From patchwork Tue Jun 25 12:37:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 167719 Delivered-To: patch@linaro.org Received: by 2002:a92:4782:0:0:0:0:0 with SMTP id e2csp5499531ilk; Tue, 25 Jun 2019 05:38:02 -0700 (PDT) X-Google-Smtp-Source: APXvYqwRpHd4hSgsf7QXp2aURNk77jfj//cr5CycGlS9oqD6VqblpgXe0cPzHzZgEhRc9oSRrPuy X-Received: by 2002:a17:902:7603:: with SMTP id k3mr47688325pll.245.1561466282320; Tue, 25 Jun 2019 05:38:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561466282; cv=none; d=google.com; s=arc-20160816; b=hEUikuFUT4taG3cfrbl9nhcDLmBaDWRIcb6tbj6rGZ+5uRWV7UDXgIwbBdFFafpHli L7AjBCaanFhxSg8lFFuiHNXgrWxfP2an8UX9HEiJjOjK+GTq8Wbz8ChuT1XWJGcgpi+W OzUXF6Vtx2dzdExkZeKZcXkveatZUi+E1pv5KBtvmck3AvIMCRe2QYFzmRZxCUMQhP2c k2/rVCoZdZw6+5JGc1u0pP9bRbe7QWnEBX76VGz1t94pqd/fb5yd44s+k4+MbRP9X2Ti fod3w1T0YeOZqegl6niluHU3qWmdqOGE0DpHOBwMocQ0mI8EjrZb2DOlPjhDjW7nsj3b Ke7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:message-id:date:to:from:dkim-signature :delivered-to; bh=rLNwaPrXOVTySg15Tx0C/8MmibkIwZ0KalWaHHgvAp4=; b=rfFNlFRCs1ChC7gviaP0YL5CMhHFCy09k7Af8kIYXtf4pJn/Md9e12CHAE7x+Q14ht 06YUWemc/Div51KUaRIAiFX1sTKmZgGJWWDDemMAfMsgAT7TjsXDJa6UUlCKz7kfLHiw 7dXFvY9f828pTXSW2H599qee8o5Q1OGHhDMf6rqCgQsqABxXHEN0KV6IXLBE70YeLkBN co6cGtW5nVjvhebx4sKbzOrzjokS286ppu5ZWqF6eqlkU97LpgAUgmJkS1CUooz39ywS e8BlDVmK+P5aKcSY7RmrasaWHNFuDkR6/4QJr1VGokrwyyZB8Elvne5VLbUwZeRhg/pS OqjQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b="yQxJL7/A"; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id d24si13252319pgk.186.2019.06.25.05.38.01; Tue, 25 Jun 2019 05:38:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b="yQxJL7/A"; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 8CDB07E27B; Tue, 25 Jun 2019 12:37:58 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-wr1-f67.google.com (mail-wr1-f67.google.com [209.85.221.67]) by mail.openembedded.org (Postfix) with ESMTP id 80F5A7E269 for ; Tue, 25 Jun 2019 12:37:56 +0000 (UTC) Received: by mail-wr1-f67.google.com with SMTP id k11so17721625wrl.1 for ; Tue, 25 Jun 2019 05:37:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id; bh=YmaIpnuM5zDc+2plodB1m+LLYcZYZvYRW3VBV9ZESqY=; b=yQxJL7/A5FLMB+xf0TeaPL9osdn9AC9qWSL+NJKRaZxgFm4WpGPxpa8mFGstFgRtab IQ7a1nuaSh4rhGjYUI/mSDiTCL0/bJw9WNwfSRM7B41oESeSHbyXsKINrB9gAmvCyaWu NvyKYOg/UB3yJ2Ne4thrCU3RrEwDgT3DgBQwXmOUDEZkBdw2Ep4xVA55t7AgP/kNlFAs pD7p7nZ1QXq+CEpcH5+L1Xua01XWsc8eOUwjIzuzL7Dam6/0/1RqpEfBTV7hX1U1PfTp y3Q+SiClqQs59x5kh5/pWqvv95PglfjnugXo1d/yiPPHf2Ap5ollv7IG6iQQmeiWsBrE Adfw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id; bh=YmaIpnuM5zDc+2plodB1m+LLYcZYZvYRW3VBV9ZESqY=; b=Fwq74GJ7nAqQlg6pLIz6lETtLVGau/j3cxy6Z8WZxfjxLz7nZD+Z5UDKyHQ/8wB9oC yIeMLlzdp0ldXSeH78SBqU8aX1eULS1HFikhgB5z0t4Z8BpuJNeAwLakhL25YJqHkBPa 8Q5JtmkOGIHpSTfsZGHN9MXpMJIqcJh7XEpJMQDHvImVTFbFfpdS/eb0XeBUA/CxjTEb 9Qs241nE52AbFpE7Murp48xX/ZebBYWbY8f5eOCxAzizMksLSqf3IWmSCfIUF4Y7WE7S gzzvuN2bz122y1S+TDi6z6+C7PyCY9tDfxB9BqTfpSsNhXzJHumi/vWaM/X58wKSQN40 B1pA== X-Gm-Message-State: APjAAAX6AC7BjIf5zo7HI0vANhBi1l1DVMErNhIkM4/M7oEOg1aReDnk HkhaJmoSL1FGC0rfEDmou5yhkdN3sQ8= X-Received: by 2002:adf:e691:: with SMTP id r17mr61520846wrm.67.1561466276860; Tue, 25 Jun 2019 05:37:56 -0700 (PDT) Received: from flashheart.burtonini.com (35.106.2.81.in-addr.arpa. [81.2.106.35]) by smtp.gmail.com with ESMTPSA id j189sm2975116wmb.48.2019.06.25.05.37.55 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 25 Jun 2019 05:37:56 -0700 (PDT) From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Tue, 25 Jun 2019 13:37:52 +0100 Message-Id: <20190625123753.18465-1-ross.burton@intel.com> X-Mailer: git-send-email 2.11.0 Subject: [OE-core] [PATCH][thud 1/2] lighttpd: fix CVE-2019-11072 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org Signed-off-by: Ross Burton --- .../lighttpd/lighttpd/fix-http-parseopts.patch | 51 ++++++++++++++++++++++ meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta/recipes-extended/lighttpd/lighttpd/fix-http-parseopts.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-extended/lighttpd/lighttpd/fix-http-parseopts.patch b/meta/recipes-extended/lighttpd/lighttpd/fix-http-parseopts.patch new file mode 100644 index 00000000000..f3a0402c4be --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/fix-http-parseopts.patch @@ -0,0 +1,51 @@ +CVE: CVE-2019-11072 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 32120d5b8b3203fc21ccb9eafb0eaf824bb59354 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Wed, 10 Apr 2019 11:28:10 -0400 +Subject: [PATCH] [core] fix abort in http-parseopts (fixes #2945) + +fix abort in server.http-parseopts with url-path-2f-decode enabled + +(thx stze) + +x-ref: + "Security - SIGABRT during GET request handling with url-path-2f-decode enabled" + https://redmine.lighttpd.net/issues/2945 +--- + src/burl.c | 6 ++++-- + src/t/test_burl.c | 2 ++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/burl.c b/src/burl.c +index 51182628..c4b928fd 100644 +--- a/src/burl.c ++++ b/src/burl.c +@@ -252,8 +252,10 @@ static int burl_normalize_2F_to_slash_fix (buffer *b, int qs, int i) + } + } + if (qs >= 0) { +- memmove(s+j, s+qs, blen - qs); +- j += blen - qs; ++ const int qslen = blen - qs; ++ memmove(s+j, s+qs, (size_t)qslen); ++ qs = j; ++ j += qslen; + } + buffer_string_set_length(b, j); + return qs; +diff --git a/src/t/test_burl.c b/src/t/test_burl.c +index 7be9be50..f7a16815 100644 +--- a/src/t/test_burl.c ++++ b/src/t/test_burl.c +@@ -97,6 +97,8 @@ static void test_burl_normalize (void) { + flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE; + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/")); ++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), CONST_STR_LEN("/?")); ++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), CONST_STR_LEN("//?")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), CONST_STR_LEN("/a/b")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), CONST_STR_LEN("/a/b")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb?c=/"), CONST_STR_LEN("/a/b?c=/")); diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb index f28fd2f6905..5c828da5b06 100644 --- a/meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb +++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb @@ -18,6 +18,7 @@ SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.t file://lighttpd \ file://lighttpd.service \ file://0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch \ + file://fix-http-parseopts.patch \ " SRC_URI[md5sum] = "6e68c19601af332fa3c5f174245f59bf" From patchwork Tue Jun 25 12:37:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 167720 Delivered-To: patch@linaro.org Received: by 2002:a92:4782:0:0:0:0:0 with SMTP id e2csp5499750ilk; Tue, 25 Jun 2019 05:38:13 -0700 (PDT) X-Google-Smtp-Source: APXvYqwO4Ty+UDnEy9bDdmZ9NDQm0G8VWuvsaYJk9d2a4RHU7D38+YzRq+UpZkS+613eUrdcdgN2 X-Received: by 2002:a65:5c0a:: with SMTP id u10mr39616458pgr.412.1561466293760; Tue, 25 Jun 2019 05:38:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561466293; cv=none; d=google.com; s=arc-20160816; b=im/8iAlV0ZfYH2DerbOgFAphCqpg02KUly6sI+4lVgRxBXvTH2dLjqkzF+kdsNNyXc /uttMId+RnTv61UAYekj16C6TuzNRVw13t1Z1Pg4P93eSnkQA3pMLNX8EYFkz2n9ipb/ Wo8OkUrSGoG9uQFbcHKP70YMd5r/fC5GDcJ98eQxibrs47T7aqbYoBSW7eAG7SigqB2i 4nJmLtcTNjglY8HqdR4754cgs+1mJhlGowyYuELE0q6pLDmI/5JqF+kqN5dfRqoLHOsD KejT05yGs3U8+1DqouHDkJnZdHD/HkRhDjVMpw1UaMsRpPScJ1SmKkowZv40SXT4E5XK k4Ag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=tDMATy4NJJrNGmg1RadgnzPpi/ibB2YeIyPKMTTGe3c=; b=VW62n9GMgUKyWqs8ukzKZMuT/mKZXeKN9RTdD27OqpXn471Tmc3fhCVvEbWh481ss8 fzhpF+05Z5cp7EJ4hSi2Wfc6njCraPjaF7BQcPRpdlDnonzromtGzYGwbOfjl7qLRC6H MzlcSMY79KArZ49wCofPSLVMYPDqQgf3F//hrMu7J1b47SzxHjeE1LYzG/DsN6Up904o jaP0itVAMY3nlD1T75pHXfFuCLoorrE8vUnzMrCix1lvvimLNe3DRfJHIv79b5KFLpWJ c+n4ufGy6ueMKR9st8tqOt6mO0EVheL46LYQ80RbpMFZrMgSQP3QD1ifGC+O0P0uU/Bf qvlg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=bLMSjmgr; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id v99si2683237pjb.82.2019.06.25.05.38.13; Tue, 25 Jun 2019 05:38:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=bLMSjmgr; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 9B7517E508; Tue, 25 Jun 2019 12:38:10 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mail.openembedded.org (Postfix) with ESMTP id AE57E7E27B for ; Tue, 25 Jun 2019 12:37:57 +0000 (UTC) Received: by mail-wm1-f48.google.com with SMTP id g135so2649850wme.4 for ; Tue, 25 Jun 2019 05:37:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id:in-reply-to:references; bh=0Zsz43TFqg2ud+M7Dia6PRY1SXHqk3NqD/oaNc6OQ98=; b=bLMSjmgrKhqe9yNIJu83ANkdon2oGLPmzXLuajA243tASukuxDxaES/5DnzfUMV9t+ xf4WZ3mf7UNyA50rROhwTz8J1jkypvGH+RJS891HTbiIDoN5fCWCcRwIprK9v8rdw5le 1sRV7+D6AhMiJfwz4Umk5Pn6IQggDchub4+rQencvDq04x+dzLW4yxDGGPgmqR+bH2ew lyJ7aSAQcxjL81KH+X7sNNwbbyeGirIO0PevyC3oCqVBipd/xehakIttx3CumQa0plv2 f8AoLHchDLMWA4X5K4exUHzKVxo8LP+sgjSNCJg3QmFrNTNmLLiPjIyxQWX7lQy1GcTb 0e0g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=0Zsz43TFqg2ud+M7Dia6PRY1SXHqk3NqD/oaNc6OQ98=; b=aTnVTBTDNis49pG7EO0KWvAVi47HuyxPbbHGWsjw20edWB5aFWPbMIpN1G/moxZKQm xC4cDaE7TIfUl853n9Pi7ZpFuL5V1zHqEQb+48p3n0FreNhczGoFZQLgan0JrLeMfDfA 7oqXnux9xOY35RiUN9xRYHpKhmvy5j66GxHK1Oc81IbIWCKYr96AiynV8EJcAIS0r384 aWXS3byAAOyhqjrj/XjDEuweoxOGnzFZfpigs+gflHwgX/cCsMKBpU1Qyk0hT3ttpZXY zkVTaPdPYpSAZX+3suEGMKv7jM/4lI3IabYV4vcaSoGrI5GsPBQPYr34VghOlcRxUiaP eWdg== X-Gm-Message-State: APjAAAXCcctryFZ6ZxWIJvPWG7zl7mHSypiuMtPQ54ln9dc1RRjV7Jsi AWD515ww7IuVQDP6fIyiejRARFCIDKA= X-Received: by 2002:a1c:cb43:: with SMTP id b64mr19207464wmg.135.1561466277981; Tue, 25 Jun 2019 05:37:57 -0700 (PDT) Received: from flashheart.burtonini.com (35.106.2.81.in-addr.arpa. [81.2.106.35]) by smtp.gmail.com with ESMTPSA id j189sm2975116wmb.48.2019.06.25.05.37.56 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 25 Jun 2019 05:37:57 -0700 (PDT) From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Tue, 25 Jun 2019 13:37:53 +0100 Message-Id: <20190625123753.18465-2-ross.burton@intel.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190625123753.18465-1-ross.burton@intel.com> References: <20190625123753.18465-1-ross.burton@intel.com> Subject: [OE-core] [PATCH][thud 2/2] glibc: backport CVE fixes X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org Backport the fixes for several CVEs from the 2.28 stable branch: - CVE-2016-10739 - CVE-2018-19591 - CVE-2019-9169 Signed-off-by: Ross Burton --- meta/recipes-core/glibc/glibc/CVE-2016-10739.patch | 232 +++++++++++++++++++++ meta/recipes-core/glibc/glibc/CVE-2018-19591.patch | 48 +++++ meta/recipes-core/glibc/glibc/CVE-2019-9169.patch | 40 ++++ meta/recipes-core/glibc/glibc_2.28.bb | 4 +- 4 files changed, 323 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-core/glibc/glibc/CVE-2016-10739.patch create mode 100644 meta/recipes-core/glibc/glibc/CVE-2018-19591.patch create mode 100644 meta/recipes-core/glibc/glibc/CVE-2019-9169.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch new file mode 100644 index 00000000000..7eb55d6663d --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch @@ -0,0 +1,232 @@ +CVE: CVE-2016-10739 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 21 Jan 2019 08:59:42 +0100 +Subject: [PATCH] resolv: Reformat inet_addr, inet_aton to GNU style + +(cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0) +--- + ChangeLog | 5 ++ + resolv/inet_addr.c | 192 ++++++++++++++++++++++++++++------------------------- + 2 files changed, 106 insertions(+), 91 deletions(-) + +diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c +index 022f7ea084..32f58b0e13 100644 +--- a/resolv/inet_addr.c ++++ b/resolv/inet_addr.c +@@ -1,3 +1,21 @@ ++/* Legacy IPv4 text-to-address functions. ++ Copyright (C) 2019 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ + /* + * Copyright (c) 1983, 1990, 1993 + * The Regents of the University of California. All rights reserved. +@@ -78,105 +96,97 @@ + #include + #include + +-/* +- * Ascii internet address interpretation routine. +- * The value returned is in network order. +- */ ++/* ASCII IPv4 Internet address interpretation routine. The value ++ returned is in network order. */ + in_addr_t +-__inet_addr(const char *cp) { +- struct in_addr val; ++__inet_addr (const char *cp) ++{ ++ struct in_addr val; + +- if (__inet_aton(cp, &val)) +- return (val.s_addr); +- return (INADDR_NONE); ++ if (__inet_aton (cp, &val)) ++ return val.s_addr; ++ return INADDR_NONE; + } + weak_alias (__inet_addr, inet_addr) + +-/* +- * Check whether "cp" is a valid ascii representation +- * of an Internet address and convert to a binary address. +- * Returns 1 if the address is valid, 0 if not. +- * This replaces inet_addr, the return value from which +- * cannot distinguish between failure and a local broadcast address. +- */ ++/* Check whether "cp" is a valid ASCII representation of an IPv4 ++ Internet address and convert it to a binary address. Returns 1 if ++ the address is valid, 0 if not. This replaces inet_addr, the ++ return value from which cannot distinguish between failure and a ++ local broadcast address. */ + int +-__inet_aton(const char *cp, struct in_addr *addr) ++__inet_aton (const char *cp, struct in_addr *addr) + { +- static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff }; +- in_addr_t val; +- char c; +- union iaddr { +- uint8_t bytes[4]; +- uint32_t word; +- } res; +- uint8_t *pp = res.bytes; +- int digit; +- +- int saved_errno = errno; +- __set_errno (0); +- +- res.word = 0; +- +- c = *cp; +- for (;;) { +- /* +- * Collect number up to ``.''. +- * Values are specified as for C: +- * 0x=hex, 0=octal, isdigit=decimal. +- */ +- if (!isdigit(c)) +- goto ret_0; +- { +- char *endp; +- unsigned long ul = strtoul (cp, (char **) &endp, 0); +- if (ul == ULONG_MAX && errno == ERANGE) +- goto ret_0; +- if (ul > 0xfffffffful) +- goto ret_0; +- val = ul; +- digit = cp != endp; +- cp = endp; +- } +- c = *cp; +- if (c == '.') { +- /* +- * Internet format: +- * a.b.c.d +- * a.b.c (with c treated as 16 bits) +- * a.b (with b treated as 24 bits) +- */ +- if (pp > res.bytes + 2 || val > 0xff) +- goto ret_0; +- *pp++ = val; +- c = *++cp; +- } else +- break; +- } +- /* +- * Check for trailing characters. +- */ +- if (c != '\0' && (!isascii(c) || !isspace(c))) +- goto ret_0; +- /* +- * Did we get a valid digit? +- */ +- if (!digit) +- goto ret_0; +- +- /* Check whether the last part is in its limits depending on +- the number of parts in total. */ +- if (val > max[pp - res.bytes]) ++ static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff }; ++ in_addr_t val; ++ char c; ++ union iaddr ++ { ++ uint8_t bytes[4]; ++ uint32_t word; ++ } res; ++ uint8_t *pp = res.bytes; ++ int digit; ++ ++ int saved_errno = errno; ++ __set_errno (0); ++ ++ res.word = 0; ++ ++ c = *cp; ++ for (;;) ++ { ++ /* Collect number up to ``.''. Values are specified as for C: ++ 0x=hex, 0=octal, isdigit=decimal. */ ++ if (!isdigit (c)) ++ goto ret_0; ++ { ++ char *endp; ++ unsigned long ul = strtoul (cp, &endp, 0); ++ if (ul == ULONG_MAX && errno == ERANGE) + goto ret_0; +- +- if (addr != NULL) +- addr->s_addr = res.word | htonl (val); +- +- __set_errno (saved_errno); +- return (1); +- +-ret_0: +- __set_errno (saved_errno); +- return (0); ++ if (ul > 0xfffffffful) ++ goto ret_0; ++ val = ul; ++ digit = cp != endp; ++ cp = endp; ++ } ++ c = *cp; ++ if (c == '.') ++ { ++ /* Internet format: ++ a.b.c.d ++ a.b.c (with c treated as 16 bits) ++ a.b (with b treated as 24 bits). */ ++ if (pp > res.bytes + 2 || val > 0xff) ++ goto ret_0; ++ *pp++ = val; ++ c = *++cp; ++ } ++ else ++ break; ++ } ++ /* Check for trailing characters. */ ++ if (c != '\0' && (!isascii (c) || !isspace (c))) ++ goto ret_0; ++ /* Did we get a valid digit? */ ++ if (!digit) ++ goto ret_0; ++ ++ /* Check whether the last part is in its limits depending on the ++ number of parts in total. */ ++ if (val > max[pp - res.bytes]) ++ goto ret_0; ++ ++ if (addr != NULL) ++ addr->s_addr = res.word | htonl (val); ++ ++ __set_errno (saved_errno); ++ return 1; ++ ++ ret_0: ++ __set_errno (saved_errno); ++ return 0; + } + weak_alias (__inet_aton, inet_aton) + libc_hidden_def (__inet_aton) +-- +2.11.0 diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch b/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch new file mode 100644 index 00000000000..9c78a3dfa02 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch @@ -0,0 +1,48 @@ +CVE: CVE-2018-19591 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From ce6ba630dbc96f49eb1f30366aa62261df4792f9 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Tue, 27 Nov 2018 16:12:43 +0100 +Subject: [PATCH] CVE-2018-19591: if_nametoindex: Fix descriptor for overlong + name [BZ #23927] + +(cherry picked from commit d527c860f5a3f0ed687bd03f0cb464612dc23408) +--- + ChangeLog | 7 +++++++ + NEWS | 6 ++++++ + sysdeps/unix/sysv/linux/if_index.c | 11 ++++++----- + 3 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/sysdeps/unix/sysv/linux/if_index.c b/sysdeps/unix/sysv/linux/if_index.c +index e3d08982d9..782fc5e175 100644 +--- a/sysdeps/unix/sysv/linux/if_index.c ++++ b/sysdeps/unix/sysv/linux/if_index.c +@@ -38,11 +38,6 @@ __if_nametoindex (const char *ifname) + return 0; + #else + struct ifreq ifr; +- int fd = __opensock (); +- +- if (fd < 0) +- return 0; +- + if (strlen (ifname) >= IFNAMSIZ) + { + __set_errno (ENODEV); +@@ -50,6 +45,12 @@ __if_nametoindex (const char *ifname) + } + + strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); ++ ++ int fd = __opensock (); ++ ++ if (fd < 0) ++ return 0; ++ + if (__ioctl (fd, SIOCGIFINDEX, &ifr) < 0) + { + int saved_errno = errno; +-- +2.11.0 diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch new file mode 100644 index 00000000000..8f28b56fa05 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch @@ -0,0 +1,40 @@ +CVE: CVE-2019-9196 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 2aee101ff6075dd97a99982a1ba29e21ec25c52f Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Mon, 21 Jan 2019 11:08:13 -0800 +Subject: [PATCH] regex: fix read overrun [BZ #24114] + +Problem found by AddressSanitizer, reported by Hongxu Chen in: +https://debbugs.gnu.org/34140 +* posix/regexec.c (proceed_next_node): +Do not read past end of input buffer. + +(cherry picked from commit 583dd860d5b833037175247230a328f0050dbfe9) +--- + ChangeLog | 8 ++++++++ + posix/regexec.c | 6 ++++-- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/posix/regexec.c b/posix/regexec.c +index 73644c2341..06b8487c3e 100644 +--- a/posix/regexec.c ++++ b/posix/regexec.c +@@ -1289,8 +1289,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs, + else if (naccepted) + { + char *buf = (char *) re_string_get_buffer (&mctx->input); +- if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, +- naccepted) != 0) ++ if (mctx->input.valid_len - *pidx < naccepted ++ || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, ++ naccepted) ++ != 0)) + return -1; + } + } +-- +2.11.0 + diff --git a/meta/recipes-core/glibc/glibc_2.28.bb b/meta/recipes-core/glibc/glibc_2.28.bb index 72cee04d9a7..ffc4be814b9 100644 --- a/meta/recipes-core/glibc/glibc_2.28.bb +++ b/meta/recipes-core/glibc/glibc_2.28.bb @@ -47,7 +47,9 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0032-sysdeps-ieee754-soft-fp-ignore-maybe-uninitialized-w.patch \ file://0033-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \ file://0034-inject-file-assembly-directives.patch \ -" + file://CVE-2016-10739.patch \ + file://CVE-2018-19591.patch \ + file://CVE-2019-9169.patch" NATIVESDKFIXES ?= "" NATIVESDKFIXES_class-nativesdk = "\