From patchwork Thu Sep 5 12:40:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48693 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A5018CD5BB9 for ; Thu, 5 Sep 2024 12:41:17 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.web11.8283.1725540072745579395 for ; Thu, 05 Sep 2024 05:41:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=tjaxYopD; spf=softfail (domain: sakoman.com, ip: 209.85.214.175, mailfrom: steve@sakoman.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-205909af9b5so6253005ad.3 for ; Thu, 05 Sep 2024 05:41:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725540072; x=1726144872; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=u6oBP3JLc6J3IjqKI6I1WXkNgpa0zLZMMJRa2AW2HCQ=; b=tjaxYopDcy4Azj3ITUcQwiqaJFdpLugvMuZvT44gWmPo/0L2SdyiBqj3QZGhpnCcrw TdVhbmoCdWxqLFy+if7QsYb0c4hKfOTOJp/t+ZvZfP2sU24SdiuqaEpOhIITY2BLVF4T 43sGrgPwP/aUCXGMm2zJ1anVgR5MDYY5mKpRwg4MKOazcBKBcdMMSvV96h3ZPjgINAuE mH4xKJFFHDS0gpEQFy4zJFsHojUHXZ/plHwf6r+IaDmHCoNQneEvFCR8cSiX1r5wD/TP ifZIEpCzOTjACEGtLUMEVobs0NtvsoTr4gwaj9/DdAQB/1RTNVUUskHR+5186ymzkIHz l/5g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725540072; x=1726144872; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=u6oBP3JLc6J3IjqKI6I1WXkNgpa0zLZMMJRa2AW2HCQ=; b=DxUoknyLzo0xbu/+YZWGL2b1BYhaDff5erbv0tQhzklB2DDKh/xPZvZWyheGztKii3 IQG1uvQATUxhKYSZNNhNevYkGcs3XCNxCM2IecU18Y1BoiIzQjMOPD5VepOLflLuXA1g rOjQgIDHSCJ/4xOxyQHYJnaKKkmiE0b662i286M5ZX2fON6HPc/6hJktopu1fqLskb3B L1ZCdN0bP34X3NCliZ0MZYk3vLLmnCQfLhvQpcTj99rXCdqhCFSNDX17cL4j759pVzqO 3+eW9/7hoAj70KGO6sGtyFeiv4krg5hKeRd3GXLr9Z+KTi46OM6WaA11XmCvfbncfnhU LlCQ== X-Gm-Message-State: AOJu0Yyzdc+zEt/4HEyYjNmVCWZLLEDouX7SBGUNuQOE5I6Z8ArHba35 kH7eBVywbKuVy0an8nTgSsOEYAFbtJOgvykD89BqGBGYWi7RnWm+8uCahPDE80kpgj53GxiD57v jVf0= X-Google-Smtp-Source: AGHT+IFQmfDg/YseP36pqrFEIvRfCCNsRi51k6IgDwnB7bAaoFFIdedEk8Qe7h5r8Xmvv+p4nq+2Lg== X-Received: by 2002:a17:903:26c5:b0:202:4666:f018 with SMTP id d9443c01a7336-20584193b42mr93386155ad.15.1725540071372; Thu, 05 Sep 2024 05:41:11 -0700 (PDT) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea38c31sm28107265ad.151.2024.09.05.05.41.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Sep 2024 05:41:10 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/6] qemu: fix CVE-2024-7409 Date: Thu, 5 Sep 2024 05:40:57 -0700 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Sep 2024 12:41:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204232 From: Hitendra Prajapati A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-7409 Upstream Patches: https://github.com/qemu/qemu/commit/fb1c2aaa981e0a2fa6362c9985f1296b74f055ac https://github.com/qemu/qemu/commit/c8a76dbd90c2f48df89b75bef74917f90a59b623 https://gitlab.com/qemu-project/qemu/-/commit/b9b72cb3ce15b693148bd09cef7e50110566d8a0 https://gitlab.com/qemu-project/qemu/-/commit/3e7ef738c8462c45043a1d39f702a0990406a3b3 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 4 + .../qemu/qemu/CVE-2024-7409-0001.patch | 162 ++++++++++++++++ .../qemu/qemu/CVE-2024-7409-0002.patch | 174 ++++++++++++++++++ .../qemu/qemu/CVE-2024-7409-0003.patch | 122 ++++++++++++ .../qemu/qemu/CVE-2024-7409-0004.patch | 163 ++++++++++++++++ 5 files changed, 625 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0001.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0002.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0003.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0004.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4747310ae4..4684e44524 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -109,6 +109,10 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch \ file://CVE-2023-42467.patch \ file://CVE-2023-6683.patch \ + file://CVE-2024-7409-0001.patch \ + file://CVE-2024-7409-0002.patch \ + file://CVE-2024-7409-0003.patch \ + file://CVE-2024-7409-0004.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0001.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0001.patch new file mode 100644 index 0000000000..f4dad65097 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0001.patch @@ -0,0 +1,162 @@ +From fb1c2aaa981e0a2fa6362c9985f1296b74f055ac Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Wed, 7 Aug 2024 08:50:01 -0500 +Subject: [PATCH] nbd/server: Plumb in new args to nbd_client_add() + +Upcoming patches to fix a CVE need to track an opaque pointer passed +in by the owner of a client object, as well as request for a time +limit on how fast negotiation must complete. Prepare for that by +changing the signature of nbd_client_new() and adding an accessor to +get at the opaque pointer, although for now the two servers +(qemu-nbd.c and blockdev-nbd.c) do not change behavior even though +they pass in a new default timeout value. + +Suggested-by: Vladimir Sementsov-Ogievskiy +Signed-off-by: Eric Blake +Message-ID: <20240807174943.771624-11-eblake@redhat.com> +Reviewed-by: Daniel P. Berrangé +[eblake: s/LIMIT/MAX_SECS/ as suggested by Dan] +Signed-off-by: Eric Blake + +CVE: CVE-2024-7409 +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/fb1c2aaa981e0a2fa6362c9985f1296b74f055ac] +Signed-off-by: Hitendra Prajapati +--- + blockdev-nbd.c | 6 ++++-- + include/block/nbd.h | 11 ++++++++++- + nbd/server.c | 20 +++++++++++++++++--- + qemu-nbd.c | 4 +++- + 4 files changed, 34 insertions(+), 7 deletions(-) + +diff --git a/blockdev-nbd.c b/blockdev-nbd.c +index bdfa7ed3a..b9e8dc78f 100644 +--- a/blockdev-nbd.c ++++ b/blockdev-nbd.c +@@ -59,8 +59,10 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc, + nbd_update_server_watch(nbd_server); + + qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server"); +- nbd_client_new(cioc, nbd_server->tlscreds, nbd_server->tlsauthz, +- nbd_blockdev_client_closed); ++ /* TODO - expose handshake timeout as QMP option */ ++ nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS, ++ nbd_server->tlscreds, nbd_server->tlsauthz, ++ nbd_blockdev_client_closed, NULL); + } + + static void nbd_update_server_watch(NBDServerData *s) +diff --git a/include/block/nbd.h b/include/block/nbd.h +index 78d101b77..b71a29724 100644 +--- a/include/block/nbd.h ++++ b/include/block/nbd.h +@@ -27,6 +27,12 @@ + + extern const BlockExportDriver blk_exp_nbd; + ++/* ++ * NBD_DEFAULT_HANDSHAKE_MAX_SECS: Number of seconds in which client must ++ * succeed at NBD_OPT_GO before being forcefully dropped as too slow. ++ */ ++#define NBD_DEFAULT_HANDSHAKE_MAX_SECS 10 ++ + /* Handshake phase structs - this struct is passed on the wire */ + + struct NBDOption { +@@ -338,9 +344,12 @@ AioContext *nbd_export_aio_context(NBDExport *exp); + NBDExport *nbd_export_find(const char *name); + + void nbd_client_new(QIOChannelSocket *sioc, ++ uint32_t handshake_max_secs, + QCryptoTLSCreds *tlscreds, + const char *tlsauthz, +- void (*close_fn)(NBDClient *, bool)); ++ void (*close_fn)(NBDClient *, bool), ++ void *owner); ++void *nbd_client_owner(NBDClient *client); + void nbd_client_get(NBDClient *client); + void nbd_client_put(NBDClient *client); + +diff --git a/nbd/server.c b/nbd/server.c +index 4630dd732..12680c8dc 100644 +--- a/nbd/server.c ++++ b/nbd/server.c +@@ -121,9 +121,11 @@ struct NBDClient { + int refcount; + void (*close_fn)(NBDClient *client, bool negotiated); + ++ void *owner; + NBDExport *exp; + QCryptoTLSCreds *tlscreds; + char *tlsauthz; ++ uint32_t handshake_max_secs; + QIOChannelSocket *sioc; /* The underlying data channel */ + QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */ + +@@ -2703,6 +2705,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque) + + qemu_co_mutex_init(&client->send_lock); + ++ /* TODO - utilize client->handshake_max_secs */ + if (nbd_negotiate(client, &local_err)) { + if (local_err) { + error_report_err(local_err); +@@ -2715,14 +2718,17 @@ static coroutine_fn void nbd_co_client_start(void *opaque) + } + + /* +- * Create a new client listener using the given channel @sioc. ++ * Create a new client listener using the given channel @sioc and @owner. + * Begin servicing it in a coroutine. When the connection closes, call +- * @close_fn with an indication of whether the client completed negotiation. ++ * @close_fn with an indication of whether the client completed negotiation ++ * within @handshake_max_secs seconds (0 for unbounded). + */ + void nbd_client_new(QIOChannelSocket *sioc, ++ uint32_t handshake_max_secs, + QCryptoTLSCreds *tlscreds, + const char *tlsauthz, +- void (*close_fn)(NBDClient *, bool)) ++ void (*close_fn)(NBDClient *, bool), ++ void *owner) + { + NBDClient *client; + Coroutine *co; +@@ -2734,12 +2740,20 @@ void nbd_client_new(QIOChannelSocket *sioc, + object_ref(OBJECT(client->tlscreds)); + } + client->tlsauthz = g_strdup(tlsauthz); ++ client->handshake_max_secs = handshake_max_secs; + client->sioc = sioc; + object_ref(OBJECT(client->sioc)); + client->ioc = QIO_CHANNEL(sioc); + object_ref(OBJECT(client->ioc)); + client->close_fn = close_fn; ++ client->owner = owner; + + co = qemu_coroutine_create(nbd_co_client_start, client); + qemu_coroutine_enter(co); + } ++ ++void * ++nbd_client_owner(NBDClient *client) ++{ ++ return client->owner; ++} +diff --git a/qemu-nbd.c b/qemu-nbd.c +index c6c20df68..f48abf379 100644 +--- a/qemu-nbd.c ++++ b/qemu-nbd.c +@@ -363,7 +363,9 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc, + + nb_fds++; + nbd_update_server_watch(); +- nbd_client_new(cioc, tlscreds, tlsauthz, nbd_client_closed); ++ /* TODO - expose handshake timeout as command line option */ ++ nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS, ++ tlscreds, tlsauthz, nbd_client_closed, NULL); + } + + static void nbd_update_server_watch(void) +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0002.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0002.patch new file mode 100644 index 0000000000..ccef8b36c5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0002.patch @@ -0,0 +1,174 @@ +From c8a76dbd90c2f48df89b75bef74917f90a59b623 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Tue, 6 Aug 2024 13:53:00 -0500 +Subject: [PATCH] nbd/server: CVE-2024-7409: Cap default max-connections to 100 + +Allowing an unlimited number of clients to any web service is a recipe +for a rudimentary denial of service attack: the client merely needs to +open lots of sockets without closing them, until qemu no longer has +any more fds available to allocate. + +For qemu-nbd, we default to allowing only 1 connection unless more are +explicitly asked for (-e or --shared); this was historically picked as +a nice default (without an explicit -t, a non-persistent qemu-nbd goes +away after a client disconnects, without needing any additional +follow-up commands), and we are not going to change that interface now +(besides, someday we want to point people towards qemu-storage-daemon +instead of qemu-nbd). + +But for qemu proper, and the newer qemu-storage-daemon, the QMP +nbd-server-start command has historically had a default of unlimited +number of connections, in part because unlike qemu-nbd it is +inherently persistent until nbd-server-stop. Allowing multiple client +sockets is particularly useful for clients that can take advantage of +MULTI_CONN (creating parallel sockets to increase throughput), +although known clients that do so (such as libnbd's nbdcopy) typically +use only 8 or 16 connections (the benefits of scaling diminish once +more sockets are competing for kernel attention). Picking a number +large enough for typical use cases, but not unlimited, makes it +slightly harder for a malicious client to perform a denial of service +merely by opening lots of connections withot progressing through the +handshake. + +This change does not eliminate CVE-2024-7409 on its own, but reduces +the chance for fd exhaustion or unlimited memory usage as an attack +surface. On the other hand, by itself, it makes it more obvious that +with a finite limit, we have the problem of an unauthenticated client +holding 100 fds opened as a way to block out a legitimate client from +being able to connect; thus, later patches will further add timeouts +to reject clients that are not making progress. + +This is an INTENTIONAL change in behavior, and will break any client +of nbd-server-start that was not passing an explicit max-connections +parameter, yet expects more than 100 simultaneous connections. We are +not aware of any such client (as stated above, most clients aware of +MULTI_CONN get by just fine on 8 or 16 connections, and probably cope +with later connections failing by relying on the earlier connections; +libvirt has not yet been passing max-connections, but generally +creates NBD servers with the intent for a single client for the sake +of live storage migration; meanwhile, the KubeSAN project anticipates +a large cluster sharing multiple clients [up to 8 per node, and up to +100 nodes in a cluster], but it currently uses qemu-nbd with an +explicit --shared=0 rather than qemu-storage-daemon with +nbd-server-start). + +We considered using a deprecation period (declare that omitting +max-parameters is deprecated, and make it mandatory in 3 releases - +then we don't need to pick an arbitrary default); that has zero risk +of breaking any apps that accidentally depended on more than 100 +connections, and where such breakage might not be noticed under unit +testing but only under the larger loads of production usage. But it +does not close the denial-of-service hole until far into the future, +and requires all apps to change to add the parameter even if 100 was +good enough. It also has a drawback that any app (like libvirt) that +is accidentally relying on an unlimited default should seriously +consider their own CVE now, at which point they are going to change to +pass explicit max-connections sooner than waiting for 3 qemu releases. +Finally, if our changed default breaks an app, that app can always +pass in an explicit max-parameters with a larger value. + +It is also intentional that the HMP interface to nbd-server-start is +not changed to expose max-connections (any client needing to fine-tune +things should be using QMP). + +Suggested-by: Daniel P. Berrangé +Signed-off-by: Eric Blake +Message-ID: <20240807174943.771624-12-eblake@redhat.com> +Reviewed-by: Daniel P. Berrangé +[ericb: Expand commit message to summarize Dan's argument for why we +break corner-case back-compat behavior without a deprecation period] +Signed-off-by: Eric Blake + +CVE: CVE-2024-7409 +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/c8a76dbd90c2f48df89b75bef74917f90a59b623] +Signed-off-by: Hitendra Prajapati +--- + block/monitor/block-hmp-cmds.c | 3 ++- + blockdev-nbd.c | 8 ++++++++ + include/block/nbd.h | 7 +++++++ + qapi/block-export.json | 4 ++-- + 4 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c +index 2ac4aedff..32a666b5d 100644 +--- a/block/monitor/block-hmp-cmds.c ++++ b/block/monitor/block-hmp-cmds.c +@@ -411,7 +411,8 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict) + goto exit; + } + +- nbd_server_start(addr, NULL, NULL, 0, &local_err); ++ nbd_server_start(addr, NULL, NULL, NBD_DEFAULT_MAX_CONNECTIONS, ++ &local_err); + qapi_free_SocketAddress(addr); + if (local_err != NULL) { + goto exit; +diff --git a/blockdev-nbd.c b/blockdev-nbd.c +index b9e8dc78f..4bd90bac1 100644 +--- a/blockdev-nbd.c ++++ b/blockdev-nbd.c +@@ -171,6 +171,10 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds, + + void nbd_server_start_options(NbdServerOptions *arg, Error **errp) + { ++ if (!arg->has_max_connections) { ++ arg->max_connections = NBD_DEFAULT_MAX_CONNECTIONS; ++ } ++ + nbd_server_start(arg->addr, arg->tls_creds, arg->tls_authz, + arg->max_connections, errp); + } +@@ -183,6 +187,10 @@ void qmp_nbd_server_start(SocketAddressLegacy *addr, + { + SocketAddress *addr_flat = socket_address_flatten(addr); + ++ if (!has_max_connections) { ++ max_connections = NBD_DEFAULT_MAX_CONNECTIONS; ++ } ++ + nbd_server_start(addr_flat, tls_creds, tls_authz, max_connections, errp); + qapi_free_SocketAddress(addr_flat); + } +diff --git a/include/block/nbd.h b/include/block/nbd.h +index b71a29724..a31c34a8a 100644 +--- a/include/block/nbd.h ++++ b/include/block/nbd.h +@@ -33,6 +33,13 @@ extern const BlockExportDriver blk_exp_nbd; + */ + #define NBD_DEFAULT_HANDSHAKE_MAX_SECS 10 + ++/* ++ * NBD_DEFAULT_MAX_CONNECTIONS: Number of client sockets to allow at ++ * once; must be large enough to allow a MULTI_CONN-aware client like ++ * nbdcopy to create its typical number of 8-16 sockets. ++ */ ++#define NBD_DEFAULT_MAX_CONNECTIONS 100 ++ + /* Handshake phase structs - this struct is passed on the wire */ + + struct NBDOption { +diff --git a/qapi/block-export.json b/qapi/block-export.json +index c1b92ce1c..181d7238f 100644 +--- a/qapi/block-export.json ++++ b/qapi/block-export.json +@@ -21,7 +21,7 @@ + # recreated on the fly while the NBD server is active. + # If missing, it will default to denying access (since 4.0). + # @max-connections: The maximum number of connections to allow at the same +-# time, 0 for unlimited. (since 5.2; default: 0) ++# time, 0 for unlimited. (since 5.2; default: 100) + # + # Since: 4.2 + ## +@@ -50,7 +50,7 @@ + # recreated on the fly while the NBD server is active. + # If missing, it will default to denying access (since 4.0). + # @max-connections: The maximum number of connections to allow at the same +-# time, 0 for unlimited. (since 5.2; default: 0) ++# time, 0 for unlimited. (since 5.2; default: 100) + # + # Returns: error if the server is already running. + # +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0003.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0003.patch new file mode 100644 index 0000000000..1d27f4712c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0003.patch @@ -0,0 +1,122 @@ +From b9b72cb3ce15b693148bd09cef7e50110566d8a0 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Thu, 8 Aug 2024 16:05:08 -0500 +Subject: [PATCH] nbd/server: CVE-2024-7409: Drop non-negotiating clients + +A client that opens a socket but does not negotiate is merely hogging +qemu's resources (an open fd and a small amount of memory); and a +malicious client that can access the port where NBD is listening can +attempt a denial of service attack by intentionally opening and +abandoning lots of unfinished connections. The previous patch put a +default bound on the number of such ongoing connections, but once that +limit is hit, no more clients can connect (including legitimate ones). +The solution is to insist that clients complete handshake within a +reasonable time limit, defaulting to 10 seconds. A client that has +not successfully completed NBD_OPT_GO by then (including the case of +where the client didn't know TLS credentials to even reach the point +of NBD_OPT_GO) is wasting our time and does not deserve to stay +connected. Later patches will allow fine-tuning the limit away from +the default value (including disabling it for doing integration +testing of the handshake process itself). + +Note that this patch in isolation actually makes it more likely to see +qemu SEGV after nbd-server-stop, as any client socket still connected +when the server shuts down will now be closed after 10 seconds rather +than at the client's whims. That will be addressed in the next patch. + +For a demo of this patch in action: +$ qemu-nbd -f raw -r -t -e 10 file & +$ nbdsh --opt-mode -c ' +H = list() +for i in range(20): + print(i) + H.insert(i, nbd.NBD()) + H[i].set_opt_mode(True) + H[i].connect_uri("nbd://localhost") +' +$ kill $! + +where later connections get to start progressing once earlier ones are +forcefully dropped for taking too long, rather than hanging. + +Suggested-by: Daniel P. Berrangé +Signed-off-by: Eric Blake +Message-ID: <20240807174943.771624-13-eblake@redhat.com> +Reviewed-by: Daniel P. Berrangé +[eblake: rebase to changes earlier in series, reduce scope of timer] +Signed-off-by: Eric Blake + +CVE: CVE-2024-7409 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/b9b72cb3ce15b693148bd09cef7e50110566d8a0] +Signed-off-by: Hitendra Prajapati +--- + nbd/server.c | 28 +++++++++++++++++++++++++++- + nbd/trace-events | 1 + + 2 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/nbd/server.c b/nbd/server.c +index 12680c8dc..1bb253726 100644 +--- a/nbd/server.c ++++ b/nbd/server.c +@@ -2698,22 +2698,48 @@ static void nbd_client_receive_next_request(NBDClient *client) + } + } + ++static void nbd_handshake_timer_cb(void *opaque) ++{ ++ QIOChannel *ioc = opaque; ++ ++ trace_nbd_handshake_timer_cb(); ++ qio_channel_shutdown(ioc, QIO_CHANNEL_SHUTDOWN_BOTH, NULL); ++} ++ + static coroutine_fn void nbd_co_client_start(void *opaque) + { + NBDClient *client = opaque; + Error *local_err = NULL; ++ QEMUTimer *handshake_timer = NULL; + + qemu_co_mutex_init(&client->send_lock); + +- /* TODO - utilize client->handshake_max_secs */ ++ /* ++ * Create a timer to bound the time spent in negotiation. If the ++ * timer expires, it is likely nbd_negotiate will fail because the ++ * socket was shutdown. ++ */ ++ if (client->handshake_max_secs > 0) { ++ handshake_timer = aio_timer_new(qemu_get_aio_context(), ++ QEMU_CLOCK_REALTIME, ++ SCALE_NS, ++ nbd_handshake_timer_cb, ++ client->sioc); ++ timer_mod(handshake_timer, ++ qemu_clock_get_ns(QEMU_CLOCK_REALTIME) + ++ client->handshake_max_secs * NANOSECONDS_PER_SECOND); ++ } ++ + if (nbd_negotiate(client, &local_err)) { + if (local_err) { + error_report_err(local_err); + } ++ timer_free(handshake_timer); + client_close(client, false); + return; + } + ++ timer_free(handshake_timer); + nbd_client_receive_next_request(client); + } + +diff --git a/nbd/trace-events b/nbd/trace-events +index c4919a2dd..553546f1f 100644 +--- a/nbd/trace-events ++++ b/nbd/trace-events +@@ -73,3 +73,4 @@ nbd_co_receive_request_decode_type(uint64_t handle, uint16_t type, const char *n + nbd_co_receive_request_payload_received(uint64_t handle, uint32_t len) "Payload received: handle = %" PRIu64 ", len = %" PRIu32 + nbd_co_receive_align_compliance(const char *op, uint64_t from, uint32_t len, uint32_t align) "client sent non-compliant unaligned %s request: from=0x%" PRIx64 ", len=0x%" PRIx32 ", align=0x%" PRIx32 + nbd_trip(void) "Reading request" ++nbd_handshake_timer_cb(void) "client took too long to negotiate" +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0004.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0004.patch new file mode 100644 index 0000000000..ffdb1b0d94 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0004.patch @@ -0,0 +1,163 @@ +From 3e7ef738c8462c45043a1d39f702a0990406a3b3 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Wed, 7 Aug 2024 12:23:13 -0500 +Subject: [PATCH] nbd/server: CVE-2024-7409: Close stray clients at server-stop + +A malicious client can attempt to connect to an NBD server, and then +intentionally delay progress in the handshake, including if it does +not know the TLS secrets. Although the previous two patches reduce +this behavior by capping the default max-connections parameter and +killing slow clients, they did not eliminate the possibility of a +client waiting to close the socket until after the QMP nbd-server-stop +command is executed, at which point qemu would SEGV when trying to +dereference the NULL nbd_server global which is no longer present. +This amounts to a denial of service attack. Worse, if another NBD +server is started before the malicious client disconnects, I cannot +rule out additional adverse effects when the old client interferes +with the connection count of the new server (although the most likely +is a crash due to an assertion failure when checking +nbd_server->connections > 0). + +For environments without this patch, the CVE can be mitigated by +ensuring (such as via a firewall) that only trusted clients can +connect to an NBD server. Note that using frameworks like libvirt +that ensure that TLS is used and that nbd-server-stop is not executed +while any trusted clients are still connected will only help if there +is also no possibility for an untrusted client to open a connection +but then stall on the NBD handshake. + +Given the previous patches, it would be possible to guarantee that no +clients remain connected by having nbd-server-stop sleep for longer +than the default handshake deadline before finally freeing the global +nbd_server object, but that could make QMP non-responsive for a long +time. So intead, this patch fixes the problem by tracking all client +sockets opened while the server is running, and forcefully closing any +such sockets remaining without a completed handshake at the time of +nbd-server-stop, then waiting until the coroutines servicing those +sockets notice the state change. nbd-server-stop now has a second +AIO_WAIT_WHILE_UNLOCKED (the first is indirectly through the +blk_exp_close_all_type() that disconnects all clients that completed +handshakes), but forced socket shutdown is enough to progress the +coroutines and quickly tear down all clients before the server is +freed, thus finally fixing the CVE. + +This patch relies heavily on the fact that nbd/server.c guarantees +that it only calls nbd_blockdev_client_closed() from the main loop +(see the assertion in nbd_client_put() and the hoops used in +nbd_client_put_nonzero() to achieve that); if we did not have that +guarantee, we would also need a mutex protecting our accesses of the +list of connections to survive re-entrancy from independent iothreads. + +Although I did not actually try to test old builds, it looks like this +problem has existed since at least commit 862172f45c (v2.12.0, 2017) - +even back when that patch started using a QIONetListener to handle +listening on multiple sockets, nbd_server_free() was already unaware +that the nbd_blockdev_client_closed callback can be reached later by a +client thread that has not completed handshakes (and therefore the +client's socket never got added to the list closed in +nbd_export_close_all), despite that patch intentionally tearing down +the QIONetListener to prevent new clients. + +Reported-by: Alexander Ivanov +Fixes: CVE-2024-7409 +CC: qemu-stable@nongnu.org +Signed-off-by: Eric Blake +Message-ID: <20240807174943.771624-14-eblake@redhat.com> +Reviewed-by: Daniel P. Berrangé + +CVE: CVE-2024-7409 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/3e7ef738c8462c45043a1d39f702a0990406a3b3] +Signed-off-by: Hitendra Prajapati +--- + blockdev-nbd.c | 35 ++++++++++++++++++++++++++++++++++- + 1 file changed, 34 insertions(+), 1 deletion(-) + +diff --git a/blockdev-nbd.c b/blockdev-nbd.c +index 4bd90bac1..c71ca38d2 100644 +--- a/blockdev-nbd.c ++++ b/blockdev-nbd.c +@@ -21,12 +21,18 @@ + #include "io/channel-socket.h" + #include "io/net-listener.h" + ++typedef struct NBDConn { ++ QIOChannelSocket *cioc; ++ QLIST_ENTRY(NBDConn) next; ++} NBDConn; ++ + typedef struct NBDServerData { + QIONetListener *listener; + QCryptoTLSCreds *tlscreds; + char *tlsauthz; + uint32_t max_connections; + uint32_t connections; ++ QLIST_HEAD(, NBDConn) conns; + } NBDServerData; + + static NBDServerData *nbd_server; +@@ -46,6 +52,14 @@ bool nbd_server_is_running(void) + + static void nbd_blockdev_client_closed(NBDClient *client, bool ignored) + { ++ NBDConn *conn = nbd_client_owner(client); ++ ++ assert(qemu_mutex_iothread_locked() && nbd_server); ++ ++ object_unref(OBJECT(conn->cioc)); ++ QLIST_REMOVE(conn, next); ++ g_free(conn); ++ + nbd_client_put(client); + assert(nbd_server->connections > 0); + nbd_server->connections--; +@@ -55,14 +69,20 @@ static void nbd_blockdev_client_closed(NBDClient *client, bool ignored) + static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc, + gpointer opaque) + { ++ NBDConn *conn = g_new0(NBDConn, 1); ++ ++ assert(qemu_mutex_iothread_locked() && nbd_server); + nbd_server->connections++; ++ object_ref(OBJECT(cioc)); ++ conn->cioc = cioc; ++ QLIST_INSERT_HEAD(&nbd_server->conns, conn, next); + nbd_update_server_watch(nbd_server); + + qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server"); + /* TODO - expose handshake timeout as QMP option */ + nbd_client_new(cioc, NBD_DEFAULT_HANDSHAKE_MAX_SECS, + nbd_server->tlscreds, nbd_server->tlsauthz, +- nbd_blockdev_client_closed, NULL); ++ nbd_blockdev_client_closed, conn); + } + + static void nbd_update_server_watch(NBDServerData *s) +@@ -76,12 +96,25 @@ static void nbd_update_server_watch(NBDServerData *s) + + static void nbd_server_free(NBDServerData *server) + { ++ NBDConn *conn, *tmp; ++ + if (!server) { + return; + } + ++ /* ++ * Forcefully close the listener socket, and any clients that have ++ * not yet disconnected on their own. ++ */ + qio_net_listener_disconnect(server->listener); + object_unref(OBJECT(server->listener)); ++ QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) { ++ qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH, ++ NULL); ++ } ++ ++ AIO_WAIT_WHILE(NULL, server->connections > 0); ++ + if (server->tlscreds) { + object_unref(OBJECT(server->tlscreds)); + } +-- +2.25.1 + From patchwork Thu Sep 5 12:40:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48690 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AB73CCD5BBE for ; Thu, 5 Sep 2024 12:41:17 +0000 (UTC) Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) by mx.groups.io with SMTP id smtpd.web11.8285.1725540074368386262 for ; Thu, 05 Sep 2024 05:41:14 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=ybWeSGom; spf=softfail (domain: sakoman.com, ip: 209.85.214.182, mailfrom: steve@sakoman.com) Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-20551eeba95so7076805ad.2 for ; Thu, 05 Sep 2024 05:41:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725540074; x=1726144874; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=HtvdG5Ct9dFs4vc7+VYh+FjpjxpfWolb0U+QtCfxVZY=; b=ybWeSGomd+ty7Slegx6GRd50Try2/cKUtTNkYDY0sbPJ8c8NvZU77U76OF/Yb4YP0U s/Jfrpx3uf/fT4THv3WqWwr4LSfSIgQ9c143SepGg+NG9ecwArgNFFpBKCDADj//dlnc JcasecN4s6bgdTubkQzmJowEox4fyI4oZXmp93y6d1ZNvnqoNykexlpSrA3VcdgZkU1k UUIHA+Jn92PnN/aPimLM6w8N3nxMvL3903H3S1oy/rsErd6TxkVH/zWXCU9cfFwYBPGC 9584ZQYyzJQqdn/mxDQxKt2+NXO55x84Erk0f0r53Zt36wOzbIqrZHl+TGXnM07U0U03 Fk9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725540074; x=1726144874; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HtvdG5Ct9dFs4vc7+VYh+FjpjxpfWolb0U+QtCfxVZY=; b=cqtD/FmpMTrESwXPrcN28Ttnnp9XEVESWmdCYKx7f4ThHbzUuZCSuHbQFIxRCvw+sE a3/N4qIVf5gdQDwIZOcN66/m9Gm060Lrgxz1htXQPpEaXD/FkmQ5c8oIxPV9KbgWBcKn 9KELtuxERPjIdgOBT8SeRFPpRX3UY9D4hLdtpwNvG9hVzwNf59z+tkDyEN8V+1bIoq7Y nePt2mjYtNyaLq/I/mikCYkNzc9wX4QKko2peTQKdXtMbZ94bRuxWNvafX6R0W3UvlTW ADoYeckpEog4eN9PBwMMHgGtYUHH4fHIKXRCnSNfQ/Je9vTcuoVA6j5Zd7fqbXFW8tqr HLeg== X-Gm-Message-State: AOJu0Yxh0mUEag8lx4+hpP5PEFYNwNqVDwuXUs2HjzzlqoZg5AANxhta xlfmwBG43tQNNE5V48szZnJkoixoT47Sw2ba+LeKsz06r+lw3TNfH988R5y0ACepYamcIcxYytC VC8U= X-Google-Smtp-Source: AGHT+IGnpMOmX03h5ElMfUPgCtrvWNB+t1VC5ZTahL1IoaPLHYgfPawj53PUp/ahI51t0vsOeF18Kw== X-Received: by 2002:a17:902:d507:b0:206:c675:66d5 with SMTP id d9443c01a7336-206c6756979mr49400985ad.15.1725540073448; Thu, 05 Sep 2024 05:41:13 -0700 (PDT) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea38c31sm28107265ad.151.2024.09.05.05.41.12 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Sep 2024 05:41:13 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/6] sqlite3: CVE-ID correction for CVE-2023-7104 Date: Thu, 5 Sep 2024 05:40:58 -0700 Message-Id: <9d7f21f3d0ae24d0005076396e9a929bb32d648e.1725539924.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Sep 2024 12:41:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204233 From: Vrushti Dabhi - The commit [https://sqlite.org/src/info/0e4e7a05c4204b47] ("Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset.") fixes CVE-2023-7104 instead of CVE-2022-46908. - Hence, corrected the CVE-ID in CVE-2023-7104.patch. - Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-7104 Signed-off-by: Vrushti Dabhi Signed-off-by: Steve Sakoman --- meta/recipes-support/sqlite/files/CVE-2023-7104.patch | 10 ++++++---- meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 +- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch index 25c6ba017c..5f3681070e 100644 --- a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch +++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch @@ -1,18 +1,20 @@ -From 09f1652f36c5c4e8a6a640ce887f9ea0f48a7958 Mon Sep 17 00:00:00 2001 +From f388a0c44d2abdbd582686e511fef36c1b96ae43 Mon Sep 17 00:00:00 2001 From: dan Date: Thu, 7 Sep 2023 13:53:09 +0000 Subject: [PATCH] Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset. Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47] -CVE: CVE-2022-46908 +CVE: CVE-2023-7104 + Signed-off-by: Peter Marko +Signed-off-by: Vrushti Dabhi --- sqlite3.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) -diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c -index 9f862f2465..0491549231 100644 +diff --git a/sqlite3.c b/sqlite3.c +index a16db27..0b979f7 100644 --- a/sqlite3.c +++ b/sqlite3.c @@ -213482,15 +213482,19 @@ static int sessionReadRecord( diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb index cece207eae..b3d5029365 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb @@ -8,7 +8,7 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2022-46908.patch \ file://CVE-2023-36191.patch \ file://CVE-2023-7104.patch \ -" + " SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c" # -19242 is only an issue in specific development branch commits From patchwork Thu Sep 5 12:40:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48692 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D6ACDCD5BC0 for ; Thu, 5 Sep 2024 12:41:17 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web11.8286.1725540076128852638 for ; Thu, 05 Sep 2024 05:41:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=11gO9D5e; spf=softfail (domain: sakoman.com, ip: 209.85.214.178, mailfrom: steve@sakoman.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-206e614953aso1416745ad.1 for ; Thu, 05 Sep 2024 05:41:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725540075; x=1726144875; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PV+swu2KClsWqEifwO7xBeW9n/9LeVxK597hSoEpFO8=; b=11gO9D5esuCy7WRbj080JmIZAGqFgR3SbbKonPCpf1sQ94geejmFapt4VEMFVf9PDu kdAo2dwFzeo2wzSDE48z2jtYQcXwfjEjjIuxnehIU4g4VjtvVBB0nfxkAxBSkadL09ua 16UC/PkHBdBa32Vz38lEi8dMCBSC1rCBVgFb71zVbcublT6GyN7k31EkTwwTeatAh2Z5 u9LgcZsv12ycgraBj2in4EIaByfNa6Qtnhj9xNJusuGzh1bTCupamWp5/gIEUs3tpRR1 pJ2bNrzGG8xXhKyO8XXuGN3usqSrfzjxXXyOyX/szhraNzCqvqMoIboiChYmAaCb3LGH BlKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725540075; x=1726144875; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PV+swu2KClsWqEifwO7xBeW9n/9LeVxK597hSoEpFO8=; b=bdzCHZxO993exLL/49t5lenZ/zP3mqwyLYxjXHe9Xafv9Jy6ArwAF/37wVIHLPGMt6 YBQX04vV9WpcXX0VPYHj4zJjJiw1aghVba8ZE7zo1rPgnk/yEEgqOuHb6Q1leJ/wJhwM W+U2MByN4tPkxbV0D0ggMuNshhx4x8YWc9zKZOMK7taMoyJqGlS9njvSJI5/nSxHc4mr aQuyJSTf6JLhp3/kqA93aIUfwZHq0xkFrLEEtIIjPczDKZwC43wfv5iI8jgJLTNNDfVu v0tyyYVtIDdvaVatLxQZkLAJMEkl5WD5hWRsLBK4ZtEuBYxHSprNnfjOZCMoCEGFIrNk uPlw== X-Gm-Message-State: AOJu0YzUPGLGbqMtOgTzLpBfJULoaWCQDBh56mRHoLqQb/SblnIcJGcO tduzLb9HbAsZz/8/LHKjRGx5lG663/B6bezqWIBvQRGV2059w1UQLnvsPmMtXaALKUXZSFYCwPN ekPI= X-Google-Smtp-Source: AGHT+IEP+1ZYbBWwRahmpAFOxWmP6oQ4LYpkawm8t2hGeIeQSrTVB7Oi4f4lIY/ZnZhe0Bz6mJCgDA== X-Received: by 2002:a17:902:ecd2:b0:205:608d:2475 with SMTP id d9443c01a7336-205608d2657mr160560255ad.44.1725540075271; Thu, 05 Sep 2024 05:41:15 -0700 (PDT) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea38c31sm28107265ad.151.2024.09.05.05.41.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Sep 2024 05:41:14 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 3/6] sqlite3: Rename patch for CVE-2022-35737 Date: Thu, 5 Sep 2024 05:40:59 -0700 Message-Id: <9a875873e566a6673a65a8264fd0868c568e2a2c.1725539924.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Sep 2024 12:41:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204234 From: Vrushti Dabhi The patch "0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch" fixes CVE-2022-35737. Signed-off-by: Vrushti Dabhi Signed-off-by: Steve Sakoman --- ...-in-the-printf-implementation.patch => CVE-2022-35737.patch} | 0 meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-support/sqlite/files/{0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch => CVE-2022-35737.patch} (100%) diff --git a/meta/recipes-support/sqlite/files/0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch b/meta/recipes-support/sqlite/files/CVE-2022-35737.patch similarity index 100% rename from meta/recipes-support/sqlite/files/0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch rename to meta/recipes-support/sqlite/files/CVE-2022-35737.patch diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb index b3d5029365..0a7a136c53 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb @@ -4,7 +4,7 @@ LICENSE = "PD" LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66" SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \ - file://0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch \ + file://CVE-2022-35737.patch \ file://CVE-2022-46908.patch \ file://CVE-2023-36191.patch \ file://CVE-2023-7104.patch \ From patchwork Thu Sep 5 12:41:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48696 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B1521CD5BC0 for ; Thu, 5 Sep 2024 12:41:27 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.web10.8184.1725540077906353284 for ; Thu, 05 Sep 2024 05:41:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Ft7AVHd3; spf=softfail (domain: sakoman.com, ip: 209.85.214.179, mailfrom: steve@sakoman.com) Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-20570b42f24so9961825ad.1 for ; Thu, 05 Sep 2024 05:41:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725540077; x=1726144877; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=W0PRZ8rAgkZM/pxYMYXVrAmpf0FHoTNNEWV57d5Y594=; b=Ft7AVHd3cZWSG3wNLpnoJxHBu+4yiYQ/DFaDwyWkJNAumTP8/NDtzciSXbwEPJO8se dYkI5gu7C0MLH1xHE95UPrVNtE9MjJ9AIu+hvhTMHJs/4YQ4SuiJYWr2pQdgVJFXycX4 4txYYFSAAHrW04EyHll+CJbPIgy+ri+7h1NJv4FEhoFoZHJvTspdceVhyMoVFBs66G2T wwz/aywZPyQaF74wDIIFb7/YPPD89jNF6m30Umil/+JT3tacFK0uMpZWzACDtD0hD7UW 3W5GYYCEpeOr7Sm+Zurg0xPz+PvvlRO28qHhn3IOUg4/gdruuuN/y8zvANqLpIyw8qdd fUjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725540077; x=1726144877; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=W0PRZ8rAgkZM/pxYMYXVrAmpf0FHoTNNEWV57d5Y594=; b=GCHVTHRn+IdImOZWSPYT1OG/lplcIDyIznlEX+KhpUrRJVm3nCo511CkhMa/ljshyt Wpr2T7/RTiRjLaUJ6hgkxlX0bAfF4cd+8YGGEkd0wHHYMXvJjJS5fY4oCQWMuOPbhxfU iOlb8axfvzK9X779Srr9UtUC/cW/D+Q6qZ7/ic26LfK6Ww2uQVF/UHg7PdgprU9Ja4xB /CwMJrEh7J0HmqWctgRN5XPshkn4xUxepkKZWajSU+8PyOInOzy7t8jJ4iQMF1nzPZHA PD6by81stb8pAPUqih82UgVMSDpAgxiGcmL7I0PM9alKW0m/U5tGfuU48d5cBGwSLyUP ok6g== X-Gm-Message-State: AOJu0YwUeYz8sryK7E1ueZ5+PM+/OyeaKgXR3zQaz2rJcGt4sr7mhkLc NIEL/Iat824B552BkrHpqQ9ys5dxFUdf9YF5w9miEGKBnEixYAQx6x6bsAQpoTgsAxYwxqjTf9i /NOg= X-Google-Smtp-Source: AGHT+IFcWbu2m8lPCiIWIUn44Z7mNKh4wixd13GwBdUpSuGbgczc25pnnpKEXAFemn9Hbe+VB5/k4Q== X-Received: by 2002:a17:902:da8c:b0:206:98c8:4a71 with SMTP id d9443c01a7336-20699afc7f3mr114532165ad.38.1725540077115; Thu, 05 Sep 2024 05:41:17 -0700 (PDT) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea38c31sm28107265ad.151.2024.09.05.05.41.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Sep 2024 05:41:16 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/6] python3: Security fix for CVE-2024-8088 Date: Thu, 5 Sep 2024 05:41:00 -0700 Message-Id: <295addec33c83443423a3ef87905c3a70f44a4e7.1725539924.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Sep 2024 12:41:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204235 From: Rohini Sangam CVE fixed: - CVE-2024-8088: python: cpython: denial of service in zipfile Upstream-Status: Backport from https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db Signed-off-by: Rohini Sangam Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- .../python/python3/CVE-2024-8088.patch | 124 ++++++++++++++++++ .../python/python3_3.10.14.bb | 1 + 2 files changed, 125 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch new file mode 100644 index 0000000000..10d28a9e65 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch @@ -0,0 +1,124 @@ +From e0264a61119d551658d9445af38323ba94fc16db Mon Sep 17 00:00:00 2001 +From: "Jason R. Coombs" +Date: Thu, 22 Aug 2024 19:24:33 -0400 +Subject: [PATCH] CVE-2024-8088: Sanitize names in zipfile.Path. (GH-122906) + +Upstream-Status: Backport from https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db +CVE: CVE-2024-8088 + +Signed-off-by: Rohini Sangam +--- + Lib/test/test_zipfile.py | 17 ++++++ + Lib/zipfile.py | 61 ++++++++++++++++++- + 2 files changed, 77 insertions(+), 1 deletion(-) + +diff --git a/Lib/test/test_zipfile.py b/Lib/test/test_zipfile.py +index 32c0170..a60dc11 100644 +--- a/Lib/test/test_zipfile.py ++++ b/Lib/test/test_zipfile.py +@@ -3280,6 +3280,23 @@ with zipfile.ZipFile(io.BytesIO(), "w") as zf: + zipfile.Path(zf) + zf.extractall(source_path.parent) + ++ def test_malformed_paths(self): ++ """ ++ Path should handle malformed paths. ++ """ ++ data = io.BytesIO() ++ zf = zipfile.ZipFile(data, "w") ++ zf.writestr("/one-slash.txt", b"content") ++ zf.writestr("//two-slash.txt", b"content") ++ zf.writestr("../parent.txt", b"content") ++ zf.filename = '' ++ root = zipfile.Path(zf) ++ assert list(map(str, root.iterdir())) == [ ++ 'one-slash.txt', ++ 'two-slash.txt', ++ 'parent.txt', ++ ] ++ + + class StripExtraTests(unittest.TestCase): + # Note: all of the "z" characters are technically invalid, but up +diff --git a/Lib/zipfile.py b/Lib/zipfile.py +index 7d18bc2..cbac8d9 100644 +--- a/Lib/zipfile.py ++++ b/Lib/zipfile.py +@@ -9,6 +9,7 @@ import io + import itertools + import os + import posixpath ++import re + import shutil + import stat + import struct +@@ -2182,7 +2183,65 @@ def _difference(minuend, subtrahend): + return itertools.filterfalse(set(subtrahend).__contains__, minuend) + + +-class CompleteDirs(ZipFile): ++class SanitizedNames: ++ """ ++ ZipFile mix-in to ensure names are sanitized. ++ """ ++ ++ def namelist(self): ++ return list(map(self._sanitize, super().namelist())) ++ ++ @staticmethod ++ def _sanitize(name): ++ r""" ++ Ensure a relative path with posix separators and no dot names. ++ Modeled after ++ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813 ++ but provides consistent cross-platform behavior. ++ >>> san = SanitizedNames._sanitize ++ >>> san('/foo/bar') ++ 'foo/bar' ++ >>> san('//foo.txt') ++ 'foo.txt' ++ >>> san('foo/.././bar.txt') ++ 'foo/bar.txt' ++ >>> san('foo../.bar.txt') ++ 'foo../.bar.txt' ++ >>> san('\\foo\\bar.txt') ++ 'foo/bar.txt' ++ >>> san('D:\\foo.txt') ++ 'D/foo.txt' ++ >>> san('\\\\server\\share\\file.txt') ++ 'server/share/file.txt' ++ >>> san('\\\\?\\GLOBALROOT\\Volume3') ++ '?/GLOBALROOT/Volume3' ++ >>> san('\\\\.\\PhysicalDrive1\\root') ++ 'PhysicalDrive1/root' ++ Retain any trailing slash. ++ >>> san('abc/') ++ 'abc/' ++ Raises a ValueError if the result is empty. ++ >>> san('../..') ++ Traceback (most recent call last): ++ ... ++ ValueError: Empty filename ++ """ ++ ++ def allowed(part): ++ return part and part not in {'..', '.'} ++ ++ # Remove the drive letter. ++ # Don't use ntpath.splitdrive, because that also strips UNC paths ++ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE) ++ clean = bare.replace('\\', '/') ++ parts = clean.split('/') ++ joined = '/'.join(filter(allowed, parts)) ++ if not joined: ++ raise ValueError("Empty filename") ++ return joined + '/' * name.endswith('/') ++ ++ ++class CompleteDirs(SanitizedNames, ZipFile): + """ + A ZipFile subclass that ensures that implied directories + are always included in the namelist. +-- +2.35.7 + diff --git a/meta/recipes-devtools/python/python3_3.10.14.bb b/meta/recipes-devtools/python/python3_3.10.14.bb index b5bc80ab88..14ab3f6155 100644 --- a/meta/recipes-devtools/python/python3_3.10.14.bb +++ b/meta/recipes-devtools/python/python3_3.10.14.bb @@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://deterministic_imports.patch \ file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ file://0001-test_storlines-skip-due-to-load-variability.patch \ + file://CVE-2024-8088.patch \ " SRC_URI:append:class-native = " \ From patchwork Thu Sep 5 12:41:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48695 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C28D6CD5BAE for ; Thu, 5 Sep 2024 12:41:27 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web11.8287.1725540079383731572 for ; Thu, 05 Sep 2024 05:41:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=uHeqIodK; spf=softfail (domain: sakoman.com, ip: 209.85.214.174, mailfrom: steve@sakoman.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-1fc47abc040so7049205ad.0 for ; Thu, 05 Sep 2024 05:41:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725540079; x=1726144879; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=hO5qZu7EkNJLdrqcpwzCBunbZOGj1a4U12aUf0YU+TY=; b=uHeqIodKfU86KJ+tCp92fNrKbD/jv0yI8Q9SugP60KWOZvsB06PDjkR6QHDNfs1w4W IbUo5SbjM1AprRYzAsvEMeGO+RHyJf2FLlKpUy2C7NLP3GHTMF2FwmZ1Wv3P545SSOr/ JVHojpgJMKWaezP0mrGYAedp2b0jlTsF2LWr5446QmbjzDf6CnFxXQEV7FQu4eun6o1q m3SiCm33JJIyScJNPAJQeDBFeYALVVhX6rA5ojDvFtyLGBamg4ku+/+yWgwuVFpV1YG2 paaIPa260xq8raInYP3utFBNZi1puz20k6tYgz6eIBL9WcNYUUHnHyHvThsKZ5tu03AZ t9Mw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725540079; x=1726144879; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=hO5qZu7EkNJLdrqcpwzCBunbZOGj1a4U12aUf0YU+TY=; b=hKIZ2oIivaM2cJbO+fVXjznx5qsBCgQjy0srLE0b3gaSkxDh2GSmOZivczjDim0GZS cQvhoDsLILga04qzJdgJo2JXFBSqCJgN4YPlLgt39lTe1QoBiXuwbRh2LuOBgjys4UIz VzBcIb+I6yrkUhycqXCsUHJ6rpXiSWrWFAlYvV+0IAhWvCnCgOi4PlbZVNcVgH+Y2EG4 QiNgPsco64uwuZjN4uRkzhUkFOhZvwtZ6oLXsebSJbVzK08sp7+TNrXL3N+9Sc4711lg tBWCYPhLdmiAmzGsh46GRQ2fhSmyQmnQ06lRIZRswsdOAAffcTsIw/v5eAjnMaBWMiFy b5hQ== X-Gm-Message-State: AOJu0YwqVVL0EZGSs/WAnS5BNbLifVaHGR1aGxafQIbR0wDuuCDK6l1j J+ieYC3C1+pVMnKpl5f8PXVcgyV4m+IiK+6i0DQNpOsjYQ2tZgMz7HasVDudl8G/kTrR3cNi23B khN8= X-Google-Smtp-Source: AGHT+IGQFXFKN+8cuRNX79PSpfNJw8Ix+w6nuIjJHJB7grkkR9unA8Lq2zdWDZLaIxV4JQEtsXOTUA== X-Received: by 2002:a17:903:32c7:b0:205:7db3:fdd1 with SMTP id d9443c01a7336-2057db3ff8dmr145731175ad.36.1725540078640; Thu, 05 Sep 2024 05:41:18 -0700 (PDT) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea38c31sm28107265ad.151.2024.09.05.05.41.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Sep 2024 05:41:18 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/6] apr: upgrade 1.7.2 -> 1.7.5 Date: Thu, 5 Sep 2024 05:41:01 -0700 Message-Id: <4eb12d8683bd22b6503a64070b81b52f0d2f373a.1725539924.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Sep 2024 12:41:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204236 From: Vijay Anusuri Refreshed patch 0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch Includes security fix CVE-2023-49582 changelog: https://downloads.apache.org/apr/CHANGES-APR-1.7 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- ...1-configure-Remove-runtime-test-for-mmap-that-can-map-.patch | 2 +- meta/recipes-support/apr/{apr_1.7.2.bb => apr_1.7.5.bb} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-support/apr/{apr_1.7.2.bb => apr_1.7.5.bb} (98%) diff --git a/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch index a78b16284f..3480deaa4d 100644 --- a/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch +++ b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch @@ -34,7 +34,7 @@ index 3663220..dce9789 100644 -#ifdef HAVE_SYS_MMAN_H -#include -#endif -- int main() +- int main(int argc, const char *argv[]) - { - int fd; - void *m; diff --git a/meta/recipes-support/apr/apr_1.7.2.bb b/meta/recipes-support/apr/apr_1.7.5.bb similarity index 98% rename from meta/recipes-support/apr/apr_1.7.2.bb rename to meta/recipes-support/apr/apr_1.7.5.bb index c9059c9921..c58204063c 100644 --- a/meta/recipes-support/apr/apr_1.7.2.bb +++ b/meta/recipes-support/apr/apr_1.7.5.bb @@ -24,7 +24,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \ file://0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch \ " -SRC_URI[sha256sum] = "75e77cc86776c030c0a5c408dfbd0bf2a0b75eed5351e52d5439fa1e5509a43e" +SRC_URI[sha256sum] = "cd0f5d52b9ab1704c72160c5ee3ed5d3d4ca2df4a7f8ab564e3cb352b67232f2" inherit autotools-brokensep lib_package binconfig multilib_header ptest multilib_script From patchwork Thu Sep 5 12:41:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48694 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AFD98CD5BBF for ; Thu, 5 Sep 2024 12:41:27 +0000 (UTC) Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) by mx.groups.io with SMTP id smtpd.web10.8186.1725540081094097231 for ; Thu, 05 Sep 2024 05:41:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=mJ0FMSTL; spf=softfail (domain: sakoman.com, ip: 209.85.214.180, mailfrom: steve@sakoman.com) Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-2053525bd90so7145155ad.0 for ; Thu, 05 Sep 2024 05:41:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725540080; x=1726144880; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=VZIAXRx5pEh2wU8lQRQ2d2P1fhhOzTLFhVrZtYFclNg=; b=mJ0FMSTLbTuy9V0a/fhbY5pz3mmxFwFbc0xumpy/mFZz/YYu3I2XobY/NKXvT14Pru p9ujPW6HGRkDzofjUslq0S4YaBmYk5EY1oZLifuX2BWVYDez4/3gNvNy0T/xWvjbb6yu +yQfcL935SK5/qNNMJXt/nelCgacC1sDvesSotPyU8m0p5ozwjw/zZzFH0qq3hjuMlZY CKsTxmYzukq072RM76qm4OYBYsJvYZDrM2IZTWMFw+aFtEHpX8Kk9PH/Go7s3K50rEm2 nKGRMZUWV0ReeDi92uHn4xBtt1C6ie+AUmT9jI5E1YfDB9V8R4ZD/tUWI34iB2RDK7ws v2IQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725540080; x=1726144880; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=VZIAXRx5pEh2wU8lQRQ2d2P1fhhOzTLFhVrZtYFclNg=; b=GLC9fvIEUE/DEaI71FNjK2YTsPrIKQoT9/zCl+crHqeFk47ZUHGgnH05zF+71oQ1ai ra7L7CCfn0tgJ1OkAEndK0+bRW+CQnkmyT0i0b5D9/2+9e7FhYTvEdxpYEn1Oso0rVem BntUo397Z5zVK1z1W5qqghNzQAhA+a/xwYKEJ0BnvBUxa19sqIC2O6NhhN0BDNMrxhK5 Wu/NBV73PrrJWVPcJkkgJW3UQxUtAY94wbEC1QYBaFGHnvasJDgWFh1EW1nKJg7RUVwo CzR32hJZCNllQ2ag6S2jGmBTIvF7w7SXhbf4Hqs9BipbKwWXuGB9eIJabeEgpXExzwgY r20Q== X-Gm-Message-State: AOJu0YzEQjbI+nkglepJoATsDrQQZ+R8YzWztg85nvMJhPrqJ064jSfm 77vsOra3/zTC8zcRDpgqDJ2RboeEjY14Z9wXLrsYPFiwmQeGjLCl9zBo+1ptJaTav0h74RC2v1g aD+U= X-Google-Smtp-Source: AGHT+IF5sTdJZfW85lqqHVUFYXqIhiuw4WXjjrmI73jU5qkZvESO0yxH94FQLUflN08BNNOEvJAeNw== X-Received: by 2002:a17:902:f601:b0:1fb:2bed:6418 with SMTP id d9443c01a7336-2054ca754e7mr189890685ad.57.1725540080305; Thu, 05 Sep 2024 05:41:20 -0700 (PDT) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea38c31sm28107265ad.151.2024.09.05.05.41.19 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Sep 2024 05:41:20 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/6] wireless-regdb: upgrade 2024.05.08 -> 2024.07.04 Date: Thu, 5 Sep 2024 05:41:02 -0700 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Sep 2024 12:41:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204237 From: Wang Mingyu Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit b460d2d55a35450564ea04255153b0a3bf715530) Signed-off-by: Steve Sakoman --- ...ireless-regdb_2024.05.08.bb => wireless-regdb_2024.07.04.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2024.05.08.bb => wireless-regdb_2024.07.04.bb} (94%) diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.07.04.bb similarity index 94% rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.07.04.bb index 95e33d9fb1..daf5e6dfcd 100644 --- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb +++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.07.04.bb @@ -5,7 +5,7 @@ LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "9aee1d86ebebb363b714bec941b2820f31e3b7f1a485ddc9fcbd9985c7d3e7c4" +SRC_URI[sha256sum] = "9832a14e1be24abff7be30dee3c9a1afb5fdfcf475a0d91aafef039f8d85f5eb" inherit bin_package allarch