new file mode 100644
@@ -0,0 +1,46 @@
+From d3880d9d3ba795138444da83f1153c3c3ac27640 Mon Sep 17 00:00:00 2001
+From: Michael Larabel <michael@phoronix.com>
+Date: Sat, 23 Jul 2022 07:32:43 -0500
+Subject: [PATCH] phoromatic: Explicitly check both $_GET abd $_POST in
+ phoromatic_quit_if_invalid_input_found()
+
+Fixes: https://github.com/phoronix-test-suite/phoronix-test-suite/issues/650#issuecomment-1193116678
+
+Upstream-Status: Backport
+CVE: CVE-2022-40704
+
+Reference to upstream patch:
+https://github.com/phoronix-test-suite/phoronix-test-suite/commit/d3880d9d3ba795138444da83f1153c3c3ac27640
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ pts-core/phoromatic/phoromatic_functions.php | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/pts-core/phoromatic/phoromatic_functions.php b/pts-core/phoromatic/phoromatic_functions.php
+index 74ccc5444c..c2313dcdea 100644
+--- a/pts-core/phoromatic/phoromatic_functions.php
++++ b/pts-core/phoromatic/phoromatic_functions.php
+@@ -37,9 +37,20 @@ function phoromatic_quit_if_invalid_input_found($input_keys = null)
+ {
+ foreach($input_keys as $key)
+ {
+- if(isset($_REQUEST[$key]) && !empty($_REQUEST[$key]))
++ if(isset($_GET[$key]) && !empty($_GET[$key]))
+ {
+- foreach(pts_arrays::to_array($_REQUEST[$key]) as $val_to_check)
++ foreach(pts_arrays::to_array($_GET[$key]) as $val_to_check)
++ {
++ if(stripos($val_to_check, $invalid_string) !== false)
++ {
++ echo '<strong>Exited due to invalid input ( ' . $invalid_string . ') attempted:</strong> ' . htmlspecialchars($val_to_check);
++ exit;
++ }
++ }
++ }
++ if(isset($_POST[$key]) && !empty($_POST[$key]))
++ {
++ foreach(pts_arrays::to_array($_POST[$key]) as $val_to_check)
+ {
+ if(stripos($val_to_check, $invalid_string) !== false)
+ {
@@ -5,7 +5,11 @@ LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SECTION = "console/tests"
-SRC_URI = "http://www.phoronix-test-suite.com/releases/${BP}.tar.gz"
+SRC_URI = "http://www.phoronix-test-suite.com/releases/${BP}.tar.gz \
+ file://CVE-2022-40704.patch \
+ "
+
+
SRC_URI[md5sum] = "459c3c45b39bb3d720ddc8ba5f944332"
SRC_URI[sha256sum] = "86681343d20415831ab16ef6c3d1c317e2345e771925e0698ae920a03a9eaab6"
Add fix created after latest release (10.8.4). Signed-off-by: Joe Slater <joe.slater@windriver.com> --- .../files/CVE-2022-40704.patch | 46 +++++++++++++++++++ .../phoronix-test-suite_10.8.2.bb | 6 ++- 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-benchmark/phoronix-test-suite/files/CVE-2022-40704.patch