From 004d49958a83b2ab92301b67134d6910313d94d8 Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Tue, 2 Oct 2018 23:54:45 +0200 Subject: poky: sumo refresh 36d5cee56b..d240b885f2 Update poky to sumo HEAD. Changqing Li (1): libsndfile1: CVE-2018-13139 Chen Qi (2): runqemu: add SIGTERM handler to make sure things are cleaned up runqemu: fix handling of SIGTERM and the problem of line wrapping Hongxu Jia (1): nasm: fix CVE-2018-10016 Ioan-Adrian Ratiu (1): rootfs: always update the opkg index Jagadeesh Krishnanjanappa (1): runqemu: exit gracefully with an error message if qemu system is not evaluated Joe Slater (1): libtiff: fix CVE-2017-17095 Khem Raj (1): x264: Disable asm on musl/x86 Nicolas Dechesne (1): checklayer: avoid recursive loop in add_layer_dependencies Ola x Nilsson (1): externalsrc.bbclass: Set BB_DONT_CACHE for non-target recipes Richard Purdie (1): recipes: Update git.gnome.org addresses after upstream changes Sinan Kaya (3): libxml2: CVE-2018-14404 python3: CVE-2018-1061 git: CVE-2018-11233 Change-Id: Ic2daa2803af197180e605346f59bab03f8264e19 
Signed-off-by: Brad Bishop --- poky/meta/classes/clutter.bbclass | 2 +- poky/meta/classes/externalsrc.bbclass | 4 +- poky/meta/classes/mirrors.bbclass | 2 +- poky/meta/conf/bitbake.conf | 2 +- poky/meta/lib/oe/rootfs.py | 5 +- .../mobile-broadband-provider-info_git.bb | 3 +- .../glib-networking/glib-networking_2.54.1.bb | 2 +- .../libxml/libxml2/CVE-2018-14404.patch | 58 ++++++++ poky/meta/recipes-core/libxml/libxml2_2.9.7.bb | 1 + .../git/files/CVE-2018-11233.patch | 44 ++++++ poky/meta/recipes-devtools/git/git.inc | 3 +- .../0001-eval-Eliminate-division-by-zero.patch | 40 +++++ poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb | 1 + .../python/python3/CVE-2018-1061.patch | 165 +++++++++++++++++++++ poky/meta/recipes-devtools/python/python3_3.5.5.bb | 1 + .../cantarell-fonts/cantarell-fonts_git.bb | 4 +- .../libsndfile/libsndfile1/CVE-2018-13139.patch | 35 +++++ .../libsndfile/libsndfile1_1.0.28.bb | 1 + .../libtiff/files/CVE-2017-17095.patch | 46 ++++++ poky/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb | 1 + poky/meta/recipes-multimedia/x264/x264_git.bb | 1 + .../update-output-syntax.patch | 2 +- poky/scripts/lib/checklayer/__init__.py | 4 + poky/scripts/runqemu | 42 +++++- 24 files changed, 451 insertions(+), 18 deletions(-) create mode 100644 poky/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch create mode 100644 poky/meta/recipes-devtools/git/files/CVE-2018-11233.patch create mode 100644 poky/meta/recipes-devtools/nasm/nasm/0001-eval-Eliminate-division-by-zero.patch create mode 100644 poky/meta/recipes-devtools/python/python3/CVE-2018-1061.patch create mode 100644 poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch create mode 100644 poky/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch diff --git a/poky/meta/classes/clutter.bbclass b/poky/meta/classes/clutter.bbclass index 167407dfd..f5cd04f97 100644 --- a/poky/meta/classes/clutter.bbclass +++ b/poky/meta/classes/clutter.bbclass 
@@ -14,7 +14,7 @@ REALNAME = "${@get_real_name("${BPN}")}" CLUTTER_SRC_FTP = "${GNOME_MIRROR}/${REALNAME}/${VERMINOR}/${REALNAME}-${PV}.tar.xz;name=archive" -CLUTTER_SRC_GIT = "git://git.gnome.org/${REALNAME}" +CLUTTER_SRC_GIT = "git://gitlab.gnome.org/GNOME/${REALNAME};protocol=https" SRC_URI = "${CLUTTER_SRC_FTP}" S = "${WORKDIR}/${REALNAME}-${PV}" diff --git a/poky/meta/classes/externalsrc.bbclass b/poky/meta/classes/externalsrc.bbclass index c9f5cf767..78a08c80a 100644 --- a/poky/meta/classes/externalsrc.bbclass +++ b/poky/meta/classes/externalsrc.bbclass @@ -41,8 +41,8 @@ python () { # re-parsed so that the file-checksums function for do_compile is run every # time. bpn = d.getVar('BPN') - if bpn == d.getVar('PN'): - classextend = (d.getVar('BBCLASSEXTEND') or '').split() + classextend = (d.getVar('BBCLASSEXTEND') or '').split() + if bpn == d.getVar('PN') or not classextend: if (externalsrc or ('native' in classextend and d.getVar('EXTERNALSRC_pn-%s-native' % bpn)) or diff --git a/poky/meta/classes/mirrors.bbclass b/poky/meta/classes/mirrors.bbclass index ed53dfbca..87bba4147 100644 --- a/poky/meta/classes/mirrors.bbclass +++ b/poky/meta/classes/mirrors.bbclass @@ -69,7 +69,7 @@ ${CPAN_MIRROR} http://search.cpan.org/CPAN/ \n \ MIRRORS += "\ git://salsa.debian.org/.* git://salsa.debian.org/PATH;protocol=https \n \ -git://git.gnome.org/.* git://git.gnome.org/browse/PATH;protocol=https \n \ +git://git.gnome.org/.* git://gitlab.gnome.org/GNOME/PATH;protocol=https \n \ git://git.savannah.gnu.org/.* git://git.savannah.gnu.org/git/PATH;protocol=https \n \ git://git.yoctoproject.org/.* git://git.yoctoproject.org/git/PATH;protocol=https \n \ git://.*/.* git://HOST/PATH;protocol=https \n \ diff --git a/poky/meta/conf/bitbake.conf b/poky/meta/conf/bitbake.conf index ecc43a46f..ac403b188 100644 --- a/poky/meta/conf/bitbake.conf +++ b/poky/meta/conf/bitbake.conf 
@@ -624,7 +624,7 @@ BBLAYERS_FETCH_DIR ??= "${COREBASE}" APACHE_MIRROR = "http://archive.apache.org/dist" DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool" GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles" -GNOME_GIT = "git://git.gnome.org" +GNOME_GIT = "git://gitlab.gnome.org/GNOME" GNOME_MIRROR = "http://ftp.gnome.org/pub/GNOME/sources" GNU_MIRROR = "http://ftp.gnu.org/gnu" GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt" diff --git a/poky/meta/lib/oe/rootfs.py b/poky/meta/lib/oe/rootfs.py index f8f717c05..c156607bf 100644 --- a/poky/meta/lib/oe/rootfs.py +++ b/poky/meta/lib/oe/rootfs.py @@ -849,9 +849,8 @@ class OpkgRootfs(DpkgOpkgRootfs): opkg_pre_process_cmds = self.d.getVar('OPKG_PREPROCESS_COMMANDS') opkg_post_process_cmds = self.d.getVar('OPKG_POSTPROCESS_COMMANDS') - # update PM index files, unless users provide their own feeds - if (self.d.getVar('BUILD_IMAGES_FROM_FEEDS') or "") != "1": - self.pm.write_index() + # update PM index files + self.pm.write_index() execute_pre_post_process(self.d, opkg_pre_process_cmds) diff --git a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb index dbc578e2d..57f521a6c 100644 --- a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb +++ b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb @@ -7,7 +7,8 @@ SRCREV = "befcbbc9867e742ac16415660b0b7521218a530c" PV = "20170310" PE = "1" -SRC_URI = "git://git.gnome.org/mobile-broadband-provider-info" +SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info;protocol=https" + S = "${WORKDIR}/git" inherit autotools diff --git a/poky/meta/recipes-core/glib-networking/glib-networking_2.54.1.bb b/poky/meta/recipes-core/glib-networking/glib-networking_2.54.1.bb index 2a6f8af2b..5d17a824f 100644 
--- a/poky/meta/recipes-core/glib-networking/glib-networking_2.54.1.bb +++ b/poky/meta/recipes-core/glib-networking/glib-networking_2.54.1.bb @@ -1,6 +1,6 @@ SUMMARY = "GLib networking extensions" DESCRIPTION = "glib-networking contains the implementations of certain GLib networking features that cannot be implemented directly in GLib itself because of their dependencies." -HOMEPAGE = "http://git.gnome.org/browse/glib-networking/" +HOMEPAGE = "https://gitlab.gnome.org/GNOME/glib-networking/" BUGTRACKER = "http://bugzilla.gnome.org" LICENSE = "LGPLv2" diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch new file mode 100644 index 000000000..af3e7b2af --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch 
@@ -0,0 +1,58 @@
+From 29115868c92c81a4119b05ea95b3c91608a0b6e8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+
+CVE: CVE-2018-14404
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594]
+Signed-off-by: Sinan Kaya
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 35274731..3fcdc9e1 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13337,9 +13337,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13363,9 +13362,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
+--
+2.19.0
+
diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.7.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.7.bb
index deb3488a7..c749a8165 100644
--- a/poky/meta/recipes-core/libxml/libxml2_2.9.7.bb +++ b/poky/meta/recipes-core/libxml/libxml2_2.9.7.bb @@ -21,6 +21,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://libxml-m4-use-pkgconfig.patch \ file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \ file://fix-execution-of-ptests.patch \ + file://CVE-2018-14404.patch \ " SRC_URI[libtar.md5sum] = "896608641a08b465098a40ddf51cefba" diff --git a/poky/meta/recipes-devtools/git/files/CVE-2018-11233.patch b/poky/meta/recipes-devtools/git/files/CVE-2018-11233.patch new file mode 100644 index 000000000..f4468cf2f --- /dev/null +++ b/poky/meta/recipes-devtools/git/files/CVE-2018-11233.patch 
@@ -0,0 +1,44 @@
+From 014281e62b7920a6d710a85089e00ca012b0744c Mon Sep 17 00:00:00 2001
+From: Jeff King
+Date: Sun, 13 May 2018 12:09:42 -0400
+Subject: [PATCH] is_ntfs_dotgit: use a size_t for traversing string
+
+We walk through the "name" string using an int, which can
+wrap to a negative value and cause us to read random memory
+before our array (e.g., by creating a tree with a name >2GB,
+since "int" is still 32 bits even on most 64-bit platforms).
+Worse, this is easy to trigger during the fsck_tree() check,
+which is supposed to be protecting us from malicious
+garbage.
+
+Note one bit of trickiness in the existing code: we
+sometimes assign -1 to "len" at the end of the loop, and
+then rely on the "len++" in the for-loop's increment to take
+it back to 0. This is still legal with a size_t, since
+assigning -1 will turn into SIZE_MAX, which then wraps
+around to 0 on increment.
+
+Signed-off-by: Jeff King
+CVE: CVE-2018-11233
+Upstream-Status: Backport[https://github.com/git/git/commit/11a9f4d807a0d71dc6eff51bb87baf4ca2cccf1d]
+Signed-off-by: Sinan Kaya
+---
+ path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/path.c b/path.c
+index da8b65573..d31c795ff 100644
+--- a/path.c
++++ b/path.c
+@@ -1305,7 +1305,7 @@ static int only_spaces_and_periods(const char *path, size_t len, size_t skip)
+
+ int is_ntfs_dotgit(const char *name)
+ {
+- int len;
++ size_t len;
+
+ for (len = 0; ; len++)
+ if (!name[len] || name[len] == '\\' || is_dir_sep(name[len])) {
+--
+2.19.0
+
diff --git a/poky/meta/recipes-devtools/git/git.inc b/poky/meta/recipes-devtools/git/git.inc
index bea23ec78..8603c045c 100644
--- a/poky/meta/recipes-devtools/git/git.inc
+++ b/poky/meta/recipes-devtools/git/git.inc
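Review bot: The provenance tag in the CVE-2018-11233.patch header is written `Upstream-Status: Backport[https://github.com/git/git/commit/11a9f4d8...]` with no space before the bracket, unlike the other backports added in this commit, which use `Backport [url]`. A grep or audit script keyed on the usual form can miss it, so it should read `Upstream-Status: Backport [https://github.com/git/git/commit/11a9f4d807a0d71dc6eff51bb87baf4ca2cccf1d]`. The embedded hunk shows only the `size_t len;` declaration and the first lines of the loop; the part of `is_ntfs_dotgit` that relies on the `-1` wrap described in the message is outside it.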
@@ -8,7 +8,8 @@ PROVIDES_append_class-native = " git-replacement-native" SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \ - file://CVE-2018-11235.patch" + file://CVE-2018-11235.patch \ + file://CVE-2018-11233.patch" S = "${WORKDIR}/git-${PV}" diff --git a/poky/meta/recipes-devtools/nasm/nasm/0001-eval-Eliminate-division-by-zero.patch b/poky/meta/recipes-devtools/nasm/nasm/0001-eval-Eliminate-division-by-zero.patch new file mode 100644 index 000000000..6c332497c --- /dev/null +++ b/poky/meta/recipes-devtools/nasm/nasm/0001-eval-Eliminate-division-by-zero.patch @@ -0,0 +1,40 @@ +From ceec0d818798aeaa75ed4907e6135b0247ed46b2 Mon Sep 17 00:00:00 2001 +From: Cyrill Gorcunov +Date: Sun, 14 Oct 2018 01:26:19 +0300 +Subject: [PATCH] eval: Eliminate division by zero + +When doing division we should detect if the value we're +divided by is not zero. Instead of is_unknown() helper +we should use is_just_unknown(). + +https://bugzilla.nasm.us/show_bug.cgi?id=3392515 +https://bugzilla.nasm.us/show_bug.cgi?id=3392473 + +Reported-by: Jun +Reported-by: stuartly +Signed-off-by: Cyrill Gorcunov + +Upstream-Status: Backport [https://github.com/netwide-assembler/nasm/commit/ceec0d818798aeaa75ed4907e6135b0247ed46b2.patch] +CVE: CVE-2018-10016 +Signed-off-by: Hongxu Jia + +--- + asm/eval.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/asm/eval.c b/asm/eval.c +index 1a6680f..7e727a4 100644 +--- a/asm/eval.c ++++ b/asm/eval.c +@@ -580,7 +580,7 @@ static expr *expr5(int critical) + " scalar values"); + return NULL; + } +- if (j != '*' && !is_unknown(f) && reloc_value(f) == 0) { ++ if (j != '*' && !is_just_unknown(f) && reloc_value(f) == 0) { + nasm_error(ERR_NONFATAL, "division by zero"); + return NULL; + } +-- +2.10.2 + 
diff --git a/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb b/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb index 6a02df485..730db1d8c 100644 --- a/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb +++ b/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb @@ -8,6 +8,7 @@ SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ file://0001-assemble-Check-global-line-limit.patch \ file://0001-fix-CVE-2018-8882.patch \ file://0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch \ + file://0001-eval-Eliminate-division-by-zero.patch \ " SRC_URI[md5sum] = "0c581d482f39d5111879ca9601938f74" diff --git a/poky/meta/recipes-devtools/python/python3/CVE-2018-1061.patch b/poky/meta/recipes-devtools/python/python3/CVE-2018-1061.patch new file mode 100644 index 000000000..6373be389 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3/CVE-2018-1061.patch 
@@ -0,0 +1,165 @@ +From 6d7ef39198856395edd62ef143bfcfaaf2ed6e25 Mon Sep 17 00:00:00 2001 +From: Ned Deily +Date: Sun, 11 Mar 2018 14:29:05 -0400 +Subject: [PATCH] [3.5] bpo-32981: Fix catastrophic backtracking vulns + (GH-5955) (#6034) + +* Prevent low-grade poplib REDOS (CVE-2018-1060) + +The regex to test a mail server's timestamp is susceptible to +catastrophic backtracking on long evil responses from the server. + +Happily, the maximum length of malicious inputs is 2K thanks +to a limit introduced in the fix for CVE-2013-1752. + +A 2KB evil response from the mail server would result in small slowdowns +(milliseconds vs. microseconds) accumulated over many apop calls. +This is a potential DOS vector via accumulated slowdowns. + +Replace it with a similar non-vulnerable regex. + +The new regex is RFC compliant. +The old regex was non-compliant in edge cases. + +* Prevent difflib REDOS (CVE-2018-1061) + +The default regex for IS_LINE_JUNK is susceptible to +catastrophic backtracking. +This is a potential DOS vector. + +Replace it with an equivalent non-vulnerable regex. + +Also introduce unit and REDOS tests for difflib. + +Co-authored-by: Tim Peters +Co-authored-by: Christian Heimes . 
+(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac) +CVE: CVE-2018-1061 +CVE: CVE-2018-1060 +Upstream-Status: Backport [https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b] +Signed-off-by: Sinan Kaya +--- + Lib/difflib.py | 2 +- + Lib/poplib.py | 2 +- + Lib/test/test_difflib.py | 22 ++++++++++++++++++- + Lib/test/test_poplib.py | 12 +++++++++- + Misc/ACKS | 1 + + .../2018-03-02-10-24-52.bpo-32981.O_qDyj.rst | 4 ++++ + 6 files changed, 39 insertions(+), 4 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst + +diff --git a/Lib/difflib.py b/Lib/difflib.py +index 076bbac01d..b4ec335056 100644 +--- a/Lib/difflib.py ++++ b/Lib/difflib.py +@@ -1083,7 +1083,7 @@ class Differ: + + import re + +-def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match): ++def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match): + r""" + Return 1 for ignorable line: iff `line` is blank or contains a single '#'. + +diff --git a/Lib/poplib.py b/Lib/poplib.py +index 516b6f060d..2437ea0e27 100644 +--- a/Lib/poplib.py ++++ b/Lib/poplib.py +@@ -308,7 +308,7 @@ class POP3: + return self._shortcmd('RPOP %s' % user) + + +- timestamp = re.compile(br'\+OK.*(<[^>]+>)') ++ timestamp = re.compile(br'\+OK.[^<]*(<.*>)') + + def apop(self, user, password): + """Authorisation +diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py +index ab9debf8e2..b6c8a7dd5b 100644 +--- a/Lib/test/test_difflib.py ++++ b/Lib/test/test_difflib.py +@@ -466,13 +466,33 @@ class TestBytes(unittest.TestCase): + list(generator(*args)) + self.assertEqual(msg, str(ctx.exception)) + ++class TestJunkAPIs(unittest.TestCase): ++ def test_is_line_junk_true(self): ++ for line in ['#', ' ', ' #', '# ', ' # ', '']: ++ self.assertTrue(difflib.IS_LINE_JUNK(line), repr(line)) ++ ++ def test_is_line_junk_false(self): ++ for line in ['##', ' ##', '## ', 'abc ', 'abc #', 'Mr. 
Moose is up!']: ++ self.assertFalse(difflib.IS_LINE_JUNK(line), repr(line)) ++ ++ def test_is_line_junk_REDOS(self): ++ evil_input = ('\t' * 1000000) + '##' ++ self.assertFalse(difflib.IS_LINE_JUNK(evil_input)) ++ ++ def test_is_character_junk_true(self): ++ for char in [' ', '\t']: ++ self.assertTrue(difflib.IS_CHARACTER_JUNK(char), repr(char)) ++ ++ def test_is_character_junk_false(self): ++ for char in ['a', '#', '\n', '\f', '\r', '\v']: ++ self.assertFalse(difflib.IS_CHARACTER_JUNK(char), repr(char)) + + def test_main(): + difflib.HtmlDiff._default_prefix = 0 + Doctests = doctest.DocTestSuite(difflib) + run_unittest( + TestWithAscii, TestAutojunk, TestSFpatches, TestSFbugs, +- TestOutputFormat, TestBytes, Doctests) ++ TestOutputFormat, TestBytes, TestJunkAPIs, Doctests) + + if __name__ == '__main__': + test_main() +diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py +index bceeb93ad1..799e403652 100644 +--- a/Lib/test/test_poplib.py ++++ b/Lib/test/test_poplib.py +@@ -300,9 +300,19 @@ class TestPOP3Class(TestCase): + def test_rpop(self): + self.assertOK(self.client.rpop('foo')) + +- def test_apop(self): ++ def test_apop_normal(self): + self.assertOK(self.client.apop('foo', 'dummypassword')) + ++ def test_apop_REDOS(self): ++ # Replace welcome with very long evil welcome. ++ # NB The upper bound on welcome length is currently 2048. ++ # At this length, evil input makes each apop call take ++ # on the order of milliseconds instead of microseconds. ++ evil_welcome = b'+OK' + (b'<' * 1000000) ++ with test_support.swap_attr(self.client, 'welcome', evil_welcome): ++ # The evil welcome is invalid, so apop should throw. 
++ self.assertRaises(poplib.error_proto, self.client.apop, 'a', 'kb') ++ + def test_top(self): + expected = (b'+OK 116 bytes', + [b'From: postmaster@python.org', b'Content-Type: text/plain', +diff --git a/Misc/ACKS b/Misc/ACKS +index 1a35aad66c..72c5d740bd 100644 +--- a/Misc/ACKS ++++ b/Misc/ACKS +@@ -341,6 +341,7 @@ Kushal Das + Jonathan Dasteel + Pierre-Yves David + A. Jesse Jiryu Davis ++Jamie (James C.) Davis + Merlijn van Deen + John DeGood + Ned Deily +diff --git a/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst +new file mode 100644 +index 0000000000..9ebabb44f9 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst +@@ -0,0 +1,4 @@ ++Regexes in difflib and poplib were vulnerable to catastrophic backtracking. ++These regexes formed potential DOS vectors (REDOS). They have been ++refactored. This resolves CVE-2018-1060 and CVE-2018-1061. ++Patch by Jamie Davis. +-- +2.19.0 + diff --git a/poky/meta/recipes-devtools/python/python3_3.5.5.bb b/poky/meta/recipes-devtools/python/python3_3.5.5.bb index 4dae4fa4c..c28be3292 100644 --- a/poky/meta/recipes-devtools/python/python3_3.5.5.bb +++ b/poky/meta/recipes-devtools/python/python3_3.5.5.bb @@ -37,6 +37,7 @@ SRC_URI += "\ file://configure.ac-fix-LIBPL.patch \ file://0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch \ file://pass-missing-libraries-to-Extension-for-mul.patch \ + file://CVE-2018-1061.patch \ " SRC_URI[md5sum] = "f3763edf9824d5d3a15f5f646083b6e0" SRC_URI[sha256sum] = "063d2c3b0402d6191b90731e0f735c64830e7522348aeb7ed382a83165d45009" diff --git a/poky/meta/recipes-graphics/cantarell-fonts/cantarell-fonts_git.bb b/poky/meta/recipes-graphics/cantarell-fonts/cantarell-fonts_git.bb index c71ab1165..9d8fb2828 100644 --- a/poky/meta/recipes-graphics/cantarell-fonts/cantarell-fonts_git.bb +++ b/poky/meta/recipes-graphics/cantarell-fonts/cantarell-fonts_git.bb 
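Review bot: CVE-2018-1061.patch is named for one CVE but its header declares two fixes on separate lines, `CVE: CVE-2018-1061` and `CVE: CVE-2018-1060`. A scanner that keys on the file name or stops at the first `CVE:` tag would keep reporting CVE-2018-1060 (the poplib regex change) as unpatched. Whether the CVE checker in this branch reads every `CVE:` line is not visible here, so the safer header is a single tag, `CVE: CVE-2018-1060 CVE-2018-1061`.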
@@ -5,7 +5,7 @@ DESCRIPTION = "The Cantarell font typeface is designed as a \ on-screen reading; in particular, reading web pages on an \ HTC Dream mobile phone." -HOMEPAGE = "https://git.gnome.org/browse/cantarell-fonts/" +HOMEPAGE = "https://gitlab.gnome.org/GNOME/cantarell-fonts/" SECTION = "fonts" LICENSE = "OFL-1.1" LIC_FILES_CHKSUM = "file://COPYING;md5=df91e3ffcab8cfb972a66bf11255188d" @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=df91e3ffcab8cfb972a66bf11255188d" PV = "0.0.24" SRCREV = "07b6ea2cbbebfc360aa4668612a376be5e214eaa" -SRC_URI = "git://git.gnome.org/cantarell-fonts;protocol=git;branch=master" +SRC_URI = "git://gitlab.gnome.org/GNOME/cantarell-fonts;protocol=https;branch=master" UPSTREAM_CHECK_GITTAGREGEX = "(?P(?!0\.13)(?!0\.10\.1)\d+\.\d+(\.\d+)+)" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch b/poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch new file mode 100644 index 000000000..4ae3674df --- /dev/null +++ b/poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch 
@@ -0,0 +1,35 @@ +From 5473aeef7875e54bd0f786fbdd259a35aaee875c Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Wed, 10 Oct 2018 08:59:30 +0800 +Subject: [PATCH] libsndfile1: patch for CVE-2018-13139 + +Upstream-Status: Backport [https://github.com/bwarden/libsndfile/ +commit/df18323c622b54221ee7ace74b177cdcccc152d7] + +CVE: CVE-2018-13139 + +Signed-off-by: Changqing Li +--- + programs/sndfile-deinterleave.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c +index e27593e..721bee7 100644 +--- a/programs/sndfile-deinterleave.c ++++ b/programs/sndfile-deinterleave.c +@@ -89,6 +89,12 @@ main (int argc, char **argv) + exit (1) ; + } ; + ++ if (sfinfo.channels > MAX_CHANNELS) ++ { printf ("\nError : Input file '%s' has too many (%d) channels. Limit is %d.\n", ++ argv [1], sfinfo.channels, MAX_CHANNELS) ; ++ exit (1) ; ++ } ; ++ + state.channels = sfinfo.channels ; + sfinfo.channels = 1 ; + +-- +2.7.4 + diff --git a/poky/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/poky/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index ed43b7494..b28f67528 100644 --- a/poky/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/poky/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -12,6 +12,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ file://CVE-2017-8363.patch \ file://CVE-2017-14245-14246.patch \ file://CVE-2017-14634.patch \ + file://CVE-2018-13139.patch \ " SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" diff --git a/poky/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch b/poky/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch new file mode 100644 index 000000000..9b9962ed3 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch 
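Review bot: The `Upstream-Status` URL in the CVE-2018-13139.patch header is wrapped across two lines (`https://github.com/bwarden/libsndfile/` then `commit/df18323c...`), so it cannot be followed or parsed as written. It also points at `bwarden/libsndfile`, which looks like a fork rather than the project's main repository. For a CVE backport the tag should carry the commit in the canonical upstream tree on one line, `Upstream-Status: Backport [<canonical upstream commit URL>]`. In the code itself, the new check bounds `sfinfo.channels` from above only; whether a non-positive value can reach this point is not visible in the hunk.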
@@ -0,0 +1,46 @@ +From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001 +From: Nathan Baker +Date: Thu, 25 Jan 2018 21:28:15 +0000 +Subject: [PATCH] Add workaround to pal2rgb buffer overflow. + +CVE: CVE-2017-17095 + +Upstream-Status: Backport (unchanged) [gitlab.com/libtiff/libtiff/commit/9171da5...] + +Signed-off-by: Joe Slater --- diff --git a/poky/scripts/lib/checklayer/__init__.py b/poky/scripts/lib/checklayer/__init__.py index 2618416fa..778804184 100644 --- a/poky/scripts/lib/checklayer/__init__.py +++ b/poky/scripts/lib/checklayer/__init__.py @@ -167,6 +167,10 @@ def add_layer_dependencies(bblayersconf, layer, layers, logger): # multiple errors at once if ret is not None and layer_depend not in ret: ret.append(layer_depend) + else: + # we might have processed this dependency already, in which case + # we should not do it again (avoid recursive loop) + continue # Recursively process... if 'collections' not in layer_depend: diff --git a/poky/scripts/runqemu b/poky/scripts/runqemu index d99849406..bd3aee0c2 100755 --- a/poky/scripts/runqemu +++ b/poky/scripts/runqemu @@ -27,6 +27,7 @@ import fcntl import shutil import glob import configparser +import signal class RunQemuError(Exception): """Custom exception to raise on known errors.""" @@ -233,6 +234,10 @@ class BaseConfig(object): # slirp qemus are running. self.mac_tap = "52:54:00:12:34:" self.mac_slirp = "52:54:00:12:35:" + # pid of the actual qemu process + self.qemupid = None + # avoid cleanup twice + self.cleaned = False def acquire_lock(self, error=True): logger.debug("Acquiring lockfile %s..." % self.lock) 
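Review bot: In the checklayer hunk, the new `else: continue` also fires when `ret is None`, so once one dependency has been reported missing, every later dependency skips the recursive step below. That appears to conflict with the comment directly above the `if` ("multiple errors at once"), whose opening line is outside the hunk. If the intent is only loop avoidance, track visited layers in a list separate from `ret`, which doubles as the error flag, and guard with something like `if layer_depend in seen: continue` before appending. `add_layer_dependencies` and its inner loop begin and end outside the hunk.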
@@ -1110,6 +1115,11 @@ class BaseConfig(object): qbsys = 'riscv64' elif mach == 'qemuriscv32': qbsys = 'riscv32' + else: + logger.error("Unable to determine QEMU PC System emulator for %s machine." % mach) + logger.error("As %s is not among valid QEMU machines such as," % mach) + logger.error("qemux86-64, qemux86, qemuarm64, qemuarm, qemumips64, qemumips64el, qemumipsel, qemumips, qemuppc") + raise RunQemuError("Set qb_system_name with suitable QEMU PC System emulator in .*qemuboot.conf.") return 'qemu-system-%s' % qbsys @@ -1189,6 +1199,7 @@ class BaseConfig(object): self.qemu_opt += " -serial mon:vc -serial null" def start_qemu(self): + import shlex if self.kernel: kernel_opts = "-kernel %s -append '%s %s %s %s'" % (self.kernel, self.kernel_cmdline, self.kernel_cmdline_script, self.get('QB_KERNEL_CMDLINE_APPEND'), @@ -1198,12 +1209,25 @@ class BaseConfig(object): else: kernel_opts = "" cmd = "%s %s" % (self.qemu_opt, kernel_opts) + cmds = shlex.split(cmd) logger.info('Running %s\n' % cmd) - process = subprocess.Popen(cmd, shell=True, stderr=subprocess.PIPE) - if process.wait(): - logger.error("Failed to run qemu: %s", process.stderr.read().decode()) + process = subprocess.Popen(cmds, stderr=subprocess.PIPE) + self.qemupid = process.pid + retcode = process.wait() + if retcode: + if retcode == -signal.SIGTERM: + logger.info("Qemu terminated by SIGTERM") + else: + logger.error("Failed to run qemu: %s", process.stderr.read().decode()) def cleanup(self): + if self.cleaned: + return + + # avoid dealing with SIGTERM when cleanup function is running + signal.signal(signal.SIGTERM, signal.SIG_IGN) + + logger.info("Cleaning up") if self.cleantap: cmd = 'sudo %s %s %s' % (self.qemuifdown, self.tap, self.bindir_native) logger.debug('Running %s' % cmd) @@ -1227,6 +1251,8 @@ class BaseConfig(object): shutil.rmtree(self.rootfs) shutil.rmtree('%s.pseudo_state' % self.rootfs) + self.cleaned = True + def load_bitbake_env(self, mach=None): if self.bitbake_e: return 
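Review bot: In `start_qemu` (hunk @@ -1198,12 +1209,25 @@), `process.wait()` is called while stderr is still an unread `subprocess.PIPE`, so a qemu that writes more than the OS pipe buffer to stderr blocks and `wait()` never returns. The pattern predates this change but the rewritten lines keep it; `_, err = process.communicate()` followed by `retcode = process.returncode` avoids the stall. Separately, now that the command is tokenised with `shlex.split(cmd)` instead of a shell, an unbalanced quote in the values interpolated into `-append '...'` makes `shlex.split` raise `ValueError`, which should be reported as a clear configuration error. `start_qemu` starts outside this hunk.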
@@ -1282,6 +1308,14 @@ def main(): return 0 try: config = BaseConfig() + + def sigterm_handler(signum, frame): + logger.info("SIGTERM received") + os.kill(config.qemupid, signal.SIGTERM) + config.cleanup() + subprocess.run(["tput", "smam"]) + signal.signal(signal.SIGTERM, sigterm_handler) + config.check_args() config.read_qemuboot() config.check_and_set() @@ -1300,8 +1334,8 @@ def main(): traceback.print_exc() return 1 finally: - print("Cleanup") config.cleanup() + subprocess.run(["tput", "smam"]) if __name__ == "__main__": sys.exit(main()) -- cgit v1.2.1
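Review bot: `sigterm_handler` calls `os.kill(config.qemupid, signal.SIGTERM)` unconditionally, but it is registered before `config.check_args()`, while `qemupid` is still the `None` assigned in `BaseConfig.__init__`. A SIGTERM that arrives before `start_qemu` runs therefore raises `TypeError` inside the handler instead of shutting down cleanly, and one that arrives after qemu has exited would raise `ProcessLookupError` the same way. Guard the call with `if config.qemupid:` and tolerate an already-gone process. In the second hunk (@@ -1300), the `finally` block runs `subprocess.run(["tput", "smam"])` with no handling for a missing `tput`, which would replace main()'s return value with an exception. main() begins and ends outside these hunks.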