From patchwork Tue Oct 21 14:53:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 72760
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 1/4] wavpack: patch CVE-2016-10169 Date: Tue, 21 Oct 2025 16:53:45 +0200 Message-ID: <20251021145349.33878-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 21 Oct 2025 14:53:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120835 Details: https://nvd.nist.gov/vuln/detail/CVE-2016-10169 Backport the relevant part of the linked patch. (The full patch contains fixes for other vulnerabilities also, which were introduced after v4.60) Signed-off-by: Gyorgy Sarvari --- .../wavpack/wavpack/CVE-2016-10169.patch | 27 +++++++++++++++++++ .../wavpack/wavpack_4.60.1.bb | 4 ++- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-multimedia/wavpack/wavpack/CVE-2016-10169.patch diff --git a/meta-oe/recipes-multimedia/wavpack/wavpack/CVE-2016-10169.patch b/meta-oe/recipes-multimedia/wavpack/wavpack/CVE-2016-10169.patch new file mode 100644 index 0000000000..22dbc2648c --- /dev/null +++ b/meta-oe/recipes-multimedia/wavpack/wavpack/CVE-2016-10169.patch 
@@ -0,0 +1,27 @@ +From 847968ff66f0d743ed2cf3d5f1f7d8d8dafcf42d Mon Sep 17 00:00:00 2001 +From: David Bryant +Date: Wed, 21 Dec 2016 22:18:36 -0800 +Subject: [PATCH] CVE-2016-10169 + +CVE: CVE-2016-10169 +Upstream-Status: Backport [https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc] +Signed-off-by: Gyorgy Sarvari +--- + src/words.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/words.c b/src/words.c +index c87b8d2..272760a 100644 +--- a/src/words.c ++++ b/src/words.c +@@ -1117,6 +1117,10 @@ int32_t FASTCALL get_word (WavpackStream *wps, int chan, int32_t *correction) + + low &= 0x7fffffff; + high &= 0x7fffffff; ++ ++ if (low > high) // make sure high and low make sense ++ high = low; ++ + mid = (high + low + 1) >> 1; + + if (!c->error_limit) diff --git a/meta-oe/recipes-multimedia/wavpack/wavpack_4.60.1.bb b/meta-oe/recipes-multimedia/wavpack/wavpack_4.60.1.bb index 021496bd43..8dbeb9883c 100644 --- a/meta-oe/recipes-multimedia/wavpack/wavpack_4.60.1.bb +++ b/meta-oe/recipes-multimedia/wavpack/wavpack_4.60.1.bb 
@@ -2,7 +2,9 @@ DESCRIPTION = "WavPack is a completely open audio compression format providing l LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://license.txt;md5=f596650807588c61fcab60bec8242df8" -SRC_URI = "http://wavpack.com/wavpack-${PV}.tar.bz2" +SRC_URI = "http://wavpack.com/wavpack-${PV}.tar.bz2 \ + file://CVE-2016-10169.patch \ + " SRC_URI[md5sum] = "7bb1528f910e4d0003426c02db856063" SRC_URI[sha256sum] = "175ee4f2effd6f51e6ec487956f41177256bf892c2e8e07de5d27ed4ee6888c5"
From patchwork Tue Oct 21 14:53:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 72759
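Review bot: The header of wavpack/CVE-2016-10169.patch (PATCH 1/4) does not record that this is a partial backport: its Upstream-Status line points at the full upstream commit, while only the low/high check in get_word() in src/words.c is carried. The cover text says so, but the patch file is what later maintainers will read, so add a line under Upstream-Status stating that only this hunk was taken and that the remaining fixes in the upstream commit are for vulnerabilities introduced after v4.60.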
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 2/4] dash: set CVE_PRODUCT Date: Tue, 21 Oct 2025 16:53:46 +0200 Message-ID: <20251021145349.33878-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.1 In-Reply-To: <20251021145349.33878-1-skandigraun@gmail.com> References: <20251021145349.33878-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 21 Oct 2025 14:53:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120836 From: Peter Marko This removes false positive CVE-2024-21485 from cve reports. $ sqlite3 nvdcve_2-2.db sqlite> select * from products where product = 'dash'; CVE-2009-0854|dash|dash|0.5.4|=|| CVE-2024-21485|plotly|dash|||2.13.0|< CVE-2024-21485|plotly|dash|2.14.0|>=|2.15.0|< Our dash:dash did not reach major version 1 yet. Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit e1427013e01df44b9275908f7605e8e25fc3fd83) Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-shells/dash/dash_0.5.11.5.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-shells/dash/dash_0.5.11.5.bb b/meta-oe/recipes-shells/dash/dash_0.5.11.5.bb index 3674052311..904d8a74cc 100644 --- a/meta-oe/recipes-shells/dash/dash_0.5.11.5.bb +++ b/meta-oe/recipes-shells/dash/dash_0.5.11.5.bb 
@@ -10,6 +10,8 @@ inherit autotools update-alternatives SRC_URI = "http://gondor.apana.org.au/~herbert/${BPN}/files/${BP}.tar.gz" SRC_URI[sha256sum] = "db778110891f7937985f29bf23410fe1c5d669502760f584e54e0e7b29e123bd" +CVE_PRODUCT = "dash:dash" + EXTRA_OECONF += "--bindir=${base_bindir}" ALTERNATIVE:${PN} = "sh"
From patchwork Tue Oct 21 14:53:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 72761
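Review bot: The new CVE_PRODUCT = "dash:dash" line in dash_0.5.11.5.bb (PATCH 2/4) has no comment saying why it is needed; the reason, that the bare product name dash also matches plotly:dash and produced the CVE-2024-21485 false positive, is only in the commit message. A one-line comment above the assignment naming plotly:dash would keep the line from being dropped as redundant in a later recipe upgrade.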
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][kirkstone][PATCH 3/4] netkit-telnet: patch CVE-2022-39028 Date: Tue, 21 Oct 2025 16:53:47 +0200 Message-ID: <20251021145349.33878-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.1 In-Reply-To: <20251021145349.33878-1-skandigraun@gmail.com> References: <20251021145349.33878-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 21 Oct 2025 14:53:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120837 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-39028 Pick the patch mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari --- .../netkit-telnet/files/CVE-2022-39028.patch | 72 +++++++++++++++++++ .../netkit-telnet/netkit-telnet_0.17.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch new file mode 100644 index 0000000000..7ce4766426 --- /dev/null +++ b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2022-39028.patch 
@@ -0,0 +1,72 @@ +From 1949388e52acd343bb3e366d816b33912e38db39 Mon Sep 17 00:00:00 2001 +From: Guillem Jover +Date: Sun, 28 Aug 2022 15:07:29 +0200 +Subject: [PATCH] Fix remote DoS vulnerability in inetutils-telnetd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is caused by a crash by a NULL pointer dereference when sending +the byte sequences «0xff 0xf7» or «0xff 0xf8». + +Found-by: Pierre Kim and Alexandre Torres +Patch-adapted-by: Erik Auerswald + +CVE: CVE-2022-39028 +Upstream-Status: Backport [https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=113da8021710d871c7dd72d2a4d5615d42d64289] + +Signed-off-by: Gyorgy Sarvari +--- + .../inetutils-telnetd-EC_EL_null_deref.patch | 43 +++++++++++++++++++ + 1 file changed, 43 insertions(+) + create mode 100644 debian/patches/inetutils-telnetd-EC_EL_null_deref.patch + +diff --git a/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch b/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch +new file mode 100644 +index 0000000..fac5e3f +--- /dev/null ++++ b/debian/patches/inetutils-telnetd-EC_EL_null_deref.patch +@@ -0,0 +1,43 @@ ++Description: Fix remote DoS vulnerability in inetutils-telnetd ++ This is caused by a crash by a NULL pointer dereference when sending the ++ byte sequences «0xff 0xf7» or «0xff 0xf8». 
++Authors: ++ Pierre Kim (original patch), ++ Alexandre Torres (original patch), ++ Erik Auerswald (adapted patch), ++Reviewed-by: Erik Auerswald ++Origin: upstream ++Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html ++Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html ++Last-Update: 2022-08-28 ++ ++ ++diff --git a/telnetd/state.c b/telnetd/state.c ++index ffc6cbaf..c2d760f8 100644 ++--- a/telnetd/state.c +++++ b/telnetd/state.c ++@@ -312,15 +312,21 @@ telrcv (void) ++ case EC: ++ case EL: ++ { ++- cc_t ch; +++ cc_t ch = (cc_t) (_POSIX_VDISABLE); ++ ++ DEBUG (debug_options, 1, printoption ("td: recv IAC", c)); ++ ptyflush (); /* half-hearted */ ++ init_termbuf (); ++ if (c == EC) ++- ch = *slctab[SLC_EC].sptr; +++ { +++ if (slctab[SLC_EC].sptr) +++ ch = *slctab[SLC_EC].sptr; +++ } ++ else ++- ch = *slctab[SLC_EL].sptr; +++ { +++ if (slctab[SLC_EL].sptr) +++ ch = *slctab[SLC_EL].sptr; +++ } ++ if (ch != (cc_t) (_POSIX_VDISABLE)) ++ pty_output_byte ((unsigned char) ch); ++ break; diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb index 56860ea098..6cfc886350 100644 --- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb +++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb 
@@ -14,6 +14,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/netkit-telnet_${PV}.orig.tar.gz file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \ file://CVE-2020-10188.patch \ file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \ + file://CVE-2022-39028.patch \ " UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"
From patchwork Tue Oct 21 14:53:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 72762
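Review bot: files/CVE-2022-39028.patch (PATCH 3/4) does not modify telnetd/state.c. Its only outer diff creates a new file, debian/patches/inetutils-telnetd-EC_EL_null_deref.patch, and the NULL checks on slctab[SLC_EC].sptr and slctab[SLC_EL].sptr appear only as "++" lines, that is, as the contents of that new file. Applied through SRC_URI this adds a stray file under debian/patches/ in the source tree and leaves telrcv() unchanged, while the CVE: tag marks CVE-2022-39028 as patched. Extract the inner diff, make it apply to the netkit-telnet 0.17 source, and confirm after do_patch that state.c actually carries the checks.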
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 4/4] renderdoc: patch CVE-2023-33863, CVE-2023-33864 and CVE-2023-33865 Date: Tue, 21 Oct 2025 16:53:48 +0200 Message-ID: <20251021145349.33878-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.1 In-Reply-To: <20251021145349.33878-1-skandigraun@gmail.com> References: <20251021145349.33878-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 21 Oct 2025 14:54:05 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120838 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-33863 https://nvd.nist.gov/vuln/detail/CVE-2023-33864 https://nvd.nist.gov/vuln/detail/CVE-2023-33865 Take the patches mentioned from the original researcher's report[1] [1]: https://www.qualys.com/2023/06/06/renderdoc/renderdoc.txt (summary section) Signed-off-by: Gyorgy Sarvari --- .../CVE-2023-33863-33864-33865-1.patch | 71 ++++++++ .../CVE-2023-33863-33864-33865-2.patch | 72 ++++++++ .../CVE-2023-33863-33864-33865-3.patch | 160 ++++++++++++++++++ .../CVE-2023-33863-33864-33865-4.patch | 28 +++ .../CVE-2023-33863-33864-33865-5.patch | 40 +++++ .../renderdoc/renderdoc_1.13.bb | 12 +- 6 files changed, 379 insertions(+), 4 deletions(-) create mode 100644 meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-1.patch create mode 100644 meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-2.patch create mode 100644 meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-3.patch create mode 100644 meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-4.patch create mode 100644 meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-5.patch 
diff --git a/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-1.patch b/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-1.patch new file mode 100644 index 0000000000..8d0eaf49eb --- /dev/null +++ b/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-1.patch 
@@ -0,0 +1,71 @@ +From d55a6f1f849e38d2ca41c6d6683b773981f7e6c0 Mon Sep 17 00:00:00 2001 +From: baldurk +Date: Fri, 19 May 2023 09:57:03 +0100 +Subject: [PATCH] Verify array sizes when serialising for strings + +* We also limit the array size to 1GB for 32-bit. The 4GB/1GB limit is far + larger than reasonable for strings but can be handled the same way regardless. + +CVE: CVE-2023-33863 CVE-2023-33864 CVE-2023-33865 +Upstream-Status: Backport [https://github.com/baldurk/renderdoc/commit/601ed56111ce3803d8476d438ade1c92d6092856] + +Signed-off-by: Gyorgy Sarvari +--- + renderdoc/serialise/serialiser.h | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/renderdoc/serialise/serialiser.h b/renderdoc/serialise/serialiser.h +index 9393876ba..de42e54b4 100644 +--- a/renderdoc/serialise/serialiser.h ++++ b/renderdoc/serialise/serialiser.h +@@ -721,7 +721,7 @@ public: + arr.ReserveChildren((size_t)size); + + if(IsReading()) +- el.resize((int)size); ++ el.resize((size_t)size); + + if(m_LazyThreshold > 0 && size > m_LazyThreshold) + { +@@ -756,7 +756,7 @@ public: + else + { + if(IsReading()) +- el.resize((int)size); ++ el.resize((size_t)size); + + for(size_t i = 0; i < (size_t)size; i++) + SerialiseDispatch::Do(*this, el[i]); +@@ -1271,7 +1271,8 @@ public: + if(IsReading()) + { + m_Read->Read(len); +- el.resize((int)len); ++ VerifyArraySize(len); ++ el.resize((size_t)len); + if(len > 0) + m_Read->Read(&el[0], len); + } +@@ -1386,13 +1387,20 @@ private: + } + }; + +- void VerifyArraySize(uint64_t &count) ++ template ++ void VerifyArraySize(intSize &count) + { + uint64_t size = m_Read->GetSize(); + +- // for streaming, just take 4GB as a 'semi reasonable' upper limit for array sizes ++// for streaming, just take 4GB as a 'semi reasonable' upper limit for array sizes ++// use 1GB on 32-bit to avoid overflows ++#if ENABLED(RDOC_X64) + if(m_DataStreaming) + size = 0xFFFFFFFFU; ++#else ++ if(m_DataStreaming) ++ size = 0x3FFFFFFFU; ++#endif + + 
if(count > size) + { diff --git a/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-2.patch b/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-2.patch new file mode 100644 index 0000000000..528c2e3b99 --- /dev/null +++ b/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-2.patch 
@@ -0,0 +1,72 @@ +From f451eb1d46c9cf71376e41ac95ed236d58eba817 Mon Sep 17 00:00:00 2001 +From: baldurk +Date: Fri, 19 May 2023 09:58:49 +0100 +Subject: [PATCH] Don't call ReadLargeBuffer for socket reads + +* In ReadLargeBuffer we read directly into an external buffer with ReadExternal, + but for sockets when reading externally we want to read ahead of the current + spot (non-blocking) as much as possible to batch small reads together. Rather + than making ReadExternal handle or detect reads to external buffers, we + instead avoid ReadLargeBuffer as it is an optimisation for direct I/O to avoid + unnecessary memcpy's and is not relevant for sockets. + +CVE: CVE-2023-33836 CVE-2023-33864 CVE-2023-33865 +Upstream-Status: Backport [https://github.com/baldurk/renderdoc/commit/e0464fea4f9a7f149c4ee1d84e5ac57839a4a862] + +Signed-off-by: Gyorgy Sarvari +--- + renderdoc/serialise/streamio.cpp | 11 ++++++++++- + renderdoc/serialise/streamio.h | 4 +++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/renderdoc/serialise/streamio.cpp b/renderdoc/serialise/streamio.cpp +index d8863b537..24294f62b 100644 +--- a/renderdoc/serialise/streamio.cpp ++++ b/renderdoc/serialise/streamio.cpp +@@ -267,7 +267,7 @@ bool StreamReader::Reserve(uint64_t numBytes) + + bool StreamReader::ReadLargeBuffer(void *buffer, uint64_t length) + { +- RDCASSERT(m_Sock || m_File || m_Decompressor); ++ RDCASSERT(m_File || m_Decompressor); + + byte *dest = (byte *)buffer; + +@@ -384,6 +384,9 @@ bool StreamReader::ReadFromExternal(void *buffer, uint64_t length) + // first get the required data blocking (this will sleep the thread until it comes in). 
+ byte *readDest = (byte *)buffer; + ++ // we expect to be reading into our window buffer ++ RDCASSERT(readDest >= m_BufferBase && readDest <= m_BufferBase + m_BufferSize); ++ + success = m_Sock->RecvDataBlocking(readDest, (uint32_t)length); + + if(success) +@@ -393,6 +396,12 @@ bool StreamReader::ReadFromExternal(void *buffer, uint64_t length) + + uint32_t bufSize = uint32_t(m_BufferSize - m_InputSize); + ++ if(m_InputSize > m_BufferSize) ++ { ++ bufSize = 0; ++ RDCERR("Invalid read in ReadFromExternal!"); ++ } ++ + // now read more, as much as possible, to try and batch future reads + success = m_Sock->RecvDataNonBlocking(readDest, bufSize); + +diff --git a/renderdoc/serialise/streamio.h b/renderdoc/serialise/streamio.h +index a069f6321..2bf719b7b 100644 +--- a/renderdoc/serialise/streamio.h ++++ b/renderdoc/serialise/streamio.h +@@ -170,7 +170,9 @@ public: + // and larger by just skating over the limit each time, but that's fine because the main + // case we want to catch is a window that's only a few MB and then suddenly we read 100s of + // MB. +- if(numBytes >= 10 * 1024 * 1024 && Available() + 128 < numBytes) ++ // We don't do this on sockets since we want to opportunistically read more into the window ++ // to batch lots of small reads together. ++ if(m_Sock == NULL && numBytes >= 10 * 1024 * 1024 && Available() + 128 < numBytes) + { + success = ReadLargeBuffer(data, numBytes); + alreadyread = true; diff --git a/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-3.patch b/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-3.patch new file mode 100644 index 0000000000..77f0086f07 --- /dev/null +++ b/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-3.patch 
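Review bot: The CVE: line in CVE-2023-33863-33864-33865-2.patch reads CVE-2023-33836, where the file name, the mail subject and the CVE: line of the -1 patch all use CVE-2023-33863; two digits are transposed. Correct the tag so the patch metadata does not claim a fix for an unrelated identifier. The same transposed value is in the CVE: line of the -3 patch that follows.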
@@ -0,0 +1,160 @@ +From 79ecca7aeb1766f26b25e6c4f45fc0057197c8ab Mon Sep 17 00:00:00 2001 +From: baldurk +Date: Fri, 19 May 2023 10:28:58 +0100 +Subject: [PATCH] Sanitise strings printed when received from target + control/remote server + +* Given socket corruption or network errors these strings could contain + unprintable characters so we sanitise them reasonably. This also ameliorates a + potential security concern with arbitrary strings being written to a log, but + these connections are still considered trusted and users should not be + exposing RenderDoc ports to the internet. + +CVE: CVE-2023-33836 CVE-2023-33864 CVE-2023-33865 +Upstream-Status: Backport [https://github.com/baldurk/renderdoc/commit/1f72a09e3b4fd8ba45be4b0db4889444ef5179e2] + +Signed-off-by: Gyorgy Sarvari +--- + renderdoc/common/common.cpp | 11 +++++++++++ + renderdoc/core/remote_server.cpp | 2 +- + renderdoc/core/target_control.cpp | 25 ++++++++++++++----------- + renderdoc/strings/string_utils.cpp | 12 ++++++++++++ + renderdoc/strings/string_utils.h | 5 +++++ + 5 files changed, 43 insertions(+), 12 deletions(-) + +diff --git a/renderdoc/common/common.cpp b/renderdoc/common/common.cpp +index 120e6edd2..efe6254bd 100644 +--- a/renderdoc/common/common.cpp ++++ b/renderdoc/common/common.cpp +@@ -448,6 +448,17 @@ void rdclog_direct(time_t utcTime, uint32_t pid, LogType type, const char *proje + va_end(args2); + } + ++ // normalise newlines ++ { ++ char *nl = base; ++ while(*nl) ++ { ++ if(*nl == '\r') ++ *nl = '\n'; ++ nl++; ++ } ++ } ++ + // likely path - string contains no newlines + char *nl = strchr(base, '\n'); + if(nl == NULL) +diff --git a/renderdoc/core/remote_server.cpp b/renderdoc/core/remote_server.cpp +index 525a4c4e7..085f4f733 100644 +--- a/renderdoc/core/remote_server.cpp ++++ b/renderdoc/core/remote_server.cpp +@@ -439,7 +439,7 @@ static void ActiveRemoteClientThread(ClientThread *threadData, + + reader.EndChunk(); + +- RDCLOG("Taking ownership of '%s'.", path.c_str()); ++ 
RDCLOG("Taking ownership of capture."); + + tempFiles.push_back(path); + } +diff --git a/renderdoc/core/target_control.cpp b/renderdoc/core/target_control.cpp +index 121e3ad18..198955f80 100644 +--- a/renderdoc/core/target_control.cpp ++++ b/renderdoc/core/target_control.cpp +@@ -31,6 +31,7 @@ + #include "os/os_specific.h" + #include "replay/replay_driver.h" + #include "serialise/serialiser.h" ++#include "strings/string_utils.h" + + static const uint32_t TargetControlProtocolVersion = 6; + +@@ -443,6 +444,8 @@ void RenderDoc::TargetControlServerThread(Network::Socket *sock) + + ser.EndChunk(); + ++ strip_nonbasic(newClient); ++ + if(newClient.empty() || !IsProtocolVersionSupported(version)) + { + RDCLOG("Invalid/Unsupported handshake '%s' / %d", newClient.c_str(), version); +@@ -564,12 +567,23 @@ public: + + m_Version = 0; + ++ if(type == ePacket_Handshake) + { + READ_DATA_SCOPE(); + SERIALISE_ELEMENT(m_Version); + SERIALISE_ELEMENT(m_Target); + SERIALISE_ELEMENT(m_PID); + } ++ else if(type == ePacket_Busy) ++ { ++ READ_DATA_SCOPE(); ++ SERIALISE_ELEMENT(m_Version); ++ SERIALISE_ELEMENT(m_Target); ++ SERIALISE_ELEMENT(m_BusyClient); ++ } ++ ++ strip_nonbasic(m_Target); ++ strip_nonbasic(m_BusyClient); + + reader.EndChunk(); + +@@ -704,17 +718,6 @@ public: + reader.EndChunk(); + return msg; + } +- else if(type == ePacket_Busy) +- { +- READ_DATA_SCOPE(); +- SERIALISE_ELEMENT(msg.busy.clientName).Named("Client Name"_lit); +- +- SAFE_DELETE(m_Socket); +- +- RDCLOG("Got busy signal: '%s", msg.busy.clientName.c_str()); +- msg.type = TargetControlMessageType::Busy; +- return msg; +- } + else if(type == ePacket_NewChild) + { + msg.type = TargetControlMessageType::NewChild; +diff --git a/renderdoc/strings/string_utils.cpp b/renderdoc/strings/string_utils.cpp +index 5d8f40844..019a83c3a 100644 +--- a/renderdoc/strings/string_utils.cpp ++++ b/renderdoc/strings/string_utils.cpp +@@ -141,6 +141,18 @@ rdcstr strip_extension(const rdcstr &path) + return path.substr(0, offs); + } 
+ ++rdcstr strip_nonbasic(rdcstr &str) ++{ ++ for(char &c : str) ++ { ++ if((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '.' || ++ c == ' ') ++ continue; ++ ++ c = '_'; ++ } ++} ++ + void split(const rdcstr &in, rdcarray &out, const char sep) + { + if(in.empty()) +diff --git a/renderdoc/strings/string_utils.h b/renderdoc/strings/string_utils.h +index 5164fe676..7c05a30f8 100644 +--- a/renderdoc/strings/string_utils.h ++++ b/renderdoc/strings/string_utils.h +@@ -37,5 +37,10 @@ rdcstr get_basename(const rdcstr &path); + rdcstr get_dirname(const rdcstr &path); + rdcstr strip_extension(const rdcstr &path); + ++// remove everything but alphanumeric ' ' and '.' ++// It replaces everything else with _ ++// for logging strings where they might contain garbage characters ++rdcstr strip_nonbasic(rdcstr &str); ++ + void split(const rdcstr &in, rdcarray &out, const char sep); + void merge(const rdcarray &in, rdcstr &out, const char sep); diff --git a/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-4.patch b/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-4.patch new file mode 100644 index 0000000000..99a68e6579 --- /dev/null +++ b/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-4.patch 
@@ -0,0 +1,28 @@ +From a3ddb69c93a39901c2659a165a119f001cf8b1f4 Mon Sep 17 00:00:00 2001 +From: baldurk +Date: Fri, 19 May 2023 10:47:12 +0100 +Subject: [PATCH] Don't open symlinks when opening logfile + +CVE: CVE-2023-33836 CVE-2023-33864 CVE-2023-33865 +Upstream-Status: Backport [https://github.com/baldurk/renderdoc/commit/203fc8382a79d53d2035613d9425d966b1d4958e] + +Signed-off-by: Gyorgy Sarvari +--- + renderdoc/os/posix/posix_stringio.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/renderdoc/os/posix/posix_stringio.cpp b/renderdoc/os/posix/posix_stringio.cpp +index 59701e532..6f4389773 100644 +--- a/renderdoc/os/posix/posix_stringio.cpp ++++ b/renderdoc/os/posix/posix_stringio.cpp +@@ -499,8 +499,8 @@ rdcstr logfile_readall(uint64_t offset, const rdcstr &filename) + + LogFileHandle *logfile_open(const rdcstr &filename) + { +- int fd = +- open(filename.c_str(), O_APPEND | O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); ++ int fd = open(filename.c_str(), O_APPEND | O_WRONLY | O_CREAT | O_NOFOLLOW, ++ S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + + if(fd < 0) + { diff --git a/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-5.patch b/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-5.patch new file mode 100644 index 0000000000..f1aa4c0591 --- /dev/null +++ b/meta-oe/recipes-graphics/renderdoc/renderdoc/CVE-2023-33863-33864-33865-5.patch 
@@ -0,0 +1,40 @@ +From 3be494014166fbccd1b951aeeb26534d44ceab37 Mon Sep 17 00:00:00 2001 +From: baldurk +Date: Fri, 19 May 2023 10:58:29 +0100 +Subject: [PATCH] Fix incorrect return type + +CVE: CVE-2023-33836 CVE-2023-33864 CVE-2023-33865 +Upstream-Status: Backport [https://github.com/baldurk/renderdoc/commit/771aa8e769b72e6a36b31d6e2116db9952dcbe9b] + +Signed-off-by: Gyorgy Sarvari +--- + renderdoc/strings/string_utils.cpp | 2 +- + renderdoc/strings/string_utils.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/renderdoc/strings/string_utils.cpp b/renderdoc/strings/string_utils.cpp +index 019a83c3a..7c42ede4e 100644 +--- a/renderdoc/strings/string_utils.cpp ++++ b/renderdoc/strings/string_utils.cpp +@@ -141,7 +141,7 @@ rdcstr strip_extension(const rdcstr &path) + return path.substr(0, offs); + } + +-rdcstr strip_nonbasic(rdcstr &str) ++void strip_nonbasic(rdcstr &str) + { + for(char &c : str) + { +diff --git a/renderdoc/strings/string_utils.h b/renderdoc/strings/string_utils.h +index 7c05a30f8..58c6b4f9c 100644 +--- a/renderdoc/strings/string_utils.h ++++ b/renderdoc/strings/string_utils.h +@@ -40,7 +40,7 @@ rdcstr strip_extension(const rdcstr &path); + // remove everything but alphanumeric ' ' and '.' + // It replaces everything else with _ + // for logging strings where they might contain garbage characters +-rdcstr strip_nonbasic(rdcstr &str); ++void strip_nonbasic(rdcstr &str); + + void split(const rdcstr &in, rdcarray &out, const char sep); + void merge(const rdcarray &in, rdcstr &out, const char sep); diff --git a/meta-oe/recipes-graphics/renderdoc/renderdoc_1.13.bb b/meta-oe/recipes-graphics/renderdoc/renderdoc_1.13.bb index ceff54f46a..492a873c00 100644 --- a/meta-oe/recipes-graphics/renderdoc/renderdoc_1.13.bb +++ b/meta-oe/recipes-graphics/renderdoc/renderdoc_1.13.bb 
@@ -5,10 +5,14 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=5486c0df458c74c85828e0cdbffd499e" SRCREV = "cc05b288b6d1660ab04c6cf01173f1bb62e6f5dd" -SRC_URI = " \ - git://github.com/baldurk/${BPN}.git;protocol=https;branch=v1.x \ - file://0001-renderdoc-use-xxd-instead-of-cross-compiling-shim-bi.patch \ -" +SRC_URI = "git://github.com/baldurk/${BPN}.git;protocol=https;branch=v1.x \ + file://0001-renderdoc-use-xxd-instead-of-cross-compiling-shim-bi.patch \ + file://CVE-2023-33863-33864-33865-1.patch \ + file://CVE-2023-33863-33864-33865-2.patch \ + file://CVE-2023-33863-33864-33865-3.patch \ + file://CVE-2023-33863-33864-33865-4.patch \ + file://CVE-2023-33863-33864-33865-5.patch \ + " S = "${WORKDIR}/git" DEPENDS += "virtual/libx11 virtual/libgl libxcb xcb-util-keysyms vim-native"
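Review bot: the new RDCASSERT ahead of RecvDataBlocking in renderdoc/serialise/streamio.cpp only bounds the start pointer (readDest >= m_BufferBase && readDest <= m_BufferBase + m_BufferSize), while the call that follows writes (uint32_t)length bytes from readDest. A read that starts inside the window and runs past its end still satisfies the assertion. Checking readDest + length against m_BufferBase + m_BufferSize as well would cover the end of the write, and a comment on why the upper bound is inclusive would help the next reader.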
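Review bot: in the streamio.cpp hunk at @@ -393,6 +396,12 @@, bufSize is initialised from uint32_t(m_BufferSize - m_InputSize) before the added m_InputSize > m_BufferSize test, so the subtraction has already wrapped by the time the guard resets it to 0. The result is correct because bufSize is overwritten, but it reads more clearly and is harder to break in a later edit if the guard comes first and the subtraction happens only in the valid case. After RDCERR the function still goes on to call RecvDataNonBlocking(readDest, bufSize) with a zero size; a short comment saying that continuing here is intentional would be worth adding.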
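Review bot: in CVE-2023-33863-33864-33865-3.patch, strip_nonbasic is added to string_utils.cpp and string_utils.h with return type rdcstr but the body has no return statement; that is only corrected to void by CVE-2023-33863-33864-33865-5.patch. Keeping the upstream commits separate is reasonable for a backport, but the header of -3 should say that it depends on -5, so nobody carries -3 on its own. Separately, the header comment describes the function as "remove everything but alphanumeric ' ' and '.'" while the code replaces in place with '_'; the second comment line says so, but the first is misleading about the string length being preserved.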
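Review bot: in CVE-2023-33863-33864-33865-4.patch, the O_NOFOLLOW added to the open() call in logfile_open only refuses a symlink in the final path component; symlinks in the directories leading to filename are still followed, and O_CREAT is used without O_EXCL. The commit message ("Don't open symlinks when opening logfile") should state that scope so the patch is not read as covering every link-based redirection of the log path. The existing if(fd < 0) branch will now also be taken when the target is a symlink, so it is worth confirming that branch reports the errno, otherwise a refused log file fails silently.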
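Review bot: the CVE: tag in the header of CVE-2023-33863-33864-33865-5.patch (and identically in -3 and -4) reads "CVE-2023-33836 CVE-2023-33864 CVE-2023-33865", while the patch file names and the SRC_URI entries in renderdoc_1.13.bb use 33863. The first id looks like a digit transposition; please make the tag match the file name in all affected patches so the recorded CVE ids are consistent across the series.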