From patchwork Wed Jan 15 14:37:39 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55625
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 01/11] go: Fix CVE-2024-34155
Date: Wed, 15 Jan 2025 06:37:39 -0800
Message-ID: <9d21d527e2448e202030ae7ad38c88e25943a2f3.1736951751.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209906

From: Archana Polampalli

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-34155

Upstream-patch: https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/go/go-1.17.13.inc | 1 +
 .../go/go-1.21/CVE-2024-34155.patch | 71 +++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-34155.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 349b0be6be..11bd2afde0 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -58,6 +58,7 @@ SRC_URI += "\ file://CVE-2023-45288.patch \ file://CVE-2024-24789.patch \ file://CVE-2024-24791.patch \ + file://CVE-2024-34155.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-34155.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-34155.patch
new file mode 100644
index 0000000000..515d9dcdff
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-34155.patch
@@ -0,0 +1,71 @@ +From b232596139dbe96a62edbe3a2a203e856bf556eb Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Mon, 10 Jun 2024 15:34:12 -0700 +Subject: [PATCH] go/parser: track depth in nested element lists + +Prevents stack exhaustion with extremely deeply nested literal values, +i.e. field values in structs. + +Updates #69138 +Fixes #69142 +Fixes CVE-2024-34155 + +Change-Id: I2e8e33b44105cc169d7ed1ae83fb56df0c10f1ee +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1520 +Reviewed-by: Robert Griesemer +Reviewed-by: Damien Neil +Reviewed-by: Russ Cox +(cherry picked from commit eb1b038c0d01761694e7a735ef87ac9164c6568e) +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1561 +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/go/+/611181 +Reviewed-by: Michael Pratt +TryBot-Bypass: Dmitri Shuralyov +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Dmitri Shuralyov + +CVE: CVE-2024-34155 + +Upstream-Status: Backport [https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb] + +Signed-off-by: Archana Polampalli +--- + src/go/parser/parser.go | 2 ++ + src/go/parser/parser_test.go | 9 +++++---- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/go/parser/parser.go b/src/go/parser/parser.go +index 2c42b9f..a728d9a 100644 +--- a/src/go/parser/parser.go ++++ b/src/go/parser/parser.go +@@ -1481,6 +1481,8 @@ func (p *parser) parseElementList() (list []ast.Expr) { + } + + func (p *parser) parseLiteralValue(typ ast.Expr) ast.Expr { ++ defer decNestLev(incNestLev(p)) ++ + if p.trace { + defer un(trace(p, "LiteralValue")) + } +diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go +index 993df63..b2cd501 100644 +--- a/src/go/parser/parser_test.go ++++ b/src/go/parser/parser_test.go +@@ -607,10 +607,11 @@ var parseDepthTests = []struct { + {name: "chan2", format: "package main; var x «<-chan »int"}, + {name: "interface", format: "package main; var x «interface { 
M() «int» }»", scope: true, scopeMultiplier: 2}, // Scopes: InterfaceType, FuncType + {name: "map", format: "package main; var x «map[int]»int"}, +- {name: "slicelit", format: "package main; var x = «[]any{«»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit +- {name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit +- {name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit +- {name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 2}, // Parser nodes: CompositeLit, KeyValueExpr ++ {name: "slicelit", format: "package main; var x = []any{«[]any{«»}»}", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit ++ {name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit ++ {name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit ++ {name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 3}, // Parser nodes: CompositeLit, KeyValueExpr ++ {name: "element", format: "package main; var x = struct{x any}{x: «{«»}»}"}, + {name: "dot", format: "package main; var x = «x.»x"}, + {name: "index", format: "package main; var x = x«[1]»"}, + {name: "slice", format: "package main; var x = x«[1:2]»"}, +-- +2.40.0

From patchwork Wed Jan 15 14:37:40 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55622
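Review bot: In the CVE-2024-34155 patch above, the parser.go hunk guards parseLiteralValue with `defer decNestLev(incNestLev(p))` but defines neither helper, so this backport only compiles if the kirkstone go 1.17.13 tree already carries incNestLev/decNestLev from an earlier nesting-depth change; the recipe hunk's context shows only the three neighbouring CVE patches, so please confirm with a go-native build before merging. In the parser_test.go hunk, moving the literal cases from parseMultiplier 2 to 3 and adding the `element` case with no multiplier is consistent with one extra depth increment per literal value, but the `slicelit` format was also rewritten to nest the markers inside an outer `[]any{...}` rather than only bumping the multiplier; a sentence in the commit message explaining why that case needed a different shape would help whoever rebases this later.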
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/11] go: Fix CVE-2024-34156
Date: Wed, 15 Jan 2025 06:37:40 -0800
Message-ID: <3aeeee86a53cee14bb1a6a485f8781459b6f2ffc.1736951751.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209907

From: Archana Polampalli

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-34156

Upstream-patch: https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/go/go-1.17.13.inc | 1 +
 .../go/go-1.21/CVE-2024-34156.patch | 150 ++++++++++++++++++
 2 files changed, 151 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-34156.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 11bd2afde0..53ca869221 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -59,6 +59,7 @@ SRC_URI += "\ file://CVE-2024-24789.patch \ file://CVE-2024-24791.patch \ file://CVE-2024-34155.patch \ + file://CVE-2024-34156.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-34156.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-34156.patch
new file mode 100644
index 0000000000..d8a915d6e9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-34156.patch
@@ -0,0 +1,150 @@ +From 2092294f2b097c5828f4eace6c98a322c1510b01 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Fri, 3 May 2024 09:21:39 -0400 +Subject: [PATCH] encoding/gob: cover missed cases when checking ignore depth + +This change makes sure that we are properly checking the ignored field +recursion depth in decIgnoreOpFor consistently. This prevents stack +exhaustion when attempting to decode a message that contains an +extremely deeply nested struct which is ignored. + +Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) +for reporting this issue. + +Updates #69139 +Fixes #69144 +Fixes CVE-2024-34156 + +Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440 +Reviewed-by: Russ Cox +Reviewed-by: Damien Neil +(cherry picked from commit f0a11f9b3aaa362cb1d05e095e3c8d421d4f087f) +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1580 +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/go/+/611182 +TryBot-Bypass: Dmitri Shuralyov +Reviewed-by: Michael Pratt +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Dmitri Shuralyov + +CVE: CVE-2024-34156 + +Upstream-Status: Backport [https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01] + +Signed-off-by: Archana Polampalli +--- + src/encoding/gob/decode.go | 19 +++++++++++-------- + src/encoding/gob/decoder.go | 2 ++ + src/encoding/gob/gobencdec_test.go | 14 ++++++++++++++ + 3 files changed, 27 insertions(+), 8 deletions(-) + +diff --git a/src/encoding/gob/decode.go b/src/encoding/gob/decode.go +index 0e0ec75..92d64cb 100644 +--- a/src/encoding/gob/decode.go ++++ b/src/encoding/gob/decode.go +@@ -874,8 +874,11 @@ func (dec *Decoder) decOpFor(wireId typeId, rt reflect.Type, name string, inProg + var maxIgnoreNestingDepth = 10000 + + // decIgnoreOpFor returns the decoding op for a field that has no destination. 
+-func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp, depth int) *decOp { +- if depth > maxIgnoreNestingDepth { ++func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp) *decOp { ++ // Track how deep we've recursed trying to skip nested ignored fields. ++ dec.ignoreDepth++ ++ defer func() { dec.ignoreDepth-- }() ++ if dec.ignoreDepth > maxIgnoreNestingDepth { + error_(errors.New("invalid nesting depth")) + } + // If this type is already in progress, it's a recursive type (e.g. map[string]*T). +@@ -901,7 +904,7 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp, + errorf("bad data: undefined type %s", wireId.string()) + case wire.ArrayT != nil: + elemId := wire.ArrayT.Elem +- elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1) ++ elemOp := dec.decIgnoreOpFor(elemId, inProgress) + op = func(i *decInstr, state *decoderState, value reflect.Value) { + state.dec.ignoreArray(state, *elemOp, wire.ArrayT.Len) + } +@@ -909,15 +912,15 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp, + case wire.MapT != nil: + keyId := dec.wireType[wireId].MapT.Key + elemId := dec.wireType[wireId].MapT.Elem +- keyOp := dec.decIgnoreOpFor(keyId, inProgress, depth+1) +- elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1) ++ keyOp := dec.decIgnoreOpFor(keyId, inProgress) ++ elemOp := dec.decIgnoreOpFor(elemId, inProgress) + op = func(i *decInstr, state *decoderState, value reflect.Value) { + state.dec.ignoreMap(state, *keyOp, *elemOp) + } + + case wire.SliceT != nil: + elemId := wire.SliceT.Elem +- elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1) ++ elemOp := dec.decIgnoreOpFor(elemId, inProgress) + op = func(i *decInstr, state *decoderState, value reflect.Value) { + state.dec.ignoreSlice(state, *elemOp) + } +@@ -1078,7 +1081,7 @@ func (dec *Decoder) compileSingle(remoteId typeId, ut *userTypeInfo) (engine *de + func (dec *Decoder) compileIgnoreSingle(remoteId 
typeId) *decEngine { + engine := new(decEngine) + engine.instr = make([]decInstr, 1) // one item +- op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp), 0) ++ op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp)) + ovfl := overflow(dec.typeString(remoteId)) + engine.instr[0] = decInstr{*op, 0, nil, ovfl} + engine.numInstr = 1 +@@ -1123,7 +1126,7 @@ func (dec *Decoder) compileDec(remoteId typeId, ut *userTypeInfo) (engine *decEn + localField, present := srt.FieldByName(wireField.Name) + // TODO(r): anonymous names + if !present || !isExported(wireField.Name) { +- op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp), 0) ++ op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp)) + engine.instr[fieldnum] = decInstr{*op, fieldnum, nil, ovfl} + continue + } +diff --git a/src/encoding/gob/decoder.go b/src/encoding/gob/decoder.go +index b476aaa..8fab2fd 100644 +--- a/src/encoding/gob/decoder.go ++++ b/src/encoding/gob/decoder.go +@@ -34,6 +34,8 @@ type Decoder struct { + freeList *decoderState // list of free decoderStates; avoids reallocation + countBuf []byte // used for decoding integers while parsing messages + err error ++ // ignoreDepth tracks the depth of recursively parsed ignored fields ++ ignoreDepth int + } + + // NewDecoder returns a new decoder that reads from the io.Reader. 
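Review bot: In the decode.go hunks, replacing the `depth` parameter with the `dec.ignoreDepth` field and pairing every increment with `defer func() { dec.ignoreDepth-- }()` is what makes the limit hold at every call site, including the two compile* callers that previously passed 0 and so restarted the count for each ignored field; because `error_` panics out of the recursion, the deferred decrement is also what leaves the counter at zero for the next Decode on the same Decoder. Worth stating that invariant in the decoder.go hunk's comment on `ignoreDepth` (only decIgnoreOpFor may touch it, always through the increment/defer pair), since a future call site that increments without the defer would silently make the limit cumulative across messages.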
+diff --git a/src/encoding/gob/gobencdec_test.go b/src/encoding/gob/gobencdec_test.go +index 1b52ecc..2b5f2a8 100644 +--- a/src/encoding/gob/gobencdec_test.go ++++ b/src/encoding/gob/gobencdec_test.go +@@ -806,6 +806,8 @@ func TestIngoreDepthLimit(t *testing.T) { + defer func() { maxIgnoreNestingDepth = oldNestingDepth }() + b := new(bytes.Buffer) + enc := NewEncoder(b) ++ ++ // Nested slice + typ := reflect.TypeOf(int(0)) + nested := reflect.ArrayOf(1, typ) + for i := 0; i < 100; i++ { +@@ -819,4 +821,16 @@ func TestIngoreDepthLimit(t *testing.T) { + if err := dec.Decode(&output); err == nil || err.Error() != expectedErr { + t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err) + } ++ ++ // Nested struct ++ nested = reflect.StructOf([]reflect.StructField{{Name: "F", Type: typ}}) ++ for i := 0; i < 100; i++ { ++ nested = reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}}) ++ } ++ badStruct = reflect.New(reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}})) ++ enc.Encode(badStruct.Interface()) ++ dec = NewDecoder(b) ++ if err := dec.Decode(&output); err == nil || err.Error() != expectedErr { ++ t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err) ++ } + } +-- +2.40.0

From patchwork Wed Jan 15 14:37:41 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55623
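Review bot: In the gobencdec_test.go hunk of the CVE-2024-34156 patch above (the nested-struct case added to TestIngoreDepthLimit), `enc.Encode(badStruct.Interface())` drops the encoder's error; if encoding ever fails, `dec.Decode` returns some unrelated error and the t.Errorf message misattributes it to the depth limit. Suggest `if err := enc.Encode(badStruct.Interface()); err != nil { t.Fatal(err) }` so the failure is reported where it happens. The `Ingore` spelling in the function name comes from the context line, not from this patch, so it is best left as upstream has it.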
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 03/11] go: Fix CVE-2024-34158
Date: Wed, 15 Jan 2025 06:37:41 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209908

From: Archana Polampalli

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-34158

Upstream-patch: https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/go/go-1.17.13.inc | 1 +
 .../go/go-1.21/CVE-2024-34158.patch | 205 ++++++++++++++++++
 2 files changed, 206 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-34158.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 53ca869221..c483590931 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -60,6 +60,7 @@ SRC_URI += "\ file://CVE-2024-24791.patch \ file://CVE-2024-34155.patch \ file://CVE-2024-34156.patch \ + file://CVE-2024-34158.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-34158.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-34158.patch new file mode 100644 index 0000000000..ad4d4f092c --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-34158.patch 
@@ -0,0 +1,205 @@ +From d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 20 Jun 2024 10:45:30 -0700 +Subject: [PATCH] go/build/constraint: add parsing limits + +Limit the size of build constraints that we will parse. This prevents a +number of stack exhaustions that can be hit when parsing overly complex +constraints. The imposed limits are unlikely to ever be hit in real +world usage. + +Updates #69141 +Fixes #69148 +Fixes CVE-2024-34158 + +Change-Id: I38b614bf04caa36eefc6a4350d848588c4cef3c4 +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1540 +Reviewed-by: Damien Neil +Reviewed-by: Russ Cox +(cherry picked from commit 0c74dc9e0da0cf1e12494b514d822b5bebbc9f04) +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1582 +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/go/+/611183 +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Dmitri Shuralyov +Reviewed-by: Michael Pratt +TryBot-Bypass: Dmitri Shuralyov + +CVE: CVE-2024-34158 + +Upstream-Status: Backport [https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002] + +Signed-off-by: Archana Polampalli +--- + src/go/build/constraint/expr.go | 28 ++++++++++-- + src/go/build/constraint/expr_test.go | 65 +++++++++++++++++++++++++++- + 2 files changed, 89 insertions(+), 4 deletions(-) + +diff --git a/src/go/build/constraint/expr.go b/src/go/build/constraint/expr.go +index 957eb9b..85897e2 100644 +--- a/src/go/build/constraint/expr.go ++++ b/src/go/build/constraint/expr.go +@@ -18,6 +18,10 @@ import ( + "unicode/utf8" + ) + ++// maxSize is a limit used to control the complexity of expressions, in order ++// to prevent stack exhaustion issues due to recursion. ++const maxSize = 1000 ++ + // An Expr is a build tag constraint expression. + // The underlying concrete type is *AndExpr, *OrExpr, *NotExpr, or *TagExpr. 
+ type Expr interface { +@@ -153,7 +157,7 @@ func Parse(line string) (Expr, error) { + return parseExpr(text) + } + if text, ok := splitPlusBuild(line); ok { +- return parsePlusBuildExpr(text), nil ++ return parsePlusBuildExpr(text) + } + return nil, errNotConstraint + } +@@ -203,6 +207,8 @@ type exprParser struct { + tok string // last token read + isTag bool + pos int // position (start) of last token ++ ++ size int + } + + // parseExpr parses a boolean build tag expression. +@@ -251,6 +257,10 @@ func (p *exprParser) and() Expr { + // On entry, the next input token has not yet been lexed. + // On exit, the next input token has been lexed and is in p.tok. + func (p *exprParser) not() Expr { ++ p.size++ ++ if p.size > maxSize { ++ panic(&SyntaxError{Offset: p.pos, Err: "build expression too large"}) ++ } + p.lex() + if p.tok == "!" { + p.lex() +@@ -391,7 +401,13 @@ func splitPlusBuild(line string) (expr string, ok bool) { + } + + // parsePlusBuildExpr parses a legacy build tag expression (as used with “// +build”). +-func parsePlusBuildExpr(text string) Expr { ++func parsePlusBuildExpr(text string) (Expr, error) { ++ // Only allow up to 100 AND/OR operators for "old" syntax. ++ // This is much less than the limit for "new" syntax, ++ // but uses of old syntax were always very simple. ++ const maxOldSize = 100 ++ size := 0 ++ + var x Expr + for _, clause := range strings.Fields(text) { + var y Expr +@@ -417,19 +433,25 @@ func parsePlusBuildExpr(text string) Expr { + if y == nil { + y = z + } else { ++ if size++; size > maxOldSize { ++ return nil, errComplex ++ } + y = and(y, z) + } + } + if x == nil { + x = y + } else { ++ if size++; size > maxOldSize { ++ return nil, errComplex ++ } + x = or(x, y) + } + } + if x == nil { + x = tag("ignore") + } +- return x ++ return x, nil + } + + // isValidTag reports whether the word is a valid build tag. 
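Review bot: In the expr.go hunks, the `not()` guard enforces maxSize with `panic(&SyntaxError{...})`, which is only correct because parseExpr already recovers *SyntaxError panics into an error return; that recover is outside this diff and the TestSizeLimits expectations depend on it, so confirm it exists in the 1.17 tree rather than only in the release the fix was written against. Counting in `not()` means every operand and every parenthesised group bumps `p.size`, so the wide `a || a || ...` inputs and the deep `(a && (a && ...` inputs hit the same limit, which matches the four table entries. The legacy path is bounded differently: `parsePlusBuildExpr` counts only and/or joins against a local maxOldSize and returns errComplex, and Parse now propagates it; since the signature changed from `Expr` to `(Expr, error)`, check that no in-tree caller of parsePlusBuildExpr exists beyond the test updated in this patch.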
+diff --git a/src/go/build/constraint/expr_test.go b/src/go/build/constraint/expr_test.go +index 15d1890..ac38ba6 100644 +--- a/src/go/build/constraint/expr_test.go ++++ b/src/go/build/constraint/expr_test.go +@@ -222,7 +222,7 @@ var parsePlusBuildExprTests = []struct { + func TestParsePlusBuildExpr(t *testing.T) { + for i, tt := range parsePlusBuildExprTests { + t.Run(fmt.Sprint(i), func(t *testing.T) { +- x := parsePlusBuildExpr(tt.in) ++ x, _ := parsePlusBuildExpr(tt.in) + if x.String() != tt.x.String() { + t.Errorf("parsePlusBuildExpr(%q):\nhave %v\nwant %v", tt.in, x, tt.x) + } +@@ -319,3 +319,66 @@ func TestPlusBuildLines(t *testing.T) { + }) + } + } ++ ++func TestSizeLimits(t *testing.T) { ++ for _, tc := range []struct { ++ name string ++ expr string ++ }{ ++ { ++ name: "go:build or limit", ++ expr: "//go:build " + strings.Repeat("a || ", maxSize+2), ++ }, ++ { ++ name: "go:build and limit", ++ expr: "//go:build " + strings.Repeat("a && ", maxSize+2), ++ }, ++ { ++ name: "go:build and depth limit", ++ expr: "//go:build " + strings.Repeat("(a &&", maxSize+2), ++ }, ++ { ++ name: "go:build or depth limit", ++ expr: "//go:build " + strings.Repeat("(a ||", maxSize+2), ++ }, ++ } { ++ t.Run(tc.name, func(t *testing.T) { ++ _, err := Parse(tc.expr) ++ if err == nil { ++ t.Error("expression did not trigger limit") ++ } else if syntaxErr, ok := err.(*SyntaxError); !ok || syntaxErr.Err != "build expression too large" { ++ if !ok { ++ t.Errorf("unexpected error: %v", err) ++ } else { ++ t.Errorf("unexpected syntax error: %s", syntaxErr.Err) ++ } ++ } ++ }) ++ } ++} ++ ++func TestPlusSizeLimits(t *testing.T) { ++ maxOldSize := 100 ++ for _, tc := range []struct { ++ name string ++ expr string ++ }{ ++ { ++ name: "+build or limit", ++ expr: "// +build " + strings.Repeat("a ", maxOldSize+2), ++ }, ++ { ++ name: "+build and limit", ++ expr: "// +build " + strings.Repeat("a,", maxOldSize+2), ++ }, ++ } { ++ t.Run(tc.name, func(t *testing.T) { ++ _, err := Parse(tc.expr) 
++ if err == nil { ++ t.Error("expression did not trigger limit") ++ } else if err != errComplex { ++ t.Errorf("unexpected error: got %q, want %q", err, errComplex) ++ } ++ }) ++ } ++} +-- +2.40.0

From patchwork Wed Jan 15 14:37:42 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55631
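Review bot: In the TestParsePlusBuildExpr hunk of the CVE-2024-34158 patch above, `x, _ := parsePlusBuildExpr(tt.in)` discards the error this patch introduces; if any table entry ever trips maxOldSize, x is nil and `x.String()` panics with a nil dereference instead of producing a readable failure. Prefer `x, err := parsePlusBuildExpr(tt.in)` followed by `if err != nil { t.Fatal(err) }`. In the TestPlusSizeLimits hunk, `maxOldSize := 100` duplicates the constant declared inside parsePlusBuildExpr, so the test will not notice if the limit is changed later; hoisting that const to package level next to maxSize lets the test reference it the way TestSizeLimits references maxSize.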
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 04/11] ruby: fix CVE-2024-49761
Date: Wed, 15 Jan 2025 06:37:42 -0800
Message-ID: <5b453400e9dd878b81b1447d14b3f518809de17e.1736951751.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209909

From: Divya Chellam

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS
vulnerability when it parses an XML that has many digits between &# and
x...; in a hex numeric character reference (&#x...;). This does not happen
with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The
REXML gem 3.3.9 or later include the patch to fix the vulnerability.

CVE-2024-49761-0009.patch is the CVE fix and the rest are dependent commits.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-49761

Upstream-patch:
https://github.com/ruby/rexml/commit/810d2285235d5501a0a124f300832e6e9515da3c
https://github.com/ruby/rexml/commit/83ca5c4b0f76cf7b307dd1be1dc934e1e8199863
https://github.com/ruby/rexml/commit/51217dbcc64ecc34aa70f126b103bedf07e153fc
https://github.com/ruby/rexml/commit/7e4049f6a68c99c4efec2df117057ee080680c9f
https://github.com/ruby/rexml/commit/fc6cad570b849692a28f26a963ceb58edc282bbc
https://github.com/ruby/rexml/commit/77128555476cb0db798e2912fb3a07d6411dc320
https://github.com/ruby/rexml/commit/370666e314816b57ecd5878e757224c3b6bc93f5
https://github.com/ruby/rexml/commit/a579730f25ec7443796495541ec57c071b91805d
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f

Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman --- .../ruby/ruby/CVE-2024-49761-0001.patch | 391 ++++++++++++ .../ruby/ruby/CVE-2024-49761-0002.patch | 104 ++++ .../ruby/ruby/CVE-2024-49761-0003.patch | 85 +++ .../ruby/ruby/CVE-2024-49761-0004.patch | 71 +++ .../ruby/ruby/CVE-2024-49761-0005.patch | 51 ++ .../ruby/ruby/CVE-2024-49761-0006.patch | 79 +++ .../ruby/ruby/CVE-2024-49761-0007.patch | 561 ++++++++++++++++++ .../ruby/ruby/CVE-2024-49761-0008.patch | 107 ++++ .../ruby/ruby/CVE-2024-49761-0009.patch | 46 ++ meta/recipes-devtools/ruby/ruby_3.1.3.bb | 9 + 10 files changed, 1504 insertions(+) create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0001.patch create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0002.patch create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0003.patch create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0004.patch create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0005.patch create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0007.patch create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0008.patch create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0009.patch diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0001.patch new file mode 100644 index 0000000000..3caf389923 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0001.patch 
@@ -0,0 +1,391 @@ +From 810d2285235d5501a0a124f300832e6e9515da3c Mon Sep 17 00:00:00 2001 +From: NAITOH Jun +Date: Wed, 17 Jan 2024 15:32:57 +0900 +Subject: [PATCH] Use string scanner with baseparser (#105) + +Using StringScanner reduces the string copying process and speeds up the +process. + +And I removed unnecessary methods. + +https://github.com/ruby/rexml/actions/runs/7549990000/job/20554906140?pr=105 + +``` +ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [x86_64-linux] +Calculating ------------------------------------- + rexml 3.2.6 master 3.2.6(YJIT) master(YJIT) + dom 4.868 5.077 8.137 8.303 i/s - 100.000 times in 20.540529s 19.696590s 12.288900s 12.043666s + sax 13.597 13.953 19.206 20.948 i/s - 100.000 times in 7.354343s 7.167142s 5.206745s 4.773765s + pull 15.641 16.918 22.266 25.378 i/s - 100.000 times in 6.393424s 5.910955s 4.491201s 3.940471s + stream 14.339 15.844 19.810 22.206 i/s - 100.000 times in 6.973856s 6.311350s 5.047957s 4.503244s + +Comparison: + dom + master(YJIT): 8.3 i/s + 3.2.6(YJIT): 8.1 i/s - 1.02x slower + master: 5.1 i/s - 1.64x slower + rexml 3.2.6: 4.9 i/s - 1.71x slower + + sax + master(YJIT): 20.9 i/s + 3.2.6(YJIT): 19.2 i/s - 1.09x slower + master: 14.0 i/s - 1.50x slower + rexml 3.2.6: 13.6 i/s - 1.54x slower + + pull + master(YJIT): 25.4 i/s + 3.2.6(YJIT): 22.3 i/s - 1.14x slower + master: 16.9 i/s - 1.50x slower + rexml 3.2.6: 15.6 i/s - 1.62x slower + + stream + master(YJIT): 22.2 i/s + 3.2.6(YJIT): 19.8 i/s - 1.12x slower + master: 15.8 i/s - 1.40x slower + rexml 3.2.6: 14.3 i/s - 1.55x slower +``` + +- YJIT=ON : 1.02x - 1.14x faster +- YJIT=OFF : 1.02x - 1.10x faster + +--------- + +Co-authored-by: Sutou Kouhei + +CVE: CVE-2024-49761 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/810d2285235d5501a0a124f300832e6e9515da3c] + +Signed-off-by: Divya Chellam +--- + .../lib/rexml/parsers/baseparser.rb | 21 ++- + .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 149 ++++++------------ + 2 files changed, 56 
insertions(+), 114 deletions(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index 305b120..65bad26 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -96,7 +96,7 @@ module REXML + ENTITYDEF = "(?:#{ENTITYVALUE}|(?:#{EXTERNALID}(#{NDATADECL})?))" + PEDECL = "" + GEDECL = "" +- ENTITYDECL = /\s*(?:#{GEDECL})|(?:#{PEDECL})/um ++ ENTITYDECL = /\s*(?:#{GEDECL})|\s*(?:#{PEDECL})/um + + NOTATIONDECL_START = /\A\s*0 +- rv +- end +- + def read + end + +- def consume( pattern ) +- @buffer = $' if pattern.match( @buffer ) +- end +- +- def match_to( char, pattern ) +- return pattern.match(@buffer) +- end +- +- def match_to_consume( char, pattern ) +- md = pattern.match(@buffer) +- @buffer = $' +- return md +- end +- + def match(pattern, cons=false) +- md = pattern.match(@buffer) +- @buffer = $' if cons and md +- return md ++ if cons ++ @scanner.scan(pattern).nil? ? nil : @scanner ++ else ++ @scanner.check(pattern).nil? ? nil : @scanner ++ end + end + + # @return true if the Source is exhausted + def empty? +- @buffer == "" +- end +- +- def position +- @orig.index( @buffer ) ++ @scanner.eos? + end + + # @return the current line in the source + def current_line + lines = @orig.split +- res = lines.grep @buffer[0..30] ++ res = lines.grep @scanner.rest[0..30] + res = res[-1] if res.kind_of? 
Array + lines.index( res ) if res + end + + private ++ + def detect_encoding +- buffer_encoding = @buffer.encoding ++ scanner_encoding = @scanner.rest.encoding + detected_encoding = "UTF-8" + begin +- @buffer.force_encoding("ASCII-8BIT") +- if @buffer[0, 2] == "\xfe\xff" +- @buffer[0, 2] = "" ++ @scanner.string.force_encoding("ASCII-8BIT") ++ if @scanner.scan(/\xfe\xff/n) + detected_encoding = "UTF-16BE" +- elsif @buffer[0, 2] == "\xff\xfe" +- @buffer[0, 2] = "" ++ elsif @scanner.scan(/\xff\xfe/n) + detected_encoding = "UTF-16LE" +- elsif @buffer[0, 3] == "\xef\xbb\xbf" +- @buffer[0, 3] = "" ++ elsif @scanner.scan(/\xef\xbb\xbf/n) + detected_encoding = "UTF-8" + end + ensure +- @buffer.force_encoding(buffer_encoding) ++ @scanner.string.force_encoding(scanner_encoding) + end + self.encoding = detected_encoding + end + + def encoding_updated + if @encoding != 'UTF-8' +- @buffer = decode(@buffer) ++ @scanner.string = decode(@scanner.rest) + @to_utf = true + else + @to_utf = false +- @buffer.force_encoding ::Encoding::UTF_8 ++ @scanner.string.force_encoding(::Encoding::UTF_8) + end + end + end +@@ -172,7 +138,7 @@ module REXML + end + + if !@to_utf and +- @buffer.respond_to?(:force_encoding) and ++ @orig.respond_to?(:force_encoding) and + @source.respond_to?(:external_encoding) and + @source.external_encoding != ::Encoding::UTF_8 + @force_utf8 = true +@@ -181,65 +147,44 @@ module REXML + end + end + +- def scan(pattern, cons=false) +- rv = super +- # You'll notice that this next section is very similar to the same +- # section in match(), but just a liiittle different. This is +- # because it is a touch faster to do it this way with scan() +- # than the way match() does it; enough faster to warrant duplicating +- # some code +- if rv.size == 0 +- until @buffer =~ pattern or @source.nil? 
+- begin +- @buffer << readline +- rescue Iconv::IllegalSequence +- raise +- rescue +- @source = nil +- end +- end +- rv = super +- end +- rv.taint if RUBY_VERSION < '2.7' +- rv +- end +- + def read + begin +- @buffer << readline ++ # NOTE: `@scanner << readline` does not free memory, so when parsing huge XML in JRuby's DOM, ++ # out-of-memory error `Java::JavaLang::OutOfMemoryError: Java heap space` occurs. ++ # `@scanner.string = @scanner.rest + readline` frees memory that is already consumed ++ # and avoids this problem. ++ @scanner.string = @scanner.rest + readline + rescue Exception, NameError + @source = nil + end + end + +- def consume( pattern ) +- match( pattern, true ) +- end +- + def match( pattern, cons=false ) +- rv = pattern.match(@buffer) +- @buffer = $' if cons and rv +- while !rv and @source ++ if cons ++ md = @scanner.scan(pattern) ++ else ++ md = @scanner.check(pattern) ++ end ++ while md.nil? and @source + begin +- @buffer << readline +- rv = pattern.match(@buffer) +- @buffer = $' if cons and rv ++ @scanner << readline ++ if cons ++ md = @scanner.scan(pattern) ++ else ++ md = @scanner.check(pattern) ++ end + rescue + @source = nil + end + end +- rv.taint if RUBY_VERSION < '2.7' +- rv ++ ++ md.nil? ? nil : @scanner + end + + def empty? + super and ( @source.nil? || @source.eof? ) + end + +- def position +- @er_source.pos rescue 0 +- end +- + # @return the current line in the source + def current_line + begin +@@ -290,7 +235,7 @@ module REXML + @source.set_encoding(@encoding, @encoding) + end + @line_break = encode(">") +- @pending_buffer, @buffer = @buffer, "" ++ @pending_buffer, @scanner.string = @scanner.rest, "" + @pending_buffer.force_encoding(@encoding) + super + end +-- +2.40.0 diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0002.patch new file mode 100644 index 0000000000..35e90b632b --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0002.patch 
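Review bot: In CVE-2024-49761-0001.patch the two refill paths of IOSource disagree about memory: `read` is changed to `@scanner.string = @scanner.rest + readline` precisely so already-consumed text is dropped (see the NOTE about the JRuby OutOfMemoryError), but the refill loop inside `match` still does `@scanner << readline`, which keeps every consumed byte for the life of the parse; use the same refill in both places or say why the match path is exempt. Also, `Source#match` now returns the StringScanner itself rather than a MatchData (`@scanner.scan(pattern).nil? ? nil : @scanner`), so callers indexing with `[n]` or calling `captures` keep working, but any caller relying on MatchData-only methods such as `begin`, `end` or `offset` needs checking, and `Source#position` and `IOSource#position` are removed outright, so confirm nothing (ParseException included) still calls `position`.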
@@ -0,0 +1,104 @@ +From 83ca5c4b0f76cf7b307dd1be1dc934e1e8199863 Mon Sep 17 00:00:00 2001 +From: NAITOH Jun +Date: Sun, 21 Jan 2024 06:11:42 +0900 +Subject: [PATCH] Reduce calls to `Source#buffer`(`StringScanner#rest`) (#106) + +Reduce calls to `Source#buffer`(`StringScanner#rest`) + +## Why +`Source#buffer` calling `StringScanner#rest`. +`StringScanner#rest` is slow. +Reduce calls to `Source#buffer`. + +## Benchmark + +``` +RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml +ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22] +Calculating ------------------------------------- + before after before(YJIT) after(YJIT) + dom 10.639 10.985 16.213 16.221 i/s - 100.000 times in 9.399033s 9.103461s 6.167962s 6.164794s + sax 28.357 29.440 42.900 44.375 i/s - 100.000 times in 3.526479s 3.396688s 2.331024s 2.253511s + pull 32.852 34.210 48.976 51.273 i/s - 100.000 times in 3.043965s 2.923140s 2.041816s 1.950344s + stream 30.821 31.908 43.953 44.697 i/s - 100.000 times in 3.244539s 3.134020s 2.275172s 2.237310s + +Comparison: + dom + after(YJIT): 16.2 i/s + before(YJIT): 16.2 i/s - 1.00x slower + after: 11.0 i/s - 1.48x slower + before: 10.6 i/s - 1.52x slower + + sax + after(YJIT): 44.4 i/s + before(YJIT): 42.9 i/s - 1.03x slower + after: 29.4 i/s - 1.51x slower + before: 28.4 i/s - 1.56x slower + + pull + after(YJIT): 51.3 i/s + before(YJIT): 49.0 i/s - 1.05x slower + after: 34.2 i/s - 1.50x slower + before: 32.9 i/s - 1.56x slower + + stream + after(YJIT): 44.7 i/s + before(YJIT): 44.0 i/s - 1.02x slower + after: 31.9 i/s - 1.40x slower + before: 30.8 i/s - 1.45x slower + +``` + +- YJIT=ON : 1.00x - 1.05x faster +- YJIT=OFF : 1.03x - 1.04x faster + +CVE: CVE-2024-49761 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/83ca5c4b0f76cf7b307dd1be1dc934e1e8199863] + +Signed-off-by: Divya Chellam +--- + 
.../rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index 65bad26..7126a12 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -348,9 +348,13 @@ module REXML + @source.match(/\A\s*/um, true) + end + begin +- @source.read if @source.buffer.size<2 +- if @source.buffer[0] == ?< +- if @source.buffer[1] == ?/ ++ next_data = @source.buffer ++ if next_data.size < 2 ++ @source.read ++ next_data = @source.buffer ++ end ++ if next_data[0] == ?< ++ if next_data[1] == ?/ + @nsstack.shift + last_tag = @tags.pop + md = @source.match( CLOSE_MATCH, true ) +@@ -364,7 +368,7 @@ module REXML + raise REXML::ParseException.new(message, @source) + end + return [ :end_element, last_tag ] +- elsif @source.buffer[1] == ?! ++ elsif next_data[1] == ?! + md = @source.match(/\A(\s*[^>]*>)/um) + #STDERR.puts "SOURCE BUFFER = #{source.buffer}, #{source.buffer.size}" + raise REXML::ParseException.new("Malformed node", @source) unless md +@@ -383,7 +387,7 @@ module REXML + end + raise REXML::ParseException.new( "Declarations can only occur "+ + "in the doctype declaration.", @source) +- elsif @source.buffer[1] == ?? ++ elsif next_data[1] == ?? + return process_instruction + else + # Get the next tag +-- +2.40.0 diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0003.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0003.patch new file mode 100644 index 0000000000..9d3515e7a6 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0003.patch 
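Review bot: In CVE-2024-49761-0002.patch `next_data` is a snapshot of `@source.buffer` (StringScanner#rest) taken before any consuming match, so it is stale as soon as `@source.match(..., true)` runs; the hunk only reads `next_data[0]` and `next_data[1]` before those calls, which is fine, but a one-line comment at `next_data = @source.buffer` saying it must not be used after a consuming match would keep the next refactor from reusing it. The EOF case is unchanged but worth stating: when `next_data.size < 2` and `@source.read` hits EOF, `next_data[1]` is nil, and a lone `<` falls through the `?/`, `?!` and `??` checks into the "Get the next tag" branch rather than raising a malformed-node error.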
@@ -0,0 +1,85 @@ +From 51217dbcc64ecc34aa70f126b103bedf07e153fc Mon Sep 17 00:00:00 2001 +From: NAITOH Jun +Date: Wed, 31 Jan 2024 16:35:55 +0900 +Subject: [PATCH] Reduce calls to StringScanner.new() (#108) + +## Why + +`StringScanner.new()` instances can be reused within parse_attributes, +reducing initialization costs. + +## Benchmark + +``` +RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml +ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22] +Calculating ------------------------------------- + before after before(YJIT) after(YJIT) + dom 11.018 11.207 17.059 16.660 i/s - 100.000 times in 9.075992s 8.923280s 5.861969s 6.002555s + sax 29.843 30.821 45.518 47.505 i/s - 100.000 times in 3.350909s 3.244524s 2.196940s 2.105037s + pull 34.480 35.937 52.816 57.098 i/s - 100.000 times in 2.900205s 2.782632s 1.893370s 1.751378s + stream 32.430 33.516 46.247 48.412 i/s - 100.000 times in 3.083536s 2.983607s 2.162288s 2.065584s + +Comparison: + dom + before(YJIT): 17.1 i/s + after(YJIT): 16.7 i/s - 1.02x slower + after: 11.2 i/s - 1.52x slower + before: 11.0 i/s - 1.55x slower + + sax + after(YJIT): 47.5 i/s + before(YJIT): 45.5 i/s - 1.04x slower + after: 30.8 i/s - 1.54x slower + before: 29.8 i/s - 1.59x slower + + pull + after(YJIT): 57.1 i/s + before(YJIT): 52.8 i/s - 1.08x slower + after: 35.9 i/s - 1.59x slower + before: 34.5 i/s - 1.66x slower + + stream + after(YJIT): 48.4 i/s + before(YJIT): 46.2 i/s - 1.05x slower + after: 33.5 i/s - 1.44x slower + before: 32.4 i/s - 1.49x slower + +``` + +- YJIT=ON : 1.02x - 1.08x faster +- YJIT=OFF : 1.01x - 1.04x faster + +CVE: CVE-2024-49761 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/51217dbcc64ecc34aa70f126b103bedf07e153fc] + +Signed-off-by: Divya Chellam +--- + .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff 
--git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index 7126a12..b66b0ed 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -115,6 +115,7 @@ module REXML + def initialize( source ) + self.stream = source + @listeners = [] ++ @attributes_scanner = StringScanner.new('') + end + + def add_listener( listener ) +@@ -601,7 +602,8 @@ module REXML + return attributes, closed if raw_attributes.nil? + return attributes, closed if raw_attributes.empty? + +- scanner = StringScanner.new(raw_attributes) ++ @attributes_scanner.string = raw_attributes ++ scanner = @attributes_scanner + until scanner.eos? + if scanner.scan(/\s+/) + break if scanner.eos? +-- +2.40.0 diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0004.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0004.patch new file mode 100644 index 0000000000..f2bbbd76f7 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0004.patch 
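Review bot: In CVE-2024-49761-0003.patch the scanner becomes shared instance state (`@attributes_scanner`), which makes parse_attributes non-reentrant: the local alias `scanner` must not outlive the call or be used by anything that re-enters the parser, and `@attributes_scanner.string = raw_attributes` pins the last element's attribute string until the next element is parsed. Neither bites in the visible code, but add a comment at `@attributes_scanner = StringScanner.new('')` marking it as scratch state; it is only set in `initialize`, after `self.stream = source`, so confirm that a parser reused via `stream=` on a new document is not expected to have it reset.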
@@ -0,0 +1,71 @@ +From 7e4049f6a68c99c4efec2df117057ee080680c9f Mon Sep 17 00:00:00 2001 +From: NAITOH Jun +Date: Wed, 31 Jan 2024 17:17:51 +0900 +Subject: [PATCH] Change loop in parse_attributes to `while true`. (#109) + +loop is slower than `while true`. + +``` +RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml +ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22] +Calculating ------------------------------------- + before after before(YJIT) after(YJIT) + dom 11.186 11.304 17.395 17.450 i/s - 100.000 times in 8.940144s 8.846590s 5.748718s 5.730793s + sax 30.811 31.629 47.352 48.040 i/s - 100.000 times in 3.245601s 3.161619s 2.111854s 2.081594s + pull 35.793 36.621 56.924 57.313 i/s - 100.000 times in 2.793829s 2.730693s 1.756732s 1.744812s + stream 33.157 34.757 46.792 50.536 i/s - 100.000 times in 3.015940s 2.877088s 2.137106s 1.978787s + +Comparison: + dom + after(YJIT): 17.4 i/s + before(YJIT): 17.4 i/s - 1.00x slower + after: 11.3 i/s - 1.54x slower + before: 11.2 i/s - 1.56x slower + + sax + after(YJIT): 48.0 i/s + before(YJIT): 47.4 i/s - 1.01x slower + after: 31.6 i/s - 1.52x slower + before: 30.8 i/s - 1.56x slower + + pull + after(YJIT): 57.3 i/s + before(YJIT): 56.9 i/s - 1.01x slower + after: 36.6 i/s - 1.57x slower + before: 35.8 i/s - 1.60x slower + + stream + after(YJIT): 50.5 i/s + before(YJIT): 46.8 i/s - 1.08x slower + after: 34.8 i/s - 1.45x slower + before: 33.2 i/s - 1.52x slower + +``` + +- YJIT=ON : 1.00x - 1.08x faster +- YJIT=OFF : 1.01x - 1.04x faster + +CVE: CVE-2024-49761 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/7e4049f6a68c99c4efec2df117057ee080680c9f] + +Signed-off-by: Divya Chellam +--- + .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb 
b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index b66b0ed..3fe5c29 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -610,7 +610,7 @@ module REXML + end + + pos = scanner.pos +- loop do ++ while true + break if scanner.scan(ATTRIBUTE_PATTERN) + unless scanner.scan(QNAME) + message = "Invalid attribute name: <#{scanner.rest}>" +-- +2.40.0 diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0005.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0005.patch new file mode 100644 index 0000000000..304270092e --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0005.patch 
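Review bot: In CVE-2024-49761-0004.patch `loop do` to `while true` is not a pure speed change: `loop` rescues StopIteration and ends the loop silently, `while true` lets it propagate, and `while` does not open a new scope, so variables first assigned inside the body (such as `message`) become visible to the rest of parse_attributes. Nothing in the visible body raises StopIteration, so behaviour is unchanged, but the idiomatic form here is `until scanner.scan(ATTRIBUTE_PATTERN)` with the `break if` line dropped, which states what the loop does and avoids the bare `while true`.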
@@ -0,0 +1,51 @@ +From fc6cad570b849692a28f26a963ceb58edc282bbc Mon Sep 17 00:00:00 2001 +From: NAITOH Jun +Date: Fri, 16 Feb 2024 04:51:16 +0900 +Subject: [PATCH] Remove unnecessary checks in baseparser (#112) + +https://github.com/ruby/rexml/blob/444c9ce7449d3c5a75ae50087555ec73ae1963a8/lib/rexml/parsers/baseparser.rb#L352-L425 +``` + next_data = @source.buffer + if next_data.size < 2 + @source.read + next_data = @source.buffer + end + if next_data[0] == ?< + : + (omit) + : + else # next_data is a string of one or more characters other than '<'. + md = @source.match( TEXT_PATTERN, true ) # TEXT_PATTERN = /\A([^<]*)/um + text = md[1] + if md[0].length == 0 # md[0].length is greater than or equal to 1. + @source.match( /(\s+)/, true ) + end +``` +This is an unnecessary check because md[0].length is greater than or +equal to 1. + +CVE: CVE-2024-49761 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/fc6cad570b849692a28f26a963ceb58edc282bbc] + +Signed-off-by: Divya Chellam +--- + .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index 3fe5c29..595669c 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -420,9 +420,6 @@ module REXML + else + md = @source.match( TEXT_PATTERN, true ) + text = md[1] +- if md[0].length == 0 +- @source.match( /(\s+)/, true ) +- end + return [ :text, text ] + end + rescue REXML::UndefinedNamespaceException +-- +2.40.0 diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch new file mode 100644 index 0000000000..7d3f547089 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch 
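Review bot: In CVE-2024-49761-0005.patch the removed `if md[0].length == 0` branch was a no-op rather than unreachable: the commit message's invariant (md[0].length >= 1) holds only while the buffer is non-empty, and at EOF `@source.read` sets `@source = nil` with an empty rest, so `next_data[0]` is nil, control reaches this else branch, `TEXT_PATTERN` (`/\A([^<]*)/um`) matches the empty string and md[0] is empty; the removed `@source.match(/(\s+)/, true)` then matched nothing, so the result `[:text, ""]` is the same with or without the branch. A sentence to that effect in the commit message would stop the next reader from reintroducing the check believing it guards something.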
@@ -0,0 +1,79 @@ +From 77128555476cb0db798e2912fb3a07d6411dc320 Mon Sep 17 00:00:00 2001 +From: NAITOH Jun +Date: Sun, 21 Jan 2024 20:02:00 +0900 +Subject: [PATCH] Use `@scanner << readline` instead of `@scanner.string = + @scanner.rest + readline` (#107) + +JRuby's `StringScanner#<<` and `StringScanner#scan` OutOfMemoryError has +been resolved in strscan gem 3.0.9. + +https://github.com/ruby/strscan/issues/83 + +``` +RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml +ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22] +Calculating ------------------------------------- + before after before(YJIT) after(YJIT) + dom 10.958 11.044 16.615 16.783 i/s - 100.000 times in 9.126104s 9.055023s 6.018799s 5.958437s + sax 29.624 29.609 44.390 45.370 i/s - 100.000 times in 3.375641s 3.377372s 2.252774s 2.204080s + pull 33.868 34.695 51.173 53.492 i/s - 100.000 times in 2.952679s 2.882229s 1.954138s 1.869422s + stream 31.719 32.351 43.604 45.403 i/s - 100.000 times in 3.152713s 3.091052s 2.293356s 2.202514s + +Comparison: + dom + after(YJIT): 16.8 i/s + before(YJIT): 16.6 i/s - 1.01x slower + after: 11.0 i/s - 1.52x slower + before: 11.0 i/s - 1.53x slower + + sax + after(YJIT): 45.4 i/s + before(YJIT): 44.4 i/s - 1.02x slower + before: 29.6 i/s - 1.53x slower + after: 29.6 i/s - 1.53x slower + + pull + after(YJIT): 53.5 i/s + before(YJIT): 51.2 i/s - 1.05x slower + after: 34.7 i/s - 1.54x slower + before: 33.9 i/s - 1.58x slower + + stream + after(YJIT): 45.4 i/s + before(YJIT): 43.6 i/s - 1.04x slower + after: 32.4 i/s - 1.40x slower + before: 31.7 i/s - 1.43x slower + +``` + +- YJIT=ON : 1.01x - 1.05x faster +- YJIT=OFF : 1.00x - 1.02x faster + +CVE: CVE-2024-49761 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/77128555476cb0db798e2912fb3a07d6411dc320] + +Signed-off-by: Divya Chellam +--- + .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 6 
+----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb +index 71b08f9..db78a12 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb +@@ -149,11 +149,7 @@ module REXML + + def read + begin +- # NOTE: `@scanner << readline` does not free memory, so when parsing huge XML in JRuby's DOM, +- # out-of-memory error `Java::JavaLang::OutOfMemoryError: Java heap space` occurs. +- # `@scanner.string = @scanner.rest + readline` frees memory that is already consumed +- # and avoids this problem. +- @scanner.string = @scanner.rest + readline ++ @scanner << readline + rescue Exception, NameError + @source = nil + end +-- +2.40.0 diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0007.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0007.patch new file mode 100644 index 0000000000..4ba60823ab --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0007.patch 
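Review bot: In CVE-2024-49761-0006.patch reverting `read` to `@scanner << readline` restores the behaviour the deleted NOTE warned about: the consumed prefix of `@scanner.string` is never released, so for a streamed document the scanner string grows to the full input size on every Ruby implementation, not only JRuby. The stated justification is that strscan gem 3.0.9 resolved the JRuby OutOfMemoryError, but this is a backport into the rexml-3.2.5 bundled with the ruby_3.1.3 recipe, and patching rexml does not change which strscan that Ruby ships; confirm the bundled strscan is at or past 3.0.9, or keep the `@scanner.string = @scanner.rest + readline` form from 0001 on this branch.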
@@ -0,0 +1,561 @@ +From 370666e314816b57ecd5878e757224c3b6bc93f5 Mon Sep 17 00:00:00 2001 +From: NAITOH Jun +Date: Tue, 27 Feb 2024 09:48:35 +0900 +Subject: [PATCH] Use more StringScanner based API to parse XML (#114) + +## Why? + +Improve maintainability by optimizing the process so that the parsing +process proceeds using StringScanner#scan. + +## Changed +- Change `REXML::Parsers::BaseParser` from `frozen_string_literal: +false` to `frozen_string_literal: true`. +- Added `Source#string=` method for error message output. +- Added TestParseDocumentTypeDeclaration#test_no_name test case. +- Of the `intSubset` of DOCTYPE, " + +CVE: CVE-2024-49761 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/370666e314816b57ecd5878e757224c3b6bc93f5] + +Signed-off-by: Divya Chellam +--- + .../lib/rexml/parsers/baseparser.rb | 325 +++++++++--------- + .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 31 +- + 2 files changed, 188 insertions(+), 168 deletions(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index 595669c..bc59bcd 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -1,4 +1,4 @@ +-# frozen_string_literal: false ++# frozen_string_literal: true + require_relative '../parseexception' + require_relative '../undefinednamespaceexception' + require_relative '../source' +@@ -112,6 +112,19 @@ module REXML + "apos" => [/'/, "'", "'", /'/] + } + ++ module Private ++ INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um ++ TAG_PATTERN = /((?>#{QNAME_STR}))/um ++ CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um ++ ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um ++ NAME_PATTERN = /\s*#{NAME}/um ++ GEDECL_PATTERN = "\\s+#{NAME}\\s+#{ENTITYDEF}\\s*>" ++ PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>" ++ ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um ++ end ++ private_constant :Private ++ 
include Private ++ + def initialize( source ) + self.stream = source + @listeners = [] +@@ -198,183 +211,172 @@ module REXML + #STDERR.puts @source.encoding + #STDERR.puts "BUFFER = #{@source.buffer.inspect}" + if @document_status == nil +- word = @source.match( /\A((?:\s+)|(?:<[^>]*>))/um ) +- word = word[1] unless word.nil? +- #STDERR.puts "WORD = #{word.inspect}" +- case word +- when COMMENT_START +- return [ :comment, @source.match( COMMENT_PATTERN, true )[1] ] +- when XMLDECL_START +- #STDERR.puts "XMLDECL" +- results = @source.match( XMLDECL_PATTERN, true )[1] +- version = VERSION.match( results ) +- version = version[1] unless version.nil? +- encoding = ENCODING.match(results) +- encoding = encoding[1] unless encoding.nil? +- if need_source_encoding_update?(encoding) +- @source.encoding = encoding +- end +- if encoding.nil? and /\AUTF-16(?:BE|LE)\z/i =~ @source.encoding +- encoding = "UTF-16" +- end +- standalone = STANDALONE.match(results) +- standalone = standalone[1] unless standalone.nil? 
+- return [ :xmldecl, version, encoding, standalone ] +- when INSTRUCTION_START ++ if @source.match("/um, true) +- id = [nil, nil, nil] +- @document_status = :after_doctype +- else +- id = parse_id(base_error_message, +- accept_external_id: true, +- accept_public_id: false) +- if id[0] == "SYSTEM" +- # For backward compatibility +- id[1], id[2] = id[2], nil ++ elsif @source.match("/um, true)[1] ] ++ elsif @source.match("DOCTYPE", true) ++ base_error_message = "Malformed DOCTYPE" ++ unless @source.match(/\s+/um, true) ++ if @source.match(">") ++ message = "#{base_error_message}: name is missing" ++ else ++ message = "#{base_error_message}: invalid name" ++ end ++ @source.string = "/um, true) ++ elsif @source.match(/\s*>/um, true) ++ id = [nil, nil, nil] + @document_status = :after_doctype + else +- message = "#{base_error_message}: garbage after external ID" +- raise REXML::ParseException.new(message, @source) ++ id = parse_id(base_error_message, ++ accept_external_id: true, ++ accept_public_id: false) ++ if id[0] == "SYSTEM" ++ # For backward compatibility ++ id[1], id[2] = id[2], nil ++ end ++ if @source.match(/\s*\[/um, true) ++ @document_status = :in_doctype ++ elsif @source.match(/\s*>/um, true) ++ @document_status = :after_doctype ++ else ++ message = "#{base_error_message}: garbage after external ID" ++ raise REXML::ParseException.new(message, @source) ++ end + end +- end +- args = [:start_doctype, name, *id] +- if @document_status == :after_doctype +- @source.match(/\A\s*/um, true) +- @stack << [ :end_doctype ] +- end +- return args +- when /\A\s+/ +- else +- @document_status = :after_doctype +- if @source.encoding == "UTF-8" +- @source.buffer_encoding = ::Encoding::UTF_8 ++ args = [:start_doctype, name, *id] ++ if @document_status == :after_doctype ++ @source.match(/\s*/um, true) ++ @stack << [ :end_doctype ] ++ end ++ return args ++ else ++ message = "Invalid XML" ++ raise REXML::ParseException.new(message, @source) + end + end + end + if @document_status 
== :in_doctype +- md = @source.match(/\A\s*(.*?>)/um) +- case md[1] +- when SYSTEMENTITY +- match = @source.match( SYSTEMENTITY, true )[1] +- return [ :externalentity, match ] +- +- when ELEMENTDECL_START +- return [ :elementdecl, @source.match( ELEMENTDECL_PATTERN, true )[1] ] +- +- when ENTITY_START +- match = [:entitydecl, *@source.match( ENTITYDECL, true ).captures.compact] +- ref = false +- if match[1] == '%' +- ref = true +- match.delete_at 1 +- end +- # Now we have to sort out what kind of entity reference this is +- if match[2] == 'SYSTEM' +- # External reference +- match[3] = match[3][1..-2] # PUBID +- match.delete_at(4) if match.size > 4 # Chop out NDATA decl +- # match is [ :entity, name, SYSTEM, pubid(, ndata)? ] +- elsif match[2] == 'PUBLIC' +- # External reference +- match[3] = match[3][1..-2] # PUBID +- match[4] = match[4][1..-2] # HREF +- match.delete_at(5) if match.size > 5 # Chop out NDATA decl +- # match is [ :entity, name, PUBLIC, pubid, href(, ndata)? ] +- else +- match[2] = match[2][1..-2] +- match.pop if match.size == 4 +- # match is [ :entity, name, value ] +- end +- match << '%' if ref +- return match +- when ATTLISTDECL_START +- md = @source.match( ATTLISTDECL_PATTERN, true ) +- raise REXML::ParseException.new( "Bad ATTLIST declaration!", @source ) if md.nil? +- element = md[1] +- contents = md[0] +- +- pairs = {} +- values = md[0].scan( ATTDEF_RE ) +- values.each do |attdef| +- unless attdef[3] == "#IMPLIED" +- attdef.compact! +- val = attdef[3] +- val = attdef[4] if val == "#FIXED " +- pairs[attdef[0]] = val +- if attdef[0] =~ /^xmlns:(.*)/ +- @nsstack[0] << $1 +- end ++ @source.match(/\s*/um, true) # skip spaces ++ if @source.match("/um, true) ++ raise REXML::ParseException.new( "Bad ELEMENT declaration!", @source ) if md.nil? 
++ return [ :elementdecl, "/um) +- message = "#{base_error_message}: name is missing" ++ # Now we have to sort out what kind of entity reference this is ++ if match[2] == 'SYSTEM' ++ # External reference ++ match[3] = match[3][1..-2] # PUBID ++ match.delete_at(4) if match.size > 4 # Chop out NDATA decl ++ # match is [ :entity, name, SYSTEM, pubid(, ndata)? ] ++ elsif match[2] == 'PUBLIC' ++ # External reference ++ match[3] = match[3][1..-2] # PUBID ++ match[4] = match[4][1..-2] # HREF ++ match.delete_at(5) if match.size > 5 # Chop out NDATA decl ++ # match is [ :entity, name, PUBLIC, pubid, href(, ndata)? ] + else +- message = "#{base_error_message}: invalid declaration name" ++ match[2] = match[2][1..-2] ++ match.pop if match.size == 4 ++ # match is [ :entity, name, value ] + end +- raise REXML::ParseException.new(message, @source) +- end +- name = parse_name(base_error_message) +- id = parse_id(base_error_message, +- accept_external_id: true, +- accept_public_id: true) +- unless @source.match(/\A\s*>/um, true) +- message = "#{base_error_message}: garbage before end >" +- raise REXML::ParseException.new(message, @source) ++ match << '%' if ref ++ return match ++ elsif @source.match("ATTLIST", true) ++ md = @source.match(ATTLISTDECL_END, true) ++ raise REXML::ParseException.new( "Bad ATTLIST declaration!", @source ) if md.nil? ++ element = md[1] ++ contents = md[0] ++ ++ pairs = {} ++ values = md[0].scan( ATTDEF_RE ) ++ values.each do |attdef| ++ unless attdef[3] == "#IMPLIED" ++ attdef.compact! 
++ val = attdef[3] ++ val = attdef[4] if val == "#FIXED " ++ pairs[attdef[0]] = val ++ if attdef[0] =~ /^xmlns:(.*)/ ++ @nsstack[0] << $1 ++ end ++ end ++ end ++ return [ :attlistdecl, element, pairs, contents ] ++ elsif @source.match("NOTATION", true) ++ base_error_message = "Malformed notation declaration" ++ unless @source.match(/\s+/um, true) ++ if @source.match(">") ++ message = "#{base_error_message}: name is missing" ++ else ++ message = "#{base_error_message}: invalid name" ++ end ++ @source.string = " /um, true) ++ message = "#{base_error_message}: garbage before end >" ++ raise REXML::ParseException.new(message, @source) ++ end ++ return [:notationdecl, name, *id] ++ elsif md = @source.match(/--(.*?)-->/um, true) ++ case md[1] ++ when /--/, /-\z/ ++ raise REXML::ParseException.new("Malformed comment", @source) ++ end ++ return [ :comment, md[1] ] if md + end +- return [:notationdecl, name, *id] +- when DOCTYPE_END ++ elsif match = @source.match(/(%.*?;)\s*/um, true) ++ return [ :externalentity, match[1] ] ++ elsif @source.match(/\]\s*>/um, true) + @document_status = :after_doctype +- @source.match( DOCTYPE_END, true ) + return [ :end_doctype ] + end + end + if @document_status == :after_doctype +- @source.match(/\A\s*/um, true) ++ @source.match(/\s*/um, true) + end + begin +- next_data = @source.buffer +- if next_data.size < 2 +- @source.read +- next_data = @source.buffer +- end +- if next_data[0] == ?< +- if next_data[1] == ?/ ++ if @source.match("<", true) ++ if @source.match("/", true) + @nsstack.shift + last_tag = @tags.pop +- md = @source.match( CLOSE_MATCH, true ) ++ md = @source.match(CLOSE_PATTERN, true) + if md and !last_tag + message = "Unexpected top-level end tag (got '#{md[1]}')" + raise REXML::ParseException.new(message, @source) + end + if md.nil? 
or last_tag != md[1] + message = "Missing end tag for '#{last_tag}'" +- message << " (got '#{md[1]}')" if md ++ message += " (got '#{md[1]}')" if md ++ @source.string = "]*>)/um) ++ elsif @source.match("!", true) ++ md = @source.match(/([^>]*>)/um) + #STDERR.puts "SOURCE BUFFER = #{source.buffer}, #{source.buffer.size}" + raise REXML::ParseException.new("Malformed node", @source) unless md +- if md[0][2] == ?- +- md = @source.match( COMMENT_PATTERN, true ) ++ if md[0][0] == ?- ++ md = @source.match(/--(.*?)-->/um, true) + + case md[1] + when /--/, /-\z/ +@@ -383,17 +385,18 @@ module REXML + + return [ :comment, md[1] ] if md + else +- md = @source.match( CDATA_PATTERN, true ) ++ md = @source.match(/\[CDATA\[(.*?)\]\]>/um, true) + return [ :cdata, md[1] ] if md + end + raise REXML::ParseException.new( "Declarations can only occur "+ + "in the doctype declaration.", @source) +- elsif next_data[1] == ?? ++ elsif @source.match("?", true) + return process_instruction + else + # Get the next tag +- md = @source.match(TAG_MATCH, true) ++ md = @source.match(TAG_PATTERN, true) + unless md ++ @source.string = "<" + @source.buffer + raise REXML::ParseException.new("malformed XML: missing tag start", @source) + end + tag = md[1] +@@ -418,7 +421,7 @@ module REXML + return [ :start_element, tag, attributes ] + end + else +- md = @source.match( TEXT_PATTERN, true ) ++ md = @source.match(/([^<]*)/um, true) + text = md[1] + return [ :text, text ] + end +@@ -462,8 +465,7 @@ module REXML + + # Unescapes all possible entities + def unnormalize( string, entities=nil, filter=nil ) +- rv = string.clone +- rv.gsub!( /\r\n?/, "\n" ) ++ rv = string.gsub( /\r\n?/, "\n" ) + matches = rv.scan( REFERENCE_RE ) + return rv if matches.size == 0 + rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { +@@ -498,9 +500,9 @@ module REXML + end + + def parse_name(base_error_message) +- md = @source.match(/\A\s*#{NAME}/um, true) ++ md = @source.match(NAME_PATTERN, true) + unless md +- if 
@source.match(/\A\s*\S/um) ++ if @source.match(/\s*\S/um) + message = "#{base_error_message}: invalid name" + else + message = "#{base_error_message}: name is missing" +@@ -577,11 +579,28 @@ module REXML + end + + def process_instruction +- match_data = @source.match(INSTRUCTION_PATTERN, true) ++ match_data = @source.match(INSTRUCTION_END, true) + unless match_data + message = "Invalid processing instruction node" ++ @source.string = " +Date: Tue, 25 Jun 2024 09:07:11 +0900 +Subject: [PATCH] Optimize BaseParser#unnormalize method (#158) + +## Benchmark +``` +RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.3/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml +ruby 3.3.3 (2024-06-12 revision f1c7b6f435) [arm64-darwin22] +Calculating ------------------------------------- + before after before(YJIT) after(YJIT) + dom 17.704 18.106 34.215 33.806 i/s - 100.000 times in 5.648398s 5.523110s 2.922698s 2.958036s + sax 25.664 25.302 48.429 48.602 i/s - 100.000 times in 3.896488s 3.952289s 2.064859s 2.057537s + pull 28.966 29.215 61.710 62.068 i/s - 100.000 times in 3.452275s 3.422901s 1.620480s 1.611129s + stream 28.291 28.426 53.860 55.548 i/s - 100.000 times in 3.534716s 3.517884s 1.856667s 1.800247s + +Comparison: + dom + before(YJIT): 34.2 i/s + after(YJIT): 33.8 i/s - 1.01x slower + after: 18.1 i/s - 1.89x slower + before: 17.7 i/s - 1.93x slower + + sax + after(YJIT): 48.6 i/s + before(YJIT): 48.4 i/s - 1.00x slower + before: 25.7 i/s - 1.89x slower + after: 25.3 i/s - 1.92x slower + + pull + after(YJIT): 62.1 i/s + before(YJIT): 61.7 i/s - 1.01x slower + after: 29.2 i/s - 2.12x slower + before: 29.0 i/s - 2.14x slower + + stream + after(YJIT): 55.5 i/s + before(YJIT): 53.9 i/s - 1.03x slower + after: 28.4 i/s - 1.95x slower + before: 28.3 i/s - 1.96x slower + +``` + +- YJIT=ON : 1.00x - 1.03x faster +- YJIT=OFF : 0.98x - 1.02x faster + +CVE: CVE-2024-49761 + +Upstream-Status: Backport 
[https://github.com/ruby/rexml/commit/a579730f25ec7443796495541ec57c071b91805d] + +Signed-off-by: Divya Chellam +--- + .../rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index bc59bcd..9983d51 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -121,6 +121,13 @@ module REXML + GEDECL_PATTERN = "\\s+#{NAME}\\s+#{ENTITYDEF}\\s*>" + PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>" + ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um ++ CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/ ++ CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ++ DEFAULT_ENTITIES_PATTERNS = {} ++ default_entities = ['gt', 'lt', 'quot', 'apos', 'amp'] ++ default_entities.each do |term| ++ DEFAULT_ENTITIES_PATTERNS[term] = /&#{term};/ ++ end + end + private_constant :Private + include Private +@@ -465,10 +472,10 @@ module REXML + + # Unescapes all possible entities + def unnormalize( string, entities=nil, filter=nil ) +- rv = string.gsub( /\r\n?/, "\n" ) ++ rv = string.gsub( Private::CARRIAGE_RETURN_NEWLINE_PATTERN, "\n" ) + matches = rv.scan( REFERENCE_RE ) + return rv if matches.size == 0 +- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) { ++ rv.gsub!( Private::CHARACTER_REFERENCES ) { + m=$1 + m = "0#{m}" if m[0] == ?x + [Integer(m)].pack('U*') +@@ -479,7 +486,7 @@ module REXML + unless filter and filter.include?(entity_reference) + entity_value = entity( entity_reference, entities ) + if entity_value +- re = /&#{entity_reference};/ ++ re = Private::DEFAULT_ENTITIES_PATTERNS[entity_reference] || /&#{entity_reference};/ + rv.gsub!( re, entity_value ) + else + er = DEFAULT_ENTITIES[entity_reference] +@@ -487,7 +494,7 @@ module REXML + end + end + end +- rv.gsub!( /&/, '&' ) ++ rv.gsub!( 
Private::DEFAULT_ENTITIES_PATTERNS['amp'], '&' ) + end + rv + end +-- +2.40.0 + diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0009.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0009.patch new file mode 100644 index 0000000000..58a0894b09 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0009.patch @@ -0,0 +1,46 @@ +From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001 +From: Sutou Kouhei +Date: Thu, 24 Oct 2024 14:45:31 +0900 +Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character + reference + +CVE: CVE-2024-49761 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f] + +Signed-off-by: Divya Chellam +--- + .../gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index 9983d51..661f0e2 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -122,7 +122,7 @@ module REXML + PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>" + ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um + CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/ +- CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ++ CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ + DEFAULT_ENTITIES_PATTERNS = {} + default_entities = ['gt', 'lt', 'quot', 'apos', 'amp'] + default_entities.each do |term| +@@ -477,8 +477,12 @@ module REXML + return rv if matches.size == 0 + rv.gsub!( Private::CHARACTER_REFERENCES ) { + m=$1 +- m = "0#{m}" if m[0] == ?x +- [Integer(m)].pack('U*') ++ if m.start_with?("x") ++ code_point = Integer(m[1..-1], 16) ++ else ++ code_point = Integer(m, 10) ++ end ++ [code_point].pack('U*') + } + matches.collect!{|x|x[0]}.compact! + if matches.size > 0 +-- +2.40.0 + 
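Review bot: in the baseparser.rb rewrite patch at the top of this message, the comment branch of the `<!` path (the context lines just ahead of the `@@ -383,17 +385,18 @@` header) runs `md = @source.match(/--(.*?)-->/um, true)` and then goes straight into `case md[1]`; if that match returns nil (the earlier `/([^>]*>)/um` lookahead only proves a `>` exists, not a closing `-->`), `md[1]` raises NoMethodError instead of a REXML::ParseException. The `return [ :comment, md[1] ] if md` after the `case` shows the nil case was anticipated, but only after the dereference. Suggest `raise REXML::ParseException.new("Malformed comment", @source) unless md` before the `case`, matching the `Malformed node` check a few lines up.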
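Review bot: in CVE-2024-49761-0008.patch, hunk `@@ -479,7 +486,7 @@`, the fallback `|| /&#{entity_reference};/` still interpolates the entity name from the document into a fresh Regexp on every miss; unless REFERENCE_RE is known to restrict names to XML NameChar, wrap it as `/&#{Regexp.escape(entity_reference)};/` so a name containing regex metacharacters cannot change what the gsub! matches. The new `DEFAULT_ENTITIES_PATTERNS` hash in hunk `@@ -121,6 +121,13 @@` is also filled in at load time but never frozen; a `.freeze` after the `default_entities.each` loop keeps a stray write from altering unescaping for every later parse.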
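Review bot: the CHARACTER_REFERENCES change in CVE-2024-49761-0009.patch (hunk `@@ -122,7 +122,7 @@`) replaces the old prefix (garbled to `�*` in this rendering) with a bare `&#`, dropping the quantifier that allowed extra characters between `&#` and the digit or `x`, so the form named in the subject line no longer matches as a character reference. That is the behavioural fix, but nothing in the patch says what such input now becomes: it falls out of the `rv.gsub!( Private::CHARACTER_REFERENCES )` pass and is only handled later if REFERENCE_RE picks it up. A one-line regression test with that input, asserting either the parse result or the exception, would pin the intended outcome down and is cheap to carry in the backport.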
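Review bot: the radix change in CVE-2024-49761-0009.patch (hunk `@@ -477,8 +477,12 @@`) is correct and deserves a sentence in the commit message: `Integer(m)` with no base honours Ruby's literal prefixes, so a decimal reference with a leading zero such as `&#065;` was read as octal (and `&#08;` raised ArgumentError), while `Integer(m, 10)` and `Integer(m[1..-1], 16)` read exactly what the XML grammar says. On the same lines, `[code_point].pack('U*')` still has no range check: a reference above U+10FFFF or inside the surrogate range is packed as-is (or raises RangeError for very large values) rather than being rejected as not an XML Char; raising REXML::ParseException for those here would make the failure explicit instead of leaving an invalid string for the rest of the parser.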
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index a00df5d191..eec7e4684c 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb +++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb 
@@ -36,6 +36,15 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://CVE-2024-27281.patch \ file://CVE-2024-27280.patch \ file://CVE-2024-27282.patch \ + file://CVE-2024-49761-0001.patch \ + file://CVE-2024-49761-0002.patch \ + file://CVE-2024-49761-0003.patch \ + file://CVE-2024-49761-0004.patch \ + file://CVE-2024-49761-0005.patch \ + file://CVE-2024-49761-0006.patch \ + file://CVE-2024-49761-0007.patch \ + file://CVE-2024-49761-0008.patch \ + file://CVE-2024-49761-0009.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
From patchwork Wed Jan 15 14:37:43 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 05/11] gstreamer1.0: ignore CVEs fixed in plugins recipes
Date: Wed, 15 Jan 2025 06:37:43 -0800
Message-ID: <09f0b16877ab207cba91f13d036bc6f4cd6bdf70.1736951751.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209910

From: Peter Marko

These were fixed in previous commits.

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb
index b95c67f586..697c6e8b49 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb
@@ -72,5 +72,14 @@ CVE_PRODUCT = "gstreamer" # these CVEs are patched in gstreamer1.0-plugins-bad CVE_CHECK_IGNORE += "CVE-2023-40474 CVE-2023-40475 CVE-2023-40476 CVE-2023-44429 CVE-2023-44446 CVE-2023-50186 CVE-2024-0444" +# these CVEs are patched in gstreamer1.0-plugins-base +CVE_CHECK_IGNORE += "CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835" +# these CVEs are patched in gstreamer1.0-plugins-good +CVE_CHECK_IGNORE += " \ + CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 \ + CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601 \ + CVE-2024-47602 CVE-2024-47603 CVE-2024-47613 CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 \ + CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 \ +" PTEST_BUILD_HOST_FILES = ""
From patchwork Wed Jan 15 14:37:44 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 06/11] ofono: fix CVE-2024-7539
Date: Wed, 15 Jan 2025 06:37:44 -0800
Message-ID:
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209911

From: Yogita Urade

oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CUSD commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23195.

Reference: https://security-tracker.debian.org/tracker/CVE-2024-7539

Upstream Patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
 .../ofono/ofono/CVE-2024-7539.patch | 88 +++++++++++++++++++
 meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
 2 files changed, 89 insertions(+)
 create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch new file mode 100644 index 0000000000..46e45580c2 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch 
@@ -0,0 +1,88 @@ +From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001 +From: "Sicelo A. Mhlongo" +Date: Tue, 17 Dec 2024 11:31:29 +0200 +Subject: [PATCH] ussd: ensure ussd content fits in buffers + +Fixes: CVE-2024-7539 + +CVE: CVE-2024-7539 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc] + +Signed-off-by: Yogita Urade +--- + drivers/atmodem/ussd.c | 5 ++++- + drivers/huaweimodem/ussd.c | 5 ++++- + drivers/speedupmodem/ussd.c | 5 ++++- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c +index 3be1832..29f86dc 100644 +--- a/drivers/atmodem/ussd.c ++++ b/drivers/atmodem/ussd.c +@@ -106,7 +106,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + const char *content; + int dcs; + enum sms_charset charset; +- unsigned char msg[160]; ++ unsigned char msg[160] = {0}; + const unsigned char *msg_ptr = NULL; + long msg_len; + +@@ -124,6 +124,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + if (!g_at_result_iter_next_number(&iter, &dcs)) + dcs = 0; + ++ if (strlen(content) > sizeof(msg) * 2) ++ goto out; ++ + if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) { + ofono_error("Unsupported USSD data coding scheme (%02x)", dcs); + status = 4; /* Not supported */ +diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c +index fbed3cd..4160b7d 100644 +--- a/drivers/huaweimodem/ussd.c ++++ b/drivers/huaweimodem/ussd.c +@@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + GAtResultIter iter; + int status, dcs; + const char *content; +- unsigned char msg[160]; ++ unsigned char msg[160] = {0}; + const unsigned char *msg_ptr = NULL; + long msg_len; + +@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + if (!g_at_result_iter_next_number(&iter, &dcs)) + dcs = 0; + ++ if 
(strlen(content) > sizeof(msg) * 2) ++ goto out; ++ + msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); + + out: +diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c +index 57b91d7..99af19a 100644 +--- a/drivers/speedupmodem/ussd.c ++++ b/drivers/speedupmodem/ussd.c +@@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + GAtResultIter iter; + int status, dcs; + const char *content; +- unsigned char msg[160]; ++ unsigned char msg[160] = {0}; + const unsigned char *msg_ptr = NULL; + long msg_len; + +@@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd) + if (!g_at_result_iter_next_number(&iter, &dcs)) + dcs = 0; + ++ if (strlen(content) > sizeof(msg) * 2) ++ goto out; ++ + msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg); + + out: +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 3ffb713472..a7c3a9085d 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb 
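Review bot: the new length check in drivers/atmodem/ussd.c (hunk `@@ -124,6 +124,9 @@`) jumps to `out` silently, whereas the unsupported-DCS branch directly below it calls `ofono_error()` and sets `status = 4`. An over-long CUSD payload is exactly the condition this CVE is about, so discarding it without a log line loses the one signal an operator could alert on; suggest an `ofono_error()` with the observed length before the `goto out`, and a comment spelling out why the bound is `sizeof(msg) * 2` (the content is consumed as hex, two digits per byte, which is what `decode_hex_own_buf(content, -1, &msg_len, 0, msg)` does in the other two drivers). The same applies to the identical hunks in drivers/huaweimodem/ussd.c and drivers/speedupmodem/ussd.c.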
@@ -18,6 +18,7 @@ SRC_URI = "\ file://CVE-2023-2794-0002.patch \ file://CVE-2023-2794-0003.patch \ file://CVE-2023-2794-0004.patch \ + file://CVE-2024-7539.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
From patchwork Wed Jan 15 14:37:45 2025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 07/11] ofono: fix CVE-2024-7543
Date: Wed, 15 Jan 2025 06:37:45 -0800
Message-ID: <31ba25646b78d60923b1d897a43e37ef6f9edd51.1736951751.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209912

From: Yogita Urade

oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23456.

Reference: https://security-tracker.debian.org/tracker/CVE-2024-7543

Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
 .../ofono/ofono/CVE-2024-7543.patch | 30 +++++++++++++++++++
 meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch
new file mode 100644
index 0000000000..d71d00b832
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch
@@ -0,0 +1,30 @@ +From 90e60ada012de42964214d8155260f5749d0dcc7 Mon Sep 17 00:00:00 2001 +From: Ivaylo Dimitrov +Date: Tue, 3 Dec 2024 21:43:50 +0200 +Subject: [PATCH] stkutil: Fix CVE-2024-7543 + +CVE: CVE-2024-7543 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7] + +Signed-off-by: Yogita Urade +--- + src/stkutil.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/stkutil.c b/src/stkutil.c +index 4f31af4..fdd11ad 100644 +--- a/src/stkutil.c ++++ b/src/stkutil.c +@@ -1876,6 +1876,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter, + + data = comprehension_tlv_iter_get_data(iter); + mr->len = len; ++ ++ if (len > sizeof(mr->ref)) ++ return false; ++ + memcpy(mr->ref, data, len); + + return true; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index a7c3a9085d..731b186b12 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb 
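Review bot: in src/stkutil.c (hunk `@@ -1876,6 +1876,10 @@`) the bounds check sits after `mr->len = len;`, so when `parse_dataobj_mms_reference()` returns false the caller is left with an `mr` whose `len` claims more bytes than `ref` holds while `ref` itself is untouched. If any caller reads the struct on the false path, or the struct is reused for the next object, that inconsistent length is a latent problem; move `if (len > sizeof(mr->ref)) return false;` above the assignment (or assign `len` only after the memcpy) so `mr` is either fully valid or unchanged. A short comment that `sizeof(mr->ref)` is only right because `ref` is an in-struct array, not a pointer, would also protect the check against a future struct change.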
@@ -19,6 +19,7 @@ SRC_URI = "\ file://CVE-2023-2794-0003.patch \ file://CVE-2023-2794-0004.patch \ file://CVE-2024-7539.patch \ + file://CVE-2024-7543.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"

From patchwork Wed Jan 15 14:37:46 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55627
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 08/11] ofono: fix CVE-2024-7544
Date: Wed, 15 Jan 2025 06:37:46 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209913

From: Yogita Urade

oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability.

This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23457.

Reference: https://security-tracker.debian.org/tracker/CVE-2024-7544

Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
 .../ofono/ofono/CVE-2024-7544.patch | 30 +++++++++++++++++++
 meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch
new file mode 100644
index 0000000000..ebbf809030
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch
@@ -0,0 +1,30 @@ +From a240705a0d5d41eca6de4125ab2349ecde4c873a Mon Sep 17 00:00:00 2001 +From: Ivaylo Dimitrov +Date: Tue, 3 Dec 2024 21:43:49 +0200 +Subject: [PATCH] stkutil: Fix CVE-2024-7544 + +CVE: CVE-2024-7544 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a] + +Signed-off-by: Yogita Urade +--- + src/stkutil.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/stkutil.c b/src/stkutil.c +index fdd11ad..475caaa 100644 +--- a/src/stkutil.c ++++ b/src/stkutil.c +@@ -1898,6 +1898,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter, + + data = comprehension_tlv_iter_get_data(iter); + mi->len = len; ++ ++ if (len > sizeof(mi->id)) ++ return false; ++ + memcpy(mi->id, data, len); + + return true; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 731b186b12..54710aa9fd 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb 
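Review bot: same ordering problem as the CVE-2024-7543 hunk: `mi->len = len;` is stored before `if (len > sizeof(mi->id)) return false;`, so a rejected PDU still leaves an oversize `len` in the struct; do the check first, then the assignment. Note also the `index fdd11ad..475caaa` line: this backport was generated on top of the CVE-2024-7543 fix (fdd11ad is that patch's post-image blob), so CVE-2024-7543.patch has to stay ahead of this file in SRC_URI, as the recipe currently has it, when the series is rebased.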
@@ -20,6 +20,7 @@ SRC_URI = "\ file://CVE-2023-2794-0004.patch \ file://CVE-2024-7539.patch \ file://CVE-2024-7543.patch \ + file://CVE-2024-7544.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"

From patchwork Wed Jan 15 14:37:47 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55628
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 09/11] ofono: fix CVE-2024-7545
Date: Wed, 15 Jan 2025 06:37:47 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209914

From: Yogita Urade

oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability.

This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23458.

Reference: https://security-tracker.debian.org/tracker/CVE-2024-7545

Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
 .../ofono/ofono/CVE-2024-7545.patch | 32 +++++++++++++++++++
 meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch
new file mode 100644
index 0000000000..80dc3c9ab0
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch
@@ -0,0 +1,32 @@ +From 556e14548c38c2b96d85881542046ee7ed750bb5 Mon Sep 17 00:00:00 2001 +From: Sicelo A. Mhlongo +Date: Wed, Dec 4 12:07:34 2024 +0200 +Subject: [PATCH] stkutil: ensure data fits in buffer + +Fixes CVE-2024-7545 + +CVE: CVE-2024-7545 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5] + +Signed-off-by: Yogita Urade +--- + src/stkutil.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/stkutil.c b/src/stkutil.c +index 475caaa..e1fd75c 100644 +--- a/src/stkutil.c ++++ b/src/stkutil.c +@@ -1938,6 +1938,10 @@ static bool parse_dataobj_mms_content_id( + + data = comprehension_tlv_iter_get_data(iter); + mci->len = len; ++ ++ if (len > sizeof(mci->id)) ++ return false; ++ + memcpy(mci->id, data, len); + + return true; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 54710aa9fd..0597caff3c 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb 
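Review bot: the in-patch header `Date: Wed, Dec 4 12:07:34 2024 +0200` is in `git log` default format, not the RFC 2822 form `git format-patch` emits (compare `Date: Tue, 3 Dec 2024 21:43:50 +0200` in the sibling patches); quilt and `patch` ignore it, but regenerating the file with `git format-patch` from the referenced upstream commit keeps the header parseable for `git am` and consistent with the rest of the series. In the code, `mci->len = len;` is again assigned before `if (len > sizeof(mci->id)) return false;`, so the same suggestion applies as for the two preceding hunks: check first, then assign.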
@@ -21,6 +21,7 @@ SRC_URI = "\ file://CVE-2024-7539.patch \ file://CVE-2024-7543.patch \ file://CVE-2024-7544.patch \ + file://CVE-2024-7545.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"

From patchwork Wed Jan 15 14:37:48 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55633
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 10/11] ofono: fix CVE-2024-7546
Date: Wed, 15 Jan 2025 06:37:48 -0800
Message-ID: <33b2a67b3134498e8c4845efddc7854b4d2315cd.1736951751.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209915

From: Yogita Urade

oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability.

This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23459.

Reference: https://security-tracker.debian.org/tracker/CVE-2024-7546

Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
 .../ofono/ofono/CVE-2024-7546.patch | 30 +++++++++++++++++++
 meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch
new file mode 100644
index 0000000000..aac6751625
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch
@@ -0,0 +1,30 @@ +From 79ea6677669e50b0bb9c231765adb4f81c375f63 Mon Sep 17 00:00:00 2001 +From: Ivaylo Dimitrov +Date: Tue, 3 Dec 2024 21:43:52 +0200 +Subject: [PATCH] Fix CVE-2024-7546 + +CVE: CVE-2024-7546 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63] + +Signed-off-by: Yogita Urade +--- + src/stkutil.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/stkutil.c b/src/stkutil.c +index e1fd75c..88a715d 100644 +--- a/src/stkutil.c ++++ b/src/stkutil.c +@@ -1783,6 +1783,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter, + + fl->layout = data[0]; + fl->len = len - 1; ++ ++ if (fl->len > sizeof(fl->size)) ++ return false; ++ + memcpy(fl->size, data + 1, fl->len); + + return true; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 0597caff3c..0c1e0ea6f8 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb 
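Review bot: the new check in parse_dataobj_frame_layout bounds the memcpy, but `fl->layout = data[0];` and `fl->len = len - 1;` above it run first, so a PDU with `len == 0` still reads one byte past the object and wraps `fl->len` (or makes it negative, depending on its type); the wrapped value is rejected by the new comparison, the out-of-bounds read is not. Unless a `len < 1` guard already exists above the hunk's context (not visible here), add `if (len < 1) return false;` before `data[0]` is dereferenced.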
@@ -22,6 +22,7 @@ SRC_URI = "\ file://CVE-2024-7543.patch \ file://CVE-2024-7544.patch \ file://CVE-2024-7545.patch \ + file://CVE-2024-7546.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"

From patchwork Wed Jan 15 14:37:49 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 55632
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 11/11] ofono: fix CVE-2024-7547
Date: Wed, 15 Jan 2025 06:37:49 -0800
Message-ID: <8c32d91b64ae296d7832ddeb42983f4f3c237946.1736951751.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209916

From: Yogita Urade

oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation Vulnerability.

This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.

The specific flaw exists within the parsing of SMS PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23460.

Reference: https://security-tracker.debian.org/tracker/CVE-2024-7547

Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
 .../ofono/ofono/CVE-2024-7547.patch | 29 +++++++++++++++++++
 meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch
new file mode 100644
index 0000000000..b6b08127a8
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch
@@ -0,0 +1,29 @@ +From 305df050d02aea8532f7625d6642685aa530f9b0 Mon Sep 17 00:00:00 2001 +From: Ivaylo Dimitrov +Date: Tue, 3 Dec 2024 21:43:51 +0200 +Subject: [PATCH] Fix CVE-2024-7547 + +CVE: CVE-2024-7547 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0] + +Signed-off-by: Yogita Urade +--- + src/smsutil.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/smsutil.c b/src/smsutil.c +index e073a06..f8ff428 100644 +--- a/src/smsutil.c ++++ b/src/smsutil.c +@@ -1475,6 +1475,9 @@ static gboolean decode_command(const unsigned char *pdu, int len, + if ((len - offset) < out->command.cdl) + return FALSE; + ++ if (out->command.cdl > sizeof(out->command.cd)) ++ return FALSE; ++ + memcpy(out->command.cd, pdu + offset, out->command.cdl); + + return TRUE; +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 0c1e0ea6f8..8205ea683d 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb @@ -23,6 +23,7 @@ SRC_URI = "\ file://CVE-2024-7544.patch \ file://CVE-2024-7545.patch \ file://CVE-2024-7546.patch \ + file://CVE-2024-7547.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
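Review bot: in decode_command the new `return FALSE` path leaves `out->command.cdl` holding the oversize length while `out->command.cd` is never written, so a caller that inspects `out` after a FALSE return sees an inconsistent command descriptor; either reset `cdl` to 0 before returning or make it explicit that `out` is undefined on failure. The two adjacent guards could also be folded into one condition, though that is cosmetic. As with the stkutil hunks, `sizeof(out->command.cd)` is only a real bound if `cd` is a fixed-size array in the struct (consistent with the advisory's "stack-based buffer") rather than a pointer; the struct definition is outside the hunk and worth a glance.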