From 93c203f3a38be7db9cd7bb6b4954f3eb655acc8e Mon Sep 17 00:00:00 2001 From: Patrick Williams Date: Wed, 6 Oct 2021 16:15:23 -0500 Subject: subtree updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit meta-security: de6712a806..a85fbe980e: Anton Antonov (1): Upgrade parsec-service 0.8.1 and parsec-tool 0.4.0 Armin Kuster (1): chkrootkit: update to 0.55 Bhupesh Sharma (1): recipes-security/fscrypt: Add fscrypt .bb file Christer Fletcher (1): dmverity: Make use of DATA_BLOCK_SIZE variable in initrdscript. Kristian Klausen (1): libtpm: update to 0.8.7 Zoltán Böszörményi (1): clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install poky: 06dcace68b..80f2b56ad8: Anibal Limon (1): recipes-support/ptest-runner: Bump to v2.4.2 Bruce Ashfield (5): linux-yocto-dev: update to v5.15-rcX lttng-modules/dev-upstream: update to 2.13-latest lttng-modules: fix build against 5.15+ linux-yocto/5.13: drop recipes yocto-bsp/5.13: drop recipes Chandana kalluri (1): scriptutils.py: Add check before deleting path Daniel Wagenknecht (2): common-tasks: add note about license implications of bundled initramfs ref-manual: add note about license implications of bundled initramfs Joshua Watt (2): lib/oe/spdx.py: Add comments python3: Fix sysroot reproducibility Kenfe-Mickael Laventure (1): package_ipk: Use localdata store when signing packages Kiran Surendran (1): ffmpeg: fix CVE-2021-38171 Kristian Klausen (2): ovmf: add TPM PACKAGECONFIG and enable if tpm is in MACHINE_FEATURES wic/bootimg-efi: Add Unified Kernel Image option Markus Volk (1): wic:direct.py: ignore invalid mountpoints during fstab update Matt Madison (1): autotools.bbclass: use ordinary append for file-checksums update Michael Halstead (1): releases: update to include 3.1.11 Minjae Kim (1): vim: fix CVE-2021-3778 Quentin Schulz (1): ref-manual: fix missed override syntax change Rasmus Villemoes (1): kernel.bbclass: remove unnecessary dead code Richard Purdie (29): oeqa/qemurunner: Use oe._exit(), not sys.exit() pseudo: Add in ability to flush database with shutdown request packagegroup-core-tools-profile: Exclude systemtap from riscv32 as well bitbake: bitbake-worker: Allow shutdown/database flush of pseudo server at task exit bitbake: siggen: Fix sorting in diff output bitbake: cooker/command: Add a dummy event for tinfoil testing oeqa/selftest/gotoolchain: Fix temp file cleanup oeqa/buildproject: Ensure temp directories are cleaned up libc_package/buildstats: Fix python regex quoting warnings oeqa/selftest/tinfoil: Update to use test command glew: Stop polluting /tmp during builds rpm: Ensure compression parallelism isn't coded into rpms package: Ensure pclist files are deterministic and don't use full paths gnupg: Be deterministic about sendmail mesa: Ensure megadrivers runtime mappings are deterministic util-linux: Fix reproducibility libtool: Allow libtool-cross to reproduce gobject-introspection: Don't write $HOME into scripts oeqa/selftest/bbtests: Add uuid to force build test image: Exclude IMAGE_VERSION_SUFFIX from expansion in image tasks sstatesig: Revert "Test cross/native hashserv method extension" bitbake: data: Ensure functions are defined in a deterministic order bitbake.conf: Set vardepvalue for PARALLEL_MAKEINST externalsrc: Fix a source date epoch race in reproducible builds sstatesig: Add processing for full build paths in sysroot files python3: Drop broken pyc files image-artifact-names: Use SOURCE_DATE_EPOCH when making reproducible builds for deploy abi_version/sstate: Bump HASH_VERSION and SSTATE_VERSION reproducible_build: Work around caching issues Robert P. J. Day (3): ref-manual: extend explanation of PACKAGE_DEBUG_SPLIT_STYLE ref-manual: mention INHIBIT_PACKAGE_DEBUG_SPLIT variable overview-manual: delete bad backslashes in SSTATE_MIRRORS example Saul Wold (3): spdx-licenses.json: Use 3.14 tagged version spdx.py: Add SPDXAnnotation Object create-spdx: Use SPDXAnnotation to track native recipes Thomas Perrot (2): libevent: mark util/monotonic_prc_fallback as retriable ruby: fix the reproducibility issue Tom Pollard (2): bzip2: Update soname for libbz2 1.0.8 libsamplerate0: Set correct soname for 0.1.9 Trevor Woerner (1): hello-mod/hello.c: convert printk to pr_xxx William A. Kennington III (1): rm_work.bbclass: Fix for files starting with - Yi Zhao (1): inetutils: fix CVE-2021-40491 wangmy (1): strace: upgrade 5.13 -> 5.14 meta-openembedded: cff8331f96..23dc4f060f: Armin Kuster (1): README: update to main repo Chandana kalluri (1): python3-humanfriendly: Add nativesdk to BBCLASSEXTEND Changqing Li (1): layer.conf: add openembedded-layer as LAYERDEPENDS Khem Raj (3): smcroute: Add missing pkgconfig inherit packagegroup-meta-oe: Add new packages smarty and libjs-jquery-icheck gattlib: Upgrade to latest LiweiSong (1): chipsec: platform security assessment framework Martin Jansa (5): opencv: fix build with protobuf-3.18 when dnn PACKAGECONFIG is enabled libeigen: backport fix for -Werror=class-memaccess issues when NEON is enabled README: mention linux-libc-dev:i386 for luajit on ubuntu-21.10 gpsd: inherit pkgconfig pahole: use MACHINE_ARCH Matteo Croce (1): pahole: don't download vendored libbpf Mingli Yu (1): libqb: Upgrade to 2.0.3 Nandor Han (1): libiio: depend on avahi only when network backed is used Peter Kjellerstedt (1): netdata: Move the version to the file name and correct the SRC_URI Richard Purdie (1): gattlib: Place pkgconfig file in correct package Yi Zhao (1): phpmyadmin: upgrade 5.1.0 -> 5.1.1 wangmy (7): unionfs-fuse: upgrade 2.1 -> 2.2 smcroute: upgrade 2.4.4 -> 2.5.3 snort: upgrade 2.9.18 -> 2.9.18.1 libsass: upgrade 3.6.4 -> 3.6.5 sanlock: upgrade 3.8.3 -> 3.8.4 sassc: upgrade 3.6.1 -> 3.6.2 valijson: upgrade 0.5 -> 0.6 zangrc (8): python3-pychromecast: upgrade 9.2.0 -> 9.2.1 python3-pyro4: upgrade 4.80 -> 4.81 python3-pyzmq: upgrade 22.2.1 -> 22.3.0 python3-robotframework: upgrade 4.1 -> 4.1.1 python3-sqlparse: upgrade 0.4.1 -> 0.4.2 python3-tqdm: upgrade 4.62.2 -> 4.62.3 libjs-jquery-icheck: Add recipe smarty: Add recipe zhengruoqin (6): python3-cmd2: upgrade 2.1.2 -> 2.2.0 python3-huey: upgrade 2.4.0 -> 2.4.1 python3-humanfriendly: upgrade 9.2 -> 10.0 cifs-utils: upgrade 6.13 -> 6.14 cmark: upgrade 0.30.1 -> 0.30.2 gpsd: upgrade 3.23 -> 3.23.1 Signed-off-by: Patrick Williams Change-Id: Ie782ff5d7f3004fb1f1ac9a4c8644a178bae46ad --- .../inetutils/inetutils/CVE-2021-40491.patch | 88 ++++++++++++++++++++++ .../inetutils/inetutils_2.1.bb | 1 + 2 files changed, 89 insertions(+) create mode 100644 poky/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch (limited to 'poky/meta/recipes-connectivity/inetutils') diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch b/poky/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch new file mode 100644 index 0000000000..202488f75c --- /dev/null +++ b/poky/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch @@ -0,0 +1,88 @@ +From 98ccabf68e5b3f0a177bd1925581753d10041448 Mon Sep 17 00:00:00 2001 +From: Simon Josefsson +Date: Wed, 1 Sep 2021 09:09:50 +0200 +Subject: [PATCH] ftp: check that PASV/LSPV addresses match. + +* NEWS: Mention change. +* ftp/ftp.c (initconn): Validate returned addresses. + +CVE: CVE-2021-40491 + +Upstream-Status: Backport +[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd] + +Signed-off-by: Yi Zhao +--- + NEWS | 9 +++++++++ + ftp/ftp.c | 21 +++++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/NEWS b/NEWS +index 7c5e62c..bd9a4da 100644 +--- a/NEWS ++++ b/NEWS +@@ -4,6 +4,15 @@ GNU inetutils NEWS -- history of user-visible changes. + + ** ftp + ++The ftp client now validate addresses returned by PASV/LSPV responses, ++to make sure they match the server address. Reported by ZeddYu Lu in ++. ++ ++Thanks to Luke Mewburn for discussion and fix to ++NetBSD code, we used a similar solution. ++ ++** ftp ++ + Disable use of readline when environment variable TERM is unset or set + to "dumb" (caused problems with Emacs AngeFTP on MacOS). Thanks to + Alex Bochannek for report, debugging and patch. +diff --git a/ftp/ftp.c b/ftp/ftp.c +index d21dbdd..7513539 100644 +--- a/ftp/ftp.c ++++ b/ftp/ftp.c +@@ -1365,6 +1365,13 @@ initconn (void) + uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr; + pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]); + } ++ if (data_addr_sa4->sin_addr.s_addr ++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* LPSV IPv4 */ + else /* IPv6 */ + { +@@ -1395,6 +1402,13 @@ initconn (void) + pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]); + pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]); + } ++ if (data_addr_sa6->sin6_addr.s6_addr ++ != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* LPSV IPv6 */ + } + else /* !EPSV && !LPSV */ +@@ -1415,6 +1429,13 @@ initconn (void) + | ((a2 & 0xff) << 8) | (a3 & 0xff) ); + data_addr_sa4->sin_port = + htons (((p0 & 0xff) << 8) | (p1 & 0xff)); ++ if (data_addr_sa4->sin_addr.s_addr ++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr) ++ { ++ printf ("Passive mode address mismatch.\n"); ++ (void) command ("ABOR"); /* Cancel any open connection. */ ++ goto bad; ++ } + } /* PASV */ + else + { +-- +2.17.1 + diff --git a/poky/meta/recipes-connectivity/inetutils/inetutils_2.1.bb b/poky/meta/recipes-connectivity/inetutils/inetutils_2.1.bb index 0cf73cdb24..45b88b1d7f 100644 --- a/poky/meta/recipes-connectivity/inetutils/inetutils_2.1.bb +++ b/poky/meta/recipes-connectivity/inetutils/inetutils_2.1.bb @@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ file://tftpd.xinetd.inetutils \ file://inetutils-1.9-PATH_PROCNET_DEV.patch \ file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \ + file://CVE-2021-40491.patch \ " inherit autotools gettext update-alternatives texinfo -- cgit v1.2.3