
[meta-oe,scarthgap,1/1] graphviz: fix CVE-2023-46045

Message ID 20240729104856.1955362-1-yogita.urade@windriver.com
State New

Commit Message

yurade July 29, 2024, 10:48 a.m. UTC
From: Yogita Urade <yogita.urade@windriver.com>

Graphviz 2.36 before 10.0.0 has an out-of-bounds read via a
crafted config6a file. NOTE: exploitability may be uncommon
because this file is typically owned by root.

CVE-2023-46045-0003.patch is the CVE fix; CVE-2023-46045-0001.patch and
CVE-2023-46045-0002.patch are prerequisite commits that the fix depends on.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-46045

Upstream patches:
https://gitlab.com/graphviz/graphviz/-/commit/361f274ca901c3c476697a6404662d95f4dd43cb
https://gitlab.com/graphviz/graphviz/-/commit/3f31704cafd7da3e86bb2861accf5e90c973e62a
https://gitlab.com/graphviz/graphviz/-/commit/a95f977f5d809915ec4b14836d2b5b7f5e74881e

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../graphviz/CVE-2023-46045-0001.patch        | 37 ++++++++++++++++++
 .../graphviz/CVE-2023-46045-0002.patch        | 38 +++++++++++++++++++
 .../graphviz/CVE-2023-46045-0003.patch        | 33 ++++++++++++++++
 .../graphviz/graphviz_8.1.0.bb                |  3 ++
 4 files changed, 111 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0001.patch
 create mode 100644 meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0002.patch
 create mode 100644 meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0003.patch

Patch

diff --git a/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0001.patch b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0001.patch
new file mode 100644
index 000000000..7b177370d
--- /dev/null
+++ b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0001.patch
@@ -0,0 +1,37 @@ 
+From 361f274ca901c3c476697a6404662d95f4dd43cb Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Wed, 24 Jul 2024 13:19:03 +0800
+Subject: [PATCH] gvc gvconfig_plugin_install_from_config: more tightly scope
+ 'gv_api'
+
+CVE: CVE-2023-46045
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/361f274ca901c3c476697a6404662d95f4dd43cb]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/gvc/gvconfig.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index d03de09..2f31b98 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -174,7 +174,6 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ {
+     char *package_path, *name, *api;
+     const char *type;
+-    api_t gv_api;
+     int quality;
+     int nest = 0;
+     gvplugin_package_t *package;
+@@ -189,7 +188,7 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+         package = gvplugin_package_record(gvc, package_path, name);
+	do {
+	    api = token(&nest, &s);
+-	    gv_api = gvplugin_api(api);
++	    const api_t gv_api = gvplugin_api(api);
+	    do {
+		if (nest == 2) {
+		    type = token(&nest, &s);
+--
+2.25.1
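Review bot: The `Date:` header in this patch file (24 Jul 2024, and the same day in the 0002 and 0003 files) falls five days before the submission, which suggests these are the backporter's commit dates rather than the upstream author dates; the upstream dates are not shown on this page, so this is an inference. If the patches were re-created by hand rather than exported from the commits named in their `Upstream-Status:` lines, each should be diffed against that commit and carry the original author date, so that the provenance of a security backport can be checked. The code change itself only narrows the scope of `gv_api` and does nothing for the CVE on its own; it is needed so that 0003 applies. gvconfig_plugin_install_from_config continues outside the hunk.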
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0002.patch b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0002.patch
new file mode 100644
index 000000000..fbab10bb3
--- /dev/null
+++ b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0002.patch
@@ -0,0 +1,38 @@ 
+From 3f31704cafd7da3e86bb2861accf5e90c973e62a Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Wed, 24 Jul 2024 13:39:39 +0800
+Subject: [PATCH] gvc gvconfig_plugin_install_from_config: more tightly scope
+ 'api'
+
+CVE: CVE-2023-46045
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/3f31704cafd7da3e86bb2861accf5e90c973e62a]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/gvc/gvconfig.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index 2f31b98..ea0d81b 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -172,7 +172,7 @@ static char *token(int *nest, char **tokens)
+
+ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ {
+-    char *package_path, *name, *api;
++    char *package_path, *name;
+     const char *type;
+     int quality;
+     int nest = 0;
+@@ -187,7 +187,7 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+	    name = "x";
+         package = gvplugin_package_record(gvc, package_path, name);
+	do {
+-	    api = token(&nest, &s);
++	    const char *api = token(&nest, &s);
+	    const api_t gv_api = gvplugin_api(api);
+	    do {
+		if (nest == 2) {
+--
+2.25.1
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0003.patch b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0003.patch
new file mode 100644
index 000000000..372f44efe
--- /dev/null
+++ b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-0003.patch
@@ -0,0 +1,33 @@ 
+From a95f977f5d809915ec4b14836d2b5b7f5e74881e Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Wed, 24 Jul 2024 15:02:06 +0800
+Subject: [PATCH] gvc: detect plugin installation failure and display an error
+
+Gitlab: fixes #2441
+Reported-by: GJDuck
+
+CVE: CVE-2023-46045
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/a95f977f5d809915ec4b14836d2b5b7f5e74881e]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ lib/gvc/gvconfig.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index ea0d81b..1eccc70 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -189,6 +189,10 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+	do {
+	    const char *api = token(&nest, &s);
+	    const api_t gv_api = gvplugin_api(api);
++	    if (gv_api == (api_t)-1) {
++		agerr(AGERR, "config error: %s %s not found\n", package_path, api);
++		return 0;
++	    }
+	    do {
+		if (nest == 2) {
+		    type = token(&nest, &s);
+--
+2.25.1
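Review bot: The sentinel in `if (gv_api == (api_t)-1)` is unexplained, and it relies on gvplugin_api() reporting an unrecognised name that way, which is not visible in this hunk. A short comment above the check would record the intent, e.g. `/* gvplugin_api() yields -1 for an unknown API name; reject it before it is used further */`. The early `return 0` also runs after the package has been recorded (the `gvplugin_package_record` call visible in the 0002 context), and possibly after earlier APIs from the same config entry were installed. It is worth confirming that the caller treats 0 as failure and does not carry on with a partially loaded config. The function body starts and ends outside the hunk, so the meaning of the return value cannot be checked from here.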
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_8.1.0.bb b/meta-oe/recipes-graphics/graphviz/graphviz_8.1.0.bb
index 2700142e5..b3f02148b 100644
--- a/meta-oe/recipes-graphics/graphviz/graphviz_8.1.0.bb
+++ b/meta-oe/recipes-graphics/graphviz/graphviz_8.1.0.bb
@@ -20,6 +20,9 @@  inherit autotools-brokensep pkgconfig gettext qemu
 
 SRC_URI = "https://gitlab.com/api/v4/projects/4207231/packages/generic/${BPN}-releases/${PV}/${BP}.tar.xz \
            file://0001-Autotools-fix-do-not-put-prefix-based-paths-in-compi.patch \
+           file://CVE-2023-46045-0001.patch \
+           file://CVE-2023-46045-0002.patch \
+           file://CVE-2023-46045-0003.patch \
            "
 # Use native mkdefs
 SRC_URI:append:class-target = "\