From patchwork Mon Sep 30 04:47:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Armin Kuster X-Patchwork-Id: 174708 Delivered-To: patch@linaro.org Received: by 2002:a92:7e96:0:0:0:0:0 with SMTP id q22csp6648163ill; Sun, 29 Sep 2019 21:49:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqzJ+IjIqmMk3P5JMw3Nyuxi3HvBEZsDOcbbESWb0mLzZtelhw9US/M9f8RWrlchrFsPKUON X-Received: by 2002:aa7:8f03:: with SMTP id x3mr19077939pfr.91.1569818956692; Sun, 29 Sep 2019 21:49:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569818956; cv=none; d=google.com; s=arc-20160816; b=s+NZzZMBwQkTSkCBmg+5kdVBuYG5gt5VhbxK6Fk/E9fNnlfTj8kwWgkwTdNb4NivR9 Sku05d/65zIOLcArw26SuxSi7fw4Iez6WBRhRfO+WMKv0QQORTWDFw8bLimv56Tue7N2 8z+80I7W3+lnVYLUH1urSkH1i4Ksf9LIPj03x0su+b3dHbCSfWHm5bbY/4uD4g5ZaU2H lfZdmnSJXMXFPFPMgHtFPfzxmtcQeI4mpuvw5ZT5W7HbcEFi58cBbL9Bdo/UAi3xTl0H 6yMKW3afs5QwgM6Kqjc6ciaupGjaf4Fwz2Bx79+jI/JR2hj4oBk+DEtN+py2NFIF6vY3 yXtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=K+96q/3v4nv+uCw8l4wMbDdxybsEghDjQ39WlnqLAmo=; b=CqyWyzvqH4Owb2RyBGXSclTtDwSqqO0i/yMJiLD1endonAFovjbLKX6yG5tk3sVS26 FkX0w0Dw/CDXfdhZ2qGhjADy3SRdiYbwQHt8ixxhindZK2AA96qfesTn5d2f3ABKsRWn dG4taTbUCJ5adkOV/agH+i5FxNOV1NB64VSi6jJPZf9PmdGS6jTH12gQpGlsUDh9kmSj o+oJBYxoQaaw8yelQ98EbTX5o8uRx0FsSELVIV8qyIGSGaPn/oHz/hlB2uMNun0A2vTB G5zIaniWa8R5MLao2acucvpAqWKXDXYCMYela4Ng6GYJr6fZj5lkKyIxXcx+mo+PVTPQ S1MQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=K6ss2NPi; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) 
smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id ev17si13002209pjb.46.2019.09.29.21.49.16; Sun, 29 Sep 2019 21:49:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=K6ss2NPi; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id D2E9E7F371; Mon, 30 Sep 2019 04:48:41 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-pf1-f195.google.com (mail-pf1-f195.google.com [209.85.210.195]) by mail.openembedded.org (Postfix) with ESMTP id 614287BD97 for ; Mon, 30 Sep 2019 04:47:59 +0000 (UTC) Received: by mail-pf1-f195.google.com with SMTP id q5so4840127pfg.13 for ; Sun, 29 Sep 2019 21:48:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id:in-reply-to:references; bh=dQOskvLO4+Pm/JYq2/qiTkf+C0DW09nZSD+JVJDcubw=; b=K6ss2NPiybPoUXsRpSz/8ehqDEfwJEWnF9ZoN2DFzxfTHL53rJkbLzU1tiu2BeW8Vz Q5mYAiVDnaVp0w3k9ctecQVzv6PcOTFwfvcmTWOKwtkTfD/bMGq0SEAya9STR44864ZQ 3M/ioCg9im9jrFqyXFPVVFbIYqkSLznxI7OtptgPhGl+baR1BPdVrQqJeLLuwg56qmny CrOe2LSsT1Uc7YB/EEcB3RjpImmqZ/fq5bmXp/ls9nlC8/YCXcLAq5DbQvBywCh+tu0c 
yeyXR6st3iipuMxoyEMDld2ta5rLeuUvhFGWmmVw5rOFBs5t66b5QUbaxDgvAtdbgP3M 1RgQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=dQOskvLO4+Pm/JYq2/qiTkf+C0DW09nZSD+JVJDcubw=; b=jYzimQ9a3IbQFfklrdhIzHcXt/hnsOHGDmtQMh8WEt9B4qxEgZbAgM5DSWijf7iI4Q 3X/Ri15970VHeSGU5l/1f1/ASy2N4TSCqw2BAPh4bt2Llp/h0LzGXlXJMV+cuyzE3nw6 79cRzhd8Ka2Wj/07J5EhKLD1EOKFWpjC4IJHGBSLFJBxG5LyC3JSxsFPcJW9tpo7xsqN ahmhyu4iOt6X2WsP104ncl2nuoNvowLSoThKrdcxyXEr+V+RmguvgeQfhNKRjLoTZrwn CLVYlPCWd/lrkhRBHJta796GEvRHhGSd2kCfa4fvKN3l2VguR/qsUjbZWbpBJosVCjJK kM9w== X-Gm-Message-State: APjAAAVxs5Tq4x6FKhwe8Ynvg+m1IcdilCbRcnCGm+WBsbwKY3HtnaV1 MFx1cN96fHcORjUBQbBhF6VDY9ynYrI= X-Received: by 2002:aa7:8813:: with SMTP id c19mr19123011pfo.101.1569818880450; Sun, 29 Sep 2019 21:48:00 -0700 (PDT) Received: from akuster-ThinkPad-T460s.hsd1.ca.comcast.net ([2601:202:4180:a5c0:edf9:811d:ad92:85c2]) by smtp.gmail.com with ESMTPSA id h15sm18888493pgn.76.2019.09.29.21.47.59 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 29 Sep 2019 21:47:59 -0700 (PDT) From: Armin Kuster To: openembedded-core@lists.openembedded.org Date: Sun, 29 Sep 2019 21:47:01 -0700 Message-Id: <9be34806ddfbe0e8d214290e0623f2b9779a14b7.1569818533.git.akuster808@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: References: Subject: [OE-core] [warrior-next 06/54] libid3tag: handle unknown encodings (CVE-2017-11550) X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org From: Ross Burton (From OE-Core rev: 5090afc1b07e62f70ebcf63a7abb75b8552f0a52) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster --- .../libid3tag/libid3tag/unknown-encoding.patch | 39 ++++++++++++++++++++++ .../libid3tag/libid3tag_0.15.1b.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch b/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch new file mode 100644 index 0000000..f0867b5 --- /dev/null +++ b/meta/recipes-multimedia/libid3tag/libid3tag/unknown-encoding.patch 
@@ -0,0 +1,39 @@ +In case of an unknown/invalid encoding, id3_parse_string() will +return NULL, but the return value wasn't checked resulting +in segfault in id3_ucs4_length(). This is the only place +the return value wasn't checked. + +Patch taken from Debian: +https://sources.debian.org/patches/libid3tag/0.15.1b-14/11_unknown_encoding.dpatch/ + +CVE: CVE-2017-11550 +Upstream-Status: Pending +Signed-off-by: Ross Burton + +diff -urNad libid3tag-0.15.1b~/compat.gperf libid3tag-0.15.1b/compat.gperf +--- libid3tag-0.15.1b~/compat.gperf 2004-01-23 09:41:32.000000000 +0000 ++++ libid3tag-0.15.1b/compat.gperf 2007-01-14 14:36:53.000000000 +0000 +@@ -236,6 +236,10 @@ + + encoding = id3_parse_uint(&data, 1); + string = id3_parse_string(&data, end - data, encoding, 0); ++ if (!string) ++ { ++ continue; ++ } + + if (id3_ucs4_length(string) < 4) { + free(string); +diff -urNad libid3tag-0.15.1b~/parse.c libid3tag-0.15.1b/parse.c +--- libid3tag-0.15.1b~/parse.c 2004-01-23 09:41:32.000000000 +0000 ++++ libid3tag-0.15.1b/parse.c 2007-01-14 14:37:34.000000000 +0000 +@@ -165,6 +165,9 @@ + case ID3_FIELD_TEXTENCODING_UTF_8: + ucs4 = id3_utf8_deserialize(ptr, length); + break; ++ default: ++ /* FIXME: Unknown encoding! Print warning? */ ++ return NULL; + } + + if (ucs4 && !full) { diff --git a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb index 43edd3f..0312a61 100644 --- a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb +++ b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb 
@@ -14,6 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \ file://obsolete_automake_macros.patch \ file://0001-Fix-gperf-3.1-incompatibility.patch \ file://10_utf16.patch \ + file://unknown-encoding.patch \ " UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/" UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P.*)/$" From patchwork Mon Sep 30 04:47:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Armin Kuster X-Patchwork-Id: 174709 Delivered-To: patch@linaro.org Received: by 2002:a92:7e96:0:0:0:0:0 with SMTP id q22csp6648226ill; Sun, 29 Sep 2019 21:49:24 -0700 (PDT) X-Google-Smtp-Source: APXvYqxwLPEOdM5jo0BH0kGckmh/1mcqgnDUxrGc5T6DBLKK76M7vlRVh+Y5y6NqDtR6mDMO3/a6 X-Received: by 2002:a63:4754:: with SMTP id w20mr22703414pgk.134.1569818964338; Sun, 29 Sep 2019 21:49:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569818964; cv=none; d=google.com; s=arc-20160816; b=X6bNiwZ8FrSkX0722d3bszzrMH1eS/ZNJIkly92JE266gbjG/6IRT8k+PpKdo8D1Jy MHmJUDEO0fTOSKupqrlu9MrSijWOdVlGfH4O6vcTM0MC7MLHo+vjo8CIvrmjz5ATwYNr j+N44P7QRRMvfs6OChkYwZqYKw8NopDmwuB52ySC0T1gYO1LNjd1OWd8jbX6IXyzQyf7 4Q61B2w8udlwfcb7Qx+vGhxuKFxafcM79Yr4ch3x42kokZrlRNH5DR5olfKYyCpAu82Q uaQEcBPboy93YtHza7KnKvTjAY7MvVV3roCK/FcRrpeXYo3KEPglyo1KVYcgMm/770W+ SWeg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=aw/kiuQuw8PHySoV4AVgBQQGcyNQI2dfE18pzDOGe4w=; b=G5jXvY801BecPU+bdZB51N+nPtQGQ8W+01GuB45ZEuWw2j070Cv+vUjcvkIXsJL5k7 URdHVnytytfWkDoHFWRJOtIFjVa7CcXcOKluCjj2D5uAvAG4C0xBS89HiELlHTHfL7a5 GSi0wMNxeHt8aAhEHC1a9oFPYLw/zS4XgilwCtx5ylaSweInuiC1abJmN7W/STE0HNZ+ IHvCVjYapNL1HSTade192FkqkUGJlsAI8aIbXEPsZNOngb9l6MkMxc/ZPVjoJb43mzRm 
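Review bot: in the compat.gperf hunk the new `if (!string) { continue; }` block uses a brace-on-its-own-line style that differs from the surrounding code (`if (id3_ucs4_length(string) < 4) {`), and it skips the entry silently while the companion parse.c hunk still carries the Debian author's `/* FIXME: Unknown encoding! Print warning? */`. Since this is being imported as `Upstream-Status: Pending`, either resolve that FIXME (a short comment that unknown encodings now make `id3_parse_string()` return NULL and every caller must check it) or drop it, so the patch does not read as unfinished. The `default: return NULL;` arm itself is the right fail-closed behaviour for an attacker-controlled encoding byte, and the description's claim that compat.gperf was the only unchecked caller is what makes the fix complete; naming that caller explicitly in the description would let a reviewer confirm it without re-grepping.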
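Review bot: naming consistency for the `file://unknown-encoding.patch` addition: the other CVE fixes in this series name the file after the CVE (`CVE-2019-6128.patch`, `CVE-2019-7663.patch`). The `CVE: CVE-2017-11550` tag inside the patch header is what cve-check reads, so tooling is unaffected, but calling the file `CVE-2017-11550.patch` would make the recipe's SRC_URI self-describing.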
From: Armin Kuster To: openembedded-core@lists.openembedded.org Date: Sun, 29 Sep 2019 21:47:02 -0700 Message-Id: <203439837077275d632a62050f6606bd203c2484.1569818533.git.akuster808@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: References: Subject: [OE-core] [warrior-next 07/54] libid3tag: CVE-2017-11551 is the same as CVE-2004-2779 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org From: Ross Burton (From OE-Core rev: 0663e5f8f906803685f018061d51fd6277916e50) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch | 1 + 1 file changed, 1 insertion(+) -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch b/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch index 8d09ce7..10e0890 100644 --- a/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch +++ b/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.patch @@ -6,6 +6,7 @@ https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch Upstream-Status: Pending CVE: CVE-2004-2779 +CVE: CVE-2017-11551 
Signed-off-by: Changqing Li From patchwork Mon Sep 30 04:47:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Armin Kuster X-Patchwork-Id: 174710 Delivered-To: patch@linaro.org Received: by 2002:a92:7e96:0:0:0:0:0 with SMTP id q22csp6648301ill; Sun, 29 Sep 2019 21:49:32 -0700 (PDT) X-Google-Smtp-Source: APXvYqwgLHnk+LmJaETefeTYlW+i0qLhd4aqmQAjuq80iHBbZJYRSIPmLKOitBJW/9ALunvGi0iy X-Received: by 2002:a17:90a:ab85:: with SMTP id n5mr24601433pjq.117.1569818972723; Sun, 29 Sep 2019 21:49:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569818972; cv=none; d=google.com; s=arc-20160816; b=jfhn5tIz4YlnwXGWZDb4xlXQDPrDH2IWSTymjjKdpom2XH/Z8IEo9WXXwVz4GaVPQA J6sdvG+AzmeJ8VGFdPwnlk8iI0iadPT0kBL1dBH9UeTbnlt0A0eyx+0wBUNZzffJ1x5p QuA/TPMgUNqxWfHCVX86a9dSIZu98JXB050nKXj7uMAqSzO0Zobi5gxukOwq6DASGyEW 47wtT+fMm8jPOXcWiQcKbIp1Q272QtFuxW3p/Pv9FBxqGhXtsXorY+cK79GpnorQdSUR Csc/0nlqUBT6HTFBpeP8W/Q90Xw30e3q8A5bbCOLSk/3UMQzpVAkTFflCfGt8SXLLhrx 9gHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=nKs4YIwZOUIpV8SfjeDKgom8cicln2RO4591jzg9lHg=; b=KmGLssymCdx28vpMZXkHqyNEDOSJO9RrDeYcHkhwZnl0coRvqTdf/6cC8LbfGCx7dk fENU12TUkLocSscgftgNfHtVww39hzYCYqAm3BYqtzrIHoegkM5ORrsYOO+5KlTzMiAu kQrfum/c9NZ0gGOZlhReltkD09fDDzfcA6Rk5kpgmMXkNO1m/cJqnATsQA05OWMhtUEk kIk11mBqC4UyjTpGH/7AknMMVZQqtVhcihTh75Rfc2rCgIRkh2wodADLvzwlO696Wi0v VTtymWqSvB3nNzDjG3EwmwC2dxqKDuyC3D1HeF1R5gqUcbcfTTz/C6RqWWJy35pUVLID il3w== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=Kdafcl1W; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 
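Review bot: the commit message states that CVE-2017-11551 is the same bug as CVE-2004-2779 but gives no reference for that judgement. Adding a second `CVE:` line tells cve-check that the id is fixed, so a wrong alias would silently suppress a real finding; please cite the source used for the dedup (the NVD entry or the Debian bug) in the commit message so it can be audited later, and confirm that cve-check on the warrior branch picks up both `CVE:` lines from one patch header rather than only the first.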
4kcebOMFoPLyspUtLYuMn7dFxFOAMl5o1DnEThuZZ8I821iKr6DHLn+vVKxrd0Lor9F5 xu+hQDofXrGKp50UDRHoh6b39tvua9lffDjledqBPFkkgOsaFuRiiLM4NO+vbekNukoj HZpQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=hnT581ksGjvHz3tiL++Grc54cuBUBtoclFnz+7uX0dY=; b=WtUxNKm7P1IxJUc/Rn2LY2smmtFb7CVUw7dhdFRHxW908O5/+nYbfu0ZBGq0s6Gy49 AGjcBGN2SEZKn9FWChfYpu07bph6LNYKwUjhfgxmWJ05xP1BPPwxs194S4vauQ7IJ1Dn 59xR3Ve8oFhwm3Jwekzj3BBRQDdIJK/iAyn4nfIGYK2NBpWQroXa88pq265GkeYYxm1W NxFZtHaLX5NloLWZA4OthYOy9odF9QR7ot4nxzMDqFCTPvL+wkdu7DY5ceKMA8JMDuhT lKYG07vnQVKu5Lm+2Hv4zZ8RsEhODqmfg9SiO+odwbi4i9kCLHDqBiQO5YVD1MHLTA5N NNKA== X-Gm-Message-State: APjAAAVfr3O+LR3yRYRqC8+rlwTNkchYLssLO9RzqP5YPPoGuptrlIsl pySdkxXvGjEL1Z+TDes7+ZT6lsFxQ7g= X-Received: by 2002:a63:66c4:: with SMTP id a187mr22351890pgc.85.1569818882348; Sun, 29 Sep 2019 21:48:02 -0700 (PDT) Received: from akuster-ThinkPad-T460s.hsd1.ca.comcast.net ([2601:202:4180:a5c0:edf9:811d:ad92:85c2]) by smtp.gmail.com with ESMTPSA id h15sm18888493pgn.76.2019.09.29.21.48.01 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 29 Sep 2019 21:48:01 -0700 (PDT) From: Armin Kuster To: openembedded-core@lists.openembedded.org Date: Sun, 29 Sep 2019 21:47:03 -0700 Message-Id: X-Mailer: git-send-email 2.7.4 In-Reply-To: References: Subject: [OE-core] [warrior-next 08/54] tiff: fix CVE-2019-6128 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org From: Ross Burton (From OE-Core rev: 7293e417dd9bdd04fe0fec177a76c9286234ed46) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster --- .../libtiff/tiff/CVE-2019-6128.patch | 52 ++++++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | 2 +- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch new file mode 100644 index 0000000..6f1fd4d --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-6128.patch 
@@ -0,0 +1,52 @@ +CVE: CVE-2019-6128 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 Mon Sep 17 00:00:00 2001 +From: Scott Gayou +Date: Wed, 23 Jan 2019 15:03:53 -0500 +Subject: [PATCH] Fix for simple memory leak that was assigned CVE-2019-6128. + +pal2rgb failed to free memory on a few errors. This was reported +here: http://bugzilla.maptools.org/show_bug.cgi?id=2836. +--- + tools/pal2rgb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c +index 01d8502ec..9492f1cf1 100644 +--- a/tools/pal2rgb.c ++++ b/tools/pal2rgb.c +@@ -118,12 +118,14 @@ main(int argc, char* argv[]) + shortv != PHOTOMETRIC_PALETTE) { + fprintf(stderr, "%s: Expecting a palette image.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + if (!TIFFGetField(in, TIFFTAG_COLORMAP, &rmap, &gmap, &bmap)) { + fprintf(stderr, + "%s: No colormap (not a valid palette image).\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + bitspersample = 0; +@@ -131,11 +133,14 @@ main(int argc, char* argv[]) + if (bitspersample != 8) { + fprintf(stderr, "%s: Sorry, can only handle 8-bit images.\n", + argv[optind]); ++ (void) TIFFClose(in); + return (-1); + } + out = TIFFOpen(argv[optind+1], "w"); +- if (out == NULL) ++ if (out == NULL) { ++ (void) TIFFClose(in); + return (-2); ++ } + cpTags(in, out); + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength); +-- +2.21.0 diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb index 152fa81..a82d744 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb 
@@ -6,8 +6,8 @@ CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://libtool2.patch \ + file://CVE-2019-6128.patch" " - SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4" From patchwork Mon Sep 30 04:47:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Armin Kuster X-Patchwork-Id: 174711 Delivered-To: patch@linaro.org Received: by 2002:a92:7e96:0:0:0:0:0 with SMTP id q22csp6648408ill; Sun, 29 Sep 2019 21:49:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqzdQAKXeVdHufMPHfvSLyyRyg0PrcZxhyDUYFJzenWCCktRXM2QPDVTDd3xc718OBzItizv X-Received: by 2002:a17:90a:264a:: with SMTP id l68mr24914128pje.74.1569818983340; Sun, 29 Sep 2019 21:49:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569818983; cv=none; d=google.com; s=arc-20160816; b=dgQ2EpCEjL6dfFxGgcGMSgplhNiiwKCsRRkmcWmvREILdRCPG1vumygq6SMzewUz1R OzowPhLJSHucfL/e1B4LP+Hylzm2eEGyLHOObIXNn0rEWshd9IuAuk1dCM4ihHA0Jl+e zVU0YGUFBindkcluJ072ABQk5j7HIhbu6VuCDpb65S+IBIQ3eT/JQaDfW64mAj3yqssu fDVnINBFlue0ccuh0/9QNsEVF5KZLbMtqKalX0n/5NZwvHOYlDx4RUYyoyJaS3CgLfKJ ViCt7EFxaL9Z3SZu1HyZ6aTyK9ywXBSKkyj44hTsgYEern/Vfc0ZF4V2Xo9Q7jDV4Z6D 4TUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=ejbzneT1czepXYgWGrCA/0uN7Wn1JAehgsQFcWkJe5g=; b=ydoogu0QKa3dsqSlB7wCbeqiRT113FAOpJgWcEQJBen0m1Pw+/jjan4ePbHKhEr9wE AwXVEZkvn1IaV8YnobHuuyFQCcB/kObPKAfZLvE0SN1oXcvY3RKeJ9JahNREjk0yADlw LxKIGbggcbisXI9LOVy32b8cJ9KX55dxRsBh3sb3EtDVKKOFk34zs5xPftS8JPKUQKJf +32rckUuEWdOLuU9/wrGXuKwR/FaOQvgsOPKW15Own/f3P6995Y91pNF0zuwa/e3etfC vuY+mGeKNAxHOxCgjtSl38pJxbEYZrDpRfqhyIRjYMVPH4cWSOx9M7qAPzHY+mD8K1XC 
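Review bot: the backported pal2rgb.c hunks add `(void) TIFFClose(in)` before every early `return` in the visible range, so the fix is complete for those paths. Two documentation points: the leak is in the `pal2rgb` command-line tool (tools/pal2rgb.c), not in the library, and the process exits right after those returns, so stating that in the commit message helps anyone triaging which CVE backports matter for images that ship only libtiff; and the upstream commit id (0c74a9f49b8d7a36b17b54a7428b3526d20f88a8) should be recorded on the `Upstream-Status: Backport` line as well as in the embedded `From` header, so the origin can be checked without opening the file.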
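Review bot: the tiff_4.0.10.bb hunk leaves the recipe with a stray line. The added `file://CVE-2019-6128.patch"` closes the SRC_URI string, but the existing `"` line below it is kept as unchanged context, so after this patch the recipe contains a bare `"` on its own line; the next patch in this series (09/54, CVE-2019-7663) has to rewrite it as `file://CVE-2019-6128.patch \` to repair that. Use the trailing-backslash form here so every commit on the branch leaves a parseable recipe. The hunk also deletes the blank line between SRC_URI and `SRC_URI[md5sum]`, which is an unrelated whitespace change.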
From: Armin Kuster To: openembedded-core@lists.openembedded.org Date: Sun, 29 Sep 2019 21:47:04 -0700 Message-Id: <3c036ee32a8080c12a8c31abed6f0e989c06a306.1569818533.git.akuster808@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: References: Subject: [OE-core] [warrior-next 09/54] tiff: fix CVE-2019-7663 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org From: Ross Burton (From OE-Core rev: d06d6910d1ec9374bb15e02809e64e81198731b6) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- .../libtiff/tiff/CVE-2019-7663.patch | 77 ++++++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | 3 +- 2 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch new file mode 100644 index 0000000..f244fb2 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2019-7663.patch 
@@ -0,0 +1,77 @@ +CVE: CVE-2019-7663 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From c6fc6c1fa895024c86285c58efd6424cf8078f32 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 10:05:33 +0100 +Subject: [PATCH 1/2] check that (Tile Width)*(Samples/Pixel) do no overflow + +fixes bug 2833 +--- + tools/tiffcp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 2f406e2d..f0ee2c02 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1408,7 +1408,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + int status = 1; + uint32 imagew = TIFFRasterScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew*spp; ++ int iskew; + tsize_t tilesize = TIFFTileSize(in); + tdata_t tilebuf; + uint8* bufp = (uint8*) buf; +@@ -1416,6 +1416,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + ++ if (spp > (0x7fffffff / tilew)) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)"); ++ return 0; ++ } ++ iskew = imagew - tilew*spp; + tilebuf = _TIFFmalloc(tilesize); + if (tilebuf == 0) + return 0; +-- +2.20.1 + + +From da6454aa80b9bb3154dfab4e8b21637de47531e0 Mon Sep 17 00:00:00 2001 +From: Thomas Bernard +Date: Mon, 11 Feb 2019 21:42:03 +0100 +Subject: [PATCH 2/2] tiffcp.c: use INT_MAX + +--- + tools/tiffcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index f0ee2c02..8c81aa4f 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + + #include + +@@ -1416,7 +1417,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + uint32 row; + uint16 bps = 0, bytes_per_sample; + +- if (spp > (0x7fffffff / tilew)) ++ if (spp > (INT_MAX / tilew)) + { + TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * 
Samples/Pixel)"); + return 0; +-- +2.20.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb index a82d744..8e3e227 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.10.bb 
@@ -6,7 +6,8 @@ CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://libtool2.patch \ - file://CVE-2019-6128.patch" + file://CVE-2019-6128.patch \ + file://CVE-2019-7663.patch \ " SRC_URI[md5sum] = "114192d7ebe537912a2b97408832e7fd" SRC_URI[sha256sum] = "2c52d11ccaf767457db0c46795d9c7d1a8d8f76f68b0b800a3dfe45786b996e4"
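Review bot: in the backported readSeparateTilesIntoBuffer hunk of CVE-2019-7663.patch, the new guard `if (spp > (INT_MAX / tilew))` divides by `tilew`, which is taken straight from `uint32 tilew = TIFFTileRowSize(in);` with no check that it is non-zero, so an input whose tile row size computes to 0 would trade the original multiplication overflow for a division by zero; suggest `if (tilew == 0 || spp > (INT_MAX / tilew))` so the error path is taken instead. Also, the `+#include` line that patch 2/2 adds for INT_MAX shows no header name in this rendering; confirm the file in the recipe carries `<limits.h>`.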
From: Armin Kuster
To: openembedded-core@lists.openembedded.org
Date: Sun, 29 Sep 2019 21:47:38 -0700
Message-Id: <6b4c4fbaef8b4655efbc542fb7b97081dbaed8ce.1569818533.git.akuster808@gmail.com>
Subject: [OE-core] [warrior-next 43/54] kernel-fitimage: uboot-sign: fix missing signature

From: Jun Nie

u-boot.bin with dtb & signature should be placed in ${B} so that it can be deployed by u-boot as expected. Otherwise, the version without signature is installed.

Signed-off-by: Jun Nie
Signed-off-by: Richard Purdie
Signed-off-by: Armin Kuster
---
meta/classes/uboot-sign.bbclass | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass index 8beafff..1fc2a37 100644 --- a/meta/classes/uboot-sign.bbclass +++ b/meta/classes/uboot-sign.bbclass @@ -66,7 +66,7 @@ concat_dtb_helper() { install ${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE} elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e "$deployed_uboot_dtb_binary" ]; then cd ${DEPLOYDIR} - cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${UBOOT_BINARY} > ${UBOOT_IMAGE} + cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE} else bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available." fi
@@ -77,10 +77,12 @@ concat_dtb() { mkdir -p ${DEPLOYDIR} if [ -n "${UBOOT_CONFIG}" ]; then for config in ${UBOOT_MACHINE}; do + CONFIG_B_PATH="${config}" cd ${B}/${config} concat_dtb_helper done else + CONFIG_B_PATH="" cd ${B} concat_dtb_helper fi
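Review bot: in the concat_dtb_helper hunk the exit status of `cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE}` is never checked, so a failing `cat` or `tee` leaves a truncated image under ${B} that the u-boot deploy step will then install as if it were the signed binary; since this is the verified-boot artefact, write to a temporary name and `mv` it into place only on success, or at least follow the pipeline with `|| bbfatal`. Note also that the copy previously written to `${UBOOT_BINARY}` in ${DEPLOYDIR} (the cwd after `cd ${DEPLOYDIR}`) is no longer produced; confirm nothing else reads `${DEPLOYDIR}/${UBOOT_BINARY}`. In the concat_dtb hunk the empty `CONFIG_B_PATH=""` case yields `${B}//${UBOOT_BINARY}`, harmless but worth a `${CONFIG_B_PATH:+${CONFIG_B_PATH}/}` if you want clean paths in logs.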
From: Armin Kuster
To: openembedded-core@lists.openembedded.org
Date: Sun, 29 Sep 2019 21:47:49 -0700
Message-Id: <8c87e78547c598cada1bce92e7b25d85b994e2eb.1569818533.git.akuster808@gmail.com>
Subject: [OE-core] [warrior-next 54/54] cve-check: backport rewrite from master
From: Ross Burton

As detailed at [1] the XML feeds provided by NIST are being discontinued on October 9th 2019. As cve-check-tool uses these feeds, cve-check.bbclass will be inoperable after this date.

To ensure that cve-check continues working, backport the following commits from master to move away from the unmaintained cve-check-tool to our own Python code that fetches the JSON:

546d14135c5 cve-update-db: New recipe to update CVE database
bc144b028f6 cve-check: Remove dependency to cve-check-tool-native
7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name
3bf63bc6084 cve-check: Consider CVE that affects versions with less than operator
c0eabd30d7b cve-update-db: Use std library instead of urllib3
27eb839ee65 cve-check: be idiomatic
09be21f4d17 cve-update-db: Manage proxy if needed.
975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch
0325dd72714 cve-update-db: Catch request.urlopen errors.
4078da92b49 cve-check: Depends on cve-update-db-native
f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table
bc0195be1b1 cve-check: Update unpatched CVE matching
c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not loaded.
07bb8b25e17 cve-check: remove redundant readline CVE whitelisting
5388ed6d137 cve-check-tool: remove
270ac00cb43 cve-check.bbclass: initialize to_append
e6bf9000987 cve-check: allow comparison of Vendor as well as Product
91770338f76 cve-update-db-native: use SQL placeholders instead of format strings
7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
78de2cb39d7 cve-update-db-native: Remove hash column from database.
4b301030cf9 cve-update-db-native: use os.path.join instead of +
f0d822fad2a cve-update-db: actually inherit native
b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion
bb4e53af33d cve-update-db-native: improve metadata parsing
94227459792 cve-update-db-native: clean up JSON fetching
95438d52b73 cve-update-db-native: fix https proxy issues
1f9a963b9ff glibc: exclude child recipes from CVE scanning

[1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement

Signed-off-by: Ross Burton
Signed-off-by: Armin Kuster --- meta/classes/cve-check.bbclass | 142 ++++++++------ meta/conf/distro/include/maintainers.inc | 1 + meta/recipes-core/glibc/glibc-locale.inc | 3 + meta/recipes-core/glibc/glibc-mtrace.inc | 3 + meta/recipes-core/glibc/glibc-scripts.inc | 3 + meta/recipes-core/meta/cve-update-db-native.bb | 195 +++++++++++++++++++ .../cve-check-tool/cve-check-tool_5.6.4.bb | 62 ------ ...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 ----- ...ow-overriding-default-CA-certificate-file.patch | 215 --------------------- ...ogress-in-percent-when-downloading-CVE-db.patch | 135 ------------- ...are-computed-vs-expected-sha256-digit-str.patch | 52 ----- .../check-for-malloc_trim-before-using-it.patch | 51 ----- 12 files changed, 292 insertions(+), 620 deletions(-) create mode 100644 meta/recipes-core/meta/cve-update-db-native.bb delete mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch delete mode 100644 meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 743bc08..c00d291 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" -CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db" +CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db" CVE_CHECK_LOG ?= "${T}/cve.log" CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check" 
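Review bot: the renamed `CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"` in this hunk is only consulted by the checker; the new cve-update-db-native recipe later in the patch builds its own path from `os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK')` and the literal `'nvdcve_1.0.db'`, so a distro that overrides CVE_CHECK_DB_DIR or CVE_CHECK_DB_FILE ends up with a checker looking where the updater never writes, and do_cve_check then skips silently. Suggest the recipe derive db_file from `d.getVar("CVE_CHECK_DB_FILE")`, which it already reads to decide whether to skip itself.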
@@ -37,32 +37,33 @@ CVE_CHECK_COPY_FILES ??= "1" CVE_CHECK_CREATE_MANIFEST ??= "1" # Whitelist for packages (PN) -CVE_CHECK_PN_WHITELIST = "\ - glibc-locale \ -" +CVE_CHECK_PN_WHITELIST ?= "" -# Whitelist for CVE and version of package -CVE_CHECK_CVE_WHITELIST = "{\ - 'CVE-2014-2524': ('6.3','5.2',), \ -}" +# Whitelist for CVE. If a CVE is found, then it is considered patched. +# The value is a string containing space separated CVE values: +# +# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' +# +CVE_CHECK_WHITELIST ?= "" python do_cve_check () { """ Check recipe for patched and unpatched CVEs """ - if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")): + if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): patched_cves = get_patches_cves(d) patched, unpatched = check_cves(d, patched_cves) if patched or unpatched: cve_data = get_cve_info(d, patched + unpatched) cve_write_data(d, patched, unpatched, cve_data) else: - bb.note("Failed to update CVE database, skipping CVE check") + bb.note("No CVE database found, skipping CVE check") + } addtask cve_check after do_unpack before do_build -do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot cve-check-tool-native:do_populate_cve_db" +do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db" do_cve_check[nostamp] = "1" python cve_check_cleanup () { 
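Review bot: in the do_cve_check hunk a missing database is reported with `bb.note("No CVE database found, skipping CVE check")`, which is invisible at the default log level; because the database is fetched over the network on every build (`do_populate_cve_db[nostamp] = "1"`), an offline or failed fetch now quietly produces a CVE report listing nothing for every recipe. Suggest `bb.warn` here so a build that did not actually scan is distinguishable from a clean one. The new CVE_CHECK_WHITELIST comment should also say that, unlike the removed per-version `CVE_CHECK_CVE_WHITELIST` dict (`'CVE-2014-2524': ('6.3','5.2',)`), a listed CVE is treated as patched for every recipe and every version.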
@@ -163,65 +164,94 @@ def get_patches_cves(d): def check_cves(d, patched_cves): """ - Run cve-check-tool looking for patched and unpatched CVEs. + Connect to the NVD database and find unpatched cves. """ - import ast, csv, tempfile, subprocess, io + from distutils.version import LooseVersion - cves_patched = [] cves_unpatched = [] - bpn = d.getVar("CVE_PRODUCT") + # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) + products = d.getVar("CVE_PRODUCT").split() # If this has been unset then we're not scanning for CVEs here (for example, image recipes) - if not bpn: + if not products: return ([], []) pv = d.getVar("CVE_VERSION").split("+git")[0] - cves = " ".join(patched_cves) - cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") - cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) - cve_cmd = "cve-check-tool" - cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir] # If the recipe has been whitlisted we return empty lists if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): bb.note("Recipe has been whitelisted, skipping check") return ([], []) - try: - # Write the faux CSV file to be used with cve-check-tool - fd, faux = tempfile.mkstemp(prefix="cve-faux-") - with os.fdopen(fd, "w") as f: - for pn in bpn.split(): - f.write("%s,%s,%s,\n" % (pn, pv, cves)) - cmd.append(faux) - - output = subprocess.check_output(cmd).decode("utf-8") - bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output)) - except subprocess.CalledProcessError as e: - bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output)) - finally: - os.remove(faux) - - for row in csv.reader(io.StringIO(output)): - # Third row has the unpatched CVEs - if row[2]: - for cve in row[2].split(): - # Skip if the CVE has been whitlisted for the current version - if pv in cve_whitelist.get(cve,[]): - bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve)) + old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST") 
+ if old_cve_whitelist: + bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.") + cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() + + import sqlite3 + db_file = d.getVar("CVE_CHECK_DB_FILE") + conn = sqlite3.connect(db_file) + + for product in products: + c = conn.cursor() + if ":" in product: + vendor, product = product.split(":", 1) + c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor)) + else: + c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,)) + + for row in c: + cve = row[0] + version_start = row[3] + operator_start = row[4] + version_end = row[5] + operator_end = row[6] + + if cve in cve_whitelist: + bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) + elif cve in patched_cves: + bb.note("%s has been patched" % (cve)) + else: + to_append = False + if (operator_start == '=' and pv == version_start): + cves_unpatched.append(cve) else: + if operator_start: + try: + to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) + to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) + except: + bb.note("%s: Failed to compare %s %s %s for %s" % + (product, pv, operator_start, version_start, cve)) + to_append_start = False + else: + to_append_start = False + + if operator_end: + try: + to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) + to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) + except: + bb.note("%s: Failed to compare %s %s %s for %s" % + (product, pv, operator_end, version_end, cve)) + to_append_end = False + else: + to_append_end = False + + if operator_start and operator_end: + to_append = to_append_start and to_append_end + else: + to_append = to_append_start or to_append_end + + if to_append: cves_unpatched.append(cve) - bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve)) - # Fourth row has 
patched CVEs - if row[3]: - for cve in row[3].split(): - cves_patched.append(cve) - bb.debug(2, "%s-%s is patched for %s" % (bpn, pv, cve)) + bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) + conn.close() - return (cves_patched, cves_unpatched) + return (list(patched_cves), cves_unpatched) def get_cve_info(d, cves): """ - Get CVE information from the database used by cve-check-tool. + Get CVE information from the database. Unfortunately the only way to get CVE info is set the output to html (hard to parse) or query directly the database. @@ -241,9 +271,10 @@ def get_cve_info(d, cves): for row in cur.execute(query, tuple(cves)): cve_data[row[0]] = {} cve_data[row[0]]["summary"] = row[1] - cve_data[row[0]]["score"] = row[2] - cve_data[row[0]]["modified"] = row[3] - cve_data[row[0]]["vector"] = row[4] + cve_data[row[0]]["scorev2"] = row[2] + cve_data[row[0]]["scorev3"] = row[3] + cve_data[row[0]]["modified"] = row[4] + cve_data[row[0]]["vector"] = row[5] conn.close() return cve_data @@ -270,7 +301,8 @@ def cve_write_data(d, patched, unpatched, cve_data): unpatched_cves.append(cve) write_string += "CVE STATUS: Unpatched\n" write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] - write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"] + write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] + write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc index 950b8e8..660a52a 100644 --- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc 
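Review bot: in the check_cves hunk a PRODUCTS row whose OPERATOR_START and OPERATOR_END are both empty, which is exactly what cpe_generator in cve-update-db-native.bb emits for a CPE with version `*` and no versionStart/versionEnd bound (i.e. every version is affected), never sets `to_append`: the `operator_start == '='` branch is not taken, both `if operator_start:` and `if operator_end:` fall through to `to_append_* = False`, and `to_append_start or to_append_end` is False, so those CVEs are silently dropped from the unpatched list. Suggest an explicit `if not operator_start and not operator_end: to_append = True` ahead of the range comparisons. Two smaller points in the same hunk: the bare `except:` around the LooseVersion comparisons should be `except Exception:` so it does not swallow KeyboardInterrupt, and `bb.note("%s has been patched" % (cve))` fires once per PRODUCTS row rather than once per CVE, which is noisy for products with many CPE entries.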
@@ -135,6 +135,7 @@ RECIPE_MAINTAINER_pn-cryptodev-tests = "Robert Yang " RECIPE_MAINTAINER_pn-cups = "Chen Qi " RECIPE_MAINTAINER_pn-curl = "Armin Kuster " RECIPE_MAINTAINER_pn-cve-check-tool = "Ross Burton " +RECIPE_MAINTAINER_pn-cve-update-db-native = "Ross Burton " RECIPE_MAINTAINER_pn-cwautomacros = "Ross Burton " RECIPE_MAINTAINER_pn-db = "Mark Hatle " RECIPE_MAINTAINER_pn-dbus = "Chen Qi " diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc index 17f5b78..3f77221 100644 --- a/meta/recipes-core/glibc/glibc-locale.inc +++ b/meta/recipes-core/glibc/glibc-locale.inc @@ -100,3 +100,6 @@ do_install() { inherit libc-package BBCLASSEXTEND = "nativesdk" + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = "" diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc index d703c14..ef9d60e 100644 --- a/meta/recipes-core/glibc/glibc-mtrace.inc +++ b/meta/recipes-core/glibc/glibc-mtrace.inc @@ -11,3 +11,6 @@ do_install() { install -d -m 0755 ${D}${bindir} install -m 0755 ${SRC}/mtrace ${D}${bindir}/ } + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = "" diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc index 2a2b415..14a14e4 100644 --- a/meta/recipes-core/glibc/glibc-scripts.inc +++ b/meta/recipes-core/glibc/glibc-scripts.inc @@ -18,3 +18,6 @@ do_install() { # sotruss script requires sotruss-lib.so (given by libsotruss package), # to produce trace of the library calls. RDEPENDS_${PN} += "libsotruss" + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = "" diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb new file mode 100644 index 0000000..2c427a5 --- /dev/null +++ b/meta/recipes-core/meta/cve-update-db-native.bb 
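Review bot: the maintainers.inc hunk adds `RECIPE_MAINTAINER_pn-cve-update-db-native` but leaves the `RECIPE_MAINTAINER_pn-cve-check-tool` context line above it in place, even though cve-check-tool_5.6.4.bb is deleted later in this same patch; drop the stale entry so the maintainers list does not carry a recipe that no longer exists in the layer.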
@@ -0,0 +1,195 @@ +SUMMARY = "Updates the NVD CVE database" +LICENSE = "MIT" + +INHIBIT_DEFAULT_DEPS = "1" + +inherit native + +deltask do_unpack +deltask do_patch +deltask do_configure +deltask do_compile +deltask do_install +deltask do_populate_sysroot + +python () { + if not d.getVar("CVE_CHECK_DB_FILE"): + raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") +} + +python do_populate_cve_db() { + """ + Update NVD database with json data feed + """ + + import sqlite3, urllib, urllib.parse, shutil, gzip + from datetime import date + + BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-" + YEAR_START = 2002 + + db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK') + db_file = os.path.join(db_dir, 'nvdcve_1.0.db') + json_tmpfile = os.path.join(db_dir, 'nvd.json.gz') + proxy = d.getVar("https_proxy") + + if proxy: + # instantiate an opener but do not install it as the global + # opener unless if we're really sure it's applicable for all + # urllib requests + proxy_handler = urllib.request.ProxyHandler({'https': proxy}) + proxy_opener = urllib.request.build_opener(proxy_handler) + else: + proxy_opener = None + + cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') + + if not os.path.isdir(db_dir): + os.mkdir(db_dir) + + # Connect to database + conn = sqlite3.connect(db_file) + c = conn.cursor() + + initialize_db(c) + + for year in range(YEAR_START, date.today().year + 1): + year_url = BASE_URL + str(year) + meta_url = year_url + ".meta" + json_url = year_url + ".json.gz" + + # Retrieve meta last modified date + + response = None + + if proxy_opener: + response = proxy_opener.open(meta_url) + else: + req = urllib.request.Request(meta_url) + response = urllib.request.urlopen(req) + + if response: + for l in response.read().decode("utf-8").splitlines(): + key, value = l.split(":", 1) + if key == "lastModifiedDate": + last_modified = value + break + else: + bb.warn("Cannot parse CVE metadata, update failed") + return + + # 
Compare with current db last modified date + c.execute("select DATE from META where YEAR = ?", (year,)) + meta = c.fetchone() + if not meta or meta[0] != last_modified: + # Clear products table entries corresponding to current year + c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)) + + # Update db with current year json file + try: + if proxy_opener: + response = proxy_opener.open(json_url) + else: + req = urllib.request.Request(json_url) + response = urllib.request.urlopen(req) + + if response: + update_db(c, gzip.decompress(response.read()).decode('utf-8')) + c.execute("insert or replace into META values (?, ?)", [year, last_modified]) + except urllib.error.URLError as e: + cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') + bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) + return + + # Update success, set the date to cve_check file. + if year == date.today().year: + cve_f.write('CVE database update : %s\n\n' % date.today()) + + cve_f.close() + conn.commit() + conn.close() +} + +def initialize_db(c): + c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") + c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ + SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") + c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ + VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ + VERSION_END TEXT, OPERATOR_END TEXT)") + +def parse_node_and_insert(c, node, cveId): + # Parse children node if needed + for child in node.get('children', ()): + parse_node_and_insert(c, child, cveId) + + def cpe_generator(): + for cpe in node.get('cpe_match', ()): + if not cpe['vulnerable']: + return + cpe23 = cpe['cpe23Uri'].split(':') + vendor = cpe23[3] + product = cpe23[4] + version = cpe23[5] + + if version != '*': + # Version is defined, this is a '=' match + yield [cveId, vendor, product, version, '=', '', ''] + else: + # Parse start version, end 
version and operators + op_start = '' + op_end = '' + v_start = '' + v_end = '' + + if 'versionStartIncluding' in cpe: + op_start = '>=' + v_start = cpe['versionStartIncluding'] + + if 'versionStartExcluding' in cpe: + op_start = '>' + v_start = cpe['versionStartExcluding'] + + if 'versionEndIncluding' in cpe: + op_end = '<=' + v_end = cpe['versionEndIncluding'] + + if 'versionEndExcluding' in cpe: + op_end = '<' + v_end = cpe['versionEndExcluding'] + + yield [cveId, vendor, product, v_start, op_start, v_end, op_end] + + c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()) + +def update_db(c, jsondata): + import json + root = json.loads(jsondata) + + for elt in root['CVE_Items']: + if not elt['impact']: + continue + + cveId = elt['cve']['CVE_data_meta']['ID'] + cveDesc = elt['cve']['description']['description_data'][0]['value'] + date = elt['lastModifiedDate'] + accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector'] + cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore'] + + try: + cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore'] + except: + cvssv3 = 0.0 + + c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", + [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]) + + configurations = elt['configurations']['nodes'] + for config in configurations: + parse_node_and_insert(c, config, cveId) + + +addtask do_populate_cve_db before do_fetch +do_populate_cve_db[nostamp] = "1" + +EXCLUDE_FROM_WORLD = "1" diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb deleted file mode 100644 index 1c84fb1..0000000 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ /dev/null 
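Review bot: in cpe_generator of the new cve-update-db-native.bb, `if not cpe['vulnerable']: return` terminates the generator, so every cpe_match entry after the first non-vulnerable one in a node (NVD nodes can list non-vulnerable platform CPEs next to the vulnerable ones) is never inserted into PRODUCTS and the affected CVEs go unreported; this should be `continue`. Three further points in the same hunk: the `.meta` file is only consulted for `lastModifiedDate`, so the digest check that the removed cve-check-tool carried (0001-update-Compare-computed-vs-expected-sha256-digit-str.patch) has no counterpart and download integrity rests on TLS alone; `import sqlite3, urllib, urllib.parse, shutil, gzip` does not import `urllib.request` or `urllib.error`, which the task then uses, so it relies on those submodules having been imported elsewhere in bitbake; and the deleted recipe honoured `BB_NO_NETWORK` before fetching while the new task fetches unconditionally, which will break offline builds with a URLError instead of a clear warning. Also, on the `bb.warn("Cannot parse CVE metadata, update failed")` early return neither `cve_f` nor `conn` is closed.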
@@ -1,62 +0,0 @@ -SUMMARY = "cve-check-tool" -DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\ -The tool will identify potentially vunlnerable software packages within Linux distributions through version matching." -HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool" -SECTION = "Development/Tools" -LICENSE = "GPL-2.0+" -LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6" - -SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ - file://check-for-malloc_trim-before-using-it.patch \ - file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ - file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ - file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \ - file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \ - " - -SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" -SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b" - -UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases" - -DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates" - -RDEPENDS_${PN} = "ca-certificates" - -inherit pkgconfig autotools - -EXTRA_OECONF = "--disable-coverage --enable-relative-plugins" -CFLAGS_append = " -Wno-error=pedantic" - -do_populate_cve_db() { - if [ "${BB_NO_NETWORK}" = "1" ] ; then - bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected" - return - fi - - # In case we don't inherit cve-check class, use default values defined in the class. 
- cve_dir="${CVE_CHECK_DB_DIR}" - cve_file="${CVE_CHECK_TMP_FILE}" - - [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK" - [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" - - unused="${@bb.utils.export_proxies(d)}" - bbdebug 2 "Updating cve-check-tool database located in $cve_dir" - # --cacert works around curl-native not finding the CA bundle - if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then - printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file" - else - bbwarn "Error in executing cve-check-update" - if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then - bbwarn "Failed to update cve-check-tool database, CVEs won't be checked" - fi - fi -} - -addtask populate_cve_db after do_populate_sysroot -do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot" -do_populate_cve_db[nostamp] = "1" -do_populate_cve_db[progress] = "percent" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch deleted file mode 100644 index 4a82cf2..0000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001 -From: Peter Marko -Date: Thu, 13 Apr 2017 23:09:52 +0200 -Subject: [PATCH] Fix freeing memory allocated by sqlite - -Upstream-Status: Backport -Signed-off-by: Peter Marko ---- - src/core.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/core.c b/src/core.c -index 6263031..6788f16 100644 ---- a/src/core.c -+++ b/src/core.c -@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self) - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); - if (rc != SQLITE_OK) { - fprintf(stderr, "ensure_table(): %s\n", err); -- free(err); -+ sqlite3_free(err); - return false; - } - -@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self) - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); - if (rc != SQLITE_OK) { - fprintf(stderr, "ensure_table(): %s\n", err); -- free(err); -+ sqlite3_free(err); - return false; - } - -@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self) - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); - if (rc != SQLITE_OK) { - fprintf(stderr, "ensure_table(): %s\n", err); -- free(err); -+ sqlite3_free(err); - return false; - } - if (err) { -- free(err); -+ sqlite3_free(err); - } - - return true; --- -2.1.4 - diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch deleted file mode 100644 index 3d8ebd1..0000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch +++ /dev/null 
@@ -1,215 +0,0 @@ -From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001 -From: Jussi Kukkonen -Date: Thu, 9 Feb 2017 14:51:28 +0200 -Subject: [PATCH] curl: allow overriding default CA certificate file - -Similar to curl, --cacert can now be used in cve-check-tool and -cve-check-update to override the default CA certificate file. Useful -in cases where the system default is unsuitable (for example, -out-dated) or broken (as in OE's current native libcurl, which embeds -a path string from one build host and then uses it on another although -the right path may have become something different). - -Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45] - -Signed-off-by: Patrick Ohly - - -Took Patrick Ohlys original patch from meta-security-isafw, rebased -on top of other patches. - -Signed-off-by: Jussi Kukkonen ---- - src/library/cve-check-tool.h | 1 + - src/library/fetch.c | 10 +++++++++- - src/library/fetch.h | 3 ++- - src/main.c | 5 ++++- - src/update-main.c | 4 +++- - src/update.c | 12 +++++++----- - src/update.h | 2 +- - 7 files changed, 27 insertions(+), 10 deletions(-) - -diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h -index e4bb5b1..f89eade 100644 ---- a/src/library/cve-check-tool.h -+++ b/src/library/cve-check-tool.h -@@ -43,6 +43,7 @@ typedef struct CveCheckTool { - bool bugs; /**output_file = output_file; -+ self->cacert_file = cacert_file; - - if (!csv_mode && self->output_file) { - quiet = false; -@@ -530,7 +533,7 @@ int main(int argc, char **argv) - if (status) { - fprintf(stderr, "Update of db forced\n"); - cve_db_unlock(); -- if (!update_db(quiet, db_path->str)) { -+ if (!update_db(quiet, db_path->str, self->cacert_file)) { - fprintf(stderr, "DB update failure\n"); - goto cleanup; - } -diff --git a/src/update-main.c b/src/update-main.c -index 2379cfa..c52d9d0 100644 ---- a/src/update-main.c -+++ b/src/update-main.c -@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 
of the License, or\n\ - static gchar *nvds = NULL; - static bool _show_version = false; - static bool _quiet = false; -+static const char *_cacert_file = NULL; - - static GOptionEntry _entries[] = { - { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL }, - { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL }, - { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL }, -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, - { .short_name = 0 } - }; - -@@ -88,7 +90,7 @@ int main(int argc, char **argv) - goto end; - } - -- if (update_db(_quiet, db_path->str)) { -+ if (update_db(_quiet, db_path->str, _cacert_file)) { - ret = EXIT_SUCCESS; - } else { - fprintf(stderr, "Failed to update database\n"); -diff --git a/src/update.c b/src/update.c -index 070560a..8cb4a39 100644 ---- a/src/update.c -+++ b/src/update.c -@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) - - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, - bool db_exist, bool verbose, -- unsigned int this_percent, unsigned int next_percent) -+ unsigned int this_percent, unsigned int next_percent, -+ const char *cacert_file) - { - const char nvd_uri[] = URI_PREFIX; - autofree(cve_string) *uri_meta = NULL; -@@ -331,14 +332,14 @@ refetch: - } - - /* Fetch NVD META file */ -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file); - if (st == FETCH_STATUS_FAIL) { - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); - return -1; - } - - /* Fetch NVD XML file */ -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, 
cacert_file); - switch (st) { - case FETCH_STATUS_FAIL: - fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); -@@ -391,7 +392,7 @@ refetch: - return 0; - } - --bool update_db(bool quiet, const char *db_file) -+bool update_db(bool quiet, const char *db_file, const char *cacert_file) - { - autofree(char) *db_dir = NULL; - autofree(CveDB) *cve_db = NULL; -@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file) - if (!quiet) - fprintf(stderr, "completed: %u%%\r", start_percent); - rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, -- start_percent, end_percent); -+ start_percent, end_percent, -+ cacert_file); - switch (rc) { - case 0: - if (!quiet) -diff --git a/src/update.h b/src/update.h -index b8e9911..ceea0c3 100644 ---- a/src/update.h -+++ b/src/update.h -@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path); - - int update_required(const char *db_file); - --bool update_db(bool quiet, const char *db_file); -+bool update_db(bool quiet, const char *db_file, const char *cacert_file); - - - /* --- -2.1.4 - diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch deleted file mode 100644 index 8ea6f68..0000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= -Date: Mon, 26 Sep 2016 12:12:41 +0100 -Subject: [PATCH] print progress in percent when downloading CVE db -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Upstream-Status: Pending -Signed-off-by: André Draszik ---- - src/library/fetch.c | 28 +++++++++++++++++++++++++++- - src/library/fetch.h | 3 ++- - src/update.c | 16 ++++++++++++---- - 3 files changed, 41 insertions(+), 6 deletions(-) - -diff --git a/src/library/fetch.c b/src/library/fetch.c -index 06d4b30..0fe6d76 100644 ---- a/src/library/fetch.c -+++ b/src/library/fetch.c -@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f - return fwrite(ptr, size, nmemb, f->f); - } - --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose) -+struct percent_t { -+ unsigned int start; -+ unsigned int end; -+}; -+ -+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow) -+{ -+ (void) ultotal; -+ (void) ulnow; -+ -+ struct percent_t *percent = (struct percent_t *) ptr; -+ -+ if (dltotal && percent && percent->end >= percent->start) { -+ unsigned int diff = percent->end - percent->start; -+ if (diff) { -+ fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal)); -+ } -+ } -+ -+ return 0; -+} -+ -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, -+ unsigned int start_percent, unsigned int end_percent) - { - FetchStatus ret = FETCH_STATUS_FAIL; - CURLcode res; - struct stat st; - CURL *curl = NULL; - struct fetch_t *f = NULL; -+ struct percent_t percent = { .start = start_percent, .end = end_percent }; - - curl = curl_easy_init(); - if (!curl) { -@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose) - } - if (verbose) { - 
(void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L); -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent); -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new); - } - res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func); - if (res != CURLE_OK) { -diff --git a/src/library/fetch.h b/src/library/fetch.h -index 70c3779..4cce5d1 100644 ---- a/src/library/fetch.h -+++ b/src/library/fetch.h -@@ -28,7 +28,8 @@ typedef enum { - * @param verbose Whether to be verbose - * @return A FetchStatus, indicating the operation taken - */ --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose); -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, -+ unsigned int this_percent, unsigned int next_percent); - - /** - * Attempt to extract the given gzipped file -diff --git a/src/update.c b/src/update.c -index 30fbe96..eaeeefd 100644 ---- a/src/update.c -+++ b/src/update.c -@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) - } - - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, -- bool db_exist, bool verbose) -+ bool db_exist, bool verbose, -+ unsigned int this_percent, unsigned int next_percent) - { - const char nvd_uri[] = URI_PREFIX; - autofree(cve_string) *uri_meta = NULL; -@@ -330,14 +331,14 @@ refetch: - } - - /* Fetch NVD META file */ -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose); -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); - if (st == FETCH_STATUS_FAIL) { - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); - return -1; - } - - /* Fetch NVD XML file */ -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose); -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); - switch (st) { - case FETCH_STATUS_FAIL: - fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); -@@ -459,10 +460,17 @@ bool 
update_db(bool quiet, const char *db_file) - for (int i = YEAR_START; i <= year+1; i++) { - int y = i > year ? -1 : i; - int rc; -+ unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START); -+ unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START); - -- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet); -+ if (!quiet) -+ fprintf(stderr, "completed: %u%%\r", start_percent); -+ rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, -+ start_percent, end_percent); - switch (rc) { - case 0: -+ if (!quiet) -+ fprintf(stderr,"completed: %u%%\r", end_percent); - continue; - case ENOMEM: - goto oom; --- -2.9.3 - diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch deleted file mode 100644 index 458c0cc..0000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001 -From: Sergey Popovich -Date: Fri, 21 Apr 2017 07:32:23 -0700 -Subject: [PATCH] update: Compare computed vs expected sha256 digit string - ignoring case - -We produce sha256 digest string using %x snprintf() -qualifier for each byte of digest which uses alphabetic -characters from "a" to "f" in lower case to represent -integer values from 10 to 15. - -Previously all of the NVD META files supply sha256 -digest string for corresponding XML file in lower case. - -However due to some reason this changed recently to -provide digest digits in upper case causing fetched -data consistency checks to fail. This prevents database -from being updated periodically. - -While commit c4f6e94 (update: Do not treat sha256 failure -as fatal if requested) adds useful option to skip -digest validation at all and thus provides workaround for -this situation, it might be unacceptable for some -deployments where we need to ensure that downloaded -data is consistent before start parsing it and update -SQLite database. - -Use strcasecmp() to compare two digest strings case -insensitively and addressing this case. - -Upstream-Status: Backport -Signed-off-by: Sergey Popovich ---- - src/update.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/update.c b/src/update.c -index 8588f38..3cc6b67 100644 ---- a/src/update.c -+++ b/src/update.c -@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data) - snprintf(&csum_data[idx], len, "%02hhx", digest[i]); - } - -- ret = streq(csum_meta, csum_data); -+ ret = !strcasecmp(csum_meta, csum_data); - - err_unmap: - munmap(buffer, length); --- -2.11.0 - diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch deleted file mode 100644 index 0774ad9..0000000 
--- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch +++ /dev/null @@ -1,51 +0,0 @@ -From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Mon, 22 Aug 2016 22:54:24 -0700 -Subject: [PATCH] Check for malloc_trim before using it - -malloc_trim is gnu specific and not all libc -implement it, threfore write a configure check -to poke for it first and use the define to -guard its use. - -Helps in compiling on musl based systems - -Signed-off-by: Khem Raj ---- -Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/48] - configure.ac | 2 ++ - src/core.c | 4 ++-- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index d3b66ce..79c3542 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0]) - m4_define([openssl_required_version],[1.0.0]) - # TODO: Set minimum sqlite - -+AC_CHECK_FUNCS_ONCE(malloc_trim) -+ - PKG_CHECK_MODULES(CVE_CHECK_TOOL, - [ - glib-2.0 >= glib_required_version, -diff --git a/src/core.c b/src/core.c -index 6263031..0d5df29 100644 ---- a/src/core.c -+++ b/src/core.c -@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname) - } - - b = true; -- -+#ifdef HAVE_MALLOC_TRIM - malloc_trim(0); -- -+#endif - xmlFreeTextReader(r); - if (fd) { - close(fd); --- -2.9.3 -
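Review bot: in cpe_generator() of the new cve-update-db.bb hunk, `if not cpe['vulnerable']: return` terminates the generator at the first non-vulnerable cpe_match, so any vulnerable entries listed after it in the same node never reach the PRODUCTS table; this should be `continue`. Two smaller points in the same hunk: the `except urllib.error.URLError as e:` branch returns before `cve_f.close()`, `conn.commit()` and `conn.close()` run, so one failed download leaves the file and connection open and discards whatever uncommitted work preceded it; and in update_db() only baseMetricV3 is guarded, with a bare `except:` that should be `except KeyError:`, while `elt['impact']['baseMetricV2']['cvssV2']` is read unguarded, so a single entry carrying only V3 metrics raises KeyError and aborts that whole feed.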
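Review bot: the removed cve-check-tool_5.6.4.bb task returned early with a bbwarn when `BB_NO_NETWORK` is "1" and exported proxies through `bb.utils.export_proxies(d)`, and its `--cacert` argument existed because curl-native could not find the CA bundle; the part of the replacement task visible in this series goes straight to urllib.request with only `proxy_opener` as an alternative, so please confirm that the BB_NO_NETWORK guard survives in the new file (otherwise offline builds get the generic "CVE db update error" warning instead of one clear message) and that the native python used for the fetch verifies an https json_url against a CA bundle it can locate. The five `file://` patches named in the removed SRC_URI all have matching deletions in this series, so nothing is left orphaned under files/.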
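Review bot: deleting 0001-update-Compare-computed-vs-expected-sha256-digit-str.patch removes the only feed integrity check in this series: nvdcve_data_ok() compared the sha256 from the NVD META file with the digest computed over the fetched data (`ret = !strcasecmp(csum_meta, csum_data);`). The added cve-update-db.bb hunk only compares a last-modified value against its META table and then passes `gzip.decompress(response.read()).decode('utf-8')` straight into update_db(), so a truncated or corrupted feed is parsed into the database with no detection beyond the JSON decoder; verifying the META file's sha256 over the downloaded bytes before calling update_db() would restore the check the old tool had.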