetd/state.c +@@ -314,15 +314,21 @@ telrcv (void) + case EC: + case EL: + { +- cc_t ch; ++ cc_t ch = (cc_t) (_POSIX_VDISABLE); + + DEBUG (debug_options, 1, printoption ("td: recv IAC", c)); + ptyflush (); /* half-hearted */ + init_termbuf (); + if (c == EC) +- ch = *slctab[SLC_EC].sptr; ++ { ++ if (slctab[SLC_EC].sptr) ++ ch = *slctab[SLC_EC].sptr; ++ } + else +- ch = *slctab[SLC_EL].sptr; ++ { ++ if (slctab[SLC_EL].sptr) ++ ch = *slctab[SLC_EL].sptr; ++ } + if (ch != (cc_t) (_POSIX_VDISABLE)) + pty_output_byte ((unsigned char) ch); + break; +-- +2.25.1 + diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb b/poky/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb index f4450e19f4..fe391b8bce 100644 --- a/poky/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb +++ b/poky/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb 
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \ file://0001-rcp-fix-to-work-with-large-files.patch \ file://fix-buffer-fortify-tfpt.patch \ file://CVE-2021-40491.patch \ + file://CVE-2022-39028.patch \ " SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52" diff --git a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb index e6f216e5cb..2cc92b7b47 100644 --- a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb +++ b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb @@ -5,8 +5,8 @@ SECTION = "network" LICENSE = "PD" LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04" -SRCREV = "3d5c8d0f7e0264768a2c000d0fd4b4d4a991e041" -PV = "20220511" +SRCREV = "fe19892a8168bf19d81e3bc4ee319bf7f9f058f5" +PV = "20220725" PE = "1" SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main" diff --git a/poky/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/poky/meta/recipes-core/expat/expat/CVE-2022-40674.patch new file mode 100644 index 0000000000..8b95f5f198 --- /dev/null +++ b/poky/meta/recipes-core/expat/expat/CVE-2022-40674.patch 
@@ -0,0 +1,53 @@ +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001 +From: Rhodri James +Date: Wed, 17 Aug 2022 18:26:18 +0100 +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser + +It is possible to concoct a situation in which parsing is +suspended while substituting in an internal entity, so that +XML_ResumeParser directly uses internalEntityProcessor as +its processor. If the subsequent parse includes some unclosed +tags, this will return without calling storeRawNames to ensure +that the raw versions of the tag names are stored in memory other +than the parse buffer itself. If the parse buffer is then changed +or reallocated (for example if processing a file line by line), +badness will ensue. + +This patch ensures storeRawNames is always called when needed +after calling doContent. The earlier call do doContent does +not need the same protection; it only deals with entity +substitution, which cannot leave unbalanced tags, and in any +case the raw names will be pointing into the stored entity +value not the parse buffer. + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b] +CVE: CVE-2022-40674 +Signed-off-by: Virendra Thakur +--- + expat/lib/xmlparse.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +Index: expat/lib/xmlparse.c +=================================================================== +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse + { + parser->m_processor = contentProcessor; + /* see externalEntityContentProcessor vs contentProcessor */ +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, +- s, end, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, +- XML_ACCOUNT_DIRECT); ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, ++ parser->m_encoding, s, end, nextPtr, ++ (XML_Bool)! 
parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); ++ if (result == XML_ERROR_NONE) { ++ if (! storeRawNames(parser)) ++ return XML_ERROR_NO_MEMORY; ++ } ++ return result; + } + } + diff --git a/poky/meta/recipes-core/expat/expat_2.2.9.bb b/poky/meta/recipes-core/expat/expat_2.2.9.bb index f50e535922..578edfcbff 100644 --- a/poky/meta/recipes-core/expat/expat_2.2.9.bb +++ b/poky/meta/recipes-core/expat/expat_2.2.9.bb @@ -20,6 +20,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \ file://CVE-2022-25314.patch \ file://CVE-2022-25315.patch \ file://libtool-tag.patch \ + file://CVE-2022-40674.patch \ " SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13" diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 52442c38ed..7426eb077a 100644 --- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk" inherit core-image setuptools3 -SRCREV ?= "23322786e02469c08e3db007043da1091bf0f466" +SRCREV ?= "9ae91384970637cd8880c07071fb44b7f5574012" SRC_URI = "git://git.yoctoproject.org/poky;branch=dunfell \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch new file mode 100644 index 0000000000..5301d05323 --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch 
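Review bot: The removed `doContent(...)` call in CVE-2022-40674.patch already passes `XML_ACCOUNT_DIRECT`, which as far as I know is not in stock expat 2.2.9, so this patch appears to apply only on top of an earlier accounting backport listed in SRC_URI. The recipe hunk appends it after `libtool-tag.patch`, which keeps that order, but the dependency is not recorded anywhere. A header line in the patch such as `Note: applies on top of the backport that adds the XML_ACCOUNT_DIRECT argument to doContent` would keep a later reorder or patch removal from silently dropping this fix at do_patch time. `result` is assigned here but declared outside the hunk, since internalEntityProcessor starts before it.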
@@ -0,0 +1,89 @@ +From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 15 Aug 2020 18:32:29 +0200 +Subject: [PATCH] Revert "Do not URI escape in server side includes" + +This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588. + +This commit introduced + +- an infinite loop, found by OSS-Fuzz, which could be easily fixed. +- an algorithm with quadratic runtime +- a security issue, see + https://bugzilla.gnome.org/show_bug.cgi?id=769760 + +A better approach is to add an option not to escape URLs at all +which libxml2 should have possibly done in the first place. + +CVE: CVE-2016-3709 +Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f] +Signed-off-by: Pawan Badganchi +--- + HTMLtree.c | 49 +++++++++++-------------------------------------- + 1 file changed, 11 insertions(+), 38 deletions(-) + +diff --git a/HTMLtree.c b/HTMLtree.c +index 8d236bb35..cdb7f86a6 100644 +--- a/HTMLtree.c ++++ b/HTMLtree.c +@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur, + (!xmlStrcasecmp(cur->name, BAD_CAST "src")) || + ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) && + (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) { ++ xmlChar *escaped; + xmlChar *tmp = value; +- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */ +- xmlBufCCat(buf->buffer, "\""); + + while (IS_BLANK_CH(*tmp)) tmp++; + +- /* URI Escape everything, except server side includes. */ +- for ( ; ; ) { +- xmlChar *escaped; +- xmlChar endChar; +- xmlChar *end = NULL; +- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST ""); +- if (end != NULL) { +- *start = '\0'; +- } +- } +- +- /* Escape the whole string, or until start (set to '\0'). 
*/ +- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+"); +- if (escaped != NULL) { +- xmlBufCat(buf->buffer, escaped); +- xmlFree(escaped); +- } else { +- xmlBufCat(buf->buffer, tmp); +- } +- +- if (end == NULL) { /* Everything has been written. */ +- break; +- } +- +- /* Do not escape anything within server side includes. */ +- *start = '<'; /* Restore the first character of "") */ +- endChar = *end; +- *end = '\0'; +- xmlBufCat(buf->buffer, start); +- *end = endChar; +- tmp = end; ++ /* ++ * the < and > have already been escaped at the entity level ++ * And doing so here breaks server side includes ++ */ ++ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>"); ++ if (escaped != NULL) { ++ xmlBufWriteQuotedString(buf->buffer, escaped); ++ xmlFree(escaped); ++ } else { ++ xmlBufWriteQuotedString(buf->buffer, value); + } +- +- xmlBufCCat(buf->buffer, "\""); + } else { + xmlBufWriteQuotedString(buf->buffer, value); + } diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb index d1c1f0884f..dc62991739 100644 --- a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb @@ -33,6 +33,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te file://CVE-2022-29824-dependent.patch \ file://CVE-2022-29824.patch \ file://0001-Port-gentest.py-to-Python-3.patch \ + file://CVE-2016-3709.patch \ " SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813" diff --git a/poky/meta/recipes-core/meta/cve-update-db-native.bb b/poky/meta/recipes-core/meta/cve-update-db-native.bb index a49f446a53..85874ead01 100644 --- a/poky/meta/recipes-core/meta/cve-update-db-native.bb +++ b/poky/meta/recipes-core/meta/cve-update-db-native.bb 
@@ -65,9 +65,7 @@ python do_fetch() { # Connect to database conn = sqlite3.connect(db_file) - c = conn.cursor() - - initialize_db(c) + initialize_db(conn) with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: total_years = date.today().year + 1 - YEAR_START @@ -96,18 +94,20 @@ python do_fetch() { return # Compare with current db last modified date - c.execute("select DATE from META where YEAR = ?", (year,)) - meta = c.fetchone() + cursor = conn.execute("select DATE from META where YEAR = ?", (year,)) + meta = cursor.fetchone() + cursor.close() + if not meta or meta[0] != last_modified: # Clear products table entries corresponding to current year - c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)) + conn.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)).close() # Update db with current year json file try: response = urllib.request.urlopen(json_url) if response: - update_db(c, gzip.decompress(response.read()).decode('utf-8')) - c.execute("insert or replace into META values (?, ?)", [year, last_modified]) + update_db(conn, gzip.decompress(response.read()).decode('utf-8')) + conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() except urllib.error.URLError as e: cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) 
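Review bot: In the `@@ -96,18 +94,20 @@` hunk the per-year refresh is three separate statements (the `delete from PRODUCTS`, `update_db(conn, ...)`, and the `insert or replace into META`) with no transaction scope around them, and only `urllib.error.URLError` is caught. An exception raised inside `update_db` (a truncated gzip body or unexpected JSON, for example) would leave the function after that year's PRODUCTS rows were deleted, and whether that state is committed or rolled back depends on code outside the hunk. The same commit already uses `with conn:` in `initialize_db`; putting the delete, the `update_db` call and the META write under one `with conn:` would commit a year's refresh on success and roll it back on error. That matters because cve-check reads this database, so a half-populated year would show up as missing findings rather than as an error. do_fetch starts and ends outside the hunk.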
@@ -125,21 +125,26 @@ do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" do_fetch[file-checksums] = "" do_fetch[vardeps] = "" -def initialize_db(c): - c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") +def initialize_db(conn): + with conn: + c = conn.cursor() + + c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") + + c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ + SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") - c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ - SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") + c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ + VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ + VERSION_END TEXT, OPERATOR_END TEXT)") + c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);") - c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ - VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ - VERSION_END TEXT, OPERATOR_END TEXT)") - c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);") + c.close() -def parse_node_and_insert(c, node, cveId): +def parse_node_and_insert(conn, node, cveId): # Parse children node if needed for child in node.get('children', ()): - parse_node_and_insert(c, child, cveId) + parse_node_and_insert(conn, child, cveId) def cpe_generator(): for cpe in node.get('cpe_match', ()): @@ -196,9 +201,9 @@ def parse_node_and_insert(c, node, cveId): # Save processing by representing as -. yield [cveId, vendor, product, '-', '', '', ''] - c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()) + conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close() -def update_db(c, jsondata): +def update_db(conn, jsondata): import json root = json.loads(jsondata) 
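Review bot: `initialize_db` in the `@@ -125,21 +125,26 @@` hunk opens a cursor with `c = conn.cursor()` and closes it with a trailing `c.close()`, so the close is skipped if any of the four `c.execute(...)` calls raises. The rest of this commit uses the connection shortcut and closes each cursor at the call site, and the same form fits here, e.g. `conn.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)").close()` for each statement inside the `with conn:` block. A one-line docstring noting that the function is idempotent (every statement is `IF NOT EXISTS`) and commits through `with conn:` would also help the next reader.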
@@ -222,12 +227,12 @@ def update_db(c, jsondata): accessVector = accessVector or "UNKNOWN" cvssv3 = 0.0 - c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", - [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]) + conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", + [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() configurations = elt['configurations']['nodes'] for config in configurations: - parse_node_and_insert(c, config, cveId) + parse_node_and_insert(conn, config, cveId) do_fetch[nostamp] = "1" diff --git a/poky/meta/recipes-core/systemd/systemd/00-create-volatile.conf b/poky/meta/recipes-core/systemd/systemd/00-create-volatile.conf index 87cbe1e7d3..c4277221a2 100644 --- a/poky/meta/recipes-core/systemd/systemd/00-create-volatile.conf +++ b/poky/meta/recipes-core/systemd/systemd/00-create-volatile.conf @@ -3,5 +3,6 @@ # inside /var/log. +d /run/lock 1777 - - - d /var/volatile/log - - - - d /var/volatile/tmp 1777 - - diff --git a/poky/meta/recipes-core/systemd/systemd_244.5.bb b/poky/meta/recipes-core/systemd/systemd_244.5.bb index a648272bc0..f3e5395465 100644 --- a/poky/meta/recipes-core/systemd/systemd_244.5.bb +++ b/poky/meta/recipes-core/systemd/systemd_244.5.bb @@ -162,6 +162,7 @@ PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native xmlto-native do PACKAGECONFIG[microhttpd] = "-Dmicrohttpd=true,-Dmicrohttpd=false,libmicrohttpd" PACKAGECONFIG[myhostname] = "-Dnss-myhostname=true,-Dnss-myhostname=false,,libnss-myhostname" PACKAGECONFIG[networkd] = "-Dnetworkd=true,-Dnetworkd=false" +PACKAGECONFIG[no-dns-fallback] = "-Ddns-servers=" PACKAGECONFIG[nss] = "-Dnss-systemd=true,-Dnss-systemd=false" PACKAGECONFIG[nss-mymachines] = "-Dnss-mymachines=true,-Dnss-mymachines=false" PACKAGECONFIG[nss-resolve] = "-Dnss-resolve=true,-Dnss-resolve=false" diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.34.inc b/poky/meta/recipes-devtools/binutils/binutils-2.34.inc index 6a55de2d45..ff0d467132 100644 
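Review bot: The added `d /run/lock 1777 - - -` line in 00-create-volatile.conf creates the lock directory world-writable (sticky) without a comment saying which consumer needs that mode, and the file's existing comment, as far as the hunk shows, only covers /var/log. With 1777 any local account can create lock files there, so a service that trusts a lock name in /run/lock can be blocked by an unprivileged user. If legacy lock-file users on the image require it, state that next to the line, for example `# /run/lock must be writable by non-root lock-file users (list them here)`. If nothing does, a root-owned mode would be the safer default.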
--- a/poky/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/poky/meta/recipes-devtools/binutils/binutils-2.34.inc @@ -52,5 +52,6 @@ SRC_URI = "\ file://CVE-2021-3549.patch \ file://CVE-2020-16593.patch \ file://0001-CVE-2021-45078.patch \ + file://CVE-2022-38533.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch new file mode 100644 index 0000000000..102d65f8a6 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch @@ -0,0 +1,37 @@ +From ef186fe54aa6d281a3ff8a9528417e5cc614c797 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sat, 13 Aug 2022 15:32:47 +0930 +Subject: [PATCH] PR29482 - strip: heap-buffer-overflow + + PR 29482 + * coffcode.h (coff_set_section_contents): Sanity check _LIB. + +CVE: CVE-2022-38533 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797] + +Signed-off-by: Florin Diaconescu + +--- + bfd/coffcode.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/bfd/coffcode.h b/bfd/coffcode.h +index dec2e9c6370..75c18d88602 100644 +--- a/bfd/coffcode.h ++++ b/bfd/coffcode.h +@@ -4170,10 +4170,13 @@ coff_set_section_contents (bfd * abfd, + + rec = (bfd_byte *) location; + recend = rec + count; +- while (rec < recend) ++ while (recend - rec >= 4) + { ++ size_t len = bfd_get_32 (abfd, rec); ++ if (len == 0 || len > (size_t) (recend - rec) / 4) ++ break; ++ rec += len * 4; + ++section->lma; +- rec += bfd_get_32 (abfd, rec) * 4; + } + + BFD_ASSERT (rec == recend); diff --git a/poky/meta/recipes-devtools/go/go-1.14.inc b/poky/meta/recipes-devtools/go/go-1.14.inc index b160222f76..2e1d8240f6 100644 --- a/poky/meta/recipes-devtools/go/go-1.14.inc +++ b/poky/meta/recipes-devtools/go/go-1.14.inc 
@@ -25,6 +25,22 @@ SRC_URI += "\ file://CVE-2021-44717.patch \ file://CVE-2022-24675.patch \ file://CVE-2021-31525.patch \ + file://CVE-2022-30629.patch \ + file://CVE-2022-30631.patch \ + file://CVE-2022-30632.patch \ + file://CVE-2022-30633.patch \ + file://CVE-2022-30635.patch \ + file://CVE-2022-32148.patch \ + file://CVE-2022-32189.patch \ + file://CVE-2021-27918.patch \ + file://CVE-2021-36221.patch \ + file://CVE-2021-39293.patch \ + file://CVE-2021-41771.patch \ + file://CVE-2022-27664.patch \ + file://0001-CVE-2022-32190.patch \ + file://0002-CVE-2022-32190.patch \ + file://0003-CVE-2022-32190.patch \ + file://0004-CVE-2022-32190.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" @@ -35,3 +51,9 @@ SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d8 # https://github.com/golang/go/issues/30999#issuecomment-910470358 CVE_CHECK_WHITELIST += "CVE-2021-29923" +# this issue affected go1.15 onwards +# https://security-tracker.debian.org/tracker/CVE-2022-29526 +CVE_CHECK_WHITELIST += "CVE-2022-29526" + +# Issue only on windows +CVE_CHECK_WHITELIST += "CVE-2022-30634" diff --git a/poky/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch b/poky/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch new file mode 100644 index 0000000000..ad263b8023 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch 
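Review bot: In the `@@ -35,3 +51,9 @@` hunk the whitelist entry for CVE-2022-30634 is justified only by `# Issue only on windows`, while the CVE-2022-29526 entry just above it cites a tracker URL. A `CVE_CHECK_WHITELIST` entry removes the CVE from every future scan report, so the reason should be traceable. Add the upstream advisory or issue link under the comment, in the same form as the CVE-2022-29526 entry. In the first hunk the four `000N-CVE-2022-32190.patch` entries only apply in the listed order, since each one patches the function the previous one added, which a short comment above them could state.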
@@ -0,0 +1,74 @@ +From 755f2dc35a19e6806de3ecbf836fa06ad875c67a Mon Sep 17 00:00:00 2001 +From: Carl Johnson +Date: Fri, 4 Mar 2022 14:49:52 +0000 +Subject: [PATCH 1/4] net/url: add JoinPath, URL.JoinPath + +Builds on CL 332209. + +Fixes #47005 + +Change-Id: I82708dede05d79a196ca63f5a4e7cb5ac9a041ea +GitHub-Last-Rev: 51b735066eef74f5e67c3e8899c58f44c0383c61 +GitHub-Pull-Request: golang/go#50383 +Reviewed-on: https://go-review.googlesource.com/c/go/+/374654 +Reviewed-by: Russ Cox +Auto-Submit: Russ Cox +Trust: Ian Lance Taylor +Reviewed-by: Damien Neil +Run-TryBot: Ian Lance Taylor +TryBot-Result: Gopher Robot + +Upstream-Status: Backport [https://github.com/golang/go/commit/604140d93111f89911e17cb147dcf6a02d2700d0] +CVE: CVE-2022-32190 +Signed-off-by: Shubham Kulkarni +--- + src/net/url/url.go | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 2880e82..dea8bfe 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -13,6 +13,7 @@ package url + import ( + "errors" + "fmt" ++ "path" + "sort" + "strconv" + "strings" +@@ -1104,6 +1105,17 @@ func (u *URL) UnmarshalBinary(text []byte) error { + return nil + } + ++// JoinPath returns a new URL with the provided path elements joined to ++// any existing path and the resulting path cleaned of any ./ or ../ elements. ++func (u *URL) JoinPath(elem ...string) *URL { ++ url := *u ++ if len(elem) > 0 { ++ elem = append([]string{u.Path}, elem...) ++ url.setPath(path.Join(elem...)) ++ } ++ return &url ++} ++ + // validUserinfo reports whether s is a valid userinfo string per RFC 3986 + // Section 3.2.1: + // userinfo = *( unreserved / pct-encoded / sub-delims / ":" ) +@@ -1144,3 +1156,14 @@ func stringContainsCTLByte(s string) bool { + } + return false + } ++ ++// JoinPath returns a URL string with the provided path elements joined to ++// the existing path of base and the resulting path cleaned of any ./ or ../ elements. 
++func JoinPath(base string, elem ...string) (result string, err error) { ++ url, err := Parse(base) ++ if err != nil { ++ return ++ } ++ result = url.JoinPath(elem...).String() ++ return ++} +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch b/poky/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch new file mode 100644 index 0000000000..1a11cc72bc --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch 
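Review bot: 0001-CVE-2022-32190.patch adds `JoinPath` and `URL.JoinPath` to net/url as new API (its subject is "add JoinPath"), so the Go 1.14 tree did not have the function that the later patches in the series repair. If nothing in this tree or its consumers calls it, the CVE could be handled with a commented `CVE_CHECK_WHITELIST` entry, as go-1.14.inc does for other non-applicable CVEs, instead of growing the standard library surface on a stable branch. If the backport is kept, the patch header should say that 1/4 through 3/4 exist only as prerequisites for 4/4 and must not be applied alone, because the intermediate states contain the path-cleaning behaviour that 4/4 corrects. Also note that `url.setPath(path.Join(elem...))` discards setPath's return value, which the doc comment on `URL.JoinPath` does not mention.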
@@ -0,0 +1,48 @@ +From 985108de87e7d2ecb2b28cb53b323d530387b884 Mon Sep 17 00:00:00 2001 +From: Ian Lance Taylor +Date: Thu, 31 Mar 2022 13:21:39 -0700 +Subject: [PATCH 2/4] net/url: preserve a trailing slash in JoinPath + +Fixes #52074 + +Change-Id: I30897f32e70a6ca0c4e11aaf07088c27336efaba +Reviewed-on: https://go-review.googlesource.com/c/go/+/397256 +Trust: Ian Lance Taylor +Run-TryBot: Ian Lance Taylor +TryBot-Result: Gopher Robot +Reviewed-by: Matt Layher +Trust: Matt Layher + +Upstream-Status: Backport [https://github.com/golang/go/commit/dbb52cc9f3e83a3040f46c2ae7650c15ab342179] +CVE: CVE-2022-32190 +Signed-off-by: Shubham Kulkarni +--- + src/net/url/url.go | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/net/url/url.go b/src/net/url/url.go +index dea8bfe..3436707 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -1107,11 +1107,18 @@ func (u *URL) UnmarshalBinary(text []byte) error { + + // JoinPath returns a new URL with the provided path elements joined to + // any existing path and the resulting path cleaned of any ./ or ../ elements. ++// Any sequences of multiple / characters will be reduced to a single /. + func (u *URL) JoinPath(elem ...string) *URL { + url := *u + if len(elem) > 0 { + elem = append([]string{u.Path}, elem...) +- url.setPath(path.Join(elem...)) ++ p := path.Join(elem...) ++ // path.Join will remove any trailing slashes. ++ // Preserve at least one. ++ if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") { ++ p += "/" ++ } ++ url.setPath(p) + } + return &url + } +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch b/poky/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch new file mode 100644 index 0000000000..816d914983 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch 
@@ -0,0 +1,36 @@ +From 2c632b883b0f11084cc247c8b50ad6c71fa7b447 Mon Sep 17 00:00:00 2001 +From: Sean Liao +Date: Sat, 9 Jul 2022 18:38:45 +0100 +Subject: [PATCH 3/4] net/url: use EscapedPath for url.JoinPath + +Fixes #53763 + +Change-Id: I08b53f159ebdce7907e8cc17316fd0c982363239 +Reviewed-on: https://go-review.googlesource.com/c/go/+/416774 +TryBot-Result: Gopher Robot +Reviewed-by: Damien Neil +Reviewed-by: Bryan Mills +Run-TryBot: Ian Lance Taylor + +Upstream-Status: Backport [https://github.com/golang/go/commit/bf5898ef53d1693aa572da0da746c05e9a6f15c5] +CVE: CVE-2022-32190 +Signed-off-by: Shubham Kulkarni +--- + src/net/url/url.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 3436707..73079a5 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -1111,7 +1111,7 @@ func (u *URL) UnmarshalBinary(text []byte) error { + func (u *URL) JoinPath(elem ...string) *URL { + url := *u + if len(elem) > 0 { +- elem = append([]string{u.Path}, elem...) ++ elem = append([]string{u.EscapedPath()}, elem...) + p := path.Join(elem...) + // path.Join will remove any trailing slashes. + // Preserve at least one. +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch b/poky/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch new file mode 100644 index 0000000000..4bdff3aed4 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch 
@@ -0,0 +1,82 @@ +From f61e428699cbb52bab31fe2c124f49d085a209fe Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 12 Aug 2022 16:21:09 -0700 +Subject: [PATCH 4/4] net/url: consistently remove ../ elements in JoinPath + +JoinPath would fail to remove relative elements from the start of +the path when the first path element is "". + +In addition, JoinPath would return the original path unmodified +when provided with no elements to join, violating the documented +behavior of always cleaning the resulting path. + +Correct both these cases. + + JoinPath("http://go.dev", "../go") + // before: http://go.dev/../go + // after: http://go.dev/go + + JoinPath("http://go.dev/../go") + // before: http://go.dev/../go + // after: http://go.dev/go + +For #54385. +Fixes #54635. +Fixes CVE-2022-32190. + +Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9 +Reviewed-on: https://go-review.googlesource.com/c/go/+/423514 +Reviewed-by: David Chase +Reviewed-by: Alan Donovan +(cherry picked from commit 0765da5884adcc8b744979303a36a27092d8fc51) +Reviewed-on: https://go-review.googlesource.com/c/go/+/425357 +Run-TryBot: Damien Neil +TryBot-Result: Gopher Robot + +Upstream-Status: Backport [https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec] +CVE: CVE-2022-32190 +Signed-off-by: Shubham Kulkarni +--- + src/net/url/url.go | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 73079a5..1e8baf9 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -1109,17 +1109,23 @@ func (u *URL) UnmarshalBinary(text []byte) error { + // any existing path and the resulting path cleaned of any ./ or ../ elements. + // Any sequences of multiple / characters will be reduced to a single /. + func (u *URL) JoinPath(elem ...string) *URL { +- url := *u +- if len(elem) > 0 { +- elem = append([]string{u.EscapedPath()}, elem...) +- p := path.Join(elem...) 
+- // path.Join will remove any trailing slashes. +- // Preserve at least one. +- if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") { +- p += "/" +- } +- url.setPath(p) ++ elem = append([]string{u.EscapedPath()}, elem...) ++ var p string ++ if !strings.HasPrefix(elem[0], "/") { ++ // Return a relative path if u is relative, ++ // but ensure that it contains no ../ elements. ++ elem[0] = "/" + elem[0] ++ p = path.Join(elem...)[1:] ++ } else { ++ p = path.Join(elem...) + } ++ // path.Join will remove any trailing slashes. ++ // Preserve at least one. ++ if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") { ++ p += "/" ++ } ++ url := *u ++ url.setPath(p) + return &url + } + +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch new file mode 100644 index 0000000000..faa3f7f641 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch 
@@ -0,0 +1,191 @@
+From d0b79e3513a29628f3599dc8860666b6eed75372 Mon Sep 17 00:00:00 2001
+From: Katie Hockman
+Date: Mon, 1 Mar 2021 09:54:00 -0500
+Subject: [PATCH] encoding/xml: prevent infinite loop while decoding
+
+This change properly handles a TokenReader which
+returns an EOF in the middle of an open XML
+element.
+
+Thanks to Sam Whited for reporting this.
+
+Fixes CVE-2021-27918
+Fixes #44913
+
+Change-Id: Id02a3f3def4a1b415fa2d9a8e3b373eb6cb0f433
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004594
+Reviewed-by: Russ Cox
+Reviewed-by: Roland Shoemaker
+Reviewed-by: Filippo Valsorda
+Reviewed-on: https://go-review.googlesource.com/c/go/+/300391
+Trust: Katie Hockman
+Run-TryBot: Katie Hockman
+TryBot-Result: Go Bot
+Reviewed-by: Alexander Rakoczy
+Reviewed-by: Filippo Valsorda
+
+https://github.com/golang/go/commit/d0b79e3513a29628f3599dc8860666b6eed75372
+CVE: CVE-2021-27918
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee
+---
+ src/encoding/xml/xml.go | 19 ++++---
+ src/encoding/xml/xml_test.go | 104 +++++++++++++++++++++++++++--------
+ 2 files changed, 92 insertions(+), 31 deletions(-)
+
+diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go
+index adaf4daf198b9..6f9594d7ba7a3 100644
+--- a/src/encoding/xml/xml.go
++++ b/src/encoding/xml/xml.go
+@@ -271,7 +271,7 @@ func NewTokenDecoder(t TokenReader) *Decoder {
+ // it will return an error.
+ //
+ // Token implements XML name spaces as described by
+-// https://www.w3.org/TR/REC-xml-names/. Each of the
++// https://www.w3.org/TR/REC-xml-names/. Each of the
+ // Name structures contained in the Token has the Space
+ // set to the URL identifying its name space when known.
+ // If Token encounters an unrecognized name space prefix,
+@@ -285,16 +285,17 @@ func (d *Decoder) Token() (Token, error) {
+ if d.nextToken != nil {
+ t = d.nextToken
+ d.nextToken = nil
+- } else if t, err = d.rawToken(); err != nil {
+- switch {
+- case err == io.EOF && d.t != nil:
+- err = nil
+- case err == io.EOF && d.stk != nil && d.stk.kind != stkEOF:
+- err = d.syntaxError("unexpected EOF")
++ } else {
++ if t, err = d.rawToken(); t == nil && err != nil {
++ if err == io.EOF && d.stk != nil && d.stk.kind != stkEOF {
++ err = d.syntaxError("unexpected EOF")
++ }
++ return nil, err
+ }
+- return t, err
++ // We still have a token to process, so clear any
++ // errors (e.g. EOF) and proceed.
++ err = nil
+ }
+-
+ if !d.Strict {
+ if t1, ok := d.autoClose(t); ok {
+ d.nextToken = t
+diff --git a/src/encoding/xml/xml_test.go b/src/encoding/xml/xml_test.go
+index efddca43e9102..5672ebb375f0d 100644
+--- a/src/encoding/xml/xml_test.go
++++ b/src/encoding/xml/xml_test.go
+@@ -33,30 +33,90 @@ func (t *toks) Token() (Token, error) {
+
+ func TestDecodeEOF(t *testing.T) {
+ start := StartElement{Name: Name{Local: "test"}}
+- t.Run("EarlyEOF", func(t *testing.T) {
+- d := NewTokenDecoder(&toks{earlyEOF: true, t: []Token{
+- start,
+- start.End(),
+- }})
+- err := d.Decode(&struct {
+- XMLName Name `xml:"test"`
+- }{})
+- if err != nil {
+- t.Error(err)
++ tests := []struct {
++ name string
++ tokens []Token
++ ok bool
++ }{
++ {
++ name: "OK",
++ tokens: []Token{
++ start,
++ start.End(),
++ },
++ ok: true,
++ },
++ {
++ name: "Malformed",
++ tokens: []Token{
++ start,
++ StartElement{Name: Name{Local: "bad"}},
++ start.End(),
++ },
++ ok: false,
++ },
++ }
++ for _, tc := range tests {
++ for _, eof := range []bool{true, false} {
++ name := fmt.Sprintf("%s/earlyEOF=%v", tc.name, eof)
++ t.Run(name, func(t *testing.T) {
++ d := NewTokenDecoder(&toks{
++ earlyEOF: eof,
++ t: tc.tokens,
++ })
++ err := d.Decode(&struct {
++ XMLName Name `xml:"test"`
++ }{})
++ if tc.ok && err != nil {
++ t.Fatalf("d.Decode: expected nil error, got %v", err)
++ }
++ if _, ok := err.(*SyntaxError); !tc.ok && !ok {
++ t.Errorf("d.Decode: expected syntax error, got %v", err)
++ }
++ })
+ }
+- })
+- t.Run("LateEOF", func(t *testing.T) {
+- d := NewTokenDecoder(&toks{t: []Token{
+- start,
+- start.End(),
+- }})
+- err := d.Decode(&struct {
+- XMLName Name `xml:"test"`
+- }{})
+- if err != nil {
+- t.Error(err)
++ }
++}
++
++type toksNil struct {
++ returnEOF bool
++ t []Token
++}
++
++func (t *toksNil) Token() (Token, error) {
++ if len(t.t) == 0 {
++ if !t.returnEOF {
++ // Return nil, nil before returning an EOF. It's legal, but
++ // discouraged.
++ t.returnEOF = true
++ return nil, nil
+ }
+- })
++ return nil, io.EOF
++ }
++ var tok Token
++ tok, t.t = t.t[0], t.t[1:]
++ return tok, nil
++}
++
++func TestDecodeNilToken(t *testing.T) {
++ for _, strict := range []bool{true, false} {
++ name := fmt.Sprintf("Strict=%v", strict)
++ t.Run(name, func(t *testing.T) {
++ start := StartElement{Name: Name{Local: "test"}}
++ bad := StartElement{Name: Name{Local: "bad"}}
++ d := NewTokenDecoder(&toksNil{
++ // Malformed
++ t: []Token{start, bad, start.End()},
++ })
++ d.Strict = strict
++ err := d.Decode(&struct {
++ XMLName Name `xml:"test"`
++ }{})
++ if _, ok := err.(*SyntaxError); !ok {
++ t.Errorf("d.Decode: expected syntax error, got %v", err)
++ }
++ })
++ }
+ }
+
+ const testInput = `
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch
new file mode 100644
index 0000000000..9c00d4ebb2
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch
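Review bot: In `Decoder.Token` (CVE-2021-27918.patch) the new `err = nil` discards every error that `rawToken` returns together with a non-nil token, not only `io.EOF` as the comment's "(e.g. EOF)" suggests. A custom `TokenReader` that hands back a token plus a real error would have that error silently dropped. Consider clearing only the EOF case, `if err == io.EOF { err = nil }`, or at least say in the comment that all errors are dropped on purpose. The rest of `Token` lies outside the hunk, so how a surviving `err` would be treated further down needs checking before changing this.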
@@ -0,0 +1,101 @@
+From b7a85e0003cedb1b48a1fd3ae5b746ec6330102e Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 7 Jul 2021 16:34:34 -0700
+Subject: [PATCH] net/http/httputil: close incoming ReverseProxy request body
+
+Reading from an incoming request body after the request handler aborts
+with a panic can cause a panic, becuse http.Server does not (contrary
+to its documentation) close the request body in this case.
+
+Always close the incoming request body in ReverseProxy.ServeHTTP to
+ensure that any in-flight outgoing requests using the body do not
+read from it.
+
+Updates #46866
+Fixes CVE-2021-36221
+
+Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
+Reviewed-on: https://go-review.googlesource.com/c/go/+/333191
+Trust: Damien Neil
+Reviewed-by: Brad Fitzpatrick
+Reviewed-by: Filippo Valsorda
+
+https://github.com/golang/go/commit/b7a85e0003cedb1b48a1fd3ae5b746ec6330102e
+CVE: CVE-2021-36221
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee
+---
+ src/net/http/httputil/reverseproxy.go | 9 +++++
+ src/net/http/httputil/reverseproxy_test.go | 39 ++++++++++++++++++++++
+ 2 files changed, 48 insertions(+)
+
+diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
+index 5d39955d62d15..8b63368386f43 100644
+--- a/src/net/http/httputil/reverseproxy.go
++++ b/src/net/http/httputil/reverseproxy.go
+@@ -235,6 +235,15 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+ if req.ContentLength == 0 {
+ outreq.Body = nil // Issue 16036: nil Body for http.Transport retries
+ }
++ if outreq.Body != nil {
++ // Reading from the request body after returning from a handler is not
++ // allowed, and the RoundTrip goroutine that reads the Body can outlive
++ // this handler. This can lead to a crash if the handler panics (see
++ // Issue 46866). Although calling Close doesn't guarantee there isn't
++ // any Read in flight after the handle returns, in practice it's safe to
++ // read after closing it.
++ defer outreq.Body.Close()
++ }
+ if outreq.Header == nil {
+ outreq.Header = make(http.Header) // Issue 33142: historical behavior was to always allocate
+ }
+diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go
+index 1898ed8b8afde..4b6ad77a29466 100644
+--- a/src/net/http/httputil/reverseproxy_test.go
++++ b/src/net/http/httputil/reverseproxy_test.go
+@@ -1122,6 +1122,45 @@ func TestReverseProxy_PanicBodyError(t *testing.T) {
+ rproxy.ServeHTTP(httptest.NewRecorder(), req)
+ }
+
++// Issue #46866: panic without closing incoming request body causes a panic
++func TestReverseProxy_PanicClosesIncomingBody(t *testing.T) {
++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ out := "this call was relayed by the reverse proxy"
++ // Coerce a wrong content length to induce io.ErrUnexpectedEOF
++ w.Header().Set("Content-Length", fmt.Sprintf("%d", len(out)*2))
++ fmt.Fprintln(w, out)
++ }))
++ defer backend.Close()
++ backendURL, err := url.Parse(backend.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ proxyHandler := NewSingleHostReverseProxy(backendURL)
++ proxyHandler.ErrorLog = log.New(io.Discard, "", 0) // quiet for tests
++ frontend := httptest.NewServer(proxyHandler)
++ defer frontend.Close()
++ frontendClient := frontend.Client()
++
++ var wg sync.WaitGroup
++ for i := 0; i < 2; i++ {
++ wg.Add(1)
++ go func() {
++ defer wg.Done()
++ for j := 0; j < 10; j++ {
++ const reqLen = 6 * 1024 * 1024
++ req, _ := http.NewRequest("POST", frontend.URL, &io.LimitedReader{R: neverEnding('x'), N: reqLen})
++ req.ContentLength = reqLen
++ resp, _ := frontendClient.Transport.RoundTrip(req)
++ if resp != nil {
++ io.Copy(io.Discard, resp.Body)
++ resp.Body.Close()
++ }
++ }
++ }()
++ }
++ wg.Wait()
++}
++
+ func TestSelectFlushInterval(t *testing.T) {
+ tests := []struct {
+ name string
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch
new file mode 100644
index 0000000000..88fca9cad9
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch
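Review bot: The test added by CVE-2021-36221.patch, `TestReverseProxy_PanicClosesIncomingBody`, uses `io.Discard` (in `log.New(io.Discard, "", 0)` and `io.Copy(io.Discard, resp.Body)`), which the standard library only gained in Go 1.16, while this patch is filed under `go-1.14/`. The fix in `reverseproxy.go` is unaffected, but `reverseproxy_test.go` would stop compiling on a 1.14 tree, so the package's tests could no longer be run to confirm the backport. Use the older name in both places, `proxyHandler.ErrorLog = log.New(ioutil.Discard, "", 0)` and `io.Copy(ioutil.Discard, resp.Body)`, assuming the test file already imports `io/ioutil` (its import block is outside the hunk).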
@@ -0,0 +1,79 @@
+From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Wed, 18 Aug 2021 11:49:29 -0700
+Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation
+ check from overflowing
+
+If the indicated directory size in the archive header is so large that
+subtracting it from the archive size overflows a uint64, the check that
+the indicated number of files in the archive can be effectively
+bypassed. Prevent this from happening by checking that the indicated
+directory size is less than the size of the archive.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+
+Fixes #47985
+Updates #47801
+Fixes CVE-2021-39293
+
+Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
+Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
+Trust: Roland Shoemaker
+Run-TryBot: Roland Shoemaker
+TryBot-Result: Go Bot
+Reviewed-by: Russ Cox
+(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/345409
+Reviewed-by: Emmanuel Odeke
+Run-TryBot: Emmanuel Odeke
+Trust: Cherry Mui
+
+https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785
+CVE: CVE-2021-39293
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee
+---
+ src/archive/zip/reader.go | 2 +-
+ src/archive/zip/reader_test.go | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index ddef2b7b5a517..801d1313b6c32 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -105,7 +105,7 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
+ // indicate it contains up to 1 << 128 - 1 files. Since each file has a
+ // header which will be _at least_ 30 bytes we can safely preallocate
+ // if (data size / 30) >= end.directoryRecords.
+- if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
++ if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
+ z.File = make([]*File, 0, end.directoryRecords)
+ }
+ z.Comment = end.comment
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index 471be27bb1004..99f13345d8d06 100644
+--- a/src/archive/zip/reader_test.go
++++ b/src/archive/zip/reader_test.go
+@@ -1225,3 +1225,21 @@ func TestCVE202133196(t *testing.T) {
+ t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
+ }
+ }
++
++func TestCVE202139293(t *testing.T) {
++ // directory size is so large, that the check in Reader.init
++ // overflows when subtracting from the archive size, causing
++ // the pre-allocation check to be bypassed.
++ data := []byte{
++ 0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
++ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
++ 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
++ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
++ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
++ 0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff,
++ }
++ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
++ if err != ErrFormat {
++ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
++ }
++}
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch
new file mode 100644
index 0000000000..526796dbcb
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch
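Review bot: The comment above the changed condition in `Reader.init` (CVE-2021-39293.patch) still describes only the old test, "we can safely preallocate if (data size / 30) >= end.directoryRecords", and says nothing about the new `end.directorySize < uint64(size)` guard that keeps the subtraction from wrapping. Add a line such as `// The directory size is compared with the archive size first so the subtraction below cannot wrap around.` so the guard is not later removed as redundant. The hunk context also shows `TestCVE202133196` already present in `reader_test.go`, so this patch presumably has to be applied after the CVE-2021-33196 backport; the recipe's patch order is not visible here and is worth confirming.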
@@ -0,0 +1,86 @@
+From d19c5bdb24e093a2d5097b7623284eb02726cede Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Thu, 14 Oct 2021 13:02:01 -0700
+Subject: [PATCH] [release-branch.go1.16] debug/macho: fail on invalid dynamic
+ symbol table command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fail out when loading a file that contains a dynamic symbol table
+command that indicates a larger number of symbols than exist in the
+loaded symbol table.
+
+Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for
+reporting this issue.
+
+Updates #48990
+Fixes #48991
+Fixes CVE-2021-41771
+
+Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5
+Reviewed-on: https://go-review.googlesource.com/c/go/+/355990
+Reviewed-by: Julie Qiu
+Reviewed-by: Katie Hockman
+Reviewed-by: Emmanuel Odeke
+Run-TryBot: Roland Shoemaker
+TryBot-Result: Go Bot
+Trust: Katie Hockman
+(cherry picked from commit 61536ec03063b4951163bd09609c86d82631fa27)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/359454
+Reviewed-by: Dmitri Shuralyov
+
+https://github.com/golang/go/commit/d19c5bdb24e093a2d5097b7623284eb02726cede
+CVE: CVE-2021-41771
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee
+---
+ src/debug/macho/file.go | 9 +++++++++
+ src/debug/macho/file_test.go | 7 +++++++
+ .../testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64 | 1 +
+ 3 files changed, 17 insertions(+)
+ create mode 100644 src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
+
+diff --git a/src/debug/macho/file.go b/src/debug/macho/file.go
+index 085b0c8219bad..73cfce3c7606e 100644
+--- a/src/debug/macho/file.go
++++ b/src/debug/macho/file.go
+@@ -345,6 +345,15 @@ func NewFile(r io.ReaderAt) (*File, error) {
+ if err := binary.Read(b, bo, &hdr); err != nil {
+ return nil, err
+ }
++ if hdr.Iundefsym > uint32(len(f.Symtab.Syms)) {
++ return nil, &FormatError{offset, fmt.Sprintf(
++ "undefined symbols index in dynamic symbol table command is greater than symbol table length (%d > %d)",
++ hdr.Iundefsym, len(f.Symtab.Syms)), nil}
++ } else if hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms)) {
++ return nil, &FormatError{offset, fmt.Sprintf(
++ "number of undefined symbols after index in dynamic symbol table command is greater than symbol table length (%d > %d)",
++ hdr.Iundefsym+hdr.Nundefsym, len(f.Symtab.Syms)), nil}
++ }
+ dat := make([]byte, hdr.Nindirectsyms*4)
+ if _, err := r.ReadAt(dat, int64(hdr.Indirectsymoff)); err != nil {
+ return nil, err
+diff --git a/src/debug/macho/file_test.go b/src/debug/macho/file_test.go
+index 03915c86e23d9..9beeb80dd27c1 100644
+--- a/src/debug/macho/file_test.go
++++ b/src/debug/macho/file_test.go
+@@ -416,3 +416,10 @@ func TestTypeString(t *testing.T) {
+ t.Errorf("got %v, want %v", TypeExec.GoString(), "macho.Exec")
+ }
+ }
++
++func TestOpenBadDysymCmd(t *testing.T) {
++ _, err := openObscured("testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64")
++ if err == nil {
++ t.Fatal("openObscured did not fail when opening a file with an invalid dynamic symbol table command")
++ }
++}
+diff --git a/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64 b/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
+new file mode 100644
+index 0000000000000..8e0436639c109
+--- /dev/null
++++ b/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
+@@ -0,0 +1 @@
++z/rt/gcAAAEDAACAAgAAAAsAAABoBQAAhQAAAAAAAAAZAAAASAAAAF9fUEFHRVpFUk8AAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAA2AEAAF9fVEVYVAAAAAAAAAAAAAAAAAAAAQAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAcAAAAFAAAABQAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAABQPAAABAAAAbQAAAAAAAAAUDwAAAgAAAAAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAF9fc3ltYm9sX3N0dWIxAABfX1RFWFQAAAAAAAAAAAAAgQ8AAAEAAAAMAAAAAAAAAIEPAAAAAAAAAAAAAAAAAAAIBACAAAAAAAYAAAAAAAAAX19zdHViX2hlbHBlcgAAAF9fVEVYVAAAAAAAAAAAAACQDwAAAQAAABgAAAAAAAAAkA8AAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAKgPAAABAAAADQAAAAAAAACoDwAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAF9fZWhfZnJhbWUAAAAAAABfX1RFWFQAAAAAAAAAAAAAuA8AAAEAAABIAAAAAAAAALgPAAADAAAAAAAAAAAAAAALAABgAAAAAAAAAAAAAAAAGQAAADgBAABfX0RBVEEAAAAAAAAAAAAAABAAAAEAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAAHAAAAAwAAAAMAAAAAAAAAX19kYXRhAAAAAAAAAAAAAF9fREFUQQAAAAAAAAAAAAAAEAAAAQAAABwAAAAAAAAAABAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2R5bGQAAAAAAAAAAAAAX19EQVRBAAAAAAAAAAAAACAQAAABAAAAOAAAAAAAAAAgEAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fbGFfc3ltYm9sX3B0cgBfX0RBVEEAAAAAAAAAAAAAWBAAAAEAAAAQAAAAAAAAAFgQAAACAAAAAAAAAAAAAAAHAAAAAgAAAAAAAAAAAAAAGQAAAEgAAABfX0xJTktFRElUAAAAAAAAACAAAAEAAAAAEAAAAAAAAAAgAAAAAAAAQAEAAAAAAAAHAAAAAQAAAAAAAAAAAAAAAgAAABgAAAAAIAAACwAAAMAgAACAAAAACwAAAFAAAAAAAAAAAgAAAAIAAAAHAAAACQAAAP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwIAAABAAAAAAAAAAAAAAAAAAAAAAAAAAOAAAAIAAAAAwAAAAvdXNyL2xpYi9keWxkAAAAAAAAABsAAAAYAAAAOyS4cg5FdtQoqu6JsMEhXQUAAAC4AAAABAAAACoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQPAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAOAAAABgAAAACAAAAAAABAAAAAQAvdXNyL2xpYi9saWJnY2Nfcy4xLmR5bGliAAAAAAAAAAwAAAA4AAAAGAAAAAIAAAAEAW8AAAABAC91c3IvbGliL2xpYlN5c3RlbS5CLmR5bGliAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABqAEiJ5UiD5PBIi30ISI11EIn6g8IBweIDSAHySInR6wRIg8EISIM5AHX2SIPBCOgiAAAAicfoMgAAAPRBU0yNHafw//9BU/8lvwAAAA8fAP8lvgAAAFVIieVIjT0zAAAA6A0AAAC4AAAAAMnD/yXRAAAA/yXTAAAAAAAATI0dwQAAAOm0////TI0dvQAAAOmo////aGVsbG8sIHdvcmxkAAAAABQAAAAAAAAAAXpSAAF4EAEQDAcIkAEAACwAAAAcAAAAkv////////8XAAAAAAAAAAAEAQAAAA4QhgIEAwAAAA0GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABDAX/9/AAAIEMBf/38AAAAAAAABAAAAGBAAAAEAAAAQEAAAAQAAAAgQAAABAAAAABAAAAEAAACQDwAAAQAAAJwPAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAHgEAAFAPAAABAAAAGwAAAB4BAABkDwAAAQAAAC4AAAAPBgAAGBAAAAEAAAA2AAAADwYAABAQAAABAAAAPgAAAA8GAAAAEAAAAQAAAEoAAAADABAAAAAAAAEAAABeAAAADwYAAAgQAAABAAAAZwAAAA8BAABqDwAAAQAAAG0AAAAPAQAAFA8AAAEAAABzAAAAAQABAgAAAAAAAAAAeQAAAAEAAQIAAAAAAAAAAAkAAAAKAAAACQAAAAoAAAAgAGR5bGRfc3R1Yl9iaW5kaW5nX2hlbHBlcgBfX2R5bGRfZnVuY19sb29rdXAAX05YQXJnYwBfTlhBcmd2AF9fX3Byb2duYW1lAF9fbWhfZXhlY3V0ZV9oZWFkZXIAX2Vudmlyb24AX21haW4Ac3RhcnQAX2V4aXQAX3B1dHMAAA== +\ No newline at end of file diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch new file mode 100644 index 0000000000..238c3eac5b --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch 
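Review bot: In CVE-2021-41771.patch, the second check added to `NewFile`, `hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms))`, adds two `uint32` header fields, and that sum can wrap, so a very large `Nundefsym` could still pass the bounds test. Because the first branch has already established that `Iundefsym` does not exceed the table length, the comparison can be written without an addition: `} else if hdr.Nundefsym > uint32(len(f.Symtab.Syms))-hdr.Iundefsym {`. Both branches also dereference `f.Symtab` without a visible nil check; whether a symbol table is guaranteed to have been loaded at this point cannot be told from the hunk, since `NewFile` starts and ends outside it.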
@@ -0,0 +1,68 @@
+From 48c9076dcfc2dc894842ff758c8cfae7957c9565 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati
+Date: Thu, 29 Sep 2022 17:06:18 +0530
+Subject: [PATCH] CVE-2022-27664
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479]
+CVE: CVE-2022-27664
+Signed-off-by: Hitendra Prajapati
+---
+ src/net/http/h2_bundle.go | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 65d851d..83f2a72 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -3254,10 +3254,11 @@ var (
+ // name (key). See httpguts.ValidHeaderName for the base rules.
+ //
+ // Further, http2 says:
+-// "Just as in HTTP/1.x, header field names are strings of ASCII
+-// characters that are compared in a case-insensitive
+-// fashion. However, header field names MUST be converted to
+-// lowercase prior to their encoding in HTTP/2. "
++//
++// "Just as in HTTP/1.x, header field names are strings of ASCII
++// characters that are compared in a case-insensitive
++// fashion. However, header field names MUST be converted to
++// lowercase prior to their encoding in HTTP/2. "
+ func http2validWireHeaderFieldName(v string) bool {
+ if len(v) == 0 {
+ return false
+@@ -3446,8 +3447,8 @@ func (s *http2sorter) SortStrings(ss []string) {
+ // validPseudoPath reports whether v is a valid :path pseudo-header
+ // value. It must be either:
+ //
+-// *) a non-empty string starting with '/'
+-// *) the string '*', for OPTIONS requests.
++// *) a non-empty string starting with '/'
++// *) the string '*', for OPTIONS requests.
+ //
+ // For now this is only used a quick check for deciding when to clean
+ // up Opaque URLs before sending requests from the Transport.
+@@ -4897,6 +4898,9 @@ func (sc *http2serverConn) startGracefulShutdownInternal() {
+ func (sc *http2serverConn) goAway(code http2ErrCode) {
+ sc.serveG.check()
+ if sc.inGoAway {
++ if sc.goAwayCode == http2ErrCodeNo {
++ sc.goAwayCode = code
++ }
+ return
+ }
+ sc.inGoAway = true
+@@ -6091,8 +6095,9 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) {
+ // prior to the headers being written. If the set of trailers is fixed
+ // or known before the header is written, the normal Go trailers mechanism
+ // is preferred:
+-// https://golang.org/pkg/net/http/#ResponseWriter
+-// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
++//
++// https://golang.org/pkg/net/http/#ResponseWriter
++// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
+ const http2TrailerPrefix = "Trailer:"
+
+ // promoteUndeclaredTrailers permits http.Handlers to set trailers
+--
+2.25.1
+
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
new file mode 100644
index 0000000000..47313a547f
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
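Review bot: Only the three lines added to `http2serverConn.goAway` in CVE-2022-27664.patch change behaviour; the other three hunks re-indent doc comments (above `http2validWireHeaderFieldName`, `validPseudoPath` and `http2TrailerPrefix`) and are not part of the fix. Dropping them would keep the backport minimal and lower the chance of conflicts with other patches to `h2_bundle.go`. The patch header gives no description beyond the CVE id and the new branch has no comment; something like `// Already in GOAWAY state: keep the first code that is not http2ErrCodeNo.` would say what the branch is for. The remainder of `goAway` is outside the hunk, so the wording should be checked against the upstream commit.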
@@ -0,0 +1,47 @@
+From 8d0bbb5a6280c2cf951241ec7f6579c90d38df57 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati
+Date: Thu, 25 Aug 2022 10:55:08 +0530
+Subject: [PATCH] CVE-2022-30629
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c]
+CVE: CVE-2022-30629
+Signed-off-by: Hitendra Prajapati
+---
+ src/crypto/tls/handshake_server_tls13.go | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
+index 5432145..d91797e 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
++++ b/src/crypto/tls/handshake_server_tls13.go
+@@ -9,6 +9,7 @@ import (
+ "crypto"
+ "crypto/hmac"
+ "crypto/rsa"
++ "encoding/binary"
+ "errors"
+ "hash"
+ "io"
+@@ -742,6 +743,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
+ }
+ m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
+
++ // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
++ // The value is not stored anywhere; we never need to check the ticket age
++ // because 0-RTT is not supported.
++ ageAdd := make([]byte, 4)
++ _, err = hs.c.config.rand().Read(ageAdd)
++ if err != nil {
++ return err
++ }
++ m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
++
++ // ticket_nonce, which must be unique per connection, is always left at
++ // zero because we only ever send one ticket per connection.
++
+ if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
+ return err
+ }
+--
+2.25.1
+
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
new file mode 100644
index 0000000000..5dcfd27f16
--- /dev/null
+++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
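Review bot: In `sendSessionTickets` (CVE-2022-30629.patch) the byte count returned by `hs.c.config.rand().Read(ageAdd)` is discarded, so a reader that returns fewer than four bytes without an error would leave part of `ageAdd` at zero and weaken the random `ticket_age_add` value. `io` is already imported in this file (it appears as context in the import hunk), so the read can be made exact with `_, err = io.ReadFull(hs.c.config.rand(), ageAdd)`. The function begins outside the hunk.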
@@ -0,0 +1,116 @@ +From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Thu, 25 Aug 2022 11:01:21 +0530 +Subject: [PATCH] CVE-2022-30631 + +Upstream-Status: Backport [https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3] +CVE: CVE-2022-30631 +Signed-off-by: Hitendra Prajapati +--- + src/compress/gzip/gunzip.go | 60 +++++++++++++++----------------- + src/compress/gzip/gunzip_test.go | 16 +++++++++ + 2 files changed, 45 insertions(+), 31 deletions(-) + +diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go +index 924bce1..237b2b9 100644 +--- a/src/compress/gzip/gunzip.go ++++ b/src/compress/gzip/gunzip.go +@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) { + return 0, z.err + } + +- n, z.err = z.decompressor.Read(p) +- z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n]) +- z.size += uint32(n) +- if z.err != io.EOF { +- // In the normal case we return here. +- return n, z.err +- } ++ for n == 0 { ++ n, z.err = z.decompressor.Read(p) ++ z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n]) ++ z.size += uint32(n) ++ if z.err != io.EOF { ++ // In the normal case we return here. ++ return n, z.err ++ } + +- // Finished file; check checksum and size. +- if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil { +- z.err = noEOF(err) +- return n, z.err +- } +- digest := le.Uint32(z.buf[:4]) +- size := le.Uint32(z.buf[4:8]) +- if digest != z.digest || size != z.size { +- z.err = ErrChecksum +- return n, z.err +- } +- z.digest, z.size = 0, 0 ++ // Finished file; check checksum and size. ++ if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil { ++ z.err = noEOF(err) ++ return n, z.err ++ } ++ digest := le.Uint32(z.buf[:4]) ++ size := le.Uint32(z.buf[4:8]) ++ if digest != z.digest || size != z.size { ++ z.err = ErrChecksum ++ return n, z.err ++ } ++ z.digest, z.size = 0, 0 + +- // File is ok; check if there is another. 
+- if !z.multistream { +- return n, io.EOF +- } +- z.err = nil // Remove io.EOF ++ // File is ok; check if there is another. ++ if !z.multistream { ++ return n, io.EOF ++ } ++ z.err = nil // Remove io.EOF + +- if _, z.err = z.readHeader(); z.err != nil { +- return n, z.err ++ if _, z.err = z.readHeader(); z.err != nil { ++ return n, z.err ++ } + } + +- // Read from next file, if necessary. +- if n > 0 { +- return n, nil +- } +- return z.Read(p) ++ return n, nil + } + + // Close closes the Reader. It does not close the underlying io.Reader. +diff --git a/src/compress/gzip/gunzip_test.go b/src/compress/gzip/gunzip_test.go +index 1b01404..95220ae 100644 +--- a/src/compress/gzip/gunzip_test.go ++++ b/src/compress/gzip/gunzip_test.go +@@ -516,3 +516,19 @@ func TestTruncatedStreams(t *testing.T) { + } + } + } ++ ++func TestCVE202230631(t *testing.T) { ++ var empty = []byte{0x1f, 0x8b, 0x08, 0x00, 0xa7, 0x8f, 0x43, 0x62, 0x00, ++ 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} ++ r := bytes.NewReader(bytes.Repeat(empty, 4e6)) ++ z, err := NewReader(r) ++ if err != nil { ++ t.Fatalf("NewReader: got %v, want nil", err) ++ } ++ // Prior to CVE-2022-30631 fix, this would cause an unrecoverable panic due ++ // to stack exhaustion. ++ _, err = z.Read(make([]byte, 10)) ++ if err != io.EOF { ++ t.Errorf("Reader.Read: got %v, want %v", err, io.EOF) ++ } ++} +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch new file mode 100644 index 0000000000..c54ef56a0e --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch 
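Review bot: The new `for n == 0` loop in Reader.Read has no comment saying that it replaces the old tail call `return z.Read(p)`, and that is the whole point of the fix. I would add `// Iterate instead of recursing so that a long run of empty members cannot grow the stack.` above the loop. The added test builds its input with `bytes.Repeat(empty, 4e6)` on a 20-byte member, roughly 80 MB in one allocation, which may matter if the Go tests are run on a memory-constrained target. Read begins outside the hunk.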
@@ -0,0 +1,71 @@ +From 35d1dfe9746029aea9027b405c75555d41ffd2f8 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Thu, 25 Aug 2022 13:12:40 +0530 +Subject: [PATCH] CVE-2022-30632 + +Upstream-Status: Backport [https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df] +CVE: CVE-2022-30632 +Signed-off-by: Hitendra Prajapati +--- + src/path/filepath/match.go | 16 +++++++++++++++- + src/path/filepath/match_test.go | 10 ++++++++++ + 2 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go +index 46badb5..ba68daa 100644 +--- a/src/path/filepath/match.go ++++ b/src/path/filepath/match.go +@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) { + // The only possible returned error is ErrBadPattern, when pattern + // is malformed. + func Glob(pattern string) (matches []string, err error) { ++ return globWithLimit(pattern, 0) ++} ++ ++func globWithLimit(pattern string, depth int) (matches []string, err error) { ++ // This limit is used prevent stack exhaustion issues. See CVE-2022-30632. ++ const pathSeparatorsLimit = 10000 ++ if depth == pathSeparatorsLimit { ++ return nil, ErrBadPattern ++ } ++ ++ // Check pattern is well-formed. 
++ if _, err := Match(pattern, ""); err != nil { ++ return nil, err ++ } + if !hasMeta(pattern) { + if _, err = os.Lstat(pattern); err != nil { + return nil, nil +@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) { + } + + var m []string +- m, err = Glob(dir) ++ m, err = globWithLimit(dir, depth+1) + if err != nil { + return + } +diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go +index b865762..c37c812 100644 +--- a/src/path/filepath/match_test.go ++++ b/src/path/filepath/match_test.go +@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) { + } + } + ++func TestCVE202230632(t *testing.T) { ++ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a ++ // large number of separators (more than 4,000,000). There is now a limit ++ // of 10,000. ++ _, err := Glob("/*" + strings.Repeat("/", 10001)) ++ if err != ErrBadPattern { ++ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err) ++ } ++} ++ + func TestGlobError(t *testing.T) { + _, err := Glob("[]") + if err == nil { +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch new file mode 100644 index 0000000000..c16cb5f50c --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch 
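Review bot: The doc comment kept above Glob still says ErrBadPattern is returned only "when pattern is malformed", but globWithLimit now also returns it once `depth == pathSeparatorsLimit`. The comment should mention that second case, for example `// Glob also returns ErrBadPattern when the pattern nests deeper than 10000 path separators.` The new helper has no doc comment of its own, and its inline comment reads "is used prevent" where "is used to prevent" is meant. The body of the function continues outside the first hunk.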
@@ -0,0 +1,131 @@ +From ab6e2ffdcab0501bcc2de4b196c1c18ae2301d4b Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Thu, 25 Aug 2022 13:29:55 +0530 +Subject: [PATCH] CVE-2022-30633 + +Upstream-Status: Backport [https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827] +CVE: CVE-2022-30633 +Signed-off-by: Hitendra Prajapati +--- + src/encoding/xml/read.go | 27 +++++++++++++++++++-------- + src/encoding/xml/read_test.go | 14 ++++++++++++++ + 2 files changed, 33 insertions(+), 8 deletions(-) + +diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go +index 10a60ee..4ffed80 100644 +--- a/src/encoding/xml/read.go ++++ b/src/encoding/xml/read.go +@@ -148,7 +148,7 @@ func (d *Decoder) DecodeElement(v interface{}, start *StartElement) error { + if val.Kind() != reflect.Ptr { + return errors.New("non-pointer passed to Unmarshal") + } +- return d.unmarshal(val.Elem(), start) ++ return d.unmarshal(val.Elem(), start, 0) + } + + // An UnmarshalError represents an error in the unmarshaling process. +@@ -304,8 +304,15 @@ var ( + textUnmarshalerType = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem() + ) + ++const maxUnmarshalDepth = 10000 ++ ++var errExeceededMaxUnmarshalDepth = errors.New("exceeded max depth") ++ + // Unmarshal a single XML element into val. +-func (d *Decoder) unmarshal(val reflect.Value, start *StartElement) error { ++func (d *Decoder) unmarshal(val reflect.Value, start *StartElement, depth int) error { ++ if depth >= maxUnmarshalDepth { ++ return errExeceededMaxUnmarshalDepth ++ } + // Find start element if we need it. + if start == nil { + for { +@@ -398,7 +405,7 @@ func (d *Decoder) unmarshal(val reflect.Value, start *StartElement) error { + v.Set(reflect.Append(val, reflect.Zero(v.Type().Elem()))) + + // Recur to read element into slice. 
+- if err := d.unmarshal(v.Index(n), start); err != nil { ++ if err := d.unmarshal(v.Index(n), start, depth+1); err != nil { + v.SetLen(n) + return err + } +@@ -521,13 +528,15 @@ Loop: + case StartElement: + consumed := false + if sv.IsValid() { +- consumed, err = d.unmarshalPath(tinfo, sv, nil, &t) ++ // unmarshalPath can call unmarshal, so we need to pass the depth through so that ++ // we can continue to enforce the maximum recusion limit. ++ consumed, err = d.unmarshalPath(tinfo, sv, nil, &t, depth) + if err != nil { + return err + } + if !consumed && saveAny.IsValid() { + consumed = true +- if err := d.unmarshal(saveAny, &t); err != nil { ++ if err := d.unmarshal(saveAny, &t, depth+1); err != nil { + return err + } + } +@@ -672,7 +681,7 @@ func copyValue(dst reflect.Value, src []byte) (err error) { + // The consumed result tells whether XML elements have been consumed + // from the Decoder until start's matching end element, or if it's + // still untouched because start is uninteresting for sv's fields. +-func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement) (consumed bool, err error) { ++func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement, depth int) (consumed bool, err error) { + recurse := false + Loop: + for i := range tinfo.fields { +@@ -687,7 +696,7 @@ Loop: + } + if len(finfo.parents) == len(parents) && finfo.name == start.Name.Local { + // It's a perfect match, unmarshal the field. +- return true, d.unmarshal(finfo.value(sv), start) ++ return true, d.unmarshal(finfo.value(sv), start, depth+1) + } + if len(finfo.parents) > len(parents) && finfo.parents[len(parents)] == start.Name.Local { + // It's a prefix for the field. 
Break and recurse +@@ -716,7 +725,9 @@ Loop: + } + switch t := tok.(type) { + case StartElement: +- consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t) ++ // the recursion depth of unmarshalPath is limited to the path length specified ++ // by the struct field tag, so we don't increment the depth here. ++ consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t, depth) + if err != nil { + return true, err + } +diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go +index 8c2e70f..6a20b1a 100644 +--- a/src/encoding/xml/read_test.go ++++ b/src/encoding/xml/read_test.go +@@ -5,6 +5,7 @@ + package xml + + import ( ++ "errors" + "io" + "reflect" + "strings" +@@ -1079,3 +1080,16 @@ func TestUnmarshalWhitespaceAttrs(t *testing.T) { + t.Fatalf("whitespace attrs: Unmarshal:\nhave: %#+v\nwant: %#+v", v, want) + } + } ++ ++func TestCVE202228131(t *testing.T) { ++ type nested struct { ++ Parent *nested `xml:",any"` ++ } ++ var n nested ++ err := Unmarshal(bytes.Repeat([]byte(""), maxUnmarshalDepth+1), &n) ++ if err == nil { ++ t.Fatal("Unmarshal did not fail") ++ } else if !errors.Is(err, errExeceededMaxUnmarshalDepth) { ++ t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth) ++ } ++} +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch new file mode 100644 index 0000000000..73959f70fa --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch 
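Review bot: The added test calls `bytes.Repeat`, but the import hunk for read_test.go adds only `"errors"`, and the visible import block goes straight from `import (` to `"io"`. Unless `bytes` is imported in a separate group outside the hunk, the test file will not compile; adding `"bytes"` next to `"errors"` would fix that. The test is named `TestCVE202228131` although the patch is filed as CVE-2022-30633, which will confuse anyone searching for coverage by CVE id. The literal passed to `bytes.Repeat` appears here as `""`; if the file really holds an empty literal, the input has no nesting and the depth limit is never reached, so it is worth checking against the upstream commit.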
@@ -0,0 +1,120 @@ +From fdd4316737ed5681689a1f40802ffa0805e5b11c Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Fri, 26 Aug 2022 12:17:05 +0530 +Subject: [PATCH] CVE-2022-30635 + +Upstream-Status: Backport [https://github.com/golang/go/commit/cd54600b866db0ad068ab8df06c7f5f6cb55c9b3] +CVE-2022-30635 +Signed-off-by: Hitendra Prajapati +--- + src/encoding/gob/decode.go | 19 ++++++++++++------- + src/encoding/gob/gobencdec_test.go | 24 ++++++++++++++++++++++++ + 2 files changed, 36 insertions(+), 7 deletions(-) + +diff --git a/src/encoding/gob/decode.go b/src/encoding/gob/decode.go +index d2f6c74..0e0ec75 100644 +--- a/src/encoding/gob/decode.go ++++ b/src/encoding/gob/decode.go +@@ -871,8 +871,13 @@ func (dec *Decoder) decOpFor(wireId typeId, rt reflect.Type, name string, inProg + return &op + } + ++var maxIgnoreNestingDepth = 10000 ++ + // decIgnoreOpFor returns the decoding op for a field that has no destination. +-func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp) *decOp { ++func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp, depth int) *decOp { ++ if depth > maxIgnoreNestingDepth { ++ error_(errors.New("invalid nesting depth")) ++ } + // If this type is already in progress, it's a recursive type (e.g. map[string]*T). + // Return the pointer to the op we're already building. 
+ if opPtr := inProgress[wireId]; opPtr != nil { +@@ -896,7 +901,7 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp) + errorf("bad data: undefined type %s", wireId.string()) + case wire.ArrayT != nil: + elemId := wire.ArrayT.Elem +- elemOp := dec.decIgnoreOpFor(elemId, inProgress) ++ elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1) + op = func(i *decInstr, state *decoderState, value reflect.Value) { + state.dec.ignoreArray(state, *elemOp, wire.ArrayT.Len) + } +@@ -904,15 +909,15 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp) + case wire.MapT != nil: + keyId := dec.wireType[wireId].MapT.Key + elemId := dec.wireType[wireId].MapT.Elem +- keyOp := dec.decIgnoreOpFor(keyId, inProgress) +- elemOp := dec.decIgnoreOpFor(elemId, inProgress) ++ keyOp := dec.decIgnoreOpFor(keyId, inProgress, depth+1) ++ elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1) + op = func(i *decInstr, state *decoderState, value reflect.Value) { + state.dec.ignoreMap(state, *keyOp, *elemOp) + } + + case wire.SliceT != nil: + elemId := wire.SliceT.Elem +- elemOp := dec.decIgnoreOpFor(elemId, inProgress) ++ elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1) + op = func(i *decInstr, state *decoderState, value reflect.Value) { + state.dec.ignoreSlice(state, *elemOp) + } +@@ -1073,7 +1078,7 @@ func (dec *Decoder) compileSingle(remoteId typeId, ut *userTypeInfo) (engine *de + func (dec *Decoder) compileIgnoreSingle(remoteId typeId) *decEngine { + engine := new(decEngine) + engine.instr = make([]decInstr, 1) // one item +- op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp)) ++ op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp), 0) + ovfl := overflow(dec.typeString(remoteId)) + engine.instr[0] = decInstr{*op, 0, nil, ovfl} + engine.numInstr = 1 +@@ -1118,7 +1123,7 @@ func (dec *Decoder) compileDec(remoteId typeId, ut *userTypeInfo) (engine *decEn + localField, present := srt.FieldByName(wireField.Name) 
+ // TODO(r): anonymous names + if !present || !isExported(wireField.Name) { +- op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp)) ++ op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp), 0) + engine.instr[fieldnum] = decInstr{*op, fieldnum, nil, ovfl} + continue + } +diff --git a/src/encoding/gob/gobencdec_test.go b/src/encoding/gob/gobencdec_test.go +index 6d2c8db..1b52ecc 100644 +--- a/src/encoding/gob/gobencdec_test.go ++++ b/src/encoding/gob/gobencdec_test.go +@@ -12,6 +12,7 @@ import ( + "fmt" + "io" + "net" ++ "reflect" + "strings" + "testing" + "time" +@@ -796,3 +797,26 @@ func TestNetIP(t *testing.T) { + t.Errorf("decoded to %v, want 1.2.3.4", ip.String()) + } + } ++ ++func TestIngoreDepthLimit(t *testing.T) { ++ // We don't test the actual depth limit because it requires building an ++ // extremely large message, which takes quite a while. ++ oldNestingDepth := maxIgnoreNestingDepth ++ maxIgnoreNestingDepth = 100 ++ defer func() { maxIgnoreNestingDepth = oldNestingDepth }() ++ b := new(bytes.Buffer) ++ enc := NewEncoder(b) ++ typ := reflect.TypeOf(int(0)) ++ nested := reflect.ArrayOf(1, typ) ++ for i := 0; i < 100; i++ { ++ nested = reflect.ArrayOf(1, nested) ++ } ++ badStruct := reflect.New(reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}})) ++ enc.Encode(badStruct.Interface()) ++ dec := NewDecoder(b) ++ var output struct{ Hello int } ++ expectedErr := "invalid nesting depth" ++ if err := dec.Decode(&output); err == nil || err.Error() != expectedErr { ++ t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err) ++ } ++} +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch new file mode 100644 index 0000000000..aab98e99fd --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch 
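Review bot: The header of this patch carries a bare `CVE-2022-30635` line where the sibling patches use the `CVE:` tag. Anything that matches on the tag rather than on the file name would presumably miss it, so the line should read `CVE: CVE-2022-30635`. In the added test the result of `enc.Encode(badStruct.Interface())` is discarded; checking it with `if err := enc.Encode(...); err != nil { t.Fatal(err) }` would keep an encoding failure from being reported as a decoder problem.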
@@ -0,0 +1,49 @@ +From 0fe3adec199e8cd2c101933f75d8cd617de70350 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Fri, 26 Aug 2022 12:48:13 +0530 +Subject: [PATCH] CVE-2022-32148 + +Upstream-Status: Backport [https://github.com/golang/go/commit/ed2f33e1a7e0d18f61bd56f7ee067331d612c27e] +CVE: CVE-2022-32148 +Signed-off-by: Hitendra Prajapati +--- + src/net/http/header.go | 6 ++++++ + src/net/http/header_test.go | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/src/net/http/header.go b/src/net/http/header.go +index b9b5391..221f613 100644 +--- a/src/net/http/header.go ++++ b/src/net/http/header.go +@@ -100,6 +100,12 @@ func (h Header) Clone() Header { + sv := make([]string, nv) // shared backing array for headers' values + h2 := make(Header, len(h)) + for k, vv := range h { ++ if vv == nil { ++ // Preserve nil values. ReverseProxy distinguishes ++ // between nil and zero-length header values. ++ h2[k] = nil ++ continue ++ } + n := copy(sv, vv) + h2[k] = sv[:n:n] + sv = sv[n:] +diff --git a/src/net/http/header_test.go b/src/net/http/header_test.go +index 4789362..80c0035 100644 +--- a/src/net/http/header_test.go ++++ b/src/net/http/header_test.go +@@ -235,6 +235,11 @@ func TestCloneOrMakeHeader(t *testing.T) { + in: Header{"foo": {"bar"}}, + want: Header{"foo": {"bar"}}, + }, ++ { ++ name: "nil value", ++ in: Header{"foo": nil}, ++ want: Header{"foo": nil}, ++ }, + } + + for _, tt := range tests { +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch new file mode 100644 index 0000000000..15fda7de1b --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch 
@@ -0,0 +1,113 @@ +From 027e7e1578d3d7614f7586eff3894b83d9709e14 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Mon, 29 Aug 2022 10:08:34 +0530 +Subject: [PATCH] CVE-2022-32189 + +Upstream-Status: Backport [https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102] +CVE: CVE-2022-32189 +Signed-off-by: Hitendra Prajapati +--- + src/math/big/floatmarsh.go | 7 +++++++ + src/math/big/floatmarsh_test.go | 12 ++++++++++++ + src/math/big/ratmarsh.go | 6 ++++++ + src/math/big/ratmarsh_test.go | 12 ++++++++++++ + 4 files changed, 37 insertions(+) + +diff --git a/src/math/big/floatmarsh.go b/src/math/big/floatmarsh.go +index d1c1dab..990e085 100644 +--- a/src/math/big/floatmarsh.go ++++ b/src/math/big/floatmarsh.go +@@ -8,6 +8,7 @@ package big + + import ( + "encoding/binary" ++ "errors" + "fmt" + ) + +@@ -67,6 +68,9 @@ func (z *Float) GobDecode(buf []byte) error { + *z = Float{} + return nil + } ++ if len(buf) < 6 { ++ return errors.New("Float.GobDecode: buffer too small") ++ } + + if buf[0] != floatGobVersion { + return fmt.Errorf("Float.GobDecode: encoding version %d not supported", buf[0]) +@@ -83,6 +87,9 @@ func (z *Float) GobDecode(buf []byte) error { + z.prec = binary.BigEndian.Uint32(buf[2:]) + + if z.form == finite { ++ if len(buf) < 10 { ++ return errors.New("Float.GobDecode: buffer too small for finite form float") ++ } + z.exp = int32(binary.BigEndian.Uint32(buf[6:])) + z.mant = z.mant.setBytes(buf[10:]) + } +diff --git a/src/math/big/floatmarsh_test.go b/src/math/big/floatmarsh_test.go +index c056d78..401f45a 100644 +--- a/src/math/big/floatmarsh_test.go ++++ b/src/math/big/floatmarsh_test.go +@@ -137,3 +137,15 @@ func TestFloatJSONEncoding(t *testing.T) { + } + } + } ++ ++func TestFloatGobDecodeShortBuffer(t *testing.T) { ++ for _, tc := range [][]byte{ ++ []byte{0x1, 0x0, 0x0, 0x0}, ++ []byte{0x1, 0xfa, 0x0, 0x0, 0x0, 0x0}, ++ } { ++ err := NewFloat(0).GobDecode(tc) ++ if err == nil { ++ t.Error("expected GobDecode to return error 
for malformed input") ++ } ++ } ++} +diff --git a/src/math/big/ratmarsh.go b/src/math/big/ratmarsh.go +index fbc7b60..56102e8 100644 +--- a/src/math/big/ratmarsh.go ++++ b/src/math/big/ratmarsh.go +@@ -45,12 +45,18 @@ func (z *Rat) GobDecode(buf []byte) error { + *z = Rat{} + return nil + } ++ if len(buf) < 5 { ++ return errors.New("Rat.GobDecode: buffer too small") ++ } + b := buf[0] + if b>>1 != ratGobVersion { + return fmt.Errorf("Rat.GobDecode: encoding version %d not supported", b>>1) + } + const j = 1 + 4 + i := j + binary.BigEndian.Uint32(buf[j-4:j]) ++ if len(buf) < int(i) { ++ return errors.New("Rat.GobDecode: buffer too small") ++ } + z.a.neg = b&1 != 0 + z.a.abs = z.a.abs.setBytes(buf[j:i]) + z.b.abs = z.b.abs.setBytes(buf[i:]) +diff --git a/src/math/big/ratmarsh_test.go b/src/math/big/ratmarsh_test.go +index 351d109..55a9878 100644 +--- a/src/math/big/ratmarsh_test.go ++++ b/src/math/big/ratmarsh_test.go +@@ -123,3 +123,15 @@ func TestRatXMLEncoding(t *testing.T) { + } + } + } ++ ++func TestRatGobDecodeShortBuffer(t *testing.T) { ++ for _, tc := range [][]byte{ ++ []byte{0x2}, ++ []byte{0x2, 0x0, 0x0, 0x0, 0xff}, ++ } { ++ err := NewRat(1, 2).GobDecode(tc) ++ if err == nil { ++ t.Error("expected GobDecode to return error for malformed input") ++ } ++ } ++} +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/python/python3/CVE-2021-28861.patch b/poky/meta/recipes-devtools/python/python3/CVE-2021-28861.patch new file mode 100644 index 0000000000..dc97c6b4eb --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3/CVE-2021-28861.patch 
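Review bot: In Rat.GobDecode the end index is still computed in 32 bits, `i := j + binary.BigEndian.Uint32(buf[j-4:j])`, so the new `len(buf) < int(i)` check can be bypassed by wraparound. A length field close to the uint32 maximum makes `i` wrap to a value below `j`; the check then passes and `buf[j:i]` panics, which is the class of crash this patch is meant to remove. Comparing the length with the remaining buffer in a wider type before forming the index avoids this, as sketched below. The function starts and ends outside the hunk, and the added test cases only cover small length values.

```go
// … unchanged: version check …
const j = 1 + 4
ln := binary.BigEndian.Uint32(buf[j-4 : j])
// Compare in uint64 so a large length field cannot wrap the end index.
if uint64(ln) > uint64(len(buf)-j) {
	return errors.New("Rat.GobDecode: buffer too small")
}
i := j + int(ln)
// … unchanged: z.a.neg, z.a.abs and z.b.abs assignments …
```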
@@ -0,0 +1,135 @@ +From 4dc2cae3abd75f386374d0635d00443b897d0672 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Wed, 22 Jun 2022 01:42:52 -0700 +Subject: [PATCH] gh-87389: Fix an open redirection vulnerability in + http.server. (GH-93879) (GH-94094) + +Fix an open redirection vulnerability in the `http.server` module when +an URI path starts with `//` that could produce a 301 Location header +with a misleading target. Vulnerability discovered, and logic fix +proposed, by Hamza Avvan (@hamzaavvan). + +Test and comments authored by Gregory P. Smith [Google]. +(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e) + +Co-authored-by: Gregory P. Smith + +Signed-off-by: Riyaz Khan + +CVE: CVE-2021-28861 + +Upstream-Status: Backport [https://github.com/python/cpython/commit/4dc2cae3abd75f386374d0635d00443b897d0672] + +--- + Lib/http/server.py | 7 +++ + Lib/test/test_httpservers.py | 53 ++++++++++++++++++- + ...2-06-15-20-09-23.gh-issue-87389.QVaC3f.rst | 3 ++ + 3 files changed, 61 insertions(+), 2 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst + +diff --git a/Lib/http/server.py b/Lib/http/server.py +index 38f7accad7a3..39de35458c38 100644 +--- a/Lib/http/server.py ++++ b/Lib/http/server.py +@@ -332,6 +332,13 @@ def parse_request(self): + return False + self.command, self.path = command, path + ++ # gh-87389: The purpose of replacing '//' with '/' is to protect ++ # against open redirect attacks possibly triggered if the path starts ++ # with '//' because http clients treat //path as an absolute URI ++ # without scheme (similar to http://path) rather than a path. ++ if self.path.startswith('//'): ++ self.path = '/' + self.path.lstrip('/') # Reduce to a single / ++ + # Examine the headers and look for a Connection directive. 
+ try: + self.headers = http.client.parse_headers(self.rfile, +diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py +index 87d4924a34b3..fb026188f0b4 100644 +--- a/Lib/test/test_httpservers.py ++++ b/Lib/test/test_httpservers.py +@@ -330,7 +330,7 @@ class request_handler(NoLogRequestHandler, SimpleHTTPRequestHandler): + pass + + def setUp(self): +- BaseTestCase.setUp(self) ++ super().setUp() + self.cwd = os.getcwd() + basetempdir = tempfile.gettempdir() + os.chdir(basetempdir) +@@ -358,7 +358,7 @@ def tearDown(self): + except: + pass + finally: +- BaseTestCase.tearDown(self) ++ super().tearDown() + + def check_status_and_reason(self, response, status, data=None): + def close_conn(): +@@ -414,6 +414,55 @@ def test_undecodable_filename(self): + self.check_status_and_reason(response, HTTPStatus.OK, + data=support.TESTFN_UNDECODABLE) + ++ def test_get_dir_redirect_location_domain_injection_bug(self): ++ """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location. ++ ++ //netloc/ in a Location header is a redirect to a new host. ++ https://github.com/python/cpython/issues/87389 ++ ++ This checks that a path resolving to a directory on our server cannot ++ resolve into a redirect to another server. ++ """ ++ os.mkdir(os.path.join(self.tempdir, 'existing_directory')) ++ url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory' ++ expected_location = f'{url}/' # /python.org.../ single slash single prefix, trailing slash ++ # Canonicalizes to /tmp/tempdir_name/existing_directory which does ++ # exist and is a dir, triggering the 301 redirect logic. ++ response = self.request(url) ++ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) ++ location = response.getheader('Location') ++ self.assertEqual(location, expected_location, msg='non-attack failed!') ++ ++ # //python.org... 
multi-slash prefix, no trailing slash ++ attack_url = f'/{url}' ++ response = self.request(attack_url) ++ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) ++ location = response.getheader('Location') ++ self.assertFalse(location.startswith('//'), msg=location) ++ self.assertEqual(location, expected_location, ++ msg='Expected Location header to start with a single / and ' ++ 'end with a / as this is a directory redirect.') ++ ++ # ///python.org... triple-slash prefix, no trailing slash ++ attack3_url = f'//{url}' ++ response = self.request(attack3_url) ++ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) ++ self.assertEqual(response.getheader('Location'), expected_location) ++ ++ # If the second word in the http request (Request-URI for the http ++ # method) is a full URI, we don't worry about it, as that'll be parsed ++ # and reassembled as a full URI within BaseHTTPRequestHandler.send_head ++ # so no errant scheme-less //netloc//evil.co/ domain mixup can happen. ++ attack_scheme_netloc_2slash_url = f'https://pypi.org/{url}' ++ expected_scheme_netloc_location = f'{attack_scheme_netloc_2slash_url}/' ++ response = self.request(attack_scheme_netloc_2slash_url) ++ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) ++ location = response.getheader('Location') ++ # We're just ensuring that the scheme and domain make it through, if ++ # there are or aren't multiple slashes at the start of the path that ++ # follows that isn't important in this Location: header. 
++ self.assertTrue(location.startswith('https://pypi.org/'), msg=location) ++ + def test_get(self): + #constructs the path relative to the root directory of the HTTPServer + response = self.request(self.base_url + '/test') +diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst +new file mode 100644 +index 000000000000..029d437190de +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst +@@ -0,0 +1,3 @@ ++:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server ++when an URI path starts with ``//``. Vulnerability discovered, and initial ++fix proposed, by Hamza Avvan. diff --git a/poky/meta/recipes-devtools/python/python3_3.8.13.bb b/poky/meta/recipes-devtools/python/python3_3.8.13.bb index 040bacf97c..d87abe2351 100644 --- a/poky/meta/recipes-devtools/python/python3_3.8.13.bb +++ b/poky/meta/recipes-devtools/python/python3_3.8.13.bb @@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ file://makerace.patch \ + file://CVE-2021-28861.patch \ " SRC_URI_append_class-native = " \ diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index a773068499..368be9979a 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc 
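Review bot: The comment added in parse_request says the fix replaces '//' with '/', but the code `'/' + self.path.lstrip('/')` collapses any run of leading slashes, and the triple-slash case in the new test depends on that. I would reword the comment to match, for example `# gh-87389: collapse any run of leading slashes to a single '/'; clients read a leading '//' as a scheme-less absolute URI, which allows open redirects.` parse_request begins and ends outside the hunk, so whether any other code path sets `self.path` cannot be seen from here.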
@@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-13791.patch \ file://CVE-2022-35414.patch \ file://CVE-2020-27821.patch \ + file://CVE-2020-13754-1.patch \ + file://CVE-2020-13754-2.patch \ + file://CVE-2020-13754-3.patch \ + file://CVE-2020-13754-4.patch \ + file://CVE-2021-3713.patch \ + file://CVE-2021-3748.patch \ + file://CVE-2021-3930.patch \ + file://CVE-2021-4206.patch \ + file://CVE-2021-4207.patch \ + file://CVE-2022-0216-1.patch \ + file://CVE-2022-0216-2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" @@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998" # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 CVE_CHECK_WHITELIST += "CVE-2018-18438" +# the issue introduced in v5.1.0-rc0 +CVE_CHECK_WHITELIST += "CVE-2020-27661" + COMPATIBLE_HOST_mipsarchn32 = "null" COMPATIBLE_HOST_mipsarchn64 = "null" @@ -257,6 +271,9 @@ PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev" PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2" PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp" PACKAGECONFIG[capstone] = "--enable-capstone,--disable-capstone" +# libnfs is currently provided by meta-kodi +PACKAGECONFIG[libnfs] = "--enable-libnfs,--disable-libnfs,libnfs" +PACKAGECONFIG[brlapi] = "--enable-brlapi,--disable-brlapi" INSANE_SKIP_${PN} = "arch" diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch new file mode 100644 index 0000000000..fdfff9d81d --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch 
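Review bot: The new whitelist entry for CVE-2020-27661 is justified only by `# the issue introduced in v5.1.0-rc0`, with no reference, while the entry above it cites a bug-tracker URL. A suppressed CVE should be checkable later, so I would state that the packaged version predates the affected code and link the source, for example `# Introduced in v5.1.0-rc0, so this version is not affected: <link to upstream advisory or commit>`. In the PACKAGECONFIG hunk, `brlapi` is added with no build dependency in its third field, and the comment above it only covers libnfs. If `--enable-brlapi` needs a library at configure time, that dependency should be listed.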
@@ -0,0 +1,91 @@ +From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Wed, 10 Jun 2020 09:47:49 -0400 +Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in + memory_region_access_valid" + +Memory API documentation documents valid .min_access_size and .max_access_size +fields and explains that any access outside these boundaries is blocked. + +This is what devices seem to assume. + +However this is not what the implementation does: it simply +ignores the boundaries unless there's an "accepts" callback. + +Naturally, this breaks a bunch of devices. + +Revert to the documented behaviour. + +Devices that want to allow any access can just drop the valid field, +or add the impl field to have accesses converted to appropriate +length. + +Cc: qemu-stable@nongnu.org +Reviewed-by: Richard Henderson +Fixes: CVE-2020-13754 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363 +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid") +Signed-off-by: Michael S. 
Tsirkin +Message-Id: <20200610134731.1514409-1-mst@redhat.com> +Signed-off-by: Paolo Bonzini + +https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + memory.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +diff --git a/memory.c b/memory.c +index 2f15a4b..9200b20 100644 +--- a/memory.c ++++ b/memory.c +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr, + bool is_write, + MemTxAttrs attrs) + { +- int access_size_min, access_size_max; +- int access_size, i; +- +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) { ++ if (mr->ops->valid.accepts ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { + return false; + } + +- if (!mr->ops->valid.accepts) { +- return true; +- } +- +- access_size_min = mr->ops->valid.min_access_size; +- if (!mr->ops->valid.min_access_size) { +- access_size_min = 1; ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) { ++ return false; + } + +- access_size_max = mr->ops->valid.max_access_size; ++ /* Treat zero as compatibility all valid */ + if (!mr->ops->valid.max_access_size) { +- access_size_max = 4; ++ return true; + } + +- access_size = MAX(MIN(size, access_size_max), access_size_min); +- for (i = 0; i < size; i += access_size) { +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size, +- is_write, attrs)) { +- return false; +- } ++ if (size > mr->ops->valid.max_access_size ++ || size < mr->ops->valid.min_access_size) { ++ return false; + } +- + return true; + } + +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch new file mode 100644 index 0000000000..7354edc54d --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch 
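Review bot: In memory_region_access_valid the early `return true` for a zero `valid.max_access_size` also skips the `min_access_size` comparison, so a region that declares only a minimum is still accepted at any size. The comment `/* Treat zero as compatibility all valid */` does not make that clear. I would spell it out, for example `/* max_access_size == 0 means no size limit (compatibility); min_access_size is not enforced in that case */`. Whether any device in this tree sets a minimum without a maximum cannot be seen from the hunk.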
@@ -0,0 +1,69 @@ +From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001 +From: Michael Tokarev +Date: Mon, 20 Jul 2020 19:06:27 +0300 +Subject: [PATCH] acpi: accept byte and word access to core ACPI registers + +All ISA registers should be accessible as bytes, words or dwords +(if wide enough). Fix the access constraints for acpi-pm-evt, +acpi-pm-tmr & acpi-cnt registers. + +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") +Fixes: afafe4bbe0 (apci: switch cnt to memory api) +Fixes: 77d58b1e47 (apci: switch timer to memory api) +Fixes: b5a7c024d2 (apci: switch evt to memory api) +Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ +Buglink: https://bugs.debian.org/964793 +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 +BugLink: https://bugs.launchpad.net/bugs/1886318 +Reported-By: Simon John +Signed-off-by: Michael Tokarev +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. 
Tsirkin + +https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/acpi/core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/hw/acpi/core.c b/hw/acpi/core.c +index f6d9ec4..ac06db3 100644 +--- a/hw/acpi/core.c ++++ b/hw/acpi/core.c +@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_evt_ops = { + .read = acpi_pm_evt_read, + .write = acpi_pm_evt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_tmr_ops = { + .read = acpi_pm_tmr_read, + .write = acpi_pm_tmr_write, +- .valid.min_access_size = 4, ++ .impl.min_access_size = 4, ++ .valid.min_access_size = 1, + .valid.max_access_size = 4, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_cnt_ops = { + .read = acpi_pm_cnt_read, + .write = acpi_pm_cnt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch new file mode 100644 index 0000000000..2a8781050f --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch 
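Review bot: With `.valid.min_access_size = 1` next to `.impl.min_access_size = 2` (4 for the timer), byte accesses at odd offsets are now accepted and, as far as I can tell from the memory core, forwarded to the handler widened to the impl size at the guest's original address. The read/write handlers (acpi_pm_evt_read and the others named in the hunk headers) are outside these hunks, so confirm they return a defined value for an offset that is not a multiple of the register width. A one-line comment above each ops struct, such as `/* ISA register: accept narrower guest accesses; the core widens them to impl.min_access_size */`, would record why valid and impl differ. This applies equally to acpi_pm_evt_ops, acpi_pm_tmr_ops and acpi_pm_cnt_ops.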
@@ -0,0 +1,65 @@ +From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001 +From: Laurent Vivier +Date: Tue, 21 Jul 2020 10:33:22 +0200 +Subject: [PATCH] xhci: fix valid.max_access_size to access address registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow +64-bit mode access in "runtime" and "operational" MemoryRegionOps. + +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. + +XHCI specs: +"If the xHC supports 64-bit addressing (AC64 = â1â), then software +should write 64-bit registers using only Qword accesses. If a +system is incapable of issuing Qword accesses, then writes to the +64-bit address fields shall be performed using 2 Dword accesses; +low Dword-first, high-Dword second. If the xHC supports 32-bit +addressing (AC64 = â0â), then the high Dword of registers containing +64-bit address fields are unused and software should write addresses +using only Dword accesses" + +The problem has been detected with SLOF, as linux kernel always accesses +registers using 32-bit access even if AC64 is set and revealed by +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"") + +Suggested-by: Alexey Kardashevskiy +Signed-off-by: Laurent Vivier +Message-id: 20200721083322.90651-1-lvivier@redhat.com +Signed-off-by: Gerd Hoffmann + +https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/usb/hcd-xhci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index b330e36..67a18fe 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = { + .read = xhci_oper_read, + .write = xhci_oper_write, + .valid.min_access_size = 4, +- .valid.max_access_size = 
4, ++ .valid.max_access_size = sizeof(dma_addr_t), + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = { + .read = xhci_runtime_read, + .write = xhci_runtime_write, + .valid.min_access_size = 4, +- .valid.max_access_size = 4, ++ .valid.max_access_size = sizeof(dma_addr_t), + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch new file mode 100644 index 0000000000..6bad07d03f --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch @@ -0,0 +1,39 @@ +From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001 +From: Alistair Francis +Date: Tue, 30 Jun 2020 13:12:11 -0700 +Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT + +Commit 5d971f9e672507210e77d020d89e0e89165c8fc9 +"memory: Revert "memory: accept mismatching sizes in +memory_region_access_valid"" broke most RISC-V boards as they do 64 bit +accesses to the CLINT and QEMU would trigger a fault. Fix this failure +by allowing 8 byte accesses. + +Signed-off-by: Alistair Francis +Reviewed-by: LIU Zhiwei +Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com> + +https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/riscv/sifive_clint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c +index b11ffa0..669c21a 100644 +--- a/hw/riscv/sifive_clint.c ++++ b/hw/riscv/sifive_clint.c +@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = { + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { + .min_access_size = 4, +- .max_access_size = 4 ++ .max_access_size = 8 + } + }; + +-- +1.8.3.1 + 
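Review bot: `.valid.max_access_size = sizeof(dma_addr_t)` in xhci_oper_ops and xhci_runtime_ops ties a guest-visible register width to a host-side typedef, and nothing at the use site says why. A short comment on both structs, such as `/* AC64 is advertised, so 64-bit register accesses must be accepted */`, would keep the reason next to the value. No `.impl` sizes are set in the visible lines, so it is worth checking, outside this hunk, that the xhci_oper and xhci_runtime read/write handlers behave correctly for whatever width the core hands them when the guest issues an 8-byte access.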
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
new file mode 100644
index 0000000000..cdd9c38db9
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,67 @@ +From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 18 Aug 2021 14:05:05 +0200 +Subject: [PATCH] uas: add stream number sanity checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The device uses the guest-supplied stream number unchecked, which can +lead to guest-triggered out-of-band access to the UASDevice->data3 and +UASDevice->status3 fields. Add the missing checks. + +Fixes: CVE-2021-3713 +Signed-off-by: Gerd Hoffmann +Reported-by: Chen Zhe +Reported-by: Tan Jingguo +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com> + +https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a +CVE: CVE-2021-3713 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/usb/dev-uas.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c +index 6d6d1073..0b8cd4dd 100644 +--- a/hw/usb/dev-uas.c ++++ b/hw/usb/dev-uas.c +@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + } + break; + case UAS_PIPE_ID_STATUS: ++ if (p->stream > UAS_MAX_STREAMS) { ++ goto err_stream; ++ } + if (p->stream) { + QTAILQ_FOREACH(st, &uas->results, next) { + if (st->stream == p->stream) { +@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + break; + case UAS_PIPE_ID_DATA_IN: + case UAS_PIPE_ID_DATA_OUT: ++ if (p->stream > UAS_MAX_STREAMS) { ++ goto err_stream; ++ } + if (p->stream) { + req = usb_uas_find_request(uas, p->stream); + } else { +@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + p->status = USB_RET_STALL; + break; + } ++ ++err_stream: ++ error_report("%s: invalid stream %d", __func__, p->stream); ++ p->status = USB_RET_STALL; ++ return; + } + + static 
void usb_uas_unrealize(USBDevice *dev, Error **errp) diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 0000000000..b291ade4e3 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch 
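Review bot: The new `err_stream:` label sits directly after the closing brace of the switch with no `return` in front of it, so every case that leaves the switch with `break` falls through into the error path: it logs "invalid stream" and overwrites `p->status` with `USB_RET_STALL` even for valid packets. Add `return;` on the line before `err_stream:`. Separately, `p->stream > UAS_MAX_STREAMS` is only the right bound if the `data3`/`status3` arrays named in the commit message hold `UAS_MAX_STREAMS + 1` entries; their declaration is not in the hunk, so confirm that or use `>=`. usb_uas_handle_data() starts outside the hunk.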
@@ -0,0 +1,124 @@ +From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 2 Sep 2021 13:44:12 +0800 +Subject: [PATCH] virtio-net: fix use after unmap/free for sg + +When mergeable buffer is enabled, we try to set the num_buffers after +the virtqueue elem has been unmapped. This will lead several issues, +E.g a use after free when the descriptor has an address which belongs +to the non direct access region. In this case we use bounce buffer +that is allocated during address_space_map() and freed during +address_space_unmap(). + +Fixing this by storing the elems temporarily in an array and delay the +unmap after we set the the num_buffers. + +This addresses CVE-2021-3748. + +Reported-by: Alexander Bulekov +Fixes: fbe78f4f55c6 ("virtio-net support") +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang + +https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6 +CVE: CVE-2021-3748 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++------- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 16d20cdee52a..f205331dcf8c 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + VirtIONet *n = qemu_get_nic_opaque(nc); + VirtIONetQueue *q = virtio_net_get_subqueue(nc); + VirtIODevice *vdev = VIRTIO_DEVICE(n); ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; ++ size_t lens[VIRTQUEUE_MAX_SIZE]; + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; + struct virtio_net_hdr_mrg_rxbuf mhdr; + unsigned mhdr_cnt = 0; +- size_t offset, i, guest_offset; ++ size_t offset, i, guest_offset, j; ++ ssize_t err; + + if (!virtio_net_can_receive(nc)) { + return -1; +@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + total = 0; + ++ if (i == 
VIRTQUEUE_MAX_SIZE) { ++ virtio_error(vdev, "virtio-net unexpected long buffer chain"); ++ err = size; ++ goto err; ++ } ++ + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); + if (!elem) { + if (i) { +@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + n->guest_hdr_len, n->host_hdr_len, + vdev->guest_features); + } +- return -1; ++ err = -1; ++ goto err; + } + + if (elem->in_num < 1) { +@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + "virtio-net receive queue contains no in buffers"); + virtqueue_detach_element(q->rx_vq, elem, 0); + g_free(elem); +- return -1; ++ err = -1; ++ goto err; + } + + sg = elem->in_sg; +@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + if (!n->mergeable_rx_bufs && offset < size) { + virtqueue_unpop(q->rx_vq, elem, total); + g_free(elem); +- return size; ++ err = size; ++ goto err; + } + +- /* signal other side */ +- virtqueue_fill(q->rx_vq, elem, total, i++); +- g_free(elem); ++ elems[i] = elem; ++ lens[i] = total; ++ i++; + } + + if (mhdr_cnt) { +@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + &mhdr.num_buffers, sizeof mhdr.num_buffers); + } + ++ for (j = 0; j < i; j++) { ++ /* signal other side */ ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j); ++ g_free(elems[j]); ++ } ++ + virtqueue_flush(q->rx_vq, i); + virtio_notify(vdev, q->rx_vq); + + return size; ++ ++err: ++ for (j = 0; j < i; j++) { ++ g_free(elems[j]); ++ } ++ ++ return err; + } + + static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf, diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch new file mode 100644 index 0000000000..b1b5558647 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch 
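Review bot: The new `err:` path only calls `g_free(elems[j])` for the elements collected so far; they were taken with virtqueue_pop() and are never handed back, so their mappings and the queue's in-use accounting are presumably left dangling when receive fails part-way through a buffer chain. Detach each one before freeing it, `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` followed by `g_free(elems[j]);`, which is the same call the patch already uses for the "no in buffers" case. Also note that `elems` and `lens` add two `VIRTQUEUE_MAX_SIZE`-entry arrays to the stack frame of the receive path. Parts of virtio_net_receive_rcu() lie outside the hunks shown.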
@@ -0,0 +1,53 @@
+From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT
+ commands
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li
+Signed-off-by: Mauro Matteo Cascella
+Signed-off-by: Paolo Bonzini
+
+https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
+CVE: CVE-2021-3930
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee
+---
+ hw/scsi/scsi-disk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e8a547dbb7..d4914178ea 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+ uint8_t *p = *p_outbuf + 2;
+ int length;
+
++ assert(page < ARRAY_SIZE(mode_sense_valid));
+ if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+ return -1;
+ }
+@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+ return -1;
+ }
+
++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++ if (page == MODE_PAGE_ALLS) {
++ return -1;
++ }
++
+ p = mode_current;
+ memset(mode_current, 0, inlen + 2);
+ len = mode_sense_page(s, page, &p, 0);
+--
+GitLab
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
new file mode 100644
index 0000000000..80ad49e4ed
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
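Review bot: `assert(page < ARRAY_SIZE(mode_sense_valid));` in mode_sense_page() turns an out-of-range page code into an abort of the whole emulator process, so it is only safe if every caller filters guest-supplied page values first. The patch adds that filter to scsi_disk_check_mode_select() for `MODE_PAGE_ALLS`; the other callers of mode_sense_page() are outside the hunk and should be checked. If any of them can pass a guest-controlled value, prefer failing the command instead: `if (page >= ARRAY_SIZE(mode_sense_valid)) { return -1; }`. Both functions begin outside the hunks shown.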
@@ -0,0 +1,89 @@ +From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:17:12 +0200 +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc + (CVE-2021-4206) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Prevent potential integer overflow by limiting 'width' and 'height' to +512x512. Also change 'datasize' type to size_t. Refer to security +advisory https://starlabs.sg/advisories/22-4206/ for more information. + +Fixes: CVE-2021-4206 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann + +https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a +CVE: CVE-2021-4206 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/display/qxl-render.c | 7 +++++++ + hw/display/vmware_vga.c | 2 ++ + ui/cursor.c | 8 +++++++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 237ed293ba..ca217004bf 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + size_t size; + + c = cursor_alloc(cursor->header.width, cursor->header.height); ++ ++ if (!c) { ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, ++ cursor->header.width, cursor->header.height); ++ goto fail; ++ } ++ + c->hot_x = cursor->header.hot_spot_x; + c->hot_y = cursor->header.hot_spot_y; + switch (cursor->header.type) { +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index 98c83474ad..45d06cbe25 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + int i, pixels; + + qc = cursor_alloc(c->width, c->height); ++ assert(qc != NULL); ++ + qc->hot_x = c->hot_x; + qc->hot_y = 
c->hot_y; + switch (c->bpp) { +diff --git a/ui/cursor.c b/ui/cursor.c +index 1d62ddd4d0..835f0802f9 100644 +--- a/ui/cursor.c ++++ b/ui/cursor.c +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) + + /* parse pixel data */ + c = cursor_alloc(width, height); ++ assert(c != NULL); ++ + for (pixel = 0, y = 0; y < height; y++, line++) { + for (x = 0; x < height; x++, pixel++) { + idx = xpm[line][x]; +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) + QEMUCursor *cursor_alloc(int width, int height) + { + QEMUCursor *c; +- int datasize = width * height * sizeof(uint32_t); ++ size_t datasize = width * height * sizeof(uint32_t); ++ ++ if (width > 512 || height > 512) { ++ return NULL; ++ } + + c = g_malloc0(sizeof(QEMUCursor) + datasize); + c->width = width; +-- +GitLab + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch new file mode 100644 index 0000000000..8418246247 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch 
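Review bot: In cursor_alloc() the new bound `if (width > 512 || height > 512)` is evaluated after `datasize` has already been computed from the unchecked values, and it does not reject negative `width`/`height`, which are plain `int` parameters. Validate first and compute afterwards, e.g. `if (width < 0 || height < 0 || width > 512 || height > 512) { return NULL; }` placed ahead of the `datasize` initialisation. The callers in vmware_vga.c and cursor_parse_xpm() answer a NULL return with `assert()`. That is fine for the built-in XPM data, but in vmsvga_cursor_define() it aborts the process unless the dimensions were bounded earlier; that validation is not in the hunk and should be confirmed.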
@@ -0,0 +1,43 @@
+From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Thu, 7 Apr 2022 10:11:06 +0200
+Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
+ (CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid fetching 'width' and 'height' a second time to prevent possible
+race condition. Refer to security advisory
+https://starlabs.sg/advisories/22-4207/ for more information.
+
+Fixes: CVE-2021-4207
+Signed-off-by: Mauro Matteo Cascella
+Reviewed-by: Marc-André Lureau
+Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann
+
+https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb
+CVE: CVE-2021-4207
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee
+---
+ hw/display/qxl-render.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d28849b121..237ed293ba 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ }
+ break;
+ case SPICE_CURSOR_TYPE_ALPHA:
+- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
++ size = sizeof(uint32_t) * c->width * c->height;
+ qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+ if (qxl->debug > 2) {
+ cursor_print_ascii_art(c, "qxl/alpha");
+--
+GitLab
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
new file mode 100644
index 0000000000..6a7ce0e26c
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
@@ -0,0 +1,42 @@
+From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella
+Reviewed-by: Thomas Huth
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini
+
+https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index c8773f73f7..99ea42d49b 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
+ case 0x0d:
+ /* The ABORT TAG message clears the current I/O process only. */
+ trace_lsi_do_msgout_abort(current_tag);
+- if (current_req) {
++ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
++ current_req->req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+--
+GitLab
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
new file mode 100644
index 0000000000..137906cd30
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
@@ -0,0 +1,52 @@
+From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests. Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+
+Thanks to Alexander Bulekov for providing a reproducer.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella
+Tested-by: Alexander Bulekov
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini
+
+https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee
+---
+ hw/scsi/lsi53c895a.c | 3 +-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 99ea42d49b..ad5f5e5f39 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
+ trace_lsi_do_msgout_abort(current_tag);
+ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
+- current_req->req = NULL;
++ current_req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
+ /* clear the current I/O process */
+ if (s->current) {
+ scsi_req_cancel(s->current->req);
++ current_req = NULL;
+ }
+
+ /* As the current implemented devices scsi_disk and scsi_generic
+--
+GitLab
+
diff --git a/poky/meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch b/poky/meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch
new file mode 100644
index 0000000000..030ead6c66
--- /dev/null
+++ b/poky/meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch
@@ -0,0 +1,146 @@ +From 61382fd8ea66000bd9ee8e203a6eab443220ee40 Mon Sep 17 00:00:00 2001 +From: Nathan Hartman +Date: Sun, 27 Mar 2022 05:59:18 +0000 +Subject: [PATCH] On the 1.14.x-r1899227 branch: Merge r1899227 from trunk + w/testlist variation + +git-svn-id: https://svn.apache.org/repos/asf/subversion/branches/1.14.x-r1899227@1899229 13f79535-47bb-0310-9956-ffa450edef68 + +CVE: CVE-2021-28544 [https://github.com/apache/subversion/commit/61382fd8ea66000bd9ee8e203a6eab443220ee40] +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + subversion/libsvn_repos/log.c | 26 +++++------- + subversion/tests/cmdline/authz_tests.py | 55 +++++++++++++++++++++++++ + 2 files changed, 65 insertions(+), 16 deletions(-) + +diff --git a/subversion/libsvn_repos/log.c b/subversion/libsvn_repos/log.c +index d9a1fb1085e16..41ca8aed27174 100644 +--- a/subversion/libsvn_repos/log.c ++++ b/subversion/libsvn_repos/log.c +@@ -337,42 +337,36 @@ detect_changed(svn_repos_revision_access_level_t *access_level, + if ( (change->change_kind == svn_fs_path_change_add) + || (change->change_kind == svn_fs_path_change_replace)) + { +- const char *copyfrom_path = change->copyfrom_path; +- svn_revnum_t copyfrom_rev = change->copyfrom_rev; +- + /* the following is a potentially expensive operation since on FSFS + we will follow the DAG from ROOT to PATH and that requires + actually reading the directories along the way. 
*/ + if (!change->copyfrom_known) + { +- SVN_ERR(svn_fs_copied_from(©from_rev, ©from_path, ++ SVN_ERR(svn_fs_copied_from(&change->copyfrom_rev, &change->copyfrom_path, + root, path, iterpool)); + change->copyfrom_known = TRUE; + } + +- if (copyfrom_path && SVN_IS_VALID_REVNUM(copyfrom_rev)) ++ if (change->copyfrom_path && SVN_IS_VALID_REVNUM(change->copyfrom_rev)) + { +- svn_boolean_t readable = TRUE; +- + if (callbacks->authz_read_func) + { + svn_fs_root_t *copyfrom_root; ++ svn_boolean_t readable; + + SVN_ERR(svn_fs_revision_root(©from_root, fs, +- copyfrom_rev, iterpool)); ++ change->copyfrom_rev, iterpool)); + SVN_ERR(callbacks->authz_read_func(&readable, + copyfrom_root, +- copyfrom_path, ++ change->copyfrom_path, + callbacks->authz_read_baton, + iterpool)); + if (! readable) +- found_unreadable = TRUE; +- } +- +- if (readable) +- { +- change->copyfrom_path = copyfrom_path; +- change->copyfrom_rev = copyfrom_rev; ++ { ++ found_unreadable = TRUE; ++ change->copyfrom_path = NULL; ++ change->copyfrom_rev = SVN_INVALID_REVNUM; ++ } + } + } + } +diff --git a/subversion/tests/cmdline/authz_tests.py b/subversion/tests/cmdline/authz_tests.py +index 760cb3663d02f..92e8a5e1935c9 100755 +--- a/subversion/tests/cmdline/authz_tests.py ++++ b/subversion/tests/cmdline/authz_tests.py +@@ -1731,6 +1731,60 @@ def empty_group(sbox): + '--username', svntest.main.wc_author, + sbox.repo_url) + ++@Skip(svntest.main.is_ra_type_file) ++def log_inaccessible_copyfrom(sbox): ++ "log doesn't leak inaccessible copyfrom paths" ++ ++ sbox.build(empty=True) ++ sbox.simple_add_text('secret', 'private') ++ sbox.simple_commit(message='log message for r1') ++ sbox.simple_copy('private', 'public') ++ sbox.simple_commit(message='log message for r2') ++ ++ svntest.actions.enable_revprop_changes(sbox.repo_dir) ++ # Remove svn:date and svn:author for predictable output. 
++ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop', ++ '-r2', 'svn:date', sbox.repo_url) ++ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop', ++ '-r2', 'svn:author', sbox.repo_url) ++ ++ write_restrictive_svnserve_conf(sbox.repo_dir) ++ ++ # First test with blanket access. ++ write_authz_file(sbox, ++ {"/" : "* = rw"}) ++ expected_output = svntest.verify.ExpectedOutput([ ++ "------------------------------------------------------------------------\n", ++ "r2 | (no author) | (no date) | 1 line\n", ++ "Changed paths:\n", ++ " A /public (from /private:1)\n", ++ "\n", ++ "log message for r2\n", ++ "------------------------------------------------------------------------\n", ++ ]) ++ svntest.actions.run_and_verify_svn(expected_output, [], ++ 'log', '-r2', '-v', ++ sbox.repo_url) ++ ++ # Now test with an inaccessible copy source (/private). ++ write_authz_file(sbox, ++ {"/" : "* = rw"}, ++ {"/private" : "* ="}) ++ expected_output = svntest.verify.ExpectedOutput([ ++ "------------------------------------------------------------------------\n", ++ "r2 | (no author) | (no date) | 1 line\n", ++ "Changed paths:\n", ++ # The copy is shown as a plain add with no copyfrom info. ++ " A /public\n", ++ "\n", ++ # No log message, as the revision is only partially visible. ++ "\n", ++ "------------------------------------------------------------------------\n", ++ ]) ++ svntest.actions.run_and_verify_svn(expected_output, [], ++ 'log', '-r2', '-v', ++ sbox.repo_url) ++ + + ######################################################################## + # Run the tests +@@ -1771,6 +1825,7 @@ def empty_group(sbox): + inverted_group_membership, + group_member_empty_string, + empty_group, ++ log_inaccessible_copyfrom, + ] + serial_only = True + diff --git a/poky/meta/recipes-devtools/subversion/subversion_1.13.0.bb b/poky/meta/recipes-devtools/subversion/subversion_1.13.0.bb index 34c0dbe5b8..5643191569 100644 
--- a/poky/meta/recipes-devtools/subversion/subversion_1.13.0.bb +++ b/poky/meta/recipes-devtools/subversion/subversion_1.13.0.bb @@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0001-Fix-libtool-name-in-configure.ac.patch \ file://serfmacro.patch \ file://CVE-2020-17525.patch \ + file://CVE-2021-28544.patch \ " SRC_URI[md5sum] = "3004b4dae18bf45a0b6ea4ef8820064d" diff --git a/poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch new file mode 100644 index 0000000000..555c7a47f7 --- /dev/null +++ b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch 
@@ -0,0 +1,183 @@ +Description: Fix handling of symbolic link ACLs + Published as CVE-2021-23177 +Origin: upstream, https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad +Bug-Debian: https://bugs.debian.org/1001986 +Author: Martin Matuska +Last-Updated: 2021-12-20 + +CVE: CVE-2021-23177 +Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz] +Signed-off-by: Ranjitsinh Rathod + +--- a/libarchive/archive_disk_acl_freebsd.c ++++ b/libarchive/archive_disk_acl_freebsd.c +@@ -319,7 +319,7 @@ + + static int + set_acl(struct archive *a, int fd, const char *name, +- struct archive_acl *abstract_acl, ++ struct archive_acl *abstract_acl, __LA_MODE_T mode, + int ae_requested_type, const char *tname) + { + int acl_type = 0; +@@ -364,6 +364,13 @@ + return (ARCHIVE_FAILED); + } + ++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) { ++ errno = EINVAL; ++ archive_set_error(a, errno, ++ "Cannot set default ACL on non-directory"); ++ return (ARCHIVE_WARN); ++ } ++ + acl = acl_init(entries); + if (acl == (acl_t)NULL) { + archive_set_error(a, errno, +@@ -542,7 +549,10 @@ + else if (acl_set_link_np(name, acl_type, acl) != 0) + #else + /* FreeBSD older than 8.0 */ +- else if (acl_set_file(name, acl_type, acl) != 0) ++ else if (S_ISLNK(mode)) { ++ /* acl_set_file() follows symbolic links, skip */ ++ ret = ARCHIVE_OK; ++ } else if (acl_set_file(name, acl_type, acl) != 0) + #endif + { + if (errno == EOPNOTSUPP) { +@@ -677,14 +687,14 @@ + & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) { + if ((archive_acl_types(abstract_acl) + & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) { +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access"); + if (ret != ARCHIVE_OK) + return (ret); + } + if ((archive_acl_types(abstract_acl) + & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0) +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, 
name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default"); + + /* Simultaneous POSIX.1e and NFSv4 is not supported */ +@@ -693,7 +703,7 @@ + #if ARCHIVE_ACL_FREEBSD_NFS4 + else if ((archive_acl_types(abstract_acl) & + ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) { +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4"); + } + #endif +--- a/libarchive/archive_disk_acl_linux.c ++++ b/libarchive/archive_disk_acl_linux.c +@@ -343,6 +343,11 @@ + return (ARCHIVE_FAILED); + } + ++ if (S_ISLNK(mode)) { ++ /* Linux does not support RichACLs on symbolic links */ ++ return (ARCHIVE_OK); ++ } ++ + richacl = richacl_alloc(entries); + if (richacl == NULL) { + archive_set_error(a, errno, +@@ -455,7 +460,7 @@ + #if ARCHIVE_ACL_LIBACL + static int + set_acl(struct archive *a, int fd, const char *name, +- struct archive_acl *abstract_acl, ++ struct archive_acl *abstract_acl, __LA_MODE_T mode, + int ae_requested_type, const char *tname) + { + int acl_type = 0; +@@ -488,6 +493,18 @@ + return (ARCHIVE_FAILED); + } + ++ if (S_ISLNK(mode)) { ++ /* Linux does not support ACLs on symbolic links */ ++ return (ARCHIVE_OK); ++ } ++ ++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) { ++ errno = EINVAL; ++ archive_set_error(a, errno, ++ "Cannot set default ACL on non-directory"); ++ return (ARCHIVE_WARN); ++ } ++ + acl = acl_init(entries); + if (acl == (acl_t)NULL) { + archive_set_error(a, errno, +@@ -727,14 +744,14 @@ + & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) { + if ((archive_acl_types(abstract_acl) + & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) { +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access"); + if (ret != ARCHIVE_OK) + return (ret); + } + if ((archive_acl_types(abstract_acl) + & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0) +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + 
ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default"); + } + #endif /* ARCHIVE_ACL_LIBACL */ +--- a/libarchive/archive_disk_acl_sunos.c ++++ b/libarchive/archive_disk_acl_sunos.c +@@ -443,7 +443,7 @@ + + static int + set_acl(struct archive *a, int fd, const char *name, +- struct archive_acl *abstract_acl, ++ struct archive_acl *abstract_acl, __LA_MODE_T mode, + int ae_requested_type, const char *tname) + { + aclent_t *aclent; +@@ -467,7 +467,6 @@ + if (entries == 0) + return (ARCHIVE_OK); + +- + switch (ae_requested_type) { + case ARCHIVE_ENTRY_ACL_TYPE_POSIX1E: + cmd = SETACL; +@@ -492,6 +491,12 @@ + return (ARCHIVE_FAILED); + } + ++ if (S_ISLNK(mode)) { ++ /* Skip ACLs on symbolic links */ ++ ret = ARCHIVE_OK; ++ goto exit_free; ++ } ++ + e = 0; + + while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type, +@@ -801,7 +806,7 @@ + if ((archive_acl_types(abstract_acl) + & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) { + /* Solaris writes POSIX.1e access and default ACLs together */ +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_POSIX1E, "posix1e"); + + /* Simultaneous POSIX.1e and NFSv4 is not supported */ +@@ -810,7 +815,7 @@ + #if ARCHIVE_ACL_SUNOS_NFS4 + else if ((archive_acl_types(abstract_acl) & + ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) { +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4"); + } + #endif diff --git a/poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch new file mode 100644 index 0000000000..c4a2fb612c --- /dev/null +++ b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch 
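Review bot: The new `S_ISLNK(mode)` and `S_ISDIR(mode)` guards in set_acl() decide from the `mode` argument alone, and nothing in the patch documents where that value must come from. If callers pass the archive entry's mode rather than the result of an lstat() on `name`, the guard reflects what the archive claims, not what is on disk at the time of the call. I would add a comment on the parameter, such as `/* mode: file type of the on-disk object; ACLs are skipped for symlinks */`, and check the call sites, which are outside these hunks. The same applies to the FreeBSD, Linux and SunOS variants of set_acl() touched here.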
@@ -0,0 +1,23 @@
+Description: Never follow symlinks when setting file flags on Linux
+ Published as CVE-2021-31566
+Origin: upstream, https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b
+Bug-Debian: https://bugs.debian.org/1001990
+Author: Martin Matuska
+Last-Update: 2021-12-20
+
+CVE: CVE-2021-31566
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod
+
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -3927,7 +3927,8 @@
+
+ /* If we weren't given an fd, open it ourselves. */
+ if (myfd < 0) {
+- myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY | O_CLOEXEC);
++ myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY |
++ O_CLOEXEC | O_NOFOLLOW);
+ __archive_ensure_cloexec_flag(myfd);
+ }
+ if (myfd < 0)
diff --git a/poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch
new file mode 100644
index 0000000000..0dfcd1ac5c
--- /dev/null
+++ b/poky/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch
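Review bot: The added `O_NOFOLLOW` in the `open()` call of CVE-2021-31566-01.patch protects only the final path component, and nothing at the call says so or says what happens when the open now fails on a symlink. I would add a comment above the call, `/* O_NOFOLLOW: never set flags through a symlink; covers the last path component only */`. The `if (myfd < 0)` branch that follows is cut off at the hunk edge, so it is worth confirming that it skips the entry rather than falling back to a path-based call that would follow the link.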
@@ -0,0 +1,172 @@ +Description: Do not follow symlinks when processing the fixup list + Published as CVE-2021-31566 +Origin: upstream, https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 +Bug-Debian: https://bugs.debian.org/1001990 +Author: Martin Matuska +Last-Update: 2021-12-20 + +CVE: CVE-2021-31566 +Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz] +Signed-off-by: Ranjitsinh Rathod + +--- a/Makefile.am ++++ b/Makefile.am +@@ -556,6 +556,7 @@ + libarchive/test/test_write_disk.c \ + libarchive/test/test_write_disk_appledouble.c \ + libarchive/test/test_write_disk_failures.c \ ++ libarchive/test/test_write_disk_fixup.c \ + libarchive/test/test_write_disk_hardlink.c \ + libarchive/test/test_write_disk_hfs_compression.c \ + libarchive/test/test_write_disk_lookup.c \ +--- a/libarchive/archive_write_disk_posix.c ++++ b/libarchive/archive_write_disk_posix.c +@@ -2461,6 +2461,7 @@ + { + struct archive_write_disk *a = (struct archive_write_disk *)_a; + struct fixup_entry *next, *p; ++ struct stat st; + int fd, ret; + + archive_check_magic(&a->archive, ARCHIVE_WRITE_DISK_MAGIC, +@@ -2478,6 +2479,20 @@ + (TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) { + fd = open(p->name, + O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC); ++ if (fd == -1) { ++ /* If we cannot lstat, skip entry */ ++ if (lstat(p->name, &st) != 0) ++ goto skip_fixup_entry; ++ /* ++ * If we deal with a symbolic link, mark ++ * it in the fixup mode to ensure no ++ * modifications are made to its target. 
++ */ ++ if (S_ISLNK(st.st_mode)) { ++ p->mode &= ~S_IFMT; ++ p->mode |= S_IFLNK; ++ } ++ } + } + if (p->fixup & TODO_TIMES) { + set_times(a, fd, p->mode, p->name, +@@ -2492,7 +2507,12 @@ + fchmod(fd, p->mode); + else + #endif +- chmod(p->name, p->mode); ++#ifdef HAVE_LCHMOD ++ lchmod(p->name, p->mode); ++#else ++ if (!S_ISLNK(p->mode)) ++ chmod(p->name, p->mode); ++#endif + } + if (p->fixup & TODO_ACLS) + archive_write_disk_set_acls(&a->archive, fd, +@@ -2503,6 +2523,7 @@ + if (p->fixup & TODO_MAC_METADATA) + set_mac_metadata(a, p->name, p->mac_metadata, + p->mac_metadata_size); ++skip_fixup_entry: + next = p->next; + archive_acl_clear(&p->acl); + free(p->mac_metadata); +@@ -2643,6 +2664,7 @@ + fe->next = a->fixup_list; + a->fixup_list = fe; + fe->fixup = 0; ++ fe->mode = 0; + fe->name = strdup(pathname); + return (fe); + } +--- a/libarchive/test/CMakeLists.txt ++++ b/libarchive/test/CMakeLists.txt +@@ -208,6 +208,7 @@ + test_write_disk.c + test_write_disk_appledouble.c + test_write_disk_failures.c ++ test_write_disk_fixup.c + test_write_disk_hardlink.c + test_write_disk_hfs_compression.c + test_write_disk_lookup.c +--- /dev/null ++++ b/libarchive/test/test_write_disk_fixup.c +@@ -0,0 +1,77 @@ ++/*- ++ * Copyright (c) 2021 Martin Matuska ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. 
++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++#include "test.h" ++ ++/* ++ * Test fixup entries don't follow symlinks ++ */ ++DEFINE_TEST(test_write_disk_fixup) ++{ ++ struct archive *ad; ++ struct archive_entry *ae; ++ int r; ++ ++ if (!canSymlink()) { ++ skipping("Symlinks not supported"); ++ return; ++ } ++ ++ /* Write entries to disk. 
*/ ++ assert((ad = archive_write_disk_new()) != NULL); ++ ++ /* ++ * Create a file ++ */ ++ assertMakeFile("victim", 0600, "a"); ++ ++ /* ++ * Create a directory and a symlink with the same name ++ */ ++ ++ /* Directory: dir */ ++ assert((ae = archive_entry_new()) != NULL); ++ archive_entry_copy_pathname(ae, "dir"); ++ archive_entry_set_mode(ae, AE_IFDIR | 0606); ++ assertEqualIntA(ad, 0, archive_write_header(ad, ae)); ++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); ++ archive_entry_free(ae); ++ ++ /* Symbolic Link: dir -> foo */ ++ assert((ae = archive_entry_new()) != NULL); ++ archive_entry_copy_pathname(ae, "dir"); ++ archive_entry_set_mode(ae, AE_IFLNK | 0777); ++ archive_entry_set_size(ae, 0); ++ archive_entry_copy_symlink(ae, "victim"); ++ assertEqualIntA(ad, 0, r = archive_write_header(ad, ae)); ++ if (r >= ARCHIVE_WARN) ++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); ++ archive_entry_free(ae); ++ ++ assertEqualInt(ARCHIVE_OK, archive_write_free(ad)); ++ ++ /* Test the entries on disk. */ ++ assertIsSymlink("dir", "victim", 0); ++ assertFileMode("victim", 0600); ++} diff --git a/poky/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/poky/meta/recipes-extended/libarchive/libarchive_3.4.2.bb index b7426a1be8..7d2e7b711b 100644 --- a/poky/meta/recipes-extended/libarchive/libarchive_3.4.2.bb +++ b/poky/meta/recipes-extended/libarchive/libarchive_3.4.2.bb @@ -36,6 +36,9 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2021-36976-1.patch \ file://CVE-2021-36976-2.patch \ file://CVE-2021-36976-3.patch \ + file://CVE-2021-23177.patch \ + file://CVE-2021-31566-01.patch \ + file://CVE-2021-31566-02.patch \ " SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451" diff --git a/poky/meta/recipes-extended/timezone/timezone.inc b/poky/meta/recipes-extended/timezone/timezone.inc index cdd1a2ac3c..d032fed356 100644 --- a/poky/meta/recipes-extended/timezone/timezone.inc 
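Review bot: In the fixup loop of the `archive_write_disk_posix.c` hunk in CVE-2021-31566-02.patch, the symlink decision is made by `lstat(p->name, &st)` but acted on later by path-based calls, so the name is resolved again after the check. When `fd` is -1 and `HAVE_LCHMOD` is not defined, `if (!S_ISLNK(p->mode)) chmod(p->name, p->mode);` relies on the mode recorded at that earlier point, so a change to the path between the two calls would not be noticed. I would document that residual window next to the check, for example `/* lstat() result is advisory: later path-based calls re-resolve p->name */`, and also note there that the return values of `lchmod()` and `chmod()` are ignored. The loop body starts and ends outside the hunk, so how `set_times` and the ACL path treat `fd == -1` is not visible here.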
+++ b/poky/meta/recipes-extended/timezone/timezone.inc @@ -6,7 +6,7 @@ SECTION = "base" LICENSE = "PD & BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba" -PV = "2022a" +PV = "2022c" SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \ http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \ @@ -14,6 +14,6 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones" -SRC_URI[tzcode.sha256sum] = "f8575e7e33be9ee265df2081092526b81c80abac3f4a04399ae9d4d91cdadac7" -SRC_URI[tzdata.sha256sum] = "ef7fffd9f4f50f4f58328b35022a32a5a056b245c5cb3d6791dddb342f871664" +SRC_URI[tzcode.sha256sum] = "3e7ce1f3620cc0481907c7e074d69910793285bffe0ca331ef1a6d1ae3ea90cc" +SRC_URI[tzdata.sha256sum] = "6974f4e348bf2323274b56dff9e7500247e3159eaa4b485dfa0cd66e75c14bfe" diff --git a/poky/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch b/poky/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch new file mode 100644 index 0000000000..4a277bd4d0 --- /dev/null +++ b/poky/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch 
@@ -0,0 +1,100 @@ +From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001 +From: Gert Wollny +Date: Tue, 30 Nov 2021 10:17:26 +0100 +Subject: [PATCH] vrend: Add test to resource OOB write and fix it + +v2: Also check that no depth != 1 has been send when none is due + +Closes: #250 +Signed-off-by: Gert Wollny +Reviewed-by: Chia-I Wu + +https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec +Upstream-Status: Backport +CVE: CVE-2022-0135 +Signed-off-by: Chee Yang Lee +--- + src/vrend_renderer.c | 3 +++ + tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c +index 28f669727..357b81b20 100644 +--- a/src/vrend_renderer.c ++++ b/src/vrend_renderer.c +@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx, + info->box->height) * elsize; + if (res->target == GL_TEXTURE_3D || + res->target == GL_TEXTURE_2D_ARRAY || ++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY || + res->target == GL_TEXTURE_CUBE_MAP_ARRAY) + send_size *= info->box->depth; ++ else if (need_temp && info->box->depth != 1) ++ return EINVAL; + + if (need_temp) { + data = malloc(send_size); +diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c +index 59d6fb671..2de9a9a3f 100644 +--- a/tests/test_fuzzer_formats.c ++++ b/tests/test_fuzzer_formats.c +@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() { + virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde); + } + ++/* Test adapted from yaojun8558363@gmail.com: ++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250 ++*/ ++static void test_vrend_3d_resource_overflow() { ++ ++ struct virgl_renderer_resource_create_args resource; ++ resource.handle = 0x4c474572; ++ resource.target = PIPE_TEXTURE_2D_ARRAY; ++ resource.format = VIRGL_FORMAT_Z24X8_UNORM; ++ resource.nr_samples = 2; ++ 
resource.last_level = 0; ++ resource.array_size = 3; ++ resource.bind = VIRGL_BIND_SAMPLER_VIEW; ++ resource.depth = 1; ++ resource.width = 8; ++ resource.height = 4; ++ resource.flags = 0; ++ ++ virgl_renderer_resource_create(&resource, NULL, 0); ++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle); ++ ++ uint32_t size = 0x400; ++ uint32_t cmd[size]; ++ int i = 0; ++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; ++ cmd[i++] = resource.handle; ++ cmd[i++] = 0; // level ++ cmd[i++] = 0; // usage ++ cmd[i++] = 0; // stride ++ cmd[i++] = 0; // layer_stride ++ cmd[i++] = 0; // x ++ cmd[i++] = 0; // y ++ cmd[i++] = 0; // z ++ cmd[i++] = 8; // w ++ cmd[i++] = 4; // h ++ cmd[i++] = 3; // d ++ memset(&cmd[i], 0, size - i); ++ ++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size); ++} ++ ++ + int main() + { + initialize_environment(); +@@ -979,6 +1021,7 @@ int main() + test_cs_nullpointer_deference(); + test_vrend_set_signle_abo_heap_overflow(); + ++ test_vrend_3d_resource_overflow(); + + virgl_renderer_context_destroy(ctx_id); + virgl_renderer_cleanup(&cookie); +-- +GitLab + diff --git a/poky/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/poky/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb index 31c45ef89c..8185d6f7e8 100644 --- a/poky/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb +++ b/poky/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb @@ -13,6 +13,7 @@ SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985" SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \ file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \ file://0001-meson.build-use-python3-directly-for-python.patch \ + file://CVE-2022-0135.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb b/poky/meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb index e4f7d1e372..d7c7918515 100644 
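Review bot: In `test_vrend_3d_resource_overflow` (CVE-2022-0135.patch), `memset(&cmd[i], 0, size - i);` passes an element count where `memset` expects a byte count, so only about a quarter of the remaining `uint32_t` slots are cleared and the rest of `cmd` is uninitialised stack data handed to `virgl_renderer_submit_cmd`. That makes the regression test for the out-of-bounds write depend on stack contents; the line should read `memset(&cmd[i], 0, (size - i) * sizeof(cmd[0]));`. As this file is a backport, the correction is best raised upstream as well so the recipe does not drift from the referenced commit.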
--- a/poky/meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb +++ b/poky/meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb @@ -11,6 +11,7 @@ SRC_URI += " \ file://0001-Disable-installing-header-file-provided-by-another-p.patch \ file://0001-Fix-build-for-Linux-5.8-rc1.patch \ file://0001-Fix-build-for-Linux-5.9-rc1.patch \ +file://fix-build-for-Linux-5.11-rc1.patch \ " EXTRA_OEMAKE='KERNEL_DIR="${STAGING_KERNEL_DIR}" PREFIX="${D}"' diff --git a/poky/meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch b/poky/meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch new file mode 100644 index 0000000000..3ae77cb9d6 --- /dev/null +++ b/poky/meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch @@ -0,0 +1,32 @@ +From 55c6315058fc0dd189ffd116f2cc27ba4fa84cb6 Mon Sep 17 00:00:00 2001 +From: Joan Bruguera +Date: Mon, 28 Dec 2020 01:41:31 +0100 +Subject: [PATCH] Fix build for Linux 5.11-rc1 + +ksys_close was removed, as far as I can tell, close_fd replaces it. + +See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8760c909f54a82aaa6e76da19afe798a0c77c3c3 + https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1572bfdf21d4d50e51941498ffe0b56c2289f783 + +Upstream-Status: Backport [https://github.com/cryptodev-linux/cryptodev-linux/commit/55c6315058fc0dd189ffd116f2cc27ba4fa84cb6] +Signed-off-by: Anuj Mittal +--- + ioctl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/ioctl.c b/ioctl.c +index 3d332380..95481d4f 100644 +--- a/ioctl.c ++++ b/ioctl.c +@@ -871,8 +871,10 @@ cryptodev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg_) + if (unlikely(ret)) { + #if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0)) + sys_close(fd); +-#else ++#elif (LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0)) + ksys_close(fd); ++#else ++ close_fd(fd); + #endif + return ret; + } 
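Review bot: The three-way `LINUX_VERSION_CODE` ladder that fix-build-for-Linux-5.11-rc1.patch leaves in `cryptodev_ioctl` carries no comment saying why each branch exists, and the patch description itself hedges with "as far as I can tell". A one-line comment above the ladder would help the next kernel bump, for example `/* sys_close() before 4.17, ksys_close() before 5.11, close_fd() from 5.11 on */`. `cryptodev_ioctl` starts and ends outside the hunk.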
diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20220708.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20220708.bb
deleted file mode 100644
index 27146154be..0000000000
--- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20220708.bb
+++ /dev/null
@@ -1,1070 +0,0 @@ -SUMMARY = "Firmware files for use with Linux kernel" -HOMEPAGE = "https://www.kernel.org/" -DESCRIPTION = "Linux firmware is a package distributed alongside the Linux kernel \ -that contains firmware binary blobs necessary for partial or full functionality \ -of certain hardware devices." -SECTION = "kernel" - -LICENSE = "\ - Firmware-Abilis \ - & Firmware-adsp_sst \ - & Firmware-agere \ - & Firmware-amdgpu \ - & Firmware-amd-ucode \ - & Firmware-amlogic_vdec \ - & Firmware-atheros_firmware \ - & Firmware-atmel \ - & Firmware-broadcom_bcm43xx \ - & Firmware-ca0132 \ - & Firmware-cavium \ - & Firmware-chelsio_firmware \ - & Firmware-cw1200 \ - & Firmware-cypress \ - & Firmware-dib0700 \ - & Firmware-e100 \ - & Firmware-ene_firmware \ - & Firmware-fw_sst_0f28 \ - & Firmware-go7007 \ - & Firmware-GPLv2 \ - & Firmware-hfi1_firmware \ - & Firmware-i915 \ - & Firmware-ibt_firmware \ - & Firmware-ice \ - & Firmware-it913x \ - & Firmware-iwlwifi_firmware \ - & Firmware-IntcSST2 \ - & Firmware-kaweth \ - & Firmware-Lontium \ - & Firmware-Marvell \ - & Firmware-moxa \ - & Firmware-myri10ge_firmware \ - & Firmware-netronome \ - & Firmware-nvidia \ - & Firmware-OLPC \ - & Firmware-ath9k-htc \ - & Firmware-phanfw \ - & Firmware-qat \ - & Firmware-qcom \ - & Firmware-qla1280 \ - & Firmware-qla2xxx \ - & Firmware-qualcommAthos_ar3k \ - & Firmware-qualcommAthos_ath10k \ - & Firmware-r8a779x_usb3 \ - & Firmware-radeon \ - & Firmware-ralink_a_mediatek_company_firmware \ - & Firmware-ralink-firmware \ - & Firmware-rtlwifi_firmware \ - & Firmware-imx-sdma_firmware \ - & Firmware-siano \ - & Firmware-ti-connectivity \ - & Firmware-ti-keystone \ - & Firmware-ueagle-atm4-firmware \ - & Firmware-via_vt6656 \ - & Firmware-wl1251 \ - & Firmware-xc4000 \ - & Firmware-xc5000 \ - & Firmware-xc5000c \ - & WHENCE \ -" - -LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ - file://LICENCE.adsp_sst;md5=615c45b91a5a4a9fe046d6ab9a2df728 \ - 
file://LICENCE.agere;md5=af0133de6b4a9b2522defd5f188afd31 \ - file://LICENSE.amdgpu;md5=44c1166d052226cb2d6c8d7400090203 \ - file://LICENSE.amd-ucode;md5=3c5399dc9148d7f0e1f41e34b69cf14f \ - file://LICENSE.amlogic_vdec;md5=dc44f59bf64a81643e500ad3f39a468a \ - file://LICENCE.atheros_firmware;md5=30a14c7823beedac9fa39c64fdd01a13 \ - file://LICENSE.atmel;md5=aa74ac0c60595dee4d4e239107ea77a3 \ - file://LICENCE.broadcom_bcm43xx;md5=3160c14df7228891b868060e1951dfbc \ - file://LICENCE.ca0132;md5=209b33e66ee5be0461f13d31da392198 \ - file://LICENCE.cadence;md5=009f46816f6956cfb75ede13d3e1cee0 \ - file://LICENCE.cavium;md5=c37aaffb1ebe5939b2580d073a95daea \ - file://LICENCE.chelsio_firmware;md5=819aa8c3fa453f1b258ed8d168a9d903 \ - file://LICENCE.cw1200;md5=f0f770864e7a8444a5c5aa9d12a3a7ed \ - file://LICENCE.cypress;md5=48cd9436c763bf873961f9ed7b5c147b \ - file://LICENSE.dib0700;md5=f7411825c8a555a1a3e5eab9ca773431 \ - file://LICENCE.e100;md5=ec0f84136766df159a3ae6d02acdf5a8 \ - file://LICENCE.ene_firmware;md5=ed67f0f62f8f798130c296720b7d3921 \ - file://LICENCE.fw_sst_0f28;md5=6353931c988ad52818ae733ac61cd293 \ - file://LICENCE.go7007;md5=c0bb9f6aaaba55b0529ee9b30aa66beb \ - file://GPL-2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://LICENSE.hfi1_firmware;md5=5e7b6e586ce7339d12689e49931ad444 \ - file://LICENSE.i915;md5=2b0b2e0d20984affd4490ba2cba02570 \ - file://LICENCE.ibt_firmware;md5=fdbee1ddfe0fb7ab0b2fcd6b454a366b \ - file://LICENSE.ice;md5=742ab4850f2670792940e6d15c974b2f \ - file://LICENCE.IntcSST2;md5=9e7d8bea77612d7cc7d9e9b54b623062 \ - file://LICENCE.it913x;md5=1fbf727bfb6a949810c4dbfa7e6ce4f8 \ - file://LICENCE.iwlwifi_firmware;md5=2ce6786e0fc11ac6e36b54bb9b799f1b \ - file://LICENCE.kaweth;md5=b1d876e562f4b3b8d391ad8395dfe03f \ - file://LICENSE.Lontium;md5=4ec8dc582ff7295f39e2ca6a7b0be2b6 \ - file://LICENCE.Marvell;md5=28b6ed8bd04ba105af6e4dcd6e997772 \ - file://LICENCE.mediatek;md5=7c1976b63217d76ce47d0a11d8a79cf2 \ - 
file://LICENCE.moxa;md5=1086614767d8ccf744a923289d3d4261 \ - file://LICENCE.myri10ge_firmware;md5=42e32fb89f6b959ca222e25ac8df8fed \ - file://LICENCE.Netronome;md5=4add08f2577086d44447996503cddf5f \ - file://LICENCE.nvidia;md5=4428a922ed3ba2ceec95f076a488ce07 \ - file://LICENCE.NXP;md5=58bb8ba632cd729b9ba6183bc6aed36f \ - file://LICENCE.OLPC;md5=5b917f9d8c061991be4f6f5f108719cd \ - file://LICENCE.open-ath9k-htc-firmware;md5=1b33c9f4d17bc4d457bdb23727046837 \ - file://LICENCE.phanfw;md5=954dcec0e051f9409812b561ea743bfa \ - file://LICENCE.qat_firmware;md5=9e7d8bea77612d7cc7d9e9b54b623062 \ - file://LICENSE.qcom;md5=164e3362a538eb11d3ac51e8e134294b \ - file://LICENCE.qla1280;md5=d6895732e622d950609093223a2c4f5d \ - file://LICENCE.qla2xxx;md5=505855e921b75f1be4a437ad9b79dff0 \ - file://LICENSE.QualcommAtheros_ar3k;md5=b5fe244fb2b532311de1472a3bc06da5 \ - file://LICENSE.QualcommAtheros_ath10k;md5=cb42b686ee5f5cb890275e4321db60a8 \ - file://LICENCE.r8a779x_usb3;md5=4c1671656153025d7076105a5da7e498 \ - file://LICENSE.radeon;md5=68ec28bacb3613200bca44f404c69b16 \ - file://LICENCE.ralink_a_mediatek_company_firmware;md5=728f1a85fd53fd67fa8d7afb080bc435 \ - file://LICENCE.ralink-firmware.txt;md5=ab2c269277c45476fb449673911a2dfd \ - file://LICENCE.rtlwifi_firmware.txt;md5=00d06cfd3eddd5a2698948ead2ad54a5 \ - file://LICENSE.sdma_firmware;md5=51e8c19ecc2270f4b8ea30341ad63ce9 \ - file://LICENCE.siano;md5=4556c1bf830067f12ca151ad953ec2a5 \ - file://LICENCE.ti-connectivity;md5=c5e02be633f1499c109d1652514d85ec \ - file://LICENCE.ti-keystone;md5=3a86335d32864b0bef996bee26cc0f2c \ - file://LICENCE.ueagle-atm4-firmware;md5=4ed7ea6b507ccc583b9d594417714118 \ - file://LICENCE.via_vt6656;md5=e4159694cba42d4377a912e78a6e850f \ - file://LICENCE.wl1251;md5=ad3f81922bb9e197014bb187289d3b5b \ - file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \ - file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \ - file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \ - 
file://WHENCE;md5=${WHENCE_CHKSUM} \ - " -# WHENCE checksum is defined separately to ease overriding it if -# class-devupstream is selected. -WHENCE_CHKSUM = "def08711eb23ba967fb7e1f8cff66178" - -# These are not common licenses, set NO_GENERIC_LICENSE for them -# so that the license files will be copied from fetched source -NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENCE.Abilis" -NO_GENERIC_LICENSE[Firmware-adsp_sst] = "LICENCE.adsp_sst" -NO_GENERIC_LICENSE[Firmware-agere] = "LICENCE.agere" -NO_GENERIC_LICENSE[Firmware-amdgpu] = "LICENSE.amdgpu" -NO_GENERIC_LICENSE[Firmware-amd-ucode] = "LICENSE.amd-ucode" -NO_GENERIC_LICENSE[Firmware-amlogic_vdec] = "LICENSE.amlogic_vdec" -NO_GENERIC_LICENSE[Firmware-atheros_firmware] = "LICENCE.atheros_firmware" -NO_GENERIC_LICENSE[Firmware-atmel] = "LICENSE.atmel" -NO_GENERIC_LICENSE[Firmware-broadcom_bcm43xx] = "LICENCE.broadcom_bcm43xx" -NO_GENERIC_LICENSE[Firmware-ca0132] = "LICENCE.ca0132" -NO_GENERIC_LICENSE[Firmware-cadence] = "LICENCE.cadence" -NO_GENERIC_LICENSE[Firmware-cavium] = "LICENCE.cavium" -NO_GENERIC_LICENSE[Firmware-chelsio_firmware] = "LICENCE.chelsio_firmware" -NO_GENERIC_LICENSE[Firmware-cw1200] = "LICENCE.cw1200" -NO_GENERIC_LICENSE[Firmware-cypress] = "LICENCE.cypress" -NO_GENERIC_LICENSE[Firmware-dib0700] = "LICENSE.dib0700" -NO_GENERIC_LICENSE[Firmware-e100] = "LICENCE.e100" -NO_GENERIC_LICENSE[Firmware-ene_firmware] = "LICENCE.ene_firmware" -NO_GENERIC_LICENSE[Firmware-fw_sst_0f28] = "LICENCE.fw_sst_0f28" -NO_GENERIC_LICENSE[Firmware-go7007] = "LICENCE.go7007" -NO_GENERIC_LICENSE[Firmware-GPLv2] = "GPL-2" -NO_GENERIC_LICENSE[Firmware-hfi1_firmware] = "LICENSE.hfi1_firmware" -NO_GENERIC_LICENSE[Firmware-i915] = "LICENSE.i915" -NO_GENERIC_LICENSE[Firmware-ibt_firmware] = "LICENCE.ibt_firmware" -NO_GENERIC_LICENSE[Firmware-ice] = "LICENSE.ice" -NO_GENERIC_LICENSE[Firmware-IntcSST2] = "LICENCE.IntcSST2" -NO_GENERIC_LICENSE[Firmware-it913x] = "LICENCE.it913x" -NO_GENERIC_LICENSE[Firmware-iwlwifi_firmware] = 
"LICENCE.iwlwifi_firmware" -NO_GENERIC_LICENSE[Firmware-kaweth] = "LICENCE.kaweth" -NO_GENERIC_LICENSE[Firmware-Lontium] = "LICENSE.Lontium" -NO_GENERIC_LICENSE[Firmware-Marvell] = "LICENCE.Marvell" -NO_GENERIC_LICENSE[Firmware-mediatek] = "LICENCE.mediatek" -NO_GENERIC_LICENSE[Firmware-moxa] = "LICENCE.moxa" -NO_GENERIC_LICENSE[Firmware-myri10ge_firmware] = "LICENCE.myri10ge_firmware" -NO_GENERIC_LICENSE[Firmware-netronome] = "LICENCE.Netronome" -NO_GENERIC_LICENSE[Firmware-nvidia] = "LICENCE.nvidia" -NO_GENERIC_LICENSE[Firmware-OLPC] = "LICENCE.OLPC" -NO_GENERIC_LICENSE[Firmware-ath9k-htc] = "LICENCE.open-ath9k-htc-firmware" -NO_GENERIC_LICENSE[Firmware-phanfw] = "LICENCE.phanfw" -NO_GENERIC_LICENSE[Firmware-qat] = "LICENCE.qat_firmware" -NO_GENERIC_LICENSE[Firmware-qcom] = "LICENSE.qcom" -NO_GENERIC_LICENSE[Firmware-qla1280] = "LICENCE.qla1280" -NO_GENERIC_LICENSE[Firmware-qla2xxx] = "LICENCE.qla2xxx" -NO_GENERIC_LICENSE[Firmware-qualcommAthos_ar3k] = "LICENSE.QualcommAtheros_ar3k" -NO_GENERIC_LICENSE[Firmware-qualcommAthos_ath10k] = "LICENSE.QualcommAtheros_ath10k" -NO_GENERIC_LICENSE[Firmware-r8a779x_usb3] = "LICENCE.r8a779x_usb3" -NO_GENERIC_LICENSE[Firmware-radeon] = "LICENSE.radeon" -NO_GENERIC_LICENSE[Firmware-ralink_a_mediatek_company_firmware] = "LICENCE.ralink_a_mediatek_company_firmware" -NO_GENERIC_LICENSE[Firmware-ralink-firmware] = "LICENCE.ralink-firmware.txt" -NO_GENERIC_LICENSE[Firmware-rtlwifi_firmware] = "LICENCE.rtlwifi_firmware.txt" -NO_GENERIC_LICENSE[Firmware-siano] = "LICENCE.siano" -NO_GENERIC_LICENSE[Firmware-imx-sdma_firmware] = "LICENSE.sdma_firmware" -NO_GENERIC_LICENSE[Firmware-ti-connectivity] = "LICENCE.ti-connectivity" -NO_GENERIC_LICENSE[Firmware-ti-keystone] = "LICENCE.ti-keystone" -NO_GENERIC_LICENSE[Firmware-ueagle-atm4-firmware] = "LICENCE.ueagle-atm4-firmware" -NO_GENERIC_LICENSE[Firmware-via_vt6656] = "LICENCE.via_vt6656" -NO_GENERIC_LICENSE[Firmware-wl1251] = "LICENCE.wl1251" -NO_GENERIC_LICENSE[Firmware-xc4000] = 
"LICENCE.xc4000" -NO_GENERIC_LICENSE[Firmware-xc5000] = "LICENCE.xc5000" -NO_GENERIC_LICENSE[Firmware-xc5000c] = "LICENCE.xc5000c" -NO_GENERIC_LICENSE[WHENCE] = "WHENCE" - -PE = "1" - -SRC_URI = "\ - ${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz \ -" - -BBCLASSEXTEND = "devupstream:target" -SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git;protocol=https;branch=main" -# Pin this to the 20220509 release, override this in local.conf -SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae" - -SRC_URI[sha256sum] = "0abec827a035c82bdcabdf82aa37ded247bc682ef05861bd409ea6f477bab81d" - -inherit allarch - -CLEANBROKEN = "1" - -do_compile() { - : -} - -do_install() { - oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install - cp GPL-2 LICEN[CS]E.* WHENCE ${D}${nonarch_base_libdir}/firmware/ -} - - -PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ - ${PN}-mt7601u-license ${PN}-mt7601u \ - ${PN}-radeon-license ${PN}-radeon \ - ${PN}-marvell-license ${PN}-pcie8897 ${PN}-pcie8997 \ - ${PN}-sd8686 ${PN}-sd8688 ${PN}-sd8787 ${PN}-sd8797 ${PN}-sd8801 \ - ${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \ - ${PN}-ti-connectivity-license ${PN}-wlcommon ${PN}-wl12xx ${PN}-wl18xx \ - ${PN}-vt6656-license ${PN}-vt6656 \ - ${PN}-rs9113 ${PN}-rs9116 \ - ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \ - ${PN}-rtl8168 \ - ${PN}-cypress-license \ - ${PN}-broadcom-license \ - ${PN}-bcm-0bb4-0306 \ - ${PN}-bcm43143 \ - ${PN}-bcm43236b \ - ${PN}-bcm43241b0 \ - ${PN}-bcm43241b4 \ - ${PN}-bcm43241b5 \ - ${PN}-bcm43242a \ - ${PN}-bcm4329 \ - ${PN}-bcm4329-fullmac \ - ${PN}-bcm4330 \ - ${PN}-bcm4334 \ - ${PN}-bcm43340 \ - ${PN}-bcm4335 \ - ${PN}-bcm43362 \ - ${PN}-bcm4339 \ - ${PN}-bcm43430 \ - ${PN}-bcm43430a0 \ - ${PN}-bcm43455 \ - ${PN}-bcm4350 \ - ${PN}-bcm4350c2 \ - ${PN}-bcm4354 \ - ${PN}-bcm4356 \ - ${PN}-bcm4356-pcie \ 
- ${PN}-bcm43569 \ - ${PN}-bcm43570 \ - ${PN}-bcm4358 \ - ${PN}-bcm43602 \ - ${PN}-bcm4366b \ - ${PN}-bcm4366c \ - ${PN}-bcm4371 \ - ${PN}-bcm4373 \ - ${PN}-bcm43xx \ - ${PN}-bcm43xx-hdr \ - ${PN}-atheros-license ${PN}-ar9170 ${PN}-ath6k ${PN}-ath9k \ - ${PN}-gplv2-license ${PN}-carl9170 \ - ${PN}-ar3k-license ${PN}-ar3k ${PN}-ath10k-license ${PN}-ath10k ${PN}-ath11k ${PN}-qca \ - \ - ${PN}-imx-sdma-license ${PN}-imx-sdma-imx6q ${PN}-imx-sdma-imx7d \ - \ - ${PN}-iwlwifi-license ${PN}-iwlwifi \ - ${PN}-iwlwifi-135-6 \ - ${PN}-iwlwifi-3160-7 ${PN}-iwlwifi-3160-8 ${PN}-iwlwifi-3160-9 \ - ${PN}-iwlwifi-3160-10 ${PN}-iwlwifi-3160-12 ${PN}-iwlwifi-3160-13 \ - ${PN}-iwlwifi-3160-16 ${PN}-iwlwifi-3160-17 \ - ${PN}-iwlwifi-6000-4 ${PN}-iwlwifi-6000g2a-5 ${PN}-iwlwifi-6000g2a-6 \ - ${PN}-iwlwifi-6000g2b-5 ${PN}-iwlwifi-6000g2b-6 \ - ${PN}-iwlwifi-6050-4 ${PN}-iwlwifi-6050-5 \ - ${PN}-iwlwifi-7260 \ - ${PN}-iwlwifi-7265 \ - ${PN}-iwlwifi-7265d ${PN}-iwlwifi-8000c ${PN}-iwlwifi-8265 \ - ${PN}-iwlwifi-9000 \ - ${PN}-iwlwifi-misc \ - ${PN}-ibt-license ${PN}-ibt \ - ${PN}-ibt-11-5 ${PN}-ibt-12-16 ${PN}-ibt-hw-37-7 ${PN}-ibt-hw-37-8 \ - ${PN}-ibt-17 \ - ${PN}-ibt-20 \ - ${PN}-ibt-misc \ - ${PN}-i915-license ${PN}-i915 \ - ${PN}-ice-license ${PN}-ice \ - ${PN}-adsp-sst-license ${PN}-adsp-sst \ - ${PN}-bnx2-mips \ - ${PN}-liquidio \ - ${PN}-nvidia-license \ - ${PN}-nvidia-tegra-k1 ${PN}-nvidia-tegra \ - ${PN}-nvidia-gpu \ - ${PN}-netronome-license ${PN}-netronome \ - ${PN}-qat ${PN}-qat-license \ - ${PN}-qcom-license \ - ${PN}-qcom-venus-1.8 ${PN}-qcom-venus-4.2 ${PN}-qcom-venus-5.2 ${PN}-qcom-venus-5.4 \ - ${PN}-qcom-vpu-1.0 ${PN}-qcom-vpu-2.0 \ - ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a530 \ - ${PN}-qcom-adreno-a630 ${PN}-qcom-adreno-a650 ${PN}-qcom-adreno-a660 \ - ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \ - ${PN}-qcom-sm8250-audio ${PN}-qcom-sm8250-compute \ - ${PN}-amlogic-vdec-license ${PN}-amlogic-vdec \ - ${PN}-lt9611uxc 
${PN}-lontium-license \ - ${PN}-whence-license \ - ${PN}-license \ - " - -# For atheros -LICENSE_${PN}-ar9170 = "Firmware-atheros_firmware" -LICENSE_${PN}-ath6k = "Firmware-atheros_firmware" -LICENSE_${PN}-ath9k = "Firmware-atheros_firmware" -LICENSE_${PN}-atheros-license = "Firmware-atheros_firmware" - -FILES_${PN}-atheros-license = "${nonarch_base_libdir}/firmware/LICENCE.atheros_firmware" -FILES_${PN}-ar9170 = " \ - ${nonarch_base_libdir}/firmware/ar9170*.fw \ -" -FILES_${PN}-ath6k = " \ - ${nonarch_base_libdir}/firmware/ath6k \ -" -FILES_${PN}-ath9k = " \ - ${nonarch_base_libdir}/firmware/ar9271.fw \ - ${nonarch_base_libdir}/firmware/ar7010*.fw \ - ${nonarch_base_libdir}/firmware/htc_9271.fw \ - ${nonarch_base_libdir}/firmware/htc_7010.fw \ - ${nonarch_base_libdir}/firmware/ath9k_htc/htc_7010-1.4.0.fw \ - ${nonarch_base_libdir}/firmware/ath9k_htc/htc_9271-1.4.0.fw \ -" - -RDEPENDS_${PN}-ar9170 += "${PN}-atheros-license" -RDEPENDS_${PN}-ath6k += "${PN}-atheros-license" -RDEPENDS_${PN}-ath9k += "${PN}-atheros-license" - -# For carl9170 -LICENSE_${PN}-carl9170 = "Firmware-GPLv2" -LICENSE_${PN}-gplv2-license = "Firmware-GPLv2" - -FILES_${PN}-gplv2-license = "${nonarch_base_libdir}/firmware/GPL-2" -FILES_${PN}-carl9170 = " \ - ${nonarch_base_libdir}/firmware/carl9170*.fw \ -" - -RDEPENDS_${PN}-carl9170 += "${PN}-gplv2-license" - -# For QualCommAthos -LICENSE_${PN}-ar3k = "Firmware-qualcommAthos_ar3k & Firmware-atheros_firmware" -LICENSE_${PN}-ar3k-license = "Firmware-qualcommAthos_ar3k" -LICENSE_${PN}-ath10k = "Firmware-qualcommAthos_ath10k" -LICENSE_${PN}-ath10k-license = "Firmware-qualcommAthos_ath10k" -LICENSE_${PN}-qca = "Firmware-qualcommAthos_ath10k" - -FILES_${PN}-ar3k-license = "${nonarch_base_libdir}/firmware/LICENSE.QualcommAtheros_ar3k" -FILES_${PN}-ar3k = " \ - ${nonarch_base_libdir}/firmware/ar3k \ -" - -FILES_${PN}-ath10k-license = "${nonarch_base_libdir}/firmware/LICENSE.QualcommAtheros_ath10k" -FILES_${PN}-ath10k = " \ - 
${nonarch_base_libdir}/firmware/ath10k \ -" - -FILES_${PN}-ath11k = " \ - ${nonarch_base_libdir}/firmware/ath11k \ -" - -FILES_${PN}-qca = " \ - ${nonarch_base_libdir}/firmware/qca \ -" - -RDEPENDS_${PN}-ar3k += "${PN}-ar3k-license ${PN}-atheros-license" -RDEPENDS_${PN}-ath10k += "${PN}-ath10k-license" -RDEPENDS_${PN}-ath11k += "${PN}-ath10k-license" -RDEPENDS_${PN}-qca += "${PN}-ath10k-license" - -# For ralink -LICENSE_${PN}-ralink = "Firmware-ralink-firmware" -LICENSE_${PN}-ralink-license = "Firmware-ralink-firmware" - -FILES_${PN}-ralink-license = "${nonarch_base_libdir}/firmware/LICENCE.ralink-firmware.txt" -FILES_${PN}-ralink = " \ - ${nonarch_base_libdir}/firmware/rt*.bin \ -" - -RDEPENDS_${PN}-ralink += "${PN}-ralink-license" - -# For mediatek MT7601U -LICENSE_${PN}-mt7601u = "Firmware-ralink_a_mediatek_company_firmware" -LICENSE_${PN}-mt7601u-license = "Firmware-ralink_a_mediatek_company_firmware" - -FILES_${PN}-mt7601u-license = "${nonarch_base_libdir}/firmware/LICENCE.ralink_a_mediatek_company_firmware" -FILES_${PN}-mt7601u = " \ - ${nonarch_base_libdir}/firmware/mt7601u.bin \ -" - -RDEPENDS_${PN}-mt7601u += "${PN}-mt7601u-license" - -# For radeon -LICENSE_${PN}-radeon = "Firmware-radeon" -LICENSE_${PN}-radeon-license = "Firmware-radeon" - -FILES_${PN}-radeon-license = "${nonarch_base_libdir}/firmware/LICENSE.radeon" -FILES_${PN}-radeon = " \ - ${nonarch_base_libdir}/firmware/radeon \ -" - -RDEPENDS_${PN}-radeon += "${PN}-radeon-license" - -# For lontium -LICENSE_${PN}-lt9611uxc = "Firmware-Lontium" - -FILES_${PN}-lontium-license = "${nonarch_base_libdir}/firmware/LICENSE.Lontium" -FILES_${PN}-lt9611uxc = "${nonarch_base_libdir}/firmware/lt9611uxc_fw.bin" - -# For marvell -LICENSE_${PN}-pcie8897 = "Firmware-Marvell" -LICENSE_${PN}-pcie8997 = "Firmware-Marvell" -LICENSE_${PN}-sd8686 = "Firmware-Marvell" -LICENSE_${PN}-sd8688 = "Firmware-Marvell" -LICENSE_${PN}-sd8787 = "Firmware-Marvell" -LICENSE_${PN}-sd8797 = "Firmware-Marvell" -LICENSE_${PN}-sd8801 = 
"Firmware-Marvell" -LICENSE_${PN}-sd8887 = "Firmware-Marvell" -LICENSE_${PN}-sd8897 = "Firmware-Marvell" -LICENSE_${PN}-sd8997 = "Firmware-Marvell" -LICENSE_${PN}-usb8997 = "Firmware-Marvell" -LICENSE_${PN}-marvell-license = "Firmware-Marvell" - -FILES_${PN}-marvell-license = "${nonarch_base_libdir}/firmware/LICENCE.Marvell" -FILES_${PN}-pcie8897 = " \ - ${nonarch_base_libdir}/firmware/mrvl/pcie8897_uapsta.bin \ -" -FILES_${PN}-pcie8997 = " \ - ${nonarch_base_libdir}/firmware/mrvl/pcie8997_wlan_v4.bin \ - ${nonarch_base_libdir}/firmware/mrvl/pcieuart8997_combo_v4.bin \ - ${nonarch_base_libdir}/firmware/mrvl/pcieusb8997_combo_v4.bin \ -" -FILES_${PN}-sd8686 = " \ - ${nonarch_base_libdir}/firmware/libertas/sd8686_v9* \ - ${nonarch_base_libdir}/firmware/sd8686* \ -" -FILES_${PN}-sd8688 = " \ - ${nonarch_base_libdir}/firmware/libertas/sd8688* \ - ${nonarch_base_libdir}/firmware/mrvl/sd8688* \ -" -FILES_${PN}-sd8787 = " \ - ${nonarch_base_libdir}/firmware/mrvl/sd8787_uapsta.bin \ -" -FILES_${PN}-sd8797 = " \ - ${nonarch_base_libdir}/firmware/mrvl/sd8797_uapsta.bin \ -" -FILES_${PN}-sd8801 = " \ - ${nonarch_base_libdir}/firmware/mrvl/sd8801_uapsta.bin \ -" -FILES_${PN}-sd8887 = " \ - ${nonarch_base_libdir}/firmware/mrvl/sd8887_uapsta.bin \ -" -FILES_${PN}-sd8897 = " \ - ${nonarch_base_libdir}/firmware/mrvl/sd8897_uapsta.bin \ -" -do_install_append() { - # The kernel 5.6.x driver still uses the old name, provide a symlink for - # older kernels - ln -fs sdsd8997_combo_v4.bin ${D}${nonarch_base_libdir}/firmware/mrvl/sd8997_uapsta.bin -} -FILES_${PN}-sd8997 = " \ - ${nonarch_base_libdir}/firmware/mrvl/sd8997_uapsta.bin \ - ${nonarch_base_libdir}/firmware/mrvl/sdsd8997_combo_v4.bin \ -" -FILES_${PN}-usb8997 = " \ - ${nonarch_base_libdir}/firmware/mrvl/usbusb8997_combo_v4.bin \ -" - -RDEPENDS_${PN}-sd8686 += "${PN}-marvell-license" -RDEPENDS_${PN}-sd8688 += "${PN}-marvell-license" -RDEPENDS_${PN}-sd8787 += "${PN}-marvell-license" -RDEPENDS_${PN}-sd8797 += 
"${PN}-marvell-license" -RDEPENDS_${PN}-sd8801 += "${PN}-marvell-license" -RDEPENDS_${PN}-sd8887 += "${PN}-marvell-license" -RDEPENDS_${PN}-sd8897 += "${PN}-marvell-license" -RDEPENDS_${PN}-sd8997 += "${PN}-marvell-license" -RDEPENDS_${PN}-usb8997 += "${PN}-marvell-license" - -# For netronome -LICENSE_${PN}-netronome = "Firmware-netronome" - -FILES_${PN}-netronome-license = " \ - ${nonarch_base_libdir}/firmware/LICENCE.Netronome \ -" -FILES_${PN}-netronome = " \ - ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0081*.nffw \ - ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0096*.nffw \ - ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0097*.nffw \ - ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0099*.nffw \ - ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0011_2x40.nffw \ - ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0012_2x40.nffw \ - ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0078-0011_1x100.nffw \ - ${nonarch_base_libdir}/firmware/netronome/bpf \ - ${nonarch_base_libdir}/firmware/netronome/flower \ - ${nonarch_base_libdir}/firmware/netronome/nic \ - ${nonarch_base_libdir}/firmware/netronome/nic-sriov \ -" - -RDEPENDS_${PN}-netronome += "${PN}-netronome-license" - -# For Nvidia -LICENSE_${PN}-nvidia-gpu = "Firmware-nvidia" -LICENSE_${PN}-nvidia-tegra = "Firmware-nvidia" -LICENSE_${PN}-nvidia-tegra-k1 = "Firmware-nvidia" -LICENSE_${PN}-nvidia-license = "Firmware-nvidia" - -FILES_${PN}-nvidia-gpu = "${nonarch_base_libdir}/firmware/nvidia" -FILES_${PN}-nvidia-tegra = " \ - ${nonarch_base_libdir}/firmware/nvidia/tegra* \ - ${nonarch_base_libdir}/firmware/nvidia/gm20b \ - ${nonarch_base_libdir}/firmware/nvidia/gp10b \ -" -FILES_${PN}-nvidia-tegra-k1 = " \ - ${nonarch_base_libdir}/firmware/nvidia/tegra124 \ - ${nonarch_base_libdir}/firmware/nvidia/gk20a \ -" -FILES_${PN}-nvidia-license = "${nonarch_base_libdir}/firmware/LICENCE.nvidia" - -RDEPENDS_${PN}-nvidia-gpu += "${PN}-nvidia-license" -RDEPENDS_${PN}-nvidia-tegra += 
"${PN}-nvidia-license" -RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license" - -# For RSI RS911x WiFi -LICENSE_${PN}-rs9113 = "WHENCE" -LICENSE_${PN}-rs9116 = "WHENCE" - -FILES_${PN}-rs9113 = " ${nonarch_base_libdir}/firmware/rsi/rs9113*.rps " -FILES_${PN}-rs9116 = " ${nonarch_base_libdir}/firmware/rsi/rs9116*.rps " - -RDEPENDS_${PN}-rs9113 += "${PN}-whence-license" -RDEPENDS_${PN}-rs9116 += "${PN}-whence-license" - -# For rtl -LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware" -LICENSE_${PN}-rtl8192cu = "Firmware-rtlwifi_firmware" -LICENSE_${PN}-rtl8192ce = "Firmware-rtlwifi_firmware" -LICENSE_${PN}-rtl8192su = "Firmware-rtlwifi_firmware" -LICENSE_${PN}-rtl8723 = "Firmware-rtlwifi_firmware" -LICENSE_${PN}-rtl8821 = "Firmware-rtlwifi_firmware" -LICENSE_${PN}-rtl-license = "Firmware-rtlwifi_firmware" -LICENSE_${PN}-rtl8168 = "WHENCE" - -FILES_${PN}-rtl-license = " \ - ${nonarch_base_libdir}/firmware/LICENCE.rtlwifi_firmware.txt \ -" -FILES_${PN}-rtl8188 = " \ - ${nonarch_base_libdir}/firmware/rtlwifi/rtl8188*.bin \ -" -FILES_${PN}-rtl8192cu = " \ - ${nonarch_base_libdir}/firmware/rtlwifi/rtl8192cufw*.bin \ -" -FILES_${PN}-rtl8192ce = " \ - ${nonarch_base_libdir}/firmware/rtlwifi/rtl8192cfw*.bin \ -" -FILES_${PN}-rtl8192su = " \ - ${nonarch_base_libdir}/firmware/rtlwifi/rtl8712u.bin \ -" -FILES_${PN}-rtl8723 = " \ - ${nonarch_base_libdir}/firmware/rtlwifi/rtl8723*.bin \ -" -FILES_${PN}-rtl8821 = " \ - ${nonarch_base_libdir}/firmware/rtlwifi/rtl8821*.bin \ -" -FILES_${PN}-rtl8168 = " \ - ${nonarch_base_libdir}/firmware/rtl_nic/rtl8168*.fw \ -" - -RDEPENDS_${PN}-rtl8188 += "${PN}-rtl-license" -RDEPENDS_${PN}-rtl8192ce += "${PN}-rtl-license" -RDEPENDS_${PN}-rtl8192cu += "${PN}-rtl-license" -RDEPENDS_${PN}-rtl8192su = "${PN}-rtl-license" -RDEPENDS_${PN}-rtl8723 += "${PN}-rtl-license" -RDEPENDS_${PN}-rtl8821 += "${PN}-rtl-license" -RDEPENDS_${PN}-rtl8168 += "${PN}-whence-license" - -# For ti-connectivity -LICENSE_${PN}-wlcommon = "Firmware-ti-connectivity" 
-LICENSE_${PN}-wl12xx = "Firmware-ti-connectivity" -LICENSE_${PN}-wl18xx = "Firmware-ti-connectivity" -LICENSE_${PN}-ti-connectivity-license = "Firmware-ti-connectivity" - -FILES_${PN}-ti-connectivity-license = "${nonarch_base_libdir}/firmware/LICENCE.ti-connectivity" -# wl18xx optionally needs wl1271-nvs.bin (which itself is a symlink to -# wl127x-nvs.bin) - see linux/drivers/net/wireless/ti/wlcore/sdio.c -# and drivers/net/wireless/ti/wlcore/spi.c. -# While they're optional and actually only used to override the MAC -# address on wl18xx, driver loading will delay (by udev timout - 60s) -# if not there. So let's make it available always. Because it's a -# symlink, both need to go to wlcommon. -FILES_${PN}-wlcommon = " \ - ${nonarch_base_libdir}/firmware/ti-connectivity/TI* \ - ${nonarch_base_libdir}/firmware/ti-connectivity/wl127x-nvs.bin \ - ${nonarch_base_libdir}/firmware/ti-connectivity/wl1271-nvs.bin \ -" -FILES_${PN}-wl12xx = " \ - ${nonarch_base_libdir}/firmware/ti-connectivity/wl12* \ -" -FILES_${PN}-wl18xx = " \ - ${nonarch_base_libdir}/firmware/ti-connectivity/wl18* \ -" - -RDEPENDS_${PN}-wl12xx = "${PN}-ti-connectivity-license ${PN}-wlcommon" -RDEPENDS_${PN}-wl18xx = "${PN}-ti-connectivity-license ${PN}-wlcommon" - -# For vt6656 -LICENSE_${PN}-vt6656 = "Firmware-via_vt6656" -LICENSE_${PN}-vt6656-license = "Firmware-via_vt6656" - -FILES_${PN}-vt6656-license = "${nonarch_base_libdir}/firmware/LICENCE.via_vt6656" -FILES_${PN}-vt6656 = " \ - ${nonarch_base_libdir}/firmware/vntwusb.fw \ -" - -RDEPENDS_${PN}-vt6656 = "${PN}-vt6656-license" - -# For broadcom - -# for i in `grep brcm WHENCE | grep ^File | sed 's/File: brcm.//g'`; do pkg=`echo $i | sed 's/-[sp40].*//g; s/\.bin//g; s/brcmfmac/bcm/g; s/_hdr/-hdr/g; s/BCM/bcm-0bb4-0306/g'`; echo -e " \${PN}-$pkg \\"; done | sort -u - -LICENSE_${PN}-broadcom-license = "Firmware-broadcom_bcm43xx" -FILES_${PN}-broadcom-license = "${nonarch_base_libdir}/firmware/LICENCE.broadcom_bcm43xx" - -# for i in `grep brcm WHENCE 
| grep ^File | sed 's/File: brcm.//g'`; do pkg=`echo $i | sed 's/-[sp40].*//g; s/\.bin//g; s/brcmfmac/bcm/g; s/_hdr/-hdr/g; s/BCM/bcm-0bb4-0306/g'`; echo "$i - $pkg"; echo -e "FILES_\${PN}-$pkg = \"\${nonarch_base_libdir}/firmware/brcm/$i\""; done | grep ^FILES - -FILES_${PN}-bcm43xx = "${nonarch_base_libdir}/firmware/brcm/bcm43xx-0.fw" -FILES_${PN}-bcm43xx-hdr = "${nonarch_base_libdir}/firmware/brcm/bcm43xx_hdr-0.fw" -FILES_${PN}-bcm4329-fullmac = "${nonarch_base_libdir}/firmware/brcm/bcm4329-fullmac-4.bin" -FILES_${PN}-bcm43236b = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43236b.bin" -FILES_${PN}-bcm4329 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4329-sdio.bin" -FILES_${PN}-bcm4330 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.*" -FILES_${PN}-bcm4334 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin" -FILES_${PN}-bcm4335 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4335-sdio.bin" -FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin \ - ${nonarch_base_libdir}/firmware/cypress/cyfmac4339-sdio.bin \ -" -FILES_${PN}-bcm43241b0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b0-sdio.bin" -FILES_${PN}-bcm43241b4 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b4-sdio.bin" -FILES_${PN}-bcm43241b5 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b5-sdio.bin" -FILES_${PN}-bcm43242a = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43242a.bin" -FILES_${PN}-bcm43143 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43143.bin \ - ${nonarch_base_libdir}/firmware/brcm/brcmfmac43143-sdio.bin \ -" -FILES_${PN}-bcm43430a0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430a0-sdio.*" -FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.* \ - ${nonarch_base_libdir}/firmware/cypress/cyfmac43455-sdio.* \ -" -FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin" -FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin" 
-FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.* \ - ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.* \ -" -FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin" -FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin \ - ${nonarch_base_libdir}/firmware/cypress/cyfmac43570-pcie.bin \ -" -FILES_${PN}-bcm4358 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4358-pcie.bin" -FILES_${PN}-bcm43602 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.bin \ - ${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.ap.bin \ -" -FILES_${PN}-bcm4366b = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4366b-pcie.bin" -FILES_${PN}-bcm4366c = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4366c-pcie.bin" -FILES_${PN}-bcm4371 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4371-pcie.bin" - -# for i in `grep brcm WHENCE | grep ^File | sed 's/File: brcm.//g'`; do pkg=`echo $i | sed 's/-[sp40].*//g; s/\.bin//g; s/brcmfmac/bcm/g; s/_hdr/-hdr/g; s/BCM/bcm-0bb4-0306/g'`; echo -e "LICENSE_\${PN}-$pkg = \"Firmware-broadcom_bcm43xx\"\nRDEPENDS_\${PN}-$pkg += \"\${PN}-broadcom-license\""; done -# Currently 1st one and last 6 have cypress LICENSE - -LICENSE_${PN}-bcm43xx = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43xx += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43xx-hdr = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43xx-hdr += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4329-fullmac = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4329-fullmac += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43236b = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43236b += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4329 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4329 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4330 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4330 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4334 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4334 += 
"${PN}-broadcom-license" -LICENSE_${PN}-bcm4335 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4335 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4339 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4339 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43241b0 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43241b0 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43241b4 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43241b4 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43241b5 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43241b5 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43242a = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43242a += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43143 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43143 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43430a0 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43430a0 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43455 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43455 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4350c2 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4350c2 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4350 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4350 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4356 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4356 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43569 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43569 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43570 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43570 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4358 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4358 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm43602 = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm43602 += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4366b = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4366b += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4366c = "Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4366c += "${PN}-broadcom-license" -LICENSE_${PN}-bcm4371 = 
"Firmware-broadcom_bcm43xx" -RDEPENDS_${PN}-bcm4371 += "${PN}-broadcom-license" - -# For broadcom cypress - -LICENSE_${PN}-cypress-license = "Firmware-cypress" -FILES_${PN}-cypress-license = "${nonarch_base_libdir}/firmware/LICENCE.cypress" - -FILES_${PN}-bcm-0bb4-0306 = "${nonarch_base_libdir}/firmware/brcm/BCM-0bb4-0306.hcd" -FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.* \ - ${nonarch_base_libdir}/firmware/cypress/cyfmac43340-sdio.*" -FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.* \ - ${nonarch_base_libdir}/firmware/cypress/cyfmac43362-sdio.*" -FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.* \ - ${nonarch_base_libdir}/firmware/cypress/cyfmac43430-sdio.*" -FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin \ - ${nonarch_base_libdir}/firmware/cypress/cyfmac4354-sdio.bin \ -" -FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.* \ - ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-pcie.* \ -" -FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \ - ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \ - ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \ - ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.clm_blob \ -" - -LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress" -RDEPENDS_${PN}-bcm-0bb4-0306 += "${PN}-cypress-license" -LICENSE_${PN}-bcm43340 = "Firmware-cypress" -RDEPENDS_${PN}-bcm43340 += "${PN}-cypress-license" -LICENSE_${PN}-bcm43362 = "Firmware-cypress" -RDEPENDS_${PN}-bcm43362 += "${PN}-cypress-license" -LICENSE_${PN}-bcm43430 = "Firmware-cypress" -RDEPENDS_${PN}-bcm43430 += "${PN}-cypress-license" -LICENSE_${PN}-bcm4354 = "Firmware-cypress" -RDEPENDS_${PN}-bcm4354 += "${PN}-cypress-license" -LICENSE_${PN}-bcm4356-pcie = "Firmware-cypress" -RDEPENDS_${PN}-bcm4356-pcie += "${PN}-cypress-license" -LICENSE_${PN}-bcm4373 = "Firmware-cypress" 
-RDEPENDS_${PN}-bcm4373 += "${PN}-cypress-license" - -# For Broadcom bnx2-mips -# -# which is a separate case to the other Broadcom firmwares since its -# license is contained in the shared WHENCE file. - -LICENSE_${PN}-bnx2-mips = "WHENCE" -LICENSE_${PN}-whence-license = "WHENCE" - -FILES_${PN}-bnx2-mips = "${nonarch_base_libdir}/firmware/bnx2/bnx2-mips-09-6.2.1b.fw" -FILES_${PN}-whence-license = "${nonarch_base_libdir}/firmware/WHENCE" - -RDEPENDS_${PN}-bnx2-mips += "${PN}-whence-license" - -# For imx-sdma -LICENSE_${PN}-imx-sdma-imx6q = "Firmware-imx-sdma_firmware" -LICENSE_${PN}-imx-sdma-imx7d = "Firmware-imx-sdma_firmware" -LICENSE_${PN}-imx-sdma-license = "Firmware-imx-sdma_firmware" - -FILES_${PN}-imx-sdma-imx6q = "${nonarch_base_libdir}/firmware/imx/sdma/sdma-imx6q.bin" - -RPROVIDES_${PN}-imx-sdma-imx6q = "firmware-imx-sdma-imx6q" -RREPLACES_${PN}-imx-sdma-imx6q = "firmware-imx-sdma-imx6q" -RCONFLICTS_${PN}-imx-sdma-imx6q = "firmware-imx-sdma-imx6q" - -FILES_${PN}-imx-sdma-imx7d = "${nonarch_base_libdir}/firmware/imx/sdma/sdma-imx7d.bin" - -FILES_${PN}-imx-sdma-license = "${nonarch_base_libdir}/firmware/LICENSE.sdma_firmware" - -RDEPENDS_${PN}-imx-sdma-imx6q += "${PN}-imx-sdma-license" -RDEPENDS_${PN}-imx-sdma-imx7d += "${PN}-imx-sdma-license" - -# For iwlwifi -LICENSE_${PN}-iwlwifi = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-135-6 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-3160-7 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-3160-8 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-3160-9 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-3160-10 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-3160-12 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-3160-13 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-3160-16 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-3160-17 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-6000-4 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-6000g2a-5 = 
"Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-6000g2a-6 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-6000g2b-5 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-6000g2b-6 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-6050-4 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-6050-5 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-7260 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-7265 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-7265d = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-8000c = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-8265 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-9000 = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-misc = "Firmware-iwlwifi_firmware" -LICENSE_${PN}-iwlwifi-license = "Firmware-iwlwifi_firmware" - - -FILES_${PN}-iwlwifi-license = "${nonarch_base_libdir}/firmware/LICENCE.iwlwifi_firmware" -FILES_${PN}-iwlwifi-135-6 = "${nonarch_base_libdir}/firmware/iwlwifi-135-6.ucode" -FILES_${PN}-iwlwifi-3160-7 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-7.ucode" -FILES_${PN}-iwlwifi-3160-8 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-8.ucode" -FILES_${PN}-iwlwifi-3160-9 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-9.ucode" -FILES_${PN}-iwlwifi-3160-10 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-10.ucode" -FILES_${PN}-iwlwifi-3160-12 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-12.ucode" -FILES_${PN}-iwlwifi-3160-13 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-13.ucode" -FILES_${PN}-iwlwifi-3160-16 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-16.ucode" -FILES_${PN}-iwlwifi-3160-17 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-17.ucode" -FILES_${PN}-iwlwifi-6000-4 = "${nonarch_base_libdir}/firmware/iwlwifi-6000-4.ucode" -FILES_${PN}-iwlwifi-6000g2a-5 = "${nonarch_base_libdir}/firmware/iwlwifi-6000g2a-5.ucode" -FILES_${PN}-iwlwifi-6000g2a-6 = "${nonarch_base_libdir}/firmware/iwlwifi-6000g2a-6.ucode" -FILES_${PN}-iwlwifi-6000g2b-5 = 
"${nonarch_base_libdir}/firmware/iwlwifi-6000g2b-5.ucode" -FILES_${PN}-iwlwifi-6000g2b-6 = "${nonarch_base_libdir}/firmware/iwlwifi-6000g2b-6.ucode" -FILES_${PN}-iwlwifi-6050-4 = "${nonarch_base_libdir}/firmware/iwlwifi-6050-4.ucode" -FILES_${PN}-iwlwifi-6050-5 = "${nonarch_base_libdir}/firmware/iwlwifi-6050-5.ucode" -FILES_${PN}-iwlwifi-7260 = "${nonarch_base_libdir}/firmware/iwlwifi-7260-*.ucode" -FILES_${PN}-iwlwifi-7265 = "${nonarch_base_libdir}/firmware/iwlwifi-7265-*.ucode" -FILES_${PN}-iwlwifi-7265d = "${nonarch_base_libdir}/firmware/iwlwifi-7265D-*.ucode" -FILES_${PN}-iwlwifi-8000c = "${nonarch_base_libdir}/firmware/iwlwifi-8000C-*.ucode" -FILES_${PN}-iwlwifi-8265 = "${nonarch_base_libdir}/firmware/iwlwifi-8265-*.ucode" -FILES_${PN}-iwlwifi-9000 = "${nonarch_base_libdir}/firmware/iwlwifi-9000-*.ucode" -FILES_${PN}-iwlwifi-misc = "${nonarch_base_libdir}/firmware/iwlwifi-*.ucode" - -RDEPENDS_${PN}-iwlwifi-135-6 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-3160-7 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-3160-8 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-3160-9 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-3160-10 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-3160-12 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-3160-13 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-3160-16 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-3160-17 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-6000-4 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-6000g2a-5 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-6000g2a-6 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-6000g2b-5 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-6000g2b-6 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-6050-4 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-6050-5 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-7260 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-7265 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-7265d = "${PN}-iwlwifi-license" 
-RDEPENDS_${PN}-iwlwifi-8000c = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-8265 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-9000 = "${PN}-iwlwifi-license" -RDEPENDS_${PN}-iwlwifi-misc = "${PN}-iwlwifi-license" - -# -iwlwifi-misc is a "catch all" package that includes all the iwlwifi -# firmwares that are not already included in other -iwlwifi- packages. -# -iwlwifi is a virtual package that depends upon all iwlwifi packages. -# These are distinct in order to allow the -misc firmwares to be installed -# without pulling in every other iwlwifi package. -ALLOW_EMPTY_${PN}-iwlwifi = "1" -ALLOW_EMPTY_${PN}-iwlwifi-misc = "1" - -# Handle package updating for the newly merged iwlwifi groupings -RPROVIDES_${PN}-iwlwifi-7265 = "${PN}-iwlwifi-7265-8 ${PN}-iwlwifi-7265-9" -RREPLACES_${PN}-iwlwifi-7265 = "${PN}-iwlwifi-7265-8 ${PN}-iwlwifi-7265-9" -RCONFLICTS_${PN}-iwlwifi-7265 = "${PN}-iwlwifi-7265-8 ${PN}-iwlwifi-7265-9" - -RPROVIDES_${PN}-iwlwifi-7260 = "${PN}-iwlwifi-7260-7 ${PN}-iwlwifi-7260-8 ${PN}-iwlwifi-7260-9" -RREPLACES_${PN}-iwlwifi-7260 = "${PN}-iwlwifi-7260-7 ${PN}-iwlwifi-7260-8 ${PN}-iwlwifi-7260-9" -RCONFLICTS_${PN}-iwlwifi-7260 = "${PN}-iwlwifi-7260-7 ${PN}-iwlwifi-7260-8 ${PN}-iwlwifi-7260-9" - -# For ibt -LICENSE_${PN}-ibt-license = "Firmware-ibt_firmware" -LICENSE_${PN}-ibt-hw-37-7 = "Firmware-ibt_firmware" -LICENSE_${PN}-ibt-hw-37-8 = "Firmware-ibt_firmware" -LICENSE_${PN}-ibt-11-5 = "Firmware-ibt_firmware" -LICENSE_${PN}-ibt-12-16 = "Firmware-ibt_firmware" -LICENSE_${PN}-ibt-17 = "Firmware-ibt_firmware" -LICENSE_${PN}-ibt-20 = "Firmware-ibt_firmware" -LICENSE_${PN}-ibt-misc = "Firmware-ibt_firmware" - -FILES_${PN}-ibt-license = "${nonarch_base_libdir}/firmware/LICENCE.ibt_firmware" -FILES_${PN}-ibt-hw-37-7 = "${nonarch_base_libdir}/firmware/intel/ibt-hw-37.7*.bseq" -FILES_${PN}-ibt-hw-37-8 = "${nonarch_base_libdir}/firmware/intel/ibt-hw-37.8*.bseq" -FILES_${PN}-ibt-11-5 = "${nonarch_base_libdir}/firmware/intel/ibt-11-5.sfi 
${nonarch_base_libdir}/firmware/intel/ibt-11-5.ddc" -FILES_${PN}-ibt-12-16 = "${nonarch_base_libdir}/firmware/intel/ibt-12-16.sfi ${nonarch_base_libdir}/firmware/intel/ibt-12-16.ddc" -FILES_${PN}-ibt-17 = "${nonarch_base_libdir}/firmware/intel/ibt-17-*.sfi ${nonarch_base_libdir}/firmware/intel/ibt-17-*.ddc" -FILES_${PN}-ibt-20 = "${nonarch_base_libdir}/firmware/intel/ibt-20-*.sfi ${nonarch_base_libdir}/firmware/intel/ibt-20-*.ddc" -FILES_${PN}-ibt-misc = "${nonarch_base_libdir}/firmware/intel/ibt-*" - -RDEPENDS_${PN}-ibt-hw-37-7 = "${PN}-ibt-license" -RDEPENDS_${PN}-ibt-hw-37.8 = "${PN}-ibt-license" -RDEPENDS_${PN}-ibt-11-5 = "${PN}-ibt-license" -RDEPENDS_${PN}-ibt-12-16 = "${PN}-ibt-license" -RDEPENDS_${PN}-ibt-17 = "${PN}-ibt-license" -RDEPENDS_${PN}-ibt-20 = "${PN}-ibt-license" -RDEPENDS_${PN}-ibt-misc = "${PN}-ibt-license" - -ALLOW_EMPTY_${PN}-ibt= "1" -ALLOW_EMPTY_${PN}-ibt-misc = "1" - -LICENSE_${PN}-i915 = "Firmware-i915" -LICENSE_${PN}-i915-license = "Firmware-i915" -FILES_${PN}-i915-license = "${nonarch_base_libdir}/firmware/LICENSE.i915" -FILES_${PN}-i915 = "${nonarch_base_libdir}/firmware/i915" -RDEPENDS_${PN}-i915 = "${PN}-i915-license" - -LICENSE_${PN}-ice = "Firmware-ice" -LICENSE_${PN}-ice-license = "Firmware-ice" -FILES_${PN}-ice-license = "${nonarch_base_libdir}/firmware/LICENSE.ice" -FILES_${PN}-ice = "${nonarch_base_libdir}/firmware/intel/ice" -RDEPENDS_${PN}-ice = "${PN}-ice-license" - -FILES_${PN}-adsp-sst-license = "${nonarch_base_libdir}/firmware/LICENCE.adsp_sst" -LICENSE_${PN}-adsp-sst = "Firmware-adsp_sst" -LICENSE_${PN}-adsp-sst-license = "Firmware-adsp_sst" -FILES_${PN}-adsp-sst = "${nonarch_base_libdir}/firmware/intel/dsp_fw*" -RDEPENDS_${PN}-adsp-sst = "${PN}-adsp-sst-license" - -# For QAT -LICENSE_${PN}-qat = "Firmware-qat" -LICENSE_${PN}-qat-license = "Firmware-qat" -FILES_${PN}-qat-license = "${nonarch_base_libdir}/firmware/LICENCE.qat_firmware" -FILES_${PN}-qat = "${nonarch_base_libdir}/firmware/qat*.bin" -RDEPENDS_${PN}-qat = 
"${PN}-qat-license" - -# For QCOM VPU/GPU and SDM845 -LICENSE_${PN}-qcom-license = "Firmware-qcom" -FILES_${PN}-qcom-license = "${nonarch_base_libdir}/firmware/LICENSE.qcom ${nonarch_base_libdir}/firmware/qcom/NOTICE.txt" -FILES_${PN}-qcom-venus-1.8 = "${nonarch_base_libdir}/firmware/qcom/venus-1.8/*" -FILES_${PN}-qcom-venus-4.2 = "${nonarch_base_libdir}/firmware/qcom/venus-4.2/*" -FILES_${PN}-qcom-venus-5.2 = "${nonarch_base_libdir}/firmware/qcom/venus-5.2/*" -FILES_${PN}-qcom-venus-5.4 = "${nonarch_base_libdir}/firmware/qcom/venus-5.4/*" -FILES_${PN}-qcom-vpu-1.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-1.0/*" -FILES_${PN}-qcom-vpu-2.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-2.0/*" -FILES_${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a300_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw" -FILES_${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.*" -FILES_${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*" -FILES_${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.* ${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*" -FILES_${PN}-qcom-adreno-a660 = "${nonarch_base_libdir}/firmware/qcom/a660*.*" -FILES_${PN}-qcom-sdm845-audio = "${nonarch_base_libdir}/firmware/qcom/sdm845/adsp*.*" -FILES_${PN}-qcom-sdm845-compute = "${nonarch_base_libdir}/firmware/qcom/sdm845/cdsp*.*" -FILES_${PN}-qcom-sdm845-modem = "${nonarch_base_libdir}/firmware/qcom/sdm845/mba.mbn ${nonarch_base_libdir}/firmware/qcom/sdm845/modem*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/wlanmdsp.mbn" -FILES_${PN}-qcom-sm8250-audio = "${nonarch_base_libdir}/firmware/qcom/sm8250/adsp*.*" -FILES_${PN}-qcom-sm8250-compute = "${nonarch_base_libdir}/firmware/qcom/sm8250/cdsp*.*" -RDEPENDS_${PN}-qcom-venus-1.8 = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-venus-4.2 = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-venus-5.2 = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-venus-5.4 = 
"${PN}-qcom-license" -RDEPENDS_${PN}-qcom-vpu-1.0 = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-vpu-2.0 = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-adreno-a3xx = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-adreno-a530 = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-adreno-a630 = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-adreno-a650 = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-adreno-a660 = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-sdm845-audio = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-sdm845-compute = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-sdm845-modem = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-sm8250-audio = "${PN}-qcom-license" -RDEPENDS_${PN}-qcom-sm8250-compute = "${PN}-qcom-license" - -FILES_${PN}-liquidio = "${nonarch_base_libdir}/firmware/liquidio" - -# For Amlogic VDEC -LICENSE_${PN}-amlogic-vdec = "Firmware-amlogic_vdec" -FILES_${PN}-amlogic-vdec-license = "${nonarch_base_libdir}/firmware/LICENSE.amlogic_vdec" -FILES_${PN}-amlogic-vdec = "${nonarch_base_libdir}/firmware/meson/vdec/*" -RDEPENDS_${PN}-amlogic-vdec = "${PN}-amlogic-vdec-license" - -# For other firmwares -# Maybe split out to separate packages when needed. 
-LICENSE_${PN} = "\
- Firmware-Abilis \
- & Firmware-agere \
- & Firmware-amdgpu \
- & Firmware-amd-ucode \
- & Firmware-amlogic_vdec \
- & Firmware-atmel \
- & Firmware-ca0132 \
- & Firmware-cavium \
- & Firmware-chelsio_firmware \
- & Firmware-cw1200 \
- & Firmware-dib0700 \
- & Firmware-e100 \
- & Firmware-ene_firmware \
- & Firmware-fw_sst_0f28 \
- & Firmware-go7007 \
- & Firmware-hfi1_firmware \
- & Firmware-ibt_firmware \
- & Firmware-it913x \
- & Firmware-IntcSST2 \
- & Firmware-kaweth \
- & Firmware-moxa \
- & Firmware-myri10ge_firmware \
- & Firmware-nvidia \
- & Firmware-OLPC \
- & Firmware-ath9k-htc \
- & Firmware-phanfw \
- & Firmware-qat \
- & Firmware-qcom \
- & Firmware-qla1280 \
- & Firmware-qla2xxx \
- & Firmware-r8a779x_usb3 \
- & Firmware-radeon \
- & Firmware-ralink_a_mediatek_company_firmware \
- & Firmware-ralink-firmware \
- & Firmware-imx-sdma_firmware \
- & Firmware-siano \
- & Firmware-ti-connectivity \
- & Firmware-ti-keystone \
- & Firmware-ueagle-atm4-firmware \
- & Firmware-wl1251 \
- & Firmware-xc4000 \
- & Firmware-xc5000 \
- & Firmware-xc5000c \
- & WHENCE \
-"
-
-FILES_${PN}-license += "${nonarch_base_libdir}/firmware/LICEN*"
-FILES_${PN} += "${nonarch_base_libdir}/firmware/*"
-RDEPENDS_${PN} += "${PN}-license"
-RDEPENDS_${PN} += "${PN}-whence-license"
-
-# Make linux-firmware depend on all of the split-out packages.
-# Make linux-firmware-iwlwifi depend on all of the split-out iwlwifi packages.
-# Make linux-firmware-ibt depend on all of the split-out ibt packages.
-python populate_packages_prepend () {
- firmware_pkgs = oe.utils.packages_filter_out_system(d)
- d.appendVar('RRECOMMENDS_linux-firmware', ' ' + ' '.join(firmware_pkgs))
-
- iwlwifi_pkgs = filter(lambda x: x.find('-iwlwifi-') != -1, firmware_pkgs)
- d.appendVar('RRECOMMENDS_linux-firmware-iwlwifi', ' ' + ' '.join(iwlwifi_pkgs))
-
- ibt_pkgs = filter(lambda x: x.find('-ibt-') != -1, firmware_pkgs)
- d.appendVar('RRECOMMENDS_linux-firmware-ibt', ' ' + ' '.join(ibt_pkgs))
-}
-
-# Firmware files are generally not ran on the CPU, so they can be
-# allarch despite being architecture specific
-INSANE_SKIP = "arch"
diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb
new file mode 100644
index 0000000000..2baf4bbe49
--- /dev/null
+++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb
@@ -0,0 +1,1101 @@
+SUMMARY = "Firmware files for use with Linux kernel"
+HOMEPAGE = "https://www.kernel.org/"
+DESCRIPTION = "Linux firmware is a package distributed alongside the Linux kernel \
+that contains firmware binary blobs necessary for partial or full functionality \
+of certain hardware devices."
+SECTION = "kernel"
+
+LICENSE = "\
+ Firmware-Abilis \
+ & Firmware-adsp_sst \
+ & Firmware-agere \
+ & Firmware-amdgpu \
+ & Firmware-amd-ucode \
+ & Firmware-amlogic_vdec \
+ & Firmware-atheros_firmware \
+ & Firmware-atmel \
+ & Firmware-broadcom_bcm43xx \
+ & Firmware-ca0132 \
+ & Firmware-cavium \
+ & Firmware-chelsio_firmware \
+ & Firmware-cw1200 \
+ & Firmware-cypress \
+ & Firmware-dib0700 \
+ & Firmware-e100 \
+ & Firmware-ene_firmware \
+ & Firmware-fw_sst_0f28 \
+ & Firmware-go7007 \
+ & Firmware-GPLv2 \
+ & Firmware-hfi1_firmware \
+ & Firmware-i915 \
+ & Firmware-ibt_firmware \
+ & Firmware-ice \
+ & Firmware-it913x \
+ & Firmware-iwlwifi_firmware \
+ & Firmware-IntcSST2 \
+ & Firmware-kaweth \
+ & Firmware-Lontium \
+ & Firmware-Marvell \
+ & Firmware-moxa \
+ & Firmware-myri10ge_firmware \
+ & Firmware-netronome \
+ & Firmware-nvidia \
+ & Firmware-OLPC \
+ & Firmware-ath9k-htc \
+ & Firmware-phanfw \
+ & Firmware-qat \
+ & Firmware-qcom \
+ & Firmware-qla1280 \
+ & Firmware-qla2xxx \
+ & Firmware-qualcommAthos_ar3k \
+ & Firmware-qualcommAthos_ath10k \
+ & Firmware-r8a779x_usb3 \
+ & Firmware-radeon \
+ & Firmware-ralink_a_mediatek_company_firmware \
+ & Firmware-ralink-firmware \
+ & Firmware-rtlwifi_firmware \
+ & Firmware-imx-sdma_firmware \
+ & Firmware-siano \
+ & Firmware-ti-connectivity \
+ & Firmware-ti-keystone \
+ & Firmware-ueagle-atm4-firmware \
+ & Firmware-via_vt6656 \
+ & Firmware-wl1251 \
+ & Firmware-xc4000 \
+ & Firmware-xc5000 \
+ & Firmware-xc5000c \
+ & WHENCE \
+"
+
+LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
+ file://LICENCE.adsp_sst;md5=615c45b91a5a4a9fe046d6ab9a2df728 \
+ file://LICENCE.agere;md5=af0133de6b4a9b2522defd5f188afd31 \
+ file://LICENSE.amdgpu;md5=44c1166d052226cb2d6c8d7400090203 \
+ file://LICENSE.amd-ucode;md5=3c5399dc9148d7f0e1f41e34b69cf14f \
+ file://LICENSE.amlogic_vdec;md5=dc44f59bf64a81643e500ad3f39a468a \
+ file://LICENCE.atheros_firmware;md5=30a14c7823beedac9fa39c64fdd01a13 \
+ file://LICENSE.atmel;md5=aa74ac0c60595dee4d4e239107ea77a3 \
+ file://LICENCE.broadcom_bcm43xx;md5=3160c14df7228891b868060e1951dfbc \
+ file://LICENCE.ca0132;md5=209b33e66ee5be0461f13d31da392198 \
+ file://LICENCE.cadence;md5=009f46816f6956cfb75ede13d3e1cee0 \
+ file://LICENCE.cavium;md5=c37aaffb1ebe5939b2580d073a95daea \
+ file://LICENCE.chelsio_firmware;md5=819aa8c3fa453f1b258ed8d168a9d903 \
+ file://LICENCE.cw1200;md5=f0f770864e7a8444a5c5aa9d12a3a7ed \
+ file://LICENCE.cypress;md5=48cd9436c763bf873961f9ed7b5c147b \
+ file://LICENSE.dib0700;md5=f7411825c8a555a1a3e5eab9ca773431 \
+ file://LICENCE.e100;md5=ec0f84136766df159a3ae6d02acdf5a8 \
+ file://LICENCE.ene_firmware;md5=ed67f0f62f8f798130c296720b7d3921 \
+ file://LICENCE.fw_sst_0f28;md5=6353931c988ad52818ae733ac61cd293 \
+ file://LICENCE.go7007;md5=c0bb9f6aaaba55b0529ee9b30aa66beb \
+ file://GPL-2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+ file://LICENSE.hfi1_firmware;md5=5e7b6e586ce7339d12689e49931ad444 \
+ file://LICENSE.i915;md5=2b0b2e0d20984affd4490ba2cba02570 \
+ file://LICENCE.ibt_firmware;md5=fdbee1ddfe0fb7ab0b2fcd6b454a366b \
+ file://LICENSE.ice;md5=742ab4850f2670792940e6d15c974b2f \
+ file://LICENCE.IntcSST2;md5=9e7d8bea77612d7cc7d9e9b54b623062 \
+ file://LICENCE.it913x;md5=1fbf727bfb6a949810c4dbfa7e6ce4f8 \
+ file://LICENCE.iwlwifi_firmware;md5=2ce6786e0fc11ac6e36b54bb9b799f1b \
+ file://LICENCE.kaweth;md5=b1d876e562f4b3b8d391ad8395dfe03f \
+ file://LICENSE.Lontium;md5=4ec8dc582ff7295f39e2ca6a7b0be2b6 \
+ file://LICENCE.Marvell;md5=28b6ed8bd04ba105af6e4dcd6e997772 \
+ file://LICENCE.mediatek;md5=7c1976b63217d76ce47d0a11d8a79cf2 \
+ file://LICENCE.moxa;md5=1086614767d8ccf744a923289d3d4261 \
+ file://LICENCE.myri10ge_firmware;md5=42e32fb89f6b959ca222e25ac8df8fed \
+ file://LICENCE.Netronome;md5=4add08f2577086d44447996503cddf5f \
+ file://LICENCE.nvidia;md5=4428a922ed3ba2ceec95f076a488ce07 \
+ file://LICENCE.NXP;md5=58bb8ba632cd729b9ba6183bc6aed36f \
+ file://LICENCE.OLPC;md5=5b917f9d8c061991be4f6f5f108719cd \
+ file://LICENCE.open-ath9k-htc-firmware;md5=1b33c9f4d17bc4d457bdb23727046837 \
+ file://LICENCE.phanfw;md5=954dcec0e051f9409812b561ea743bfa \
+ file://LICENCE.qat_firmware;md5=9e7d8bea77612d7cc7d9e9b54b623062 \
+ file://LICENSE.qcom;md5=164e3362a538eb11d3ac51e8e134294b \
+ file://LICENCE.qla1280;md5=d6895732e622d950609093223a2c4f5d \
+ file://LICENCE.qla2xxx;md5=505855e921b75f1be4a437ad9b79dff0 \
+ file://LICENSE.QualcommAtheros_ar3k;md5=b5fe244fb2b532311de1472a3bc06da5 \
+ file://LICENSE.QualcommAtheros_ath10k;md5=cb42b686ee5f5cb890275e4321db60a8 \
+ file://LICENCE.r8a779x_usb3;md5=4c1671656153025d7076105a5da7e498 \
+ file://LICENSE.radeon;md5=68ec28bacb3613200bca44f404c69b16 \
+ file://LICENCE.ralink_a_mediatek_company_firmware;md5=728f1a85fd53fd67fa8d7afb080bc435 \
+ file://LICENCE.ralink-firmware.txt;md5=ab2c269277c45476fb449673911a2dfd \
+ file://LICENCE.rtlwifi_firmware.txt;md5=00d06cfd3eddd5a2698948ead2ad54a5 \
+ file://LICENSE.sdma_firmware;md5=51e8c19ecc2270f4b8ea30341ad63ce9 \
+ file://LICENCE.siano;md5=4556c1bf830067f12ca151ad953ec2a5 \
+ file://LICENCE.ti-connectivity;md5=c5e02be633f1499c109d1652514d85ec \
+ file://LICENCE.ti-keystone;md5=3a86335d32864b0bef996bee26cc0f2c \
+ file://LICENCE.ueagle-atm4-firmware;md5=4ed7ea6b507ccc583b9d594417714118 \
+ file://LICENCE.via_vt6656;md5=e4159694cba42d4377a912e78a6e850f \
+ file://LICENCE.wl1251;md5=ad3f81922bb9e197014bb187289d3b5b \
+ file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
+ file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
+ file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
+ file://WHENCE;md5=${WHENCE_CHKSUM} \
+ "
+# WHENCE checksum is defined separately to ease overriding it if
+# class-devupstream is selected.
+WHENCE_CHKSUM = "98ecc3d3223df7ebdc23b0ec56aafb20"
+
+# These are not common licenses, set NO_GENERIC_LICENSE for them
+# so that the license files will be copied from fetched source
+NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENCE.Abilis"
+NO_GENERIC_LICENSE[Firmware-adsp_sst] = "LICENCE.adsp_sst"
+NO_GENERIC_LICENSE[Firmware-agere] = "LICENCE.agere"
+NO_GENERIC_LICENSE[Firmware-amdgpu] = "LICENSE.amdgpu"
+NO_GENERIC_LICENSE[Firmware-amd-ucode] = "LICENSE.amd-ucode"
+NO_GENERIC_LICENSE[Firmware-amlogic_vdec] = "LICENSE.amlogic_vdec"
+NO_GENERIC_LICENSE[Firmware-atheros_firmware] = "LICENCE.atheros_firmware"
+NO_GENERIC_LICENSE[Firmware-atmel] = "LICENSE.atmel"
+NO_GENERIC_LICENSE[Firmware-broadcom_bcm43xx] = "LICENCE.broadcom_bcm43xx"
+NO_GENERIC_LICENSE[Firmware-ca0132] = "LICENCE.ca0132"
+NO_GENERIC_LICENSE[Firmware-cadence] = "LICENCE.cadence"
+NO_GENERIC_LICENSE[Firmware-cavium] = "LICENCE.cavium"
+NO_GENERIC_LICENSE[Firmware-chelsio_firmware] = "LICENCE.chelsio_firmware"
+NO_GENERIC_LICENSE[Firmware-cw1200] = "LICENCE.cw1200"
+NO_GENERIC_LICENSE[Firmware-cypress] = "LICENCE.cypress"
+NO_GENERIC_LICENSE[Firmware-dib0700] = "LICENSE.dib0700"
+NO_GENERIC_LICENSE[Firmware-e100] = "LICENCE.e100"
+NO_GENERIC_LICENSE[Firmware-ene_firmware] = "LICENCE.ene_firmware"
+NO_GENERIC_LICENSE[Firmware-fw_sst_0f28] = "LICENCE.fw_sst_0f28"
+NO_GENERIC_LICENSE[Firmware-go7007] = "LICENCE.go7007"
+NO_GENERIC_LICENSE[Firmware-GPLv2] = "GPL-2"
+NO_GENERIC_LICENSE[Firmware-hfi1_firmware] = "LICENSE.hfi1_firmware"
+NO_GENERIC_LICENSE[Firmware-i915] = "LICENSE.i915"
+NO_GENERIC_LICENSE[Firmware-ibt_firmware] = "LICENCE.ibt_firmware"
+NO_GENERIC_LICENSE[Firmware-ice] = "LICENSE.ice"
+NO_GENERIC_LICENSE[Firmware-IntcSST2] = "LICENCE.IntcSST2"
+NO_GENERIC_LICENSE[Firmware-it913x] = "LICENCE.it913x"
+NO_GENERIC_LICENSE[Firmware-iwlwifi_firmware] = "LICENCE.iwlwifi_firmware"
+NO_GENERIC_LICENSE[Firmware-kaweth] = "LICENCE.kaweth"
+NO_GENERIC_LICENSE[Firmware-Lontium] = "LICENSE.Lontium"
+NO_GENERIC_LICENSE[Firmware-Marvell] = "LICENCE.Marvell"
+NO_GENERIC_LICENSE[Firmware-mediatek] = "LICENCE.mediatek"
+NO_GENERIC_LICENSE[Firmware-moxa] = "LICENCE.moxa"
+NO_GENERIC_LICENSE[Firmware-myri10ge_firmware] = "LICENCE.myri10ge_firmware"
+NO_GENERIC_LICENSE[Firmware-netronome] = "LICENCE.Netronome"
+NO_GENERIC_LICENSE[Firmware-nvidia] = "LICENCE.nvidia"
+NO_GENERIC_LICENSE[Firmware-OLPC] = "LICENCE.OLPC"
+NO_GENERIC_LICENSE[Firmware-ath9k-htc] = "LICENCE.open-ath9k-htc-firmware"
+NO_GENERIC_LICENSE[Firmware-phanfw] = "LICENCE.phanfw"
+NO_GENERIC_LICENSE[Firmware-qat] = "LICENCE.qat_firmware"
+NO_GENERIC_LICENSE[Firmware-qcom] = "LICENSE.qcom"
+NO_GENERIC_LICENSE[Firmware-qla1280] = "LICENCE.qla1280"
+NO_GENERIC_LICENSE[Firmware-qla2xxx] = "LICENCE.qla2xxx"
+NO_GENERIC_LICENSE[Firmware-qualcommAthos_ar3k] = "LICENSE.QualcommAtheros_ar3k"
+NO_GENERIC_LICENSE[Firmware-qualcommAthos_ath10k] = "LICENSE.QualcommAtheros_ath10k"
+NO_GENERIC_LICENSE[Firmware-r8a779x_usb3] = "LICENCE.r8a779x_usb3"
+NO_GENERIC_LICENSE[Firmware-radeon] = "LICENSE.radeon"
+NO_GENERIC_LICENSE[Firmware-ralink_a_mediatek_company_firmware] = "LICENCE.ralink_a_mediatek_company_firmware"
+NO_GENERIC_LICENSE[Firmware-ralink-firmware] = "LICENCE.ralink-firmware.txt"
+NO_GENERIC_LICENSE[Firmware-rtlwifi_firmware] = "LICENCE.rtlwifi_firmware.txt"
+NO_GENERIC_LICENSE[Firmware-siano] = "LICENCE.siano"
+NO_GENERIC_LICENSE[Firmware-imx-sdma_firmware] = "LICENSE.sdma_firmware"
+NO_GENERIC_LICENSE[Firmware-ti-connectivity] = "LICENCE.ti-connectivity"
+NO_GENERIC_LICENSE[Firmware-ti-keystone] = "LICENCE.ti-keystone"
+NO_GENERIC_LICENSE[Firmware-ueagle-atm4-firmware] = "LICENCE.ueagle-atm4-firmware"
+NO_GENERIC_LICENSE[Firmware-via_vt6656] = "LICENCE.via_vt6656"
+NO_GENERIC_LICENSE[Firmware-wl1251] = "LICENCE.wl1251"
+NO_GENERIC_LICENSE[Firmware-xc4000] = "LICENCE.xc4000"
+NO_GENERIC_LICENSE[Firmware-xc5000] = "LICENCE.xc5000"
+NO_GENERIC_LICENSE[Firmware-xc5000c] = "LICENCE.xc5000c"
+NO_GENERIC_LICENSE[WHENCE] = "WHENCE"
+
+PE = "1"
+
+SRC_URI = "\
+ ${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz \
+"
+
+BBCLASSEXTEND = "devupstream:target"
+SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git;protocol=https;branch=main"
+# Pin this to the 20220509 release, override this in local.conf
+SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
+
+SRC_URI[sha256sum] = "26fd00f2d8e96c4af6f44269a6b893eb857253044f75ad28ef6706a2250cd8e9"
+
+inherit allarch
+
+CLEANBROKEN = "1"
+
+do_compile() {
+ :
+}
+
+do_install() {
+ oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install
+ cp GPL-2 LICEN[CS]E.* WHENCE ${D}${nonarch_base_libdir}/firmware/
+}
+
+
+PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
+ ${PN}-mt7601u-license ${PN}-mt7601u \
+ ${PN}-radeon-license ${PN}-radeon \
+ ${PN}-marvell-license ${PN}-pcie8897 ${PN}-pcie8997 \
+ ${PN}-sd8686 ${PN}-sd8688 ${PN}-sd8787 ${PN}-sd8797 ${PN}-sd8801 \
+ ${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \
+ ${PN}-ti-connectivity-license ${PN}-wlcommon ${PN}-wl12xx ${PN}-wl18xx \
+ ${PN}-vt6656-license ${PN}-vt6656 \
+ ${PN}-rs9113 ${PN}-rs9116 \
+ ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \
+ ${PN}-rtl8168 \
+ ${PN}-cypress-license \
+ ${PN}-broadcom-license \
+ ${PN}-bcm-0bb4-0306 \
+ ${PN}-bcm43143 \
+ ${PN}-bcm43236b \
+ ${PN}-bcm43241b0 \
+ ${PN}-bcm43241b4 \
+ ${PN}-bcm43241b5 \
+ ${PN}-bcm43242a \
+ ${PN}-bcm4329 \
+ ${PN}-bcm4329-fullmac \
+ ${PN}-bcm4330 \
+ ${PN}-bcm4334 \
+ ${PN}-bcm43340 \
+ ${PN}-bcm4335 \
+ ${PN}-bcm43362 \
+ ${PN}-bcm4339 \
+ ${PN}-bcm43430 \
+ ${PN}-bcm43430a0 \
+ ${PN}-bcm43455 \
+ ${PN}-bcm4350 \
+ ${PN}-bcm4350c2 \
+ ${PN}-bcm4354 \
+ ${PN}-bcm4356 \
+ ${PN}-bcm4356-pcie \
+ ${PN}-bcm43569 \
+ ${PN}-bcm43570 \
+ ${PN}-bcm4358 \
+ ${PN}-bcm43602 \
+ ${PN}-bcm4366b \
+ ${PN}-bcm4366c \
+ ${PN}-bcm4371 \
+ ${PN}-bcm4373 \
+ ${PN}-bcm43xx \
+ ${PN}-bcm43xx-hdr \
+ ${PN}-atheros-license ${PN}-ar9170 ${PN}-ath6k ${PN}-ath9k \
+ ${PN}-gplv2-license ${PN}-carl9170 \
+ ${PN}-ar3k-license ${PN}-ar3k ${PN}-ath10k-license ${PN}-ath10k ${PN}-ath11k ${PN}-qca \
+ \
+ ${PN}-imx-sdma-license ${PN}-imx-sdma-imx6q ${PN}-imx-sdma-imx7d \
+ \
+ ${PN}-iwlwifi-license ${PN}-iwlwifi \
+ ${PN}-iwlwifi-135-6 \
+ ${PN}-iwlwifi-3160-7 ${PN}-iwlwifi-3160-8 ${PN}-iwlwifi-3160-9 \
+ ${PN}-iwlwifi-3160-10 ${PN}-iwlwifi-3160-12 ${PN}-iwlwifi-3160-13 \
+ ${PN}-iwlwifi-3160-16 ${PN}-iwlwifi-3160-17 \
+ ${PN}-iwlwifi-6000-4 ${PN}-iwlwifi-6000g2a-5 ${PN}-iwlwifi-6000g2a-6 \
+ ${PN}-iwlwifi-6000g2b-5 ${PN}-iwlwifi-6000g2b-6 \
+ ${PN}-iwlwifi-6050-4 ${PN}-iwlwifi-6050-5 \
+ ${PN}-iwlwifi-7260 \
+ ${PN}-iwlwifi-7265 \
+ ${PN}-iwlwifi-7265d ${PN}-iwlwifi-8000c ${PN}-iwlwifi-8265 \
+ ${PN}-iwlwifi-9000 \
+ ${PN}-iwlwifi-misc \
+ ${PN}-ibt-license ${PN}-ibt \
+ ${PN}-ibt-11-5 ${PN}-ibt-12-16 ${PN}-ibt-hw-37-7 ${PN}-ibt-hw-37-8 \
+ ${PN}-ibt-17 \
+ ${PN}-ibt-20 \
+ ${PN}-ibt-misc \
+ ${PN}-i915-license ${PN}-i915 \
+ ${PN}-ice-license ${PN}-ice \
+ ${PN}-adsp-sst-license ${PN}-adsp-sst \
+ ${PN}-bnx2-mips \
+ ${PN}-liquidio \
+ ${PN}-nvidia-license \
+ ${PN}-nvidia-tegra-k1 ${PN}-nvidia-tegra \
+ ${PN}-nvidia-gpu \
+ ${PN}-netronome-license ${PN}-netronome \
+ ${PN}-qat ${PN}-qat-license \
+ ${PN}-qcom-license \
+ ${PN}-qcom-venus-1.8 ${PN}-qcom-venus-4.2 ${PN}-qcom-venus-5.2 ${PN}-qcom-venus-5.4 \
+ ${PN}-qcom-vpu-1.0 ${PN}-qcom-vpu-2.0 \
+ ${PN}-qcom-adreno-a2xx ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a4xx ${PN}-qcom-adreno-a530 \
+ ${PN}-qcom-adreno-a630 ${PN}-qcom-adreno-a650 ${PN}-qcom-adreno-a660 \
+ ${PN}-qcom-apq8096-audio ${PN}-qcom-apq8096-modem \
+ ${PN}-qcom-sc8280xp-lenovo-x13s-compat \
+ ${PN}-qcom-sc8280xp-lenovo-x13s-audio \
+ ${PN}-qcom-sc8280xp-lenovo-x13s-adreno \
+ ${PN}-qcom-sc8280xp-lenovo-x13s-compute \
+ ${PN}-qcom-sc8280xp-lenovo-x13s-sensors \
+ ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \
+ ${PN}-qcom-sm8250-audio ${PN}-qcom-sm8250-compute \
+ ${PN}-amlogic-vdec-license ${PN}-amlogic-vdec \
+ ${PN}-lt9611uxc ${PN}-lontium-license \
+ ${PN}-whence-license \
+ ${PN}-license \
+ "
+
+# For atheros
+LICENSE_${PN}-ar9170 = "Firmware-atheros_firmware"
+LICENSE_${PN}-ath6k = "Firmware-atheros_firmware"
+LICENSE_${PN}-ath9k = "Firmware-atheros_firmware"
+LICENSE_${PN}-atheros-license = "Firmware-atheros_firmware"
+
+FILES_${PN}-atheros-license = "${nonarch_base_libdir}/firmware/LICENCE.atheros_firmware"
+FILES_${PN}-ar9170 = " \
+ ${nonarch_base_libdir}/firmware/ar9170*.fw \
+"
+FILES_${PN}-ath6k = " \
+ ${nonarch_base_libdir}/firmware/ath6k \
+"
+FILES_${PN}-ath9k = " \
+ ${nonarch_base_libdir}/firmware/ar9271.fw \
+ ${nonarch_base_libdir}/firmware/ar7010*.fw \
+ ${nonarch_base_libdir}/firmware/htc_9271.fw \
+ ${nonarch_base_libdir}/firmware/htc_7010.fw \
+ ${nonarch_base_libdir}/firmware/ath9k_htc/htc_7010-1.4.0.fw \
+ ${nonarch_base_libdir}/firmware/ath9k_htc/htc_9271-1.4.0.fw \
+"
+
+RDEPENDS_${PN}-ar9170 += "${PN}-atheros-license"
+RDEPENDS_${PN}-ath6k += "${PN}-atheros-license"
+RDEPENDS_${PN}-ath9k += "${PN}-atheros-license"
+
+# For carl9170
+LICENSE_${PN}-carl9170 = "Firmware-GPLv2"
+LICENSE_${PN}-gplv2-license = "Firmware-GPLv2"
+
+FILES_${PN}-gplv2-license = "${nonarch_base_libdir}/firmware/GPL-2"
+FILES_${PN}-carl9170 = " \
+ ${nonarch_base_libdir}/firmware/carl9170*.fw \
+"
+
+RDEPENDS_${PN}-carl9170 += "${PN}-gplv2-license"
+
+# For QualCommAthos
+LICENSE_${PN}-ar3k = "Firmware-qualcommAthos_ar3k & Firmware-atheros_firmware"
+LICENSE_${PN}-ar3k-license = "Firmware-qualcommAthos_ar3k"
+LICENSE_${PN}-ath10k = "Firmware-qualcommAthos_ath10k"
+LICENSE_${PN}-ath10k-license = "Firmware-qualcommAthos_ath10k"
+LICENSE_${PN}-qca = "Firmware-qualcommAthos_ath10k"
+
+FILES_${PN}-ar3k-license = "${nonarch_base_libdir}/firmware/LICENSE.QualcommAtheros_ar3k"
+FILES_${PN}-ar3k = " \
+ ${nonarch_base_libdir}/firmware/ar3k \
+"
+
+FILES_${PN}-ath10k-license = "${nonarch_base_libdir}/firmware/LICENSE.QualcommAtheros_ath10k"
+FILES_${PN}-ath10k = " \
+ ${nonarch_base_libdir}/firmware/ath10k \
+"
+
+FILES_${PN}-ath11k = " \
+ ${nonarch_base_libdir}/firmware/ath11k \
+"
+
+FILES_${PN}-qca = " \
+ ${nonarch_base_libdir}/firmware/qca \
+"
+
+RDEPENDS_${PN}-ar3k += "${PN}-ar3k-license ${PN}-atheros-license"
+RDEPENDS_${PN}-ath10k += "${PN}-ath10k-license"
+RDEPENDS_${PN}-ath11k += "${PN}-ath10k-license"
+RDEPENDS_${PN}-qca += "${PN}-ath10k-license"
+
+# For ralink
+LICENSE_${PN}-ralink = "Firmware-ralink-firmware"
+LICENSE_${PN}-ralink-license = "Firmware-ralink-firmware"
+
+FILES_${PN}-ralink-license = "${nonarch_base_libdir}/firmware/LICENCE.ralink-firmware.txt"
+FILES_${PN}-ralink = " \
+ ${nonarch_base_libdir}/firmware/rt*.bin \
+"
+
+RDEPENDS_${PN}-ralink += "${PN}-ralink-license"
+
+# For mediatek MT7601U
+LICENSE_${PN}-mt7601u = "Firmware-ralink_a_mediatek_company_firmware"
+LICENSE_${PN}-mt7601u-license = "Firmware-ralink_a_mediatek_company_firmware"
+
+FILES_${PN}-mt7601u-license = "${nonarch_base_libdir}/firmware/LICENCE.ralink_a_mediatek_company_firmware"
+FILES_${PN}-mt7601u = " \
+ ${nonarch_base_libdir}/firmware/mt7601u.bin \
+"
+
+RDEPENDS_${PN}-mt7601u += "${PN}-mt7601u-license"
+
+# For radeon
+LICENSE_${PN}-radeon = "Firmware-radeon"
+LICENSE_${PN}-radeon-license = "Firmware-radeon"
+
+FILES_${PN}-radeon-license = "${nonarch_base_libdir}/firmware/LICENSE.radeon"
+FILES_${PN}-radeon = " \
+ ${nonarch_base_libdir}/firmware/radeon \
+"
+
+RDEPENDS_${PN}-radeon += "${PN}-radeon-license"
+
+# For lontium
+LICENSE_${PN}-lt9611uxc = "Firmware-Lontium"
+
+FILES_${PN}-lontium-license = "${nonarch_base_libdir}/firmware/LICENSE.Lontium"
+FILES_${PN}-lt9611uxc = "${nonarch_base_libdir}/firmware/lt9611uxc_fw.bin"
+
+# For marvell
+LICENSE_${PN}-pcie8897 = "Firmware-Marvell"
+LICENSE_${PN}-pcie8997 = "Firmware-Marvell"
+LICENSE_${PN}-sd8686 = "Firmware-Marvell"
+LICENSE_${PN}-sd8688 = "Firmware-Marvell"
+LICENSE_${PN}-sd8787 = "Firmware-Marvell"
+LICENSE_${PN}-sd8797 = "Firmware-Marvell"
+LICENSE_${PN}-sd8801 = "Firmware-Marvell"
+LICENSE_${PN}-sd8887 = "Firmware-Marvell"
+LICENSE_${PN}-sd8897 = "Firmware-Marvell"
+LICENSE_${PN}-sd8997 = "Firmware-Marvell"
+LICENSE_${PN}-usb8997 = "Firmware-Marvell"
+LICENSE_${PN}-marvell-license = "Firmware-Marvell"
+
+FILES_${PN}-marvell-license = "${nonarch_base_libdir}/firmware/LICENCE.Marvell"
+FILES_${PN}-pcie8897 = " \
+ ${nonarch_base_libdir}/firmware/mrvl/pcie8897_uapsta.bin \
+"
+FILES_${PN}-pcie8997 = " \
+ ${nonarch_base_libdir}/firmware/mrvl/pcie8997_wlan_v4.bin \
+ ${nonarch_base_libdir}/firmware/mrvl/pcieuart8997_combo_v4.bin \
+ ${nonarch_base_libdir}/firmware/mrvl/pcieusb8997_combo_v4.bin \
+"
+FILES_${PN}-sd8686 = " \
+ ${nonarch_base_libdir}/firmware/libertas/sd8686_v9* \
+ ${nonarch_base_libdir}/firmware/sd8686* \
+"
+FILES_${PN}-sd8688 = " \
+ ${nonarch_base_libdir}/firmware/libertas/sd8688* \
+ ${nonarch_base_libdir}/firmware/mrvl/sd8688* \
+"
+FILES_${PN}-sd8787 = " \
+ ${nonarch_base_libdir}/firmware/mrvl/sd8787_uapsta.bin \
+"
+FILES_${PN}-sd8797 = " \
+ ${nonarch_base_libdir}/firmware/mrvl/sd8797_uapsta.bin \
+"
+FILES_${PN}-sd8801 = " \
+ ${nonarch_base_libdir}/firmware/mrvl/sd8801_uapsta.bin \
+"
+FILES_${PN}-sd8887 = " \
+ ${nonarch_base_libdir}/firmware/mrvl/sd8887_uapsta.bin \
+"
+FILES_${PN}-sd8897 = " \
+ ${nonarch_base_libdir}/firmware/mrvl/sd8897_uapsta.bin \
+"
+do_install_append() {
+ # The kernel 5.6.x driver still uses the old name, provide a symlink for
+ # older kernels
+ ln -fs sdsd8997_combo_v4.bin ${D}${nonarch_base_libdir}/firmware/mrvl/sd8997_uapsta.bin
+}
+FILES_${PN}-sd8997 = " \
+ ${nonarch_base_libdir}/firmware/mrvl/sd8997_uapsta.bin \
+ ${nonarch_base_libdir}/firmware/mrvl/sdsd8997_combo_v4.bin \
+"
+FILES_${PN}-usb8997 = " \
+ ${nonarch_base_libdir}/firmware/mrvl/usbusb8997_combo_v4.bin \
+"
+
+RDEPENDS_${PN}-sd8686 += "${PN}-marvell-license"
+RDEPENDS_${PN}-sd8688 += "${PN}-marvell-license"
+RDEPENDS_${PN}-sd8787 += "${PN}-marvell-license"
+RDEPENDS_${PN}-sd8797 += "${PN}-marvell-license"
+RDEPENDS_${PN}-sd8801 += "${PN}-marvell-license"
+RDEPENDS_${PN}-sd8887 += "${PN}-marvell-license"
+RDEPENDS_${PN}-sd8897 += "${PN}-marvell-license"
+RDEPENDS_${PN}-sd8997 += "${PN}-marvell-license"
+RDEPENDS_${PN}-usb8997 += "${PN}-marvell-license"
+
+# For netronome
+LICENSE_${PN}-netronome = "Firmware-netronome"
+
+FILES_${PN}-netronome-license = " \
+ ${nonarch_base_libdir}/firmware/LICENCE.Netronome \
+"
+FILES_${PN}-netronome = " \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0081*.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0096*.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0097*.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0099*.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0011_2x40.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0012_2x40.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0078-0011_1x100.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/bpf \
+ ${nonarch_base_libdir}/firmware/netronome/flower \
+ ${nonarch_base_libdir}/firmware/netronome/nic \
+ ${nonarch_base_libdir}/firmware/netronome/nic-sriov \
+"
+
+RDEPENDS_${PN}-netronome += "${PN}-netronome-license"
+
+# For Nvidia
+LICENSE_${PN}-nvidia-gpu = "Firmware-nvidia"
+LICENSE_${PN}-nvidia-tegra = "Firmware-nvidia"
+LICENSE_${PN}-nvidia-tegra-k1 = "Firmware-nvidia"
+LICENSE_${PN}-nvidia-license = "Firmware-nvidia"
+
+FILES_${PN}-nvidia-gpu = "${nonarch_base_libdir}/firmware/nvidia"
+FILES_${PN}-nvidia-tegra = " \
+ ${nonarch_base_libdir}/firmware/nvidia/tegra* \
+ ${nonarch_base_libdir}/firmware/nvidia/gm20b \
+ ${nonarch_base_libdir}/firmware/nvidia/gp10b \
+"
+FILES_${PN}-nvidia-tegra-k1 = " \
+ ${nonarch_base_libdir}/firmware/nvidia/tegra124 \
+ ${nonarch_base_libdir}/firmware/nvidia/gk20a \
+"
+FILES_${PN}-nvidia-license = "${nonarch_base_libdir}/firmware/LICENCE.nvidia"
+
+RDEPENDS_${PN}-nvidia-gpu += "${PN}-nvidia-license"
+RDEPENDS_${PN}-nvidia-tegra += "${PN}-nvidia-license"
+RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license"
+
+# For RSI RS911x WiFi
+LICENSE_${PN}-rs9113 = "WHENCE"
+LICENSE_${PN}-rs9116 = "WHENCE"
+
+FILES_${PN}-rs9113 = " ${nonarch_base_libdir}/firmware/rsi/rs9113*.rps "
+FILES_${PN}-rs9116 = " ${nonarch_base_libdir}/firmware/rsi/rs9116*.rps "
+
+RDEPENDS_${PN}-rs9113 += "${PN}-whence-license"
+RDEPENDS_${PN}-rs9116 += "${PN}-whence-license"
+
+# For rtl
+LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware"
+LICENSE_${PN}-rtl8192cu = "Firmware-rtlwifi_firmware"
+LICENSE_${PN}-rtl8192ce = "Firmware-rtlwifi_firmware"
+LICENSE_${PN}-rtl8192su = "Firmware-rtlwifi_firmware"
+LICENSE_${PN}-rtl8723 = "Firmware-rtlwifi_firmware"
+LICENSE_${PN}-rtl8821 = "Firmware-rtlwifi_firmware"
+LICENSE_${PN}-rtl-license = "Firmware-rtlwifi_firmware"
+LICENSE_${PN}-rtl8168 = "WHENCE"
+
+FILES_${PN}-rtl-license = " \
+ ${nonarch_base_libdir}/firmware/LICENCE.rtlwifi_firmware.txt \
+"
+FILES_${PN}-rtl8188 = " \
+ ${nonarch_base_libdir}/firmware/rtlwifi/rtl8188*.bin \
+"
+FILES_${PN}-rtl8192cu = " \
+ ${nonarch_base_libdir}/firmware/rtlwifi/rtl8192cufw*.bin \
+"
+FILES_${PN}-rtl8192ce = " \
+ ${nonarch_base_libdir}/firmware/rtlwifi/rtl8192cfw*.bin \
+"
+FILES_${PN}-rtl8192su = " \
+ ${nonarch_base_libdir}/firmware/rtlwifi/rtl8712u.bin \
+"
+FILES_${PN}-rtl8723 = " \
+ ${nonarch_base_libdir}/firmware/rtlwifi/rtl8723*.bin \
+"
+FILES_${PN}-rtl8821 = " \
+ ${nonarch_base_libdir}/firmware/rtlwifi/rtl8821*.bin \
+"
+FILES_${PN}-rtl8168 = " \
+ ${nonarch_base_libdir}/firmware/rtl_nic/rtl8168*.fw \
+"
+
+RDEPENDS_${PN}-rtl8188 += "${PN}-rtl-license"
+RDEPENDS_${PN}-rtl8192ce += "${PN}-rtl-license"
+RDEPENDS_${PN}-rtl8192cu += "${PN}-rtl-license"
+RDEPENDS_${PN}-rtl8192su = "${PN}-rtl-license"
+RDEPENDS_${PN}-rtl8723 += "${PN}-rtl-license"
+RDEPENDS_${PN}-rtl8821 += "${PN}-rtl-license"
+RDEPENDS_${PN}-rtl8168 += "${PN}-whence-license"
+
+# For ti-connectivity
+LICENSE_${PN}-wlcommon = "Firmware-ti-connectivity"
+LICENSE_${PN}-wl12xx = "Firmware-ti-connectivity"
+LICENSE_${PN}-wl18xx = "Firmware-ti-connectivity"
+LICENSE_${PN}-ti-connectivity-license = "Firmware-ti-connectivity"
+
+FILES_${PN}-ti-connectivity-license = "${nonarch_base_libdir}/firmware/LICENCE.ti-connectivity"
+# wl18xx optionally needs wl1271-nvs.bin (which itself is a symlink to
+# wl127x-nvs.bin) - see linux/drivers/net/wireless/ti/wlcore/sdio.c
+# and drivers/net/wireless/ti/wlcore/spi.c.
+# While they're optional and actually only used to override the MAC
+# address on wl18xx, driver loading will delay (by udev timout - 60s)
+# if not there. So let's make it available always. Because it's a
+# symlink, both need to go to wlcommon.
+FILES_${PN}-wlcommon = " \
+ ${nonarch_base_libdir}/firmware/ti-connectivity/TI* \
+ ${nonarch_base_libdir}/firmware/ti-connectivity/wl127x-nvs.bin \
+ ${nonarch_base_libdir}/firmware/ti-connectivity/wl1271-nvs.bin \
+"
+FILES_${PN}-wl12xx = " \
+ ${nonarch_base_libdir}/firmware/ti-connectivity/wl12* \
+"
+FILES_${PN}-wl18xx = " \
+ ${nonarch_base_libdir}/firmware/ti-connectivity/wl18* \
+"
+
+RDEPENDS_${PN}-wl12xx = "${PN}-ti-connectivity-license ${PN}-wlcommon"
+RDEPENDS_${PN}-wl18xx = "${PN}-ti-connectivity-license ${PN}-wlcommon"
+
+# For vt6656
+LICENSE_${PN}-vt6656 = "Firmware-via_vt6656"
+LICENSE_${PN}-vt6656-license = "Firmware-via_vt6656"
+
+FILES_${PN}-vt6656-license = "${nonarch_base_libdir}/firmware/LICENCE.via_vt6656"
+FILES_${PN}-vt6656 = " \
+ ${nonarch_base_libdir}/firmware/vntwusb.fw \
+"
+
+RDEPENDS_${PN}-vt6656 = "${PN}-vt6656-license"
+
+# For broadcom
+
+# for i in `grep brcm WHENCE | grep ^File | sed 's/File: brcm.//g'`; do pkg=`echo $i | sed 's/-[sp40].*//g; s/\.bin//g; s/brcmfmac/bcm/g; s/_hdr/-hdr/g; s/BCM/bcm-0bb4-0306/g'`; echo -e " \${PN}-$pkg \\"; done | sort -u
+
+LICENSE_${PN}-broadcom-license = "Firmware-broadcom_bcm43xx"
+FILES_${PN}-broadcom-license = "${nonarch_base_libdir}/firmware/LICENCE.broadcom_bcm43xx"
+
+# for i in `grep brcm WHENCE | grep ^File | sed 's/File: brcm.//g'`; do pkg=`echo $i | sed 's/-[sp40].*//g; s/\.bin//g; s/brcmfmac/bcm/g; s/_hdr/-hdr/g; s/BCM/bcm-0bb4-0306/g'`; echo "$i - $pkg"; echo -e "FILES_\${PN}-$pkg = \"\${nonarch_base_libdir}/firmware/brcm/$i\""; done | grep ^FILES
+
+FILES_${PN}-bcm43xx = "${nonarch_base_libdir}/firmware/brcm/bcm43xx-0.fw"
+FILES_${PN}-bcm43xx-hdr = "${nonarch_base_libdir}/firmware/brcm/bcm43xx_hdr-0.fw"
+FILES_${PN}-bcm4329-fullmac = "${nonarch_base_libdir}/firmware/brcm/bcm4329-fullmac-4.bin"
+FILES_${PN}-bcm43236b = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43236b.bin"
+FILES_${PN}-bcm4329 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4329-sdio.bin"
+FILES_${PN}-bcm4330 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.*"
+FILES_${PN}-bcm4334 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin"
+FILES_${PN}-bcm4335 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4335-sdio.bin"
+FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4339-sdio.bin \
+"
+FILES_${PN}-bcm43241b0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b0-sdio.bin"
+FILES_${PN}-bcm43241b4 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b4-sdio.bin"
+FILES_${PN}-bcm43241b5 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b5-sdio.bin"
+FILES_${PN}-bcm43242a = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43242a.bin"
+FILES_${PN}-bcm43143 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43143.bin \
+ ${nonarch_base_libdir}/firmware/brcm/brcmfmac43143-sdio.bin \
+"
+FILES_${PN}-bcm43430a0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430a0-sdio.*"
+FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43455-sdio.* \
+"
+FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin"
+FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin"
+FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.* \
+"
+FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin"
+FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43570-pcie.bin \
+"
+FILES_${PN}-bcm4358 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4358-pcie.bin"
+FILES_${PN}-bcm43602 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.bin \
+ ${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.ap.bin \
+"
+FILES_${PN}-bcm4366b = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4366b-pcie.bin"
+FILES_${PN}-bcm4366c = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4366c-pcie.bin"
+FILES_${PN}-bcm4371 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4371-pcie.bin"
+
+# for i in `grep brcm WHENCE | grep ^File | sed 's/File: brcm.//g'`; do pkg=`echo $i | sed 's/-[sp40].*//g; s/\.bin//g; s/brcmfmac/bcm/g; s/_hdr/-hdr/g; s/BCM/bcm-0bb4-0306/g'`; echo -e "LICENSE_\${PN}-$pkg = \"Firmware-broadcom_bcm43xx\"\nRDEPENDS_\${PN}-$pkg += \"\${PN}-broadcom-license\""; done
+# Currently 1st one and last 6 have cypress LICENSE
+
+LICENSE_${PN}-bcm43xx = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43xx += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43xx-hdr = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43xx-hdr += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4329-fullmac = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4329-fullmac += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43236b = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43236b += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4329 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4329 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4330 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4330 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4334 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4334 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4335 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4335 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4339 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4339 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43241b0 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43241b0 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43241b4 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43241b4 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43241b5 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43241b5 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43242a = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43242a += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43143 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43143 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43430a0 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43430a0 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43455 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43455 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4350c2 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4350c2 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4350 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4350 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4356 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4356 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43569 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43569 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43570 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43570 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4358 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4358 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43602 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43602 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4366b = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4366b += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4366c = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4366c += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4371 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4371 += "${PN}-broadcom-license"
+
+# For broadcom cypress
+
+LICENSE_${PN}-cypress-license = "Firmware-cypress"
+FILES_${PN}-cypress-license = "${nonarch_base_libdir}/firmware/LICENCE.cypress"
+
+FILES_${PN}-bcm-0bb4-0306 = "${nonarch_base_libdir}/firmware/brcm/BCM-0bb4-0306.hcd"
+FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43340-sdio.*"
+FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43362-sdio.*"
+FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43430-sdio.*"
+FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4354-sdio.bin \
+"
+FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-pcie.* \
+"
+FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \
+ ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \
+ ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.clm_blob \
+"
+
+LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm-0bb4-0306 += "${PN}-cypress-license"
+LICENSE_${PN}-bcm43340 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm43340 += "${PN}-cypress-license"
+LICENSE_${PN}-bcm43362 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm43362 += "${PN}-cypress-license"
+LICENSE_${PN}-bcm43430 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm43430 += "${PN}-cypress-license"
+LICENSE_${PN}-bcm4354 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm4354 += "${PN}-cypress-license"
+LICENSE_${PN}-bcm4356-pcie = "Firmware-cypress"
+RDEPENDS_${PN}-bcm4356-pcie += "${PN}-cypress-license"
+LICENSE_${PN}-bcm4373 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm4373 += "${PN}-cypress-license"
+
+# For Broadcom bnx2-mips
+#
+# which is a separate case to the other Broadcom firmwares since its
+# license is contained in the shared WHENCE file.
+ +LICENSE_${PN}-bnx2-mips = "WHENCE" +LICENSE_${PN}-whence-license = "WHENCE" + +FILES_${PN}-bnx2-mips = "${nonarch_base_libdir}/firmware/bnx2/bnx2-mips-09-6.2.1b.fw" +FILES_${PN}-whence-license = "${nonarch_base_libdir}/firmware/WHENCE" + +RDEPENDS_${PN}-bnx2-mips += "${PN}-whence-license" + +# For imx-sdma +LICENSE_${PN}-imx-sdma-imx6q = "Firmware-imx-sdma_firmware" +LICENSE_${PN}-imx-sdma-imx7d = "Firmware-imx-sdma_firmware" +LICENSE_${PN}-imx-sdma-license = "Firmware-imx-sdma_firmware" + +FILES_${PN}-imx-sdma-imx6q = "${nonarch_base_libdir}/firmware/imx/sdma/sdma-imx6q.bin" + +RPROVIDES_${PN}-imx-sdma-imx6q = "firmware-imx-sdma-imx6q" +RREPLACES_${PN}-imx-sdma-imx6q = "firmware-imx-sdma-imx6q" +RCONFLICTS_${PN}-imx-sdma-imx6q = "firmware-imx-sdma-imx6q" + +FILES_${PN}-imx-sdma-imx7d = "${nonarch_base_libdir}/firmware/imx/sdma/sdma-imx7d.bin" + +FILES_${PN}-imx-sdma-license = "${nonarch_base_libdir}/firmware/LICENSE.sdma_firmware" + +RDEPENDS_${PN}-imx-sdma-imx6q += "${PN}-imx-sdma-license" +RDEPENDS_${PN}-imx-sdma-imx7d += "${PN}-imx-sdma-license" + +# For iwlwifi +LICENSE_${PN}-iwlwifi = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-135-6 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-3160-7 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-3160-8 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-3160-9 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-3160-10 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-3160-12 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-3160-13 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-3160-16 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-3160-17 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-6000-4 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-6000g2a-5 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-6000g2a-6 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-6000g2b-5 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-6000g2b-6 = "Firmware-iwlwifi_firmware" 
+LICENSE_${PN}-iwlwifi-6050-4 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-6050-5 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-7260 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-7265 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-7265d = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-8000c = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-8265 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-9000 = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-misc = "Firmware-iwlwifi_firmware" +LICENSE_${PN}-iwlwifi-license = "Firmware-iwlwifi_firmware" + + +FILES_${PN}-iwlwifi-license = "${nonarch_base_libdir}/firmware/LICENCE.iwlwifi_firmware" +FILES_${PN}-iwlwifi-135-6 = "${nonarch_base_libdir}/firmware/iwlwifi-135-6.ucode" +FILES_${PN}-iwlwifi-3160-7 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-7.ucode" +FILES_${PN}-iwlwifi-3160-8 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-8.ucode" +FILES_${PN}-iwlwifi-3160-9 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-9.ucode" +FILES_${PN}-iwlwifi-3160-10 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-10.ucode" +FILES_${PN}-iwlwifi-3160-12 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-12.ucode" +FILES_${PN}-iwlwifi-3160-13 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-13.ucode" +FILES_${PN}-iwlwifi-3160-16 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-16.ucode" +FILES_${PN}-iwlwifi-3160-17 = "${nonarch_base_libdir}/firmware/iwlwifi-3160-17.ucode" +FILES_${PN}-iwlwifi-6000-4 = "${nonarch_base_libdir}/firmware/iwlwifi-6000-4.ucode" +FILES_${PN}-iwlwifi-6000g2a-5 = "${nonarch_base_libdir}/firmware/iwlwifi-6000g2a-5.ucode" +FILES_${PN}-iwlwifi-6000g2a-6 = "${nonarch_base_libdir}/firmware/iwlwifi-6000g2a-6.ucode" +FILES_${PN}-iwlwifi-6000g2b-5 = "${nonarch_base_libdir}/firmware/iwlwifi-6000g2b-5.ucode" +FILES_${PN}-iwlwifi-6000g2b-6 = "${nonarch_base_libdir}/firmware/iwlwifi-6000g2b-6.ucode" +FILES_${PN}-iwlwifi-6050-4 = "${nonarch_base_libdir}/firmware/iwlwifi-6050-4.ucode" 
+FILES_${PN}-iwlwifi-6050-5 = "${nonarch_base_libdir}/firmware/iwlwifi-6050-5.ucode" +FILES_${PN}-iwlwifi-7260 = "${nonarch_base_libdir}/firmware/iwlwifi-7260-*.ucode" +FILES_${PN}-iwlwifi-7265 = "${nonarch_base_libdir}/firmware/iwlwifi-7265-*.ucode" +FILES_${PN}-iwlwifi-7265d = "${nonarch_base_libdir}/firmware/iwlwifi-7265D-*.ucode" +FILES_${PN}-iwlwifi-8000c = "${nonarch_base_libdir}/firmware/iwlwifi-8000C-*.ucode" +FILES_${PN}-iwlwifi-8265 = "${nonarch_base_libdir}/firmware/iwlwifi-8265-*.ucode" +FILES_${PN}-iwlwifi-9000 = "${nonarch_base_libdir}/firmware/iwlwifi-9000-*.ucode" +FILES_${PN}-iwlwifi-misc = "${nonarch_base_libdir}/firmware/iwlwifi-*.ucode" + +RDEPENDS_${PN}-iwlwifi-135-6 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-3160-7 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-3160-8 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-3160-9 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-3160-10 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-3160-12 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-3160-13 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-3160-16 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-3160-17 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-6000-4 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-6000g2a-5 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-6000g2a-6 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-6000g2b-5 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-6000g2b-6 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-6050-4 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-6050-5 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-7260 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-7265 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-7265d = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-8000c = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-8265 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-9000 = "${PN}-iwlwifi-license" +RDEPENDS_${PN}-iwlwifi-misc = "${PN}-iwlwifi-license" + +# 
-iwlwifi-misc is a "catch all" package that includes all the iwlwifi +# firmwares that are not already included in other -iwlwifi- packages. +# -iwlwifi is a virtual package that depends upon all iwlwifi packages. +# These are distinct in order to allow the -misc firmwares to be installed +# without pulling in every other iwlwifi package. +ALLOW_EMPTY_${PN}-iwlwifi = "1" +ALLOW_EMPTY_${PN}-iwlwifi-misc = "1" + +# Handle package updating for the newly merged iwlwifi groupings +RPROVIDES_${PN}-iwlwifi-7265 = "${PN}-iwlwifi-7265-8 ${PN}-iwlwifi-7265-9" +RREPLACES_${PN}-iwlwifi-7265 = "${PN}-iwlwifi-7265-8 ${PN}-iwlwifi-7265-9" +RCONFLICTS_${PN}-iwlwifi-7265 = "${PN}-iwlwifi-7265-8 ${PN}-iwlwifi-7265-9" + +RPROVIDES_${PN}-iwlwifi-7260 = "${PN}-iwlwifi-7260-7 ${PN}-iwlwifi-7260-8 ${PN}-iwlwifi-7260-9" +RREPLACES_${PN}-iwlwifi-7260 = "${PN}-iwlwifi-7260-7 ${PN}-iwlwifi-7260-8 ${PN}-iwlwifi-7260-9" +RCONFLICTS_${PN}-iwlwifi-7260 = "${PN}-iwlwifi-7260-7 ${PN}-iwlwifi-7260-8 ${PN}-iwlwifi-7260-9" + +# For ibt +LICENSE_${PN}-ibt-license = "Firmware-ibt_firmware" +LICENSE_${PN}-ibt-hw-37-7 = "Firmware-ibt_firmware" +LICENSE_${PN}-ibt-hw-37-8 = "Firmware-ibt_firmware" +LICENSE_${PN}-ibt-11-5 = "Firmware-ibt_firmware" +LICENSE_${PN}-ibt-12-16 = "Firmware-ibt_firmware" +LICENSE_${PN}-ibt-17 = "Firmware-ibt_firmware" +LICENSE_${PN}-ibt-20 = "Firmware-ibt_firmware" +LICENSE_${PN}-ibt-misc = "Firmware-ibt_firmware" + +FILES_${PN}-ibt-license = "${nonarch_base_libdir}/firmware/LICENCE.ibt_firmware" +FILES_${PN}-ibt-hw-37-7 = "${nonarch_base_libdir}/firmware/intel/ibt-hw-37.7*.bseq" +FILES_${PN}-ibt-hw-37-8 = "${nonarch_base_libdir}/firmware/intel/ibt-hw-37.8*.bseq" +FILES_${PN}-ibt-11-5 = "${nonarch_base_libdir}/firmware/intel/ibt-11-5.sfi ${nonarch_base_libdir}/firmware/intel/ibt-11-5.ddc" +FILES_${PN}-ibt-12-16 = "${nonarch_base_libdir}/firmware/intel/ibt-12-16.sfi ${nonarch_base_libdir}/firmware/intel/ibt-12-16.ddc" +FILES_${PN}-ibt-17 = 
"${nonarch_base_libdir}/firmware/intel/ibt-17-*.sfi ${nonarch_base_libdir}/firmware/intel/ibt-17-*.ddc" +FILES_${PN}-ibt-20 = "${nonarch_base_libdir}/firmware/intel/ibt-20-*.sfi ${nonarch_base_libdir}/firmware/intel/ibt-20-*.ddc" +FILES_${PN}-ibt-misc = "${nonarch_base_libdir}/firmware/intel/ibt-*" + +RDEPENDS_${PN}-ibt-hw-37-7 = "${PN}-ibt-license" +RDEPENDS_${PN}-ibt-hw-37.8 = "${PN}-ibt-license" +RDEPENDS_${PN}-ibt-11-5 = "${PN}-ibt-license" +RDEPENDS_${PN}-ibt-12-16 = "${PN}-ibt-license" +RDEPENDS_${PN}-ibt-17 = "${PN}-ibt-license" +RDEPENDS_${PN}-ibt-20 = "${PN}-ibt-license" +RDEPENDS_${PN}-ibt-misc = "${PN}-ibt-license" + +ALLOW_EMPTY_${PN}-ibt= "1" +ALLOW_EMPTY_${PN}-ibt-misc = "1" + +LICENSE_${PN}-i915 = "Firmware-i915" +LICENSE_${PN}-i915-license = "Firmware-i915" +FILES_${PN}-i915-license = "${nonarch_base_libdir}/firmware/LICENSE.i915" +FILES_${PN}-i915 = "${nonarch_base_libdir}/firmware/i915" +RDEPENDS_${PN}-i915 = "${PN}-i915-license" + +LICENSE_${PN}-ice = "Firmware-ice" +LICENSE_${PN}-ice-license = "Firmware-ice" +FILES_${PN}-ice-license = "${nonarch_base_libdir}/firmware/LICENSE.ice" +FILES_${PN}-ice = "${nonarch_base_libdir}/firmware/intel/ice" +RDEPENDS_${PN}-ice = "${PN}-ice-license" + +FILES_${PN}-adsp-sst-license = "${nonarch_base_libdir}/firmware/LICENCE.adsp_sst" +LICENSE_${PN}-adsp-sst = "Firmware-adsp_sst" +LICENSE_${PN}-adsp-sst-license = "Firmware-adsp_sst" +FILES_${PN}-adsp-sst = "${nonarch_base_libdir}/firmware/intel/dsp_fw*" +RDEPENDS_${PN}-adsp-sst = "${PN}-adsp-sst-license" + +# For QAT +LICENSE_${PN}-qat = "Firmware-qat" +LICENSE_${PN}-qat-license = "Firmware-qat" +FILES_${PN}-qat-license = "${nonarch_base_libdir}/firmware/LICENCE.qat_firmware" +FILES_${PN}-qat = "${nonarch_base_libdir}/firmware/qat*.bin" +RDEPENDS_${PN}-qat = "${PN}-qat-license" + +# For QCOM VPU/GPU and SDM845 +LICENSE_${PN}-qcom-license = "Firmware-qcom" +FILES_${PN}-qcom-license = "${nonarch_base_libdir}/firmware/LICENSE.qcom 
${nonarch_base_libdir}/firmware/qcom/NOTICE.txt" +FILES_${PN}-qcom-venus-1.8 = "${nonarch_base_libdir}/firmware/qcom/venus-1.8/*" +FILES_${PN}-qcom-venus-4.2 = "${nonarch_base_libdir}/firmware/qcom/venus-4.2/*" +FILES_${PN}-qcom-venus-5.2 = "${nonarch_base_libdir}/firmware/qcom/venus-5.2/*" +FILES_${PN}-qcom-venus-5.4 = "${nonarch_base_libdir}/firmware/qcom/venus-5.4/*" +FILES_${PN}-qcom-vpu-1.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-1.0/*" +FILES_${PN}-qcom-vpu-2.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-2.0/*" +FILES_${PN}-qcom-adreno-a2xx = "${nonarch_base_libdir}/firmware/qcom/leia_*.fw" +FILES_${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a3*_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw" +FILES_${PN}-qcom-adreno-a4xx = "${nonarch_base_libdir}/firmware/qcom/a4*_*.fw" +FILES_${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.*" +FILES_${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*" +FILES_${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.* ${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*" +FILES_${PN}-qcom-adreno-a660 = "${nonarch_base_libdir}/firmware/qcom/a660*.*" +FILES_${PN}-qcom-apq8096-audio = "${nonarch_base_libdir}/firmware/qcom/apq8096/adsp*.*" +FILES_${PN}-qcom-apq8096-modem = "${nonarch_base_libdir}/firmware/qcom/apq8096/mba.mbn ${nonarch_base_libdir}/firmware/qcom/apq8096/modem*.* ${nonarch_base_libdir}/firmware/qcom/apq8096/wlanmdsp.mbn" +FILES_${PN}-qcom-sc8280xp-lenovo-x13s-compat = "${nonarch_base_libdir}/firmware/qcom/LENOVO/21BX" +FILES_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*adsp*.* ${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn" +FILES_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn" +FILES_${PN}-qcom-sc8280xp-lenovo-x13s-compute = 
"${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*cdsp*.*" +FILES_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*slpi*.*" +FILES_${PN}-qcom-sdm845-audio = "${nonarch_base_libdir}/firmware/qcom/sdm845/adsp*.*" +FILES_${PN}-qcom-sdm845-compute = "${nonarch_base_libdir}/firmware/qcom/sdm845/cdsp*.*" +FILES_${PN}-qcom-sdm845-modem = "${nonarch_base_libdir}/firmware/qcom/sdm845/mba.mbn ${nonarch_base_libdir}/firmware/qcom/sdm845/modem*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/wlanmdsp.mbn" +FILES_${PN}-qcom-sm8250-audio = "${nonarch_base_libdir}/firmware/qcom/sm8250/adsp*.*" +FILES_${PN}-qcom-sm8250-compute = "${nonarch_base_libdir}/firmware/qcom/sm8250/cdsp*.*" +RDEPENDS_${PN}-qcom-venus-1.8 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-venus-4.2 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-venus-5.2 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-venus-5.4 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-vpu-1.0 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-vpu-2.0 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-adreno-a2xx = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-adreno-a3xx = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-adreno-a4xx = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-adreno-a530 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-adreno-a630 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-adreno-a650 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-adreno-a660 = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-apq8096-audio = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-apq8096-modem = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-compute = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-sdm845-audio = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-sdm845-compute = "${PN}-qcom-license" 
+RDEPENDS_${PN}-qcom-sdm845-modem = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-sm8250-audio = "${PN}-qcom-license" +RDEPENDS_${PN}-qcom-sm8250-compute = "${PN}-qcom-license" + +RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${PN}-qcom-sc8280xp-lenovo-x13s-compat" +RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "${PN}-qcom-sc8280xp-lenovo-x13s-compat" +RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-compute = "${PN}-qcom-sc8280xp-lenovo-x13s-compat" +RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "${PN}-qcom-sc8280xp-lenovo-x13s-compat" + +FILES_${PN}-liquidio = "${nonarch_base_libdir}/firmware/liquidio" + +# For Amlogic VDEC +LICENSE_${PN}-amlogic-vdec = "Firmware-amlogic_vdec" +FILES_${PN}-amlogic-vdec-license = "${nonarch_base_libdir}/firmware/LICENSE.amlogic_vdec" +FILES_${PN}-amlogic-vdec = "${nonarch_base_libdir}/firmware/meson/vdec/*" +RDEPENDS_${PN}-amlogic-vdec = "${PN}-amlogic-vdec-license" + +# For other firmwares +# Maybe split out to separate packages when needed. 
+LICENSE_${PN} = "\ + Firmware-Abilis \ + & Firmware-agere \ + & Firmware-amdgpu \ + & Firmware-amd-ucode \ + & Firmware-amlogic_vdec \ + & Firmware-atmel \ + & Firmware-ca0132 \ + & Firmware-cavium \ + & Firmware-chelsio_firmware \ + & Firmware-cw1200 \ + & Firmware-dib0700 \ + & Firmware-e100 \ + & Firmware-ene_firmware \ + & Firmware-fw_sst_0f28 \ + & Firmware-go7007 \ + & Firmware-hfi1_firmware \ + & Firmware-ibt_firmware \ + & Firmware-it913x \ + & Firmware-IntcSST2 \ + & Firmware-kaweth \ + & Firmware-moxa \ + & Firmware-myri10ge_firmware \ + & Firmware-nvidia \ + & Firmware-OLPC \ + & Firmware-ath9k-htc \ + & Firmware-phanfw \ + & Firmware-qat \ + & Firmware-qcom \ + & Firmware-qla1280 \ + & Firmware-qla2xxx \ + & Firmware-r8a779x_usb3 \ + & Firmware-radeon \ + & Firmware-ralink_a_mediatek_company_firmware \ + & Firmware-ralink-firmware \ + & Firmware-imx-sdma_firmware \ + & Firmware-siano \ + & Firmware-ti-connectivity \ + & Firmware-ti-keystone \ + & Firmware-ueagle-atm4-firmware \ + & Firmware-wl1251 \ + & Firmware-xc4000 \ + & Firmware-xc5000 \ + & Firmware-xc5000c \ + & WHENCE \ +" + +FILES_${PN}-license += "${nonarch_base_libdir}/firmware/LICEN*" +FILES_${PN} += "${nonarch_base_libdir}/firmware/*" +RDEPENDS_${PN} += "${PN}-license" +RDEPENDS_${PN} += "${PN}-whence-license" + +# Make linux-firmware depend on all of the split-out packages. +# Make linux-firmware-iwlwifi depend on all of the split-out iwlwifi packages. +# Make linux-firmware-ibt depend on all of the split-out ibt packages. 
+python populate_packages_prepend () { + firmware_pkgs = oe.utils.packages_filter_out_system(d) + d.appendVar('RRECOMMENDS_linux-firmware', ' ' + ' '.join(firmware_pkgs)) + + iwlwifi_pkgs = filter(lambda x: x.find('-iwlwifi-') != -1, firmware_pkgs) + d.appendVar('RRECOMMENDS_linux-firmware-iwlwifi', ' ' + ' '.join(iwlwifi_pkgs)) + + ibt_pkgs = filter(lambda x: x.find('-ibt-') != -1, firmware_pkgs) + d.appendVar('RRECOMMENDS_linux-firmware-ibt', ' ' + ' '.join(ibt_pkgs)) +} + +# Firmware files are generally not ran on the CPU, so they can be +# allarch despite being architecture specific +INSANE_SKIP = "arch" + +# Don't warn about already stripped files +INSANE_SKIP:${PN} = "already-stripped" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb index 8e8fbb5b12..1a0e6d7b67 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "f6c9d6db383201a730e8d638995eae82acd4d8e7" -SRCREV_meta ?= "028688aaad2b64e353d771ba5505a8666cd01696" +SRCREV_machine ?= "03cd66d9814a26fff4681d3a053654848e519fd6" +SRCREV_meta ?= "2f18e629f78da51cacf531bed58a83568724a376" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.4.209" +LINUX_VERSION ?= "5.4.213" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb index cdccebeb1c..0f71051d0f 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb 
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.4.209" +LINUX_VERSION ?= "5.4.213" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "8f087017ff03465fa8d318c06a7e4e072c533daf" -SRCREV_machine ?= "a4b7263158de8713dc85c5171aed99e3424a9f7c" -SRCREV_meta ?= "028688aaad2b64e353d771ba5505a8666cd01696" +SRCREV_machine_qemuarm ?= "284fd0f6e11db890ad6cfd246a2c47521db4a05f" +SRCREV_machine ?= "6d8cf8757864e674bb8f55b6ff68de5e3387d110" +SRCREV_meta ?= "2f18e629f78da51cacf531bed58a83568724a376" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb index 0f597fc3d6..d60a44e4a3 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb 
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base" KBRANCH_qemux86-64 ?= "v5.4/standard/base" KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "4fefb5a57ecb9bc5c6aab38319f773b02c894e6b" -SRCREV_machine_qemuarm64 ?= "407b5fa877ca8993a405542fa4c3d73584e8ea98" -SRCREV_machine_qemumips ?= "1bfe5d39c9f954f0ac2480115f4750f39500d4f4" -SRCREV_machine_qemuppc ?= "753def987b630ed41686223b5dc252436757e893" -SRCREV_machine_qemuriscv64 ?= "90d5f03a7c79ccd5c02e0579049d22cf2686da9b" -SRCREV_machine_qemux86 ?= "90d5f03a7c79ccd5c02e0579049d22cf2686da9b" -SRCREV_machine_qemux86-64 ?= "90d5f03a7c79ccd5c02e0579049d22cf2686da9b" -SRCREV_machine_qemumips64 ?= "b391bfc877fe8ae41e579ffd4bcd814b4ad438ea" -SRCREV_machine ?= "90d5f03a7c79ccd5c02e0579049d22cf2686da9b" -SRCREV_meta ?= "028688aaad2b64e353d771ba5505a8666cd01696" +SRCREV_machine_qemuarm ?= "bcf3f5cf5f1bcfac1df54a2a9f19c92a49fc7538" +SRCREV_machine_qemuarm64 ?= "fea87c9d80c7531f85f69fee97cf9500403cef6b" +SRCREV_machine_qemumips ?= "f1d654a16a5b5a3bbc9288936827628a4a4553a2" +SRCREV_machine_qemuppc ?= "f6bbc9d216fd3cef1df3ced215b0b22503c48906" +SRCREV_machine_qemuriscv64 ?= "c0b728020967728840c39994e472db7ed7b727cf" +SRCREV_machine_qemux86 ?= "c0b728020967728840c39994e472db7ed7b727cf" +SRCREV_machine_qemux86-64 ?= "c0b728020967728840c39994e472db7ed7b727cf" +SRCREV_machine_qemumips64 ?= "841245c9bd427e2e7cc786b92cecaf4390e5dd52" +SRCREV_machine ?= "c0b728020967728840c39994e472db7ed7b727cf" +SRCREV_meta ?= "2f18e629f78da51cacf531bed58a83568724a376" # remap qemuarm to qemuarma15 for the 5.4 kernel # KMACHINE_qemuarm ?= "qemuarma15" 
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" -LINUX_VERSION ?= "5.4.209" +LINUX_VERSION ?= "5.4.213" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.06.06.bb b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.06.06.bb deleted file mode 100644 index 91775bce5c..0000000000 --- a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.06.06.bb +++ /dev/null 
@@ -1,43 +0,0 @@ -SUMMARY = "Wireless Central Regulatory Domain Database" -HOMEPAGE = "https://wireless.wiki.kernel.org/en/developers/regulatory/crda" -SECTION = "net" -LICENSE = "ISC" -LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" - -SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "ac00f97efecce5046ed069d1d93f3365fdf994c7c7854a8fc50831e959537230" - -inherit bin_package allarch - -do_install() { - install -d -m0755 ${D}${nonarch_libdir}/crda - install -d -m0755 ${D}${sysconfdir}/wireless-regdb/pubkeys - install -m 0644 regulatory.bin ${D}${nonarch_libdir}/crda/regulatory.bin - install -m 0644 sforshee.key.pub.pem ${D}${sysconfdir}/wireless-regdb/pubkeys/sforshee.key.pub.pem - - install -m 0644 -D regulatory.db ${D}${nonarch_base_libdir}/firmware/regulatory.db - install -m 0644 regulatory.db.p7s ${D}${nonarch_base_libdir}/firmware/regulatory.db.p7s -} - -# Install static regulatory DB in /lib/firmware for kernel to load. -# This requires Linux kernel >= v4.15. -# For kernel <= v4.14, inherit the kernel_wireless_regdb.bbclass -# (in meta-networking) in kernel's recipe. -PACKAGES = "${PN}-static ${PN}" -RCONFLICTS_${PN} = "${PN}-static" - -FILES_${PN}-static = " \ - ${nonarch_base_libdir}/firmware/regulatory.db \ - ${nonarch_base_libdir}/firmware/regulatory.db.p7s \ -" - -# Native users might want to use the source of regulatory DB. -# This is for example used by Linux kernel <= v4.14 and -# kernel_wireless_regdb.bbclass in meta-networking. -do_install_append_class-native() { - install -m 0644 -D db.txt ${D}${libdir}/crda/db.txt -} - -RSUGGESTS_${PN} = "crda" - -BBCLASSEXTEND = "native" diff --git a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.08.12.bb b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.08.12.bb new file mode 100644 index 0000000000..7165a9f9b3 --- /dev/null +++ b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.08.12.bb 
@@ -0,0 +1,43 @@ +SUMMARY = "Wireless Central Regulatory Domain Database" +HOMEPAGE = "https://wireless.wiki.kernel.org/en/developers/regulatory/crda" +SECTION = "net" +LICENSE = "ISC" +LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" + +SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" +SRC_URI[sha256sum] = "59c8f7d17966db71b27f90e735ee8f5b42ca3527694a8c5e6e9b56bd379c3b84" + +inherit bin_package allarch + +do_install() { + install -d -m0755 ${D}${nonarch_libdir}/crda + install -d -m0755 ${D}${sysconfdir}/wireless-regdb/pubkeys + install -m 0644 regulatory.bin ${D}${nonarch_libdir}/crda/regulatory.bin + install -m 0644 sforshee.key.pub.pem ${D}${sysconfdir}/wireless-regdb/pubkeys/sforshee.key.pub.pem + + install -m 0644 -D regulatory.db ${D}${nonarch_base_libdir}/firmware/regulatory.db + install -m 0644 regulatory.db.p7s ${D}${nonarch_base_libdir}/firmware/regulatory.db.p7s +} + +# Install static regulatory DB in /lib/firmware for kernel to load. +# This requires Linux kernel >= v4.15. +# For kernel <= v4.14, inherit the kernel_wireless_regdb.bbclass +# (in meta-networking) in kernel's recipe. +PACKAGES = "${PN}-static ${PN}" +RCONFLICTS_${PN} = "${PN}-static" + +FILES_${PN}-static = " \ + ${nonarch_base_libdir}/firmware/regulatory.db \ + ${nonarch_base_libdir}/firmware/regulatory.db.p7s \ +" + +# Native users might want to use the source of regulatory DB. +# This is for example used by Linux kernel <= v4.14 and +# kernel_wireless_regdb.bbclass in meta-networking. +do_install_append_class-native() { + install -m 0644 -D db.txt ${D}${libdir}/crda/db.txt +} + +RSUGGESTS_${PN} = "crda" + +BBCLASSEXTEND = "native" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch new file mode 100644 index 0000000000..ee33c5564d --- /dev/null 
+++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch 
@@ -0,0 +1,59 @@ +From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 18 May 2022 10:23:15 +0300 +Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap + corruption in WavPack header handling code + +blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then +results in allocating a very small buffer. Into that buffer blocksize +data is memcpy'd later which then causes out of bound writes and can +potentially lead to anything from crashes to remote code execution. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: CVE-2022-1920 + +https://gstreamer.freedesktop.org/security/sa-2022-0004.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 + +Part-of: + +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + .../gst/matroska/matroska-demux.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 64cc6be60be..01d754c3eb9 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + } else { + guint8 *outdata = NULL; + gsize buf_size, size; +- guint32 block_samples, flags, crc, blocksize; ++ guint32 block_samples, flags, crc; ++ gsize blocksize; + GstAdapter *adapter; + + adapter = gst_adapter_new (); +@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + return GST_FLOW_ERROR; + } + ++ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { ++ GST_ERROR_OBJECT (element, "Too big wavpack buffer"); ++ gst_buffer_unmap (*buf, &map); ++ g_object_unref (adapter); ++ return GST_FLOW_ERROR; ++ } ++ + g_assert (newbuf == NULL); + + newbuf = +-- +GitLab + 
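Review bot: The provenance recorded in CVE-2022-1920.patch is inconsistent: its mbox header reads `From cf887f1b8e228bff6e19829e6d03995d70ad739d`, while the upstream link in the trailer points at commit `0df0dd7fe388174e4835eda4526b47f470a56370`. The sibling CVE-2022-1921.patch has the two ids matching. This may only be a main-branch commit versus its stable-branch cherry-pick, but the header should state which one the content was taken from, so the backport can be compared against its origin. I would also fold the link into the status tag in the documented form, `Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370]`, rather than leaving a bare URL on the line above. The same tag format applies to CVE-2022-1921.patch and CVE-2022-1922-1923-1924-1925.patch, each with its own commit URL.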
diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch new file mode 100644 index 0000000000..99dbb2b1b0 --- /dev/null +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch 
@@ -0,0 +1,69 @@ +From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 18 May 2022 12:00:48 +0300 +Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption + in DIB buffer inversion code + +Check that width*bpp/8 doesn't overflow a guint and also that +height*stride fits into the provided buffer without overflowing. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: CVE-2022-1921 + +See https://gstreamer.freedesktop.org/security/sa-2022-0001.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224 + +Part-of: + +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + .../gst/avi/gstavidemux.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c +index eafe865494c..0d18a6495c7 100644 +--- a/gst/avi/gstavidemux.c ++++ b/gst/avi/gstavidemux.c +@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) + static GstBuffer * + gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) + { +- gint y, w, h; +- gint bpp, stride; ++ guint y, w, h; ++ guint bpp, stride; + guint8 *tmp = NULL; + GstMapInfo map; + guint32 fourcc; +@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) + h = stream->strf.vids->height; + w = stream->strf.vids->width; + bpp = stream->strf.vids->bit_cnt ? 
stream->strf.vids->bit_cnt : 8; ++ ++ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { ++ GST_WARNING ("Width x stride overflows"); ++ return buf; ++ } ++ ++ if (w == 0 || h == 0) { ++ GST_WARNING ("Zero width or height"); ++ return buf; ++ } ++ + stride = GST_ROUND_UP_4 (w * (bpp / 8)); + + buf = gst_buffer_make_writable (buf); + + gst_buffer_map (buf, &map, GST_MAP_READWRITE); +- if (map.size < (stride * h)) { ++ if (map.size < ((guint64) stride * (guint64) h)) { + GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); + gst_buffer_unmap (buf, &map); + return buf; +-- +GitLab + diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch new file mode 100644 index 0000000000..ebffbc473d --- /dev/null +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch 
@@ -0,0 +1,214 @@ +From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 18 May 2022 11:24:37 +0300 +Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc + decompression code + +Various variables were of smaller types than needed and there were no +checks for any overflows when doing additions on the sizes. This is all +checked now. + +In addition the size of the decompressed data is limited to 120MB now as +any larger sizes are likely pathological and we can avoid out of memory +situations in many cases like this. + +Also fix a bug where the available output size on the next iteration in +the zlib/bz2 decompression code was provided too large and could +potentially lead to out of bound writes. + +Thanks to Adam Doupe for analyzing and reporting the issue. + +CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + +https://gstreamer.freedesktop.org/security/sa-2022-0002.html + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 + +Part-of: + +CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 +https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + .../gst/matroska/matroska-read-common.c | 76 +++++++++++++++---- + 1 file changed, 61 insertions(+), 15 deletions(-) + +diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c +index eb317644cc5..6fadbba9567 100644 +--- a/gst/matroska/matroska-read-common.c ++++ b/gst/matroska/matroska-read-common.c +@@ -70,6 +70,10 @@ typedef struct + gboolean audio_only; + } TargetTypeContext; + ++/* 120MB as maximum decompressed data size. 
Anything bigger is likely ++ * pathological, and like this we avoid out of memory situations in many cases ++ */ ++#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024) + + static gboolean + gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, +@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + GstMatroskaTrackCompressionAlgorithm algo) + { + guint8 *new_data = NULL; +- guint new_size = 0; ++ gsize new_size = 0; + guint8 *data = *data_out; +- guint size = *size_out; ++ const gsize size = *size_out; + gboolean ret = TRUE; + ++ if (size > G_MAXUINT32) { ++ GST_WARNING ("too large compressed data buffer."); ++ ret = FALSE; ++ goto out; ++ } ++ + if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) { + #ifdef HAVE_ZLIB + /* zlib encoded data */ + z_stream zstream; +- guint orig_size; + int result; + +- orig_size = size; + zstream.zalloc = (alloc_func) 0; + zstream.zfree = (free_func) 0; + zstream.opaque = (voidpf) 0; +@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + goto out; + } + zstream.next_in = (Bytef *) data; +- zstream.avail_in = orig_size; +- new_size = orig_size; ++ zstream.avail_in = size; ++ new_size = size; + new_data = g_malloc (new_size); + zstream.avail_out = new_size; + zstream.next_out = (Bytef *) new_data; +@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + break; + } + ++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ result = Z_MEM_ERROR; ++ break; ++ } ++ + new_size += 4096; + new_data = g_realloc (new_data, new_size); + zstream.next_out = (Bytef *) (new_data + zstream.total_out); +- zstream.avail_out += 4096; ++ /* avail_out is an unsigned int */ ++ g_assert (new_size - zstream.total_out <= G_MAXUINT); ++ zstream.avail_out = new_size - zstream.total_out; + } while (zstream.avail_in > 0); + + if (result != Z_STREAM_END) { +@@ -137,13 +153,11 @@ 
gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + #ifdef HAVE_BZ2 + /* bzip2 encoded data */ + bz_stream bzstream; +- guint orig_size; + int result; + + bzstream.bzalloc = NULL; + bzstream.bzfree = NULL; + bzstream.opaque = NULL; +- orig_size = size; + + if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) { + GST_WARNING ("bzip2 initialization failed."); +@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + } + + bzstream.next_in = (char *) data; +- bzstream.avail_in = orig_size; +- new_size = orig_size; ++ bzstream.avail_in = size; ++ new_size = size; + new_data = g_malloc (new_size); + bzstream.avail_out = new_size; + bzstream.next_out = (char *) new_data; +@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + break; + } + ++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ result = BZ_MEM_ERROR; ++ break; ++ } ++ + new_size += 4096; + new_data = g_realloc (new_data, new_size); +- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32); +- bzstream.avail_out += 4096; ++ bzstream.next_out = ++ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) + ++ bzstream.total_out_lo32); ++ /* avail_out is an unsigned int */ ++ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) + ++ bzstream.total_out_lo32 <= G_MAXUINT); ++ bzstream.avail_out = ++ new_size - ((guint64) bzstream.total_out_hi32 << 32) + ++ bzstream.total_out_lo32; + } while (bzstream.avail_in > 0); + + if (result != BZ_STREAM_END) { + ret = FALSE; + g_free (new_data); + } else { +- new_size = bzstream.total_out_lo32; ++ new_size = ++ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32; + } + BZ2_bzDecompressEnd (&bzstream); + +@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) { + /* lzo encoded data */ + int 
result; +- int orig_size, out_size; ++ gint orig_size, out_size; ++ ++ if (size > G_MAXINT) { ++ GST_WARNING ("too large compressed data buffer."); ++ ret = FALSE; ++ goto out; ++ } + + orig_size = size; + out_size = size; +@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + result = lzo1x_decode (new_data, &out_size, data, &orig_size); + + if (orig_size > 0) { ++ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ result = LZO_ERROR; ++ break; ++ } + new_size += 4096; + new_data = g_realloc (new_data, new_size); + } +@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, + } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) { + /* header stripped encoded data */ + if (enc->comp_settings_length > 0) { ++ if (size > G_MAXSIZE - enc->comp_settings_length ++ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) { ++ GST_WARNING ("too big decompressed data"); ++ ret = FALSE; ++ goto out; ++ } ++ + new_data = g_malloc (size + enc->comp_settings_length); + new_size = size + enc->comp_settings_length; + +-- +GitLab + diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch new file mode 100644 index 0000000000..f4d38c270e --- /dev/null +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch 
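Review bot: In the bzip2 branch of gst_matroska_decompress_data the new remaining-space expression is missing a pair of parentheses: `new_size - ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32` subtracts the high word and then adds the low word, instead of subtracting the whole 64-bit total. As written, `bzstream.avail_out` over-reports the free space by twice `total_out_lo32`, which is the condition this patch sets out to remove, and the `g_assert` just above it tests the same mis-grouped value. Both should read `new_size - (((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32)`; the zlib branch, which uses `new_size - zstream.total_out`, is not affected. The `g_assert` range checks also disappear in builds with assertions disabled, so an explicit `if` that fails the decode would be more dependable. The function starts and ends outside these hunks.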
@@ -0,0 +1,60 @@
+From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Mon, 30 May 2022 10:15:37 +0300
+Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code
+
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+
+In addition the size of the decompressed data is limited to 200MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+
+Also fix a bug where the available output size on the next iteration in
+the zlib decompression code was provided too large and could
+potentially lead to out of bound writes.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: tbd
+
+https://gstreamer.freedesktop.org/security/sa-2022-0003.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+
+Part-of:
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
+CVE: CVE-2022-2122
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee
+---
+ gst/isomp4/qtdemux.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 7cc346b1e63..97ba0799a8d 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
+ break;
+ }
+
++ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ ret = Z_MEM_ERROR;
++ break;
++ }
++
+ *length += 4096;
+ buffer = (guint8 *) g_realloc (buffer, *length);
+ z.next_out = (Bytef *) (buffer + z.total_out);
+- z.avail_out += 4096;
++ z.avail_out += *length - z.total_out;
+ } while (z.avail_in > 0);
+
+ if (ret != Z_STREAM_END) {
+--
+GitLab
+
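Review bot: The replacement line `z.avail_out += *length - z.total_out;` in qtdemux_inflate still accumulates, so it is correct only while `z.avail_out` happens to be 0 when the buffer is grown. Assigning the remaining space outright, `z.avail_out = *length - z.total_out;`, removes that dependency. The size cap is also tested before the 4096-byte growth (`*length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE`), so the buffer can end up one step past the limit; `*length + 4096 > QTDEMUX_MAX_SAMPLE_INDEX_SIZE` would enforce it exactly. The loop begins outside the hunk.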
diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb index 1038cbf224..831a317a82 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb @@ -10,6 +10,10 @@ SRC_URI = " \ file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ file://CVE-2021-3497.patch \ file://CVE-2021-3498.patch \ + file://CVE-2022-1920.patch \ + file://CVE-2022-1921.patch \ + file://CVE-2022-1922-1923-1924-1925.patch \ + file://CVE-2022-2122.patch \ " SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb index 966a904eef..14793b7fdf 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb @@ -83,5 +83,12 @@ CVE_CHECK_WHITELIST += "CVE-2021-3522" # so we need to ignore the false hits CVE_CHECK_WHITELIST += "CVE-2021-3497" CVE_CHECK_WHITELIST += "CVE-2021-3498" +CVE_CHECK_WHITELIST += "CVE-2022-1920" +CVE_CHECK_WHITELIST += "CVE-2022-1921" +CVE_CHECK_WHITELIST += "CVE-2022-1922" +CVE_CHECK_WHITELIST += "CVE-2022-1923" +CVE_CHECK_WHITELIST += "CVE-2022-1924" +CVE_CHECK_WHITELIST += "CVE-2022-1925" +CVE_CHECK_WHITELIST += "CVE-2022-2122" require gstreamer1.0-ptest.inc diff --git a/poky/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/poky/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch new file mode 100644 index 0000000000..131ff94119 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch 
@@ -0,0 +1,159 @@ +From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Wed, 9 Feb 2022 21:31:29 +0000 +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting + uint32_t underflow. + +CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c] +Signed-off-by: Virendra Thakur +--- +Index: tiff-4.1.0/tools/tiffcrop.c +=================================================================== +--- tiff-4.1.0.orig/tools/tiffcrop.c ++++ tiff-4.1.0/tools/tiffcrop.c +@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } +- if (x1 < 1) +- crop->regionlist[i].x1 = 0; +- else +- crop->regionlist[i].x1 = (uint32) (x1 - 1); ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 ++ * b) Corners are expected to be submitted as top-left to bottom-right. ++ * Therefore, check that and reorder input. 
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) ++ */ ++ uint32_t aux; ++ if (x1 > x2) { ++ aux = x1; ++ x1 = x2; ++ x2 = aux; ++ } ++ if (y1 > y2) { ++ aux = y1; ++ y1 = y2; ++ y2 = aux; ++ } ++ if (x1 > image->width - 1) ++ crop->regionlist[i].x1 = image->width - 1; ++ else if (x1 > 0) ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1); + + if (x2 > image->width - 1) + crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = (uint32) (x2 - 1); +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; +- +- if (y1 < 1) +- crop->regionlist[i].y1 = 0; +- else +- crop->regionlist[i].y1 = (uint32) (y1 - 1); ++ else if (x2 > 0) ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); ++ ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ ++ if (y1 > image->length - 1) ++ crop->regionlist[i].y1 = image->length - 1; ++ else if (y1 > 0) ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); + + if (y2 > image->length - 1) + crop->regionlist[i].y2 = image->length - 1; +- else +- crop->regionlist[i].y2 = (uint32) (y2 - 1); +- +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; ++ else if (y2 > 0) ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); + ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + if (zwidth > max_width) + max_width = zwidth; + if (zlength > max_length) +@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas + } + } + return (0); +- } ++ } /* crop_mode == CROP_REGIONS */ + + /* Convert crop margins into offsets into image + * Margins are expressed as pixel rows and columns, not bytes +@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas + bmargin = (uint32) 0; + return (-1); + } +- } ++ } /* crop_mode == CROP_MARGINS */ + else + { /* no margins requested */ + tmargin = (uint32) 0; +@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas + off->endx = endx; + off->endy = endy; + +- crop_width = endx - startx + 1; +- crop_length = endy - starty + 1; +- +- 
if (crop_width <= 0) ++ if (endx + 1 <= startx) + { + TIFFError("computeInputPixelOffsets", + "Invalid left/right margins and /or image crop width requested"); + return (-1); + } ++ crop_width = endx - startx + 1; + if (crop_width > image->width) + crop_width = image->width; + +- if (crop_length <= 0) ++ if (endy + 1 <= starty) + { + TIFFError("computeInputPixelOffsets", + "Invalid top/bottom margins and /or image crop length requested"); + return (-1); + } ++ crop_length = endy - starty + 1; + if (crop_length > image->length) + crop_length = image->length; + +@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image, + else + crop->selections = crop->zones; + +- for (i = 0; i < crop->zones; i++) ++ /* Initialize regions iterator i */ ++ i = 0; ++ for (int j = 0; j < crop->zones; j++) + { +- seg = crop->zonelist[i].position; +- total = crop->zonelist[i].total; ++ seg = crop->zonelist[j].position; ++ total = crop->zonelist[j].total; ++ ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ ++ if (seg == 0 || total == 0 || seg > total) { ++ continue; ++ } + + switch (crop->edge_ref) + { +@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image, + i + 1, (uint32)zwidth, (uint32)zlength, + crop->regionlist[i].x1, crop->regionlist[i].x2, + crop->regionlist[i].y1, crop->regionlist[i].y2); ++ /* increment regions iterator */ ++ i++; + } +- ++ /* set number of generated regions out of given zones */ ++ crop->selections = i; + return (0); + } /* end getCropOffsets */ + +-- +GitLab diff --git a/poky/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch b/poky/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch new file mode 100644 index 0000000000..cf440ce55f --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch 
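Review bot: In the first hunk of computeInputPixelOffsets the rewritten clamps assign nothing when a corner value is 0: `if (x1 > image->width - 1) … else if (x1 > 0) …` has no final `else`, whereas the removed code stored 0 explicitly, and x2, y1 and y2 follow the same pattern. The `zwidth` and `zlength` arithmetic that follows then uses whatever the regionlist entry already held, which is presumably zero from initialisation elsewhere but is not visible here. Adding `else crop->regionlist[i].x1 = 0;` (and the equivalent for the other three fields) makes each clamp self-contained. `image->width - 1` and `image->length - 1` also wrap if either dimension is 0, so rejecting a zero-sized image before these comparisons is worth considering. The function starts and ends outside the hunks.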
@@ -0,0 +1,29 @@
+From 06386cc9dff5dc162006abe11fd4d1a6fad616cc Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati
+Date: Thu, 18 Aug 2022 09:40:50 +0530
+Subject: [PATCH] CVE-2022-34526
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990]
+CVE: CVE-2022-34526
+Signed-off-by: Hitendra Prajapati
+---
+ libtiff/tif_dirinfo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index 52d53d4..4a1ca00 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -983,6 +983,9 @@ _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+ default:
+ return 1;
+ }
++ if( !TIFFIsCODECConfigured(tif->tif_dir.td_compression) ) {
++ return 0;
++ }
+ /* Check if codec specific tags are allowed for the current
+ * compression scheme (codec) */
+ switch (tif->tif_dir.td_compression) {
+--
+2.25.1
+
diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
new file mode 100644
index 0000000000..71b85cac10
--- /dev/null
+++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
@@ -0,0 +1,212 @@ +From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 5 Dec 2021 14:37:46 +0100 +Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319) + +to avoid having the size of the strip arrays inconsistent with the +number of strips returned by TIFFNumberOfStrips(), which may cause +out-ouf-bounds array read afterwards. + +One of the OJPEG hack that alters SamplesPerPixel may influence the +number of strips. Hence compute tif_dir.td_nstrips only afterwards. + +CVE: CVE-2022-1354 + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798] + +Signed-off-by: Yi Zhao +--- + libtiff/tif_dirread.c | 162 ++++++++++++++++++++++-------------------- + 1 file changed, 83 insertions(+), 79 deletions(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 8f434ef5..14c031d1 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif) + MissingRequired(tif,"ImageLength"); + goto bad; + } +- /* +- * Setup appropriate structures (by strip or by tile) +- */ +- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { +- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); +- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; +- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; +- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; +- tif->tif_flags &= ~TIFF_ISTILED; +- } else { +- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); +- tif->tif_flags |= TIFF_ISTILED; +- } +- if (!tif->tif_dir.td_nstrips) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "Cannot handle zero number of %s", +- isTiled(tif) ? 
"tiles" : "strips"); +- goto bad; +- } +- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; +- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) +- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; +- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { +-#ifdef OJPEG_SUPPORT +- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && +- (isTiled(tif)==0) && +- (tif->tif_dir.td_nstrips==1)) { +- /* +- * XXX: OJPEG hack. +- * If a) compression is OJPEG, b) it's not a tiled TIFF, +- * and c) the number of strips is 1, +- * then we tolerate the absence of stripoffsets tag, +- * because, presumably, all required data is in the +- * JpegInterchangeFormat stream. +- */ +- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); +- } else +-#endif +- { +- MissingRequired(tif, +- isTiled(tif) ? "TileOffsets" : "StripOffsets"); +- goto bad; +- } +- } ++ + /* + * Second pass: extract other information. + */ +@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif) + } /* -- if (!dp->tdir_ignore) */ + } /* -- for-loop -- */ + +- if( tif->tif_mode == O_RDWR && +- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && +- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && +- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && +- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) +- { +- /* Directory typically created with TIFFDeferStrileArrayWriting() */ +- TIFFSetupStrips(tif); +- } +- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) +- { +- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) +- { +- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), +- tif->tif_dir.td_nstrips, +- &tif->tif_dir.td_stripoffset_p)) +- { +- goto bad; +- } +- } +- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) +- 
{ +- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), +- tif->tif_dir.td_nstrips, +- &tif->tif_dir.td_stripbytecount_p)) +- { +- goto bad; +- } +- } +- } +- + /* + * OJPEG hack: + * - If a) compression is OJPEG, and b) photometric tag is missing, +@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif) + } + } + ++ /* ++ * Setup appropriate structures (by strip or by tile) ++ * We do that only after the above OJPEG hack which alters SamplesPerPixel ++ * and thus influences the number of strips in the separate planarconfig. ++ */ ++ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { ++ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); ++ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; ++ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; ++ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; ++ tif->tif_flags &= ~TIFF_ISTILED; ++ } else { ++ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); ++ tif->tif_flags |= TIFF_ISTILED; ++ } ++ if (!tif->tif_dir.td_nstrips) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot handle zero number of %s", ++ isTiled(tif) ? "tiles" : "strips"); ++ goto bad; ++ } ++ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; ++ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) ++ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; ++ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { ++#ifdef OJPEG_SUPPORT ++ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && ++ (isTiled(tif)==0) && ++ (tif->tif_dir.td_nstrips==1)) { ++ /* ++ * XXX: OJPEG hack. ++ * If a) compression is OJPEG, b) it's not a tiled TIFF, ++ * and c) the number of strips is 1, ++ * then we tolerate the absence of stripoffsets tag, ++ * because, presumably, all required data is in the ++ * JpegInterchangeFormat stream. ++ */ ++ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); ++ } else ++#endif ++ { ++ MissingRequired(tif, ++ isTiled(tif) ? 
"TileOffsets" : "StripOffsets"); ++ goto bad; ++ } ++ } ++ ++ if( tif->tif_mode == O_RDWR && ++ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && ++ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && ++ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && ++ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) ++ { ++ /* Directory typically created with TIFFDeferStrileArrayWriting() */ ++ TIFFSetupStrips(tif); ++ } ++ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) ++ { ++ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) ++ { ++ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), ++ tif->tif_dir.td_nstrips, ++ &tif->tif_dir.td_stripoffset_p)) ++ { ++ goto bad; ++ } ++ } ++ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) ++ { ++ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), ++ tif->tif_dir.td_nstrips, ++ &tif->tif_dir.td_stripbytecount_p)) ++ { ++ goto bad; ++ } ++ } ++ } ++ + /* + * Make sure all non-color channels are extrasamples. + * If it's not the case, define them as such. +-- +2.25.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch new file mode 100644 index 0000000000..e59f5aad55 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch 
@@ -0,0 +1,62 @@
+From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
+From: Su_Laus
+Date: Sat, 2 Apr 2022 22:33:31 +0200
+Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
+
+CVE: CVE-2022-1355
+
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
+
+Signed-off-by: Yi Zhao
+---
+ tools/tiffcp.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index fd129bb7..8d944ff6 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -274,19 +274,34 @@ main(int argc, char* argv[])
+ deftilewidth = atoi(optarg);
+ break;
+ case 'B':
+- *mp++ = 'b'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'b'; *mp = '\0';
++ }
+ break;
+ case 'L':
+- *mp++ = 'l'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'l'; *mp = '\0';
++ }
+ break;
+ case 'M':
+- *mp++ = 'm'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'm'; *mp = '\0';
++ }
+ break;
+ case 'C':
+- *mp++ = 'c'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'c'; *mp = '\0';
++ }
+ break;
+ case '8':
+- *mp++ = '8'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode)-1))
++ {
++ *mp++ = '8'; *mp = '\0';
++ }
+ break;
+ case 'x':
+ pageInSeq = 1;
+--
+2.25.1
+
diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 4383f7af8e..74ececb113 100644
--- a/poky/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
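Review bot: The five added guards test `strlen(mode) < (sizeof(mode) - 1)` while the write goes through `mp`, so the bound holds only if `mp` always equals `mode + strlen(mode)`; both are declared outside the hunk, so that cannot be confirmed here. Bounding the pointer that is actually written, `if (mp < mode + sizeof(mode) - 1) { *mp++ = 'b'; *mp = '\0'; }`, states the invariant directly and avoids rescanning the string on every option. Because the same three lines are repeated for 'B', 'L', 'M', 'C' and '8', a small local macro or helper taking the character would keep the cases from drifting apart.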
@@ -25,6 +25,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2022-0891.patch \ file://CVE-2022-0924.patch \ file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \ + file://CVE-2022-34526.patch \ + file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \ + file://CVE-2022-1354.patch \ + file://CVE-2022-1355.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" diff --git a/poky/meta/recipes-support/curl/curl/CVE-2022-35252.patch b/poky/meta/recipes-support/curl/curl/CVE-2022-35252.patch new file mode 100644 index 0000000000..a5160c01f4 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2022-35252.patch 
@@ -0,0 +1,72 @@ +From c9212bdb21f0cc90a1a60dfdbb716deefe78fd40 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH] cookie: reject cookies with "control bytes" + +Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + +Reported-by: Axel Chong + +Bug: https://curl.se/docs/CVE-2022-35252.html + +CVE-2022-35252 + +Closes #9381 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb] + +Signed-off-by: Robert Joslyn +--- + lib/cookie.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/lib/cookie.c b/lib/cookie.c +index a9ad20a..66c7715 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -412,6 +412,30 @@ static bool bad_domain(const char *domain) + return !strchr(domain, '.') && !strcasecompare(domain, "localhost"); + } + ++/* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. 
++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ + /**************************************************************************** + * + * Curl_cookie_add() +@@ -558,6 +582,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* this was a "=" with no content, and we must allow +-- +2.35.1 + diff --git a/poky/meta/recipes-support/curl/curl_7.69.1.bb b/poky/meta/recipes-support/curl/curl_7.69.1.bb index 7b67b68f1d..ed37094049 100644 --- a/poky/meta/recipes-support/curl/curl_7.69.1.bb +++ b/poky/meta/recipes-support/curl/curl_7.69.1.bb @@ -38,6 +38,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2022-32206.patch \ file://CVE-2022-32207.patch \ file://CVE-2022-32208.patch \ + file://CVE-2022-35252.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" diff --git a/poky/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch b/poky/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch new file mode 100644 index 0000000000..0bcb55e573 --- /dev/null +++ b/poky/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch 
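Review bot: The added `infof(data, "invalid octets in name/value, cookie dropped");` in Curl_cookie_add has no trailing `\n`. This recipe builds curl 7.69.1, and as far as I recall curl releases of that age expected each caller to terminate its own infof() string, so the backported message would run into the next verbose line; the neighbouring infof() calls in lib/cookie.c of this tree will confirm. If they carry the newline, the backport should use `infof(data, "invalid octets in name/value, cookie dropped\n");`. The rejection logic itself is unaffected, and `invalid_octets` could return `bool` to match `bad_domain` above it.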
@@ -0,0 +1,37 @@
+From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Wed, 22 Dec 2021 09:12:25 +0100
+Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length
+ input
+
+As Nettle's hash update functions internally call memcpy, providing
+zero-length input may cause undefined behavior.
+
+Signed-off-by: Daiki Ueno
+
+https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568
+Upstream-Status: Backport
+CVE: CVE-2021-4209
+Signed-off-by: Chee Yang Lee
+---
+ lib/nettle/mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c
+index f9d4d7a8df..35e070fab0 100644
+--- a/lib/nettle/mac.c
++++ b/lib/nettle/mac.c
+@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+- ctx.update(&ctx, text_size, text);
++ if (text_size > 0) {
++ ctx.update(&ctx, text_size, text);
++ }
+ ctx.digest(&ctx, ctx.length, digest);
+
+ return 0;
+--
+GitLab
+
diff --git a/poky/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/poky/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index e9af71c7bd..f1757871ce 100644
--- a/poky/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/poky/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -26,6 +26,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2021-20231.patch \ file://CVE-2021-20232.patch \ file://CVE-2022-2509.patch \ + file://CVE-2021-4209.patch \ " SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2020-35525.patch b/poky/meta/recipes-support/sqlite/files/CVE-2020-35525.patch
new file mode 100644
index 0000000000..27d81d42d9
--- /dev/null
+++ b/poky/meta/recipes-support/sqlite/files/CVE-2020-35525.patch
@@ -0,0 +1,21 @@
+From: drh
+Date: Thu, 20 Feb 2020 14:08:51 +0000
+Subject: [PATCH] Early-out on the INTERSECT query processing following an
+ error.
+
+Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz]
+CVE: CVE-2020-35525
+Signed-off-by: Virendra Thakur
+---
+Index: sqlite-autoconf-3310100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3310100.orig/sqlite3.c
++++ sqlite-autoconf-3310100/sqlite3.c
+@@ -130767,6 +130767,7 @@ static int multiSelect(
+ /* Generate code to take the intersection of the two temporary
+ ** tables.
+ */
++ if( rc ) break;
+ assert( p->pEList );
+ iBreak = sqlite3VdbeMakeLabel(pParse);
+ iCont = sqlite3VdbeMakeLabel(pParse);
diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2020-35527.patch b/poky/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
new file mode 100644
index 0000000000..d1dae389b0
--- /dev/null
+++ b/poky/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
@@ -0,0 +1,22 @@
+From: dan
+Date: Mon, 26 Oct 2020 13:24:36 +0000
+Subject: [PATCH] Fix a problem with ALTER TABLE for views that have a nested
+ FROM clause. Ticket [f50af3e8a565776b].
+
+Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz]
+CVE: CVE-2020-35527
+Signed-off-by: Virendra Thakur
+---
+Index: sqlite-autoconf-3310100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3310100.orig/sqlite3.c
++++ sqlite-autoconf-3310100/sqlite3.c
+@@ -133110,7 +133110,7 @@ static int selectExpander(Walker *pWalke
+ pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);
+ sqlite3TokenInit(&sColname, zColname);
+ sqlite3ExprListSetName(pParse, pNew, &sColname, 0);
+- if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){
++ if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){
+ struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];
+ sqlite3DbFree(db, pX->zEName);
+ if( pSub ){
diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2021-20223.patch b/poky/meta/recipes-support/sqlite/files/CVE-2021-20223.patch
new file mode 100644
index 0000000000..e9d2e04d30
--- /dev/null
+++ b/poky/meta/recipes-support/sqlite/files/CVE-2021-20223.patch
@@ -0,0 +1,23 @@
+From d1d43efa4fb0f2098c0e2c5bf2e807c58d5ec05b Mon Sep 17 00:00:00 2001
+From: dan
+Date: Mon, 26 Oct 2020 13:24:36 +0000
+Subject: [PATCH] Prevent fts5 tokenizer unicode61 from considering '\0' to be
+ a token characters, even if other characters of class "Cc" are.
+
+FossilOrigin-Name: b7b7bde9b7a03665e3691c6d51118965f216d2dfb1617f138b9f9e60e418ed2f
+
+CVE: CVE-2021-20223
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/d1d43efa4fb0f2098c0e2c5bf2e807c58d5ec05b.patch]
+Comment: Removed manifest, manifest.uuid and fts5tok1.test as these files are not present in the amalgamated source code
+Signed-Off-by: Sana.Kazi@kpit.com
+---
+--- a/sqlite3.c 2022-09-09 13:54:30.010768197 +0530
++++ b/sqlite3.c 2022-09-09 13:56:25.458769142 +0530
+@@ -227114,6 +227114,7 @@
+ }
+ iTbl++;
+ }
++ aAscii[0] = 0; /* 0x00 is never a token character */
+ }
+
+ /*
diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2022-35737.patch b/poky/meta/recipes-support/sqlite/files/CVE-2022-35737.patch
new file mode 100644
index 0000000000..341e002913
--- /dev/null
+++ b/poky/meta/recipes-support/sqlite/files/CVE-2022-35737.patch
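Review bot: The trailer in this patch header is spelled `Signed-Off-by:` and carries only an address, while the other patches added in this commit use `Signed-off-by:`; tooling that matches the trailer case-sensitively may not count it, so I would write it as `Signed-off-by: <name> <address>`. The `From:` and `Date:` lines are also identical to those in CVE-2020-35527.patch, so one of the two headers was possibly copied and is worth checking against the upstream commit each patch claims to backport. The embedded hunk has no function context, and the enclosing function starts outside it.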
@@ -0,0 +1,29 @@
+From 2bbf4c999dbb4b520561a57e0bafc19a15562093 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati
+Date: Fri, 2 Sep 2022 11:22:29 +0530
+Subject: [PATCH] CVE-2022-35737
+
+Upstream-Status: Backport [https://www.sqlite.org/src/info/aab790a16e1bdff7]
+CVE: CVE-2022-35737
+Signed-off-by: Hitendra Prajapati
+---
+ sqlite3.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index f664217..33dfb78 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -28758,7 +28758,8 @@ SQLITE_API void sqlite3_str_vappendf(
+ case etSQLESCAPE: /* %q: Escape ' characters */
+ case etSQLESCAPE2: /* %Q: Escape ' and enclose in '...' */
+ case etSQLESCAPE3: { /* %w: Escape " characters */
+- int i, j, k, n, isnull;
++ i64 i, j, k, n;
++ int isnull;
+ int needQuote;
+ char ch;
+ char q = ((xtype==etSQLESCAPE3)?'"':'\''); /* Quote character */
+--
+2.25.1
+
diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index 877e80f5a3..ef12ef0db2 100644
--- a/poky/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/poky/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -13,6 +13,10 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
 file://CVE-2020-13630.patch \
 file://CVE-2020-13631.patch \
 file://CVE-2020-13632.patch \
+ file://CVE-2022-35737.patch \
+ file://CVE-2020-35525.patch \
+ file://CVE-2020-35527.patch \
+ file://CVE-2021-20223.patch \
 "
 SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
 SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
diff --git a/poky/meta/recipes-support/vim/vim.inc b/poky/meta/recipes-support/vim/vim.inc
index 30883384f6..f2cd235329 100644
--- a/poky/meta/recipes-support/vim/vim.inc
+++ b/poky/meta/recipes-support/vim/vim.inc
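Review bot: The header of CVE-2022-35737.patch gives no description of the fix: `Subject:` is only the CVE id and `From:` names the backporter, so a reader has to follow the `Upstream-Status` link to learn why the counters change type. I would add a short body stating the intent, presumably that the `%q`/`%Q`/`%w` length counters are widened to `i64` so they cannot wrap on very large strings. Widening `i, j, k, n` only helps if the later uses in this `case` do not narrow them back to `int`; those lines are outside the hunk, so that should be confirmed against the 3.31.1 source rather than assumed from the upstream change.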
@@ -20,8 +20,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".0115" -SRCREV = "6747cf1671bd41cddee77c65b3f9a70509f968db" +PV .= ".0598" +SRCREV = "8279af514ca7e5fd3c31cf13b0864163d1a0bfeb" # Remove when 8.3 is out UPSTREAM_VERSION_UNKNOWN = "1" diff --git a/poky/scripts/create-pull-request b/poky/scripts/create-pull-request index 8eefcf63a5..2f91a355b0 100755 --- a/poky/scripts/create-pull-request +++ b/poky/scripts/create-pull-request @@ -128,7 +128,7 @@ PROTO_RE="[a-z][a-z+]*://" GIT_RE="\(^\($PROTO_RE\)\?\)\($USER_RE@\)\?\([^:/]*\)[:/]\(.*\)" REMOTE_URL=${REMOTE_URL%.git} REMOTE_REPO=$(echo $REMOTE_URL | sed "s#$GIT_RE#\5#") -REMOTE_URL=$(echo $REMOTE_URL | sed "s#$GIT_RE#git://\4/\5#") +REMOTE_URL=$(echo $REMOTE_URL | sed "s#$GIT_RE#https://\4/\5#") if [ -z "$BRANCH" ]; then BRANCH=$(git branch | grep -e "^\* " | cut -d' ' -f2) diff --git a/poky/scripts/relocate_sdk.py b/poky/scripts/relocate_sdk.py index 8c0fdb986a..8079d13750 100755 --- a/poky/scripts/relocate_sdk.py +++ b/poky/scripts/relocate_sdk.py @@ -97,11 +97,12 @@ def change_interpreter(elf_file_name): if (len(new_dl_path) >= p_filesz): print("ERROR: could not relocate %s, interp size = %i and %i is needed." \ % (elf_file_name, p_memsz, len(new_dl_path) + 1)) - break + return False dl_path = new_dl_path + b("\0") * (p_filesz - len(new_dl_path)) f.seek(p_offset) f.write(dl_path) break + return True def change_dl_sysdirs(elf_file_name): if arch == 32: @@ -215,6 +216,7 @@ else: executables_list = sys.argv[3:] +errors = False for e in executables_list: perms = os.stat(e)[stat.ST_MODE] if os.access(e, os.W_OK|os.R_OK): @@ -240,7 +242,8 @@ for e in executables_list: arch = get_arch() if arch: parse_elf_header() - change_interpreter(e) + if not change_interpreter(e): + errors = True change_dl_sysdirs(e) """ change permissions back """ 
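Review bot: The rewritten `REMOTE_URL=` line in create-pull-request still expands `$REMOTE_URL` unquoted inside the command substitution, so a remote URL containing whitespace or glob characters is split or expanded before sed sees it; quoting costs nothing: `REMOTE_URL=$(echo "$REMOTE_URL" | sed "s#$GIT_RE#https://\4/\5#")`. The move from `git://` to `https://` applies to every remote form `GIT_RE` matches, so a comment such as `# assumes the host serves the same path over HTTPS` would record that assumption. The `REMOTE_REPO=` line above has the same unquoted expansion but is unchanged context.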
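Review bot: In the `@@ -240,7 +242,8 @@` hunk of relocate_sdk.py, `change_dl_sysdirs(e)` still runs after `change_interpreter(e)` has returned False, so a file whose interpreter path could not be rewritten is still modified further before the run is reported as failed. If continuing is intended, say so in a comment such as `# keep relocating the remaining sections; the failure is reported after the loop`; if not, put `change_dl_sysdirs(e)` in an `else:` branch. Whether change_dl_sysdirs can itself fail is not visible here, but its outcome is not folded into `errors`. In the first relocate_sdk.py hunk the new True/False return contract of change_interpreter is undocumented, and a one-line docstring like `"""Return False when the new interpreter path does not fit, True otherwise."""` would cover it; both functions start outside these hunks.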
@@ -253,3 +256,6 @@ for e in executables_list: print("New file size for %s is different. Looks like a relocation error!", e) sys.exit(-1) +if errors: + print("Relocation of one or more executables failed.") + sys.exit(-1) -- cgit v1.2.3
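Review bot: The new summary message is written with `print`, so it goes to stdout, and a caller that discards or parses stdout is left with a bare non-zero exit status and no reason. The script appears to support Python 2 as well (it uses a `b()` helper for byte strings), so `sys.stderr.write("Relocation of one or more executables failed.\n")` is the portable way to move it to stderr. The context line just above passes `e` as a second argument to `print` instead of formatting it into the string, so that message prints a literal `%s`; the commit leaves it unchanged, but it sits on the same error path. The `for e in executables_list:` loop starts outside the hunk.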