From 91c4060797737f563a7b975d726f2efcb088e45f Mon Sep 17 00:00:00 2001 From: Patrick Williams Date: Thu, 15 Jun 2023 05:43:17 -0500 Subject: kirkstone: subtree updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit meta-raspberrypi: 2a06e4e84b..43683cb14b: Florin Sarbu (1): udev-rules-rpi: Use 99-com.rules directly from upstream meta-openembedded: df452d9d98..f95484417e: Arsalan H. Awan (1): meta-networking/licenses/netperf: remove unused license Bhargav Das (2): tslib: Add native & nativestdk package support pointercal: Add native & nativestdk package support Changqing Li (1): redis: fix do_patch fuzz warning Chee Yang Lee (3): tinyproxy: fix CVE-2022-40468 capnproto: upgrade to 0.9.2 freerdp: fix CVE-2022-39316/39318/39319 Gianluigi Spagnuolo (1): libbpf: add native and nativesdk BBCLASSEXTEND Jasper Orschulko (1): python3-gcovr: Add missing runtime dependency Jonas Gorski (3): frr: Security fix CVE-2022-36440 / CVE-2022-40302 frr: Security fix CVE-2022-40318 frr: Security fix CVE-2022-43681 Khem Raj (1): nodejs: Fix build with gcc13 Martin Jansa (1): abseil-cpp: backport a fix for build with gcc-13 Narpat Mali (3): python3-werkzeug: fix for CVE-2023-25577 python3-django: upgrade 4.0.2 -> 4.2.1 python3-m2crypto: fix for CVE-2020-25657 Natasha Bailey (1): libyang: backport a fix for CVE-2023-26916 Valeria Petrov (1): apache2: upgrade 2.4.56 -> 2.4.57 Xiangyu Chen (3): pahole: fix native package build error Revert "pahole: fix native package build error" libbpf: installing uapi headers for native package poky: 4cc0e9438b..43b94d2b84: Alexander Kanavin (1): dhcpcd: use git instead of tarballs Archana Polampalli (4): nasm: fix CVE-2022-44370 git: fix CVE-2023-29007 git: fix CVE-2023-25652 git: ignore CVE-2023-25815 Arturo Buzarra (1): run-postinsts: Set dependency for ldconfig to avoid boot issues Bhabu Bindu (4): curl: Fix CVE-2023-28319 curl: Fix CVE-2023-28320 curl: Fix CVE-2023-28321 curl: Fix CVE-2023-28322 Bruce Ashfield (9): linux-yocto/5.15: update to v5.15.106 linux-yocto/5.15: update to v5.15.107 linux-yocto/5.15: update to v5.15.108 kernel: improve initramfs bundle processing time linux-yocto/5.10: update to v5.10.176 linux-yocto/5.10: update to v5.10.177 linux-yocto/5.10: update to v5.10.178 linux-yocto/5.10: update to v5.10.179 linux-yocto/5.10: update to v5.10.180 C. Andy Martin (1): systemd-networkd: backport fix for rm unmanaged wifi Christoph Lauer (1): populate_sdk_base: add zip options Daniel Ammann (1): overview-manual: concepts.rst: Fix a typo Deepthi Hemraj (5): glibc: stable 2.35 branch updates. binutils : Fix CVE-2023-25584 binutils : Fix CVE-2023-25585 binutils : Fix CVE-2023-1972 binutils : Fix CVE-2023-25588 Dmitry Baryshkov (1): linux-firmware: upgrade 20230210 -> 20230404 Eero Aaltonen (1): avahi: fix D-Bus introspection Enrico Jörns (1): package_manager/ipk: fix config path generation in _create_custom_config() Hitendra Prajapati (2): connman: fix CVE-2023-28488 DoS in client.c sysstat: Fix CVE-2023-33204 Jan Luebbe (1): p11-kit: add native to BBCLASSEXTEND Joe Slater (1): ghostscript: fix CVE-2023-29979 Kai Kang (1): webkitgtk: fix CVE-2022-32888 & CVE-2022-32923 Khem Raj (2): gcc-runtime: Use static dummy libstdc++ quilt: Fix merge.test race condition Lee Chee Yang (1): migration-guides: add release notes for 4.0.10 Marek Vasut (1): cpio: Fix wrong CRC with ASCII CRC for large files Martin Jansa (3): populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override llvm: backport a fix for build with gcc-13 kernel-devicetree: make shell scripts posix compliant Martin Siegumfeldt (1): systemd-systemctl: fix instance template WantedBy symlink construction Michael Halstead (2): uninative: Upgrade to 3.10 to support gcc 13 uninative: Upgrade to 4.0 to include latest gcc 13.1.1 Michael Opdenacker (2): conf.py: add macro for Mitre CVE links migration-guides: use new cve_mitre macro Ming Liu (1): weston: add xwayland to DEPENDS for PACKAGECONFIG xwayland Mingli Yu (1): ruby: Fix CVE-2023-28755 Narpat Mali (3): ffmpeg: fix for CVE-2022-48434 python3-cryptography: fix for CVE-2023-23931 python3-requests: fix for CVE-2023-32681 Omkar Patil (1): curl: Correction for CVE-2023-27536 Pablo Saavedra (1): gstreamer1.0: upgrade 1.20.5 -> 1.20.6 Pascal Bach (1): cmake: add CMAKE_SYSROOT to generated toolchain file Peter Bergin (1): update-alternatives.bbclass: fix old override syntax Peter Kjellerstedt (1): license.bbclass: Include LICENSE in the output when it fails to parse Peter Marko (2): libxml2: patch CVE-2023-28484 and CVE-2023-29469 openssl: Upgrade 3.0.8 -> 3.0.9 Piotr Łobacz (1): libarchive: Enable acls, xattr for native as well as target Quentin Schulz (1): Revert "docs: conf.py: fix cve extlinks caption for sphinx <4.0" Randolph Sapp (4): wic/bootimg-efi: if fixed-size is set then use that for mkdosfs kernel-devicetree: allow specification of dtb directory package: enable recursion on file globs kernel-devicetree: recursively search for dtbs Ranjitsinh Rathod (1): libbsd: Add correct license for all packages Richard Purdie (3): maintainers.inc: Fix email address typo maintainers.inc: Move repo to unassigned selftest/reproducible: Allow native/cross reuse in test Riyaz Khan (1): openssh: Remove BSD-4-clause contents completely from codebase Ross Burton (1): xserver-xorg: backport fix for CVE-2023-1393 Sakib Sajal (1): go: fix CVE-2023-24540 Shubham Kulkarni (1): go: Security fix for CVE-2023-24538 Soumya (1): perl: fix CVE-2023-31484 Steve Sakoman (3): Revert "xserver-xorg: backport fix for CVE-2023-1393" poky.conf: bump version for 4.0.10 build-appliance-image: Update to kirkstone head revision Thomas Roos (1): oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set Tom Hochstein (2): piglit: Add PACKAGECONFIG for glx and opencl piglit: Add missing glslang dependencies Upgrade Helper (1): waffle: upgrade 1.7.0 -> 1.7.2 Virendra Thakur (1): qemu: Whitelist CVE-2023-0664 Vivek Kumbhar (3): freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c go: fix CVE-2023-24534 denial of service from excessive memory allocation go: fix CVE-2023-24539 html/template improper sanitization of CSS values Wang Mingyu (2): wpebackend-fdo: upgrade 1.14.0 -> 1.14.2 xserver-xorg: upgrade 21.1.7 -> 21.1.8 Yoann Congal (1): linux-yocto: Exclude 121 CVEs already fixed upstream Yogita Urade (2): xorg-lib-common: Add variable to set tarball type libxpm: upgrade 3.5.13 -> 3.5.15 Zhixiong Chi (1): libpam: Fix the xtests/tst-pam_motd[1|3] failures Zoltan Boszormenyi (1): piglit: Fix build time dependency bkylerussell@gmail.com (1): kernel-devsrc: depend on python3-core instead of python3 leimaohui (1): nghttp2: Deleted the entries for -client and -server, and removed a dependency on them from the main package. meta-security: cc20e2af2a..d398cc6ea6: Armin Kuster (1): apparmor: fix ownership issues Josh Harley (1): Add EROFS support to dm-verity-img class Maciej Borzęcki (1): dm-verity-img.bbclass: add squashfs images Peter Marko (1): tpm2-tss: upgrade to 3.2.2 to fix CVE-2023-22745 Signed-off-by: Patrick Williams Change-Id: I683201033cfd1b1135738f49b0faf6df2e6348b6 --- .../recipes-devtools/binutils/binutils-2.38.inc | 6 + .../binutils/binutils/0022-CVE-2023-25584-1.patch | 56 +++ .../binutils/binutils/0022-CVE-2023-25584-2.patch | 38 ++ .../binutils/binutils/0022-CVE-2023-25584-3.patch | 534 +++++++++++++++++++++ .../binutils/binutils/0023-CVE-2023-25585.patch | 54 +++ .../binutils/binutils/0025-CVE-2023-25588.patch | 147 ++++++ .../binutils/binutils/0026-CVE-2023-1972.patch | 41 ++ poky/meta/recipes-devtools/gcc/gcc-runtime.inc | 3 +- .../recipes-devtools/git/git/CVE-2023-25652.patch | 94 ++++ .../recipes-devtools/git/git/CVE-2023-29007.patch | 162 +++++++ poky/meta/recipes-devtools/git/git_2.35.7.bb | 4 + poky/meta/recipes-devtools/go/go-1.17.13.inc | 4 + .../go/go-1.18/CVE-2023-24534.patch | 200 ++++++++ .../go/go-1.18/CVE-2023-24538.patch | 208 ++++++++ .../go/go-1.18/CVE-2023-24539.patch | 53 ++ .../go/go-1.19/CVE-2023-24540.patch | 93 ++++ ...t-Add-missing-cstdint-header-to-Signals.h.patch | 31 ++ poky/meta/recipes-devtools/llvm/llvm_git.bb | 1 + .../nasm/nasm/CVE-2022-44370.patch | 104 ++++ poky/meta/recipes-devtools/nasm/nasm_2.15.05.bb | 1 + .../perl/files/CVE-2023-31484.patch | 29 ++ poky/meta/recipes-devtools/perl/perl_5.34.1.bb | 1 + .../python3-cryptography/CVE-2023-23931.patch | 49 ++ .../python/python3-cryptography_36.0.2.bb | 1 + .../python/python3-requests/CVE-2023-32681.patch | 63 +++ .../python/python3-requests_2.27.1.bb | 2 + poky/meta/recipes-devtools/qemu/qemu.inc | 5 + poky/meta/recipes-devtools/quilt/quilt.inc | 1 + ...1-test-Fix-a-race-condition-in-merge.test.patch | 48 ++ .../ruby/ruby/CVE-2023-28755.patch | 68 +++ poky/meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 + .../run-postinsts/run-postinsts.service | 2 +- 32 files changed, 2102 insertions(+), 2 deletions(-) create mode 100644 poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch create mode 100644 poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch create mode 100644 poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch create mode 100644 poky/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch create mode 100644 poky/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch create mode 100644 poky/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch create mode 100644 poky/meta/recipes-devtools/git/git/CVE-2023-25652.patch create mode 100644 poky/meta/recipes-devtools/git/git/CVE-2023-29007.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch create mode 100644 poky/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch create mode 100644 poky/meta/recipes-devtools/llvm/llvm/0001-Support-Add-missing-cstdint-header-to-Signals.h.patch create mode 100644 poky/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch create mode 100644 poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch create mode 100644 poky/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch create mode 100644 poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch create mode 100644 poky/meta/recipes-devtools/quilt/quilt/0001-test-Fix-a-race-condition-in-merge.test.patch create mode 100644 poky/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch (limited to 'poky/meta/recipes-devtools') diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.38.inc b/poky/meta/recipes-devtools/binutils/binutils-2.38.inc index bf44e6c762..5c3ff3d93a 100644 --- a/poky/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/poky/meta/recipes-devtools/binutils/binutils-2.38.inc @@ -50,5 +50,11 @@ SRC_URI = "\ file://0021-CVE-2023-1579-2.patch \ file://0021-CVE-2023-1579-3.patch \ file://0021-CVE-2023-1579-4.patch \ + file://0022-CVE-2023-25584-1.patch \ + file://0022-CVE-2023-25584-2.patch \ + file://0022-CVE-2023-25584-3.patch \ + file://0023-CVE-2023-25585.patch \ + file://0026-CVE-2023-1972.patch \ + file://0025-CVE-2023-25588.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch b/poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch new file mode 100644 index 0000000000..990243f5c9 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch @@ -0,0 +1,56 @@ +From: Alan Modra +Date: Thu, 17 Mar 2022 09:35:39 +0000 (+1030) +Subject: ubsan: Null dereference in parse_module +X-Git-Tag: gdb-12.1-release~59 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c9178f285acf19e066be8367185d52837161b0a2 + +ubsan: Null dereference in parse_module + + * vms-alpha.c (parse_module): Sanity check that DST__K_RTNBEG + has set module->func_table for DST__K_RTNEND. Check return + of bfd_zalloc. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c9178f285acf19e066be8367185d52837161b0a2] + +CVE: CVE-2023-25584 + +Signed-off-by: Deepthi Hemraj + +--- + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index 4a92574c850..1129c98f0e2 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -4352,9 +4352,13 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + /* Initialize tables with zero element. */ + curr_srec = (struct srecinfo *) bfd_zalloc (abfd, sizeof (struct srecinfo)); ++ if (!curr_srec) ++ return false; + module->srec_table = curr_srec; + + curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo)); ++ if (!curr_line) ++ return false; + module->line_table = curr_line; + + while (length == -1 || ptr < maxptr) +@@ -4389,6 +4393,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + case DST__K_RTNBEG: + funcinfo = (struct funcinfo *) + bfd_zalloc (abfd, sizeof (struct funcinfo)); ++ if (!funcinfo) ++ return false; + funcinfo->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME, + maxptr - (ptr + DST_S_B_RTNBEG_NAME)); +@@ -4401,6 +4407,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNEND: ++ if (!module->func_table) ++ return false; + module->func_table->high = module->func_table->low + + bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1; + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch b/poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch new file mode 100644 index 0000000000..f4c5ed2aff --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch @@ -0,0 +1,38 @@ +From da928f639002002dfc649ed9f50492d5d6cb4cee Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Mon, 5 Dec 2022 11:11:44 +0000 +Subject: [PATCH] Fix an illegal memory access when parsing a corrupt VMS Alpha + file. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix an illegal memory access when parsing a corrupt VMS Alpha file. + + PR 29848 + * vms-alpha.c (parse_module): Fix potential out of bounds memory + access. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=942fa4fb32738ecbb447546d54f1e5f0312d2ed4] + +CVE: CVE-2023-25584 + +Signed-off-by: Deepthi Hemraj + +--- + bfd/vms-alpha.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index c548722c..53b3f1bf 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + return false; + module->line_table = curr_line; + +- while (length == -1 || ptr < maxptr) ++ while (length == -1 || (ptr + 3) < maxptr) + { + /* The first byte is not counted in the recorded length. */ + int rec_length = bfd_getl16 (ptr) + 1; diff --git a/poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch b/poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch new file mode 100644 index 0000000000..abe501e570 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch @@ -0,0 +1,534 @@ +From: Alan Modra +Date: Mon, 12 Dec 2022 07:58:49 +0000 (+1030) +Subject: Lack of bounds checking in vms-alpha.c parse_module +X-Git-Tag: gdb-13-branchpoint~87 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=77c225bdeb410cf60da804879ad41622f5f1aa44 + +Lack of bounds checking in vms-alpha.c parse_module + + PR 29873 + PR 29874 + PR 29875 + PR 29876 + PR 29877 + PR 29878 + PR 29879 + PR 29880 + PR 29881 + PR 29882 + PR 29883 + PR 29884 + PR 29885 + PR 29886 + PR 29887 + PR 29888 + PR 29889 + PR 29890 + PR 29891 + * vms-alpha.c (parse_module): Make length param bfd_size_type. + Delete length == -1 checks. Sanity check record_length. + Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths. + Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements + before accessing. + (build_module_list): Pass dst_section size to parse_module. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=77c225bdeb410cf60da804879ad41622f5f1aa44] + +CVE: CVE-2023-25584 + +Signed-off-by: Deepthi Hemraj + +--- + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index c0eb5bc5a2a..3b63259cc81 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -4340,7 +4340,7 @@ new_module (bfd *abfd) + + static bool + parse_module (bfd *abfd, struct module *module, unsigned char *ptr, +- int length) ++ bfd_size_type length) + { + unsigned char *maxptr = ptr + length; + unsigned char *src_ptr, *pcl_ptr; +@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + return false; + module->line_table = curr_line; + +- while (length == -1 || (ptr + 3) < maxptr) ++ while (ptr + 3 < maxptr) + { + /* The first byte is not counted in the recorded length. */ + int rec_length = bfd_getl16 (ptr) + 1; +@@ -4369,15 +4369,19 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type)); + +- if (length == -1 && rec_type == DST__K_MODEND) ++ if (rec_length > maxptr - ptr) ++ break; ++ if (rec_type == DST__K_MODEND) + break; + + switch (rec_type) + { + case DST__K_MODBEG: ++ if (rec_length <= DST_S_B_MODBEG_NAME) ++ break; + module->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME, +- maxptr - (ptr + DST_S_B_MODBEG_NAME)); ++ rec_length - DST_S_B_MODBEG_NAME); + + curr_pc = 0; + prev_pc = 0; +@@ -4391,13 +4395,15 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNBEG: ++ if (rec_length <= DST_S_B_RTNBEG_NAME) ++ break; + funcinfo = (struct funcinfo *) + bfd_zalloc (abfd, sizeof (struct funcinfo)); + if (!funcinfo) + return false; + funcinfo->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME, +- maxptr - (ptr + DST_S_B_RTNBEG_NAME)); ++ rec_length - DST_S_B_RTNBEG_NAME); + funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS); + funcinfo->next = module->func_table; + module->func_table = funcinfo; +@@ -4407,6 +4413,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNEND: ++ if (rec_length < DST_S_L_RTNEND_SIZE + 4) ++ break; + if (!module->func_table) + return false; + module->func_table->high = module->func_table->low +@@ -4439,10 +4447,63 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((3, "source info\n")); + +- while (src_ptr < ptr + rec_length) ++ while (src_ptr - ptr < rec_length) + { + int cmd = src_ptr[0], cmd_length, data; + ++ switch (cmd) ++ { ++ case DST__K_SRC_DECLFILE: ++ if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length) ++ cmd_length = 0x10000; ++ else ++ cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2; ++ break; ++ ++ case DST__K_SRC_DEFLINES_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SRC_DEFLINES_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_INCRLNUM_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SRC_SETFILE: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_SETLNUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SRC_SETLNUM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_SETREC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SRC_SETREC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_FORMFEED: ++ cmd_length = 1; ++ break; ++ ++ default: ++ cmd_length = 2; ++ break; ++ } ++ ++ if (src_ptr - ptr + cmd_length > rec_length) ++ break; ++ + switch (cmd) + { + case DST__K_SRC_DECLFILE: +@@ -4467,7 +4528,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + module->file_table [fileid].name = filename; + module->file_table [fileid].srec = 1; +- cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2; + vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n", + fileid, module->file_table [fileid].name)); + } +@@ -4484,7 +4544,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + srec->sfile = curr_srec->sfile; + curr_srec->next = srec; + curr_srec = srec; +- cmd_length = 2; + vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data)); + break; + +@@ -4499,14 +4558,12 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + srec->sfile = curr_srec->sfile; + curr_srec->next = srec; + curr_srec = srec; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data)); + break; + + case DST__K_SRC_INCRLNUM_B: + data = src_ptr[DST_S_B_SRC_UNSBYTE]; + curr_srec->line += data; +- cmd_length = 2; + vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data)); + break; + +@@ -4514,21 +4571,18 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->sfile = data; + curr_srec->srec = module->file_table[data].srec; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETFILE: %d\n", data)); + break; + + case DST__K_SRC_SETLNUM_L: + data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG); + curr_srec->line = data; +- cmd_length = 5; + vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data)); + break; + + case DST__K_SRC_SETLNUM_W: + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->line = data; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data)); + break; + +@@ -4536,7 +4590,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG); + curr_srec->srec = data; + module->file_table[curr_srec->sfile].srec = data; +- cmd_length = 5; + vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data)); + break; + +@@ -4544,19 +4597,16 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->srec = data; + module->file_table[curr_srec->sfile].srec = data; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data)); + break; + + case DST__K_SRC_FORMFEED: +- cmd_length = 1; + vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n")); + break; + + default: + _bfd_error_handler (_("unknown source command %d"), + cmd); +- cmd_length = 2; + break; + } + +@@ -4569,18 +4619,114 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((3, "line info\n")); + +- while (pcl_ptr < ptr + rec_length) ++ while (pcl_ptr - ptr < rec_length) + { + /* The command byte is signed so we must sign-extend it. */ + int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data; + ++ switch (cmd) ++ { ++ case DST__K_DELTA_PC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_DELTA_PC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_INCR_LINUM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_INCR_LINUM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_INCR_LINUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_LINUM_INCR: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_LINUM_INCR_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_RESET_LINUM_INCR: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_BEG_STMT_MODE: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_END_STMT_MODE: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_SET_LINUM_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_LINUM: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SET_LINUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_PC: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_PC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SET_PC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_STMTNUM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_TERM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_TERM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_TERM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_ABS_PC: ++ cmd_length = 5; ++ break; ++ ++ default: ++ if (cmd <= 0) ++ cmd_length = 1; ++ else ++ cmd_length = 2; ++ break; ++ } ++ ++ if (pcl_ptr - ptr + cmd_length > rec_length) ++ break; ++ + switch (cmd) + { + case DST__K_DELTA_PC_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_pc += data; + curr_linenum += 1; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data)); + break; + +@@ -4588,131 +4734,111 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc += data; + curr_linenum += 1; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data)); + break; + + case DST__K_INCR_LINUM: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_linenum += data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data)); + break; + + case DST__K_INCR_LINUM_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_linenum += data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data)); + break; + + case DST__K_INCR_LINUM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_linenum += data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data)); + break; + + case DST__K_SET_LINUM_INCR: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_LINUM_INCR"); +- cmd_length = 2; + break; + + case DST__K_SET_LINUM_INCR_W: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_LINUM_INCR_W"); +- cmd_length = 3; + break; + + case DST__K_RESET_LINUM_INCR: + _bfd_error_handler + (_("%s not implemented"), "DST__K_RESET_LINUM_INCR"); +- cmd_length = 1; + break; + + case DST__K_BEG_STMT_MODE: + _bfd_error_handler + (_("%s not implemented"), "DST__K_BEG_STMT_MODE"); +- cmd_length = 1; + break; + + case DST__K_END_STMT_MODE: + _bfd_error_handler + (_("%s not implemented"), "DST__K_END_STMT_MODE"); +- cmd_length = 1; + break; + + case DST__K_SET_LINUM_B: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_linenum = data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data)); + break; + + case DST__K_SET_LINUM: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_linenum = data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data)); + break; + + case DST__K_SET_LINUM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_linenum = data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data)); + break; + + case DST__K_SET_PC: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC"); +- cmd_length = 2; + break; + + case DST__K_SET_PC_W: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC_W"); +- cmd_length = 3; + break; + + case DST__K_SET_PC_L: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC_L"); +- cmd_length = 5; + break; + + case DST__K_SET_STMTNUM: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_STMTNUM"); +- cmd_length = 2; + break; + + case DST__K_TERM: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_pc += data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_TERM: %d\n", data)); + break; + + case DST__K_TERM_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_pc += data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_TERM_W: %d\n", data)); + break; + + case DST__K_TERM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc += data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_TERM_L: %d\n", data)); + break; + + case DST__K_SET_ABS_PC: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc = data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data)); + break; + +@@ -4721,15 +4847,11 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + { + curr_pc -= cmd; + curr_linenum += 1; +- cmd_length = 1; + vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n", + (unsigned long)curr_pc, curr_linenum)); + } + else +- { +- _bfd_error_handler (_("unknown line command %d"), cmd); +- cmd_length = 2; +- } ++ _bfd_error_handler (_("unknown line command %d"), cmd); + break; + } + +@@ -4859,7 +4981,8 @@ build_module_list (bfd *abfd) + return NULL; + + module = new_module (abfd); +- if (!parse_module (abfd, module, PRIV (dst_section)->contents, -1)) ++ if (!parse_module (abfd, module, PRIV (dst_section)->contents, ++ PRIV (dst_section)->size)) + return NULL; + list = module; + } diff --git a/poky/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch b/poky/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch new file mode 100644 index 0000000000..e31a027b9f --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch @@ -0,0 +1,54 @@ +From: Alan Modra +Date: Mon, 12 Dec 2022 08:31:08 +0000 (+1030) +Subject: PR29892, Field file_table of struct module is uninitialized +X-Git-Tag: gdb-13-branchpoint~86 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7 + +PR29892, Field file_table of struct module is uninitialized + + PR 29892 + * vms-alphs.c (new_module): Use bfd_zmalloc to alloc file_table. + (parse_module): Rewrite file_table reallocation code and clear. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7] + +CVE: CVE-2023-25585 + +Signed-off-by: Deepthi Hemraj + +--- + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index 3b63259cc81..6ee7060b0b2 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -4337,7 +4337,7 @@ new_module (bfd *abfd) + = (struct module *) bfd_zalloc (abfd, sizeof (struct module)); + module->file_table_count = 16; /* Arbitrary. */ + module->file_table +- = bfd_malloc (module->file_table_count * sizeof (struct fileinfo)); ++ = bfd_zmalloc (module->file_table_count * sizeof (struct fileinfo)); + return module; + } + +@@ -4520,15 +4520,18 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + src_ptr + DST_S_B_SRC_DF_FILENAME, + ptr + rec_length - (src_ptr + DST_S_B_SRC_DF_FILENAME)); + +- while (fileid >= module->file_table_count) ++ if (fileid >= module->file_table_count) + { +- module->file_table_count *= 2; ++ unsigned int old_count = module->file_table_count; ++ module->file_table_count += fileid; + module->file_table + = bfd_realloc_or_free (module->file_table, + module->file_table_count + * sizeof (struct fileinfo)); + if (module->file_table == NULL) + return false; ++ memset (module->file_table + old_count, 0, ++ fileid * sizeof (struct fileinfo)); + } + + module->file_table [fileid].name = filename; diff --git a/poky/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch b/poky/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch new file mode 100644 index 0000000000..142d201c40 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch @@ -0,0 +1,147 @@ +From: Alan Modra +Date: Fri, 14 Oct 2022 00:00:21 +0000 (+1030) +Subject: PR29677, Field `the_bfd` of `asymbol` is uninitialised +X-Git-Tag: gdb-13-branchpoint~871 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1 + +PR29677, Field `the_bfd` of `asymbol` is uninitialised + +Besides not initialising the_bfd of synthetic symbols, counting +symbols when sizing didn't match symbols created if there were any +dynsyms named "". We don't want synthetic symbols without names +anyway, so get rid of them. Also, simplify and correct sanity checks. + + PR 29677 + * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1] + +CVE: CVE-2023-25588 + +Signed-off-by: Deepthi Hemraj + +--- + +diff --git a/bfd/mach-o.c b/bfd/mach-o.c +index acb35e7f0c6..5279343768c 100644 +--- a/bfd/mach-o.c ++++ b/bfd/mach-o.c +@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + bfd_mach_o_symtab_command *symtab = mdata->symtab; + asymbol *s; + char * s_start; +- char * s_end; + unsigned long count, i, j, n; + size_t size; + char *names; +- char *nul_name; + const char stub [] = "$stub"; + + *ret = NULL; +@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + /* We need to allocate a bfd symbol for every indirect symbol and to + allocate the memory for its name. */ + count = dysymtab->nindirectsyms; +- size = count * sizeof (asymbol) + 1; +- ++ size = 0; + for (j = 0; j < count; j++) + { +- const char * strng; + unsigned int isym = dysymtab->indirect_syms[j]; ++ const char *str; + + /* Some indirect symbols are anonymous. */ +- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name)) +- /* PR 17512: file: f5b8eeba. */ +- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub); ++ if (isym < symtab->nsyms ++ && (str = symtab->symbols[isym].symbol.name) != NULL) ++ { ++ /* PR 17512: file: f5b8eeba. */ ++ size += strnlen (str, symtab->strsize - (str - symtab->strtab)); ++ size += sizeof (stub); ++ } + } + +- s_start = bfd_malloc (size); ++ s_start = bfd_malloc (size + count * sizeof (asymbol)); + s = *ret = (asymbol *) s_start; + if (s == NULL) + return -1; + names = (char *) (s + count); +- nul_name = names; +- *names++ = 0; +- s_end = s_start + size; + + n = 0; + for (i = 0; i < mdata->nsects; i++) +@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + entry_size = bfd_mach_o_section_get_entry_size (abfd, sec); + + /* PR 17512: file: 08e15eec. */ +- if (first >= count || last >= count || first > last) ++ if (first >= count || last > count || first > last) + goto fail; + + for (j = first; j < last; j++) + { + unsigned int isym = dysymtab->indirect_syms[j]; +- +- /* PR 17512: file: 04d64d9b. */ +- if (((char *) s) + sizeof (* s) > s_end) +- goto fail; +- +- s->flags = BSF_GLOBAL | BSF_SYNTHETIC; +- s->section = sec->bfdsection; +- s->value = addr - sec->addr; +- s->udata.p = NULL; ++ const char *str; ++ size_t len; + + if (isym < symtab->nsyms +- && symtab->symbols[isym].symbol.name) ++ && (str = symtab->symbols[isym].symbol.name) != NULL) + { +- const char *sym = symtab->symbols[isym].symbol.name; +- size_t len; +- +- s->name = names; +- len = strlen (sym); +- /* PR 17512: file: 47dfd4d2. */ +- if (names + len >= s_end) ++ /* PR 17512: file: 04d64d9b. */ ++ if (n >= count) + goto fail; +- memcpy (names, sym, len); +- names += len; +- /* PR 17512: file: 18f340a4. */ +- if (names + sizeof (stub) >= s_end) ++ len = strnlen (str, symtab->strsize - (str - symtab->strtab)); ++ /* PR 17512: file: 47dfd4d2, 18f340a4. */ ++ if (size < len + sizeof (stub)) + goto fail; +- memcpy (names, stub, sizeof (stub)); +- names += sizeof (stub); ++ memcpy (names, str, len); ++ memcpy (names + len, stub, sizeof (stub)); ++ s->name = names; ++ names += len + sizeof (stub); ++ size -= len + sizeof (stub); ++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd; ++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC; ++ s->section = sec->bfdsection; ++ s->value = addr - sec->addr; ++ s->udata.p = NULL; ++ s++; ++ n++; + } +- else +- s->name = nul_name; +- + addr += entry_size; +- s++; +- n++; + } + break; + default: diff --git a/poky/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch b/poky/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch new file mode 100644 index 0000000000..f86adad217 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch @@ -0,0 +1,41 @@ +From: Nick Clifton +Date: Thu, 30 Mar 2023 09:10:09 +0000 (+0100) +Subject: Fix an illegal memory access when an accessing a zer0-lengthverdef table. +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57 + +Fix an illegal memory access when an accessing a zer0-lengthverdef table. + + PR 30285 + * elf.c (_bfd_elf_slurp_version_tables): Fail if no version definitions are allocated. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57] + +CVE: CVE-2023-1972 + +Signed-off-by: Deepthi Hemraj + +--- + +diff --git a/bfd/elf.c b/bfd/elf.c +index 027d0143735..185028cbd97 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -9030,6 +9030,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return_verdef; + } ++ ++ if (amt == 0) ++ goto error_return_verdef; + elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return_verdef; +@@ -9133,6 +9136,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return; + } ++ if (amt == 0) ++ goto error_return; + elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return; diff --git a/poky/meta/recipes-devtools/gcc/gcc-runtime.inc b/poky/meta/recipes-devtools/gcc/gcc-runtime.inc index 8074bf1025..d019b0790b 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-runtime.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-runtime.inc @@ -68,7 +68,8 @@ do_configure () { # libstdc++ isn't built yet so CXX would error not able to find it which breaks stdc++'s configure # tests. Create a dummy empty lib for the purposes of configure. mkdir -p ${WORKDIR}/dummylib - ${CC} -x c /dev/null -nostartfiles -shared -o ${WORKDIR}/dummylib/libstdc++.so + ${CC} -x c /dev/null -c -o ${WORKDIR}/dummylib/dummylib.o + ${AR} rcs ${WORKDIR}/dummylib/libstdc++.a ${WORKDIR}/dummylib/dummylib.o for d in libgcc ${RUNTIMETARGET}; do echo "Configuring $d" rm -rf ${B}/${TARGET_SYS}/$d/ diff --git a/poky/meta/recipes-devtools/git/git/CVE-2023-25652.patch b/poky/meta/recipes-devtools/git/git/CVE-2023-25652.patch new file mode 100644 index 0000000000..825701eaff --- /dev/null +++ b/poky/meta/recipes-devtools/git/git/CVE-2023-25652.patch @@ -0,0 +1,94 @@ +From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin +Date: Thu Mar 9 16:02:54 2023 +0100 +Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it + exists + + The `git apply --reject` is expected to write out `.rej` files in case + one or more hunks fail to apply cleanly. Historically, the command + overwrites any existing `.rej` files. The idea being that + apply/reject/edit cycles are relatively common, and the generated `.rej` + files are not considered precious. + + But the command does not overwrite existing `.rej` symbolic links, and + instead follows them. This is unsafe because the same patch could + potentially create such a symbolic link and point at arbitrary paths + outside the current worktree, and `git apply` would write the contents + of the `.rej` file into that location. + + Therefore, let's make sure that any existing `.rej` file or symbolic + link is removed before writing it. + + Reported-by: RyotaK + Helped-by: Taylor Blau + Helped-by: Junio C Hamano + Helped-by: Linus Torvalds + Signed-off-by: Johannes Schindelin + +CVE: CVE-2023-25652 +Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b] + +Signed-off-by: Archana Polampalli +--- + apply.c | 14 ++++++++++++-- + t/t4115-apply-symlink.sh | 15 +++++++++++++++ + 2 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/apply.c b/apply.c +index fc6f484..47f2686 100644 +--- a/apply.c ++++ b/apply.c +@@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + FILE *rej; + char namebuf[PATH_MAX]; + struct fragment *frag; +- int cnt = 0; ++ int fd, cnt = 0; + struct strbuf sb = STRBUF_INIT; + + for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) { +@@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + memcpy(namebuf, patch->new_name, cnt); + memcpy(namebuf + cnt, ".rej", 5); + +- rej = fopen(namebuf, "w"); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) { ++ if (errno != EEXIST) ++ return error_errno(_("cannot open %s"), namebuf); ++ if (unlink(namebuf)) ++ return error_errno(_("cannot unlink '%s'"), namebuf); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) ++ return error_errno(_("cannot open %s"), namebuf); ++ } ++ rej = fdopen(fd, "w"); + if (!rej) + return error_errno(_("cannot open %s"), namebuf); + +diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh +index 65ac7df..e95e6d4 100755 +--- a/t/t4115-apply-symlink.sh ++++ b/t/t4115-apply-symlink.sh +@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' ' + test_path_is_file .git/delete-me + ' + ++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' ' ++ test_when_finished "git reset --hard && git clean -dfx" && ++ ++ test_commit file && ++ echo modified >file.t && ++ git diff -- file.t >patch && ++ echo modified-again >file.t && ++ ++ ln -s foo file.t.rej && ++ test_must_fail git apply patch --reject 2>err && ++ test_i18ngrep "Rejected hunk" err && ++ test_path_is_missing foo && ++ test_path_is_file file.t.rej ++' ++ + test_done +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/git/git/CVE-2023-29007.patch b/poky/meta/recipes-devtools/git/git/CVE-2023-29007.patch new file mode 100644 index 0000000000..472f4022b2 --- /dev/null +++ b/poky/meta/recipes-devtools/git/git/CVE-2023-29007.patch @@ -0,0 +1,162 @@ +From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001 +From: Taylor Blau +Date: Fri, 14 Apr 2023 11:46:59 -0400 +Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection' + +Avoids issues with renaming or deleting sections with long lines, where +configuration values may be interpreted as sections, leading to +configuration injection. Addresses CVE-2023-29007. + +* tb/config-copy-or-rename-in-file-injection: + config.c: disallow overly-long lines in `copy_or_rename_section_in_file()` + config.c: avoid integer truncation in `copy_or_rename_section_in_file()` + config: avoid fixed-sized buffer when renaming/deleting a section + t1300: demonstrate failure when renaming sections with long lines + +Signed-off-by: Taylor Blau + +Upstream-Status: Backport +CVE: CVE-2023-29007 + +Reference to upstream patch: +https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4 + +Signed-off-by: Archana Polampalli +--- + config.c | 36 +++++++++++++++++++++++++----------- + t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 55 insertions(+), 11 deletions(-) + +diff --git a/config.c b/config.c +index 2bffa8d..6a01938 100644 +--- a/config.c ++++ b/config.c +@@ -3192,9 +3192,10 @@ void git_config_set_multivar(const char *key, const char *value, + flags); + } + +-static int section_name_match (const char *buf, const char *name) ++static size_t section_name_match (const char *buf, const char *name) + { +- int i = 0, j = 0, dot = 0; ++ size_t i = 0, j = 0; ++ int dot = 0; + if (buf[i] != '[') + return 0; + for (i = 1; buf[i] && buf[i] != ']'; i++) { +@@ -3247,6 +3248,8 @@ static int section_name_is_ok(const char *name) + return 1; + } + ++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024) ++ + /* if new_name == NULL, the section is removed instead */ + static int git_config_copy_or_rename_section_in_file(const char *config_filename, + const char *old_name, +@@ -3256,11 +3259,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + char *filename_buf = NULL; + struct lock_file lock = LOCK_INIT; + int out_fd; +- char buf[1024]; ++ struct strbuf buf = STRBUF_INIT; + FILE *config_file = NULL; + struct stat st; + struct strbuf copystr = STRBUF_INIT; + struct config_store_data store; ++ uint32_t line_nr = 0; + + memset(&store, 0, sizeof(store)); + +@@ -3297,16 +3301,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + goto out; + } + +- while (fgets(buf, sizeof(buf), config_file)) { +- unsigned i; +- int length; ++ while (!strbuf_getwholeline(&buf, config_file, '\n')) { ++ size_t i, length; + int is_section = 0; +- char *output = buf; +- for (i = 0; buf[i] && isspace(buf[i]); i++) ++ char *output = buf.buf; ++ ++ line_nr++; ++ ++ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) { ++ ret = error(_("refusing to work with overly long line " ++ "in '%s' on line %"PRIuMAX), ++ config_filename, (uintmax_t)line_nr); ++ goto out; ++ } ++ ++ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++) + ; /* do nothing */ +- if (buf[i] == '[') { ++ if (buf.buf[i] == '[') { + /* it's a section */ +- int offset; ++ size_t offset; + is_section = 1; + + /* +@@ -3323,7 +3336,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + strbuf_reset(©str); + } + +- offset = section_name_match(&buf[i], old_name); ++ offset = section_name_match(&buf.buf[i], old_name); + if (offset > 0) { + ret++; + if (new_name == NULL) { +@@ -3398,6 +3411,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + out_no_rollback: + free(filename_buf); + config_store_data_clear(&store); ++ strbuf_release(&buf); + return ret; + } + +diff --git a/t/t1300-config.sh b/t/t1300-config.sh +index 78359f1..b07feb1 100755 +--- a/t/t1300-config.sh ++++ b/t/t1300-config.sh +@@ -617,6 +617,36 @@ test_expect_success 'renaming to bogus section is rejected' ' + test_must_fail git config --rename-section branch.zwei "bogus name" + ' + ++test_expect_success 'renaming a section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y b.e ++' ++ ++test_expect_success 'renaming an embedded section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] [foo] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y foo.e ++' ++ ++test_expect_success 'renaming a section with an overly-long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %525000s e" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ test_must_fail git config -f y --rename-section a xyz 2>err && ++ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err ++' ++ + cat >> .git/config << EOF + [branch "zwei"] a = 1 [branch "vier"] + EOF +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/git/git_2.35.7.bb b/poky/meta/recipes-devtools/git/git_2.35.7.bb index faf0b67051..9e7b0a8cff 100644 --- a/poky/meta/recipes-devtools/git/git_2.35.7.bb +++ b/poky/meta/recipes-devtools/git/git_2.35.7.bb @@ -10,6 +10,8 @@ PROVIDES:append:class-native = " git-replacement-native" SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ file://fixsort.patch \ file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \ + file://CVE-2023-29007.patch \ + file://CVE-2023-25652.patch \ " S = "${WORKDIR}/git-${PV}" @@ -35,6 +37,8 @@ CVE_CHECK_IGNORE += "CVE-2022-24975" CVE_CHECK_IGNORE += "CVE-2022-41953" # specific to Git for Windows CVE_CHECK_IGNORE += "CVE-2023-22743" +# This is specific to Git-for-Windows +CVE_CHECK_IGNORE += "CVE-2023-25815" PACKAGECONFIG ??= "expat curl" PACKAGECONFIG[cvsserver] = "" diff --git a/poky/meta/recipes-devtools/go/go-1.17.13.inc b/poky/meta/recipes-devtools/go/go-1.17.13.inc index cda9227042..d430e0669d 100644 --- a/poky/meta/recipes-devtools/go/go-1.17.13.inc +++ b/poky/meta/recipes-devtools/go/go-1.17.13.inc @@ -28,6 +28,10 @@ SRC_URI += "\ file://cve-2022-41725.patch \ file://CVE-2022-41722.patch \ file://CVE-2023-24537.patch \ + file://CVE-2023-24534.patch \ + file://CVE-2023-24538.patch \ + file://CVE-2023-24540.patch \ + file://CVE-2023-24539.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch b/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch new file mode 100644 index 0000000000..c65c7852d5 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch @@ -0,0 +1,200 @@ +From d6759e7a059f4208f07aa781402841d7ddaaef96 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 10 Mar 2023 14:21:05 -0800 +Subject: [PATCH] [release-branch.go1.19] net/textproto: avoid overpredicting + the number of MIME header keys + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802452 +Run-TryBot: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-by: Julie Qiu +(cherry picked from commit f739f080a72fd5b06d35c8e244165159645e2ed6) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802393 +Reviewed-by: Damien Neil +Run-TryBot: Roland Shoemaker +Change-Id: I675451438d619a9130360c56daf529559004903f +Reviewed-on: https://go-review.googlesource.com/c/go/+/481982 +Run-TryBot: Michael Knyszek +TryBot-Result: Gopher Robot +Reviewed-by: Matthew Dempsky +Auto-Submit: Michael Knyszek + +Upstream-Status: Backport [https://github.com/golang/go/commit/d6759e7a059f4208f07aa781402841d7ddaaef96] +CVE: CVE-2023-24534 +Signed-off-by: Vivek Kumbhar + +--- + src/bytes/bytes.go | 14 ++++++++ + src/net/textproto/reader.go | 30 ++++++++++------ + src/net/textproto/reader_test.go | 59 ++++++++++++++++++++++++++++++++ + 3 files changed, 92 insertions(+), 11 deletions(-) + +diff --git a/src/bytes/bytes.go b/src/bytes/bytes.go +index ce52649..95ff31c 100644 +--- a/src/bytes/bytes.go ++++ b/src/bytes/bytes.go +@@ -1174,3 +1174,17 @@ func Index(s, sep []byte) int { + } + return -1 + } ++ ++// Cut slices s around the first instance of sep, ++// returning the text before and after sep. ++// The found result reports whether sep appears in s. ++// If sep does not appear in s, cut returns s, nil, false. ++// ++// Cut returns slices of the original slice s, not copies. ++func Cut(s, sep []byte) (before, after []byte, found bool) { ++ if i := Index(s, sep); i >= 0 { ++ return s[:i], s[i+len(sep):], true ++ } ++ return s, nil, false ++} ++ +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index 6a680f4..fcbede8 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -493,8 +493,11 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) { + // large one ahead of time which we'll cut up into smaller + // slices. If this isn't big enough later, we allocate small ones. + var strs []string +- hint := r.upcomingHeaderNewlines() ++ hint := r.upcomingHeaderKeys() + if hint > 0 { ++ if hint > 1000 { ++ hint = 1000 // set a cap to avoid overallocation ++ } + strs = make([]string, hint) + } + +@@ -589,9 +592,11 @@ func mustHaveFieldNameColon(line []byte) error { + return nil + } + +-// upcomingHeaderNewlines returns an approximation of the number of newlines ++var nl = []byte("\n") ++ ++// upcomingHeaderKeys returns an approximation of the number of keys + // that will be in this header. If it gets confused, it returns 0. +-func (r *Reader) upcomingHeaderNewlines() (n int) { ++func (r *Reader) upcomingHeaderKeys() (n int) { + // Try to determine the 'hint' size. + r.R.Peek(1) // force a buffer load if empty + s := r.R.Buffered() +@@ -599,17 +604,20 @@ func (r *Reader) upcomingHeaderNewlines() (n int) { + return + } + peek, _ := r.R.Peek(s) +- for len(peek) > 0 { +- i := bytes.IndexByte(peek, '\n') +- if i < 3 { +- // Not present (-1) or found within the next few bytes, +- // implying we're at the end ("\r\n\r\n" or "\n\n") +- return ++ for len(peek) > 0 && n < 1000 { ++ var line []byte ++ line, peek, _ = bytes.Cut(peek, nl) ++ if len(line) == 0 || (len(line) == 1 && line[0] == '\r') { ++ // Blank line separating headers from the body. ++ break ++ } ++ if line[0] == ' ' || line[0] == '\t' { ++ // Folded continuation of the previous line. ++ continue + } + n++ +- peek = peek[i+1:] + } +- return ++ return n + } + + // CanonicalMIMEHeaderKey returns the canonical format of the +diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 3124d43..3ae0de1 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -9,6 +9,7 @@ import ( + "bytes" + "io" + "reflect" ++ "runtime" + "strings" + "testing" + ) +@@ -127,6 +128,42 @@ func TestReadMIMEHeaderSingle(t *testing.T) { + } + } + ++// TestReaderUpcomingHeaderKeys is testing an internal function, but it's very ++// difficult to test well via the external API. ++func TestReaderUpcomingHeaderKeys(t *testing.T) { ++ for _, test := range []struct { ++ input string ++ want int ++ }{{ ++ input: "", ++ want: 0, ++ }, { ++ input: "A: v", ++ want: 1, ++ }, { ++ input: "A: v\r\nB: v\r\n", ++ want: 2, ++ }, { ++ input: "A: v\nB: v\n", ++ want: 2, ++ }, { ++ input: "A: v\r\n continued\r\n still continued\r\nB: v\r\n\r\n", ++ want: 2, ++ }, { ++ input: "A: v\r\n\r\nB: v\r\nC: v\r\n", ++ want: 1, ++ }, { ++ input: "A: v" + strings.Repeat("\n", 1000), ++ want: 1, ++ }} { ++ r := reader(test.input) ++ got := r.upcomingHeaderKeys() ++ if test.want != got { ++ t.Fatalf("upcomingHeaderKeys(%q): %v; want %v", test.input, got, test.want) ++ } ++ } ++} ++ + func TestReadMIMEHeaderNoKey(t *testing.T) { + r := reader(": bar\ntest-1: 1\n\n") + m, err := r.ReadMIMEHeader() +@@ -223,6 +260,28 @@ func TestReadMIMEHeaderTrimContinued(t *testing.T) { + } + } + ++// Test that reading a header doesn't overallocate. Issue 58975. ++func TestReadMIMEHeaderAllocations(t *testing.T) { ++ var totalAlloc uint64 ++ const count = 200 ++ for i := 0; i < count; i++ { ++ r := reader("A: b\r\n\r\n" + strings.Repeat("\n", 4096)) ++ var m1, m2 runtime.MemStats ++ runtime.ReadMemStats(&m1) ++ _, err := r.ReadMIMEHeader() ++ if err != nil { ++ t.Fatalf("ReadMIMEHeader: %v", err) ++ } ++ runtime.ReadMemStats(&m2) ++ totalAlloc += m2.TotalAlloc - m1.TotalAlloc ++ } ++ // 32k is large and we actually allocate substantially less, ++ // but prior to the fix for #58975 we allocated ~400k in this case. ++ if got, want := totalAlloc/count, uint64(32768); got > want { ++ t.Fatalf("ReadMIMEHeader allocated %v bytes, want < %v", got, want) ++ } ++} ++ + type readResponseTest struct { + in string + inCode int +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch b/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch new file mode 100644 index 0000000000..502486befc --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch @@ -0,0 +1,208 @@ +From 07cc3b8711a8efbb5885f56dd90d854049ad2f7d Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Mon, 20 Mar 2023 11:01:13 -0700 +Subject: [PATCH] html/template: disallow actions in JS template literals + +ECMAScript 6 introduced template literals[0][1] which are delimited with +backticks. These need to be escaped in a similar fashion to the +delimiters for other string literals. Additionally template literals can +contain special syntax for string interpolation. + +There is no clear way to allow safe insertion of actions within JS +template literals, as handling (JS) string interpolation inside of these +literals is rather complex. As such we've chosen to simply disallow +template actions within these template literals. + +A new error code is added for this parsing failure case, errJsTmplLit, +but it is unexported as it is not backwards compatible with other minor +release versions to introduce an API change in a minor release. We will +export this code in the next major release. + +The previous behavior (with the cavet that backticks are now escaped +properly) can be re-enabled with GODEBUG=jstmpllitinterp=1. + +This change subsumes CL471455. + +Thanks to Sohom Datta, Manipal Institute of Technology, for reporting +this issue. + +Fixes CVE-2023-24538 +For #59234 +Fixes #59271 + +[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals +[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457 +Reviewed-by: Damien Neil +Run-TryBot: Damien Neil +Reviewed-by: Julie Qiu +Reviewed-by: Roland Shoemaker +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612 +Run-TryBot: Roland Shoemaker +Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c +Reviewed-on: https://go-review.googlesource.com/c/go/+/481987 +Auto-Submit: Michael Knyszek +TryBot-Result: Gopher Robot +Run-TryBot: Michael Knyszek +Reviewed-by: Matthew Dempsky + +Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni +--- + src/html/template/context.go | 2 ++ + src/html/template/error.go | 13 +++++++++++++ + src/html/template/escape.go | 11 +++++++++++ + src/html/template/js.go | 2 ++ + src/html/template/jsctx_string.go | 9 +++++++++ + src/html/template/transition.go | 7 ++++++- + 6 files changed, 43 insertions(+), 1 deletion(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f7d4849..0b65313 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -116,6 +116,8 @@ const ( + stateJSDqStr + // stateJSSqStr occurs inside a JavaScript single quoted string. + stateJSSqStr ++ // stateJSBqStr occurs inside a JavaScript back quoted string. ++ stateJSBqStr + // stateJSRegexp occurs inside a JavaScript regexp literal. + stateJSRegexp + // stateJSBlockCmt occurs inside a JavaScript /* block comment */. +diff --git a/src/html/template/error.go b/src/html/template/error.go +index 0e52706..fd26b64 100644 +--- a/src/html/template/error.go ++++ b/src/html/template/error.go +@@ -211,6 +211,19 @@ const ( + // pipeline occurs in an unquoted attribute value context, "html" is + // disallowed. Avoid using "html" and "urlquery" entirely in new templates. + ErrPredefinedEscaper ++ ++ // errJSTmplLit: "... appears in a JS template literal" ++ // Example: ++ // ++ // Discussion: ++ // Package html/template does not support actions inside of JS template ++ // literals. ++ // ++ // TODO(rolandshoemaker): we cannot add this as an exported error in a minor ++ // release, since it is backwards incompatible with the other minor ++ // releases. As such we need to leave it unexported, and then we'll add it ++ // in the next major release. ++ errJSTmplLit + ) + + func (e *Error) Error() string { +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index 8739735..ca078f4 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -8,6 +8,7 @@ import ( + "bytes" + "fmt" + "html" ++ "internal/godebug" + "io" + "text/template" + "text/template/parse" +@@ -205,6 +206,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { + c.jsCtx = jsCtxDivOp + case stateJSDqStr, stateJSSqStr: + s = append(s, "_html_template_jsstrescaper") ++ case stateJSBqStr: ++ debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp") ++ if debugAllowActionJSTmpl == "1" { ++ s = append(s, "_html_template_jsstrescaper") ++ } else { ++ return context{ ++ state: stateError, ++ err: errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n), ++ } ++ } + case stateJSRegexp: + s = append(s, "_html_template_jsregexpescaper") + case stateCSS: +diff --git a/src/html/template/js.go b/src/html/template/js.go +index ea9c183..b888eaf 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{ + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. + '"': `\u0022`, ++ '`': `\u0060`, + '&': `\u0026`, + '\'': `\u0027`, + '+': `\u002b`, +@@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{ + '"': `\u0022`, + '&': `\u0026`, + '\'': `\u0027`, ++ '`': `\u0060`, + '+': `\u002b`, + '/': `\/`, + '<': `\u003c`, +diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go +index dd1d87e..2394893 100644 +--- a/src/html/template/jsctx_string.go ++++ b/src/html/template/jsctx_string.go +@@ -4,6 +4,15 @@ package template + + import "strconv" + ++func _() { ++ // An "invalid array index" compiler error signifies that the constant values have changed. ++ // Re-run the stringer command to generate them again. ++ var x [1]struct{} ++ _ = x[jsCtxRegexp-0] ++ _ = x[jsCtxDivOp-1] ++ _ = x[jsCtxUnknown-2] ++} ++ + const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown" + + var _jsCtx_index = [...]uint8{0, 11, 21, 33} +diff --git a/src/html/template/transition.go b/src/html/template/transition.go +index 06df679..92eb351 100644 +--- a/src/html/template/transition.go ++++ b/src/html/template/transition.go +@@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){ + stateJS: tJS, + stateJSDqStr: tJSDelimited, + stateJSSqStr: tJSDelimited, ++ stateJSBqStr: tJSDelimited, + stateJSRegexp: tJSDelimited, + stateJSBlockCmt: tBlockCmt, + stateJSLineCmt: tLineCmt, +@@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) { + + // tJS is the context transition function for the JS state. + func tJS(c context, s []byte) (context, int) { +- i := bytes.IndexAny(s, `"'/`) ++ i := bytes.IndexAny(s, "\"`'/") + if i == -1 { + // Entire input is non string, comment, regexp tokens. + c.jsCtx = nextJSCtx(s, c.jsCtx) +@@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) { + c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp + case '\'': + c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp ++ case '`': ++ c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp + case '/': + switch { + case i+1 < len(s) && s[i+1] == '/': +@@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) { + switch c.state { + case stateJSSqStr: + specials = `\'` ++ case stateJSBqStr: ++ specials = "`\\" + case stateJSRegexp: + specials = `\/[]` + } +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch b/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch new file mode 100644 index 0000000000..fa19e18264 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch @@ -0,0 +1,53 @@ +From e49282327b05192e46086bf25fd3ac691205fe80 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 13 Apr 2023 15:40:44 -0700 +Subject: [PATCH] [release-branch.go1.19] html/template: disallow angle + brackets in CSS values + +Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 +Reviewed-by: Julie Qiu +Run-TryBot: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496 +Run-TryBot: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-review.googlesource.com/c/go/+/491335 +Run-TryBot: Carlos Amedee +Reviewed-by: Dmitri Shuralyov +TryBot-Result: Gopher Robot + +Upstream-Status: Backport [https://github.com/golang/go/commit/e49282327b05192e46086bf25fd3ac691205fe80] +CVE: CVE-2023-24539 +Signed-off-by: Vivek Kumbhar +--- + src/html/template/css.go | 2 +- + src/html/template/css_test.go | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/html/template/css.go b/src/html/template/css.go +index 890a0c6b227fe..f650d8b3e843a 100644 +--- a/src/html/template/css.go ++++ b/src/html/template/css.go +@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { + // inside a string that might embed JavaScript source. + for i, c := range b { + switch c { +- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': ++ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': + return filterFailsafe + case '-': + // Disallow . +diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go +index a735638b0314f..2b76256a766e9 100644 +--- a/src/html/template/css_test.go ++++ b/src/html/template/css_test.go +@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { + {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, + {`-expre\0000073sion`, "-expre\x073sion"}, + {`@import url evil.css`, "ZgotmplZ"}, ++ {"<", "ZgotmplZ"}, ++ {">", "ZgotmplZ"}, + } + for _, test := range tests { + got := cssValueFilter(test.css) diff --git a/poky/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch b/poky/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch new file mode 100644 index 0000000000..7e6e871e38 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch @@ -0,0 +1,93 @@ +From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 11 Apr 2023 16:27:43 +0100 +Subject: [PATCH] html/template: handle all JS whitespace characters + +Rather than just a small set. Character class as defined by \s [0]. + +Thanks to Juho Nurminen of Mattermost for reporting this. + +For #59721 +Fixes #59813 +Fixes CVE-2023-24540 + +[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes + +Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 +Reviewed-by: Julie Qiu +Run-TryBot: Roland Shoemaker +Reviewed-by: Damien Neil +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497 +Run-TryBot: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-review.googlesource.com/c/go/+/491355 +Reviewed-by: Dmitri Shuralyov +Reviewed-by: Carlos Amedee +TryBot-Bypass: Carlos Amedee +Run-TryBot: Carlos Amedee + +CVE: CVE-2023-24540 +Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797] + +Signed-off-by: Sakib Sajal +--- + src/html/template/js.go | 8 +++++++- + src/html/template/js_test.go | 11 +++++++---- + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index b888eaf..35994f0 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -13,6 +13,11 @@ import ( + "unicode/utf8" + ) + ++// jsWhitespace contains all of the JS whitespace characters, as defined ++// by the \s character class. ++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes. ++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff" ++ + // nextJSCtx returns the context that determines whether a slash after the + // given run of tokens starts a regular expression instead of a division + // operator: / or /=. +@@ -26,7 +31,8 @@ import ( + // JavaScript 2.0 lexical grammar and requires one token of lookbehind: + // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html + func nextJSCtx(s []byte, preceding jsCtx) jsCtx { +- s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029") ++ // Trim all JS whitespace characters ++ s = bytes.TrimRight(s, jsWhitespace) + if len(s) == 0 { + return preceding + } +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index d7ee47b..8f5d76d 100644 +--- a/src/html/template/js_test.go ++++ b/src/html/template/js_test.go +@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) { + {jsCtxDivOp, "0"}, + // Dots that are part of a number are div preceders. + {jsCtxDivOp, "0."}, ++ // Some JS interpreters treat NBSP as a normal space, so ++ // we must too in order to properly escape things. ++ {jsCtxRegexp, "=\u00A0"}, + } + + for _, test := range tests { +- if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx { +- t.Errorf("want %s got %q", test.jsCtx, test.s) ++ if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx { ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx) + } +- if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx { +- t.Errorf("want %s got %q", test.jsCtx, test.s) ++ if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx { ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx) + } + } + +-- +2.40.0 + diff --git a/poky/meta/recipes-devtools/llvm/llvm/0001-Support-Add-missing-cstdint-header-to-Signals.h.patch b/poky/meta/recipes-devtools/llvm/llvm/0001-Support-Add-missing-cstdint-header-to-Signals.h.patch new file mode 100644 index 0000000000..fdb6307ab5 --- /dev/null +++ b/poky/meta/recipes-devtools/llvm/llvm/0001-Support-Add-missing-cstdint-header-to-Signals.h.patch @@ -0,0 +1,31 @@ +From a94bf34221fc4519bd8ec72560c2d363ffe2de4c Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Mon, 23 May 2022 08:03:23 +0100 +Subject: [PATCH] [Support] Add missing header to Signals.h + +Without the change llvm build fails on this week's gcc-13 snapshot as: + + [ 0%] Building CXX object lib/Support/CMakeFiles/LLVMSupport.dir/Signals.cpp.o + In file included from llvm/lib/Support/Signals.cpp:14: + llvm/include/llvm/Support/Signals.h:119:8: error: variable or field 'CleanupOnSignal' declared void + 119 | void CleanupOnSignal(uintptr_t Context); + | ^~~~~~~~~~~~~~~ + +Upstream-Status: Backport [llvmorg-15.0.0 ff1681ddb303223973653f7f5f3f3435b48a1983] +Signed-off-by: Martin Jansa +--- + llvm/include/llvm/Support/Signals.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/llvm/include/llvm/Support/Signals.h b/llvm/include/llvm/Support/Signals.h +index 44f5a750ff5c..937e0572d4a7 100644 +--- a/llvm/include/llvm/Support/Signals.h ++++ b/llvm/include/llvm/Support/Signals.h +@@ -14,6 +14,7 @@ + #ifndef LLVM_SUPPORT_SIGNALS_H + #define LLVM_SUPPORT_SIGNALS_H + ++#include + #include + + namespace llvm { diff --git a/poky/meta/recipes-devtools/llvm/llvm_git.bb b/poky/meta/recipes-devtools/llvm/llvm_git.bb index 9400bf0821..cedbfb138e 100644 --- a/poky/meta/recipes-devtools/llvm/llvm_git.bb +++ b/poky/meta/recipes-devtools/llvm/llvm_git.bb @@ -32,6 +32,7 @@ SRC_URI = "git://github.com/llvm/llvm-project.git;branch=${BRANCH};protocol=http file://0006-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch;striplevel=2 \ file://0007-llvm-allow-env-override-of-exe-path.patch;striplevel=2 \ file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2 \ + file://0001-Support-Add-missing-cstdint-header-to-Signals.h.patch;striplevel=2 \ " UPSTREAM_CHECK_GITTAGREGEX = "llvmorg-(?P\d+(\.\d+)+)" diff --git a/poky/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch b/poky/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch new file mode 100644 index 0000000000..1bd49c9fd9 --- /dev/null +++ b/poky/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch @@ -0,0 +1,104 @@ +From b37677f7e40276bd8f504584bcba2c092f1146a8 Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin" +Date: Mon, 7 Nov 2022 10:26:03 -0800 +Subject: [PATCH] quote_for_pmake: fix counter underrun resulting in segfault + +while (nbs--) { ... } ends with nbs == -1. Rather than a minimal fix, +introduce mempset() to make these kinds of errors less likely in the +future. + +Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392815 +Reported-by: <13579and24680@gmail.com> +Signed-off-by: H. Peter Anvin + +Upstream-Status: Backport +CVE: CVE-2022-4437 + +Reference to upstream patch: +[https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d] + +Signed-off-by: Archana Polampalli +--- + asm/nasm.c | 12 +++++------- + configure.ac | 1 + + include/compiler.h | 7 +++++++ + 3 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/asm/nasm.c b/asm/nasm.c +index 7a7f8b4..675cff4 100644 +--- a/asm/nasm.c ++++ b/asm/nasm.c +@@ -1,6 +1,6 @@ + /* ----------------------------------------------------------------------- * + * +- * Copyright 1996-2020 The NASM Authors - All Rights Reserved ++ * Copyright 1996-2022 The NASM Authors - All Rights Reserved + * See the file AUTHORS included with the NASM distribution for + * the specific copyright holders. + * +@@ -814,8 +814,7 @@ static char *quote_for_pmake(const char *str) + } + + /* Convert N backslashes at the end of filename to 2N backslashes */ +- if (nbs) +- n += nbs; ++ n += nbs; + + os = q = nasm_malloc(n); + +@@ -824,10 +823,10 @@ static char *quote_for_pmake(const char *str) + switch (*p) { + case ' ': + case '\t': +- while (nbs--) +- *q++ = '\\'; ++ q = mempset(q, '\\', nbs); + *q++ = '\\'; + *q++ = *p; ++ nbs = 0; + break; + case '$': + *q++ = *p; +@@ -849,9 +848,8 @@ static char *quote_for_pmake(const char *str) + break; + } + } +- while (nbs--) +- *q++ = '\\'; + ++ q = mempset(q, '\\', nbs); + *q = '\0'; + + return os; +diff --git a/configure.ac b/configure.ac +index 39680b1..940ebe2 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -199,6 +199,7 @@ AC_CHECK_FUNCS(strrchrnul) + AC_CHECK_FUNCS(iscntrl) + AC_CHECK_FUNCS(isascii) + AC_CHECK_FUNCS(mempcpy) ++AC_CHECK_FUNCS(mempset) + + AC_CHECK_FUNCS(getuid) + AC_CHECK_FUNCS(getgid) +diff --git a/include/compiler.h b/include/compiler.h +index db3d6d6..b64da6a 100644 +--- a/include/compiler.h ++++ b/include/compiler.h +@@ -256,6 +256,13 @@ static inline void *mempcpy(void *dst, const void *src, size_t n) + } + #endif + ++#ifndef HAVE_MEMPSET ++static inline void *mempset(void *dst, int c, size_t n) ++{ ++ return (char *)memset(dst, c, n) + n; ++} ++#endif ++ + /* + * Hack to support external-linkage inline functions + */ +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/nasm/nasm_2.15.05.bb b/poky/meta/recipes-devtools/nasm/nasm_2.15.05.bb index edc17aeebf..59b1121bd4 100644 --- a/poky/meta/recipes-devtools/nasm/nasm_2.15.05.bb +++ b/poky/meta/recipes-devtools/nasm/nasm_2.15.05.bb @@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ file://0001-stdlib-Add-strlcat.patch \ file://0002-Add-debug-prefix-map-option.patch \ + file://CVE-2022-44370.patch \ " SRC_URI[sha256sum] = "3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2fd0" diff --git a/poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch new file mode 100644 index 0000000000..1f7cbd0da1 --- /dev/null +++ b/poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch @@ -0,0 +1,29 @@ +From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001 +From: Stig Palmquist +Date: Tue, 28 Feb 2023 11:54:06 +0100 +Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server + identity + +Upstream-Status: Backport [https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0] + +CVE: CVE-2023-31484 + +Signed-off-by: Soumya +--- + cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm +index 4fc792c..a616fee 100644 +--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm ++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm +@@ -32,6 +32,7 @@ sub mirror { + + my $want_proxy = $self->_want_proxy($uri); + my $http = HTTP::Tiny->new( ++ verify_SSL => 1, + $want_proxy ? (proxy => $self->{proxy}) : () + ); + +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/perl/perl_5.34.1.bb b/poky/meta/recipes-devtools/perl/perl_5.34.1.bb index 42bcb8b1bc..e0ee006e50 100644 --- a/poky/meta/recipes-devtools/perl/perl_5.34.1.bb +++ b/poky/meta/recipes-devtools/perl/perl_5.34.1.bb @@ -18,6 +18,7 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \ file://determinism.patch \ file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \ file://0001-Fix-build-with-gcc-12.patch \ + file://CVE-2023-31484.patch \ " SRC_URI:append:class-native = " \ file://perl-configpm-switch.patch \ diff --git a/poky/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch b/poky/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch new file mode 100644 index 0000000000..5fc4878978 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch @@ -0,0 +1,49 @@ +From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 7 Feb 2023 11:34:18 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230) + +CVE: CVE-2023-23931 + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696] + +Signed-off-by: Narpat Mali +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 286583f93..075d68fb9 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -156,7 +156,7 @@ class _CipherContext: + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index 02127dd9c..bf3b047de 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -318,6 +318,14 @@ class TestCipherUpdateInto: + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/poky/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb index 9ef5ff39c8..c3ae0c1ab9 100644 --- a/poky/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb +++ b/poky/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb @@ -17,6 +17,7 @@ SRC_URI += " \ file://0001-Cargo.toml-specify-pem-version.patch \ file://0002-Cargo.toml-edition-2018-2021.patch \ file://fix-leak-metric.patch \ + file://CVE-2023-23931.patch \ " inherit pypi python_setuptools3_rust diff --git a/poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch b/poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch new file mode 100644 index 0000000000..35b4241bde --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch @@ -0,0 +1,63 @@ +From cd0128c0becd8729d0f8733bf42fbd333d51f833 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt +Date: Mon, 5 Jun 2023 09:31:36 +0000 +Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q + +CVE: CVE-2023-32681 + +Upstream-Status: Backport [https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5] + +Signed-off-by: Narpat Mali +--- + requests/sessions.py | 4 +++- + tests/test_requests.py | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/requests/sessions.py b/requests/sessions.py +index 3f59cab..648cffa 100644 +--- a/requests/sessions.py ++++ b/requests/sessions.py +@@ -293,7 +293,9 @@ class SessionRedirectMixin(object): + except KeyError: + username, password = None, None + +- if username and password: ++ # urllib3 handles proxy authorization for us in the standard adapter. ++ # Avoid appending this to TLS tunneled requests where it may be leaked. ++ if not scheme.startswith('https') and username and password: + headers['Proxy-Authorization'] = _basic_auth_str(username, password) + + return new_proxies +diff --git a/tests/test_requests.py b/tests/test_requests.py +index 29b3aca..6a37777 100644 +--- a/tests/test_requests.py ++++ b/tests/test_requests.py +@@ -601,6 +601,26 @@ class TestRequests: + + assert sent_headers.get("Proxy-Authorization") == proxy_auth_value + ++ ++ @pytest.mark.parametrize( ++ "url,has_proxy_auth", ++ ( ++ ('http://example.com', True), ++ ('https://example.com', False), ++ ), ++ ) ++ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): ++ session = requests.Session() ++ proxies = { ++ 'http': 'http://test:pass@localhost:8080', ++ 'https': 'http://test:pass@localhost:8090', ++ } ++ req = requests.Request('GET', url) ++ prep = req.prepare() ++ session.rebuild_proxies(prep, proxies) ++ ++ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth ++ + def test_basicauth_with_netrc(self, httpbin): + auth = ('user', 'pass') + wrong_auth = ('wronguser', 'wrongpass') +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/python/python3-requests_2.27.1.bb b/poky/meta/recipes-devtools/python/python3-requests_2.27.1.bb index af52b7caf5..635a6af31f 100644 --- a/poky/meta/recipes-devtools/python/python3-requests_2.27.1.bb +++ b/poky/meta/recipes-devtools/python/python3-requests_2.27.1.bb @@ -3,6 +3,8 @@ HOMEPAGE = "http://python-requests.org" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658" +SRC_URI += "file://CVE-2023-32681.patch" + SRC_URI[sha256sum] = "68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61" inherit pypi setuptools3 diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index a6ee958e4b..7f2b52fa88 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc @@ -112,6 +112,11 @@ CVE_CHECK_IGNORE += "CVE-2007-0998" # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 CVE_CHECK_IGNORE += "CVE-2018-18438" +# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664 +# https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +# this bug related to windows specific. +CVE_CHECK_IGNORE += "CVE-2023-0664" + COMPATIBLE_HOST:mipsarchn32 = "null" COMPATIBLE_HOST:mipsarchn64 = "null" COMPATIBLE_HOST:riscv32 = "null" diff --git a/poky/meta/recipes-devtools/quilt/quilt.inc b/poky/meta/recipes-devtools/quilt/quilt.inc index fce81016d8..72deb24915 100644 --- a/poky/meta/recipes-devtools/quilt/quilt.inc +++ b/poky/meta/recipes-devtools/quilt/quilt.inc @@ -14,6 +14,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quilt/quilt-${PV}.tar.gz \ file://0001-tests-Allow-different-output-from-mv.patch \ file://fix-grep-3.8.patch \ file://faildiff-order.patch \ + file://0001-test-Fix-a-race-condition-in-merge.test.patch \ " SRC_URI:append:class-target = " file://gnu_patch_test_fix_target.patch" diff --git a/poky/meta/recipes-devtools/quilt/quilt/0001-test-Fix-a-race-condition-in-merge.test.patch b/poky/meta/recipes-devtools/quilt/quilt/0001-test-Fix-a-race-condition-in-merge.test.patch new file mode 100644 index 0000000000..01d4c8befc --- /dev/null +++ b/poky/meta/recipes-devtools/quilt/quilt/0001-test-Fix-a-race-condition-in-merge.test.patch @@ -0,0 +1,48 @@ +From c1ce964f3e9312100a60f03c1e1fdd601e1911f2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?= + +Date: Tue, 28 Feb 2023 18:45:15 +0100 +Subject: [PATCH] test: Fix a race condition in merge.test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Just like commit 4dfe7f9, (test: Fix a race condition, 2023-01-20), +this fix a test race when stdout and stderr in any order. + +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/quilt.git/commit/?id=c1ce964f3e9312100a60f03c1e1fdd601e1911f2] +Signed-off-by: Đoàn Trần Công Danh +Signed-off-by: Jean Delvare +--- + test/merge.test | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/test/merge.test b/test/merge.test +index c64b33d..2e67d4f 100644 +--- a/test/merge.test ++++ b/test/merge.test +@@ -39,8 +39,9 @@ Test the patch merging functionality of `quilt diff'. + > Applying patch %{P}c.diff + > Now at patch %{P}c.diff + +- $ quilt diff -P b.diff | grep -v "^\\(---\\|+++\\)" ++ $ quilt diff -P b.diff >/dev/null + > Warning: more recent patches modify files in patch %{P}b.diff ++ $ quilt diff -P b.diff 2>/dev/null | grep -v "^\\(---\\|+++\\)" + >~ Index: [^/]+/abc\.txt + > =================================================================== + > @@ -1,3 +1,3 @@ +@@ -49,8 +50,9 @@ Test the patch merging functionality of `quilt diff'. + > +b+ + > c + +- $ quilt diff --combine a.diff -P b.diff | grep -v "^\\(---\\|+++\\)" ++ $ quilt diff --combine a.diff -P b.diff >/dev/null + > Warning: more recent patches modify files in patch %{P}b.diff ++ $ quilt diff --combine a.diff -P b.diff 2>/dev/null | grep -v "^\\(---\\|+++\\)" + >~ Index: [^/]+/abc\.txt + > =================================================================== + > @@ -1,3 +1,3 @@ +-- +2.40.0 + diff --git a/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch new file mode 100644 index 0000000000..d611c41dcc --- /dev/null +++ b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch @@ -0,0 +1,68 @@ +From db4bb57d4af6d097a0c29490536793d95f1d8983 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Mon, 24 Apr 2023 08:27:24 +0000 +Subject: [PATCH] Merge URI-0.12.1 + +CVE: CVE-2023-28755 + +Upstream-Status: Backport [https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300] + +Signed-off-by: Mingli Yu +--- + lib/uri/rfc3986_parser.rb | 4 ++-- + lib/uri/version.rb | 2 +- + test/uri/test_common.rb | 11 +++++++++++ + 3 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index 3e07de4..3c89311 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -3,8 +3,8 @@ module URI + class RFC3986_Parser # :nodoc: + # URI defined in RFC3986 + # this regexp is modified not to host is not empty string +- RFC3986_URI = /\A(?(?[A-Za-z][+\-.0-9A-Za-z]*):(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?\g(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ +- RFC3986_relative_ref = /\A(?(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?(?(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ ++ RFC3986_URI = /\A(?(?[A-Za-z][+\-.0-9A-Za-z]*+):(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])*+))(?::(?\d*+))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g)*+)?)|(?\g(?:\/\g)*+)|(?))(?:\?(?[^#]*+))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ ++ RFC3986_relative_ref = /\A(?(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?\d*+))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g)*+)?)|(?(?(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g)*+)|(?))(?:\?(?[^#]*+))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ + attr_reader :regexp + + def initialize +diff --git a/lib/uri/version.rb b/lib/uri/version.rb +index 82188e2..7497a7d 100644 +--- a/lib/uri/version.rb ++++ b/lib/uri/version.rb +@@ -1,6 +1,6 @@ + module URI + # :stopdoc: +- VERSION_CODE = '001100'.freeze ++ VERSION_CODE = '001201'.freeze + VERSION = VERSION_CODE.scan(/../).collect{|n| n.to_i}.join('.').freeze + # :startdoc: + end +diff --git a/test/uri/test_common.rb b/test/uri/test_common.rb +index 5e30cda..1d34783 100644 +--- a/test/uri/test_common.rb ++++ b/test/uri/test_common.rb +@@ -78,6 +78,17 @@ class TestCommon < Test::Unit::TestCase + assert_raise(NoMethodError) { Object.new.URI("http://www.ruby-lang.org/") } + end + ++ def test_parse_timeout ++ pre = ->(n) { ++ 'https://example.com/dir/' + 'a' * (n * 100) + '/##.jpg' ++ } ++ assert_linear_performance((1..10).map {|i| i * 100}, rehearsal: 1000, pre: pre) do |uri| ++ assert_raise(URI::InvalidURIError) do ++ URI.parse(uri) ++ end ++ end ++ end ++ + def test_encode_www_form_component + assert_equal("%00+%21%22%23%24%25%26%27%28%29*%2B%2C-.%2F09%3A%3B%3C%3D%3E%3F%40" \ + "AZ%5B%5C%5D%5E_%60az%7B%7C%7D%7E", +-- +2.35.5 + diff --git a/poky/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/poky/meta/recipes-devtools/ruby/ruby_3.1.3.bb index 92efc5db91..72030508dd 100644 --- a/poky/meta/recipes-devtools/ruby/ruby_3.1.3.bb +++ b/poky/meta/recipes-devtools/ruby/ruby_3.1.3.bb @@ -30,6 +30,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://0006-Make-gemspecs-reproducible.patch \ file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \ file://CVE-2023-28756.patch \ + file://CVE-2023-28755.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" diff --git a/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service b/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service index 7f72f3388a..b6b81d5c1a 100644 --- a/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service +++ b/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service @@ -1,7 +1,7 @@ [Unit] Description=Run pending postinsts DefaultDependencies=no -After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount +After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount ldconfig.service Before=sysinit.target [Service] -- cgit v1.2.3