Diffstat (limited to 'external/poky/meta/recipes-extended')
20 files changed, 1863 insertions, 0 deletions
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch
new file mode 100644
index 00000000..b10fd827
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch
@@ -0,0 +1,33 @@
+From fcd9e3aba122a220af617a802c4f47bad4b51e64 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Fri, 7 Dec 2018 07:05:10 +0100
+Subject: [PATCH] Fix: Dereference of null pointer
+Reply-To: muislam@microsoft.com
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+
+---
+ ext/repo_repomdxml.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/repo_repomdxml.c b/ext/repo_repomdxml.c
+index 760d481f..b2a5b8dd 100644
+--- a/ext/repo_repomdxml.c
++++ b/ext/repo_repomdxml.c
+@@ -181,7 +181,7 @@ startElement(struct solv_xmlparser *xmlp, int state, const char *name, const cha
+ while (value)
+ {
+ char *p = strchr(value, ',');
+- if (*p)
++ if (p)
+ *p++ = 0;
+ if (*value)
+ repodata_add_poolstr_array(pd->data, SOLVID_META, REPOSITORY_UPDATES, value);
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch
new file mode 100644
index 00000000..fde19940
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch
@@ -0,0 +1,36 @@
+From 58053b44c9ed043d48fa7dd595d213849b733f0f Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 09:50:06 +0100
+Subject: [PATCH] Fix: Add va_end() before return
+Reply-To: muislam@microsoft.com
+
+The va_end() performs cleanup.
+If va_end() is not called before a function that calls va_start() returns,
+the behavior is undefined.
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ src/pool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pool.c b/src/pool.c
+index 60cc0f49..f03b43f9 100644
+--- a/src/pool.c
++++ b/src/pool.c
+@@ -1505,6 +1505,7 @@ pool_debug(Pool *pool, int type, const char *format, ...)
+ vprintf(format, args);
+ else
+ vfprintf(stderr, format, args);
++ va_end(args);
+ return;
+ }
+ vsnprintf(buf, sizeof(buf), format, args);
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch
new file mode 100644
index 00000000..85398a82
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch
@@ -0,0 +1,158 @@
+From 6c99f33252d8bf8ff3e49013b8ad78aacf71c5d8 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 10:14:04 +0100
+Subject: [PATCH] Fix: Memory leaks
+Reply-To: muislam@microsoft.com
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ ext/repo_rpmdb.c | 16 ++++++++++++++++
+ ext/testcase.c | 4 ++++
+ tools/repo2solv.c | 1 +
+ 3 files changed, 21 insertions(+)
+
+diff --git a/ext/repo_rpmdb.c b/ext/repo_rpmdb.c
+index 75bb6780..ff939978 100644
+--- a/ext/repo_rpmdb.c
++++ b/ext/repo_rpmdb.c
+@@ -1939,6 +1939,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (fread(lead, 96 + 16, 1, fp) != 1 || getu32(lead) != 0xedabeedb)
+ {
+ pool_error(pool, -1, "%s: not a rpm", rpm);
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -1951,12 +1953,16 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (lead[78] != 0 || lead[79] != 5)
+ {
+ pool_error(pool, -1, "%s: not a rpm v5 header", rpm);
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+ if (getu32(lead + 96) != 0x8eade801)
+ {
+ pool_error(pool, -1, "%s: bad signature header", rpm);
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -1965,6 +1971,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (sigcnt >= MAX_SIG_CNT || sigdsize >= MAX_SIG_DSIZE)
+ {
+ pool_error(pool, -1, "%s: bad signature header", rpm);
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -1975,6 +1983,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ {
+ if (!headfromfp(&state, rpm, fp, lead + 96, sigcnt, sigdsize, sigpad, chksumh, leadsigchksumh))
+ {
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -2014,6 +2024,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (fread(lead, l, 1, fp) != 1)
+ {
+ pool_error(pool, -1, "%s: unexpected EOF", rpm);
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -2034,6 +2046,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (fread(lead, 16, 1, fp) != 1)
+ {
+ pool_error(pool, -1, "%s: unexpected EOF", rpm);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -2042,6 +2055,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (getu32(lead) != 0x8eade801)
+ {
+ pool_error(pool, -1, "%s: bad header", rpm);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -2050,6 +2064,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (sigcnt >= MAX_HDR_CNT || sigdsize >= MAX_HDR_DSIZE)
+ {
+ pool_error(pool, -1, "%s: bad header", rpm);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -2057,6 +2072,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+
+ if (!headfromfp(&state, rpm, fp, lead, sigcnt, sigdsize, 0, chksumh, 0))
+ {
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+diff --git a/ext/testcase.c b/ext/testcase.c
+index aa72a8d7..3901d90d 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -2348,6 +2348,7 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha
+ if (fclose(fp))
+ {
+ pool_error(solv->pool, 0, "testcase_write: write error");
++ solv_free(result);
+ strqueue_free(&sq);
+ return 0;
+ }
+@@ -2360,12 +2361,14 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha
+ if (!(fp = fopen(out, "w")))
+ {
+ pool_error(solv->pool, 0, "testcase_write: could not open '%s' for writing", out);
++ solv_free(cmd);
+ strqueue_free(&sq);
+ return 0;
+ }
+ if (*cmd && fwrite(cmd, strlen(cmd), 1, fp) != 1)
+ {
+ pool_error(solv->pool, 0, "testcase_write: write error");
++ solv_free(cmd);
+ strqueue_free(&sq);
+ fclose(fp);
+ return 0;
+@@ -2373,6 +2376,7 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha
+ if (fclose(fp))
+ {
+ pool_error(solv->pool, 0, "testcase_write: write error");
++ solv_free(cmd);
+ strqueue_free(&sq);
+ return 0;
+ }
+diff --git a/tools/repo2solv.c b/tools/repo2solv.c
+index e055e408..30a41f42 100644
+--- a/tools/repo2solv.c
++++ b/tools/repo2solv.c
+@@ -208,6 +208,7 @@ read_plaindir_repo(Repo *repo, const char *dir)
+ repodata_set_location(data, p, 0, 0, bp[0] == '.' && bp[1] == '/' ? bp + 2 : bp);
+ solv_free(rpm);
+ }
++ solv_free(buf);
+ fclose(fp);
+ while (waitpid(pid, &wstatus, 0) == -1)
+ {
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch
new file mode 100644
index 00000000..559aefb1
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch
@@ -0,0 +1,41 @@
+From 823bf65087a017d2f488f01e09ee284fa36f7446 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 10:22:09 +0100
+Subject: [PATCH] Fix: testsolv segfault
+Reply-To: muislam@microsoft.com
+
+ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fab0e11bf2b bp 0x7ffdfc044b70 sp 0x7ffdfc044a90 T0)
+0 0x7fab0e11bf2a in testcase_str2dep_complex /home/company/real_sanitize/libsolv-master/ext/testcase.c:577
+1 0x7fab0e11c80f in testcase_str2dep /home/company/real_sanitize/libsolv-master/ext/testcase.c:656
+2 0x7fab0e12e64a in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2952
+3 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148
+4 0x7fab0d9d2a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
+5 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ ext/testcase.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/testcase.c b/ext/testcase.c
+index 3901d90d..dd20de14 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -571,6 +571,8 @@ testcase_str2dep_complex(Pool *pool, const char **sp, int relop)
+ Id flags, id, id2, namespaceid = 0;
+ struct oplist *op;
+
++ if (!s)
++ return 0;
+ while (*s == ' ' || *s == '\t')
+ s++;
+ if (!strncmp(s, "namespace:", 10))
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch
new file mode 100644
index 00000000..5c13ce5e
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch
@@ -0,0 +1,47 @@
+From 43928ee565b9c4f69daa1875da66f92b2d5bf932 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 10:27:15 +0100
+Subject: [PATCH] Fix: testsolv segfaults
+Reply-To: muislam@microsoft.com
+
+ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002f0 (pc 0x7f31501d3bd2 bp 0x7ffcfe4d4a50 sp 0x7ffcfe4d4a30 T0)
+0 0x7f31501d3bd1 in pool_whatprovides /home/company/real_sanitize/libsolv-master/src/pool.h:331
+1 0x7f31501d895e in testcase_str2solvid /home/company/real_sanitize/libsolv-master/ext/testcase.c:793
+2 0x7f31501e8388 in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2807
+3 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148
+4 0x7f314fa8da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
+5 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)
+
+ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5af9e7815f bp 0x7ffc4c843a40 sp 0x7ffc4c8436c0 T0)
+0 0x7f5af9e7815e in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2799
+1 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148
+2 0x7f5af971da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
+3 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ ext/testcase.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/testcase.c b/ext/testcase.c
+index dd20de14..83467fe2 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -2772,7 +2772,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ {
+ int i = strlen(pieces[1]);
+ s = strchr(pieces[1], '(');
+- if (!s && pieces[1][i - 1] != ')')
++ if (!s || pieces[1][i - 1] != ')')
+ {
+ pool_error(pool, 0, "testcase_read: bad namespace '%s'", pieces[1]);
+ }
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch
new file mode 100644
index 00000000..fdea9dbd
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch
@@ -0,0 +1,37 @@
+From ebb51f73491987435664ac14b79bebe16ffbdd5c Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 12:40:42 +0100
+Subject: [PATCH] Fix: Be sure that NONBLOCK is set
+Reply-To: muislam@microsoft.com
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ examples/solv/fastestmirror.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/examples/solv/fastestmirror.c b/examples/solv/fastestmirror.c
+index d2ebd97a..0ee4e73b 100644
+--- a/examples/solv/fastestmirror.c
++++ b/examples/solv/fastestmirror.c
+@@ -68,7 +68,11 @@ findfastest(char **urls, int nurls)
+ socks[i] = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
+ if (socks[i] >= 0)
+ {
+- fcntl(socks[i], F_SETFL, O_NONBLOCK);
++ if (fcntl(socks[i], F_SETFL, O_NONBLOCK) == -1)
++ {
++ close(socks[i]);
++ socks[i] = -1;
++ }
+ if (connect(socks[i], result->ai_addr, result->ai_addrlen) == -1)
+ {
+ if (errno != EINPROGRESS)
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch
new file mode 100644
index 00000000..8b4a993d
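Review bot: In the `findfastest` hunk of 0008-Fix-Be-sure-that-NONBLOCK-is-set.patch, the new `fcntl()` failure branch closes the socket and sets `socks[i] = -1`, but control then falls straight through to `connect(socks[i], ...)` with the invalid descriptor. That call can only fail, and whatever the `errno != EINPROGRESS` branch does next (its body continues outside the hunk) then runs against -1 as well. Chaining the two tests, `else if (connect(socks[i], result->ai_addr, result->ai_addrlen) == -1)`, keeps a socket that could not be made non-blocking out of the connect path. Since this file is a backport, the same change is worth checking against the upstream source.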
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch
@@ -0,0 +1,113 @@
+From edf87c92cf59c2eed9c1e33c51a47163da15d90b Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 12:58:34 +0100
+Subject: [PATCH] Don't set values that are never read
+Reply-To: muislam@microsoft.com
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ ext/pool_fileconflicts.c | 1 -
+ ext/repo_appdata.c | 2 +-
+ ext/repo_comps.c | 2 +-
+ src/cleandeps.c | 1 -
+ src/dirpool.c | 2 +-
+ src/order.c | 1 -
+ src/repopage.c | 1 -
+ 7 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/ext/pool_fileconflicts.c b/ext/pool_fileconflicts.c
+index eaeb52b2..2fd3d540 100644
+--- a/ext/pool_fileconflicts.c
++++ b/ext/pool_fileconflicts.c
+@@ -590,7 +590,6 @@ findfileconflicts_alias_cb(void *cbdatav, const char *fn, struct filelistinfo *i
+
+ if (!info->dirlen)
+ return;
+- dp = fn + info->dirlen;
+ if (info->diridx != cbdata->lastdiridx)
+ {
+ cbdata->lastdiridx = info->diridx;
+diff --git a/ext/repo_appdata.c b/ext/repo_appdata.c
+index 62faf2d8..69d46386 100644
+--- a/ext/repo_appdata.c
++++ b/ext/repo_appdata.c
+@@ -103,7 +103,7 @@ startElement(struct solv_xmlparser *xmlp, int state, const char *name, const cha
+ {
+ struct parsedata *pd = xmlp->userdata;
+ Pool *pool = pd->pool;
+- Solvable *s = pd->solvable;
++ Solvable *s;
+ const char *type;
+
+ /* ignore all language tags */
+diff --git a/ext/repo_comps.c b/ext/repo_comps.c
+index 255ecb16..e59f8d12 100644
+--- a/ext/repo_comps.c
++++ b/ext/repo_comps.c
+@@ -107,7 +107,7 @@ startElement(struct solv_xmlparser *xmlp, int state, const char *name, const cha
+ {
+ struct parsedata *pd = xmlp->userdata;
+ Pool *pool = pd->pool;
+- Solvable *s = pd->solvable;
++ Solvable *s;
+
+ switch(state)
+ {
+diff --git a/src/cleandeps.c b/src/cleandeps.c
+index 1da28f6e..b2fde317 100644
+--- a/src/cleandeps.c
++++ b/src/cleandeps.c
+@@ -748,7 +748,6 @@ solver_createcleandepsmap(Solver *solv, Map *cleandepsmap, int unneeded)
+ continue;
+ if (strncmp(pool_id2str(pool, s->name), "pattern:", 8) != 0)
+ continue;
+- dp = s->repo->idarraydata + s->requires;
+ for (dp = s->repo->idarraydata + s->requires; *dp; dp++)
+ FOR_PROVIDES(p, pp, *dp)
+ if (pool->solvables[p].repo == installed)
+diff --git a/src/dirpool.c b/src/dirpool.c
+index afb26ea5..bed9435e 100644
+--- a/src/dirpool.c
++++ b/src/dirpool.c
+@@ -85,7 +85,7 @@ dirpool_make_dirtraverse(Dirpool *dp)
+ return;
+ dp->dirs = solv_extend_resize(dp->dirs, dp->ndirs, sizeof(Id), DIR_BLOCK);
+ dirtraverse = solv_calloc_block(dp->ndirs, sizeof(Id), DIR_BLOCK);
+- for (parent = 0, i = 0; i < dp->ndirs; i++)
++ for (i = 0; i < dp->ndirs; i++)
+ {
+ if (dp->dirs[i] > 0)
+ continue;
+diff --git a/src/order.c b/src/order.c
+index c92c3328..cfde40c9 100644
+--- a/src/order.c
++++ b/src/order.c
+@@ -1066,7 +1066,6 @@ transaction_order(Transaction *trans, int flags)
+ #if 0
+ printf("do %s [%d]\n", pool_solvid2str(pool, te->p), temedianr[i]);
+ #endif
+- s = pool->solvables + te->p;
+ for (j = te->edges; od.invedgedata[j]; j++)
+ {
+ struct _TransactionElement *te2 = od.tes + od.invedgedata[j];
+diff --git a/src/repopage.c b/src/repopage.c
+index 2b7a863b..85d53eb9 100644
+--- a/src/repopage.c
++++ b/src/repopage.c
+@@ -399,7 +399,6 @@ match_done:
+ litlen -= 32;
+ }
+ }
+- litofs = 0;
+ }
+ return oo;
+ }
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv_0.6.35.bb b/external/poky/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
index 12dfc5d3..ed6a7cbf 100644
--- a/external/poky/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
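Review bot: The `CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534` trailer on 0009-Don-t-set-values-that-are-never-read.patch does not match its content, since every hunk in it only drops a dead store or an unused initializer (`dp = fn + info->dirlen;`, `litofs = 0;`, `Solvable *s = pd->solvable;` and so on). The same trailer is copied onto 0004, 0005 and 0008, which by their subjects are va_end, leak and fcntl-return fixes; only 0006 and 0007 carry a crash trace. If the tag is what marks a CVE as patched in this layer, keep it on the patches that actually address the crashes and describe the others as cleanup taken from the same pull request. The `Solvable *s;` changes also leave `s` unset at declaration, and the switch bodies are outside these hunks, so it is worth confirming every case assigns it before use.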
@@ -10,6 +10,13 @@ DEPENDS = "expat zlib" SRC_URI = "git://github.com/openSUSE/libsolv.git" SRC_URI_append_libc-musl = " file://0001-Add-fallback-fopencookie-implementation.patch \ file://0002-Fixes-to-internal-fopencookie-implementation.patch \
+ file://0003-Fix-Dereference-of-null-pointer.patch \
+ file://0004-Fix-Add-va_end-before-return.patch \
+ file://0005-Fix-Memory-leaks.patch \
+ file://0006-Fix-testsolv-segfault.patch \
+ file://0007-Fix-testsolv-segfaults.patch \
+ file://0008-Fix-Be-sure-that-NONBLOCK-is-set.patch \
+ file://0009-Don-t-set-values-that-are-never-read.patch \
 " SRCREV = "38c5374d4712667b0b6ada4bf78ddbb343095d0c"
diff --git a/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch b/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
new file mode 100644
index 00000000..f954fac8
--- /dev/null
+++ b/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
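Review bot: The seven new `file://` entries are added inside the `SRC_URI_append_libc-musl` value, so as written they are only fetched and applied when the build uses musl; a glibc build of libsolv would be produced without any of the fixes tagged CVE-2018-20532/20533/20534. None of the patched code is libc-specific, so the entries belong in the unconditional `SRC_URI` (continue `SRC_URI = "git://github.com/openSUSE/libsolv.git \` with the 0003 to 0009 lines) and only 0001/0002 should stay in the musl append. After moving them, check on a non-musl configuration that the patch step lists all seven files.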
@@ -0,0 +1,170 @@
+Treat an ID of -1 as invalid since that means "no change".
+Fixes CVE-2019-14287.
+Found by Joe Vennix from Apple Information Security.
+
+CVE: CVE-2019-14287
+Upstream-Status: Backport
+[https://www.sudo.ws/repos/sudo/rev/83db8dba09e7]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+
+Index: sudo-1.8.21p2/lib/util/strtoid.c
+===================================================================
+--- sudo-1.8.21p2.orig/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400
++++ sudo-1.8.21p2/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400
+@@ -42,6 +42,27 @@
+ #include "sudo_util.h"
+
+ /*
++ * Make sure that the ID ends with a valid separator char.
++ */
++static bool
++valid_separator(const char *p, const char *ep, const char *sep)
++{
++ bool valid = false;
++ debug_decl(valid_separator, SUDO_DEBUG_UTIL)
++
++ if (ep != p) {
++ /* check for valid separator (including '\0') */
++ if (sep == NULL)
++ sep = "";
++ do {
++ if (*ep == *sep)
++ valid = true;
++ } while (*sep++ != '\0');
++ }
++ debug_return_bool(valid);
++}
++
++/*
+ * Parse a uid/gid in string form.
+ * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
+ * If endp is non-NULL it is set to the next char after the ID.
+@@ -55,36 +76,33 @@ sudo_strtoid_v1(const char *p, const cha
+ char *ep;
+ id_t ret = 0;
+ long long llval;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
+ errno = 0;
+ llval = strtoll(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
++ errno = ERANGE;
++ if (errstr != NULL)
++ *errstr = N_("value too large");
++ goto done;
+ }
+- if (!valid) {
++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
++ errno = ERANGE;
+ if (errstr != NULL)
+- *errstr = N_("invalid value");
+- errno = EINVAL;
++ *errstr = N_("value too small");
+ goto done;
+ }
+- if (errno == ERANGE) {
+- if (errstr != NULL) {
+- if (llval == LLONG_MAX)
+- *errstr = N_("value too large");
+- else
+- *errstr = N_("value too small");
+- }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
++ if (errstr != NULL)
++ *errstr = N_("invalid value");
++ errno = EINVAL;
+ goto done;
+ }
+ ret = (id_t)llval;
+@@ -101,30 +119,15 @@ sudo_strtoid_v1(const char *p, const cha
+ {
+ char *ep;
+ id_t ret = 0;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
+ errno = 0;
+ if (*p == '-') {
+ long lval = strtol(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
+- if (errstr != NULL)
+- *errstr = N_("invalid value");
+- errno = EINVAL;
+- goto done;
+- }
+ if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+@@ -137,28 +140,31 @@ sudo_strtoid_v1(const char *p, const cha
+ *errstr = N_("value too small");
+ goto done;
+ }
+- ret = (id_t)lval;
+- } else {
+- unsigned long ulval = strtoul(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || lval == -1) {
+ if (errstr != NULL)
+ *errstr = N_("invalid value");
+ errno = EINVAL;
+ goto done;
+ }
++ ret = (id_t)lval;
++ } else {
++ unsigned long ulval = strtoul(p, &ep, 10);
+ if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+ *errstr = N_("value too large");
+ goto done;
+ }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
++ if (errstr != NULL)
++ *errstr = N_("invalid value");
++ errno = EINVAL;
++ goto done;
++ }
+ ret = (id_t)ulval;
+ }
+ if (errstr != NULL)
diff --git a/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch b/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch
new file mode 100644
index 00000000..dcb2703d
--- /dev/null
+++ b/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch
@@ -0,0 +1,98 @@
+CVE: CVE-2019-14287
+Upstream-Status: Backport
+[https://www.sudo.ws/repos/sudo/rev/db06a8336c09]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+
+Index: sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c
+===================================================================
+--- sudo-1.8.21p2.orig/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:11:49.874655384 -0400
++++ sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:13:07.471005893 -0400
+@@ -24,6 +24,7 @@
+ #else
+ # include "compat/stdbool.h"
+ #endif
++#include <errno.h>
+
+ #include "sudo_compat.h"
+ #include "sudo_util.h"
+@@ -78,15 +79,20 @@ static struct strtoid_data {
+ id_t id;
+ const char *sep;
+ const char *ep;
++ int errnum;
+ } strtoid_data[] = {
+- { "0,1", 0, ",", "," },
+- { "10", 10, NULL, NULL },
+- { "-2", -2, NULL, NULL },
++ { "0,1", 0, ",", ",", 0 },
++ { "10", 10, NULL, NULL, 0 },
++ { "-1", 0, NULL, NULL, EINVAL },
++ { "4294967295", 0, NULL, NULL, EINVAL },
++ { "4294967296", 0, NULL, NULL, ERANGE },
++ { "-2147483649", 0, NULL, NULL, ERANGE },
++ { "-2", -2, NULL, NULL, 0 },
+ #if SIZEOF_ID_T != SIZEOF_LONG_LONG
+- { "-2", 4294967294U, NULL, NULL },
++ { "-2", (id_t)4294967294U, NULL, NULL, 0 },
+ #endif
+- { "4294967294", 4294967294U, NULL, NULL },
+- { NULL, 0, NULL, NULL }
++ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 },
++ { NULL, 0, NULL, NULL, 0 }
+ };
+
+ static int
+@@ -102,11 +108,23 @@ test_strtoid(int *ntests)
+ (*ntests)++;
+ errstr = "some error";
+ value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
+- if (errstr != NULL) {
+- if (d->id != (id_t)-1) {
+- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++ if (d->errnum != 0) {
++ if (errstr == NULL) {
++ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
++ d->idstr, d->errnum);
++ errors++;
++ } else if (value != 0) {
++ sudo_warnx_nodebug("FAIL: %s should return 0 on error",
++ d->idstr);
++ errors++;
++ } else if (errno != d->errnum) {
++ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
++ d->idstr, errno, d->errnum);
+ errors++;
+ }
++ } else if (errstr != NULL) {
++ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++ errors++;
+ } else if (value != d->id) {
+ sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
+ errors++;
+Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok
+===================================================================
+--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.874655384 -0400
++++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.870655365 -0400
+@@ -4,7 +4,7 @@ Parse error in sudoers near line 1.
+ Entries for user root:
+
+ Command unmatched
+-testsudoers: test5.inc should be owned by gid 4294967295
++testsudoers: test5.inc should be owned by gid 4294967294
+ Parse error in sudoers near line 1.
+
+ Entries for user root:
+Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh
+===================================================================
+--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.sh 2019-10-11 07:11:49.874655384 -0400
++++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh 2019-10-11 07:11:49.870655365 -0400
+@@ -24,7 +24,7 @@ EOF
+
+ # Test group writable
+ chmod 664 $TESTFILE
+-./testsudoers -U $MYUID -G -1 root id <<EOF
++./testsudoers -U $MYUID -G -2 root id <<EOF
+ #include $TESTFILE
+ EOF
+
diff --git a/external/poky/meta/recipes-extended/sudo/sudo_1.8.23.bb b/external/poky/meta/recipes-extended/sudo/sudo_1.8.23.bb
index ce32bd18..d12cf2d5 100644
--- a/external/poky/meta/recipes-extended/sudo/sudo_1.8.23.bb
+++ b/external/poky/meta/recipes-extended/sudo/sudo_1.8.23.bb
@@ -3,6 +3,8 @@ require sudo.inc SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://0001-Include-sys-types.h-for-id_t-definition.patch \
+ file://CVE-2019-14287_p1.patch \
+ file://CVE-2019-14287_p2.patch \
 " PAM_SRC_URI = "file://sudo.pam"
diff --git a/external/poky/meta/recipes-extended/tar/tar/CVE-2018-20482.patch b/external/poky/meta/recipes-extended/tar/tar/CVE-2018-20482.patch
new file mode 100644
index 00000000..2a131484
--- /dev/null
+++ b/external/poky/meta/recipes-extended/tar/tar/CVE-2018-20482.patch
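Review bot: Both patches added to `SRC_URI` here were generated against a different sudo release than this recipe builds: their `Index:` lines name `sudo-1.8.21p2`, while the recipe is `sudo_1.8.23.bb`. The strtoid.c hunks in CVE-2019-14287_p1.patch reorder the range and separator checks inside two near-identical `sudo_strtoid_v1` bodies, so a hunk applied with offset or fuzz could plausibly land in the wrong variant. Confirm that the patch step applies both files cleanly to the 1.8.23 sources, and that the `atofoo_test` cases for `"-1"` and `"4294967295"` added by _p2 pass on the built tree.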
@@ -0,0 +1,405 @@ +From 331be56598b284d41370c67046df25673b040a55 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Thu, 27 Dec 2018 17:48:57 +0200 +Subject: [PATCH] Fix CVE-2018-20482 + +* NEWS: Update. +* src/sparse.c (sparse_dump_region): Handle short read condition. +(sparse_extract_region,check_data_region): Fix dumped_size calculation. +Handle short read condition. +(pax_decode_header): Fix dumped_size calculation. +* tests/Makefile.am: Add new testcases. +* tests/testsuite.at: Likewise. + +* tests/sptrcreat.at: New file. +* tests/sptrdiff00.at: New file. +* tests/sptrdiff01.at: New file. + +CVE: CVE-2018-20482 +Upstream-Status: Backport +[http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454] + +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + src/sparse.c | 50 +++++++++++++++++++++++++++++++----- + tests/Makefile.am | 5 +++- + tests/sptrcreat.at | 62 +++++++++++++++++++++++++++++++++++++++++++++ + tests/sptrdiff00.at | 55 ++++++++++++++++++++++++++++++++++++++++ + tests/sptrdiff01.at | 55 ++++++++++++++++++++++++++++++++++++++++ + tests/testsuite.at | 5 +++- + 6 files changed, 224 insertions(+), 8 deletions(-) + create mode 100644 tests/sptrcreat.at + create mode 100644 tests/sptrdiff00.at + create mode 100644 tests/sptrdiff01.at + +diff --git a/src/sparse.c b/src/sparse.c +index 0830f62..e8e8259 100644 +--- a/src/sparse.c ++++ b/src/sparse.c +@@ -1,6 +1,6 @@ + /* Functions for dealing with sparse files + +- Copyright 2003-2007, 2010, 2013-2017 Free Software Foundation, Inc. ++ Copyright 2003-2007, 2010, 2013-2018 Free Software Foundation, Inc. 
+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the +@@ -427,6 +427,30 @@ sparse_dump_region (struct tar_sparse_file *file, size_t i) + bufsize); + return false; + } ++ else if (bytes_read == 0) ++ { ++ char buf[UINTMAX_STRSIZE_BOUND]; ++ struct stat st; ++ size_t n; ++ if (fstat (file->fd, &st) == 0) ++ n = file->stat_info->stat.st_size - st.st_size; ++ else ++ n = file->stat_info->stat.st_size ++ - (file->stat_info->sparse_map[i].offset ++ + file->stat_info->sparse_map[i].numbytes ++ - bytes_left); ++ ++ WARNOPT (WARN_FILE_SHRANK, ++ (0, 0, ++ ngettext ("%s: File shrank by %s byte; padding with zeros", ++ "%s: File shrank by %s bytes; padding with zeros", ++ n), ++ quotearg_colon (file->stat_info->orig_file_name), ++ STRINGIFY_BIGINT (n, buf))); ++ if (! ignore_failed_read_option) ++ set_exit_status (TAREXIT_DIFFERS); ++ return false; ++ } + + memset (blk->buffer + bytes_read, 0, BLOCKSIZE - bytes_read); + bytes_left -= bytes_read; +@@ -464,9 +488,9 @@ sparse_extract_region (struct tar_sparse_file *file, size_t i) + return false; + } + set_next_block_after (blk); ++ file->dumped_size += BLOCKSIZE; + count = blocking_write (file->fd, blk->buffer, wrbytes); + write_size -= count; +- file->dumped_size += count; + mv_size_left (file->stat_info->archive_file_size - file->dumped_size); + file->offset += count; + if (count != wrbytes) +@@ -598,6 +622,12 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end) + rdsize); + return false; + } ++ else if (bytes_read == 0) ++ { ++ report_difference (file->stat_info, _("Size differs")); ++ return false; ++ } ++ + if (!zero_block_p (diff_buffer, bytes_read)) + { + char begbuf[INT_BUFSIZE_BOUND (off_t)]; +@@ -609,6 +639,7 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end) + + beg += bytes_read; + } ++ + return true; + } + +@@ -635,6 +666,7 @@ check_data_region (struct tar_sparse_file *file, 
size_t i) + return false; + } + set_next_block_after (blk); ++ file->dumped_size += BLOCKSIZE; + bytes_read = safe_read (file->fd, diff_buffer, rdsize); + if (bytes_read == SAFE_READ_ERROR) + { +@@ -645,7 +677,11 @@ check_data_region (struct tar_sparse_file *file, size_t i) + rdsize); + return false; + } +- file->dumped_size += bytes_read; ++ else if (bytes_read == 0) ++ { ++ report_difference (¤t_stat_info, _("Size differs")); ++ return false; ++ } + size_left -= bytes_read; + mv_size_left (file->stat_info->archive_file_size - file->dumped_size); + if (memcmp (blk->buffer, diff_buffer, rdsize)) +@@ -1213,7 +1249,8 @@ pax_decode_header (struct tar_sparse_file *file) + union block *blk; + char *p; + size_t i; +- ++ off_t start; ++ + #define COPY_BUF(b,buf,src) do \ + { \ + char *endp = b->buffer + BLOCKSIZE; \ +@@ -1229,7 +1266,6 @@ pax_decode_header (struct tar_sparse_file *file) + if (src == endp) \ + { \ + set_next_block_after (b); \ +- file->dumped_size += BLOCKSIZE; \ + b = find_next_block (); \ + if (!b) \ + FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); \ +@@ -1242,8 +1278,8 @@ pax_decode_header (struct tar_sparse_file *file) + dst[-1] = 0; \ + } while (0) + ++ start = current_block_ordinal (); + set_next_block_after (current_header); +- file->dumped_size += BLOCKSIZE; + blk = find_next_block (); + if (!blk) + FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); +@@ -1282,6 +1318,8 @@ pax_decode_header (struct tar_sparse_file *file) + sparse_add_map (file->stat_info, &sp); + } + set_next_block_after (blk); ++ ++ file->dumped_size += BLOCKSIZE * (current_block_ordinal () - start); + } + + return true; +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 2d7939d..ac3b6e7 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -1,6 +1,6 @@ + # Makefile for GNU tar regression tests. 
+ +-# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2015 Free Software ++# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2018 Free Software + + # This file is part of GNU tar. + +@@ -228,6 +228,9 @@ TESTSUITE_AT = \ + spmvp00.at\ + spmvp01.at\ + spmvp10.at\ ++ sptrcreat.at\ ++ sptrdiff00.at\ ++ sptrdiff01.at\ + time01.at\ + time02.at\ + truncate.at\ +diff --git a/tests/sptrcreat.at b/tests/sptrcreat.at +new file mode 100644 +index 0000000..8e28f0e +--- /dev/null ++++ b/tests/sptrcreat.at +@@ -0,0 +1,62 @@ ++# Process this file with autom4te to create testsuite. -*- Autotest -*- ++ ++# Test suite for GNU tar. ++# Copyright 2018 Free Software Foundation, Inc. ++ ++# This file is part of GNU tar. ++ ++# GNU tar is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++ ++# GNU tar is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++ ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see <http://www.gnu.org/licenses/>. ++ ++# Tar up to 1.30 would loop endlessly if a sparse file had been truncated ++# while being archived (with --sparse flag). ++# ++# The bug has been assigned id CVE-2018-20482 (on the grounds that it is a ++# denial of service possibility). 
++# ++# Reported by: Chris Siebenmann <cks.gnutar-01@cs.toronto.edu> ++# References: <20181226223948.781EB32008E@apps1.cs.toronto.edu>, ++# <http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html> ++# <https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug> ++# <https://nvd.nist.gov/vuln/detail/CVE-2018-20482> ++ ++AT_SETUP([sparse file truncated while archiving]) ++AT_KEYWORDS([truncate filechange sparse sptr sptrcreat]) ++ ++AT_TAR_CHECK([ ++genfile --sparse --block-size=1024 --file foo \ ++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ ++genfile --file baz ++genfile --run --checkpoint 3 --length 200m --truncate foo -- \ ++ tar --checkpoint=1 \ ++ --checkpoint-action=echo \ ++ --checkpoint-action=sleep=1 \ ++ --sparse -vcf bar foo baz ++echo Exit status: $? ++echo separator ++genfile --file foo --seek 200m --length 11575296 --pattern=zeros ++tar dvf bar], ++[1], ++[foo ++baz ++Exit status: 1 ++separator ++foo ++foo: Mod time differs ++baz ++], ++[tar: foo: File shrank by 11575296 bytes; padding with zeros ++], ++[],[],[posix, gnu, oldgnu]) ++ ++AT_CLEANUP +diff --git a/tests/sptrdiff00.at b/tests/sptrdiff00.at +new file mode 100644 +index 0000000..c410561 +--- /dev/null ++++ b/tests/sptrdiff00.at +@@ -0,0 +1,55 @@ ++# Process this file with autom4te to create testsuite. -*- Autotest -*- ++# ++# Test suite for GNU tar. ++# Copyright 2018 Free Software Foundation, Inc. ++# ++# This file is part of GNU tar. ++# ++# GNU tar is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# GNU tar is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. 
++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see <http://www.gnu.org/licenses/>. ++ ++# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered ++# that similar bug exists in file checking code (tar d). ++# This test case checks if tar correctly handles a short read condition ++# appearing in check_sparse_region. ++ ++AT_SETUP([file truncated in sparse region while comparing]) ++AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff]) ++ ++# This triggers short read in check_sparse_region. ++AT_TAR_CHECK([ ++genfile --sparse --block-size=1024 --file foo \ ++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ ++genfile --file baz ++echo creating ++tar --sparse -vcf bar foo baz ++echo comparing ++genfile --run --checkpoint 3 --length 200m --truncate foo -- \ ++ tar --checkpoint=1 \ ++ --checkpoint-action=echo='Write checkpoint %u' \ ++ --checkpoint-action=sleep=1 \ ++ --sparse -vdf bar ++], ++[1], ++[creating ++foo ++baz ++comparing ++foo ++foo: Size differs ++baz ++], ++[], ++[],[],[posix, gnu, oldgnu]) ++ ++AT_CLEANUP +diff --git a/tests/sptrdiff01.at b/tests/sptrdiff01.at +new file mode 100644 +index 0000000..2da2267 +--- /dev/null ++++ b/tests/sptrdiff01.at +@@ -0,0 +1,55 @@ ++# Process this file with autom4te to create testsuite. -*- Autotest -*- ++# ++# Test suite for GNU tar. ++# Copyright 2018 Free Software Foundation, Inc. ++# ++# This file is part of GNU tar. ++# ++# GNU tar is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# GNU tar is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. 
++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see <http://www.gnu.org/licenses/>. ++ ++# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered ++# that similar bug exists in file checking code (tar d). ++# This test case checks if tar correctly handles a short read condition ++# appearing in check_data_region. ++ ++AT_SETUP([file truncated in data region while comparing]) ++AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff]) ++ ++# This triggers short read in check_data_region. ++AT_TAR_CHECK([ ++genfile --sparse --block-size=1024 --file foo \ ++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ ++genfile --file baz ++echo creating ++tar --sparse -vcf bar foo baz ++echo comparing ++genfile --run --checkpoint 5 --length 221278210 --truncate foo -- \ ++ tar --checkpoint=1 \ ++ --checkpoint-action=echo='Write checkpoint %u' \ ++ --checkpoint-action=sleep=1 \ ++ --sparse -vdf bar ++], ++[1], ++[creating ++foo ++baz ++comparing ++foo ++foo: Size differs ++baz ++], ++[], ++[],[],[posix, gnu, oldgnu]) ++ ++AT_CLEANUP +diff --git a/tests/testsuite.at b/tests/testsuite.at +index 2a83757..23386f7 100644 +--- a/tests/testsuite.at ++++ b/tests/testsuite.at +@@ -1,7 +1,7 @@ + # Process this file with autom4te to create testsuite. -*- Autotest -*- + + # Test suite for GNU tar. +-# Copyright 2004-2008, 2010-2017 Free Software Foundation, Inc. ++# Copyright 2004-2008, 2010-2018 Free Software Foundation, Inc. + + # This file is part of GNU tar. + +@@ -405,6 +405,9 @@ m4_include([sparsemv.at]) + m4_include([spmvp00.at]) + m4_include([spmvp01.at]) + m4_include([spmvp10.at]) ++m4_include([sptrcreat.at]) ++m4_include([sptrdiff00.at]) ++m4_include([sptrdiff01.at]) + + AT_BANNER([Updates]) + m4_include([update.at]) +-- +2.22.0.vfs.1.1.57.gbaf16c8 + 
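Review bot: In the new `bytes_read == 0` branch of sparse_dump_region, `n` is a `size_t` assigned from `file->stat_info->stat.st_size - st.st_size`, so if the file has grown again by the time fstat() runs, the negative difference wraps and the warning reports an enormous shrink count. The value only feeds the WARN_FILE_SHRANK message, but that message is what an operator sees in backup logs when a file changes underneath tar. I would clamp it, e.g. `n = st.st_size < file->stat_info->stat.st_size ? file->stat_info->stat.st_size - st.st_size : 0;`, and add a one-line comment that a zero-byte read here means the file was truncated after it was stat'ed. The function body starts and ends outside the inner hunk.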
diff --git a/external/poky/meta/recipes-extended/tar/tar_1.30.bb b/external/poky/meta/recipes-extended/tar/tar_1.30.bb index ab1b33b3..7cf05224 100644 --- a/external/poky/meta/recipes-extended/tar/tar_1.30.bb +++ b/external/poky/meta/recipes-extended/tar/tar_1.30.bb @@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ file://remove-gets.patch \ file://musl_dirent.patch \ file://CVE-2019-9923.patch \ + file://CVE-2018-20482.patch \ " SRC_URI[md5sum] = "8404e4c1fc5a3000228ab2b8ad674a65" diff --git a/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch new file mode 100644 index 00000000..d485a1bd --- /dev/null +++ b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch @@ -0,0 +1,33 @@ +From 080d52c3c9416c731f637f9c6e003961ef43f079 Mon Sep 17 00:00:00 2001 +From: Mark Adler <madler@alumni.caltech.edu> +Date: Mon, 27 May 2019 08:20:32 -0700 +Subject: [PATCH 1/3] Fix bug in undefer_input() that misplaced the input + state. + +CVE: CVE-2019-13232 +Upstream-Status: Backport +[https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213] + +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + fileio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fileio.c b/fileio.c +index 7605a29..14460f3 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -532,8 +532,10 @@ void undefer_input(__G) + * This condition was checked when G.incnt_leftover was set > 0 in + * defer_leftover_input(), and it is NOT allowed to touch G.csize + * before calling undefer_input() when (G.incnt_leftover > 0) +- * (single exception: see read_byte()'s "G.csize <= 0" handling) !! ++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !! + */ ++ if (G.csize < 0L) ++ G.csize = 0L; + G.incnt = G.incnt_leftover + (int)G.csize; + G.inptr = G.inptr_leftover - (int)G.csize; + G.incnt_leftover = 0; +-- +2.22.0.vfs.1.1.57.gbaf16c8 
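Review bot: The added `if (G.csize < 0L) G.csize = 0L;` in undefer_input() has no comment saying where a negative G.csize comes from, while the existing comment just above still says G.csize must not be touched before this call. Presumably the value goes negative through the readbyte() handling that comment mentions; a line such as `/* G.csize may be negative after readbyte()'s "G.csize <= 0" handling; clamp so inptr/incnt stay inside the leftover data */` would make the guard's purpose clear. The two `(int)G.csize` casts that follow narrow the value silently, which deserves a comment or a range check if G.csize is wider than int (its declaration is not visible here). The function continues outside the inner hunk.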
diff --git a/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
new file mode 100644
index 00000000..41037a8e
--- /dev/null
+++ b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
@@ -0,0 +1,356 @@ +From 1aae47fa8935654a84403768f32c03ecbb1be470 Mon Sep 17 00:00:00 2001 +From: Mark Adler <madler@alumni.caltech.edu> +Date: Tue, 11 Jun 2019 22:01:18 -0700 +Subject: [PATCH 2/3] Detect and reject a zip bomb using overlapped entries. + +This detects an invalid zip file that has at least one entry that +overlaps with another entry or with the central directory to the +end of the file. A Fifield zip bomb uses overlapped local entries +to vastly increase the potential inflation ratio. Such an invalid +zip file is rejected. + +See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's +analysis, construction, and examples of such zip bombs. + +The detection maintains a list of covered spans of the zip files +so far, where the central directory to the end of the file and any +bytes preceding the first entry at zip file offset zero are +considered covered initially. Then as each entry is decompressed +or tested, it is considered covered. When a new entry is about to +be processed, its initial offset is checked to see if it is +contained by a covered span. If so, the zip file is rejected as +invalid. + +This commit depends on a preceding commit: "Fix bug in +undefer_input() that misplaced the input state." 
+ +CVE: CVE-2019-13232 +Upstream-Status: Backport +[https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c] + +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++- + globals.c | 1 + + globals.h | 3 + + process.c | 10 +++ + unzip.h | 1 + + 5 files changed, 204 insertions(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index 24db2a8..2bb72ba 100644 +--- a/extract.c ++++ b/extract.c +@@ -321,6 +321,125 @@ static ZCONST char Far UnsupportedExtraField[] = + "\nerror: unsupported extra-field compression type (%u)--skipping\n"; + static ZCONST char Far BadExtraFieldCRC[] = + "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n"; ++static ZCONST char Far NotEnoughMemCover[] = ++ "error: not enough memory for bomb detection\n"; ++static ZCONST char Far OverlappedComponents[] = ++ "error: invalid zip file with overlapped components (possible zip bomb)\n"; ++ ++ ++ ++ ++ ++/* A growable list of spans. */ ++typedef zoff_t bound_t; ++typedef struct { ++ bound_t beg; /* start of the span */ ++ bound_t end; /* one past the end of the span */ ++} span_t; ++typedef struct { ++ span_t *span; /* allocated, distinct, and sorted list of spans */ ++ size_t num; /* number of spans in the list */ ++ size_t max; /* allocated number of spans (num <= max) */ ++} cover_t; ++ ++/* ++ * Return the index of the first span in cover whose beg is greater than val. ++ * If there is no such span, then cover->num is returned. ++ */ ++static size_t cover_find(cover, val) ++ cover_t *cover; ++ bound_t val; ++{ ++ size_t lo = 0, hi = cover->num; ++ while (lo < hi) { ++ size_t mid = (lo + hi) >> 1; ++ if (val < cover->span[mid].beg) ++ hi = mid; ++ else ++ lo = mid + 1; ++ } ++ return hi; ++} ++ ++/* Return true if val lies within any one of the spans in cover. 
*/ ++static int cover_within(cover, val) ++ cover_t *cover; ++ bound_t val; ++{ ++ size_t pos = cover_find(cover, val); ++ return pos > 0 && val < cover->span[pos - 1].end; ++} ++ ++/* ++ * Add a new span to the list, but only if the new span does not overlap any ++ * spans already in the list. The new span covers the values beg..end-1. beg ++ * must be less than end. ++ * ++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for ++ * the list as needed. On success, 0 is returned. If the new span overlaps any ++ * existing spans, then 1 is returned and the new span is not added to the ++ * list. If the new span is invalid because beg is greater than or equal to ++ * end, then -1 is returned. If the list needs to be grown but the memory ++ * allocation fails, then -2 is returned. ++ */ ++static int cover_add(cover, beg, end) ++ cover_t *cover; ++ bound_t beg; ++ bound_t end; ++{ ++ size_t pos; ++ int prec, foll; ++ ++ if (beg >= end) ++ /* The new span is invalid. */ ++ return -1; ++ ++ /* Find where the new span should go, and make sure that it does not ++ overlap with any existing spans. */ ++ pos = cover_find(cover, beg); ++ if ((pos > 0 && beg < cover->span[pos - 1].end) || ++ (pos < cover->num && end > cover->span[pos].beg)) ++ return 1; ++ ++ /* Check for adjacencies. */ ++ prec = pos > 0 && beg == cover->span[pos - 1].end; ++ foll = pos < cover->num && end == cover->span[pos].beg; ++ if (prec && foll) { ++ /* The new span connects the preceding and following spans. Merge the ++ following span into the preceding span, and delete the following ++ span. */ ++ cover->span[pos - 1].end = cover->span[pos].end; ++ cover->num--; ++ memmove(cover->span + pos, cover->span + pos + 1, ++ (cover->num - pos) * sizeof(span_t)); ++ } ++ else if (prec) ++ /* The new span is adjacent only to the preceding span. Extend the end ++ of the preceding span. 
*/ ++ cover->span[pos - 1].end = end; ++ else if (foll) ++ /* The new span is adjacent only to the following span. Extend the ++ beginning of the following span. */ ++ cover->span[pos].beg = beg; ++ else { ++ /* The new span has gaps between both the preceding and the following ++ spans. Assure that there is room and insert the span. */ ++ if (cover->num == cover->max) { ++ size_t max = cover->max == 0 ? 16 : cover->max << 1; ++ span_t *span = realloc(cover->span, max * sizeof(span_t)); ++ if (span == NULL) ++ return -2; ++ cover->span = span; ++ cover->max = max; ++ } ++ memmove(cover->span + pos + 1, cover->span + pos, ++ (cover->num - pos) * sizeof(span_t)); ++ cover->num++; ++ cover->span[pos].beg = beg; ++ cover->span[pos].end = end; ++ } ++ return 0; ++} + + + +@@ -376,6 +495,29 @@ int extract_or_test_files(__G) /* return PK-type error code */ + } + #endif /* !SFX || SFX_EXDIR */ + ++ /* One more: initialize cover structure for bomb detection. Start with a ++ span that covers the central directory though the end of the file. */ ++ if (G.cover == NULL) { ++ G.cover = malloc(sizeof(cover_t)); ++ if (G.cover == NULL) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ ((cover_t *)G.cover)->span = NULL; ++ ((cover_t *)G.cover)->max = 0; ++ } ++ ((cover_t *)G.cover)->num = 0; ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ cover_add((cover_t *)G.cover, ++ G.extra_bytes + G.ecrec.offset_start_central_directory, ++ G.ziplen) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. 
Since the central di- + rectory lies at the end of the zipfile and the member files lie at the +@@ -593,7 +735,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + if (error > error_in_archive) + error_in_archive = error; + /* ...and keep going (unless disk full or user break) */ +- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) { ++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC || ++ error == PK_BOMB) { + /* clear reached_end to signal premature stop ... */ + reached_end = FALSE; + /* ... and cancel scanning the central directory */ +@@ -1062,6 +1205,11 @@ static int extract_or_test_entrylist(__G__ numchunk, + + /* seek_zipf(__G__ pInfo->offset); */ + request = G.pInfo->offset + G.extra_bytes; ++ if (cover_within((cover_t *)G.cover, request)) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + inbuf_offset = request % INBUFSIZ; + bufstart = request - inbuf_offset; + +@@ -1593,6 +1741,18 @@ reprompt: + return IZ_CTRLC; /* cancel operation by user request */ + } + #endif ++ error = cover_add((cover_t *)G.cover, request, ++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf)); ++ if (error < 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ if (error != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */ + UserStop(); + #endif +@@ -1994,6 +2154,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */ + } + + undefer_input(__G); ++ ++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) { ++ /* skip over data descriptor (harder than it sounds, due to signature ++ * ambiguity) ++ */ ++# define SIG 0x08074b50 ++# define LOW 0xffffffff ++ uch buf[12]; ++ unsigned shy = 12 - readbuf((char *)buf, 12); ++ ulg crc = shy ? 0 : makelong(buf); ++ ulg clen = shy ? 
0 : makelong(buf + 4); ++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */ ++ if (crc == SIG && /* if not SIG, no signature */ ++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */ ++ (clen == SIG && /* if not SIG, no signature */ ++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */ ++ (ulen == SIG && /* if not SIG, no signature */ ++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG ++ /* if not SIG, have signature */ ++ ))))) ++ /* skip four more bytes to account for signature */ ++ shy += 4 - readbuf((char *)buf, 4); ++ if (G.zip64) ++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ ++ if (shy) ++ error = PK_ERR; ++ } ++ + return error; + + } /* end function extract_or_test_member() */ +diff --git a/globals.c b/globals.c +index fa8cca5..1e0f608 100644 +--- a/globals.c ++++ b/globals.c +@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor() + # if (!defined(NO_TIMESTAMPS)) + uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */ + # endif ++ G.cover = NULL; /* not allocated yet */ + #endif + + uO.lflag=(-1); +diff --git a/globals.h b/globals.h +index 11b7215..2bdcdeb 100644 +--- a/globals.h ++++ b/globals.h +@@ -260,12 +260,15 @@ typedef struct Globals { + ecdir_rec ecrec; /* used in unzip.c, extract.c */ + z_stat statbuf; /* used by main, mapname, check_for_newer */ + ++ int zip64; /* true if Zip64 info in extra field */ ++ + int mem_mode; + uch *outbufptr; /* extract.c static */ + ulg outsize; /* extract.c static */ + int reported_backslash; /* extract.c static */ + int disk_full; + int newfile; ++ void **cover; /* used in extract.c for bomb detection */ + + int didCRlast; /* fileio static */ + ulg numlines; /* fileio static: number of lines printed */ +diff --git a/process.c b/process.c +index a3c1a4d..208619c 100644 +--- a/process.c ++++ b/process.c +@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */ + } + #endif + ++ /* Free the cover span list 
and the cover structure. */ ++ if (G.cover != NULL) { ++ free(*(G.cover)); ++ free(G.cover); ++ G.cover = NULL; ++ } ++ + } /* end function free_G_buffers() */ + + +@@ -1905,6 +1912,7 @@ int getZip64Data(__G__ ef_buf, ef_len) + + #define Z64FLGS 0xffff + #define Z64FLGL 0xffffffff ++ G.zip64 = FALSE; + + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; +@@ -1964,6 +1972,8 @@ int getZip64Data(__G__ ef_buf, ef_len) + G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); + offset += 4; + } ++ ++ G.zip64 = TRUE; + #if 0 + break; /* Expect only one EF_PKSZ64 block. */ + #endif /* 0 */ +diff --git a/unzip.h b/unzip.h +index 5b2a326..ed24a5b 100644 +--- a/unzip.h ++++ b/unzip.h +@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec { + #define PK_NOZIP 9 /* zipfile not found */ + #define PK_PARAM 10 /* bad or illegal parameters specified */ + #define PK_FIND 11 /* no files found */ ++#define PK_BOMB 12 /* likely zip bomb */ + #define PK_DISK 50 /* disk full */ + #define PK_EOF 51 /* unexpected EOF */ + +-- +2.22.0.vfs.1.1.57.gbaf16c8 diff --git a/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch new file mode 100644 index 00000000..fd26fdd8 --- /dev/null +++ b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch 
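Review bot: G.cover is declared `void **cover;` in globals.h, yet every use in extract.c casts it to `cover_t *`, and free_G_buffers() releases the span list with `free(*(G.cover))`, which is only correct because `span` is the first member of cover_t. Reordering that struct would make the cleanup free an unrelated value, with no compiler warning. Since cover_t is private to extract.c, I would add a comment at both places, e.g. `/* relies on span being the first member of cover_t (extract.c) */`, or declare the field `void *cover` and free it through a small helper defined next to cover_t. The `SIG` and `LOW` macros added in extract_or_test_member() are also never `#undef`'d, so they stay defined for the rest of the file.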
@@ -0,0 +1,121 @@ +From be88aa4811af47ca06d8b7dcda294f899eba70ea Mon Sep 17 00:00:00 2001 +From: Mark Adler <madler@alumni.caltech.edu> +Date: Thu, 25 Jul 2019 20:43:17 -0700 +Subject: [PATCH 3/3] Do not raise a zip bomb alert for a misplaced central + directory. + +There is a zip-like file in the Firefox distribution, omni.ja, +which is a zip container with the central directory placed at the +start of the file instead of after the local entries as required +by the zip standard. This commit marks the actual location of the +central directory, as well as the end of central directory records, +as disallowed locations. This now permits such containers to not +raise a zip bomb alert, where in fact there are no overlaps. + +CVE: CVE-2019-13232 +Upstream-Status: Backport +[https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc] + +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + extract.c | 25 +++++++++++++++++++------ + process.c | 6 ++++++ + unzpriv.h | 10 ++++++++++ + 3 files changed, 35 insertions(+), 6 deletions(-) + +diff --git a/extract.c b/extract.c +index 2bb72ba..a9dcca8 100644 +--- a/extract.c ++++ b/extract.c +@@ -495,8 +495,11 @@ int extract_or_test_files(__G) /* return PK-type error code */ + } + #endif /* !SFX || SFX_EXDIR */ + +- /* One more: initialize cover structure for bomb detection. Start with a +- span that covers the central directory though the end of the file. */ ++ /* One more: initialize cover structure for bomb detection. Start with ++ spans that cover any extra bytes at the start, the central directory, ++ the end of central directory record (including the Zip64 end of central ++ directory locator, if present), and the Zip64 end of central directory ++ record, if present. 
*/ + if (G.cover == NULL) { + G.cover = malloc(sizeof(cover_t)); + if (G.cover == NULL) { +@@ -508,15 +511,25 @@ int extract_or_test_files(__G) /* return PK-type error code */ + ((cover_t *)G.cover)->max = 0; + } + ((cover_t *)G.cover)->num = 0; +- if ((G.extra_bytes != 0 && +- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || +- cover_add((cover_t *)G.cover, ++ if (cover_add((cover_t *)G.cover, + G.extra_bytes + G.ecrec.offset_start_central_directory, +- G.ziplen) != 0) { ++ G.extra_bytes + G.ecrec.offset_start_central_directory + ++ G.ecrec.size_central_directory) != 0) { + Info(slide, 0x401, ((char *)slide, + LoadFarString(NotEnoughMemCover))); + return PK_MEM; + } ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ (G.ecrec.have_ecr64 && ++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start, ++ G.ecrec.ec64_end) != 0) || ++ cover_add((cover_t *)G.cover, G.ecrec.ec_start, ++ G.ecrec.ec_end) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. Since the central di- +diff --git a/process.c b/process.c +index 208619c..5f8f6c6 100644 +--- a/process.c ++++ b/process.c +@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */ + + /* Now, we are (almost) sure that we have a Zip64 archive. */ + G.ecrec.have_ecr64 = 1; ++ G.ecrec.ec_start -= ECLOC64_SIZE+4; ++ G.ecrec.ec64_start = ecrec64_start_offset; ++ G.ecrec.ec64_end = ecrec64_start_offset + ++ 12 + makeint64(&byterec[ECREC64_LENGTH]); + + /* Update the "end-of-central-dir offset" for later checks. 
*/ + G.real_ecrec_offset = ecrec64_start_offset; +@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */ + makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]); + G.ecrec.zipfile_comment_length = + makeword(&byterec[ZIPFILE_COMMENT_LENGTH]); ++ G.ecrec.ec_start = G.real_ecrec_offset; ++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length; + + /* Now, we have to read the archive comment, BEFORE the file pointer + is moved away backwards to seek for a Zip64 ECLOC64 structure. +diff --git a/unzpriv.h b/unzpriv.h +index c8d3eab..5e177c7 100644 +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf { + int have_ecr64; /* valid Zip64 ecdir-record exists */ + int is_zip64_archive; /* Zip64 ecdir-record is mandatory */ + ush zipfile_comment_length; ++ zusz_t ec_start, ec_end; /* offsets of start and end of the ++ end of central directory record, ++ including if present the Zip64 ++ end of central directory locator, ++ which immediately precedes the ++ end of central directory record */ ++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these ++ are the offsets of the start and ++ end of the Zip64 end of central ++ directory record */ + } ecdir_rec; + + +-- +2.22.0.vfs.1.1.57.gbaf16c8 + diff --git a/external/poky/meta/recipes-extended/unzip/unzip_6.0.bb b/external/poky/meta/recipes-extended/unzip/unzip_6.0.bb index daba7227..464d73d0 100644 --- a/external/poky/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/external/poky/meta/recipes-extended/unzip/unzip_6.0.bb @@ -22,6 +22,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ file://symlink.patch \ file://0001-unzip-fix-CVE-2018-1000035.patch \ file://CVE-2018-18384.patch \ + file://CVE-2019-13232_p1.patch \ + file://CVE-2019-13232_p2.patch \ + file://CVE-2019-13232_p3.patch \ " UPSTREAM_VERSION_UNKNOWN = "1" 
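Review bot: The first cover_add() call in the rewritten initialisation of extract_or_test_files() still maps every nonzero result to NotEnoughMemCover and PK_MEM, but cover_add() returns -1 whenever `beg >= end`, which is the case when G.ecrec.size_central_directory is 0. If an archive with an empty central directory reaches this point, it is rejected with an out-of-memory message rather than being handled or reported as malformed. I would skip the span when the size is zero and distinguish -2 (allocation failure) from the other results, as the per-entry cover_add() call in extract_or_test_entrylist() already does; reusing OverlappedComponents for the -1 case is a judgement call and a dedicated message may read better. In find_ecrec() the literal `22` in the ec_end computation would be clearer as a named constant for the fixed record size.

```c
    /* … unchanged: G.cover allocation and num reset … */
    if (G.ecrec.size_central_directory != 0) {
        /* an empty central directory has no span to protect */
        error = cover_add((cover_t *)G.cover,
                          G.extra_bytes + G.ecrec.offset_start_central_directory,
                          G.extra_bytes + G.ecrec.offset_start_central_directory +
                          G.ecrec.size_central_directory);
        if (error == -2) {
            Info(slide, 0x401, ((char *)slide,
              LoadFarString(NotEnoughMemCover)));
            return PK_MEM;
        }
        if (error != 0) {
            Info(slide, 0x401, ((char *)slide,
              LoadFarString(OverlappedComponents)));
            return PK_BOMB;
        }
    }
    /* … unchanged: extra-bytes, Zip64 and end-of-central-directory spans … */
```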
diff --git a/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch b/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
new file mode 100644
index 00000000..cbc4a127
--- /dev/null
+++ b/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
@@ -0,0 +1,73 @@
+From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 13:51:48 +0100
+Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
+
+* src/init.c (defaults): Set enable_xattr to false by default
+* src/main.c (print_help): Reverse option logic of --xattr
+* doc/wget.texi: Add description for --xattr
+
+Users may not be aware that the origin URL and Referer are saved
+including credentials, and possibly access tokens within
+the urls.
+
+CVE: CVE-2018-20483 patch 1
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ doc/wget.texi | 8 ++++++++
+ src/init.c | 4 ----
+ src/main.c | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index eaf6b380..3f9d7c1c 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -540,6 +540,14 @@ right NUMBER.
+ Set preferred location for Metalink resources. This has effect if multiple
+ resources with same priority are available.
+
++@cindex xattr
++@item --xattr
++Enable use of file system's extended attributes to save the
++original URL and the Referer HTTP header value if used.
++
++Be aware that the URL might contain private information like
++access tokens or credentials.
++
+
+ @cindex force html
+ @item -F
+diff --git a/src/init.c b/src/init.c
+index eb81ab47..800970c5 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -509,11 +509,7 @@ defaults (void)
+ opt.hsts = true;
+ #endif
+
+-#ifdef ENABLE_XATTR
+- opt.enable_xattr = true;
+-#else
+ opt.enable_xattr = false;
+-#endif
+ }
+
+ /* Return the user's home directory (strdup-ed), or NULL if none is
+diff --git a/src/main.c b/src/main.c
+index 81db9319..6ac1621b 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -754,7 +754,7 @@ Download:\n"),
+ #endif
+ #ifdef ENABLE_XATTR
+ N_("\
+- --no-xattr turn off storage of metadata in extended file attributes\n"),
++ --xattr turn on storage of metadata in extended file attributes\n"),
+ #endif
+ "\n",
+
+--
+2.19.1
+
diff --git a/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch b/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
new file mode 100644
index 00000000..72ce8a0b
--- /dev/null
+++ b/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
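Review bot: The `@item --xattr` text added to doc/wget.texi does not say that the option is now off by default, although the src/init.c part of this patch sets `opt.enable_xattr = false` unconditionally. A sentence such as `This option is off by default.` after the first paragraph of the entry would make the changed default visible to anyone who relied on the old behaviour. The entry could also state that only new downloads are affected: files written by an earlier build presumably keep whatever origin and referrer attributes were already stored, so existing download directories may need to be checked and cleared separately. The body of `defaults (void)` and the help-text array in src/main.c both start outside their hunks.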
@@ -0,0 +1,127 @@
+From 5a4ee4f3c07cc5dc7ef5f7244fcf51fd2fa3bc67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 14:38:18 +0100
+Subject: [PATCH 2/2] Don't save user/pw with --xattr
+
+Also the Referer info is reduced to scheme+host+port.
+
+* src/ftp.c (getftp): Change params of set_file_metadata()
+* src/http.c (gethttp): Change params of set_file_metadata()
+* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
+ reduce Referer value to scheme/host/port.
+* src/xattr.h: Change prototype of set_file_metadata()
+
+CVE: CVE-2018-20483 patch 2
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ src/ftp.c | 2 +-
+ src/http.c | 4 ++--
+ src/xattr.c | 24 ++++++++++++++++++++----
+ src/xattr.h | 3 ++-
+ 4 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/src/ftp.c b/src/ftp.c
+index 69148936..db8a6267 100644
+--- a/src/ftp.c
++++ b/src/ftp.c
+@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
+
+ #ifdef ENABLE_XATTR
+ if (opt.enable_xattr)
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+ #endif
+
+ fd_close (local_sock);
+diff --git a/src/http.c b/src/http.c
+index 77bdbbed..472c328f 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -4120,9 +4120,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+ if (opt.enable_xattr)
+ {
+ if (original_url != u)
+- set_file_metadata (u->url, original_url->url, fp);
++ set_file_metadata (u, original_url, fp);
+ else
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+ }
+ #endif
+
+diff --git a/src/xattr.c b/src/xattr.c
+index 66524226..0f20fadf 100644
+--- a/src/xattr.c
++++ b/src/xattr.c
+@@ -21,6 +21,7 @@
+ #include <string.h>
+
+ #include "log.h"
++#include "utils.h"
+ #include "xattr.h"
+
+ #ifdef USE_XATTR
+@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp)
+ #endif /* USE_XATTR */
+
+ int
+-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
++set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
+ {
+ /* Save metadata about where the file came from (requested, final URLs) to
+ * user POSIX Extended Attributes of retrieved file.
+@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+ * [http://0pointer.de/lennart/projects/mod_mime_xattr/].
+ */
+ int retval = -1;
++ char *value;
+
+ if (!origin_url || !fp)
+ return retval;
+
+- retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
+- if ((!retval) && referrer_url)
+- retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
++ value = url_string (origin_url, URL_AUTH_HIDE);
++ retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
++ xfree (value);
++
++ if (!retval && referrer_url)
++ {
++ struct url u;
++
++ memset(&u, 0, sizeof(u));
++ u.scheme = referrer_url->scheme;
++ u.host = referrer_url->host;
++ u.port = referrer_url->port;
++
++ value = url_string (&u, 0);
++ retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
++ xfree (value);
++ }
+
+ return retval;
+ }
+diff --git a/src/xattr.h b/src/xattr.h
+index 10f3ed11..40c7a8d3 100644
+--- a/src/xattr.h
++++ b/src/xattr.h
+@@ -16,12 +16,13 @@
+ along with this program; if not, see <http://www.gnu.org/licenses/>. */
+
+ #include <stdio.h>
++#include <url.h>
+
+ #ifndef _XATTR_H
+ #define _XATTR_H
+
+ /* Store metadata name/value attributes against fp.
*/
+-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
++int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
+
+ #if defined(__linux)
+ /* libc on Linux has fsetxattr (5 arguments). */
+--
+2.19.1
+
diff --git a/external/poky/meta/recipes-extended/wget/wget_1.19.5.bb b/external/poky/meta/recipes-extended/wget/wget_1.19.5.bb
index 920b74de..a53844bb 100644
--- a/external/poky/meta/recipes-extended/wget/wget_1.19.5.bb
+++ b/external/poky/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -2,6 +2,8 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
 file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
 file://0002-improve-reproducibility.patch \
 file://CVE-2019-5953.patch \
+ file://CVE-2018-20483_p1.patch \
+ file://CVE-2018-20483_p2.patch \
 "
 SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da" |
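Review bot: In the src/xattr.c hunk, `url_string (origin_url, URL_AUTH_HIDE)` removes only the user and password, as the commit message says, so the path and query string of the origin URL are presumably still written to `user.xdg.origin.url`, and the first patch of this series notes that URLs can carry access tokens. The referrer is cut down to scheme, host and port a few lines further on, but the origin is not, and nothing in the function says so. I would add a comment above the origin write, e.g. `/* Only user/password are stripped; path and query are stored as-is and may still hold tokens. */`, so that whoever enables --xattr or audits stored attributes knows what remains. In the same block the bare `0` passed to `url_string (&u, 0)` would read better as the named auth-mode constant. set_file_metadata begins in the previous hunk of this patch, so its opening lines are not part of this one.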