From bba38f38e7e41525c30116a2fe990d113b8157da Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Thu, 23 Aug 2018 16:11:46 +0800 Subject: poky: sumo refresh 51872d3f99..3b8dc3a88e Update poky to sumo HEAD. Andrej Valek (1): wpa-supplicant: fix CVE-2018-14526 Armin Kuster (2): xserver-xorg: config: fix NULL value detection for ID_INPUT being unset binutils: Change the ARM assembler's ADR and ADRl pseudo-ops so that they will only set the bottom bit of imported thumb function symbols if the -mthumb-interwork option is active. Bruce Ashfield (3): linux-yocto/4.12: update to v4.12.28 linux-yocto/4.14: update to v4.14.62 linux-yocto/4.14: update to v4.14.67 Changqing Li (6): libexif: patch for CVE-2017-7544 squashfs-tools: patch for CVE-2015-4645(4646) libcroco: patch for CVE-2017-7960 libid3tag: patch for CVE-2004-2779 libice: patch for CVE-2017-2626 apr-util: fix ptest fail problem Chen Qi (2): util-linux: upgrade 2.32 -> 2.32.1 busybox: move init related configs to init.cfg Jagadeesh Krishnanjanappa (2): libarchive: CVE-2017-14501 libcgroup: CVE-2018-14348 Jon Szymaniak (1): cve-check.bbclass: detect CVE IDs listed on multiple lines Joshua Lock (1): os-release: fix to install in the expected location Khem Raj (1): serf: Fix Sconstruct build with python 3.7 Konstantin Shemyak (1): cve-check.bbclass: do not download the CVE DB in package-specific tasks Mike Looijmans (1): busybox/mdev-mount.sh: Fix partition detect and cleanup mountpoint on fail Ross Burton (1): lrzsz: fix CVE-2018-10195 Sinan Kaya (3): busybox: CVE-2017-15874 libpng: CVE-2018-13785 sqlite3: CVE-2018-8740 Yadi.hu (1): busybox: handle syslog Yi Zhao (2): blktrace: Security fix CVE-2018-10689 taglib: Security fix CVE-2018-11439 Zheng Ruoqin (1): glibc: fix CVE-2018-11237 Change-Id: I2eb1fe6574638de745e4bfc106b86fe797b977c8 Signed-off-by: Brad Bishop --- poky/meta/recipes-core/busybox/busybox.inc | 14 ++-- .../busybox/busybox/CVE-2017-15874.patch | 30 ++++++++ poky/meta/recipes-core/busybox/busybox/defconfig | 12 ++-- poky/meta/recipes-core/busybox/busybox/init.cfg | 7 +- poky/meta/recipes-core/busybox/busybox_1.27.2.bb | 1 + poky/meta/recipes-core/busybox/files/mdev-mount.sh | 4 +- .../recipes-core/glibc/glibc/CVE-2018-11237.patch | 82 ++++++++++++++++++++++ poky/meta/recipes-core/glibc/glibc_2.27.bb | 1 + .../libcgroup/libcgroup/CVE-2018-14348.patch | 37 ++++++++++ poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb | 3 +- poky/meta/recipes-core/os-release/os-release.bb | 9 ++- .../recipes-core/util-linux/util-linux_2.32.1.bb | 30 ++++++++ .../recipes-core/util-linux/util-linux_2.32.bb | 30 -------- 13 files changed, 212 insertions(+), 48 deletions(-) create mode 100644 poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch create mode 100644 poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch create mode 100644 poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch create mode 100644 poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb delete mode 100644 poky/meta/recipes-core/util-linux/util-linux_2.32.bb (limited to 'poky/meta/recipes-core') diff --git a/poky/meta/recipes-core/busybox/busybox.inc b/poky/meta/recipes-core/busybox/busybox.inc index d1675c37aa..8c6dbbaf9b 100644 --- a/poky/meta/recipes-core/busybox/busybox.inc +++ b/poky/meta/recipes-core/busybox/busybox.inc @@ -315,20 +315,24 @@ do_install () { fi if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + if grep -q "CONFIG_KLOGD=y" ${B}/.config; then + install -d ${D}${systemd_unitdir}/system + sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-klogd.service.in \ + > ${D}${systemd_unitdir}/system/busybox-klogd.service + fi + if grep -q "CONFIG_SYSLOGD=y" ${B}/.config; then install -d ${D}${systemd_unitdir}/system sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-syslog.service.in \ > ${D}${systemd_unitdir}/system/busybox-syslog.service + if [ ! -e ${D}${systemd_unitdir}/system/busybox-klogd.service ] ; then + sed -i '/klog/d' ${D}${systemd_unitdir}/system/busybox-syslog.service + fi if [ -f ${WORKDIR}/busybox-syslog.default ] ; then install -d ${D}${sysconfdir}/default install -m 0644 ${WORKDIR}/busybox-syslog.default ${D}${sysconfdir}/default/busybox-syslog fi fi - if grep -q "CONFIG_KLOGD=y" ${B}/.config; then - install -d ${D}${systemd_unitdir}/system - sed 's,@base_sbindir@,${base_sbindir},g' < ${WORKDIR}/busybox-klogd.service.in \ - > ${D}${systemd_unitdir}/system/busybox-klogd.service - fi fi # Remove the sysvinit specific configuration file for systemd systems to avoid confusion diff --git a/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch b/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch new file mode 100644 index 0000000000..67b4ed7e11 --- /dev/null +++ b/poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch @@ -0,0 +1,30 @@ +From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Fri, 27 Oct 2017 15:37:03 +0200 +Subject: [PATCH] unlzma: fix SEGV, closes 10436 + +Upstream-Status: Backport [ https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b] +Signed-off-by: Denys Vlasenko +Signed-off-by: Sinan Kaya +--- + archival/libarchive/decompress_unlzma.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c +index 29eee2a..41e492f 100644 +--- a/archival/libarchive/decompress_unlzma.c ++++ b/archival/libarchive/decompress_unlzma.c +@@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate) + pos = buffer_pos - rep0; + if ((int32_t)pos < 0) { + pos += header.dict_size; ++ /* bug 10436 has an example file where this triggers: */ ++ if ((int32_t)pos < 0) ++ goto bad; ++ + /* see unzip_bad_lzma_2.zip: */ + if (pos >= buffer_size) + goto bad; +-- +2.19.0 + diff --git a/poky/meta/recipes-core/busybox/busybox/defconfig b/poky/meta/recipes-core/busybox/busybox/defconfig index fbb5fd852c..59d93c7079 100644 --- a/poky/meta/recipes-core/busybox/busybox/defconfig +++ b/poky/meta/recipes-core/busybox/busybox/defconfig @@ -468,21 +468,21 @@ CONFIG_FEATURE_XARGS_SUPPORT_REPL_STR=y # CONFIG_BOOTCHARTD is not set # CONFIG_FEATURE_BOOTCHARTD_BLOATED_HEADER is not set # CONFIG_FEATURE_BOOTCHARTD_CONFIG_FILE is not set -CONFIG_HALT=y -CONFIG_POWEROFF=y -CONFIG_REBOOT=y +# CONFIG_HALT is not set +# CONFIG_POWEROFF is not set +# CONFIG_REBOOT is not set # CONFIG_FEATURE_CALL_TELINIT is not set -CONFIG_TELINIT_PATH="" +# CONFIG_TELINIT_PATH is not set # CONFIG_INIT is not set # CONFIG_LINUXRC is not set # CONFIG_FEATURE_USE_INITTAB is not set # CONFIG_FEATURE_KILL_REMOVED is not set -CONFIG_FEATURE_KILL_DELAY=0 +# CONFIG_FEATURE_KILL_DELAY is not set # CONFIG_FEATURE_INIT_SCTTY is not set # CONFIG_FEATURE_INIT_SYSLOG is not set # CONFIG_FEATURE_INIT_QUIET is not set # CONFIG_FEATURE_INIT_COREDUMPS is not set -CONFIG_INIT_TERMINAL_TYPE="" +# CONFIG_INIT_TERMINAL_TYPE is not set # CONFIG_FEATURE_INIT_MODIFY_CMDLINE is not set # diff --git a/poky/meta/recipes-core/busybox/busybox/init.cfg b/poky/meta/recipes-core/busybox/busybox/init.cfg index 006d4c633e..3c1fdd42b6 100644 --- a/poky/meta/recipes-core/busybox/busybox/init.cfg +++ b/poky/meta/recipes-core/busybox/busybox/init.cfg @@ -1,3 +1,8 @@ CONFIG_INIT=y CONFIG_FEATURE_USE_INITTAB=y - +CONFIG_HALT=y +CONFIG_POWEROFF=y +CONFIG_REBOOT=y +CONFIG_FEATURE_KILL_DELAY=0 +CONFIG_TELINIT_PATH="" +CONFIG_INIT_TERMINAL_TYPE="" diff --git a/poky/meta/recipes-core/busybox/busybox_1.27.2.bb b/poky/meta/recipes-core/busybox/busybox_1.27.2.bb index 1ce4823d47..bab29728ee 100644 --- a/poky/meta/recipes-core/busybox/busybox_1.27.2.bb +++ b/poky/meta/recipes-core/busybox/busybox_1.27.2.bb @@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://busybox-CVE-2017-16544.patch \ file://busybox-fix-lzma-segfaults.patch \ file://umount-ignore-c.patch \ + file://CVE-2017-15874.patch \ " SRC_URI_append_libc-musl = " file://musl.cfg " diff --git a/poky/meta/recipes-core/busybox/files/mdev-mount.sh b/poky/meta/recipes-core/busybox/files/mdev-mount.sh index b4385a157f..130e9472f3 100644 --- a/poky/meta/recipes-core/busybox/files/mdev-mount.sh +++ b/poky/meta/recipes-core/busybox/files/mdev-mount.sh @@ -25,7 +25,7 @@ case "$ACTION" in fi # check for full-disk partition if [ "${DEVBASE}" = "${MDEV}" ] ; then - if [ -d /sys/block/${DEVBASE}/${DEVBASE}*1 ] ; then + if [ -f /sys/block/${DEVBASE}/${DEVBASE}*1/partition ] ; then # Partition detected, just quit exit 0 fi @@ -43,7 +43,7 @@ case "$ACTION" in then MOUNTPOINT="${MDEV_AUTOMOUNT_ROOT}/$MDEV" mkdir -p "$MOUNTPOINT" - mount -t auto /dev/$MDEV "$MOUNTPOINT" + mount -t auto /dev/$MDEV "$MOUNTPOINT" || rmdir "$MOUNTPOINT" fi ;; remove) diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch new file mode 100644 index 0000000000..632aa565e4 --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch @@ -0,0 +1,82 @@ +From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Tue, 22 May 2018 10:37:59 +0200 +Subject: [PATCH] Don't write beyond destination in + __mempcpy_avx512_no_vzeroupper (bug 23196) + +When compiled as mempcpy, the return value is the end of the destination +buffer, thus it cannot be used to refer to the start of it. + +2018-05-23 Andreas Schwab + + [BZ #23196] + CVE-2018-11237 + * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S + (L(preloop_large)): Save initial destination pointer in %r11 and + use it instead of %rax after the loop. + * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. + +CVE: CVE-2018-11237 +Upstream-Status: Backport +Signed-off-by: Zheng Ruoqin +--- + ChangeLog | 9 +++++++++ + string/test-mempcpy.c | 1 + + sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++-- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index fa0a07c..bc09dec 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,12 @@ ++2018-05-23 Andreas Schwab ++ ++ [BZ #23196] ++ CVE-2018-11237 ++ * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S ++ (L(preloop_large)): Save initial destination pointer in %r11 and ++ use it instead of %rax after the loop. ++ * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. ++ + 2018-05-09 Paul Pluzhnikov + + [BZ #22786] +diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c +index c08fba8..d98ecdd 100644 +--- a/string/test-mempcpy.c ++++ b/string/test-mempcpy.c +@@ -18,6 +18,7 @@ + . */ + + #define MEMCPY_RESULT(dst, len) (dst) + (len) ++#define MIN_PAGE_SIZE 131072 + #define TEST_MAIN + #define TEST_NAME "mempcpy" + #include "test-string.h" +diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +index 23c0f7a..a55cf6f 100644 +--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S ++++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +@@ -335,6 +335,7 @@ L(preloop_large): + ja L(preloop_large_bkw) + vmovups (%rsi), %zmm4 + vmovups 0x40(%rsi), %zmm5 ++ mov %rdi, %r11 + + /* Align destination for access with non-temporal stores in the loop. */ + mov %rdi, %r8 +@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop): + cmp $256, %rdx + ja L(gobble_256bytes_nt_loop) + sfence +- vmovups %zmm4, (%rax) +- vmovups %zmm5, 0x40(%rax) ++ vmovups %zmm4, (%r11) ++ vmovups %zmm5, 0x40(%r11) + jmp L(check) + + L(preloop_large_bkw): +-- +2.7.4 + diff --git a/poky/meta/recipes-core/glibc/glibc_2.27.bb b/poky/meta/recipes-core/glibc/glibc_2.27.bb index 22a9881eaf..adee494c2e 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.27.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.27.bb @@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0030-plural_c_no_preprocessor_lines.patch \ file://CVE-2017-18269.patch \ file://CVE-2018-11236.patch \ + file://CVE-2018-11237.patch \ " NATIVESDKFIXES ?= "" diff --git a/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch b/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch new file mode 100644 index 0000000000..d133703dec --- /dev/null +++ b/poky/meta/recipes-core/libcgroup/libcgroup/CVE-2018-14348.patch @@ -0,0 +1,37 @@ +From 0d88b73d189ea3440ccaab00418d6469f76fa590 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Wed, 18 Jul 2018 11:24:29 +0200 +Subject: [PATCH] cgrulesengd: remove umask(0) + +One of our partners has noticed that cgred daemon is creating a log file +(/var/log/cgred) with too wide permissions (0666) and that is seen as +a security bug because an untrusted user can write to otherwise +restricted area. CVE-2018-14348 has been assigned to this issue. + +CVE: CVE-2018-14348 +Upstream-Status: Backport [https://sourceforge.net/p/libcg/libcg/ci/0d88b73d189ea3440ccaab00418d6469f76fa590] + +Signed-off-by: Michal Hocko +Acked-by: Balbir Singh +Signed-off-by: Jagadeesh Krishnanjanappa +--- + src/daemon/cgrulesengd.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c +index ea51f11..0d288f3 100644 +--- a/src/daemon/cgrulesengd.c ++++ b/src/daemon/cgrulesengd.c +@@ -889,9 +889,6 @@ int cgre_start_daemon(const char *logp, const int logf, + } else if (pid > 0) { + exit(EXIT_SUCCESS); + } +- +- /* Change the file mode mask. */ +- umask(0); + } else { + flog(LOG_DEBUG, "Not using daemon mode\n"); + pid = getpid(); +-- +2.13.3 + diff --git a/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb b/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb index 7ddc81e9b7..92d7261b0d 100644 --- a/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb +++ b/poky/meta/recipes-core/libcgroup/libcgroup_0.41.bb @@ -11,7 +11,8 @@ inherit autotools pkgconfig DEPENDS = "bison-native flex-native" -SRC_URI = "${SOURCEFORGE_MIRROR}/project/libcg/${BPN}/v0.41/${BPN}-${PV}.tar.bz2" +SRC_URI = "${SOURCEFORGE_MIRROR}/project/libcg/${BPN}/v0.41/${BPN}-${PV}.tar.bz2 \ + file://CVE-2018-14348.patch" SRC_URI_append_libc-musl = " file://musl-decls-compat.patch" SRC_URI[md5sum] = "3dea9d50b8a5b73ff0bf1cdcb210f63f" diff --git a/poky/meta/recipes-core/os-release/os-release.bb b/poky/meta/recipes-core/os-release/os-release.bb index f988704756..bf4f815a10 100644 --- a/poky/meta/recipes-core/os-release/os-release.bb +++ b/poky/meta/recipes-core/os-release/os-release.bb @@ -1,7 +1,7 @@ inherit allarch SUMMARY = "Operating system identification" -DESCRIPTION = "The /etc/os-release file contains operating system identification data." +DESCRIPTION = "The /usr/lib/os-release file contains operating system identification data." LICENSE = "MIT" INHIBIT_DEFAULT_DEPS = "1" @@ -42,6 +42,9 @@ python do_compile () { do_compile[vardeps] += "${OS_RELEASE_FIELDS}" do_install () { - install -d ${D}${sysconfdir} - install -m 0644 os-release ${D}${sysconfdir}/ + install -d ${D}${libdir} ${D}${sysconfdir} + install -m 0644 os-release ${D}${libdir}/ + lnr ${D}${libdir}/os-release ${D}${sysconfdir}/os-release } + +FILES_${PN} += "${libdir}/os-release" diff --git a/poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb b/poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb new file mode 100644 index 0000000000..455b9377b3 --- /dev/null +++ b/poky/meta/recipes-core/util-linux/util-linux_2.32.1.bb @@ -0,0 +1,30 @@ +MAJOR_VERSION = "2.32" +require util-linux.inc + +# To support older hosts, we need to patch and/or revert +# some upstream changes. Only do this for native packages. +OLDHOST = "" +OLDHOST_class-native = "file://util-linux-native-qsort.patch" + +SRC_URI += "file://configure-sbindir.patch \ + file://runuser.pamd \ + file://runuser-l.pamd \ + ${OLDHOST} \ + file://ptest.patch \ + file://run-ptest \ + file://display_testname_for_subtest.patch \ + file://avoid_parallel_tests.patch \ +" +SRC_URI[md5sum] = "9e5b1b8c1dc99455bdb6b462cf9436d9" +SRC_URI[sha256sum] = "86e6707a379c7ff5489c218cfaf1e3464b0b95acf7817db0bc5f179e356a67b2" + +CACHED_CONFIGUREVARS += "scanf_cv_alloc_modifier=ms" + +EXTRA_OECONF_class-native = "${SHARED_EXTRA_OECONF} \ + --disable-fallocate \ + --disable-use-tty-group \ +" +EXTRA_OECONF_class-nativesdk = "${SHARED_EXTRA_OECONF} \ + --disable-fallocate \ + --disable-use-tty-group \ +" diff --git a/poky/meta/recipes-core/util-linux/util-linux_2.32.bb b/poky/meta/recipes-core/util-linux/util-linux_2.32.bb deleted file mode 100644 index 55cc98c200..0000000000 --- a/poky/meta/recipes-core/util-linux/util-linux_2.32.bb +++ /dev/null @@ -1,30 +0,0 @@ -MAJOR_VERSION = "2.32" -require util-linux.inc - -# To support older hosts, we need to patch and/or revert -# some upstream changes. Only do this for native packages. -OLDHOST = "" -OLDHOST_class-native = "file://util-linux-native-qsort.patch" - -SRC_URI += "file://configure-sbindir.patch \ - file://runuser.pamd \ - file://runuser-l.pamd \ - ${OLDHOST} \ - file://ptest.patch \ - file://run-ptest \ - file://display_testname_for_subtest.patch \ - file://avoid_parallel_tests.patch \ -" -SRC_URI[md5sum] = "e0d8a25853f88cd15ff557e5d8cb4ea7" -SRC_URI[sha256sum] = "6c7397abc764e32e8159c2e96042874a190303e77adceb4ac5bd502a272a4734" - -CACHED_CONFIGUREVARS += "scanf_cv_alloc_modifier=ms" - -EXTRA_OECONF_class-native = "${SHARED_EXTRA_OECONF} \ - --disable-fallocate \ - --disable-use-tty-group \ -" -EXTRA_OECONF_class-nativesdk = "${SHARED_EXTRA_OECONF} \ - --disable-fallocate \ - --disable-use-tty-group \ -" -- cgit v1.2.3