From patchwork Thu Sep 28 02:48:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31282 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A556FCE7AE4 for ; Thu, 28 Sep 2023 02:48:58 +0000 (UTC) Received: from mail-oi1-f174.google.com (mail-oi1-f174.google.com [209.85.167.174]) by mx.groups.io with SMTP id smtpd.web11.6169.1695869335002814750 for ; Wed, 27 Sep 2023 19:48:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=vB6I5nvP; spf=softfail (domain: sakoman.com, ip: 209.85.167.174, mailfrom: steve@sakoman.com) Received: by mail-oi1-f174.google.com with SMTP id 5614622812f47-3af608eb34bso906372b6e.1 for ; Wed, 27 Sep 2023 19:48:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1695869334; x=1696474134; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=eL88MDJxmEvj0pXDqioiC4K3Q+p+A8WiOdcvGy7rbOU=; b=vB6I5nvPItKlgscNLJdfRpCAjHuojRPtpDPNzUynE4OAt5NSinNnxLgBr4kHsmwdtt sUlisNujl6pycI1gXXYLVj4Z2xWh/7V2BuPb7mQuHgQavz1YcxM3T8W37vGyspytZ0BI kPQj5KyDlge2V9HDp/yyvmAhV5K6ysnaPvP+tfl9/dr1s2G5mDjmqfy1TDOlGjieUYx7 zz69gC8YoniKG+AbWohgJfB0Nc9El+1XcSzo16Y2MSVyegWnhTQ8evStErAhjzpQTec3 YlNSc86oWyfsnfBcd8wDafoAzgITa7XUES4R+/4k8kDG98DWB1l697DJ76FQ5sPcmNcc wMVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695869334; x=1696474134; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc 
:subject:date:message-id:reply-to; bh=eL88MDJxmEvj0pXDqioiC4K3Q+p+A8WiOdcvGy7rbOU=; b=VA41mJgXGEF3JqRgXDUDM5Y9Qeym5eDB4feU5sb7d7mMm2cO9hKiXt38GQT1d1HM70 F4G7cnEtsYu3A1p53/JmaCZiOs1zv3HXNHQDRGTkpz55Vg5s98r4eDUC52FOkh/LJekD naCTZfeOXT8u5Y/TAWQSSsyzLV0Y7KN2M3n814FQp3Id4txmGshCVXDC0RvnBMBekKBD 5Tt1M1mv8N+VM1VNZ33f58G9EsnG97cbdrHAR2bHYxa4RwEMl1mnIqoPrgdYGvIpgIFm ug+8oOu33eFw2STrBubsAIEFo2UVCj7/uppZrgRH0VzWV2j8hE28R4oJo9mbjVIWM2E2 E30Q== X-Gm-Message-State: AOJu0YwpDZggwg7lYo++mU0/5KJUS8Kt7nZCOz06dToukvopXF5Ks4Ke CglSYdS1zAM8Mth9ZNQAz6NBY4IxpwTbC6pR4wE= X-Google-Smtp-Source: AGHT+IG+FWSSw0pdGlzr5TFe+XIDM5CMnvWsOgLbgjU+eUAeT6KlILBw68akXSkP+j3JR9/aLE6Y6w== X-Received: by 2002:a05:6808:64d:b0:3a7:1e3e:7f97 with SMTP id z13-20020a056808064d00b003a71e3e7f97mr3774626oih.4.1695869333808; Wed, 27 Sep 2023 19:48:53 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id n3-20020aa79043000000b0068e12e6954csm1850214pfo.36.2023.09.27.19.48.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Sep 2023 19:48:53 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 01/17] shadow: Fix CVE-2023-4641 Date: Wed, 27 Sep 2023 16:48:30 -1000 Message-Id: <734a3e1fb5ee8ded3097a94c7ee8696518346166.1695869144.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 28 Sep 2023 02:48:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188351 From: Soumya Sambu shadow-utils: possible password leak during passwd(1) change Signed-off-by: Soumya Sambu 
Signed-off-by: Steve Sakoman --- .../shadow/files/CVE-2023-4641-0001.patch | 36 +++++ .../shadow/files/CVE-2023-4641-0002.patch | 147 ++++++++++++++++++ meta/recipes-extended/shadow/shadow.inc | 2 + 3 files changed, 185 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-4641-0001.patch create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-4641-0002.patch diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641-0001.patch b/meta/recipes-extended/shadow/files/CVE-2023-4641-0001.patch new file mode 100644 index 0000000000..2d3c462f4d --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2023-4641-0001.patch @@ -0,0 +1,36 @@ +From 58b6e97a9eef866e9e479fb781aaaf59fb11ef36 Mon Sep 17 00:00:00 2001 +From: Christian Göttsche +Date: Mon Apr 25 12:17:40 2022 +0200 +Subject: [PATCH 1/2] passwd: erase password copy on all error branches + +CVE: CVE-2023-4641 + +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/58b6e97a9eef866e9e479fb781aaaf59fb11ef36] + +Signed-off-by: Soumya Sambu +--- + src/passwd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/passwd.c b/src/passwd.c +index 80531ec..8c6f81a 100644 +--- a/src/passwd.c ++++ b/src/passwd.c +@@ -289,6 +289,7 @@ static int new_password (const struct passwd *pw) + cp = getpass (_("New password: ")); + if (NULL == cp) { + memzero (orig, sizeof orig); ++ memzero (pass, sizeof pass); + return -1; + } + if (warned && (strcmp (pass, cp) != 0)) { +@@ -316,6 +317,7 @@ static int new_password (const struct passwd *pw) + cp = getpass (_("Re-enter new password: ")); + if (NULL == cp) { + memzero (orig, sizeof orig); ++ memzero (pass, sizeof pass); + return -1; + } + if (strcmp (cp, pass) != 0) { +-- +2.40.0 diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641-0002.patch b/meta/recipes-extended/shadow/files/CVE-2023-4641-0002.patch new file mode 100644 index 0000000000..a37379d7a0 --- /dev/null 
+++ b/meta/recipes-extended/shadow/files/CVE-2023-4641-0002.patch 
@@ -0,0 +1,147 @@ +From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001 +From: Alejandro Colomar +Date: Sat, 10 Jun 2023 16:20:05 +0200 +Subject: [PATCH 2/2] gpasswd(1): Fix password leak + +How to trigger this password leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When gpasswd(1) asks for the new password, it asks twice (as is usual +for confirming the new password). Each of those 2 password prompts +uses agetpass() to get the password. If the second agetpass() fails, +the first password, which has been copied into the 'static' buffer +'pass' via STRFCPY(), wasn't being zeroed. + +agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and +can fail for any of the following reasons: + +- malloc(3) or readpassphrase(3) failure. + + These are going to be difficult to trigger. Maybe getting the system + to the limits of memory utilization at that exact point, so that the + next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. + About readpassphrase(3), ENFILE and EINTR seem the only plausible + ones, and EINTR probably requires privilege or being the same user; + but I wouldn't discard ENFILE so easily, if a process starts opening + files. + +- The password is longer than PASS_MAX. + + The is plausible with physical access. However, at that point, a + keylogger will be a much simpler attack. + +And, the attacker must be able to know when the second password is being +introduced, which is not going to be easy. + +How to read the password after the leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Provoking the leak yourself at the right point by entering a very long +password is easy, and inspecting the process stack at that point should +be doable. Try to find some consistent patterns. + +Then, search for those patterns in free memory, right after the victim +leaks their password. + +Once you get the leak, a program should read all the free memory +searching for patterns that gpasswd(1) leaves nearby the leaked +password. 
+ +On 6/10/23 03:14, Seth Arnold wrote: +> An attacker process wouldn't be able to use malloc(3) for this task. +> There's a handful of tools available for userspace to allocate memory: +> +> - brk / sbrk +> - mmap MAP_ANONYMOUS +> - mmap /dev/zero +> - mmap some other file +> - shm_open +> - shmget +> +> Most of these return only pages of zeros to a process. Using mmap of an +> existing file, you can get some of the contents of the file demand-loaded +> into the memory space on the first use. +> +> The MAP_UNINITIALIZED flag only works if the kernel was compiled with +> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. +> +> malloc(3) doesn't zero memory, to our collective frustration, but all the +> garbage in the allocations is from previous allocations in the current +> process. It isn't leftover from other processes. +> +> The avenues available for reading the memory: +> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) +> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) +> - ptrace (requires ptrace privileges, mediated by YAMA) +> - causing memory to be swapped to disk, and then inspecting the swap +> +> These all require a certain amount of privileges. + +How to fix it? +~~~~~~~~~~~~~~ + +memzero(), which internally calls explicit_bzero(3), or whatever +alternative the system provides with a slightly different name, will +make sure that the buffer is zeroed in memory, and optimizations are not +allowed to impede this zeroing. + +This is not really 100% effective, since compilers may place copies of +the string somewhere hidden in the stack. Those copies won't get zeroed +by explicit_bzero(3). However, that's arguably a compiler bug, since +compilers should make everything possible to avoid optimizing strings +that are later passed to explicit_bzero(3). But we all know that +sometimes it's impossible to have perfect knowledge in the compiler, so +this is plausible. 
Nevertheless, there's nothing we can do against such +issues, except minimizing the time such passwords are stored in plain +text. + +Security concerns +~~~~~~~~~~~~~~~~~ + +We believe this isn't easy to exploit. Nevertheless, and since the fix +is trivial, this fix should probably be applied soon, and backported to +all supported distributions, to prevent someone else having more +imagination than us to find a way. + +Affected versions +~~~~~~~~~~~~~~~~~ + +All. Bug introduced in shadow 19990709. That's the second commit in +the git history. + +Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") +Reported-by: Alejandro Colomar +Cc: Serge Hallyn +Cc: Iker Pedrosa +Cc: Seth Arnold +Cc: Christian Brauner +Cc: Balint Reczey +Cc: Sam James +Cc: David Runge +Cc: Andreas Jaeger +Cc: <~hallyn/shadow@lists.sr.ht> +Signed-off-by: Alejandro Colomar + +CVE: CVE-2023-4641 + +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904] + +Signed-off-by: Soumya Sambu +--- + src/gpasswd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/gpasswd.c b/src/gpasswd.c +index c7c9477..00ca569 100644 +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -896,6 +896,7 @@ static void change_passwd (struct group *gr) + strzero (cp); + cp = getpass (_("Re-enter new password: ")); + if (NULL == cp) { ++ memzero (pass, sizeof pass); + exit (1); + } + +-- +2.40.0 diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 3c1dd2f98e..57b5002e8b 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc 
@@ -18,6 +18,8 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP} file://useradd \ file://CVE-2023-29383.patch \ file://0001-Overhaul-valid_field.patch \ + file://CVE-2023-4641-0001.patch \ + file://CVE-2023-4641-0002.patch \ " SRC_URI:append:class-target = " \ From patchwork Thu Sep 28 02:48:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31281 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A62EECE7AE5 for ; Thu, 28 Sep 2023 02:48:58 +0000 (UTC) Received: from mail-vk1-f180.google.com (mail-vk1-f180.google.com [209.85.221.180]) by mx.groups.io with SMTP id smtpd.web10.6267.1695869336947476652 for ; Wed, 27 Sep 2023 19:48:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=EfRTAdFi; spf=softfail (domain: sakoman.com, ip: 209.85.221.180, mailfrom: steve@sakoman.com) Received: by mail-vk1-f180.google.com with SMTP id 71dfb90a1353d-496a775af2fso4621817e0c.0 for ; Wed, 27 Sep 2023 19:48:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1695869335; x=1696474135; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=weD//oPJA4T98dUW5eFuSvl0r7CHxPoNlwnyQo7ZTE8=; b=EfRTAdFifnhial0ZCLZ+1RP1nccab7y5FrjlqTBuRZ7K3vZYaM30xyLHcHfYSmOAny QcP3tZW6ICevsYNLdqKdUbznWWU/+fAD2Q1303UQeLBtOvEoNQRtyoujV5TQOgInL5bH 9FuXPkKLvUWq4jusTK+bNm9kslg2USKGj6Bnfp3jSV8+YAcu4X9TFqpNCV+tBFILv6GB nOhCdEa5yCeW4Z4zQtHtaEnJp6IM7DOxscSguUd3xWHNe8bNdF/8cXxa/3eo4TkpZD4/ 
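Review bot: the new memzero (pass, sizeof pass) calls in passwd.c and gpasswd.c cover only the NULL == cp branches of the password prompts; the passwd.c context shows the mismatch path "if (warned && (strcmp (pass, cp) != 0))" immediately after the first hunk, and whether pass is cleared on that path (and on the gpasswd.c "if (strcmp (cp, pass) != 0)" path) is not visible in these hunks, so confirm in the full functions that every early exit after the copy into pass is preceded by a memzero, or route the error exits through a single cleanup point that wipes it once. Also, the 0002 patch header describes the failure modes of agetpass()/readpassphrase(3), while the kirkstone code in both hunks still calls getpass(); a one-line remark in the patch header that the backport was adapted to the older getpass() code path would spare the next reviewer a check of the upstream diff.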
l1hw0n+OEAl22b5xhzYEu/ch7poJf2KD6OcpQIrR2U0vUGZRdFUiiLD8sKLhQK1yQlLN QYrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695869335; x=1696474135; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=weD//oPJA4T98dUW5eFuSvl0r7CHxPoNlwnyQo7ZTE8=; b=Yak9lq0VSDr3OQlKWtMaj+hCin0oMggeanf2oNMtzgPya4yrQiktfYYwJ4yqh4iYG6 z8XAOoIt0fFyUXsS40wJFFvgesdzn7QrOQovJojjuCcJt+ubfq6KCuwurFD0txNRz2DA Popphb1ShHlz/4WKOSJDXpgQ73fvTb4eddpKzgDi24sRTHAgOTpxBJouKWI1wUBoprCj 5wJuAPGRrytAY3XLnSY/MGHTv4uXW+6ju45Wld0BbAGGMwxjq37n+eRl+q3JSwFtJdve TI58EimAgPDa2jwHWcriz96DeFIJFjbRSTOloeDxgWWeaMUbMivJ9bRZxDfemmOY/+Xc /fgg== X-Gm-Message-State: AOJu0YzuZv8FgI8/UfYbAsQ5665IxCBdDfYNoN+Ot5/h8BqbZXnOuFUy UtoLd9sys93Xv7ueGti61xO7wzIIKtdESNZ6KBM= X-Google-Smtp-Source: AGHT+IHc6L3hGbTg/FvT9ldWTS45w5MD1ZXX189r1U09CP2Q21DWgX69zDKOZhmA15LLuZLfr8pK1w== X-Received: by 2002:a1f:c645:0:b0:47e:8a9:478c with SMTP id w66-20020a1fc645000000b0047e08a9478cmr2933562vkf.16.1695869335440; Wed, 27 Sep 2023 19:48:55 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id n3-20020aa79043000000b0068e12e6954csm1850214pfo.36.2023.09.27.19.48.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Sep 2023 19:48:55 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/17] ghostscript: fix CVE-2023-43115 Date: Wed, 27 Sep 2023 16:48:31 -1000 Message-Id: <1d169e50f28c93434461aa3ecbc47c21509143e9.1695869144.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 28 Sep 2023 02:48:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188352 From: Archana Polampalli In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server). References: https://nvd.nist.gov/vuln/detail/CVE-2023-43115 Upstream patches: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ghostscript/CVE-2023-43115.patch | 62 +++++++++++++++++++ .../ghostscript/ghostscript_9.55.0.bb | 1 + 2 files changed, 63 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch new file mode 100644 index 0000000000..979f354ed5 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch 
@@ -0,0 +1,62 @@ +From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 24 Aug 2023 15:24:35 +0100 +Subject: [PATCH] IJS device - try and secure the IJS server startup + +Bug #707051 ""ijs" device can execute arbitrary commands" + +The problem is that the 'IJS' device needs to start the IJS server, and +that is indeed an arbitrary command line. There is (apparently) no way +to validate it. Indeed, this is covered quite clearly in the comments +at the start of the source: + + * WARNING: The ijs server can be selected on the gs command line + * which is a security risk, since any program can be run. + +Previously this used the awful LockSafetyParams hackery, which we +abandoned some time ago because it simply couldn't be made secure (it +was implemented in PostScript and was therefore vulnerable to PostScript +programs). + +This commit prevents PostScript programs switching to the IJS device +after SAFER has been activated, and prevents changes to the IjsServer +parameter after SAFER has been activated. + +SAFER is activated, unless explicitly disabled, before any user +PostScript is executed which means that the device and the server +invocation can only be configured on the command line. This does at +least provide minimal security against malicious PostScript programs. 
+ +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe] + +CVE: CVE-2023-43115 + +Signed-off-by: Archana Polampalli +--- + devices/gdevijs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/devices/gdevijs.c b/devices/gdevijs.c +index 8cbd84b97..16f5a1752 100644 +--- a/devices/gdevijs.c ++++ b/devices/gdevijs.c +@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev) + static const char rgb[] = "DeviceRGB"; + gx_device_ijs *ijsdev = (gx_device_ijs *)dev; + ++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active) ++ return_error(gs_error_invalidaccess); + if (!ijsdev->ColorSpace) { + ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1, + "gsijs_initialize"); +@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist) + if (code >= 0) + code = gsijs_read_string(plist, "IjsServer", + ijsdev->IjsServer, sizeof(ijsdev->IjsServer), +- dev->LockSafetyParams, is_open); ++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open); + + if (code >= 0) + code = gsijs_read_string_malloc(plist, "DeviceManufacturer", +-- +2.40.0 diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index ad0b008cab..4c4c22cf39 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
@@ -38,6 +38,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2023-36664-0001.patch \ file://CVE-2023-36664-0002.patch \ file://CVE-2023-38559.patch \ + file://CVE-2023-43115.patch \ " SRC_URI = "${SRC_URI_BASE} \ From patchwork Thu Sep 28 02:48:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31284 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7818BCE7AE7 for ; Thu, 28 Sep 2023 02:49:08 +0000 (UTC) Received: from mail-qv1-f47.google.com (mail-qv1-f47.google.com [209.85.219.47]) by mx.groups.io with SMTP id smtpd.web11.6170.1695869338323822774 for ; Wed, 27 Sep 2023 19:48:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=qWnd/g+e; spf=softfail (domain: sakoman.com, ip: 209.85.219.47, mailfrom: steve@sakoman.com) Received: by mail-qv1-f47.google.com with SMTP id 6a1803df08f44-65b162328edso36237056d6.2 for ; Wed, 27 Sep 2023 19:48:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1695869337; x=1696474137; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=oDKUVbP8cK8HdrBnWwDLpYvgeoxUjuW9h0IUWjVer8s=; b=qWnd/g+eN8ZzAQI3beFHTLwQFFrk9XhkfILHzrqoHlYSl8ZIwe7Nvxn5yd4je5VuWD RlcAxJC0zEcx/rEjTCE2/KM221dal3Ip419+8RIwgc/Rolmp23nmCnrbonLJrrGtv/ii Ha/TfSZM1NDcGyFWknKQszGBPGSlSvssp1dudFe0Okr3LfPapxxphFw9q6cPKWw0Tvjr Zwx04hSisw0onbOxz85oct3fBpLwxdHxrAu16pD+YzOMLCC2/cJTO0QqEyAW5LmLTEHJ tbaYFxaUjJriPuGdz5nZI2AM6VzB7517gAP9Do9h3qBhey+ykoJB+H1Pr7RJ6ycmIkee 
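Review bot: the path_control_active check added to gsijs_initialize_device returns gs_error_invalidaccess before the ColorSpace allocation, so nothing is leaked on the refused path, and the second hunk makes IjsServer read-only under the same condition by replacing dev->LockSafetyParams in the gsijs_read_string call; both match the commit message. Two things the patch header should state for this 9.55.0 backport: whether the hunks applied cleanly (the blob indices 8cbd84b97..16f5a1752 are from the upstream tree the fix was written against) and that ijsdev->memory->gs_lib_ctx->core->path_control_active exists in this release, since the fix depends entirely on that flag. The commit message itself notes SAFER is active "unless explicitly disabled", so invocations that turn it off keep the documented risk that the IJS server command is taken from the command line; worth repeating in the CVE note for downstream readers.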
kNnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695869337; x=1696474137; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=oDKUVbP8cK8HdrBnWwDLpYvgeoxUjuW9h0IUWjVer8s=; b=d9fO+vMf98H479u5DONPh0sD1uCchDPePMsQpV7m2+FyJzyIvmq9SN9iUKshDhNZKw dJNSKYov7fNKx4TIOgfl/BlDQFnk0LledBcUKgnxoURM02jBtNInu9OMwAUeMVv+Y9EC BUPxU/gXNpyxZQpYVfGwcvAhgAtO+3abZKE8JD8mOLDBdaK+y1XS2RS+CWNdNE9i865c PA0qCD8idByby0zEQIUxeZf6kyzHQRKDdszmZko7gdry4kb830p9zUTZlMax01Gbat6S i0gHaTVKfjbxLkZTMBLRADHlIbdHHf8DM768pIGMDb+yyJbec1PbrW4eolJCWbrr010Y Xt5g== X-Gm-Message-State: AOJu0Yzp/HzVeJCm4PB+/VQI9QcWVDVYoGYBwdBFHNbAnWpUp/d0ct0j oyf6cWXF6U/dKal8Ptil2Gpl/GL/Su37QtKGSME= X-Google-Smtp-Source: AGHT+IG1do0ha1OS9kloa0MY052vqDOBO7jQmU4jR9tctPKoHvzIYl6gOdF8mmn6z5vBjMhCDRrZwA== X-Received: by 2002:a0c:e885:0:b0:65d:d:a116 with SMTP id b5-20020a0ce885000000b0065d000da116mr2701665qvo.61.1695869336974; Wed, 27 Sep 2023 19:48:56 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id n3-20020aa79043000000b0068e12e6954csm1850214pfo.36.2023.09.27.19.48.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Sep 2023 19:48:56 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/17] gstreamer1.0-plugins-bad: fix CVE-2023-40474 Date: Wed, 27 Sep 2023 16:48:32 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 28 Sep 2023 02:49:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188353 
From: Archana Polampalli gst-plugins-bad: Heap-based buffer overflow in the MXF file demuxer when handling malformed files with uncompressed video in GStreamer versions before 1.22.6 Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../CVE-2023-40474.patch | 118 ++++++++++++++++++ .../gstreamer1.0-plugins-bad_1.20.7.bb | 1 + 2 files changed, 119 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch new file mode 100644 index 0000000000..dd5886863d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch 
@@ -0,0 +1,118 @@ +From ce17e968e4cf900d28ca5b46f6e095febc42b4f0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 10 Aug 2023 15:45:01 +0300 +Subject: [PATCH] mxfdemux: Fix integer overflow causing out of bounds writes + when handling invalid uncompressed video + +Check ahead of time when parsing the track information whether +width, height and bpp are valid and usable without overflows. + +Fixes ZDI-CAN-21660, CVE-2023-40474 + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce17e968e4cf900d28ca5b46f6e095febc42b4f0] +CVE: CVE-2023-40474 + +Signed-off-by: Archana Polampalli +--- + gst/mxf/mxfup.c | 51 +++++++++++++++++---- + 1 file changed, 43 insertions(+), 8 deletions(-) + +diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c +index d72ed22cb7..0c0178c1c9 100644 +--- a/gst/mxf/mxfup.c ++++ b/gst/mxf/mxfup.c +@@ -118,6 +118,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + gpointer mapping_data, GstBuffer ** outbuf) + { + MXFUPMappingData *data = mapping_data; ++ gsize expected_in_stride = 0, out_stride = 0; ++ gsize expected_in_size = 0, out_size = 0; + + /* SMPTE 384M 7.1 */ + if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02 +@@ -146,22 +148,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + } + } + +- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) { ++ // Checked for overflows when parsing the descriptor ++ expected_in_stride = data->bpp * data->width; ++ out_stride = GST_ROUND_UP_4 (expected_in_stride); ++ expected_in_size = expected_in_stride * data->height; ++ out_size = out_stride * data->height; ++ ++ if (gst_buffer_get_size (buffer) != expected_in_size) { + GST_ERROR ("Invalid buffer size"); + gst_buffer_unref (buffer); + return GST_FLOW_ERROR; + } + +- if (data->bpp != 4 +- || GST_ROUND_UP_4 (data->width * 
data->bpp) != data->width * data->bpp) { ++ if (data->bpp != 4 || out_stride != expected_in_stride) { + guint y; + GstBuffer *ret; + GstMapInfo inmap, outmap; + guint8 *indata, *outdata; + +- ret = +- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) * +- data->height); ++ ret = gst_buffer_new_and_alloc (out_size); + gst_buffer_map (buffer, &inmap, GST_MAP_READ); + gst_buffer_map (ret, &outmap, GST_MAP_WRITE); + indata = inmap.data; +@@ -169,8 +174,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + + for (y = 0; y < data->height; y++) { + memcpy (outdata, indata, data->width * data->bpp); +- outdata += GST_ROUND_UP_4 (data->width * data->bpp); +- indata += data->width * data->bpp; ++ outdata += out_stride; ++ indata += expected_in_stride; + } + + gst_buffer_unmap (buffer, &inmap); +@@ -378,6 +383,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags, + return NULL; + } + ++ if (caps) { ++ MXFUPMappingData *data = *mapping_data; ++ gsize expected_in_stride = 0, out_stride = 0; ++ gsize expected_in_size = 0, out_size = 0; ++ ++ // Do some checking of the parameters to see if they're valid and ++ // we can actually work with them. ++ if (data->image_start_offset > data->image_end_offset) { ++ GST_WARNING ("Invalid image start/end offset"); ++ g_free (data); ++ *mapping_data = NULL; ++ gst_clear_caps (&caps); ++ ++ return NULL; ++ } ++ ++ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) || ++ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride ++ || !g_size_checked_mul (&expected_in_size, expected_in_stride, ++ data->height) ++ || !g_size_checked_mul (&out_size, out_stride, data->height)) { ++ GST_ERROR ("Invalid resolution or bit depth"); ++ g_free (data); ++ *mapping_data = NULL; ++ gst_clear_caps (&caps); ++ ++ return NULL; ++ } ++ } ++ + return caps; + } + +-- +2.40.0 
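Review bot: in the copy loop of mxf_up_handle_essence_element the unchanged line "memcpy (outdata, indata, data->width * data->bpp);" still recomputes the stride instead of using the expected_in_stride value introduced just above it, while the pointer increments now use out_stride and expected_in_stride; use expected_in_stride in the memcpy as well so the loop has one source of truth. Related: the handler computes "expected_in_stride = data->bpp * data->width;" as a plain product, whereas mxf_up_create_caps validates it with g_size_checked_mul at gsize width; if width and bpp are narrower than gsize, the plain product can wrap before being widened even though the checked multiply accepted it, so either compute it as "(gsize) data->bpp * data->width" or store the checked values in MXFUPMappingData when they are validated and reuse them here.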
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb index 86b5301d8e..52acb30d74 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb 
@@ -10,6 +10,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0002-avoid-including-sys-poll.h-directly.patch \ file://0003-ensure-valid-sentinals-for-gst_structure_get-etc.patch \ file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ + file://CVE-2023-40474.patch \ " SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195" From patchwork Thu Sep 28 02:48:33 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31283 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F326CE7AE0 for ; Thu, 28 Sep 2023 02:49:08 +0000 (UTC) Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) by mx.groups.io with SMTP id smtpd.web11.6171.1695869339447928644 for ; Wed, 27 Sep 2023 19:48:59 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=sgSENH/W; spf=softfail (domain: sakoman.com, ip: 209.85.210.181, mailfrom: steve@sakoman.com) Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-68fdcc37827so10098478b3a.0 for ; Wed, 27 Sep 2023 19:48:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1695869338; x=1696474138; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=VgWMIG1vVhdJabW2WwJuBFB410gaaCitM8vzNJBI7n0=; b=sgSENH/WY7dUxhwpkGpw+AvUH+AloYV7rbgaC9bpB6wtN5vd8xGGIQfZCwQ1ix9PvO c34PJPXCfB37NdF8kdAt4YVXY7MQ4yyxMSFbhYM9jkWn5Cd0hhbWdc6brN6AgdQlhvMS 
Pco0WbKFE7M940/Wih+FLyym2XFOZHNBap0hmOAJ1bPRzdvCQ54HRA1JreRzRvv5oZ+O b/Niq0HWGkt+PIlgnaCC4wcm3sq1P39Epk+HOQRZ1iYYsXEHhl2nMErMQU88dLnFE4IS lZYbZni1oQobJTJBiy0A52sO9D9Qaz8Dwa6jjjN3qtCuFlpTfCKlAduRJNpaLDJiYDe3 6koQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695869338; x=1696474138; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=VgWMIG1vVhdJabW2WwJuBFB410gaaCitM8vzNJBI7n0=; b=mykYbN4Hex8va2Jof/8fzLHL7du1gXbTXI/NYpskZi94MPVKBairno6FSU4nUpIOBA 7On2N1gqDIh3kuYRJwWREHYiVOZRvi0k2SpJhpJyaRFkl9Nd5vOmlzm7YLahBHIOOFim je8cJJxCiycpChmkBOgPDF1xdmh4BVAk8GQvexoHwf0v5/+kuniq5k9tYtxPeTUmeN+1 X/k5KpyCw1n8O7LYlVrXdupR72WHnZHUbkdK7ZpQUWSfUSn93f3/C3Xv19c3X+h+GRig b+GQjzRt0zUlv+z8RHnHZchzdZdfuuRmp4snJFLYvaH/lWMtuiKyFzmcpc0ZYmL7ltaE e4Lg== X-Gm-Message-State: AOJu0YxdVm3GagOHurmJiAagZNJJ92hOiP60L/EcmWdZ/79oyq7PjTH9 ypGP8w5XNETbVO9W31H8rPjeUOQnNHXjvBXWWQw= X-Google-Smtp-Source: AGHT+IFY0cQvBDsCxxJzuY2knDf/6B43K7gyOUPT52Z6srry89Cxo6Ng6FqoRQqWZDUvLNFUPQsOmA== X-Received: by 2002:a05:6a20:4413:b0:140:61f8:53f6 with SMTP id ce19-20020a056a20441300b0014061f853f6mr6924105pzb.29.1695869338463; Wed, 27 Sep 2023 19:48:58 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id n3-20020aa79043000000b0068e12e6954csm1850214pfo.36.2023.09.27.19.48.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Sep 2023 19:48:58 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/17] gstreamer1.0-plugins-bad: fix CVE-2023-40475 Date: Wed, 27 Sep 2023 16:48:33 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 28 Sep 2023 02:49:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188354 From: Archana Polampalli gst-plugins-bad: Integer overflow leading to heap overwrite in MXF file handling with AES3 audio Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../CVE-2023-40475.patch | 49 +++++++++++++++++++ .../gstreamer1.0-plugins-bad_1.20.7.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch new file mode 100644 index 0000000000..ab9ac7afaa --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch 
@@ -0,0 +1,49 @@ +From 72742dee30cce7bf909639f82de119871566ce39 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 10 Aug 2023 15:47:03 +0300 +Subject: [PATCH] mxfdemux: Check number of channels for AES3 audio + +Only up to 8 channels are allowed and using a higher number would cause +integer overflows when copying the data, and lead to out of bound +writes. + +Also check that each buffer is at least 4 bytes long to avoid another +overflow. + +Fixes ZDI-CAN-21661, CVE-2023-40475 + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72742dee30cce7bf909639f82de119871566ce39] +CVE: CVE-2023-40475 + +Signed-off-by: Archana Polampalli +--- + gst/mxf/mxfd10.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c +index 03854d9303..0ad0d2d283 100644 +--- a/gst/mxf/mxfd10.c ++++ b/gst/mxf/mxfd10.c +@@ -101,7 +101,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + gst_buffer_map (buffer, &map, GST_MAP_READ); + + /* Now transform raw AES3 into raw audio, see SMPTE 331M */ +- if ((map.size - 4) % 32 != 0) { ++ if (map.size < 4 || (map.size - 4) % 32 != 0) { + gst_buffer_unmap (buffer, &map); + GST_ERROR ("Invalid D10 sound essence buffer size"); + return GST_FLOW_ERROR; +@@ -201,6 +201,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags, + GstAudioFormat audio_format; + + if (s->channel_count == 0 || ++ s->channel_count > 8 || + s->quantization_bits == 0 || + s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) { + GST_ERROR ("Invalid descriptor"); +-- +2.40.0 diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb index 52acb30d74..d5f1e794cd 100644 
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb 
@@ -11,6 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0003-ensure-valid-sentinals-for-gst_structure_get-etc.patch \ file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ file://CVE-2023-40474.patch \ + file://CVE-2023-40475.patch \ " SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
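Review bot: In the mxf_d10_sound_handle_essence_element hunk, the return value of `gst_buffer_map (buffer, &map, GST_MAP_READ)` on the context line just above the changed condition is still discarded, so on a failed mapping the new `map.size < 4` test runs against an invalid map. Suggest `if (!gst_buffer_map (buffer, &map, GST_MAP_READ)) return GST_FLOW_ERROR;` so the length check only ever sees a real mapping. The explicit lower bound itself is the right shape of fix: it states the 4-byte AES3 header minimum directly instead of leaning on what the unsigned subtraction `map.size - 4` happens to do for tiny buffers.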
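Review bot: In the mxf_d10_create_caps hunk, `s->channel_count > 8` is a bare magic number folded into a chain of checks that all report the same "Invalid descriptor", so a rejected file gives no hint which field was out of range. Suggest a named constant or a one-line comment giving the source of the 8-channel limit the commit message refers to, and a dedicated message that logs the value, e.g. `GST_ERROR ("Invalid descriptor: %u AES3 channels, at most 8 supported", s->channel_count);`.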
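Review bot: In the new-file hunk for CVE-2023-40475.patch, the `Part-of:` trailer is left empty; either fill in the upstream merge request URL or drop the line, since an empty trailer reads like a truncated header. The Upstream-Status and CVE tags are present and the backport URL matches the `From 72742dee30cce7bf909639f82de119871566ce39` hash at the top, which is what the OE patch guidelines ask for.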
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/17] gstreamer1.0-plugins-bad: fix CVE-2023-40476 Date: Wed, 27 Sep 2023 16:48:34 -1000 Message-Id: <2abcf03fbe343596de38113c655028c157763245.1695869144.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 28 Sep 2023 02:49:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188355 From: Archana Polampalli gst-plugins-bad: h265parser: Fix possible overflow using max_sub_layers_minus1 Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../CVE-2023-40476.patch | 44 +++++++++++++++++++ .../gstreamer1.0-plugins-bad_1.20.7.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch new file mode 100644 index 0000000000..7810e98024 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch 
@@ -0,0 +1,44 @@ +From 1b51467ea640bcc73c97f3186350d72cbfba5cb4 Mon Sep 17 00:00:00 2001 +From: Nicolas Dufresne +Date: Wed, 9 Aug 2023 12:49:19 -0400 +Subject: [PATCH] h265parser: Fix possible overflow using max_sub_layers_minus1 + +This fixes a possible overflow that can be triggered by an invalid value of +max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits, +but the allowed range is 0 to 6 only. + +Fixes ZDI-CAN-21768, CVE-2023-40476 + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9] +CVE: CVE-2023-40476 + +Signed-off-by: Archana Polampalli + +--- + gst-libs/gst/codecparsers/gsth265parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c +index a4e7549..3db1c38 100644 +--- a/gst-libs/gst/codecparsers/gsth265parser.c ++++ b/gst-libs/gst/codecparsers/gsth265parser.c +@@ -1670,6 +1670,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps) + + READ_UINT8 (&nr, vps->max_layers_minus1, 6); + READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3); ++ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6); + READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1); + + /* skip reserved_0xffff_16bits */ +@@ -1849,6 +1850,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu, + sps->vps = vps; + + READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3); ++ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6); + READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1); + + if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr, diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb index d5f1e794cd..fbaabda3f9 100644 
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb 
@@ -12,6 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ file://CVE-2023-40474.patch \ file://CVE-2023-40475.patch \ + file://CVE-2023-40476.patch \ " SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
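Review bot: In the new-file hunk for CVE-2023-40476.patch, the header names two different commits for one change: `From 1b51467ea640bcc73c97f3186350d72cbfba5cb4` at the top and `Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9]` further down. State which commit the diff was actually taken from (if one is the stable-branch cherry-pick of the other, say so) so the provenance can be checked against upstream; the `Part-of:` trailer is also empty here and should carry the merge request URL or be removed.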
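Review bot: In the gst_h265_parse_vps and gst_h265_parse_sps hunks, `CHECK_ALLOWED (..., 0, 6)` is placed right after the `READ_UINT8 (..., 3)` and before any later use of max_sub_layers_minus1, which is the correct position for a value that is later used as a loop limit. A short comment at each site explaining why a 3-bit field (0..7) is clamped to 0..6 would save the next reader a trip to the commit message; the H.265 spec constrains both vps_max_sub_layers_minus1 and sps_max_sub_layers_minus1 to the range 0 to 6 inclusive.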
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/17] go: Fix CVE-2023-39318 Date: Wed, 27 Sep 2023 16:48:35 -1000 Message-Id: <35fa5c12f86bda2c8542bdb57074f55808697a42.1695869144.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 28 Sep 2023 02:49:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188356 From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.21/CVE-2023-39318.patch | 238 ++++++++++++++++++ 2 files changed, 239 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index c753a26a7e..ed2645bc12 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -44,6 +44,7 @@ SRC_URI += "\ file://CVE-2023-24531_2.patch \ file://CVE-2023-29409.patch \ file://CVE-2023-39319.patch \ + file://CVE-2023-39318.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch new file mode 100644 index 0000000000..85c6ec97c8 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch 
@@ -0,0 +1,238 @@ +From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 3 Aug 2023 12:24:13 -0700 +Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like + comments in script contexts + +Per Appendix B.1.1 of the ECMAScript specification, support HTML-like +comments in script contexts. Also per section 12.5, support hashbang +comments. This brings our parsing in-line with how browsers treat these +comment types. + +Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for +reporting this issue. + +Fixes #62196 +Fixes #62395 +Fixes CVE-2023-39318 + +Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 +Run-TryBot: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-by: Damien Neil +Reviewed-by: Dmitri Shuralyov +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 +Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 +Run-TryBot: Cherry Mui +TryBot-Result: Gopher Robot + +Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] +CVE: CVE-2023-39318 +Signed-off-by: Siddharth Doshi +--- + src/html/template/context.go | 6 ++- + src/html/template/escape.go | 5 +- + src/html/template/escape_test.go | 10 ++++ + src/html/template/state_string.go | 4 +- + src/html/template/transition.go | 80 ++++++++++++++++++++----------- + 5 files changed, 72 insertions(+), 33 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f5f44a1..feb6517 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -124,6 +124,10 @@ const ( + stateJSBlockCmt + // stateJSLineCmt occurs inside a JavaScript // line comment. + stateJSLineCmt ++ // stateJSHTMLOpenCmt occurs inside a JavaScript HTML-like comment. ++ stateJSHTMLCloseCmt + // stateCSS occurs inside a
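Review bot: In the go-1.17.13.inc hunk, the new `file://CVE-2023-39318.patch` entry points at a file this same commit creates under meta/recipes-devtools/go/go-1.21/, not under a go-1.17.13 directory, so the entry only resolves if FILESEXTRAPATHS for this recipe already includes go-1.21; please confirm that in the commit message, since nothing in the diff shows it. The patch is also tagged `[release-branch.go1.20]` while being applied to Go 1.17.13, so a sentence on whether the hunks needed adapting for the older html/template sources would help reviewers.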
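Review bot: In the context.go hunk, as extracted here the added comment `// stateJSHTMLOpenCmt occurs inside a JavaScript HTML-like comment.` is immediately followed by the constant `stateJSHTMLCloseCmt`, while the `@@ -124,6 +124,10 @@` header counts four added lines; please confirm the patch file in the tree declares both `stateJSHTMLOpenCmt` and `stateJSHTMLCloseCmt`, each with its own comment, and that the state_string.go change listed in the diffstat regenerates the name table so the two new states print by name in debug output.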