From patchwork Tue Jan 7 13:31:05 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55114
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 01/13] libsndfile1: Backport fix for CVE-2022-33065
Date: Tue, 7 Jan 2025 05:31:05 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209454

From: Vijay Anusuri

Added missing commits for complete CVE fix

Ref:
https://github.com/libsndfile/libsndfile/issues/833
https://ubuntu.com/security/CVE-2022-33065

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman --- ...022-33065.patch => CVE-2022-33065-1.patch} | 0 .../libsndfile1/CVE-2022-33065-10.patch | 39 +++ .../libsndfile1/CVE-2022-33065-11.patch | 35 +++ .../libsndfile1/CVE-2022-33065-12.patch | 40 +++ .../libsndfile1/CVE-2022-33065-13.patch | 58 +++++ .../libsndfile1/CVE-2022-33065-2.patch | 58 +++++ .../libsndfile1/CVE-2022-33065-3.patch | 34 +++ .../libsndfile1/CVE-2022-33065-4.patch | 60 +++++ .../libsndfile1/CVE-2022-33065-5.patch | 39 +++ .../libsndfile1/CVE-2022-33065-6.patch | 82 +++++++ .../libsndfile1/CVE-2022-33065-7.patch | 48 ++++ .../libsndfile1/CVE-2022-33065-8.patch | 179 ++++++++++++++ .../libsndfile1/CVE-2022-33065-9.patch | 231 ++++++++++++++++++ .../libsndfile/libsndfile1_1.0.31.bb | 14 +- 14 files changed, 916 insertions(+), 1 deletion(-) rename meta/recipes-multimedia/libsndfile/libsndfile1/{CVE-2022-33065.patch => CVE-2022-33065-1.patch} (100%) create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-10.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-11.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-12.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-13.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-2.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-3.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-4.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-5.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-6.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-7.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-8.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-9.patch 
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-1.patch similarity index 100% rename from meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch rename to meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-1.patch diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-10.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-10.patch new file mode 100644 index 0000000000..17867fc308 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-10.patch 
@@ -0,0 +1,39 @@ +From cd44bfaf3708e778c8670cb7f707a597c3334376 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Tue, 17 Oct 2023 11:50:53 -0400 +Subject: [PATCH 14/17] nms_adpcm: fix int overflow in sf.frames calc + +When calculating sf.frames from the blocks_total PNMS variable, it is +theoretically possible to overflow the blocks_total int boundaries, +leading to undefined behavior. + +Cast blocks_total to a long-sized sf_count_t before the calculation, to +provide it with enough numeric space and because that is the final +typing regardless. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-10.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/cd44bfaf3708e778c8670cb7f707a597c3334376] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/nms_adpcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c +index dca85f0b0..61d171c73 100644 +--- a/src/nms_adpcm.c ++++ b/src/nms_adpcm.c +@@ -1090,7 +1090,7 @@ nms_adpcm_init (SF_PRIVATE *psf) + else + pnms->blocks_total = psf->datalength / (pnms->shortsperblock * sizeof (short)) ; + +- psf->sf.frames = pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ; ++ psf->sf.frames = (sf_count_t) pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ; + psf->codec_close = nms_adpcm_close ; + psf->seek = nms_adpcm_seek ; + diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-11.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-11.patch new file mode 100644 index 0000000000..a147a0d593 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-11.patch 
@@ -0,0 +1,35 @@ +From 915e154e2deb327612ca413c838365b7c9bfbf16 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Tue, 17 Oct 2023 11:57:23 -0400 +Subject: [PATCH 15/17] pcm: fix int overflow in pcm_init() + +Cast the int-sized bytewidth variable to a long-sized sf_count_t type +prior to calculating the blockwidth, to provide the calculation with +enough numeric space and sf_count_t is the final typing regardless. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-11.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/915e154e2deb327612ca413c838365b7c9bfbf16] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/pcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pcm.c b/src/pcm.c +index bdf461839..a42e48681 100644 +--- a/src/pcm.c ++++ b/src/pcm.c +@@ -127,7 +127,7 @@ pcm_init (SF_PRIVATE *psf) + return SFE_INTERNAL ; + } ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + if ((SF_CODEC (psf->sf.format)) == SF_FORMAT_PCM_S8) + chars = SF_CHARS_SIGNED ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-12.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-12.patch new file mode 100644 index 0000000000..659a6a4c22 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-12.patch 
@@ -0,0 +1,40 @@ +From ec149a79d457916479489d71b55e4d63015a08ea Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Tue, 17 Oct 2023 12:01:00 -0400 +Subject: [PATCH 16/17] rf64: fix int overflow in rf64_read_header() + +When checking for mismatches between the filelength and riff_size, it is +possible to overflow the temporary riff_size value used in the +comparison by adding a static offset; which is probably fine, but it is +offensive to overflow fuzzers. + +Since filelength is always a positive value, simply move the offset to +the other side of the comparison operator as a negative value, avoid the +possibility of an overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-12.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/ec149a79d457916479489d71b55e4d63015a08ea] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/rf64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rf64.c b/src/rf64.c +index 123db445a..c60399fb3 100644 +--- a/src/rf64.c ++++ b/src/rf64.c +@@ -242,7 +242,7 @@ rf64_read_header (SF_PRIVATE *psf, int *blockalign, int *framesperblock) + } ; + } ; + +- if (psf->filelength != riff_size + 8) ++ if (psf->filelength - 8 != riff_size) + psf_log_printf (psf, " Riff size : %D (should be %D)\n", riff_size, psf->filelength - 8) ; + else + psf_log_printf (psf, " Riff size : %D\n", riff_size) ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-13.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-13.patch new file mode 100644 index 0000000000..107b1dcae4 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-13.patch 
@@ -0,0 +1,58 @@ +From 9f097e492a07c96e3b250d6ac0044499f64f6cea Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Tue, 17 Oct 2023 12:19:12 -0400 +Subject: [PATCH 17/17] ima_adpcm: fix int overflow in ima_reader_init() + +When calculating sf.frames, pre-cast samplesperblock to sf_count_t, to +provide the calculation with enough numeric space to avoid overflows. + +Other changes in this commit are syntactic, and only to satisfy the git +pre-commit syntax checker. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-13.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/9f097e492a07c96e3b250d6ac0044499f64f6cea] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/ima_adpcm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- libsndfile-1.0.31.orig/src/ima_adpcm.c ++++ libsndfile-1.0.31/src/ima_adpcm.c +@@ -182,7 +182,12 @@ ima_reader_init (SF_PRIVATE *psf, int bl + if (psf->file.mode != SFM_READ) + return SFE_BAD_MODE_RW ; + +- pimasize = sizeof (IMA_ADPCM_PRIVATE) + blockalign * psf->sf.channels + 3 * psf->sf.channels * samplesperblock ; ++ /* ++ ** Allocate enough space for 1 more than a multiple of 8 samples ++ ** to avoid having to branch when pulling apart the nibbles. ++ */ ++ count = ((samplesperblock - 2) | 7) + 2 ; ++ pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign + samplesperblock + sizeof (short) * count) ; + + if (! 
(pima = calloc (1, pimasize))) + return SFE_MALLOC_FAILED ; +@@ -233,7 +238,7 @@ ima_reader_init (SF_PRIVATE *psf, int bl + case SF_FORMAT_AIFF : + psf_log_printf (psf, "still need to check block count\n") ; + pima->decode_block = aiff_ima_decode_block ; +- psf->sf.frames = pima->samplesperblock * pima->blocks / pima->channels ; ++ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks / pima->channels ; + break ; + + default : +@@ -386,7 +391,7 @@ aiff_ima_encode_block (SF_PRIVATE *psf, + static int + wavlike_ima_decode_block (SF_PRIVATE *psf, IMA_ADPCM_PRIVATE *pima) + { int chan, k, predictor, blockindx, indx, indxstart, diff ; +- short step, bytecode, stepindx [2] ; ++ short step, bytecode, stepindx [2] = { 0 } ; + + pima->blockcount ++ ; + pima->samplecount = 0 ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-2.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-2.patch new file mode 100644 index 0000000000..93b8856e41 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-2.patch 
@@ -0,0 +1,58 @@ +From 56e6c5408f1ee6d476b234c105fb28b4998e811b Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 16:36:02 -0400 +Subject: [PATCH 06/17] au: avoid int overflow while calculating data_end + +At several points in au_read_header(), we calculate the functional end +of the data segment by adding the (int)au_fmt.dataoffset and the +(int)au_fmt.datasize. This can overflow the implicit int_32 return value +and cause undefined behavior. + +Instead, precalculate the value and assign it to a 64-bit +(sf_count_t)data_end variable. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-2.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/56e6c5408f1ee6d476b234c105fb28b4998e811b] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/au.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/au.c b/src/au.c +index 62bd691d6..f68f25871 100644 +--- a/src/au.c ++++ b/src/au.c +@@ -291,6 +291,7 @@ static int + au_read_header (SF_PRIVATE *psf) + { AU_FMT au_fmt ; + int marker, dword ; ++ sf_count_t data_end ; + + memset (&au_fmt, 0, sizeof (au_fmt)) ; + psf_binheader_readf (psf, "pm", 0, &marker) ; +@@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf) + return SFE_AU_EMBED_BAD_LEN ; + } ; + ++ data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ; + if (psf->fileoffset > 0) +- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ; ++ { psf->filelength = data_end ; + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; + } +- else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength) ++ else if (au_fmt.datasize == -1 || data_end == psf->filelength) + psf_log_printf (psf, " Data Size : %d\n", 
au_fmt.datasize) ; +- else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength) +- { psf->filelength = au_fmt.dataoffset + au_fmt.datasize ; ++ else if (data_end < psf->filelength) ++ { psf->filelength = data_end ; + psf_log_printf (psf, " Data Size : %d\n", au_fmt.datasize) ; + } + else diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-3.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-3.patch new file mode 100644 index 0000000000..80af387081 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-3.patch @@ -0,0 +1,34 @@ +From 839fa9131820d689b2038c81531b618b2932fbe3 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 16:46:29 -0400 +Subject: [PATCH 07/17] avr: fix int overflow in avr_read_header() + +Pre-cast hdr.frames to sf_count_t, to provide the calculation with +enough numeric space to avoid an int-overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-3.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/839fa9131820d689b2038c81531b618b2932fbe3] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/avr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/avr.c b/src/avr.c +index 6c78ff69b..1bc1ffc90 100644 +--- a/src/avr.c ++++ b/src/avr.c +@@ -162,7 +162,7 @@ avr_read_header (SF_PRIVATE *psf) + psf->endian = SF_ENDIAN_BIG ; + + psf->dataoffset = AVR_HDR_SIZE ; +- psf->datalength = hdr.frames * (hdr.rez / 8) ; ++ psf->datalength = (sf_count_t) hdr.frames * (hdr.rez / 8) ; + + if (psf->fileoffset > 0) + psf->filelength = AVR_HDR_SIZE + psf->datalength ; 
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-4.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-4.patch new file mode 100644 index 0000000000..2c1e10f66c --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-4.patch 
@@ -0,0 +1,60 @@ +From 1116fa173ea8785c9d881936b2174be6a58c0055 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 16:54:21 -0400 +Subject: [PATCH 08/17] sds: fix int overflow warning in sample calculations + +The sds_*byte_read() functions compose their uint_32 sample buffers by +shifting 7bit samples into a 32bit wide buffer, and adding them +together. Because the 7bit samples are stored in 32bit ints, code +fuzzers become concerned that the addition operation can overflow and +cause undefined behavior. + +Instead, bitwise-OR the bytes together - which should accomplish the +same arithmetic operation, without risking an int-overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Do the same for the 3byte and 4byte read functions. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-4.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/1116fa173ea8785c9d881936b2174be6a58c0055] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/sds.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/sds.c b/src/sds.c +index 6bc761716..2a0f164c3 100644 +--- a/src/sds.c ++++ b/src/sds.c +@@ -454,7 +454,7 @@ sds_2byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 2) +- { sample = arith_shift_left (ucptr [k], 25) + arith_shift_left (ucptr [k + 1], 18) ; ++ { sample = arith_shift_left (ucptr [k], 25) | arith_shift_left (ucptr [k + 1], 18) ; + psds->read_samples [k / 2] = (int) (sample - 0x80000000) ; + } ; + +@@ -498,7 +498,7 @@ sds_3byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 3) +- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) ; ++ { sample = 
(((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) ; + psds->read_samples [k / 3] = (int) (sample - 0x80000000) ; + } ; + +@@ -542,7 +542,7 @@ sds_4byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds) + + ucptr = psds->read_data + 5 ; + for (k = 0 ; k < 120 ; k += 4) +- { sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) + (ucptr [k + 3] << 4) ; ++ { sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) | (ucptr [k + 3] << 4) ; + psds->read_samples [k / 4] = (int) (sample - 0x80000000) ; + } ; + diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-5.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-5.patch new file mode 100644 index 0000000000..a96e5fefa4 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-5.patch 
@@ -0,0 +1,39 @@ +From 23188c9b1c34f06ca7f17243425d59403e9eb0db Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 17:26:51 -0400 +Subject: [PATCH 09/17] aiff: fix int overflow when counting header elements + +aiff_read_basc_chunk() tries to count the AIFF header size by keeping +track of the bytes returned by psf_binheader_readf(). Though improbable, +it is technically possible for these added bytes to exceed the int-sized +`count` accumulator. + +Use a 64-bit sf_count_t type for `count`, to ensure that it always has +enough numeric space. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-5.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/23188c9b1c34f06ca7f17243425d59403e9eb0db] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/aiff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/aiff.c b/src/aiff.c +index ac3655e9d..6d8f1bc83 100644 +--- a/src/aiff.c ++++ b/src/aiff.c +@@ -1702,7 +1702,7 @@ static int + aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize) + { const char * type_str ; + basc_CHUNK bc ; +- int count ; ++ sf_count_t count ; + + count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ; + count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-6.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-6.patch new file mode 100644 index 0000000000..0f89c47d59 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-6.patch 
@@ -0,0 +1,82 @@ +From 00bd0320d895ef5f3027c75a9df26546bc18f8b7 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 17:43:02 -0400 +Subject: [PATCH 10/17] ircam: fix int overflow in ircam_read_header() + +When reading the IRCAM header, it is possible for the calculated +blockwidth to exceed the bounds of a signed int32. + +Use a 64bit sf_count_t to store the blockwidth. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-6.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/00bd0320d895ef5f3027c75a9df26546bc18f8b7] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/common.h | 2 +- + src/ircam.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/common.h b/src/common.h +index cd9ac8b07..01f6ae095 100644 +--- a/src/common.h ++++ b/src/common.h +@@ -439,7 +439,7 @@ typedef struct sf_private_tag + sf_count_t datalength ; /* Length in bytes of the audio data. */ + sf_count_t dataend ; /* Offset to file tailer. */ + +- int blockwidth ; /* Size in bytes of one set of interleaved samples. */ ++ sf_count_t blockwidth ; /* Size in bytes of one set of interleaved samples. */ + int bytewidth ; /* Size in bytes of one sample (one channel). 
*/ + + void *dither ; +diff --git a/src/ircam.c b/src/ircam.c +index 8e7cdba81..3d73ba442 100644 +--- a/src/ircam.c ++++ b/src/ircam.c +@@ -171,35 +171,35 @@ ircam_read_header (SF_PRIVATE *psf) + switch (encoding) + { case IRCAM_PCM_16 : + psf->bytewidth = 2 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_16 ; + break ; + + case IRCAM_PCM_32 : + psf->bytewidth = 4 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_32 ; + break ; + + case IRCAM_FLOAT : + psf->bytewidth = 4 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_FLOAT ; + break ; + + case IRCAM_ALAW : + psf->bytewidth = 1 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ALAW ; + break ; + + case IRCAM_ULAW : + psf->bytewidth = 1 ; +- psf->blockwidth = psf->sf.channels * psf->bytewidth ; ++ psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ; + + psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ULAW ; + break ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-7.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-7.patch new file mode 100644 index 0000000000..a26c14294d --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-7.patch 
@@ -0,0 +1,48 @@ +From 590608bbbded2ca0966dc89c5d9b6bf659f4cb71 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Wed, 11 Oct 2023 16:12:22 -0400 +Subject: [PATCH 11/17] mat4/mat5: fix int overflow when calculating blockwidth + +Pre-cast the components of the blockwidth calculation to sf_count_t to +avoid overflowing integers during calculation. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-7.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/590608bbbded2ca0966dc89c5d9b6bf659f4cb71] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/mat4.c | 2 +- + src/mat5.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/mat4.c b/src/mat4.c +index 575683ba1..9f046f0c6 100644 +--- a/src/mat4.c ++++ b/src/mat4.c +@@ -104,7 +104,7 @@ mat4_open (SF_PRIVATE *psf) + + psf->container_close = mat4_close ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + switch (subformat) + { case SF_FORMAT_PCM_16 : +diff --git a/src/mat5.c b/src/mat5.c +index da5a6eca0..20f0ea64b 100644 +--- a/src/mat5.c ++++ b/src/mat5.c +@@ -114,7 +114,7 @@ mat5_open (SF_PRIVATE *psf) + + psf->container_close = mat5_close ; + +- psf->blockwidth = psf->bytewidth * psf->sf.channels ; ++ psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ; + + switch (subformat) + { case SF_FORMAT_PCM_U8 : diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-8.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-8.patch new file mode 100644 index 0000000000..641f73ad55 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-8.patch 
@@ -0,0 +1,179 @@ +From 4ec860910a4ee91ed4fdf1c0a49f2dad96d595c9 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Mon, 16 Oct 2023 12:37:47 -0400 +Subject: [PATCH 12/17] common: fix int overflow in psf_binheader_readf() + +The psf_binheader_readf() function attempts to count and return the +number of bytes traversed in the header. During this accumulation, it is +possible to overflow the int-sized byte_count variable. + +Avoid this overflow by checking that the accumulated bytes do not exceed +INT_MAX and throwing an error if they do. This implies that files with +multi-gigabyte headers threaten to produce this error, but I imagine +those files don't really exist - and this error is better than the +undefined behavior which would have resulted previously. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-8.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/4ec860910a4ee91ed4fdf1c0a49f2dad96d595c9] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/common.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +--- libsndfile-1.0.31.orig/src/common.c ++++ libsndfile-1.0.31/src/common.c +@@ -18,6 +18,7 @@ + + #include + ++#include + #include + #include + #if HAVE_UNISTD_H +@@ -962,6 +963,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + double *doubleptr ; + char c ; + int byte_count = 0, count = 0 ; ++ int read_bytes = 0 ; + + if (! 
format) + return psf_ftell (psf) ; +@@ -970,6 +972,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + + while ((c = *format++)) + { ++ read_bytes = 0 ; + if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16)) + return count ; + +@@ -986,7 +989,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, ucptr, sizeof (int)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (int)) ; + *intptr = GET_MARKER (ucptr) ; + break ; + +@@ -994,7 +997,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ; ++ read_bytes = header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ; + { int k ; + intdata = 0 ; + for (k = 0 ; k < 16 ; k++) +@@ -1006,14 +1009,14 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case '1' : + charptr = va_arg (argptr, char*) ; + *charptr = 0 ; +- byte_count += header_read (psf, charptr, sizeof (char)) ; ++ read_bytes = header_read (psf, charptr, sizeof (char)) ; + break ; + + case '2' : /* 2 byte value with the current endian-ness */ + shortptr = va_arg (argptr, unsigned short*) ; + *shortptr = 0 ; + ucptr = (unsigned char*) shortptr ; +- byte_count += header_read (psf, ucptr, sizeof (short)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (short)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *shortptr = GET_BE_SHORT (ucptr) ; + else +@@ -1023,7 +1026,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case '3' : /* 3 byte value with the current endian-ness */ + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; +- byte_count += header_read (psf, sixteen_bytes, 3) ; ++ read_bytes = header_read (psf, sixteen_bytes, 3) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *intptr = GET_BE_3BYTE (sixteen_bytes) ; + else +@@ -1034,7 +1037,7 @@ 
psf_binheader_readf (SF_PRIVATE *psf, ch + intptr = va_arg (argptr, unsigned int*) ; + *intptr = 0 ; + ucptr = (unsigned char*) intptr ; +- byte_count += header_read (psf, ucptr, sizeof (int)) ; ++ read_bytes = header_read (psf, ucptr, sizeof (int)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *intptr = psf_get_be32 (ucptr, 0) ; + else +@@ -1044,7 +1047,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case '8' : /* 8 byte value with the current endian-ness */ + countptr = va_arg (argptr, sf_count_t *) ; + *countptr = 0 ; +- byte_count += header_read (psf, sixteen_bytes, 8) ; ++ read_bytes = header_read (psf, sixteen_bytes, 8) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + countdata = psf_get_be64 (sixteen_bytes, 0) ; + else +@@ -1055,7 +1058,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case 'f' : /* Float conversion */ + floatptr = va_arg (argptr, float *) ; + *floatptr = 0.0 ; +- byte_count += header_read (psf, floatptr, sizeof (float)) ; ++ read_bytes = header_read (psf, floatptr, sizeof (float)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *floatptr = float32_be_read ((unsigned char*) floatptr) ; + else +@@ -1065,7 +1068,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case 'd' : /* double conversion */ + doubleptr = va_arg (argptr, double *) ; + *doubleptr = 0.0 ; +- byte_count += header_read (psf, doubleptr, sizeof (double)) ; ++ read_bytes = header_read (psf, doubleptr, sizeof (double)) ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + *doubleptr = double64_be_read ((unsigned char*) doubleptr) ; + else +@@ -1089,7 +1092,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + charptr = va_arg (argptr, char*) ; + count = va_arg (argptr, size_t) ; + memset (charptr, 0, count) ; +- byte_count += header_read (psf, charptr, count) ; ++ read_bytes = header_read (psf, charptr, count) ; + break ; + + case 'G' : +@@ -1100,7 +1103,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + if (psf->header.indx + count >= psf->header.len && psf_bump_header_allocation (psf, count)) + return 0 ; + +- 
byte_count += header_gets (psf, charptr, count) ; ++ read_bytes = header_gets (psf, charptr, count) ; + break ; + + case 'z' : +@@ -1124,7 +1127,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + case 'j' : /* Seek to position from current position. */ + count = va_arg (argptr, size_t) ; + header_seek (psf, count, SEEK_CUR) ; +- byte_count += count ; ++ read_bytes = count ; + break ; + + default : +@@ -1132,8 +1135,17 @@ psf_binheader_readf (SF_PRIVATE *psf, ch + psf->error = SFE_INTERNAL ; + break ; + } ; ++ ++ if (read_bytes > 0 && byte_count > (INT_MAX - read_bytes)) ++ { psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.", c) ; ++ psf->error = SFE_INTERNAL ; ++ break ; ++ } else ++ { byte_count += read_bytes ; + } ; + ++ } ; /*end while*/ ++ + va_end (argptr) ; + + return byte_count ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-9.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-9.patch new file mode 100644 index 0000000000..88dc80addf --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-9.patch 
@@ -0,0 +1,231 @@ +From 6e162cb767e81cd15f4dc2a2fa253d2e36adfd70 Mon Sep 17 00:00:00 2001 +From: Alex Stewart +Date: Thu, 19 Oct 2023 14:07:19 -0400 +Subject: [PATCH 13/17] nms_adpcm: fix int overflow in signal estimate + +It is possible (though functionally incorrect) for the signal estimate +calculation in nms_adpcm_update() to overflow the int value of s_e, +resulting in undefined behavior. + +Since adpcm state signal values are never practically larger than +16 bits, use smaller numeric sizes throughout the file to avoid the +overflow. + +CVE: CVE-2022-33065 +Fixes: https://github.com/libsndfile/libsndfile/issues/833 + +Authored-by: Arthur Taylor +Signed-off-by: Alex Stewart + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-9.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/libsndfile/libsndfile/commit/6e162cb767e81cd15f4dc2a2fa253d2e36adfd70] +CVE: CVE-2022-33065 +Signed-off-by: Vijay Anusuri +--- + src/nms_adpcm.c | 81 ++++++++++++++++++++++++------------------------- + 1 file changed, 40 insertions(+), 41 deletions(-) + +--- libsndfile-1.2.0.orig/src/nms_adpcm.c ++++ libsndfile-1.2.0/src/nms_adpcm.c +@@ -48,36 +48,36 @@ + /* Variable names from ITU G.726 spec */ + struct nms_adpcm_state + { /* Log of the step size multiplier. Operated on by codewords. */ +- int yl ; ++ short yl ; + + /* Quantizer step size multiplier. Generated from yl. */ +- int y ; ++ short y ; + + /* Coefficents of the pole predictor */ +- int a [2] ; ++ short a [2] ; + + /* Coefficents of the zero predictor */ +- int b [6] ; ++ short b [6] ; + + /* Previous quantized deltas (multiplied by 2^14) */ +- int d_q [7] ; ++ short d_q [7] ; + + /* d_q [x] + s_ez [x], used by the pole-predictor for signs only. */ +- int p [3] ; ++ short p [3] ; + + /* Previous reconstructed signal values. 
*/ +- int s_r [2] ; ++ short s_r [2] ; + + /* Zero predictor components of the signal estimate. */ +- int s_ez ; ++ short s_ez ; + + /* Signal estimate, (including s_ez). */ +- int s_e ; ++ short s_e ; + + /* The most recent codeword (enc:generated, dec:inputted) */ +- int Ik ; ++ char Ik ; + +- int parity ; ++ char parity ; + + /* + ** Offset into code tables for the bitrate. +@@ -109,7 +109,7 @@ typedef struct + } NMS_ADPCM_PRIVATE ; + + /* Pre-computed exponential interval used in the antilog approximation. */ +-static unsigned int table_expn [] = ++static unsigned short table_expn [] = + { 0x4000, 0x4167, 0x42d5, 0x444c, 0x45cb, 0x4752, 0x48e2, 0x4a7a, + 0x4c1b, 0x4dc7, 0x4f7a, 0x5138, 0x52ff, 0x54d1, 0x56ac, 0x5892, + 0x5a82, 0x5c7e, 0x5e84, 0x6096, 0x62b4, 0x64dd, 0x6712, 0x6954, +@@ -117,21 +117,21 @@ static unsigned int table_expn [] = + } ; + + /* Table mapping codewords to scale factor deltas. */ +-static int table_scale_factor_step [] = ++static short table_scale_factor_step [] = + { 0x0, 0x0, 0x0, 0x0, 0x4b0, 0x0, 0x0, 0x0, /* 2-bit */ + -0x3c, 0x0, 0x90, 0x0, 0x2ee, 0x0, 0x898, 0x0, /* 3-bit */ + -0x30, 0x12, 0x6b, 0xc8, 0x188, 0x2e0, 0x551, 0x1150, /* 4-bit */ + } ; + + /* Table mapping codewords to quantized delta interval steps. */ +-static unsigned int table_step [] = ++static unsigned short table_step [] = + { 0x73F, 0, 0, 0, 0x1829, 0, 0, 0, /* 2-bit */ + 0x3EB, 0, 0xC18, 0, 0x1581, 0, 0x226E, 0, /* 3-bit */ + 0x20C, 0x635, 0xA83, 0xF12, 0x1418, 0x19E3, 0x211A, 0x2BBA, /* 4-bit */ + } ; + + /* Binary search lookup table for quantizing using table_step. */ +-static int table_step_search [] = ++static short table_step_search [] = + { 0, 0x1F6D, 0, -0x1F6D, 0, 0, 0, 0, /* 2-bit */ + 0x1008, 0x1192, 0, -0x219A, 0x1656, -0x1656, 0, 0, /* 3-bit */ + 0x872, 0x1277, -0x8E6, -0x232B, 0xD06, -0x17D7, -0x11D3, 0, /* 4-bit */ +@@ -179,23 +179,23 @@ static sf_count_t nms_adpcm_seek (SF_PRI + ** Maps [1,20480] to [1,1024] in an exponential relationship. 
This is + ** approximately ret = b^exp where b = e^(ln(1024)/ln(20480)) ~= 1.0003385 + */ +-static inline int +-nms_adpcm_antilog (int exp) +-{ int ret ; +- +- ret = 0x1000 ; +- ret += (((exp & 0x3f) * 0x166b) >> 12) ; +- ret *= table_expn [(exp & 0x7c0) >> 6] ; +- ret >>= (26 - (exp >> 11)) ; ++static inline short ++nms_adpcm_antilog (short exp) ++{ int_fast32_t r ; ++ ++ r = 0x1000 ; ++ r += (((int_fast32_t) (exp & 0x3f) * 0x166b) >> 12) ; ++ r *= table_expn [(exp & 0x7c0) >> 6] ; ++ r >>= (26 - (exp >> 11)) ; + +- return ret ; ++ return (short) r ; + } /* nms_adpcm_antilog */ + + static void + nms_adpcm_update (struct nms_adpcm_state *s) + { /* Variable names from ITU G.726 spec */ +- int a1ul ; +- int fa1 ; ++ short a1ul, fa1 ; ++ int_fast32_t se ; + int i ; + + /* Decay and Modify the scale factor in the log domain based on the codeword. */ +@@ -222,7 +222,7 @@ nms_adpcm_update (struct nms_adpcm_state + else if (fa1 > 256) + fa1 = 256 ; + +- s->a [0] = (0xff * s->a [0]) >> 8 ; ++ s->a [0] = (s->a [0] * 0xff) >> 8 ; + if (s->p [0] != 0 && s->p [1] != 0 && ((s->p [0] ^ s->p [1]) < 0)) + s->a [0] -= 192 ; + else +@@ -230,7 +230,7 @@ nms_adpcm_update (struct nms_adpcm_state + fa1 = -fa1 ; + } + +- s->a [1] = fa1 + ((0xfe * s->a [1]) >> 8) ; ++ s->a [1] = fa1 + ((s->a [1] * 0xfe) >> 8) ; + if (s->p [0] != 0 && s->p [2] != 0 && ((s->p [0] ^ s->p [2]) < 0)) + s->a [1] -= 128 ; + else +@@ -250,19 +250,18 @@ nms_adpcm_update (struct nms_adpcm_state + s->a [0] = a1ul ; + } ; + +- /* Compute the zero predictor estimate. Rotate past deltas too. */ +- s->s_ez = 0 ; ++ /* Compute the zero predictor estimate and rotate past deltas. */ ++ se = 0 ; + for (i = 5 ; i >= 0 ; i--) +- { s->s_ez += s->d_q [i] * s->b [i] ; ++ { se += (int_fast32_t) s->d_q [i] * s->b [i] ; + s->d_q [i + 1] = s->d_q [i] ; + } ; ++ s->s_ez = se >> 14 ; + +- /* Compute the signal estimate. 
*/ +- s->s_e = s->a [0] * s->s_r [0] + s->a [1] * s->s_r [1] + s->s_ez ; +- +- /* Return to scale */ +- s->s_ez >>= 14 ; +- s->s_e >>= 14 ; ++ /* Complete the signal estimate. */ ++ se += (int_fast32_t) s->a [0] * s->s_r [0] ; ++ se += (int_fast32_t) s->a [1] * s->s_r [1] ; ++ s->s_e = se >> 14 ; + + /* Rotate members to prepare for next iteration. */ + s->s_r [1] = s->s_r [0] ; +@@ -274,7 +273,7 @@ nms_adpcm_update (struct nms_adpcm_state + static int16_t + nms_adpcm_reconstruct_sample (struct nms_adpcm_state *s, uint8_t I) + { /* Variable names from ITU G.726 spec */ +- int dqx ; ++ int_fast32_t dqx ; + + /* + ** The ordering of the 12-bit right-shift is a precision loss. It agrees +@@ -308,17 +307,17 @@ nms_adpcm_codec_init (struct nms_adpcm_s + /* + ** nms_adpcm_encode_sample() + ** +-** Encode a linear 16-bit pcm sample into a 2,3, or 4 bit NMS-ADPCM codeword ++** Encode a linear 16-bit pcm sample into a 2, 3, or 4 bit NMS-ADPCM codeword + ** using and updating the predictor state. + */ + static uint8_t + nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl) + { /* Variable names from ITU G.726 spec */ +- int d ; ++ int_fast32_t d ; + uint8_t I ; + + /* Down scale the sample from 16 => ~14 bits. */ +- sl = (sl * 0x1fdf) / 0x7fff ; ++ sl = ((int_fast32_t) sl * 0x1fdf) / 0x7fff ; + + /* Compute estimate, and delta from actual value */ + nms_adpcm_update (s) ; +@@ -407,7 +406,7 @@ nms_adpcm_encode_sample (struct nms_adpc + */ + static int16_t + nms_adpcm_decode_sample (struct nms_adpcm_state *s, uint8_t I) +-{ int sl ; ++{ int_fast32_t sl ; + + nms_adpcm_update (s) ; + sl = nms_adpcm_reconstruct_sample (s, I) ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb index 20240635f7..6a6ccf7567 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb 
@@ -11,7 +11,19 @@ LICENSE = "LGPL-2.1-only" SRC_URI = "https://github.com/libsndfile/libsndfile/releases/download/${PV}/libsndfile-${PV}.tar.bz2 \ file://noopus.patch \ file://0001-flac-Fix-improper-buffer-reusing-732.patch \ - file://CVE-2022-33065.patch \ + file://CVE-2022-33065-1.patch \ + file://CVE-2022-33065-2.patch \ + file://CVE-2022-33065-3.patch \ + file://CVE-2022-33065-4.patch \ + file://CVE-2022-33065-5.patch \ + file://CVE-2022-33065-6.patch \ + file://CVE-2022-33065-7.patch \ + file://CVE-2022-33065-8.patch \ + file://CVE-2022-33065-9.patch \ + file://CVE-2022-33065-10.patch \ + file://CVE-2022-33065-11.patch \ + file://CVE-2022-33065-12.patch \ + file://CVE-2022-33065-13.patch \ file://CVE-2024-50612.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libsndfile/libsndfile/releases/"
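Review bot: In the last hunk of CVE-2022-33065-8.patch (the end of the `while` loop in psf_binheader_readf) the new guard only fires when `read_bytes > 0`, so a negative `read_bytes` is still added to `byte_count` with no range check. That value can come from the 'j' case, where `count` is an `int` assigned from `va_arg (argptr, size_t)` and then copied with `read_bytes = count`. Rejecting a negative `read_bytes` before the addition would cover that path. The added `psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.", c)` also passes `c` to a format string that has no conversion; either drop the argument or print the offending format character with `%c`.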
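Review bot: The file header of CVE-2022-33065-9.patch names `libsndfile-1.2.0.orig/src/nms_adpcm.c`, while CVE-2022-33065-8.patch uses `libsndfile-1.0.31.orig/src/common.c` and the recipe is libsndfile1_1.0.31.bb. Please confirm that this patch applies to the 1.0.31 sources without fuzz, and say in the Upstream-Status line if it had to be refreshed.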
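Review bot: In the `struct nms_adpcm_state` hunk of CVE-2022-33065-9.patch, `Ik` and `parity` become plain `char`, whose signedness is implementation-defined, so the same code can behave differently between targets. The codeword is passed around as `uint8_t I` in nms_adpcm_reconstruct_sample, nms_adpcm_encode_sample and nms_adpcm_decode_sample, so `uint8_t Ik` (or an explicit `signed char` if negative values are intended) would make the width reduction unambiguous.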
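Review bot: In the nms_adpcm_update hunk of CVE-2022-33065-9.patch the accumulator `se` is an `int_fast32_t`, which is only guaranteed to hold 32 bits, yet it sums six `d_q [i] * b [i]` products and two `a [n] * s_r [n]` products of `short` operands. Each product can reach 2^30 in magnitude, so the worst case is 2^33 and the signed overflow this patch is meant to remove is still reachable on targets where `int_fast32_t` is 32 bits wide. An `int64_t` accumulator would close it; the narrowing stores `s->s_ez = se >> 14` and `s->s_e = se >> 14` into `short` would also benefit from an explicit clamp or a comment stating the expected range.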
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/13] ghostscript: ignore CVE-2024-46954
Date: Tue, 7 Jan 2025 05:31:06 -0800
Message-ID: <7f1b174b8f12fcf377c45c27022bac99b6652823.1736256495.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209455

From: Peter Marko

Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe. [1] points to [2] as patch, while file base/gp_utf8.c is not part of ghostscript source tarball.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-46954
[2] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=55f587dd039282316f512e1bea64218fd991f934

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index cd0a7de70e..6d425710b5 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -24,7 +24,7 @@ UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)\.tar" CVE_CHECK_IGNORE += "CVE-2013-6629" # Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe. -CVE_CHECK_IGNORE += "CVE-2023-38560" +CVE_CHECK_IGNORE += "CVE-2023-38560 CVE-2024-46954" def gs_verdir(v): return "".join(v.split("."))
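Review bot: The added `CVE-2024-46954` reuses the one-line comment "Issue in the GhostPCL" written for CVE-2023-38560, and the evidence given in the commit message (the referenced fix touches base/gp_utf8.c, which is not in the ghostscript source tarball) is not recorded in the recipe. Putting each ID on its own `CVE_CHECK_IGNORE +=` line with that reason in the comment above it keeps the justification auditable when the recipe is next upgraded or the tarball contents change.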
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 03/13] tiff: ignore CVE-2023-2731
Date: Tue, 7 Jan 2025 05:31:07 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209456

From: Peter Marko

This further tweaks fix for CVE-2022-1622/CVE-2022-1623 by adding it to one additional goto label.

Previous fix: https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a
Additional fix: https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 27bb306e94..a47fc4bd34 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -65,8 +65,8 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P\d+(\.\d+)+).tar" # and 4.3.0 doesn't have the issue CVE_CHECK_IGNORE += "CVE-2015-7313" # These issues only affect libtiff post-4.3.0 but before 4.4.0, -# caused by 3079627e and fixed by b4e79bfa. -CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" +# caused by 3079627e and fixed by b4e79bfa and again by 9be22b63 +CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623 CVE-2023-2731" # Issue is in jbig which we don't enable CVE_CHECK_IGNORE += "CVE-2022-1210"
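Review bot: The rewritten comment keeps the opening claim "These issues only affect libtiff post-4.3.0 but before 4.4.0" and now applies it to CVE-2023-2731 as well, while the commit message only describes 9be22b63 as a further tweak of the earlier fix. Please state in the comment that CVE-2023-2731 lives in the code introduced by 3079627e, so that 4.3.0 never contained it; as written, the ignore can be read as resting on a fix that is not part of this version. The new comment line also dropped the closing period the old one had.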
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 04/13] tiff: patch CVE-2023-3164
Date: Tue, 7 Jan 2025 05:31:08 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209457

From: Peter Marko

Backport fix from upstream. There was style refactoring done in the code meanwhile, so the patch was assembled manually by applying each change on 4.3.0 sources.

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 .../libtiff/tiff/CVE-2023-3164.patch | 114 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 1 +
 2 files changed, 115 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch new file mode 100644 index 0000000000..4a47db8789 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch
@@ -0,0 +1,114 @@ +From a20298c4785c369469510613dfbc5bf230164fed Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Fri, 17 May 2024 15:11:10 +0000 +Subject: [PATCH] tiffcrop: fixes #542, #550, #552 (buffer overflows, use after + free) + +CVE: CVE-2023-3164 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/a20298c4785c369469510613dfbc5bf230164fed] +Signed-off-by: Peter Marko +--- + tools/tiffcrop.c | 31 +++++++++++++++++++++++++++++-- + 1 file changed, 29 insertions(+), 2 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index b11fec93a..aaf6bb280 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -449,6 +449,7 @@ static uint16_t defcompression = (uint16_t) -1; + static uint16_t defpredictor = (uint16_t) -1; + static int pageNum = 0; + static int little_endian = 1; ++static tmsize_t check_buffsize = 0; + + /* Functions adapted from tiffcp with additions or significant modifications */ + static int readContigStripsIntoBuffer (TIFF*, uint8_t*); +@@ -2081,6 +2082,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS); + exit (EXIT_FAILURE); + } ++ if ((page->cols * page->rows) < 1) ++ { ++ TIFFError("No subdivisions", "%d", (page->cols * page->rows)); ++ exit(EXIT_FAILURE); ++ } + page->mode |= PAGE_MODE_ROWSCOLS; + break; + case 'U': /* units for measurements and offsets */ +@@ -4433,7 +4439,7 @@ combineSeparateTileSamplesBytes (unsigned char *srcbuffs[], unsigned char *out, + dst = out + (row * dst_rowsize); + src_offset = row * src_rowsize; + #ifdef DEVELMODE +- TIFFError("","Tile row %4d, Src offset %6d Dst offset %6d", ++ TIFFError("","Tile row %4d, Src offset %6d Dst offset %6zd", + row, src_offset, dst - out); + #endif + for (col = 0; col < cols; col++) +@@ -5028,7 +5034,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + break; + } + #ifdef DEVELMODE +- 
TIFFError("", "Strip %2"PRIu32", read %5"PRId32" bytes for %4"PRIu32" scanlines, shift width %d", ++ TIFFError("", "Strip %2"PRIu32", read %5zd bytes for %4"PRIu32" scanlines, shift width %d", + strip, bytes_read, rows_this_strip, shift_width); + #endif + } +@@ -6446,6 +6452,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFError("loadImage", "Unable to allocate read buffer"); + return (-1); + } ++ check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES; + + read_buff[buffsize] = 0; + read_buff[buffsize+1] = 0; +@@ -7076,6 +7083,11 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + TIFFError ("", "Src offset: %8"PRIu32", Dst offset: %8"PRIu32, src_offset, dst_offset); + #endif ++ if (src_offset + full_bytes >= check_buffsize) ++ { ++ printf("Bad input. Preventing reading outside of input buffer.\n"); ++ return(-1); ++ } + _TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes); + dst_offset += full_bytes; + } +@@ -7110,6 +7122,11 @@ extractImageSection(struct image_data *image, struct pageseg *section, + bytebuff1 = bytebuff2 = 0; + if (shift1 == 0) /* the region is byte and sample aligned */ + { ++ if (offset1 + full_bytes >= check_buffsize) ++ { ++ printf("Bad input. Preventing reading outside of input buffer.\n"); ++ return(-1); ++ } + _TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes); + + #ifdef DEVELMODE +@@ -7129,6 +7146,11 @@ extractImageSection(struct image_data *image, struct pageseg *section, + if (trailing_bits != 0) + { + /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ ++ if (offset1 + full_bytes >= check_buffsize) ++ { ++ printf("Bad input. 
Preventing reading outside of input buffer.\n"); ++ return(-1); ++ } + bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); + sect_buff[dst_offset] = bytebuff2; + #ifdef DEVELMODE +@@ -7154,6 +7176,11 @@ extractImageSection(struct image_data *image, struct pageseg *section, + { + /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ + /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ ++ if (offset1 + j + 1 >= check_buffsize) ++ { ++ printf("Bad input. Preventing reading outside of input buffer.\n"); ++ return(-1); ++ } + bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); + bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); + sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); +-- +GitLab + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index a47fc4bd34..5ec7b20e61 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
@@ -54,6 +54,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-6277-3.patch \ file://CVE-2023-6277-4.patch \ file://CVE-2024-7006.patch \ + file://CVE-2023-3164.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
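Review bot: In the extractImageSection hunks of CVE-2023-3164.patch the bound is evaluated as `src_offset + full_bytes >= check_buffsize` (and the same with `offset1`), and `src_offset` is a `uint32_t` according to the `PRIu32` debug print directly above the first check. If `full_bytes` is also 32 bits wide the sum can wrap before it is compared with the `tmsize_t` limit, so one operand should be cast to `tmsize_t` before the addition. The rejection path also reports through `printf` to stdout, while the surrounding code uses `TIFFError`; using `TIFFError` here keeps the diagnostic on the same channel as the other failures in this tool.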
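Review bot: In the combineSeparateTileSamplesBytes hunk of CVE-2023-3164.patch the DEVELMODE format is changed to `%6zd` for the argument `dst - out`, which is a pointer difference and therefore a `ptrdiff_t`. The matching conversion is `%td`; `%zd` only happens to work where both types have the same width. Since the commit message says the patch was assembled by hand for 4.3.0, this is cheap to correct in the backport and worth reporting upstream.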
From patchwork Tue Jan 7 13:31:09 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55116
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 05/13] gstreame1.0: ignore CVEs from gstreamer1.0-plugins-bad
Date: Tue, 7 Jan 2025 05:31:09 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209458

From: Peter Marko

These CVEs are patched in gstreamer1.0-plugins-bad. CPE for gstreamer-plugins-bad mostly hits original gstreamer recipe.

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb index 2c9c6944b0..cf81620833 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb
@@ -69,7 +69,7 @@ FILES:${PN}-dbg += "${datadir}/gdb ${datadir}/gstreamer-1.0/gdb" CVE_PRODUCT = "gstreamer" -# this CVE is patched in gstreamer1.0-plugins-bad -CVE_CHECK_IGNORE += "CVE-2024-0444" +# these CVEs are patched in gstreamer1.0-plugins-bad +CVE_CHECK_IGNORE += "CVE-2023-40474 CVE-2023-40475 CVE-2023-40476 CVE-2023-44429 CVE-2023-44446 CVE-2023-50186 CVE-2024-0444" PTEST_BUILD_HOST_FILES = ""
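Review bot: the widened CVE_CHECK_IGNORE line now suppresses seven CVEs under the single comment "these CVEs are patched in gstreamer1.0-plugins-bad", with nothing tying each ID to the patch or version that fixes it. An ignore entry hides the CVE from this recipe's report regardless of what the other recipe actually ships, so name the gstreamer1.0-plugins-bad patch or version covering each ID in the comment or commit message. Putting one ID per continued line would also make later additions and removals show up as single-line diffs.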
From patchwork Tue Jan 7 13:31:10 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55117
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 06/13] xwayland: patch CVE-2023-5380 CVE-2024-0229
Date: Tue, 7 Jan 2025 05:31:10 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209459

From: Peter Marko

The patches are copied from xserver-xorg recipe. The CVEs are reported for both and patches apply on both.

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 .../xwayland/xwayland/CVE-2023-5380.patch | 103 ++++++++
 .../xwayland/xwayland/CVE-2024-0229-1.patch | 88 +++++++
 .../xwayland/xwayland/CVE-2024-0229-2.patch | 222 ++++++++++++++++++
 .../xwayland/xwayland/CVE-2024-0229-3.patch | 42 ++++
 .../xwayland/xwayland/CVE-2024-0229-4.patch | 46 ++++
 .../xwayland/xwayland_22.1.8.bb | 5 +
 6 files changed, 506 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch new file mode 100644 index 0000000000..ee2aa01b0e --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch
@@ -0,0 +1,103 @@ +From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 5 Oct 2023 12:19:45 +1000 +Subject: [PATCH] mi: reset the PointerWindows reference on screen switch + +PointerWindows[] keeps a reference to the last window our sprite +entered - changes are usually handled by CheckMotion(). + +If we switch between screens via XWarpPointer our +dev->spriteInfo->sprite->win is set to the new screen's root window. +If there's another window at the cursor location CheckMotion() will +trigger the right enter/leave events later. If there is not, it skips +that process and we never trigger LeaveWindow() - PointerWindows[] for +the device still refers to the previous window. + +If that window is destroyed we have a dangling reference that will +eventually cause a use-after-free bug when checking the window hierarchy +later. + +To trigger this, we require: +- two protocol screens +- XWarpPointer to the other screen's root window +- XDestroyWindow before entering any other window + +This is a niche bug so we hack around it by making sure we reset the +PointerWindows[] entry so we cannot have a dangling pointer. This +doesn't handle Enter/Leave events correctly but the previous code didn't +either. 
+ +CVE-2023-5380, ZDI-CAN-21608 + +This vulnerability was discovered by: +Sri working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +Reviewed-by: Adam Jackson + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7] +CVE: CVE-2023-5380 +Signed-off-by: Vijay Anusuri +Signed-off-by: Peter Marko +--- + dix/enterleave.h | 2 -- + include/eventstr.h | 3 +++ + mi/mipointer.c | 17 +++++++++++++++-- + 3 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/dix/enterleave.h b/dix/enterleave.h +index 4b833d8a3b..e8af924c68 100644 +--- a/dix/enterleave.h ++++ b/dix/enterleave.h +@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev, + + extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode); + +-extern void LeaveWindow(DeviceIntPtr dev); +- + extern void CoreFocusEvent(DeviceIntPtr kbd, + int type, int mode, int detail, WindowPtr pWin); + +diff --git a/include/eventstr.h b/include/eventstr.h +index 93308f9b24..a9926eaeef 100644 +--- a/include/eventstr.h ++++ b/include/eventstr.h +@@ -335,4 +335,7 @@ union _InternalEvent { + GestureEvent gesture_event; + }; + ++extern void ++LeaveWindow(DeviceIntPtr dev); ++ + #endif +diff --git a/mi/mipointer.c b/mi/mipointer.c +index a638f25d4a..8cf0035140 100644 +--- a/mi/mipointer.c ++++ b/mi/mipointer.c +@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y) + #ifdef PANORAMIX + && noPanoramiXExtension + #endif +- ) +- UpdateSpriteForScreen(pDev, pScreen); ++ ) { ++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER); ++ /* Hack for CVE-2023-5380: if we're moving ++ * screens PointerWindows[] keeps referring to the ++ * old window. If that gets destroyed we have a UAF ++ * bug later. Only happens when jumping from a window ++ * to the root window on the other screen. ++ * Enter/Leave events are incorrect for that case but ++ * too niche to fix. 
++ */ ++ LeaveWindow(pDev); ++ if (master) ++ LeaveWindow(master); ++ UpdateSpriteForScreen(pDev, pScreen); ++ } + } + + /** +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch new file mode 100644 index 0000000000..03ee6978ca --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch 
@@ -0,0 +1,88 @@ +From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 18 Dec 2023 14:27:50 +1000 +Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify + +If a device has both a button class and a key class and numButtons is +zero, we can get an OOB write due to event under-allocation. + +This function seems to assume a device has either keys or buttons, not +both. It has two virtually identical code paths, both of which assume +they're applying to the first event in the sequence. + +A device with both a key and button class triggered a logic bug - only +one xEvent was allocated but the deviceStateNotify pointer was pushed on +once per type. So effectively this logic code: + + int count = 1; + if (button && nbuttons > 32) count++; + if (key && nbuttons > 0) count++; + if (key && nkeys > 32) count++; // this is basically always true + // count is at 2 for our keys + zero button device + + ev = alloc(count * sizeof(xEvent)); + FixDeviceStateNotify(ev); + if (button) + FixDeviceStateNotify(ev++); + if (key) + FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here + +If the device has more than 3 valuators, the OOB is pushed back - we're +off by one so it will happen when the last deviceValuator event is +written instead. + +Fix this by allocating the maximum number of events we may allocate. +Note that the current behavior is not protocol-correct anyway, this +patch fixes only the allocation issue. + +Note that this issue does not trigger if the device has at least one +button. While the server does not prevent a button class with zero +buttons, it is very unlikely. 
+ +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri +Signed-off-by: Peter Marko +--- + dix/enterleave.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index ded8679d76..17964b00a4 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -675,7 +675,8 @@ static void + DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + { + int evcount = 1; +- deviceStateNotify *ev, *sev; ++ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; ++ deviceStateNotify *ev; + deviceKeyStateNotify *kev; + deviceButtonStateNotify *bev; + +@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + } + } + +- sev = ev = xallocarray(evcount, sizeof(xEvent)); ++ ev = sev; + FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); + + if (b != NULL) { +@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + + DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, + DeviceStateNotifyMask, NullGrab); +- free(sev); + } + + void +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch new file mode 100644 index 0000000000..098b263332 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch 
@@ -0,0 +1,222 @@ +From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 18 Dec 2023 12:26:20 +1000 +Subject: [PATCH] dix: fix DeviceStateNotify event calculation + +The previous code only made sense if one considers buttons and keys to +be mutually exclusive on a device. That is not necessarily true, causing +a number of issues. + +This function allocates and fills in the number of xEvents we need to +send the device state down the wire. This is split across multiple +32-byte devices including one deviceStateNotify event and optional +deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple) +deviceValuator events. + +The previous behavior would instead compose a sequence +of [state, buttonstate, state, keystate, valuator...]. This is not +protocol correct, and on top of that made the code extremely convoluted. + +Fix this by streamlining: add both button and key into the deviceStateNotify +and then append the key state and button state, followed by the +valuators. Finally, the deviceValuator events contain up to 6 valuators +per event but we only ever sent through 3 at a time. Let's double that +troughput. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri +Signed-off-by: Peter Marko +--- + dix/enterleave.c | 121 ++++++++++++++++++++--------------------------- + 1 file changed, 52 insertions(+), 69 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 17964b00a4..7b7ba1098b 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + + ev->type = DeviceValuator; + ev->deviceid = dev->id; +- ev->num_valuators = nval < 3 ? 
nval : 3; ++ ev->num_valuators = nval < 6 ? nval : 6; + ev->first_valuator = first; + switch (ev->num_valuators) { ++ case 6: ++ ev->valuator2 = v->axisVal[first + 5]; ++ case 5: ++ ev->valuator2 = v->axisVal[first + 4]; ++ case 4: ++ ev->valuator2 = v->axisVal[first + 3]; + case 3: + ev->valuator2 = v->axisVal[first + 2]; + case 2: +@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + ev->valuator0 = v->axisVal[first]; + break; + } +- first += ev->num_valuators; + } + + static void +@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, + ev->num_buttons = b->numButtons; + memcpy((char *) ev->buttons, (char *) b->down, 4); + } +- else if (k) { ++ if (k) { + ev->classes_reported |= (1 << KeyClass); + ev->num_keys = k->xkbInfo->desc->max_key_code - + k->xkbInfo->desc->min_key_code; +@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, + } + } + +- ++/** ++ * The device state notify event is split across multiple 32-byte events. ++ * The first one contains the first 32 button state bits, the first 32 ++ * key state bits, and the first 3 valuator values. 
++ * ++ * If a device has more than that, the server sends out: ++ * - one deviceButtonStateNotify for buttons 32 and above ++ * - one deviceKeyStateNotify for keys 32 and above ++ * - one deviceValuator event per 6 valuators above valuator 4 ++ * ++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS, ++ */ + static void + DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + { ++ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify ++ * and one deviceValuator for each 6 valuators */ ++ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6]; + int evcount = 1; +- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; +- deviceStateNotify *ev; +- deviceKeyStateNotify *kev; +- deviceButtonStateNotify *bev; ++ deviceStateNotify *ev = sev; + + KeyClassPtr k; + ButtonClassPtr b; +@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + + if ((b = dev->button) != NULL) { + nbuttons = b->numButtons; +- if (nbuttons > 32) ++ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */ + evcount++; + } + if ((k = dev->key) != NULL) { + nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code; +- if (nkeys > 32) ++ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */ + evcount++; +- if (nbuttons > 0) { +- evcount++; +- } + } + if ((v = dev->valuator) != NULL) { + nval = v->numAxes; +- +- if (nval > 3) +- evcount++; +- if (nval > 6) { +- if (!(k && b)) +- evcount++; +- if (nval > 9) +- evcount += ((nval - 7) / 3); +- } ++ /* first three are encoded in deviceStateNotify, then ++ * it's 6 per deviceValuator event */ ++ evcount += ((nval - 3) + 6)/6; + } + +- ev = sev; +- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); +- +- if (b != NULL) { +- FixDeviceStateNotify(dev, ev++, NULL, b, v, first); +- first += 3; +- nval -= 3; +- if (nbuttons > 32) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- bev = (deviceButtonStateNotify *) ev++; +- bev->type = DeviceButtonStateNotify; +- 
bev->deviceid = dev->id; +- memcpy((char *) &bev->buttons[4], (char *) &b->down[4], +- DOWN_LENGTH - 4); +- } +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ BUG_RETURN(evcount <= ARRAY_SIZE(sev)); ++ ++ FixDeviceStateNotify(dev, ev, k, b, v, first); ++ ++ if (b != NULL && nbuttons > 32) { ++ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev; ++ (ev - 1)->deviceid |= MORE_EVENTS; ++ bev->type = DeviceButtonStateNotify; ++ bev->deviceid = dev->id; ++ memcpy((char *) &bev->buttons[4], (char *) &b->down[4], ++ DOWN_LENGTH - 4); + } + +- if (k != NULL) { +- FixDeviceStateNotify(dev, ev++, k, NULL, v, first); +- first += 3; +- nval -= 3; +- if (nkeys > 32) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- kev = (deviceKeyStateNotify *) ev++; +- kev->type = DeviceKeyStateNotify; +- kev->deviceid = dev->id; +- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); +- } +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ if (k != NULL && nkeys > 32) { ++ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev; ++ (ev - 1)->deviceid |= MORE_EVENTS; ++ kev->type = DeviceKeyStateNotify; ++ kev->deviceid = dev->id; ++ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); + } + ++ first = 3; ++ nval -= 3; + while (nval > 0) { +- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first); +- first += 3; +- nval -= 3; +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ ev->deviceid |= MORE_EVENTS; ++ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first); ++ first += 6; ++ nval -= 6; + } + + DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, +-- +GitLab + 
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch new file mode 100644 index 0000000000..915da00c6f --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch @@ -0,0 +1,42 @@ +From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 21 Dec 2023 13:48:10 +1000 +Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of + buttons + +There's a racy sequence where a master device may copy the button class +from the slave, without ever initializing numButtons. This leads to a +device with zero buttons but a button class which is invalid. + +Let's copy the numButtons value from the source - by definition if we +don't have a button class yet we do not have any other slave devices +with more than this number of buttons anyway. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri +Signed-off-by: Peter Marko +--- + Xi/exevents.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 54ea11a938..e161714682 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + to->button = calloc(1, sizeof(ButtonClassRec)); + if (!to->button) + FatalError("[Xi] no memory for class shift.\n"); ++ to->button->numButtons = from->button->numButtons; + } + else + classes->button = NULL; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch new file mode 100644 index 0000000000..35a853ad6f --- /dev/null 
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch @@ -0,0 +1,46 @@ +From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 21 Dec 2023 14:10:11 +1000 +Subject: [PATCH] Xi: require a pointer and keyboard device for + XIAttachToMaster + +If we remove a master device and specify which other master devices +attached slaves should be returned to, enforce that those two are +indeeed a pointer and a keyboard. + +Otherwise we can try to attach the keyboards to pointers and vice versa, +leading to possible crashes later. + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri +Signed-off-by: Peter Marko +--- + Xi/xichangehierarchy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index 504defe566..d2d985848d 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) + if (rc != Success) + goto unwind; + +- if (!IsMaster(newptr)) { ++ if (!IsMaster(newptr) || !IsPointerDevice(newptr)) { + client->errorValue = r->return_pointer; + rc = BadDevice; + goto unwind; +@@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) + if (rc != Success) + goto unwind; + +- if (!IsMaster(newkeybd)) { ++ if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) { + client->errorValue = r->return_keyboard; + rc = BadDevice; + goto unwind; +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 133c65fbc3..f639088b25 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -16,6 +16,11 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2023-6816.patch \ file://CVE-2024-0408.patch \ file://CVE-2024-0409.patch \ + file://CVE-2023-5380.patch \ + file://CVE-2024-0229-1.patch \ + file://CVE-2024-0229-2.patch \ + file://CVE-2024-0229-3.patch \ + file://CVE-2024-0229-4.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
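Review bot: in the FixDeviceValuator() hunk of CVE-2024-0229-2.patch, the new "case 6:", "case 5:" and "case 4:" arms all assign to ev->valuator2 (from axisVal[first + 5], axisVal[first + 4] and axisVal[first + 3]), and the existing "case 3:" arm then overwrites valuator2 again with axisVal[first + 2]. With num_valuators now capped at 6, the fourth to sixth values are never stored in fields of their own, so an event can announce six valuators while carrying data for three. The arms presumably should fill valuator5, valuator4 and valuator3. Since this is a verbatim backport, check upstream for a follow-up fix and add it to the same series rather than editing the patch locally.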
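Review bot: in the DeliverStateNotifyEvent() hunk of CVE-2024-0229-2.patch, "evcount += ((nval - 3) + 6)/6" counts one event more than the "while (nval > 0)" loop writes whenever nval - 3 is a non-negative multiple of 6; with nval == 3 it adds 1 to evcount, yet after "nval -= 3" the loop body never runs. sev[] is now a stack array with no initialiser, so DeliverEventsToWindow() is given a trailing element that was never filled in. Rounding up with ((nval - 3) + 5)/6, or zero-initialising sev, would close the gap. As with the rest of this backport, raise it upstream and check whether a later commit already addresses it.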
From patchwork Tue Jan 7 13:31:11 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55115
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 07/13] libarchive: Fix CVE-2024-20696
Date: Tue, 7 Jan 2025 05:31:11 -0800
Message-ID: <8885aa23d77fcec288a416d199e08c6eee27e027.1736256495.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209460

From: aszh07

Add Patch file to fix CVE-2024-20696

CVE: CVE-2024-20696

Signed-off-by: Nitin Wankhade
Signed-off-by: Nikhil R
Signed-off-by: Steve Sakoman
---
 .../libarchive/CVE-2024-20696.patch | 114 ++++++++++++++++++
 .../libarchive/libarchive_3.6.2.bb | 1 +
 2 files changed, 115 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch new file mode 100644 index 0000000000..f980f60597 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
@@ -0,0 +1,114 @@ +From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001 +From: "Dustin L. Howett" +Date: Thu, 9 May 2024 18:59:17 -0500 +Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172) + +copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where +both of its callers were holding a `size_t`. + +A lzss opcode chain could be constructed that resulted in a negative +copy length, which when passed into memcpy would result in a very, very +large positive number. + +Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to +properly bounds-check length. + +In addition, this patch also ensures that `length` is not itself larger +than the destination buffer. + +CVE: CVE-2024-20696 +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1] + +Signed-off-by: Nitin Wankhade +--- + +--- a/libarchive/archive_read_support_format_rar.c 2024-12-11 12:33:47.566310000 +0530 ++++ a/libarchive/archive_read_support_format_rar.c 2024-12-11 13:09:39.396142151 +0530 +@@ -432,7 +432,7 @@ static int make_table_recurse(struct arc + struct huffman_table_entry *, int, int); + static int expand(struct archive_read *, int64_t *); + static int copy_from_lzss_window_to_unp(struct archive_read *, const void **, +- int64_t, int); ++ int64_t, size_t); + static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *); + static int parse_filter(struct archive_read *, const uint8_t *, uint16_t, + uint8_t); +@@ -2069,7 +2069,7 @@ read_data_compressed(struct archive_read + bs = rar->unp_buffer_size - rar->unp_offset; + else + bs = (size_t)rar->bytes_uncopied; +- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs); ++ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs); + if (ret != ARCHIVE_OK) + return (ret); + rar->offset += bs; +@@ -2209,7 +2209,7 @@ read_data_compressed(struct archive_read + bs = rar->unp_buffer_size - rar->unp_offset; + 
else + bs = (size_t)rar->bytes_uncopied; +- ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs); ++ ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs); + if (ret != ARCHIVE_OK) + return (ret); + rar->offset += bs; +@@ -3090,11 +3090,16 @@ copy_from_lzss_window(struct archive_rea + + static int + copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer, +- int64_t startpos, int length) ++ int64_t startpos, size_t length) + { + int windowoffs, firstpart; + struct rar *rar = (struct rar *)(a->format->data); + ++ if (length > rar->unp_buffer_size) ++ { ++ goto fatal; ++ } ++ + if (!rar->unp_buffer) + { + if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL) +@@ -3106,17 +3111,17 @@ copy_from_lzss_window_to_unp(struct arch + } + + windowoffs = lzss_offset_for_position(&rar->lzss, startpos); +- if(windowoffs + length <= lzss_size(&rar->lzss)) { ++ if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) { + memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs], + length); +- } else if (length <= lzss_size(&rar->lzss)) { ++ } else if (length <= (size_t)lzss_size(&rar->lzss)) { + firstpart = lzss_size(&rar->lzss) - windowoffs; + if (firstpart < 0) { + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, + "Bad RAR file data"); + return (ARCHIVE_FATAL); + } +- if (firstpart < length) { ++ if ((size_t)firstpart < length) { + memcpy(&rar->unp_buffer[rar->unp_offset], + &rar->lzss.window[windowoffs], firstpart); + memcpy(&rar->unp_buffer[rar->unp_offset + firstpart], +@@ -3126,9 +3131,7 @@ copy_from_lzss_window_to_unp(struct arch + &rar->lzss.window[windowoffs], length); + } + } else { +- archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, +- "Bad RAR file data"); +- return (ARCHIVE_FATAL); ++ goto fatal; + } + rar->unp_offset += length; + if (rar->unp_offset >= rar->unp_buffer_size) +@@ -3136,6 +3139,10 @@ copy_from_lzss_window_to_unp(struct arch + else + *buffer = NULL; + return (ARCHIVE_OK); 
++fatal: ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Bad RAR file data"); ++ return (ARCHIVE_FATAL); + } + + static const void * diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index e1eca79004..6af01cf408 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb 
@@ -33,6 +33,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2024-26256.patch \ file://CVE-2024-48957.patch \ file://CVE-2024-48958.patch \ + file://CVE-2024-20696.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/"
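Review bot: In the embedded fix to copy_from_lzss_window_to_unp(), the new guard `if (length > rar->unp_buffer_size)` ignores rar->unp_offset, yet both memcpy calls write to `&rar->unp_buffer[rar->unp_offset]`, so a length that fits the buffer can still run past its end when unp_offset is non-zero. Consider comparing against the remaining space, `length > rar->unp_buffer_size - rar->unp_offset`, or state in the patch header the caller invariant that makes the looser check sufficient. In the same function, `windowoffs + length` now promotes the int windowoffs to size_t, so a negative offset would wrap instead of failing the comparison; an explicit `windowoffs < 0` rejection before the sum would make that case visible. The embedded diff header also names `a/` on both the `---` and `+++` lines with local timestamps, which suggests it was regenerated by hand rather than taken from the upstream commit.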
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/13] webkitgtk: Security fix for CVE-2024-40776 and CVE-2024-40780 Date: Tue, 7 Jan 2025 05:31:12 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Jan 2025 13:31:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209461 From: Rohini Sangam CVE fixed: - CVE-2024-40776 webkitgtk: Use after free may lead to Remote Code Execution - CVE-2024-40780 webkitgtk: Out-of-bounds read was addressed with improved bounds checking Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/b951404ea74ae432312a83138f5c8945a0d09e1b and https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Signed-off-by: Rohini Sangam Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- .../webkit/webkitgtk/CVE-2024-40776.patch | 141 ++++++++++++++++++ .../webkit/webkitgtk/CVE-2024-40780.patch | 94 ++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 2 + 3 files changed, 237 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch new file mode 100644 index 0000000000..60f18168fe --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch 
@@ -0,0 +1,141 @@ +From b951404ea74ae432312a83138f5c8945a0d09e1b Mon Sep 17 00:00:00 2001 +From: Jean-Yves Avenard +Date: Wed, 24 Apr 2024 19:01:06 -0700 +Subject: [PATCH] CVE-2024-40776: Always copy all audio channels to the AudioBus +to guarantee data lifetime. + +Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/b951404ea74ae432312a83138f5c8945a0d09e1b +CVE: CVE-2024-40776 + +Signed-off-by: Rohini Sangam +--- + ...et-concurrent-resampler-crash-expected.txt | 1 + + ...dioworklet-concurrent-resampler-crash.html | 44 +++++++++++++++++++ + .../platform/audio/MultiChannelResampler.cpp | 21 ++------- + .../platform/audio/MultiChannelResampler.h | 2 - + 4 files changed, 48 insertions(+), 20 deletions(-) + create mode 100644 LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt + create mode 100644 LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html + +diff --git a/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt +new file mode 100644 +index 00000000..654ddf7f +--- /dev/null ++++ b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt +@@ -0,0 +1 @@ ++This test passes if it does not crash. +diff --git a/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html +new file mode 100644 +index 00000000..b3ab181d +--- /dev/null ++++ b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html +@@ -0,0 +1,44 @@ ++ ++ ++ ++ ++ ++

This test passes if it does not crash.

++ ++ ++ +diff --git a/Source/WebCore/platform/audio/MultiChannelResampler.cpp b/Source/WebCore/platform/audio/MultiChannelResampler.cpp +index 1dadc58c..13db6f26 100644 +--- a/Source/WebCore/platform/audio/MultiChannelResampler.cpp ++++ b/Source/WebCore/platform/audio/MultiChannelResampler.cpp +@@ -41,18 +41,8 @@ namespace WebCore { + MultiChannelResampler::MultiChannelResampler(double scaleFactor, unsigned numberOfChannels, unsigned requestFrames, Function&& provideInput) + : m_numberOfChannels(numberOfChannels) + , m_provideInput(WTFMove(provideInput)) +- , m_multiChannelBus(AudioBus::create(numberOfChannels, requestFrames, false)) ++ , m_multiChannelBus(AudioBus::create(numberOfChannels, requestFrames)) + { +- // As an optimization, we will use the buffer passed to provideInputForChannel() as channel memory for the first channel so we +- // only need to allocate memory if there is more than one channel. +- if (numberOfChannels > 1) { +- m_channelsMemory.reserveInitialCapacity(numberOfChannels - 1); +- for (unsigned channelIndex = 1; channelIndex < numberOfChannels; ++channelIndex) { +- m_channelsMemory.uncheckedAppend(makeUnique(requestFrames)); +- m_multiChannelBus->setChannelMemory(channelIndex, m_channelsMemory.last()->data(), requestFrames); +- } +- } +- + // Create each channel's resampler. 
+ for (unsigned channelIndex = 0; channelIndex < numberOfChannels; ++channelIndex) + m_kernels.append(makeUnique(scaleFactor, requestFrames, std::bind(&MultiChannelResampler::provideInputForChannel, this, std::placeholders::_1, std::placeholders::_2, channelIndex))); +@@ -89,15 +79,10 @@ void MultiChannelResampler::process(AudioBus* destination, size_t framesToProces + void MultiChannelResampler::provideInputForChannel(float* buffer, size_t framesToProcess, unsigned channelIndex) + { + ASSERT(channelIndex < m_multiChannelBus->numberOfChannels()); +- ASSERT(framesToProcess == m_multiChannelBus->length()); ++ ASSERT(framesToProcess <= m_multiChannelBus->length()); + +- if (!channelIndex) { +- // As an optimization, we use the provided buffer as memory for the first channel in the AudioBus. This avoids +- // having to memcpy() for the first channel. +- m_multiChannelBus->setChannelMemory(0, buffer, framesToProcess); ++ if (!channelIndex) + m_provideInput(m_multiChannelBus.get(), framesToProcess); +- return; +- } + + // Copy the channel data from what we received from m_multiChannelProvider. + memcpy(buffer, m_multiChannelBus->channel(channelIndex)->data(), sizeof(float) * framesToProcess); +diff --git a/Source/WebCore/platform/audio/MultiChannelResampler.h b/Source/WebCore/platform/audio/MultiChannelResampler.h +index e96cc56b..274fe364 100644 +--- a/Source/WebCore/platform/audio/MultiChannelResampler.h ++++ b/Source/WebCore/platform/audio/MultiChannelResampler.h +@@ -29,7 +29,6 @@ + #ifndef MultiChannelResampler_h + #define MultiChannelResampler_h + +-#include "AudioArray.h" + #include + #include + #include +@@ -62,7 +61,6 @@ private: + size_t m_outputFramesReady { 0 }; + Function m_provideInput; + RefPtr m_multiChannelBus; +- Vector> m_channelsMemory; + }; + + } // namespace WebCore +-- +2.35.7 + 
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch new file mode 100644 index 0000000000..ab41213d7d --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch 
@@ -0,0 +1,94 @@ +From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001 +From: Jer Noble +Date: Tue, 11 Jun 2024 11:54:06 -0700 +Subject: [PATCH] CVE-2024-40780: Add check in AudioBufferSourceNode::renderFromBuffer() +when detune is set to large negative value + +Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5 +CVE: CVE-2024-40780 + +Signed-off-by: Rohini Sangam +--- + ...buffersourcenode-detune-crash-expected.txt | 10 +++++++ + .../audiobuffersourcenode-detune-crash.html | 30 +++++++++++++++++++ + .../webaudio/AudioBufferSourceNode.cpp | 7 +++++ + 3 files changed, 47 insertions(+) + create mode 100644 LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt + create mode 100644 LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html + +diff --git a/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt +new file mode 100644 +index 00000000..914ba0b1 +--- /dev/null ++++ b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt +@@ -0,0 +1,10 @@ ++Attempting to create a AudioBufferSourceNode with a large negative detune value should not crash. ++ ++On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". ++ ++ ++PASS Test passed because it did not crash. 
++PASS successfullyParsed is true ++ ++TEST COMPLETE ++ +diff --git a/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html +new file mode 100644 +index 00000000..e8af579d +--- /dev/null ++++ b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html +@@ -0,0 +1,30 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp +index 689d37a1..f68e7ff5 100644 +--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp ++++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp +@@ -327,9 +327,16 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination + virtualReadIndex = readIndex; + } else if (!pitchRate) { + unsigned readIndex = static_cast(virtualReadIndex); ++ int deltaFrames = static_cast(virtualDeltaFrames); ++ maxFrame = static_cast(virtualMaxFrame); ++ ++ if (readIndex >= maxFrame) ++ readIndex -= deltaFrames; + + for (unsigned i = 0; i < numberOfChannels; ++i) + std::fill_n(destinationChannels[i] + writeIndex, framesToProcess, sourceChannels[i][readIndex]); ++ ++ virtualReadIndex = readIndex; + } else if (reverse) { + unsigned maxFrame = static_cast(virtualMaxFrame); + unsigned minFrame = static_cast(floorf(virtualMinFrame)); +-- +2.35.7 + diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 4849ee50ff..2006d1d55e 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
@@ -26,6 +26,8 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://CVE-2023-32439.patch \ file://CVE-2024-40779.patch \ file://0d3344e17d258106617b0e6d783d073b188a2548.patch \ + file://CVE-2024-40776.patch \ + file://CVE-2024-40780.patch \ " SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
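Review bot: In CVE-2024-40776.patch, provideInputForChannel() relaxes the length check from `==` to `framesToProcess <= m_multiChannelBus->length()` but keeps it as an ASSERT, which is compiled out of release builds, so the memcpy of `sizeof(float) * framesToProcess` bytes from the channel data that follows has no runtime bound in the binaries that ship. Since the change makes the bus own all channel memory, a release-mode check or a clamp to the bus length before the memcpy would make that guarantee hold outside debug builds. The patch header writes `Upstream-Status: Backport from <url>`, while the libarchive and ffmpeg patches in this series use the bracketed form `Backport [<url>]`; align it.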
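Review bot: In CVE-2024-40780.patch, the `!pitchRate` branch of renderFromBuffer() applies `readIndex -= deltaFrames` once when `readIndex >= maxFrame`, and nothing re-checks the result before `sourceChannels[i][readIndex]` is read; readIndex is unsigned and deltaFrames is a signed int, so a delta larger than readIndex wraps the index and a negative delta moves it further out. Clamping to `maxFrame - 1`, or asserting `readIndex < maxFrame` after the adjustment, would make the bound explicit. The branch also assigns `maxFrame` without declaring it, while the following `reverse` branch declares its own `unsigned maxFrame`, so confirm that the 2.36.8 source has a declaration in scope at this point and that the backport builds.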
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/13] ffmpeg: fix CVE-2024-35366 Date: Tue, 7 Jan 2025 05:31:13 -0800 Message-ID: <9acfc54b2707bf04922f153d06ae27ff552fbe23.1736256495.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Jan 2025 13:31:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209462 From: Archana Polampalli FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2024-35366.patch | 37 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch new file mode 100644 index 0000000000..f619dd6eac --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch 
@@ -0,0 +1,37 @@ +From 4db0eb4653efad967ddcf71f564fd2f1169bafcb Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Tue, 26 Mar 2024 00:39:49 +0100 +Subject: [PATCH] avformat/sbgdec: Check for negative duration + +Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long' +Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768 + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer +(cherry picked from commit 0bed22d597b78999151e3bde0768b7fe763fc2a6) +Signed-off-by: Michael Niedermayer + +CVE: CVE-2024-35366 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/4db0eb4653efad967ddcf71f564fd2f1169bafcb] + +Signed-off-by: Archana Polampalli +--- + libavformat/sbgdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c +index 1ef50e1598..fdcee0b452 100644 +--- a/libavformat/sbgdec.c ++++ b/libavformat/sbgdec.c +@@ -385,7 +385,7 @@ static int parse_options(struct sbg_parser *p) + case 'L': + FORWARD_ERROR(parse_optarg(p, opt, &oarg)); + r = str_to_time(oarg.s, &p->scs.opt_duration); +- if (oarg.e != oarg.s + r) { ++ if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { + snprintf(p->err_msg, sizeof(p->err_msg), + "syntax error for option -L"); + return AVERROR_INVALIDDATA; +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 7b03b7cbc0..39d79c343d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -40,6 +40,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2023-50007.patch \ file://CVE-2023-51796.patch \ file://CVE-2024-7055.patch \ + file://CVE-2024-35366.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
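Review bot: In parse_options(), the added `p->scs.opt_duration < 0` test shares the branch that reports "syntax error for option -L", so a well-formed but negative `-L` value is rejected with a message that points at syntax rather than range. That is acceptable for a backport that tracks upstream, but worth a line in the patch header so the error is not misread during triage. The commit message describes the flaw against FFmpeg n6.1.1 while the patch is added to ffmpeg_5.0.1.bb; state that 5.0.1 carries the same unchecked `str_to_time()` result so the applicability of the backport is on record.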
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 10/13] ffmpeg: fix CVE-2024-35367 Date: Tue, 7 Jan 2025 05:31:14 -0800 Message-ID: <623dd997856903be54d75e819f93d313b04edd8e.1736256495.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Jan 2025 13:31:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209463 From: Archana Polampalli FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2024-35367.patch | 47 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch new file mode 100644 index 0000000000..69d42955da --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch 
@@ -0,0 +1,47 @@ +From 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 Mon Sep 17 00:00:00 2001 +From: Andreas Rheinhardt +Date: Wed, 13 Mar 2024 02:10:26 +0100 +Subject: [PATCH] avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access + +h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2] +belong together and the former allows the range 0..6, +so the latter needs to support 0..3. But it has only three +elements. Add another one. +The value for the last element has been guesstimated +from subpel_filters in libavcodec/vp8dsp.c. + +This is also intended to fix FATE-failures with UBSan here: +https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu + +Tested-by: Sean McGovern +Signed-off-by: Andreas Rheinhardt + +CVE: CVE-2024-35367 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667] + +Signed-off-by: Archana Polampalli +--- + libavcodec/ppc/vp8dsp_altivec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c +index 12dac8b0a8..061914fc38 100644 +--- a/libavcodec/ppc/vp8dsp_altivec.c ++++ b/libavcodec/ppc/vp8dsp_altivec.c +@@ -50,11 +50,12 @@ static const vec_s8 h_subpel_filters_inner[7] = + // for 6tap filters, these are the outer two taps + // The zeros mask off pixels 4-7 when filtering 0-3 + // and vice-versa +-static const vec_s8 h_subpel_filters_outer[3] = ++static const vec_s8 h_subpel_filters_outer[4] = + { + REPT4(0, 0, 2, 1), + REPT4(0, 0, 3, 3), + REPT4(0, 0, 1, 2), ++ REPT4(0, 0, 0, 0), + }; + + #define LOAD_H_SUBPEL_FILTER(i) \ +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 39d79c343d..ac4ade276c 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -41,6 +41,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2023-51796.patch \ file://CVE-2024-7055.patch \ file://CVE-2024-35366.patch \ + file://CVE-2024-35367.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
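Review bot: The fourth element added to h_subpel_filters_outer, `REPT4(0, 0, 0, 0)`, is by the upstream message's own account guesstimated from subpel_filters in libavcodec/vp8dsp.c, so the array now covers index 3 and the out-of-bounds read is closed, but the filter value itself rests on that estimate. Say so in the OE commit message, which currently only quotes the CVE text for FFmpeg n6.1.1 and does not mention that the recipe is 5.0.1 or that the file under libavcodec/ppc/ is only relevant to AltiVec builds, so that reviewers know the change needs a VP8 decode run on a PowerPC target rather than a compile-only check.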
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 11/13] ffmpeg: fix CVE-2024-35368 Date: Tue, 7 Jan 2025 05:31:15 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Jan 2025 13:31:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209464 From: Archana Polampalli FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2024-35368.patch | 41 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch new file mode 100644 index 0000000000..555d569825 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch 
@@ -0,0 +1,41 @@ +From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001 +From: Andreas Rheinhardt +Date: Sun, 24 Sep 2023 13:15:48 +0200 +Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error + +After having created the AVBuffer that is put into frame->buf[0], +ownership of several objects (namely an AVDRMFrameDescriptor, +an MppFrame and some AVBufferRefs framecontextref and decoder_ref) +has passed to the AVBuffer and therefore to the frame. +Yet it has nevertheless been freed manually on error +afterwards, which would lead to a double-free as soon +as the AVFrame is unreferenced. + +Signed-off-by: Andreas Rheinhardt + +CVE: CVE-2024-35368 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c] + +Signed-off-by: Archana Polampalli +--- + libavcodec/rkmppdec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c +index 7665098c6a..6889545b20 100644 +--- a/libavcodec/rkmppdec.c ++++ b/libavcodec/rkmppdec.c +@@ -463,8 +463,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx, AVFrame *frame) + + frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref); + if (!frame->hw_frames_ctx) { +- ret = AVERROR(ENOMEM); +- goto fail; ++ av_frame_unref(frame); ++ return AVERROR(ENOMEM); + } + + return 0; +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index ac4ade276c..9aecdf07e0 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -42,6 +42,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-7055.patch \ file://CVE-2024-35366.patch \ file://CVE-2024-35367.patch \ + file://CVE-2024-35368.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
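Review bot: In the embedded libavcodec/rkmppdec.c hunk (@@ -463,8 +463,8 @@ inside CVE-2024-35368.patch), only the failure path of av_buffer_ref(decoder->frames_ref) is switched from "goto fail" to "av_frame_unref(frame); return AVERROR(ENOMEM);", while the commit message describes the issue against FFmpeg n7.0 and the recipe being patched is ffmpeg_5.0.1.bb. Please state in the commit message that the 5.0.1 source has the same ownership hand-off to frame->buf[0] ahead of this check, and confirm that no other "goto fail" remains after that hand-off in rkmpp_retrieve_frame, since any such path would still free the same objects a second time once the frame is unreferenced.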
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 12/13] python3: upgrade 3.10.15 -> 3.10.16 Date: Tue, 7 Jan 2025 05:31:16 -0800 Message-ID: <5a611fbbdb3e373d379f922ffc5606ff70279831.1736256495.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Jan 2025 13:31:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209465 From: Peter Marko Handles CVE-2024-50602, CVE-2024-11168 and CVE-2024-9287. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../0001-Don-t-search-system-for-headers-libraries.patch | 2 +- .../python/{python3_3.10.15.bb => python3_3.10.16.bb} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-devtools/python/{python3_3.10.15.bb => python3_3.10.16.bb} (99%) diff --git a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch index 5485020eb4..0086b1a0d6 100644 --- a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch +++ b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch @@ -14,7 +14,7 @@ diff --git a/setup.py b/setup.py index c190002..5ef368d 100644 --- a/setup.py +++ b/setup.py -@@ -854,8 +854,8 @@ class PyBuildExt(build_ext): +@@ -856,8 +856,8 @@ class PyBuildExt(build_ext): add_dir_to_list(self.compiler.include_dirs, sysconfig.get_config_var("INCLUDEDIR")) diff --git a/meta/recipes-devtools/python/python3_3.10.15.bb b/meta/recipes-devtools/python/python3_3.10.16.bb similarity index 99% rename from meta/recipes-devtools/python/python3_3.10.15.bb rename to meta/recipes-devtools/python/python3_3.10.16.bb index 0eb619dfa2..19a85a8770 100644 
--- a/meta/recipes-devtools/python/python3_3.10.15.bb +++ b/meta/recipes-devtools/python/python3_3.10.16.bb 
@@ -44,7 +44,7 @@ SRC_URI:append:class-native = " \ file://12-distutils-prefix-is-inside-staging-area.patch \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[sha256sum] = "aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79" +SRC_URI[sha256sum] = "bfb249609990220491a1b92850a07135ed0831e41738cf681d63cf01b2a8fbd1" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar"
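Review bot: The SRC_URI[sha256sum] replacement in python3_3.10.16.bb is the only integrity anchor for the new tarball, and the commit message ("Handles CVE-2024-50602, CVE-2024-11168 and CVE-2024-9287") gives no reference against which either the hash or the CVE list can be checked. Please add a link to the upstream 3.10.16 release notes or changelog to the commit message so that the three CVE IDs and the new checksum can be verified against upstream before the stable branch picks this up.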
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 13/13] ovmf-native: remove .pyc files from install Date: Tue, 7 Jan 2025 05:31:17 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Jan 2025 13:31:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209466 
From: Mikko Rapeli They break builds which share sstate files on different machines and paths: ERROR: ovmf-edk2-stable202408-r0 do_prepare_recipe_sysroot: Error executing a python function in exec_func_python() autogenerated: The stack trace of python calls that resulted in this exception/failure was: File: 'exec_func_python() autogenerated', lineno: 2, function: 0001: *** 0002:extend_recipe_sysroot(d) 0003: File: '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/meta/classes-global/staging.bbclass', lineno: 624, function: extend_recipe_sysroot 0620: 0621: # Handle deferred binfiles 0622: for l in binfiles: 0623: (targetdir, dest) = binfiles[l] *** 0624: staging_copyfile(l, targetdir, dest, postinsts, seendirs) 0625: 0626: bb.note("Installed into sysroot: %s" % str(msg_adding)) 0627: bb.note("Skipping as already exists in sysroot: %s" % str(msg_exists)) 0628: File: '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/meta/classes-global/staging.bbclass', lineno: 165, function: staging_copyfile 0161: os.symlink(linkto, dest) 0162: #bb.warn(c) 0163: else: 0164: try: *** 0165: os.link(c, dest) 0166: except OSError as err: 0167: if err.errno == errno.EXDEV: 0168: bb.utils.copyfile(c, dest) 0169: else: Exception: FileExistsError: [Errno 17] File exists: '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-667282/tmp/sysroots-components/x86_64/ovmf-native/usr/bin/edk2_basetools/BaseTools/Source/Python/AutoGen/__pycache__/WorkspaceAutoGen.cpython-312.pyc' -> '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-667282/tmp/work/core2-64-poky-linux/ovmf/edk2-stable202408/recipe-sysroot-native/usr/bin/edk2_basetools/BaseTools/Source/Python/AutoGen/__pycache__/WorkspaceAutoGen.cpython-312.pyc' Signed-off-by: Mikko Rapeli Signed-off-by: Richard Purdie (cherry picked from commit facd9e17fa53e2fb3a828b3f179cfb659be75d37) Signed-off-by: Steve Sakoman --- meta/recipes-core/ovmf/ovmf_git.bb | 1 + 1 file changed, 1 insertion(+) 
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index a067dd017b..d52e3f4971 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -240,6 +240,7 @@ do_compile:class-target() { do_install:class-native() { install -d ${D}/${bindir}/edk2_basetools + find ${S}/BaseTools -name \*.pyc -exec rm -rf \{\} \; cp -r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR} }
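Review bot: The added find line in do_install:class-native removes the .pyc files one at a time with "-exec rm -rf" from ${S}/BaseTools, which edits the source tree rather than the install destination and leaves the __pycache__ directories themselves in place to be copied by the cp -r that follows. Consider pruning the __pycache__ directories as a whole (or using "find ... -name '*.pyc' -delete" if only the files should go), and note in the commit message whether anything can regenerate bytecode under ${D} after this step, since the failure quoted in the message is a FileExistsError on a __pycache__/*.pyc path in the sysroot.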