From patchwork Tue Feb 18 21:09:54 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 57550
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 01/12] subversion: ignore CVE-2024-45720
Date: Tue, 18 Feb 2025 13:09:54 -0800
Message-ID: <3a3488c8c4c0e19e32504e03e6bb73777ac7c72e.1739912869.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211640

From: Peter Marko

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45720

This CVE is relevant only for subversion running on Windows.

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/subversion/subversion_1.14.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/subversion/subversion_1.14.2.bb b/meta/recipes-devtools/subversion/subversion_1.14.2.bb index 35da95f39d..a979e63c60 100644 --- a/meta/recipes-devtools/subversion/subversion_1.14.2.bb +++ b/meta/recipes-devtools/subversion/subversion_1.14.2.bb
@@ -19,6 +19,9 @@ inherit autotools pkgconfig gettext python3native CVE_PRODUCT = "apache:subversion" +# not-applicable-platform: Issue only applies on Windows +CVE_CHECK_IGNORE += "CVE-2024-45720" + PACKAGECONFIG ?= "" PACKAGECONFIG[boost] = "--with-boost=${RECIPE_SYSROOT}${exec_prefix},--without-boost,boost"
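Review bot: the CVE_CHECK_IGNORE entry added to subversion_1.14.2.bb is unconditional, so it also silences CVE-2024-45720 for any variant of this recipe that is built for a Windows host. If no such variant can be built on this branch, the comment should say so; otherwise the ignore should be scoped to the non-Windows builds. The recipe comment would also benefit from carrying the NVD link given in the commit message, so the justification can be re-checked from the recipe alone.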
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/12] libpcre2: ignore CVE-2022-1586
Date: Tue, 18 Feb 2025 13:09:55 -0800
Message-ID: <063be7f1f3d9abe61a1eb2d71eeb548b4eb760e6.1739912869.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211641

From: Peter Marko

This CVE is fixed in 10.40
NVD wrongly changed <10.40 to =10.40 when adding debian_linux=10.0

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1586#VulnChangeHistorySection

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-support/libpcre/libpcre2_10.40.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-support/libpcre/libpcre2_10.40.bb b/meta/recipes-support/libpcre/libpcre2_10.40.bb index 74c12ecec2..ba5f8cff32 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.40.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.40.bb
@@ -19,6 +19,10 @@ SRC_URI[sha256sum] = "14e4b83c4783933dc17e964318e6324f7cae1bc75d8f3c79bc6969f00c CVE_PRODUCT = "pcre2" +# This CVE is fixed in 10.40 +# NVD wrongly changed <10.40 to =10.40 when adding debian_linux=10.0 +CVE_CHECK_IGNORE += "CVE-2022-1586" + S = "${WORKDIR}/pcre2-${PV}" PROVIDES += "pcre2"
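Review bot: the comment above CVE_CHECK_IGNORE in libpcre2_10.40.bb explains the NVD data error but drops the change-history link that the commit message gives. Adding that URL to the comment lets whoever next touches the recipe confirm whether NVD has corrected the version range, at which point the ignore for CVE-2022-1586 can be removed instead of lingering.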
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 03/12] libxml2: Fix for CVE-2022-49043
Date: Tue, 18 Feb 2025 13:09:56 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211642

From: Vijay Anusuri

Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b]

Reference: https://access.redhat.com/security/cve/cve-2022-49043

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
 .../libxml/libxml2/CVE-2022-49043.patch | 38 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-49043.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-49043.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-49043.patch new file mode 100644 index 0000000000..25c7bc847c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-49043.patch
@@ -0,0 +1,38 @@ +From 5a19e21605398cef6a8b1452477a8705cb41562b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 16:13:27 +0100 +Subject: [PATCH] malloc-fail: Fix use-after-free in xmlXIncludeAddNode + +Found with libFuzzer, see #344. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b] +CVE: CVE-2022-49043 +Signed-off-by: Vijay Anusuri +--- + xinclude.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xinclude.c b/xinclude.c +index e5fdf0f..36fa8ec 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -612,14 +612,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) { + } + URL = xmlSaveUri(uri); + xmlFreeURI(uri); +- xmlFree(URI); + if (URL == NULL) { + xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI, + "invalid value URI %s\n", URI); + if (fragment != NULL) + xmlFree(fragment); ++ xmlFree(URI); + return(-1); + } ++ xmlFree(URI); + + if (xmlStrEqual(URL, ctxt->doc->URL)) + local = 1; +-- +2.25.1 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 94b3b510ae..ecaae0b436 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb 
@@ -33,6 +33,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2023-45322-2.patch \ file://CVE-2024-25062.patch \ file://CVE-2024-34459.patch \ + file://CVE-2022-49043.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
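Review bot: neither the header of CVE-2022-49043.patch nor the commit message says what is being fixed beyond "see #344", which does not resolve from this tree. One sentence would be enough, for example that in the xinclude.c hunk URI was released by xmlFree(URI) before xmlXIncludeErr() formatted it with %s in the URL == NULL branch. The change itself reads correctly in the visible lines: URI is now freed once before the return(-1) and once after the branch.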
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 04/12] ruby: fix CVE-2024-41946
Date: Tue, 18 Feb 2025 13:09:57 -0800
Message-ID: <38b077c9238b1fa9bbd73b7611a68cc17fc51c73.1739912869.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211643

From: Divya Chellam

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
vulnerability when it parses an XML that has many entity expansions
with SAX2 or pull parser API. The REXML gem 3.3.3 or later include
the patch to fix the vulnerability.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41946

Upstream-patch:
https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368

Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman
---
 .../ruby/ruby/CVE-2024-41946.patch | 117 ++++++++++++++++++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 +
 2 files changed, 118 insertions(+)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41946.patch

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-41946.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-41946.patch new file mode 100644 index 0000000000..0da383f9b9 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-41946.patch
@@ -0,0 +1,117 @@ +From 033d1909a8f259d5a7c53681bcaf14f13bcf0368 Mon Sep 17 00:00:00 2001 +From: NAITOH Jun +Date: Thu, 1 Aug 2024 09:20:31 +0900 +Subject: [PATCH] Add support for XML entity expansion limitation in SAX and + pull parsers (#187) + +- Supported `REXML::Security.entity_expansion_limit=` in SAX and pull parsers +- Supported `REXML::Security.entity_expansion_text_limit=` in SAX and pull parsers + +CVE: CVE-2024-41946 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368] + +Signed-off-by: Divya Chellam +--- + .../lib/rexml/parsers/baseparser.rb | 19 ++++++++++++++++++- + .../lib/rexml/parsers/pullparser.rb | 4 ++++ + .../lib/rexml/parsers/sax2parser.rb | 4 ++++ + 3 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index 661f0e2..e32c7f4 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -135,6 +135,7 @@ module REXML + def initialize( source ) + self.stream = source + @listeners = [] ++ @entity_expansion_count = 0 + @attributes_scanner = StringScanner.new('') + end + +@@ -143,6 +144,7 @@ module REXML + end + + attr_reader :source ++ attr_reader :entity_expansion_count + + def stream=( source ) + @source = SourceFactory.create_from( source ) +@@ -447,7 +449,9 @@ module REXML + def entity( reference, entities ) + value = nil + value = entities[ reference ] if entities +- if not value ++ if value ++ record_entity_expansion ++ else + value = DEFAULT_ENTITIES[ reference ] + value = value[2] if value + end +@@ -486,12 +490,17 @@ module REXML + } + matches.collect!{|x|x[0]}.compact! 
+ if matches.size > 0 ++ sum = 0 + matches.each do |entity_reference| + unless filter and filter.include?(entity_reference) + entity_value = entity( entity_reference, entities ) + if entity_value + re = Private::DEFAULT_ENTITIES_PATTERNS[entity_reference] || /&#{entity_reference};/ + rv.gsub!( re, entity_value ) ++ sum += rv.bytesize ++ if sum > Security.entity_expansion_text_limit ++ raise "entity expansion has grown too large" ++ end + else + er = DEFAULT_ENTITIES[entity_reference] + rv.gsub!( er[0], er[2] ) if er +@@ -504,6 +513,14 @@ module REXML + end + + private ++ ++ def record_entity_expansion ++ @entity_expansion_count += 1 ++ if @entity_expansion_count > Security.entity_expansion_limit ++ raise "number of entity expansions exceeded, processing aborted." ++ end ++ end ++ + def need_source_encoding_update?(xml_declaration_encoding) + return false if xml_declaration_encoding.nil? + return false if /\AUTF-16\z/i =~ xml_declaration_encoding +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb +index f8b232a..36b4595 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb +@@ -47,6 +47,10 @@ module REXML + @listeners << listener + end + ++ def entity_expansion_count ++ @parser.entity_expansion_count ++ end ++ + def each + while has_next? + yield self.pull +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb +index 6a24ce2..01cb469 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb +@@ -22,6 +22,10 @@ module REXML + @parser.source + end + ++ def entity_expansion_count ++ @parser.entity_expansion_count ++ end ++ + def add_listener( listener ) + @parser.add_listener( listener ) + end +-- +2.40.0 + 
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index eec7e4684c..96873fd7fa 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb +++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb 
@@ -45,6 +45,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://CVE-2024-49761-0007.patch \ file://CVE-2024-49761-0008.patch \ file://CVE-2024-49761-0009.patch \ + file://CVE-2024-41946.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
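Review bot: in the baseparser.rb hunks of CVE-2024-41946.patch, @entity_expansion_count is set to 0 only in initialize, and the stream= context shown in the second hunk (@@ -143,6 +144,7 @@) reassigns @source with no visible reset of the counter. A parser object handed a second document through stream= would therefore start from the previous document's count and could hit Security.entity_expansion_limit early. Since this is a backport, the place to settle it is upstream, but it is worth confirming that the behaviour is intended before the limit is relied on as a per-document bound.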
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 05/12] gnutls: fix CVE-2024-12243
Date: Tue, 18 Feb 2025 13:09:58 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211644

From: Archana Polampalli

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing.
Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded
certificate data can take excessive time, leading to increased resource
consumption. This flaw allows a remote attacker to send a specially crafted
certificate, causing GnuTLS to become unresponsive or slow, resulting in a
denial-of-service condition.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../gnutls/gnutls/CVE-2024-12243.patch | 1160 +++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb | 1 +
 2 files changed, 1161 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch new file mode 100644 index 0000000000..c0ff21fd25 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch
@@ -0,0 +1,1160 @@ +From 4760bc63531e3f5039e70ede91a20e1194410892 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 18 Nov 2024 17:23:46 +0900 +Subject: [PATCH] x509: optimize name constraints processing + +This switches the representation name constraints from linked lists to +array lists to optimize the lookup performance from O(n) to O(1), also +enforces a limit of name constraint checks against subject alternative +names. + +Signed-off-by: Daiki Ueno + +CVE: CVE-2024-12243 + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892] + +Signed-off-by: Archana Polampalli +--- + lib/datum.c | 7 +- + lib/x509/name_constraints.c | 594 +++++++++++++++++++++--------------- + lib/x509/x509_ext.c | 87 +++--- + lib/x509/x509_ext_int.h | 5 + + lib/x509/x509_int.h | 24 +- + 5 files changed, 405 insertions(+), 312 deletions(-) + +diff --git a/lib/datum.c b/lib/datum.c +index bd0f216..b0e8d11 100644 +--- a/lib/datum.c ++++ b/lib/datum.c +@@ -29,6 +29,7 @@ + #include + #include + #include "errors.h" ++#include "intprops.h" + + /* On error, @dat is not changed. 
*/ + int +@@ -61,7 +62,11 @@ _gnutls_set_strdatum(gnutls_datum_t * dat, const void *data, size_t data_size) + if (data == NULL) + return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); + +- unsigned char *m = gnutls_malloc(data_size + 1); ++ size_t capacity; ++ if (!INT_ADD_OK(data_size, 1, &capacity)) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ ++ unsigned char *m = gnutls_malloc(capacity); + if (!m) + return GNUTLS_E_MEMORY_ERROR; + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index 6c1546e..c9eab70 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -33,49 +33,99 @@ + #include + #include + #include ++#include "x509_ext_int.h" + #include + + #include "ip.h" + #include "ip-in-cidr.h" + ++#include "intprops.h" ++ ++#define MAX_NC_CHECKS (1 << 20) ++ ++struct name_constraints_node_st { ++ unsigned type; ++ gnutls_datum_t name; ++}; ++ ++struct name_constraints_node_list_st { ++ struct name_constraints_node_st **data; ++ size_t size; ++ size_t capacity; ++}; ++ ++struct gnutls_name_constraints_st { ++ struct name_constraints_node_list_st nodes; /* owns elements */ ++ struct name_constraints_node_list_st permitted; /* borrows elements */ ++ struct name_constraints_node_list_st excluded; /* borrows elements */ ++}; ++ ++static struct name_constraints_node_st * ++name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, ++ unsigned char *data, unsigned int size); ++ ++static int name_constraints_node_list_add(struct name_constraints_node_list_st *list, ++ struct name_constraints_node_st *node) ++{ ++ if (!list->capacity || list->size == list->capacity) { ++ size_t new_capacity = list->capacity; ++ struct name_constraints_node_st **new_data; ++ ++ if (!INT_MULTIPLY_OK(new_capacity, 2, &new_capacity) || ++ !INT_ADD_OK(new_capacity, 1, &new_capacity)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ new_data = _gnutls_reallocarray( ++ list->data, new_capacity, ++ sizeof(struct 
name_constraints_node_st *)); ++ if (!new_data) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ list->capacity = new_capacity; ++ list->data = new_data; ++ } ++ list->data[list->size++] = node; ++ return 0; ++} ++ + // for documentation see the implementation +-static int name_constraints_intersect_nodes(name_constraints_node_st * nc1, +- name_constraints_node_st * nc2, +- name_constraints_node_st ** intersection); ++static int name_constraints_intersect_nodes( ++ gnutls_x509_name_constraints_t nc, ++ const struct name_constraints_node_st *node1, ++ const struct name_constraints_node_st *node2, ++ struct name_constraints_node_st **intersection); + + /*- +- * is_nc_empty: ++ * _gnutls_x509_name_constraints_is_empty: + * @nc: name constraints structure +- * @type: type (gnutls_x509_subject_alt_name_t) ++ * @type: type (gnutls_x509_subject_alt_name_t or 0) + * + * Test whether given name constraints structure has any constraints (permitted + * or excluded) of a given type. @nc must be allocated (not NULL) before the call. ++ * If @type is 0, type checking will be skipped. 
+ * +- * Returns: 0 if @nc contains constraints of type @type, 1 otherwise ++ * Returns: false if @nc contains constraints of type @type, true otherwise + -*/ +-static unsigned is_nc_empty(struct gnutls_name_constraints_st* nc, unsigned type) ++bool _gnutls_x509_name_constraints_is_empty(gnutls_x509_name_constraints_t nc, ++ unsigned type) + { +- name_constraints_node_st *t; ++ if (nc->permitted.size == 0 && nc->excluded.size == 0) ++ return true; + +- if (nc->permitted == NULL && nc->excluded == NULL) +- return 1; ++ if (type == 0) ++ return false; + +- t = nc->permitted; +- while (t != NULL) { +- if (t->type == type) +- return 0; +- t = t->next; ++ for (size_t i = 0; i < nc->permitted.size; i++) { ++ if (nc->permitted.data[i]->type == type) ++ return false; + } + +- t = nc->excluded; +- while (t != NULL) { +- if (t->type == type) +- return 0; +- t = t->next; ++ for (size_t i = 0; i < nc->excluded.size; i++) { ++ if (nc->excluded.data[i]->type == type) ++ return false; ++ + } + + /* no constraint for that type exists */ +- return 1; ++ return true; + } + + /*- +@@ -111,21 +161,16 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type, + return GNUTLS_E_SUCCESS; + } + +-int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, +- name_constraints_node_st ** _nc) ++static int extract_name_constraints(gnutls_x509_name_constraints_t nc, ++ asn1_node c2, const char *vstr, ++ struct name_constraints_node_list_st *nodes) + { + int ret; + char tmpstr[128]; + unsigned indx; + gnutls_datum_t tmp = { NULL, 0 }; + unsigned int type; +- struct name_constraints_node_st *nc, *prev; +- +- prev = *_nc; +- if (prev != NULL) { +- while(prev->next != NULL) +- prev = prev->next; +- } ++ struct name_constraints_node_st *node; + + for (indx=1;;indx++) { + snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, indx); +@@ -144,25 +189,19 @@ int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, + goto cleanup; + } + +- nc = 
gnutls_malloc(sizeof(struct name_constraints_node_st)); +- if (nc == NULL) { ++ node = name_constraints_node_new(nc, type, tmp.data, tmp.size); ++ _gnutls_free_datum(&tmp); ++ if (node == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + +- memcpy(&nc->name, &tmp, sizeof(gnutls_datum_t)); +- nc->type = type; +- nc->next = NULL; +- +- if (prev == NULL) { +- *_nc = prev = nc; +- } else { +- prev->next = nc; +- prev = nc; ++ ret = name_constraints_node_list_add(nodes, node); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- +- tmp.data = NULL; + } + + assert(ret < 0); +@@ -177,84 +216,102 @@ int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, + return ret; + } + ++int _gnutls_x509_name_constraints_extract(asn1_node c2, ++ const char *permitted_name, ++ const char *excluded_name, ++ gnutls_x509_name_constraints_t nc) ++{ ++ int ret; ++ ++ ret = extract_name_constraints(nc, c2, permitted_name, &nc->permitted); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ret = extract_name_constraints(nc, c2, excluded_name, &nc->excluded); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ return ret; ++} ++ + /*- +- * _gnutls_name_constraints_node_free: ++ * name_constraints_node_free: + * @node: name constraints node + * +- * Deallocate a list of name constraints nodes starting at the given node. ++ * Deallocate a name constraints node. 
+ -*/ +-void _gnutls_name_constraints_node_free(name_constraints_node_st *node) ++static void name_constraints_node_free(struct name_constraints_node_st *node) + { +- name_constraints_node_st *next, *t; +- +- t = node; +- while (t != NULL) { +- next = t->next; +- gnutls_free(t->name.data); +- gnutls_free(t); +- t = next; ++ if (node) { ++ gnutls_free(node->name.data); ++ gnutls_free(node); + } + } + + /*- + * name_constraints_node_new: + * @type: name constraints type to set (gnutls_x509_subject_alt_name_t) ++ * @nc: a %gnutls_x509_name_constraints_t + * @data: name.data to set or NULL + * @size: name.size to set + * + * Allocate a new name constraints node and set its type, name size and name data. +- * If @data is set to NULL, name data will be an array of \x00 (the length of @size). +- * The .next pointer is set to NULL. + * + * Returns: Pointer to newly allocated node or NULL in case of memory error. + -*/ +-static name_constraints_node_st* name_constraints_node_new(unsigned type, +- unsigned char *data, +- unsigned int size) ++static struct name_constraints_node_st * ++name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, ++ unsigned char *data, unsigned int size) + { +- name_constraints_node_st *tmp = gnutls_malloc(sizeof(struct name_constraints_node_st)); ++ struct name_constraints_node_st *tmp; ++ int ret; ++ ++ tmp = gnutls_calloc(1, sizeof(struct name_constraints_node_st)); + if (tmp == NULL) + return NULL; + tmp->type = type; +- tmp->next = NULL; +- tmp->name.size = size; +- tmp->name.data = NULL; +- if (tmp->name.size > 0) { +- +- tmp->name.data = gnutls_malloc(tmp->name.size); +- if (tmp->name.data == NULL) { ++ if (data) { ++ ret = _gnutls_set_strdatum(&tmp->name, data, size); ++ if (ret < 0) { ++ gnutls_assert(); + gnutls_free(tmp); + return NULL; + } +- if (data != NULL) { +- memcpy(tmp->name.data, data, size); +- } else { +- memset(tmp->name.data, 0, size); +- } + } ++ ret = name_constraints_node_list_add(&nc->nodes, tmp); ++ 
if (ret < 0) { ++ gnutls_assert(); ++ name_constraints_node_free(tmp); ++ return NULL; ++ } ++ + return tmp; + } + + /*- +- * @brief _gnutls_name_constraints_intersect: +- * @_nc: first name constraints list (permitted) +- * @_nc2: name constraints list to merge with (permitted) +- * @_nc_excluded: Corresponding excluded name constraints list ++ * @brief name_constraints_node_list_intersect: ++ * @nc: %gnutls_x509_name_constraints_t ++ * @permitted: first name constraints list (permitted) ++ * @permitted2: name constraints list to merge with (permitted) ++ * @excluded: Corresponding excluded name constraints list + * +- * This function finds the intersection of @_nc and @_nc2. The result is placed in @_nc, +- * the original @_nc is deallocated. @_nc2 is not changed. If necessary, a universal ++ * This function finds the intersection of @permitted and @permitted2. The result is placed in @permitted, ++ * the original @permitted is modified. @permitted2 is not changed. If necessary, a universal + * excluded name constraint node of the right type is added to the list provided +- * in @_nc_excluded. ++ * in @excluded. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. 
+ -*/ +-static +-int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, +- name_constraints_node_st * _nc2, +- name_constraints_node_st ** _nc_excluded) ++static int name_constraints_node_list_intersect( ++ gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *permitted, ++ const struct name_constraints_node_list_st *permitted2, ++ struct name_constraints_node_list_st *excluded) + { +- name_constraints_node_st *nc, *nc2, *t, *tmp, *dest = NULL, *prev = NULL; ++ struct name_constraints_node_st *tmp; + int ret, type, used; ++ struct name_constraints_node_list_st removed = { .data = NULL, ++ .size = 0, ++ .capacity = 0 }; + + /* temporary array to see, if we need to add universal excluded constraints + * (see phase 3 for details) +@@ -262,61 +319,73 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, + unsigned char types_with_empty_intersection[GNUTLS_SAN_MAX]; + memset(types_with_empty_intersection, 0, sizeof(types_with_empty_intersection)); + +- if (*_nc == NULL || _nc2 == NULL) ++ if (permitted->size == 0 || permitted2->size == 0) + return 0; + + /* Phase 1 +- * For each name in _NC, if a _NC2 does not contain a name +- * with the same type, preserve the original name. +- * Do this also for node of unknown type (not DNS, email, IP */ +- t = nc = *_nc; +- while (t != NULL) { +- name_constraints_node_st *next = t->next; +- nc2 = _nc2; +- while (nc2 != NULL) { +- if (t->type == nc2->type) { ++ * For each name in PERMITTED, if a PERMITTED2 does not contain a name ++ * with the same type, move the original name to REMOVED. 
++ * Do this also for node of unknown type (not DNS, email, IP) */ ++ for (size_t i = 0; i < permitted->size;) { ++ struct name_constraints_node_st *t = permitted->data[i]; ++ const struct name_constraints_node_st *found = NULL; ++ ++ for (size_t j = 0; j < permitted2->size; j++) { ++ const struct name_constraints_node_st *t2 = ++ permitted2->data[j]; ++ if (t->type == t2->type) { + // check bounds (we will use 't->type' as index) +- if (t->type > GNUTLS_SAN_MAX || t->type == 0) +- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ if (t->type > GNUTLS_SAN_MAX || t->type == 0) { ++ gnutls_assert(); ++ ret = GNUTLS_E_INTERNAL_ERROR; ++ goto cleanup; ++ } + // note the possibility of empty intersection for this type + // if we add something to the intersection in phase 2, + // we will reset this flag back to 0 then + types_with_empty_intersection[t->type - 1] = 1; ++ found = t2; + break; + } +- nc2 = nc2->next; + } +- if (nc2 == NULL || +- (t->type != GNUTLS_SAN_DNSNAME && +- t->type != GNUTLS_SAN_RFC822NAME && +- t->type != GNUTLS_SAN_IPADDRESS) +- ) { +- /* move node from NC to DEST */ +- if (prev != NULL) +- prev->next = next; +- else +- prev = nc = next; +- t->next = dest; +- dest = t; +- } else { +- prev = t; ++ if (found != NULL && (t->type == GNUTLS_SAN_DNSNAME || ++ t->type == GNUTLS_SAN_RFC822NAME || ++ t->type == GNUTLS_SAN_IPADDRESS)) { ++ /* move node from PERMITTED to REMOVED */ ++ ret = name_constraints_node_list_add(&removed, t); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ /* remove node by swapping */ ++ if (i < permitted->size - 1) ++ permitted->data[i] = ++ permitted->data[permitted->size - 1]; ++ permitted->size--; ++ continue; ++ + } +- t = next; ++ i++; + } + + /* Phase 2 +- * iterate through all combinations from nc2 and nc1 ++ * iterate through all combinations from PERMITTED2 and PERMITTED + * and create intersections of nodes with same type */ +- nc2 = _nc2; +- while (nc2 != NULL) { +- // current nc2 node has not yet 
been used for any intersection +- // (and is not in DEST either) ++ for (size_t i = 0; i < permitted2->size; i++) { ++ const struct name_constraints_node_st *t2 = permitted2->data[i]; ++ ++ // current PERMITTED2 node has not yet been used for any intersection ++ // (and is not in REMOVED either) + used = 0; +- t = nc; +- while (t != NULL) { ++ for (size_t j = 0; j < removed.size; j++) { ++ const struct name_constraints_node_st *t = ++ removed.data[j]; + // save intersection of name constraints into tmp +- ret = name_constraints_intersect_nodes(t, nc2, &tmp); +- if (ret < 0) return gnutls_assert_val(ret); ++ ret = name_constraints_intersect_nodes(nc, t, t2, &tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } + used = 1; + // if intersection is not empty + if (tmp != NULL) { // intersection for this type is not empty +@@ -327,31 +396,35 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, + } + // we will not add universal excluded constraint for this type + types_with_empty_intersection[tmp->type - 1] = 0; +- // add intersection node to DEST +- tmp->next = dest; +- dest = tmp; ++ // add intersection node to PERMITTED ++ ret = name_constraints_node_list_add(permitted, ++ tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ + } +- t = t->next; + } +- // if the node from nc2 was not used for intersection, copy it to DEST ++ // if the node from PERMITTED2 was not used for intersection, copy it to DEST + // Beware: also copies nodes other than DNS, email, IP, + // since their counterpart may have been moved in phase 1. 
+ if (!used) { +- tmp = name_constraints_node_new(nc2->type, nc2->name.data, nc2->name.size); ++ tmp = name_constraints_node_new(nc, t2->type, t2->name.data, t2->name.size); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(permitted, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ + } +- tmp->next = dest; +- dest = tmp; + } +- nc2 = nc2->next; + } + +- /* replace the original with the new */ +- _gnutls_name_constraints_node_free(nc); +- *_nc = dest; +- + /* Phase 3 + * For each type: If we have empty permitted name constraints now + * and we didn't have at the beginning, we have to add a new +@@ -364,60 +437,79 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, + switch (type) { + case GNUTLS_SAN_IPADDRESS: + // add universal restricted range for IPv4 +- tmp = name_constraints_node_new(GNUTLS_SAN_IPADDRESS, NULL, 8); ++ tmp = name_constraints_node_new( ++ nc, GNUTLS_SAN_IPADDRESS, NULL, 8); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(excluded, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ + } +- tmp->next = *_nc_excluded; +- *_nc_excluded = tmp; + // add universal restricted range for IPv6 +- tmp = name_constraints_node_new(GNUTLS_SAN_IPADDRESS, NULL, 32); ++ tmp = name_constraints_node_new( ++ nc, GNUTLS_SAN_IPADDRESS, NULL, 32); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(excluded, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- tmp->next 
= *_nc_excluded; +- *_nc_excluded = tmp; + break; + case GNUTLS_SAN_DNSNAME: + case GNUTLS_SAN_RFC822NAME: +- tmp = name_constraints_node_new(type, NULL, 0); ++ tmp = name_constraints_node_new(nc, type, NULL, 0); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(excluded, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- tmp->next = *_nc_excluded; +- *_nc_excluded = tmp; + break; + default: // do nothing, at least one node was already moved in phase 1 + break; + } + } +- return GNUTLS_E_SUCCESS; +-} +- +-static int _gnutls_name_constraints_append(name_constraints_node_st **_nc, +- name_constraints_node_st *_nc2) +-{ +- name_constraints_node_st *nc, *nc2; +- struct name_constraints_node_st *tmp; ++ ret = GNUTLS_E_SUCCESS; + +- if (_nc2 == NULL) +- return 0; ++cleanup: ++ gnutls_free(removed.data); ++ return ret; + +- nc2 = _nc2; +- while (nc2) { +- nc = *_nc; ++} + +- tmp = name_constraints_node_new(nc2->type, nc2->name.data, nc2->name.size); +- if (tmp == NULL) ++static int name_constraints_node_list_concat( ++ gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *nodes, ++ const struct name_constraints_node_list_st *nodes2) ++{ ++ for (size_t i = 0; i < nodes2->size; i++) { ++ const struct name_constraints_node_st *node = nodes2->data[i]; ++ struct name_constraints_node_st *tmp; ++ int ret; ++ ++ tmp = name_constraints_node_new(nc, node->type, node->name.data, ++ node->name.size); ++ if (tmp == NULL) { + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- tmp->next = nc; +- *_nc = tmp; +- +- nc2 = nc2->next; ++ } ++ ret = name_constraints_node_list_add(nodes, tmp); ++ if (ret < 0) { ++ name_constraints_node_free(tmp); ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } + } + + return 0; +@@ -487,6 +579,25 @@ int 
gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt, + + } + ++void _gnutls_x509_name_constraints_clear(gnutls_x509_name_constraints_t nc) ++{ ++ for (size_t i = 0; i < nc->nodes.size; i++) { ++ struct name_constraints_node_st *node = nc->nodes.data[i]; ++ name_constraints_node_free(node); ++ } ++ gnutls_free(nc->nodes.data); ++ nc->nodes.capacity = 0; ++ nc->nodes.size = 0; ++ ++ gnutls_free(nc->permitted.data); ++ nc->permitted.capacity = 0; ++ nc->permitted.size = 0; ++ ++ gnutls_free(nc->excluded.data); ++ nc->excluded.capacity = 0; ++ nc->excluded.size = 0; ++} ++ + /** + * gnutls_x509_name_constraints_deinit: + * @nc: The nameconstraints +@@ -497,10 +608,9 @@ int gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt, + **/ + void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc) + { +- _gnutls_name_constraints_node_free(nc->permitted); +- _gnutls_name_constraints_node_free(nc->excluded); +- ++ _gnutls_x509_name_constraints_clear(nc); + gnutls_free(nc); ++ + } + + /** +@@ -515,12 +625,15 @@ void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc) + **/ + int gnutls_x509_name_constraints_init(gnutls_x509_name_constraints_t *nc) + { +- *nc = gnutls_calloc(1, sizeof(struct gnutls_name_constraints_st)); +- if (*nc == NULL) { ++ struct gnutls_name_constraints_st *tmp; ++ ++ tmp = gnutls_calloc(1, sizeof(struct gnutls_name_constraints_st)); ++ if (tmp == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + ++ *nc = tmp; + return 0; + } + +@@ -530,37 +643,23 @@ int name_constraints_add(gnutls_x509_name_constraints_t nc, + const gnutls_datum_t * name, + unsigned permitted) + { +- struct name_constraints_node_st * tmp, *prev = NULL; ++ struct name_constraints_node_st *tmp; ++ struct name_constraints_node_list_st *nodes; + int ret; + + ret = validate_name_constraints_node(type, name); + if (ret < 0) + return gnutls_assert_val(ret); + +- if (permitted != 0) +- prev = tmp = nc->permitted; +- else +- prev = 
tmp = nc->excluded; ++ nodes = permitted ? &nc->permitted : &nc->excluded; + +- while(tmp != NULL) { +- tmp = tmp->next; +- if (tmp != NULL) +- prev = tmp; ++ tmp = name_constraints_node_new(nc, type, name->data, name->size); ++ ret = name_constraints_node_list_add(nodes, tmp); ++ if (ret < 0) { ++ name_constraints_node_free(tmp); ++ return gnutls_assert_val(ret); + } + +- tmp = name_constraints_node_new(type, name->data, name->size); +- if (tmp == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- tmp->next = NULL; +- +- if (prev == NULL) { +- if (permitted != 0) +- nc->permitted = tmp; +- else +- nc->excluded = tmp; +- } else +- prev->next = tmp; +- + return 0; + } + +@@ -585,17 +684,15 @@ int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc, + { + int ret; + +- ret = +- _gnutls_name_constraints_intersect(&nc->permitted, +- nc2->permitted, &nc->excluded); ++ ret = name_constraints_node_list_intersect( ++ nc, &nc->permitted, &nc2->permitted, &nc->excluded); + if (ret < 0) { + gnutls_assert(); + return ret; + } + +- ret = +- _gnutls_name_constraints_append(&nc->excluded, +- nc2->excluded); ++ ret = name_constraints_node_list_concat(nc, &nc->excluded, ++ &nc2->excluded); + if (ret < 0) { + gnutls_assert(); + return ret; +@@ -767,47 +864,50 @@ static unsigned email_matches(const gnutls_datum_t *name, const gnutls_datum_t * + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. 
+ -*/ +-static int +-name_constraints_intersect_nodes(name_constraints_node_st * nc1, +- name_constraints_node_st * nc2, +- name_constraints_node_st ** _intersection) ++static int name_constraints_intersect_nodes( ++ gnutls_x509_name_constraints_t nc, ++ const struct name_constraints_node_st *node1, ++ const struct name_constraints_node_st *node2, ++ struct name_constraints_node_st **_intersection) + { + // presume empty intersection +- name_constraints_node_st *intersection = NULL; +- name_constraints_node_st *to_copy = NULL; ++ struct name_constraints_node_st *intersection = NULL; ++ const struct name_constraints_node_st *to_copy = NULL; + unsigned iplength = 0; + unsigned byte; + + *_intersection = NULL; + +- if (nc1->type != nc2->type) { ++ if (node1->type != node2->type) { + return GNUTLS_E_SUCCESS; + } +- switch (nc1->type) { ++ switch (node1->type) { + case GNUTLS_SAN_DNSNAME: +- if (!dnsname_matches(&nc2->name, &nc1->name)) ++ if (!dnsname_matches(&node2->name, &node1->name)) + return GNUTLS_E_SUCCESS; +- to_copy = nc2; + break; + case GNUTLS_SAN_RFC822NAME: +- if (!email_matches(&nc2->name, &nc1->name)) ++ if (!email_matches(&node2->name, &node1->name)) + return GNUTLS_E_SUCCESS; +- to_copy = nc2; ++ to_copy = node2; + break; + case GNUTLS_SAN_IPADDRESS: +- if (nc1->name.size != nc2->name.size) ++ if (node1->name.size != node2->name.size) + return GNUTLS_E_SUCCESS; +- iplength = nc1->name.size/2; ++ iplength = node1->name.size / 2; + for (byte = 0; byte < iplength; byte++) { +- if (((nc1->name.data[byte]^nc2->name.data[byte]) // XOR of addresses +- & nc1->name.data[byte+iplength] // AND mask from nc1 +- & nc2->name.data[byte+iplength]) // AND mask from nc2 ++ if (((node1->name.data[byte] ^ ++ node2->name.data[byte]) // XOR of addresses ++ & node1->name.data[byte + ++ iplength] // AND mask from nc1 ++ & node2->name.data[byte + ++ iplength]) // AND mask from nc2 + != 0) { + // CIDRS do not intersect + return GNUTLS_E_SUCCESS; + } + } +- to_copy = nc2; ++ 
to_copy = node2; + break; + default: + // for other types, we don't know how to do the intersection, assume empty +@@ -816,7 +916,9 @@ name_constraints_intersect_nodes(name_constraints_node_st * nc1, + + // copy existing node if applicable + if (to_copy != NULL) { +- *_intersection = name_constraints_node_new(to_copy->type, to_copy->name.data, to_copy->name.size); ++ *_intersection = name_constraints_node_new(nc, to_copy->type, ++ to_copy->name.data, ++ to_copy->name.size); + if (*_intersection == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + intersection = *_intersection; +@@ -826,10 +928,11 @@ name_constraints_intersect_nodes(name_constraints_node_st * nc1, + if (intersection->type == GNUTLS_SAN_IPADDRESS) { + // make sure both IP addresses are correctly masked + _gnutls_mask_ip(intersection->name.data, intersection->name.data+iplength, iplength); +- _gnutls_mask_ip(nc1->name.data, nc1->name.data+iplength, iplength); ++ _gnutls_mask_ip(node1->name.data, ++ node1->name.data + iplength, iplength); + // update intersection, if necessary (we already know one is subset of other) + for (byte = 0; byte < 2 * iplength; byte++) { +- intersection->name.data[byte] |= nc1->name.data[byte]; ++ intersection->name.data[byte] |= node1->name.data[byte]; + } + } + } +@@ -1123,10 +1226,16 @@ int ret; + unsigned idx, t, san_type; + gnutls_datum_t n; + unsigned found_one; ++size_t checks; + +- if (is_nc_empty(nc, type) != 0) ++ if (_gnutls_x509_name_constraints_is_empty(nc, type) != 0) + return 1; /* shortcut; no constraints to check */ + ++ if (!INT_ADD_OK(nc->permitted.size, nc->excluded.size, &checks) || ++ !INT_MULTIPLY_OK(checks, cert->san->size, &checks) || ++ checks > MAX_NC_CHECKS) { ++ return gnutls_assert_val(0); ++ } + if (type == GNUTLS_SAN_RFC822NAME) { + found_one = 0; + for (idx=0;;idx++) { +@@ -1315,21 +1424,13 @@ int gnutls_x509_name_constraints_get_permitted(gnutls_x509_name_constraints_t nc + unsigned idx, + unsigned *type, gnutls_datum_t * name) + { 
+- unsigned int i; +- struct name_constraints_node_st * tmp = nc->permitted; ++ const struct name_constraints_node_st *tmp; + +- for (i = 0; i < idx; i++) { +- if (tmp == NULL) +- return +- gnutls_assert_val +- (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); +- +- tmp = tmp->next; +- } +- +- if (tmp == NULL) ++ if (idx >= nc->permitted.size) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + ++ tmp = nc->permitted.data[idx]; ++ + *type = tmp->type; + *name = tmp->name; + +@@ -1359,21 +1460,12 @@ int gnutls_x509_name_constraints_get_excluded(gnutls_x509_name_constraints_t nc, + unsigned idx, + unsigned *type, gnutls_datum_t * name) + { +- unsigned int i; +- struct name_constraints_node_st * tmp = nc->excluded; +- +- for (i = 0; i < idx; i++) { +- if (tmp == NULL) +- return +- gnutls_assert_val +- (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); +- +- tmp = tmp->next; +- } +- +- if (tmp == NULL) ++ const struct name_constraints_node_st *tmp; ++ if (idx >= nc->excluded.size) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + ++ tmp = nc->excluded.data[idx]; ++ + *type = tmp->type; + *name = tmp->name; + +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c +index 8bcf183..54741c8 100644 +--- a/lib/x509/x509_ext.c ++++ b/lib/x509/x509_ext.c +@@ -34,10 +34,6 @@ + #include "intprops.h" + + #define MAX_ENTRIES 64 +-struct gnutls_subject_alt_names_st { +- struct name_st *names; +- unsigned int size; +-}; + + /** + * gnutls_subject_alt_names_init: +@@ -389,24 +385,15 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t * ext, + } + + if (flags & GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND && +- (nc->permitted != NULL || nc->excluded != NULL)) { ++ !_gnutls_x509_name_constraints_is_empty(nc, 0)) { + ret = gnutls_x509_name_constraints_init (&nc2); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + +- ret = +- _gnutls_extract_name_constraints(c2, "permittedSubtrees", +- &nc2->permitted); +- if (ret < 0) { +- gnutls_assert(); +- goto 
cleanup; +- } +- +- ret = +- _gnutls_extract_name_constraints(c2, "excludedSubtrees", +- &nc2->excluded); ++ ret = _gnutls_x509_name_constraints_extract( ++ c2, "permittedSubtrees", "excludedSubtrees", nc2); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -418,20 +405,11 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t * ext, + goto cleanup; + } + } else { +- _gnutls_name_constraints_node_free(nc->permitted); +- _gnutls_name_constraints_node_free(nc->excluded); + +- ret = +- _gnutls_extract_name_constraints(c2, "permittedSubtrees", +- &nc->permitted); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } ++ _gnutls_x509_name_constraints_clear(nc); + +- ret = +- _gnutls_extract_name_constraints(c2, "excludedSubtrees", +- &nc->excluded); ++ ret = _gnutls_x509_name_constraints_extract( ++ c2, "permittedSubtrees", "excludedSubtrees", nc); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -467,9 +445,10 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + int ret, result; + uint8_t null = 0; + asn1_node c2 = NULL; +- struct name_constraints_node_st *tmp; ++ unsigned rtype; ++ gnutls_datum_t rname; + +- if (nc->permitted == NULL && nc->excluded == NULL) ++ if (_gnutls_x509_name_constraints_is_empty(nc, 0)) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + result = asn1_create_element +@@ -479,11 +458,20 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + return _gnutls_asn2err(result); + } + +- if (nc->permitted == NULL) { ++ ret = gnutls_x509_name_constraints_get_permitted(nc, 0, &rtype, &rname); ++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + (void)asn1_write_value(c2, "permittedSubtrees", NULL, 0); + } else { +- tmp = nc->permitted; +- do { ++ for (unsigned i = 0;; i++) { ++ ret = gnutls_x509_name_constraints_get_permitted( ++ nc, i, &rtype, &rname); ++ if (ret < 0) { ++ if (ret == ++ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ++ break; ++ 
gnutls_assert(); ++ goto cleanup; ++ } + result = + asn1_write_value(c2, "permittedSubtrees", "NEW", 1); + if (result != ASN1_SUCCESS) { +@@ -515,22 +503,30 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + ret = + _gnutls_write_general_name(c2, + "permittedSubtrees.?LAST.base", +- tmp->type, +- tmp->name.data, +- tmp->name.size); ++ rtype, ++ rname.data, ++ rname.size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } +- tmp = tmp->next; +- } while (tmp != NULL); ++ } + } + +- if (nc->excluded == NULL) { ++ ret = gnutls_x509_name_constraints_get_excluded(nc, 0, &rtype, &rname); ++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + (void)asn1_write_value(c2, "excludedSubtrees", NULL, 0); + } else { +- tmp = nc->excluded; +- do { ++ for (unsigned i = 0;; i++) { ++ ret = gnutls_x509_name_constraints_get_excluded( ++ nc, i, &rtype, &rname); ++ if (ret < 0) { ++ if (ret == ++ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ++ break; ++ gnutls_assert(); ++ goto cleanup; ++ } + result = + asn1_write_value(c2, "excludedSubtrees", "NEW", 1); + if (result != ASN1_SUCCESS) { +@@ -562,15 +558,14 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + ret = + _gnutls_write_general_name(c2, + "excludedSubtrees.?LAST.base", +- tmp->type, +- tmp->name.data, +- tmp->name.size); ++ rtype, ++ rname.data, ++ rname.size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } +- tmp = tmp->next; +- } while (tmp != NULL); ++ } + + } + +diff --git a/lib/x509/x509_ext_int.h b/lib/x509/x509_ext_int.h +index 2e3f162..97f0abd 100644 +--- a/lib/x509/x509_ext_int.h ++++ b/lib/x509/x509_ext_int.h +@@ -29,6 +29,11 @@ struct name_st { + gnutls_datum_t othername_oid; + }; + ++struct gnutls_subject_alt_names_st { ++ struct name_st *names; ++ unsigned int size; ++}; ++ + int _gnutls_alt_name_process(gnutls_datum_t *out, unsigned type, const gnutls_datum_t *san, unsigned raw); + + #endif /* GNUTLS_LIB_X509_X509_EXT_INT_H */ +diff --git 
a/lib/x509/x509_int.h b/lib/x509/x509_int.h +index acbc185..bf4363e 100644 +--- a/lib/x509/x509_int.h ++++ b/lib/x509/x509_int.h +@@ -529,20 +529,16 @@ _gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, + int crl_list_length, + gnutls_verify_output_function func); + +-typedef struct gnutls_name_constraints_st { +- struct name_constraints_node_st * permitted; +- struct name_constraints_node_st * excluded; +-} gnutls_name_constraints_st; +- +-typedef struct name_constraints_node_st { +- unsigned type; +- gnutls_datum_t name; +- struct name_constraints_node_st *next; +-} name_constraints_node_st; +- +-int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, +- name_constraints_node_st ** _nc); +-void _gnutls_name_constraints_node_free (name_constraints_node_st *node); ++ ++ ++bool _gnutls_x509_name_constraints_is_empty(gnutls_x509_name_constraints_t nc, ++ unsigned type); ++int _gnutls_x509_name_constraints_extract(asn1_node c2, ++ const char *permitted_name, ++ const char *excluded_name, ++ gnutls_x509_name_constraints_t nc); ++void _gnutls_x509_name_constraints_clear(gnutls_x509_name_constraints_t nc); ++ + int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc, + gnutls_x509_name_constraints_t nc2); + +-- +2.40.0 diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 9f502e3f7c..5cd85c5996 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb 
@@ -28,6 +28,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2024-0567.patch \ file://CVE-2024-28834.patch \ file://CVE-2024-28835.patch \ + file://CVE-2024-12243.patch \ " SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f" From patchwork Tue Feb 18 21:09:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 57551 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D416C021AA for ; Tue, 18 Feb 2025 21:10:28 +0000 (UTC) Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) by mx.groups.io with SMTP id smtpd.web10.7391.1739913020757798542 for ; Tue, 18 Feb 2025 13:10:20 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=tu/Xbb3h; spf=softfail (domain: sakoman.com, ip: 209.85.216.49, mailfrom: steve@sakoman.com) Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-2fc3027c7aeso8257946a91.0 for ; Tue, 18 Feb 2025 13:10:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1739913020; x=1740517820; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=CtkMgEv7s2oR+UK0fcBTJ1j7HtQfbZvbVlKrBXOpS94=; b=tu/Xbb3hayI9SX6UVfTekgeRVpJwILMCZdljnwVt8TVjIwsGHNVxnseyLNkxqyRKF1 jzf5suaSzhjftIfwBDOm5UwYMuAbKkbMoQuvkOgM3Z+zz+F/ygUB0qSM/0jfecIDpJQU /gX/VrJZohZ4r84HxuwjFBM4r8upTPm/36/Srs89PVeejOp9zZWzZOf/eQfhboCsk2BZ 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/12] ffmpeg: CVE-2025-0518 Date: Tue, 18 Feb 2025 13:09:59 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:10:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211645 From: Archana Polampalli Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C . This issue affects FFmpeg: 7.1. Issue was fixed: https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a This issue was discovered by: Simcha Kosman Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2025-0518.patch | 34 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch new file mode 100644 index 0000000000..d7623a5b9d --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch 
@@ -0,0 +1,34 @@ +From b5b6391d64807578ab872dc58fb8aa621dcfc38a Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Mon, 6 Jan 2025 22:01:39 +0100 +Subject: [PATCH 1/4] avfilter/af_pan: Fix sscanf() use + +Fixes: Memory Data Leak + +Found-by: Simcha Kosman +Signed-off-by: Michael Niedermayer + +CVE: CVE-2025-0518 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a] + +Signed-off-by: Archana Polampalli +--- + libavfilter/af_pan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c +index a8a1896..6f8d2a4 100644 +--- a/libavfilter/af_pan.c ++++ b/libavfilter/af_pan.c +@@ -178,7 +178,7 @@ static av_cold int init(AVFilterContext *ctx) + sign = 1; + while (1) { + gain = 1; +- if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) ++ if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1) + arg += len; + if (parse_channel_name(&arg, &in_ch_id, &named)){ + av_log(ctx, AV_LOG_ERROR, +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 9aecdf07e0..049d9fd9ec 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -43,6 +43,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-35366.patch \ file://CVE-2024-35367.patch \ file://CVE-2024-35368.patch \ + file://CVE-2025-0518.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
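Review bot: the commit message says the issue affects FFmpeg 7.1, but the recipe being patched is ffmpeg_5.0.1.bb; please state that 5.0.1 carries the same sscanf() test in init() of libavfilter/af_pan.c so the applicability of the backport is on record. It would also help to say why the one-line change matters: sscanf() returns EOF, which is non-zero, when the input ends before the first conversion, so the old truthiness test still executed arg += len although %n had not written len, and the >= 1 comparison closes that path. The fix URL appears twice in the message and one copy can be dropped.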
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 07/12] ffmpeg: fix CVE-2024-36613 Date: Tue, 18 Feb 2025 13:10:00 -0800 Message-ID: <35e7313d5da4cefa405b0b07c2ce4239aa92a69b.1739912869.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:10:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211646 From: Archana Polampalli FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potentially resulting in a denial-of-service (DoS) condition or other undefined behavior. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2024-36613.patch | 38 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch new file mode 100644 index 0000000000..300b8d1e49 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch 
@@ -0,0 +1,38 @@ +From 1f6fcc64179377114b4ecc3b9f63bd5774a64edf Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 30 Sep 2023 00:51:29 +0200 +Subject: [PATCH 2/4] avformat/dxa: Adjust order of operations around block + align + +Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 +Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer +(cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540) +Signed-off-by: Michael Niedermayer + +CVE: CVE-2024-36613 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/1f6fcc64179377114b4ecc3b9f63bd5774a64edf] + +Signed-off-by: Archana Polampalli +--- + libavformat/dxa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/dxa.c b/libavformat/dxa.c +index 16fbb08..53747c8 100644 +--- a/libavformat/dxa.c ++++ b/libavformat/dxa.c +@@ -120,7 +120,7 @@ static int dxa_read_header(AVFormatContext *s) + } + c->bpc = (fsize + c->frames - 1) / c->frames; + if(ast->codecpar->block_align) +- c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; ++ c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; + c->bytes_left = fsize; + c->wavpos = avio_tell(pb); + avio_seek(pb, c->vidpos, SEEK_SET); +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 049d9fd9ec..91259baa5e 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -44,6 +44,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-35367.patch \ file://CVE-2024-35368.patch \ file://CVE-2025-0518.patch \ + file://CVE-2024-36613.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
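Review bot: the reordering in dxa_read_header() only moves the overflow boundary by one. c->bpc - 1 + ast->codecpar->block_align is the same mathematical sum as before, and for the values in the Fixes: line (2147483566 and 82) it now lands exactly on INT_MAX, so any larger sum still overflows; the hunk shows no range check on either operand. Please confirm that c->bpc and block_align are bounded elsewhere in 5.0.1, or consider doing the rounding in int64_t with an explicit limit. The commit message names FFmpeg n6.1.1 while the recipe is 5.0.1, so a line confirming that 5.0.1 is affected would help.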
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/12] ffmpeg: fix CVE-2024-36616 Date: Tue, 18 Feb 2025 13:10:01 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:10:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211647 From: Archana Polampalli An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2024-36616.patch | 37 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch new file mode 100644 index 0000000000..5e2046dbac --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch 
@@ -0,0 +1,37 @@ +From a8beef67993aa267de87599007143d9f0ba67c23 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Tue, 26 Mar 2024 01:00:13 +0100 +Subject: [PATCH 3/4] avformat/westwood_vqa: Fix 2g packets + +Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int' +Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968 + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer +(cherry picked from commit 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661) +Signed-off-by: Michael Niedermayer + +CVE: CVE-2024-36616 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/a8beef67993aa267de87599007143d9f0ba67c23] + +Signed-off-by: Archana Polampalli +--- + libavformat/westwood_vqa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c +index 9d11606..9499569 100644 +--- a/libavformat/westwood_vqa.c ++++ b/libavformat/westwood_vqa.c +@@ -259,7 +259,7 @@ static int wsvqa_read_packet(AVFormatContext *s, + break; + case SND2_TAG: + /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ +- pkt->duration = (chunk_size * 2) / wsvqa->channels; ++ pkt->duration = (chunk_size * 2LL) / wsvqa->channels; + break; + } + break; +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 91259baa5e..fc92bb2ec0 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -45,6 +45,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-35368.patch \ file://CVE-2025-0518.patch \ file://CVE-2024-36613.patch \ + file://CVE-2024-36616.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
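Review bot: in the SND2_TAG case of wsvqa_read_packet() the product is now computed in 64 bits, but the same expression still divides by wsvqa->channels and nothing in the hunk shows that value being checked for zero; please confirm it is validated when the header is parsed. The Upstream-Status line points at commit a8beef67993aa267de87599007143d9f0ba67c23, which the patch header marks as a cherry-pick of 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661, so naming the branch the backport was taken from would make the provenance easier to follow.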
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/12] ffmpeg: fix CVE-2024-36617 Date: Tue, 18 Feb 2025 13:10:02 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:10:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211648 From: Archana Polampalli FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2024-36617.patch | 38 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch new file mode 100644 index 0000000000..8b4928d1ca --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch 
@@ -0,0 +1,38 @@ +From f0e780370cc1c437d64f10d326b1d656ef490b5f Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 30 Sep 2023 00:38:17 +0200 +Subject: [PATCH 4/4] avformat/cafdec: dont seek beyond 64bit + +Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long' +Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 +Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer +(cherry picked from commit d973fcbcc2f944752ff10e6a76b0b2d9329937a7) +Signed-off-by: Michael Niedermayer + +CVE: CVE-2024-36617 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/f0e780370cc1c437d64f10d326b1d656ef490b5f] + +Signed-off-by: Archana Polampalli +--- + libavformat/cafdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c +index d5668bf..aa56a5e 100644 +--- a/libavformat/cafdec.c ++++ b/libavformat/cafdec.c +@@ -220,7 +220,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) + } + } + +- if (avio_tell(pb) - ccount > size) { ++ if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { + av_log(s, AV_LOG_ERROR, "error reading packet table\n"); + return AVERROR_INVALIDDATA; + } +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index fc92bb2ec0..b5b11496f4 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -46,6 +46,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2025-0518.patch \ file://CVE-2024-36613.patch \ file://CVE-2024-36616.patch \ + file://CVE-2024-36617.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
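Review bot: the added size > INT64_MAX - ccount test in read_pakt_chunk() is only safe when ccount is non-negative, because a negative ccount makes INT64_MAX - ccount overflow in its own right; the hunk does not show where ccount is assigned, so please confirm it cannot be negative at this point. The new condition also reuses the "error reading packet table" message, so a log line cannot distinguish a short table from an oversized size field, and a separate message would help triage. The commit message is a single sentence and says nothing about impact or about 5.0.1 being affected.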
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 10/12] scripts/install-buildtools: Update to 4.0.24 Date: Tue, 18 Feb 2025 13:10:03 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 18 Feb 2025 21:10:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211649 From: Aleksandar Nikolic Update to the 4.0.24 release of the 4.0 series for buildtools. Signed-off-by: Aleksandar Nikolic Signed-off-by: Steve Sakoman --- scripts/install-buildtools | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install-buildtools b/scripts/install-buildtools index 01253e5f95..56b22e4270 100755 --- a/scripts/install-buildtools +++ b/scripts/install-buildtools 
@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout) DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools') DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto' -DEFAULT_RELEASE = 'yocto-4.0.23' -DEFAULT_INSTALLER_VERSION = '4.0.23' +DEFAULT_RELEASE = 'yocto-4.0.24' +DEFAULT_INSTALLER_VERSION = '4.0.24' DEFAULT_BUILDDATE = '202110XX' # Python version sanity check
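Review bot: DEFAULT_BUILDDATE stays at '202110XX' in the context line directly below the two bumped values; if installer file names or URLs for this release are built from it, please confirm the placeholder is still correct for 4.0.24, or note in the commit message that it is not used for release downloads.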
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 11/12] scritps/runqemu: Ensure we only have two serial ports
Date: Tue, 18 Feb 2025 13:10:04 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211650

From: Richard Purdie

I have a theory that some of the console boot issues we're seeing are due to starting images with three serial ports yet only starting gettys on two of them. This means that occasionally, depending on the port numbering we may not get a login prompt on the console we expect it on.

To fix this, change the runqemu code so that if serial ports are passed in on the commandline (as is the case in automated testing), we don't add any other GUI serial consoles.

We do need to make sure we do have at least two serial ports since we don't want getty timeout warnings.

Signed-off-by: Richard Purdie
(cherry picked from commit 1b0348535dce3b776efbcf26406b94730a51eb85)
Signed-off-by: Ming Liu
Signed-off-by: Steve Sakoman
---
 scripts/runqemu | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/scripts/runqemu b/scripts/runqemu index 8a417a7c24..9f7827565e 100755 --- a/scripts/runqemu +++ b/scripts/runqemu
@@ -1408,6 +1408,19 @@ to your build configuration. for entry in self.get('SERIAL_CONSOLES').split(' '): self.kernel_cmdline_script += ' console=%s' %entry.split(';')[1] + # We always wants ttyS0 and ttyS1 in qemu machines (see SERIAL_CONSOLES). + # If no serial or serialtcp options were specified, only ttyS0 is created + # and sysvinit shows an error trying to enable ttyS1: + # INIT: Id "S1" respawning too fast: disabled for 5 minutes + serial_num = len(re.findall("-serial", self.qemu_opt)) + + # Assume if the user passed serial options, they know what they want + # and pad to two devices + if serial_num == 1: + self.qemu_opt += " -serial null" + elif serial_num >= 2: + return + if self.serialstdio == True or self.nographic == True: self.qemu_opt += " -serial mon:stdio" else: 
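Review bot: the `if serial_num == 1:` branch pads with `-serial null` but does not return, so execution falls through to the `if self.serialstdio == True or self.nographic == True:` block, where at least the `-serial mon:stdio` path appends another port; a command line that supplied one serial option then ends up with three, which is the situation the commit message sets out to avoid. Returning after the pad, so that any `serial_num >= 1` leaves this code with exactly the padded set, would keep the count at two. Separately, `re.findall("-serial", self.qemu_opt)` counts substrings rather than options, so any option text that merely contains `-serial` is counted as a port and can now trigger the early `return`; matching whitespace-delimited tokens would make the count reliable.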
@@ -1419,10 +1432,6 @@ to your build configuration. self.qemu_opt += " %s" % self.get("QB_SERIAL_OPT") - # We always wants ttyS0 and ttyS1 in qemu machines (see SERIAL_CONSOLES). - # If no serial or serialtcp options were specified, only ttyS0 is created - # and sysvinit shows an error trying to enable ttyS1: - # INIT: Id "S1" respawning too fast: disabled for 5 minutes serial_num = len(re.findall("-serial", self.qemu_opt)) if serial_num < 2: self.qemu_opt += " -serial null"
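Review bot: with the explanatory comment moved up, the remaining `serial_num = len(re.findall("-serial", self.qemu_opt))` and `if serial_num < 2:` pad at the end of this hunk is left unexplained and repeats the count taken earlier in the function. Given the new early block, this pad only fires when no serial option was passed in and a single console was added above, so a one-line comment saying that, or a small helper shared by both counts, would make the two checks easier to keep consistent.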
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 12/12] procps: replaced one use of fputs(3) with a write(2) call
Date: Tue, 18 Feb 2025 13:10:05 -0800
Message-ID: <824dc4695add682052106401c912772469fa8169.1739912869.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211651

From: Mingli Yu

This patch is ported from a merge request shown below, and the following represents the original commit text.

------------------------------------------------------
top: In the bye_bye function, replace fputs with the write interface.

When top calls malloc, if a signal is received, it will call sig_endpgm to process the signal. In the bye_bye function, if the -b option is enabled, the Batch variable is set, the fputs function will call malloc at the same time. The malloc function is not reentrant, so it will cause the program to crash.

Signed-off-by: Shaohua Zhan
------------------------------------------------------

Reference(s):
https://gitlab.com/procps-ng/procps/-/merge_requests/127

Signed-off-by: Mingli Yu
Signed-off-by: Steve Sakoman
---
 ...x-for-the-bye_bye-function-merge-127.patch | 58 +++++++++++++++++++
 ...e-use-of-fputs-3-with-a-write-2-call.patch | 50 ++++++++++++++++
 meta/recipes-extended/procps/procps_3.3.17.bb |  2 +
 3 files changed, 110 insertions(+)
 create mode 100644 meta/recipes-extended/procps/procps/0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch
 create mode 100644 meta/recipes-extended/procps/procps/0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch
diff --git a/meta/recipes-extended/procps/procps/0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch b/meta/recipes-extended/procps/procps/0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch new file mode 100644 index 0000000000..bbc137a3d8 --- /dev/null +++ b/meta/recipes-extended/procps/procps/0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch 
@@ -0,0 +1,58 @@ +From 37f106029975e3045b0cd779525d14c55d24b74e Mon Sep 17 00:00:00 2001 +From: Jim Warner +Date: Mon, 21 Jun 2021 00:00:00 -0500 +Subject: [PATCH] top: fix a fix for the 'bye_bye' function (merge #127) + +In the merge request shown below, 1 too many bytes are +written to stdout thus including the terminating null. +As the cure, this commit just reduces the length by 1. + +[ along the way, we will remove some unneeded braces ] +[ plus add some additional comments with attribution ] + +Reference(s): +https://gitlab.com/procps-ng/procps/-/merge_requests/127 +. original merged change +commit 0bf15c004db6a3342703a3c420a5692e376c457d + +Signed-off-by: Jim Warner + +Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/37f106029975e3045b0cd779525d14c55d24b74e] + +Signed-off-by: Mingli Yu +--- + top/top.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/top/top.c b/top/top.c +index 4d9860d5..0d21a1a5 100644 +--- a/top/top.c ++++ b/top/top.c +@@ -569,13 +569,21 @@ static void bye_bye (const char *str) { + #endif // end: OFF_HST_HASH + + numa_uninit(); ++ ++ /* we'll only have a 'str' if called by error_exit() | ++ or that xalloc_our_handler() function. if we were | ++ called from a sig_endpgm(), that parm is NULL ... | */ + if (str) { + fputs(str, stderr); + exit(EXIT_FAILURE); + } +- if (Batch) { +- write(fileno(stdout), "\n", sizeof("\n")); +- } ++ /* this could happen when called from several places | ++ including that sig_endpgm(). thus we must use an | ++ async-signal-safe write function just in case ... | ++ (thanks: Shaohua Zhan shaohua.zhan@windriver.com) | */ ++ if (Batch) ++ write(fileno(stdout), "\n", sizeof("\n") - 1); ++ + exit(EXIT_SUCCESS); + } // end: bye_bye + +-- +2.34.1 + 
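Review bot: the comment added ahead of `if (Batch)` justifies `write()` as async-signal-safe for the `sig_endpgm()` path, but the next statement on that same path is `exit(EXIT_SUCCESS)`, and exit(3) is not async-signal-safe either, since it runs atexit handlers and flushes stdio. The backport's commit text should say that this narrows the crash window rather than making the signal path fully safe; `_exit()` is the async-signal-safe call. The return value of `write()` is also ignored, which may draw an unused-result warning on fortified builds.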
diff --git a/meta/recipes-extended/procps/procps/0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch b/meta/recipes-extended/procps/procps/0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch new file mode 100644 index 0000000000..4da13df047 --- /dev/null +++ b/meta/recipes-extended/procps/procps/0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch @@ -0,0 +1,50 @@ +From 6b8980a3b6279058d727377e914cfb6439d6f178 Mon Sep 17 00:00:00 2001 +From: Shaohua Zhan +Date: Mon, 22 Mar 2021 00:00:00 +0800 +Subject: [PATCH] top: replaced one use of fputs(3) with a write(2) call + +This patch is ported from a merge request shown below, +and the following represents the original commit text. + +------------------------------------------------------ +top: In the bye_bye function, replace fputs with the write interface. + +When top calls malloc, if a signal is received, it will +call sig_endpgm to process the signal. In the bye_bye function, if the +-b option is enable, the Batch variable is set, the fputs function +will calls malloc at the same time. The malloc function is not reentrant, so +it will cause the program to crash. + +Signed-off-by: Shaohua Zhan +------------------------------------------------------ + +Reference(s): +https://gitlab.com/procps-ng/procps/-/merge_requests/127 + +Signed-off-by: Jim Warner + +Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/6b8980a3b6279058d727377e914cfb6439d6f178] + +Signed-off-by: Mingli Yu +--- + top/top.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/top/top.c b/top/top.c +index f4f82be4..951c240c 100644 +--- a/top/top.c ++++ b/top/top.c +@@ -417,7 +417,9 @@ static void bye_bye (const char *str) { + fputs(str, stderr); + exit(EXIT_FAILURE); + } +- if (Batch) fputs("\n", stdout); ++ if (Batch) { ++ write(fileno(stdout), "\n", sizeof("\n")); ++ } + exit(EXIT_SUCCESS); + } // end: bye_bye + +-- +2.34.1 + 
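Review bot: `sizeof("\n")` in the added `write(fileno(stdout), "\n", sizeof("\n"));` is 2, so on a batch-mode exit this writes the newline followed by a NUL byte to stdout. The companion fix-a-fix patch in this series corrects the length to `sizeof("\n") - 1`, so this file must never be applied without it; squashing the two backports into one patch, or stating the dependency in this patch's header, would keep a partial cherry-pick from shipping the stray NUL.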
diff --git a/meta/recipes-extended/procps/procps_3.3.17.bb b/meta/recipes-extended/procps/procps_3.3.17.bb index bbec5a543c..131063efb9 100644 --- a/meta/recipes-extended/procps/procps_3.3.17.bb +++ b/meta/recipes-extended/procps/procps_3.3.17.bb @@ -18,6 +18,8 @@ SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \ file://0002-proc-escape.c-add-missing-include.patch \ file://CVE-2023-4016.patch \ file://CVE-2023-4016-2.patch \ + file://0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch \ + file://0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch \ " SRCREV = "19a508ea121c0c4ac6d0224575a036de745eaaf8"
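Review bot: both new SRC_URI entries are named `0001-...`, so the required order (the write(2) change first, then the fix that touches the same lines) is carried only by their position in this list. Renumbering the second file to `0002-` would make the dependency visible in the file names and protect it if the list is later re-sorted.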