From 841583d6ba5918b60868b708ff0b89cf0409efa7 Mon Sep 17 00:00:00 2001 From: Patrick Williams Date: Wed, 3 May 2023 21:37:45 -0500 Subject: subtree updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit poky: 90a6f6a110..a631bfc3a3: Alban Bedel (1): systemd: Fix systemd when used with busybox less Alex Kiernan (1): openssl: upgrade 1.1.1q to 1.1.1s Alexander Kanavin (12): tzdata: update to 2022d linux-firmware: upgrade 20220913 -> 20221012 tzdata: update 2022d -> 2022g linux-firmware: upgrade 20221109 -> 20221214 selftest/virgl: use pkg-config from the host oeqa/qemurunner: do not use Popen.poll() when terminating runqemu with a signal vim: update 9.0.1211 -> 9.0.1293 to resolve open CVEs linux-firmware: upgrade 20221214 -> 20230117 linux-firmware: upgrade 20230117 -> 20230210 wireless-regdb: upgrade 2022.08.12 -> 2023.02.13 apr: update 1.7.0 -> 1.7.2 apr-util: update 1.6.1 -> 1.6.3 Alexey Smirnov (1): classes: make TOOLCHAIN more permissive for kernel Andrej Valek (1): libarchive: fix CVE-2022-26280 Antonin Godard (2): busybox: always start do_compile with orig config files busybox: rm temporary files if do_compile was interrupted Bartosz Golaszewski (1): bluez5: add dbus to RDEPENDS Benoît Mauduit (1): lib/oe/reproducible: Use git log without gpg signature Bhabu Bindu (4): libxml2: Fix CVE-2022-40303 libxml2: Fix CVE-2022-40304 ffmpeg: Fix CVE-2022-3109 ffmpeg: fix for CVE-2022-3341 Bruce Ashfield (12): linux-yocto/5.4: update to v5.4.216 linux-yocto/5.4: update to v5.4.219 linux-yocto/5.4: update to v5.4.221 linux-yocto/5.4: update to v5.4.224 linux-yocto/5.4: update to v5.4.225 linux-yocto/5.4: update to v5.4.228 linux-yocto/5.4: update to v5.4.229 linux-yocto/5.4: update to v5.4.230 linux-yocto/5.4: update to v5.4.231 linux-yocto/5.4: update to v5.4.233 linux-yocto/5.4: update to v5.4.234 linux-yocto/5.4: update to v5.4.237 Changqing Li (1): base.bbclass: Fix way to check ccache path Charlie Davies (1): bitbake: bitbake: fetch/git: use shlex.quote() to support spaces in SRC_URI url Chee Yang Lee (6): libksba: fix CVE-2022-47629 tiff: fix multiple CVEs ghostscript: add CVE tag for check-stack-limits-after-function-evalution.patch libksba: fix CVE-2022-3515 qemu: fix multple CVEs git: ignore CVE-2023-22743 Chen Qi (3): kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild psplash: consider the situation of psplash not exist for systemd bc: extend to nativesdk Christoph Lauer (1): populate_sdk_base: add zip options Daniel McGregor (1): coreutils: add openssl PACKAGECONFIG Dmitry Baryshkov (3): linux-firmware: upgrade 20221012 -> 20221109 linux-firmware: properly set license for all Qualcomm firmware linux-firmware: add yamato fw files to qcom-adreno-a2xx package Frank de Brabander (1): cve-update-db-native: add timeout to urlopen() calls Gaurav Gupta (1): qemu: fix build error introduced by CVE-2021-3929 fix Geoffrey GIRY (1): cve-check: Fix false negative version issue Harald Seiler (1): opkg: Set correct info_dir and status_file in opkg.conf Hitendra Prajapati (21): dhcp: Fix CVE-2022-2928 & CVE-2022-2929 qemu: CVE-2021-3750 hcd-ehci: DMA reentrancy issue leads to use-after-free golang: CVE-2022-2880 ReverseProxy should not forward unparseable query parameters libX11: CVE-2022-3554 Fix memory leak bluez: CVE-2022-3637 A DoS exists in monitor/jlink.c sudo: CVE-2022-43995 heap-based overflow with very small passwords libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c sysstat: fix CVE-2022-39377 golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps grub2: CVE-2022-28735 shim_lock verifier allows non-kernel files to be loaded grub2: Fix CVE-2022-2601 & CVE-2022-3775 xserver-xorg: Fix Multiple CVEs git: CVE-2022-23521 gitattributes parsing integer overflow curl: fix CVE-2022-43552 Use-after-free triggered by an HTTP proxy deny response QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read curl: CVE-2023-23916 HTTP multi-header compression denial of service qemu: fix compile error which imported by CVE-2022-4144 ruby: CVE-2023-28756 ReDoS vulnerability in Time curl: CVE-2023-27534 SFTP path ~ resolving discrepancy curl: CVE-2023-27538 fix SSH connection too eager reuse screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs Hugo SIMELIERE (2): bluez5: Exclude CVE-2022-39177 from cve-check openssl: upgrade 1.1.1s to 1.1.1t Jagadeesh Krishnanjanappa (1): qemuboot.bbclass: make sure runqemu boots bundled initramfs kernel image Jan Kircher (1): toolchain-scripts: compatibility with unbound variable protection Jermain Horsman (1): cve-check: write the cve manifest to IMGDEPLOYDIR John Edward Broadbent (1): externalsrc: git submodule--helper list unsupported Joshua Watt (6): sudo: Use specific BSD license variant classes/create-spdx: Backport classes/package: Add extended packaged data licenses: Add GPL+ licenses to map create-spdx: Use gzip for compression classes/package: Use gzip for extended package data Kenfe-Mickael Laventure (3): buildtools-tarball: Handle spaces within user $PATH toolchain-scripts: Handle spaces within user $PATH populate_sdk_ext: Handle spaces within user $PATH Khem Raj (3): libtirpc: Check if file exists before operating on it apr: Use correct strerror_r implementation based on libc type apr: Cache configure tests which use AC_TRY_RUN Lee Chee Yang (1): dropbear: fix CVE-2021-36369 Luis (1): rm_work.bbclass: use HOSTTOOLS 'rm' binary exclusively Manuel Leonhardt (1): sstate: Account for reserved characters when shortening sstate filenames Marek Vasut (2): bitbake: fetch2/git: Prevent git fetcher from fetching gitlab repository metadata bitbake: fetch2/git: Clarify the meaning of namespace Marta Rybczynska (1): cve-update-db-native: avoid incomplete updates Martin Jansa (3): externalsrc.bbclass: fix git repo detection meta: remove True option to getVar and getVarFlag calls (again) bmap-tools: switch to main branch Mathieu Dubois-Briand (1): curl: Fix CVE CVE-2022-35260 Mauro Queiros (1): image.bbclass: print all QA functions exceptions Michael Halstead (1): uninative: Upgrade to 3.7 to work with glibc 2.36 Michael Opdenacker (4): dev-manual: update session about multiconfig ref-manual: document SSTATE_EXCLUDEDEPS_SYSROOT profile-manual: update WireShark hyperlinks overview-manual: update patchwork instance URL Mike Crowe (1): kernel: improve transformation from KERNEL_IMAGETYPE_FOR_MAKE Mikko Rapeli (2): oeqa context.py: fix --target-ip comment to include ssh port number oeqa rtc.py: skip if read-only-rootfs Ming Liu (1): linux: inherit pkgconfig in kernel.bbclass Minjae Kim (2): xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553 ppp: fix CVE-2022-4603 Nikhil R (1): openssl: Fix CVE-2023-0464 Niko Mauno (2): systemd: Consider PACKAGECONFIG in RRECOMMENDS Fix missing leading whitespace with ':append' Omkar (2): dbus: upgrade 1.12.22 -> 1.12.24 python3: Fix CVE-2022-45061 Omkar Patil (3): sudo: Fix CVE-2023-22809 openssl: Fix CVE-2023-0465 openssl: Fix CVE-2023-0466 Paul Eggleton (1): classes/kernel-fitimage: add ability to add additional signing options Pavel Zhukov (1): oeqa/rpm.py: Increase timeout and add debug output Pawan Badganchi (1): python3: Fix CVE-2022-37454 Pawel Zalewski (1): classes/fs-uuid: Fix command output decoding issue Peter Kjellerstedt (2): externalsrc.bbclass: Remove a trailing slash from ${B} devshell: Do not add scripts/git-intercept to PATH Peter Marko (2): externalsrc: fix lookup for .gitmodules go: ignore CVE-2022-41716 Piotr Łobacz (1): systemd: fix wrong nobody-group assignment Qiu, Zheng (1): vim: upgrade 9.0.0820 -> 9.0.0947 Quentin Schulz (2): cairo: update patch for CVE-2019-6461 with upstream solution cairo: fix CVE patches assigned wrong CVE number Ralph Siemsen (11): golang: fix CVE-2021-33195 golang: fix CVE-2021-33198 golang: fix CVE-2021-44716 golang: fix CVE-2022-24291 golang: fix CVE-2022-28131 golang: fix CVE-2022-28327 golang: ignore CVE-2022-29804 golang: ignore CVE-2021-33194 golang: ignore CVE-2021-41772 golang: ignore CVE-2022-30580 golang: ignore CVE-2022-30630 Randy MacLeod (2): vim: upgrade 9.0.0947 -> 9.0.1211 vim: upgrade 9.0.1403 -> 9.0.1429 Ranjitsinh Rathod (3): expat: Fix CVE-2022-43680 for expat systemd: Fix CVE-2022-3821 issue libsdl2: Add fix for CVE-2022-4743 Ravula Adhitya Siddartha (1): linux-yocto/5.4: update genericx86* machines to v5.4.219 Richard Purdie (28): bitbake: tests/fetch: Allow handling of a file:// url within a submodule qemu: Avoid accidental librdmacm linkage build-appliance-image: Update to dunfell head revision bitbake: utils: Handle lockfile filenames that are too long for filesystems bitbake: utils: Fix lockfile path length issues build-appliance-image: Update to dunfell head revision oeqa/selftest/tinfoil: Add test for separate config_data with recipe_parse_file() build-appliance-image: Update to dunfell head revision build-appliance-image: Update to dunfell head revision bitbake: runqueue: Fix multiconfig deferred task sstate validity caching issue bitbake: runqueue: Handle deferred task rehashing in multiconfig builds bitbake: runqueue: Improve multiconfig deferred task issues bitbake: runqueue: Avoid deadlock avoidance task graph corruption bitbake: runqueue: Fix issues with multiconfig deferred task deadlock messages bitbake: runqueue: Ensure deferred tasks are sorted by multiconfig bitbake: cooker: Drop sre_constants usage nativesdk: Handle chown/chgrp calls in nativesdk do_install tasks make-mod-scripts: Ensure kernel build output is deterministic libc-locale: Fix on target locale generation apr: Fix to work with autoconf 2.70 apr-util: Fix CFLAGS used in build oeqa/selftest/prservice: Improve debug output for failure build-appliance-image: Update to dunfell head revision staging: Separate out different multiconfig manifests staging/multilib: Fix manifest corruption glibc: Add missing binutils dependency base-files: Drop localhost.localdomain from hosts file pybootchartui: Fix python syntax issue Riyaz Khan (1): rpm: Fix rpm CVE CVE-2021-3521 Robert Andersson (1): go-crosssdk: avoid host contamination by GOCACHE Rodolfo Quesada Zumbado (1): tar: CVE-2022-48303 Ross Burton (14): sanity: check for GNU tar specifically pixman: backport fix for CVE-2022-44638 lib/buildstats: fix parsing of trees with reduced_proc_pressure directories bitbake: bb/utils: include SSL certificate paths in export_proxies cve-update-db-native: add more logging when fetching cve-update-db-native: show IP on failure quilt: fix intermittent failure in faildiff.test quilt: use upstreamed faildiff.test fix git: ignore CVE-2022-41953 shadow: ignore CVE-2016-15024 vim: add missing pkgconfig inherit vim: upgrade to 9.0.1403 vim: set modified-by to the recipe MAINTAINER lib/resulttool: fix typo breaking resulttool log --ptest Shubham Kulkarni (5): glibc: Security fix for CVE-2023-0687 go-runtime: Security fix for CVE-2022-41723 go-runtime: Security fix for CVE-2022-41722 go: Security fix for CVE-2020-29510 go: Ignore CVE-2022-1705 Siddharth Doshi (1): harfbuzz: Security fix for CVE-2023-25193 Steve Sakoman (30): selftest: skip virgl test on ubuntu 22.04 qemu: Avoid accidental libvdeplug linkage qemu: Add PACKAGECONFIG for rbd devtool: add HostKeyAlgorithms option to ssh and scp commands selftest: skip virgl test on all Alma Linux documentation: update for 3.1.21 poky.conf: bump version for 3.1.21 maintainers: update gcc version to 9.5 documentation: update for 3.1.22 poky.conf: bump version for 3.1.22 ovmf: fix gcc12 warning in GenFfs ovmf: fix gcc12 warning in LzmaEnc ovmf: fix gcc12 warning for device path handling documentation: update for 3.1.23 python3: fix packaging of Windows distutils installer stubs lttng-modules: update 2.11.6 -> 2.11.7 lttng-modules: update 2.11.7 -> 2.11.8 lttng-modules: update 2.11.8 -> 2.11.9 lttng-modules: fix build with 5.4.229 kernel poky.conf: bump version for 3.1.23 poky.conf: Update SANITY_TESTED_DISTROS to match autobuilder ref-system-requirements.rst: add Fedora 35, Fedora 36, and Ubuntu 22.04 to list of supported distros ref-system-requirements.rst: add AlmaLinux 8.7 to list of supported distros qemu: Fix slirp determinism issue documentation: update for 3.1.24 poky.conf: bump version for 3.1.24 bitbake: tests/fetch.py: fix link to project documentation documentation: update for 3.1.25 poky.conf: bump version for 3.1.25 build-appliance-image: Update to dunfell head revision Sundeep KOKKONDA (3): binutils: stable 2.34 branch updates glibc : stable 2.31 branch updates. gcc: upgrade to v9.5 Sunil Kumar (1): go: Security Fix for CVE-2022-2879 Teoh Jay Shen (1): vim: Upgrade 9.0.0598 -> 9.0.0614 Thomas Roos (1): devtool: fix devtool finish when gitmodules file is empty Tim Orling (2): python3: upgrade 3.8.13 -> 3.8.14 vim: upgrade 9.0.0614 -> 9.0.0820 Ulrich Ölmann (1): kernel-yocto: fix kernel-meta data detection Vijay Anusuri (4): git: Security fix for CVE-2022-41903 git: Security fix for CVE-2023-22490 and CVE-2023-23946 sudo: Security fix for CVE-2023-28486 and CVE-2023-28487 curl: Security fix CVE-2023-27533, CVE-2023-27535 and CVE-2023-27536 Virendra Thakur (2): gcc: Fix inconsistent noexcept specifier for valarray in libstdc++ qemu: Whitelist CVE-2023-0664 Vivek Kumbhar (13): curl: fix CVE-2022-32221 POST following PUT qemu: fix CVE-2021-3638 ati-vga: inconsistent check in ati_2d_blt() may lead to out-of-bounds write libtasn1: fix CVE-2021-46848 off-by-one in asn1_encode_simple_der qemu: fix CVE-2021-20196 block fdc null pointer dereference may lead to guest crash go: fix CVE-2022-41717 Excessive memory use in got server rsync: fix CVE-2022-29154 remote arbitrary files write inside the directories of connecting peers libx11: fix CVE-2022-3555 memory leak in _XFreeX11XCBStructure() of xcb_disp.c qemu: fix CVE-2021-3507 fdc heap buffer overflow in DMA read data transfers go: fix CVE-2022-1962 go/parser stack exhaustion in all Parse* functions qemu: fix CVE-2021-3929 nvme DMA reentrancy issue leads to use-after-free gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key exchange code go: fix CVE-2023-24537 Infinite loop in parsing go: fix CVE-2023-24534 denial of service from excessive memory allocation Wang Mingyu (1): mobile-broadband-provider-info: upgrade 20220725 -> 20221107 Xiaobing Luo (1): devtool: Fix _copy_file() TypeError ciarancourtney (1): wic: swap partitions are not added to fstab jan (1): cve-update-db-native: Allow to overrule the URL in a bbappend. rajmohan r (1): systemd: Fix CVE-2023-26604 wangmy (1): dbus: upgrade 1.12.20 -> 1.12.22 meta-openembedded: 6792ebdd96..7007d14c25: Armin Kuster (1): mariadb: Update to latest lts 10.4.28 Chris Rogers (1): xterm: Remove undeclared variables introduced by backport Colin Finck (1): [dunfell] wireguard: Upgrade to 1.0.20220627 (module) and 1.0.20210914 (tools) Hitendra Prajapati (9): postgresql: CVE-2022-1552 Autovacuum, REINDEX, and others omit "security restricted operation" sandbox dnsmasq: CVE-2022-0934 Heap use after free in dhcp6_no_relay nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ngx_http_mp4_module postgresql: Fix CVE-2022-2625 proftpd: CVE-2021-46854 memory disclosure to radius server net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer Exception krb5: CVE-2022-42898 integer overflow vulnerabilities in PAC parsing postgresql: CVE-2022-41862 Client memory disclosure when connecting with Kerberos to modified server syslog-ng: CVE-2022-38725 An integer overflow in the RFC3164 parser Ivan Stepic (1): flatbuffers: adapt for cross-compilation environments Mathieu Dubois-Briand (4): networkmanager: Update to 1.22.16 nss: Add missing CVE product nss: Whitelist CVEs related to libnssdbm nss: Fix CVE-2020-25648 Omkar Patil (1): ntfs-3g-ntfsprogs: Upgrade 2022.5.17 to 2022.10.3 Poonam Jadhav (4): nodejs: Fix CVE-2022-32212 nodejs: Fix CVE-2022-35255 nodejs: Fix CVE-2022-43548 nodejs: Fix CVEs for nodejs Priyal Doshi (1): open-vm-tools: Security fix for CVE-2022-31676 Ranjitsinh Rathod (1): strongswan: Fix CVE-2022-40617 Roger Knecht (1): zeromq: 4.3.2 -> 4.3.4 Shubham Kulkarni (1): python3-pillow: Security fix for CVE-2022-45198 Siddharth Doshi (1): xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] CVE-2022-45063 Valeria Petrov (1): php: update 7.4.28 -> 7.4.33 Virendra Thakur (2): capnproto: Fix CVE-2022-46149 nss: Fix CVE CVE-2023-0767 Wang Mingyu (2): apache2: upgrade 2.4.54 -> 2.4.55 apache2: upgrade 2.4.55 -> 2.4.56 Yi Zhao (1): postfix: upgrade 3.4.23 -> 3.4.27 vkumbhar (2): dnsmasq: fix CVE-2023-28450 default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 mariadb: fix CVE-2022-47015 NULL pointer dereference in spider_db_mbase::print_warnings() wangmy (1): apache2: upgrade 2.4.53 -> 2.4.54 meta-security: c62970fda8..eb631c12be: Hitendra Prajapati (1): sssd: CVE-2022-4254 libsss_certmap fails to sanitise certificate data used in LDAP filters Signed-off-by: Patrick Williams Change-Id: I0ebec73eb7e68d1ca95866bc758e49990731c8bf --- .../recipes-support/nss/nss/CVE-2020-25648.patch | 163 +++++++++++++++++++++ .../recipes-support/nss/nss/CVE-2023-0767.patch | 124 ++++++++++++++++ .../meta-oe/recipes-support/nss/nss_3.51.1.bb | 8 + 3 files changed, 295 insertions(+) create mode 100644 meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch create mode 100644 meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch (limited to 'meta-openembedded/meta-oe/recipes-support/nss') diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch b/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch new file mode 100644 index 0000000000..f30d4d32cd --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch @@ -0,0 +1,163 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1602524521 0 +# Node ID 57bbefa793232586d27cee83e74411171e128361 +# Parent 6e3bc17f05086854ffd2b06f7fae9371f7a0c174 +Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode, r=mt + +This makes the server reject CCS when the client doesn't indicate the +use of the middlebox compatibility mode with a non-empty +ClientHello.legacy_session_id, or it sends multiple CCS in a row. + +Differential Revision: https://phabricator.services.mozilla.com/D79994 + +Upstream-Status: Backport +CVE: CVE-2020-25648 +Reference to upstream patch: https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361 +Signed-off-by: Mathieu Dubois-Briand + +diff --color -Naur nss-3.51.1_old/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc nss-3.51.1/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc +--- nss-3.51.1_old/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2022-12-08 16:05:47.447142660 +0100 ++++ nss-3.51.1/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2022-12-08 16:12:32.645932052 +0100 +@@ -348,6 +348,85 @@ + client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); + } + ++// The server rejects a ChangeCipherSpec if the client advertises an ++// empty session ID. ++TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS ++ ++ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ server_->Handshake(); // Consume ClientHello and CCS ++ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The server rejects multiple ChangeCipherSpec even if the client ++// indicates compatibility mode with non-empty session ID. ++TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ EnableCompatMode(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ // Send CCS twice in a row ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ ++ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ server_->Handshake(); // Consume ClientHello and CCS. ++ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The client rejects a ChangeCipherSpec if it advertises an empty ++// session ID. ++TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ ++ // To replace Finished with a CCS below ++ auto filter = MakeTlsFilter(server_); ++ filter->SetHandshakeTypes({kTlsHandshakeFinished}); ++ filter->EnableDecryption(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ server_->Handshake(); // Consume ClientHello, and ++ // send ServerHello..CertificateVerify ++ // Send CCS ++ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ client_->Handshake(); // Consume ClientHello and CCS ++ client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The client rejects multiple ChangeCipherSpec in a row even if the ++// client indicates compatibility mode with non-empty session ID. ++TEST_F(Tls13CompatTest, ChangeCipherSpecAfterServerHelloTwice) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ EnableCompatMode(); ++ ++ // To replace Finished with a CCS below ++ auto filter = MakeTlsFilter(server_); ++ filter->SetHandshakeTypes({kTlsHandshakeFinished}); ++ filter->EnableDecryption(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ server_->Handshake(); // Consume ClientHello, and ++ // send ServerHello..CertificateVerify ++ // the ServerHello is followed by CCS ++ // Send another CCS ++ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ client_->Handshake(); // Consume ClientHello and CCS ++ client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ + // If we negotiate 1.2, we abort. + TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHello12) { + EnsureTlsSetup(); +diff --color -Naur nss-3.51.1_old/nss/lib/ssl/ssl3con.c nss-3.51.1/nss/lib/ssl/ssl3con.c +--- nss-3.51.1_old/nss/lib/ssl/ssl3con.c 2022-12-08 16:05:47.471142833 +0100 ++++ nss-3.51.1/nss/lib/ssl/ssl3con.c 2022-12-08 16:12:42.037994262 +0100 +@@ -6711,7 +6711,11 @@ + + /* TLS 1.3: We sent a session ID. The server's should match. */ + if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) { +- return sidMatch; ++ if (sidMatch) { ++ ss->ssl3.hs.allowCcs = PR_TRUE; ++ return PR_TRUE; ++ } ++ return PR_FALSE; + } + + /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */ +@@ -8730,6 +8734,7 @@ + errCode = PORT_GetError(); + goto alert_loser; + } ++ ss->ssl3.hs.allowCcs = PR_TRUE; + } + + /* TLS 1.3 requires that compression include only null. */ +@@ -13058,8 +13063,15 @@ + ss->ssl3.hs.ws != idle_handshake && + cText->buf->len == 1 && + cText->buf->buf[0] == change_cipher_spec_choice) { +- /* Ignore the CCS. */ +- return SECSuccess; ++ if (ss->ssl3.hs.allowCcs) { ++ /* Ignore the first CCS. */ ++ ss->ssl3.hs.allowCcs = PR_FALSE; ++ return SECSuccess; ++ } ++ ++ /* Compatibility mode is not negotiated. */ ++ alert = unexpected_message; ++ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); + } + + if (IS_DTLS(ss) || +diff --color -Naur nss-3.51.1_old/nss/lib/ssl/sslimpl.h nss-3.51.1/nss/lib/ssl/sslimpl.h +--- nss-3.51.1_old/nss/lib/ssl/sslimpl.h 2022-12-08 16:05:47.471142833 +0100 ++++ nss-3.51.1/nss/lib/ssl/sslimpl.h 2022-12-08 16:12:45.106014567 +0100 +@@ -711,6 +711,10 @@ + * or received. */ + PRBool receivedCcs; /* A server received ChangeCipherSpec + * before the handshake started. */ ++ PRBool allowCcs; /* A server allows ChangeCipherSpec ++ * as the middlebox compatibility mode ++ * is explicitly indicarted by ++ * legacy_session_id in TLS 1.3 ClientHello. */ + PRBool clientCertRequested; /* True if CertificateRequest received. */ + ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def + * we use for TLS 1.3 */ diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch b/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch new file mode 100644 index 0000000000..ec3b4a092a --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch @@ -0,0 +1,124 @@ + +# HG changeset patch +# User John M. Schanck +# Date 1675974326 0 +# Node ID 62f6b3e9024dd72ba3af9ce23848d7573b934f18 +# Parent 52b4b7d3d3ebdb25fbf2cf1c101bfad3721680f4 +Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. r=rrelyea + +Differential Revision: https://phabricator.services.mozilla.com/D167443 + +CVE: CVE-2023-0767 +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/nss/2:3.35-2ubuntu2.16/nss_3.35-2ubuntu2.16.debian.tar.xz] +Signed-off-by: Virendra Thakur + +diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c +--- a/nss/lib/pkcs12/p12d.c ++++ b/nss/lib/pkcs12/p12d.c +@@ -332,41 +332,48 @@ sec_pkcs12_decoder_safe_bag_update(void + unsigned long len, int depth, + SEC_ASN1EncodingPart data_kind) + { + sec_PKCS12SafeContentsContext *safeContentsCtx = + (sec_PKCS12SafeContentsContext *)arg; + SEC_PKCS12DecoderContext *p12dcx; + SECStatus rv; + +- /* make sure that we are not skipping the current safeBag, +- * and that there are no errors. If so, just return rather +- * than continuing to process. +- */ +- if (!safeContentsCtx || !safeContentsCtx->p12dcx || +- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { + return; + } + p12dcx = safeContentsCtx->p12dcx; + ++ /* make sure that there are no errors and we are not skipping the current safeBag */ ++ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ goto loser; ++ } ++ + rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len); + if (rv != SECSuccess) { + p12dcx->errorValue = PORT_GetError(); ++ p12dcx->error = PR_TRUE; ++ goto loser; ++ } ++ ++ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we ++ * may not get another opportunity to clean up the decoder context. ++ */ ++ if (safeContentsCtx->skipCurrentSafeBag) { + goto loser; + } + + return; + + loser: +- /* set the error, and finish the decoder context. because there ++ /* Finish the decoder context. Because there + * is not a way of returning an error message, it may be worth + * while to do a check higher up and finish any decoding contexts + * that are still open. + */ +- p12dcx->error = PR_TRUE; + SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); + safeContentsCtx->currentSafeBagA1Dcx = NULL; + return; + } + + /* notify function for decoding safeBags. This function is + * used to filter safeBag types which are not supported, + * initiate the decoding of nested safe contents, and decode +diff --git a/nss/lib/pkcs12/p12t.h b/nss/lib/pkcs12/p12t.h +--- a/nss/lib/pkcs12/p12t.h ++++ b/nss/lib/pkcs12/p12t.h +@@ -68,16 +68,17 @@ struct sec_PKCS12SafeBagStr { + /* Dependent upon the type of bag being used. */ + union { + SECKEYPrivateKeyInfo *pkcs8KeyBag; + SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag; + sec_PKCS12CertBag *certBag; + sec_PKCS12CRLBag *crlBag; + sec_PKCS12SecretBag *secretBag; + sec_PKCS12SafeContents *safeContents; ++ SECItem *unknownBag; + } safeBagContent; + + sec_PKCS12Attribute **attribs; + + /* used locally */ + SECOidData *bagTypeTag; + PLArenaPool *arena; + unsigned int nAttribs; +diff --git a/nss/lib/pkcs12/p12tmpl.c b/nss/lib/pkcs12/p12tmpl.c +--- a/nss/lib/pkcs12/p12tmpl.c ++++ b/nss/lib/pkcs12/p12tmpl.c +@@ -25,22 +25,22 @@ sec_pkcs12_choose_safe_bag_type(void *sr + if (src_or_dest == NULL) { + return NULL; + } + + safeBag = (sec_PKCS12SafeBag *)src_or_dest; + + oiddata = SECOID_FindOID(&safeBag->safeBagType); + if (oiddata == NULL) { +- return SEC_ASN1_GET(SEC_AnyTemplate); ++ return SEC_ASN1_GET(SEC_PointerToAnyTemplate); + } + + switch (oiddata->offset) { + default: +- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); ++ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate); + break; + case SEC_OID_PKCS12_V1_KEY_BAG_ID: + theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate); + break; + case SEC_OID_PKCS12_V1_CERT_BAG_ID: + theTemplate = sec_PKCS12PointerToCertBagTemplate; + break; + case SEC_OID_PKCS12_V1_CRL_BAG_ID: + diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb index 8b59f7ea8f..1de2a40094 100644 --- a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb +++ b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb @@ -39,8 +39,10 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://CVE-2020-6829_12400.patch \ file://CVE-2020-12403_1.patch \ file://CVE-2020-12403_2.patch \ + file://CVE-2020-25648.patch \ file://CVE-2021-43527.patch \ file://CVE-2022-22747.patch \ + file://CVE-2023-0767.patch \ " SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233" @@ -291,5 +293,11 @@ RDEPENDS_${PN}-smime = "perl" BBCLASSEXTEND = "native nativesdk" +CVE_PRODUCT += "network_security_services" + # CVE-2006-5201 affects only Sun Solaris CVE_CHECK_WHITELIST += "CVE-2006-5201" + +# CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect +# the legacy db (libnssdbm), only compiled with --enable-legacy-db. +CVE_CHECK_WHITELIST += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" -- cgit v1.2.3