[yocto] [RFC] CVEs on sumo branch

Sinan Kaya okaya at kernel.org
Fri Sep 21 12:43:38 PDT 2018


I'm sure this has been discussed recently, but I wanted to raise this question
one more time as I have seen a lot of CVE patches getting pulled into the sumo
branch recently.

We started enabling the cve-check feature and are triaging the results of CVE
reports. We think that the following CVEs need attention and need to be pulled
into the sumo branch.

There are two approaches to solve this problem:
1. upgrade these packages to the respective versions:

CVE-2018-13785: 
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=3b847972b8c6135a695b4a16c836ad2dd1cbb350
CVE-2018-8740: 
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=a6646df0cab4bd191974fde33ed8a87b9720557e
CVE-2017-15874: 
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=29108755c1c5a23855ab4dda59ea728781b9d75e
CVE-2017-14501: 
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=381f016dccb78a8cf52ffde05459ff084b2f15fd
CVE-2018-11237: 
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=fb535ac046697db5923575bb23ee419fe7cfbab2
CVE-2017-7960: 
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=26d1f906258e1d5a933830ee0e4f051d29ee7585

2. Apply the attached patches to the sumo branch.

We'd like to hear the community opinion.

Sinan


-------------- next part --------------
From e486e61f26c9d0fd2851a2b1056071b34be65e7d Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li at windriver.com>
Date: Tue, 28 Aug 2018 17:39:23 +0800
Subject: [PATCH 1/6] libcroco: patch for CVE-2017-7960

Signed-off-by: Changqing Li <changqing.li at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 .../libcroco/libcroco/CVE-2017-7960.patch     | 56 +++++++++++++++++++
 .../libcroco/libcroco_0.6.12.bb               |  2 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch

diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch b/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch
new file mode 100644
index 0000000000..f6f43c3d26
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch
@@ -0,0 +1,56 @@
+input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+
+Upstream-Status: Backport[https://gitlab.gnome.org/GNOME/libcroco/
+                 commit/898e3a8c8c0314d2e6b106809a8e3e93cf9d4394]
+
+CVE: CVE-2017-7960 
+
+Signed-off-by: Changqing Li <changqing.li at windriver.com>
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1f5f07fe057135f1b8fc69bdcf9613e300..3b63a88ee3b1c56778e58172d147d958951bf099 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+                  *we should  free buf here because it's own by CRInput.
+                  *(see the last parameter of cr_input_new_from_buf().
+                  */
+-                buf = NULL ;
++                buf = NULL;
+         }
+ 
+  cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++        gulong nb_bytes_left = 0;
++
+         g_return_val_if_fail (a_this && PRIVATE (a_this)
+                               && a_byte, CR_BAD_PARAM_ERROR);
+ 
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+         if (PRIVATE (a_this)->end_of_input == TRUE)
+                 return CR_END_OF_INPUT_ERROR;
+ 
++        nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++        if (nb_bytes_left < 1) {
++                return CR_END_OF_INPUT_ERROR;
++        }
++
+         *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+ 
+         if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+                 if (*a_char == '\n') {
+                         PRIVATE (a_this)->end_of_line = TRUE;
+                 }
+-
+         }
+ 
+         return status;
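Review bot: The backport carries two whitespace-only hunks from the upstream commit — the `buf = NULL ;` → `buf = NULL;` change in cr_input_new_from_uri and the blank line removed in cr_input_read_char — that have nothing to do with the fix in cr_input_read_byte; dropping them keeps the sumo patch minimal and less likely to conflict on later rebases. The functional guard `if (nb_bytes_left < 1) return CR_END_OF_INPUT_ERROR;` protects only the read of `in_buf[next_byte_index]`, and it is a correct bound only if cr_input_get_nb_bytes_left() is computed relative to next_byte_index; that function is outside the hunk, so confirm it rather than assume it. The `CVE:` tag line carries a trailing space that is worth trimming. cr_input_read_byte continues past the end of the hunk.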
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.12.bb b/meta/recipes-support/libcroco/libcroco_0.6.12.bb
index d86ddd6464..5b962ee738 100644
--- a/meta/recipes-support/libcroco/libcroco_0.6.12.bb
+++ b/meta/recipes-support/libcroco/libcroco_0.6.12.bb
@@ -16,5 +16,7 @@ BINCONFIG = "${bindir}/croco-0.6-config"
 
 inherit gnomebase gtk-doc binconfig-disabled
 
+SRC_URI += "file://CVE-2017-7960.patch"
+
 SRC_URI[archive.md5sum] = "bc0984fce078ba2ce29f9500c6b9ddce"
 SRC_URI[archive.sha256sum] = "ddc4b5546c9fb4280a5017e2707fbd4839034ed1aba5b7d4372212f34f84f860"
-- 
2.19.0
-------------- next part --------------
From 297a200543cafe043b870c668acd14b2e21381fd Mon Sep 17 00:00:00 2001
From: Zheng Ruoqin <zhengrq.fnst at cn.fujitsu.com>
Date: Tue, 26 Jun 2018 13:44:17 +0800
Subject: [PATCH 2/6] glibc: fix CVE-2018-11237

glibc: fix CVE-2018-11237

Signed-off-by: Zheng Ruoqin <zhengrq.fnst at cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 .../glibc/glibc/CVE-2018-11237.patch          | 82 +++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.27.bb         |  1 +
 2 files changed, 83 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2018-11237.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch
new file mode 100644
index 0000000000..632aa565e4
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2018-11237.patch
@@ -0,0 +1,82 @@
+From 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab at suse.de>
+Date: Tue, 22 May 2018 10:37:59 +0200
+Subject: [PATCH] Don't write beyond destination in
+ __mempcpy_avx512_no_vzeroupper (bug 23196)
+
+When compiled as mempcpy, the return value is the end of the destination
+buffer, thus it cannot be used to refer to the start of it.
+
+2018-05-23  Andreas Schwab  <schwab at suse.de>
+
+       [BZ #23196]
+       CVE-2018-11237
+       * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+       (L(preloop_large)): Save initial destination pointer in %r11 and
+       use it instead of %rax after the loop.
+       * string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
+
+CVE: CVE-2018-11237
+Upstream-Status: Backport
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst at cn.fujitsu.com>
+---
+ ChangeLog                                               | 9 +++++++++
+ string/test-mempcpy.c                                   | 1 +
+ sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index fa0a07c..bc09dec 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++2018-05-23  Andreas Schwab  <schwab at suse.de>
++
++	[BZ #23196]
++	CVE-2018-11237
++	* sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++	(L(preloop_large)): Save initial destination pointer in %r11 and
++	use it instead of %rax after the loop.
++	* string/test-mempcpy.c (MIN_PAGE_SIZE): Define.
++
+ 2018-05-09  Paul Pluzhnikov  <ppluzhnikov at google.com>
+ 
+ 	[BZ #22786]
+diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
+index c08fba8..d98ecdd 100644
+--- a/string/test-mempcpy.c
++++ b/string/test-mempcpy.c
+@@ -18,6 +18,7 @@
+    <http://www.gnu.org/licenses/>.  */
+ 
+ #define MEMCPY_RESULT(dst, len) (dst) + (len)
++#define MIN_PAGE_SIZE 131072
+ #define TEST_MAIN
+ #define TEST_NAME "mempcpy"
+ #include "test-string.h"
+diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+index 23c0f7a..a55cf6f 100644
+--- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
++++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
+@@ -335,6 +335,7 @@ L(preloop_large):
+ 	ja	L(preloop_large_bkw)
+ 	vmovups	(%rsi), %zmm4
+ 	vmovups	0x40(%rsi), %zmm5
++	mov     %rdi, %r11
+ 
+ /* Align destination for access with non-temporal stores in the loop.  */
+ 	mov	%rdi, %r8
+@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
+ 	cmp	$256, %rdx
+ 	ja	L(gobble_256bytes_nt_loop)
+ 	sfence
+-	vmovups	%zmm4, (%rax)
+-	vmovups	%zmm5, 0x40(%rax)
++	vmovups %zmm4, (%r11)
++	vmovups %zmm5, 0x40(%r11)
+ 	jmp	L(check)
+ 
+ L(preloop_large_bkw):
+-- 
+2.7.4
+
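Review bot: The fix saves the destination pointer in %r11 before L(gobble_256bytes_nt_loop) and reads it back after the loop, so it is only correct if nothing in the loop body — which lies between the two .S hunks and is not visible here — writes %r11; that should be confirmed against the full file rather than assumed from the register being caller-saved. The added `mov     %rdi, %r11` and the two new `vmovups %zmm4, (%r11)` / `vmovups %zmm5, 0x40(%r11)` lines use spaces after the mnemonic where the surrounding (and the removed) lines use a tab; matching the file's tab convention avoids noise in later diffs. `Upstream-Status: Backport` should carry the upstream reference in brackets, as the OE patch convention expects — the commit id 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e is already in the From line. The ChangeLog hunk is the part most likely to stop applying once other glibc backports land on sumo and can be dropped without affecting the fix.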
diff --git a/meta/recipes-core/glibc/glibc_2.27.bb b/meta/recipes-core/glibc/glibc_2.27.bb
index 22a9881eaf..adee494c2e 100644
--- a/meta/recipes-core/glibc/glibc_2.27.bb
+++ b/meta/recipes-core/glibc/glibc_2.27.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0030-plural_c_no_preprocessor_lines.patch \
            file://CVE-2017-18269.patch \
            file://CVE-2018-11236.patch \
+           file://CVE-2018-11237.patch \
 "
 
 NATIVESDKFIXES ?= ""
-- 
2.19.0
-------------- next part --------------
From 78f85abbc1f3fc9ae3a7276706edd94b83bb18a5 Mon Sep 17 00:00:00 2001
From: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
Date: Mon, 27 Aug 2018 22:43:19 +0530
Subject: [PATCH 3/6] libarchive: CVE-2017-14501

iso9660: validate directory record length

Affects libarchive <= 3.3.2

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 .../libarchive/CVE-2017-14501.patch           | 79 +++++++++++++++++++
 .../libarchive/libarchive_3.3.2.bb            |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch
new file mode 100644
index 0000000000..1038102e6b
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14501.patch
@@ -0,0 +1,79 @@
+From f9569c086ff29259c73790db9cbf39fe8fb9d862 Mon Sep 17 00:00:00 2001
+From: John Starks <jostarks at microsoft.com>
+Date: Wed, 25 Jul 2018 12:16:34 -0700
+Subject: [PATCH] iso9660: validate directory record length
+
+CVE: CVE-2017-14501
+Upstream-Status: Backport [https://github.com/mmatuska/libarchive/commit/13e87dcd9c37b533127cceb9f3e1e5a38d95e784]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
+---
+ libarchive/archive_read_support_format_iso9660.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
+index f01d37bf..089bb723 100644
+--- a/libarchive/archive_read_support_format_iso9660.c
++++ b/libarchive/archive_read_support_format_iso9660.c
+@@ -409,7 +409,8 @@ static int	next_entry_seek(struct archive_read *, struct iso9660 *,
+ 		    struct file_info **);
+ static struct file_info *
+ 		parse_file_info(struct archive_read *a,
+-		    struct file_info *parent, const unsigned char *isodirrec);
++		    struct file_info *parent, const unsigned char *isodirrec,
++		    size_t reclen);
+ static int	parse_rockridge(struct archive_read *a,
+ 		    struct file_info *file, const unsigned char *start,
+ 		    const unsigned char *end);
+@@ -1022,7 +1023,7 @@ read_children(struct archive_read *a, struct file_info *parent)
+ 			if (*(p + DR_name_len_offset) == 1
+ 			    && *(p + DR_name_offset) == '\001')
+ 				continue;
+-			child = parse_file_info(a, parent, p);
++			child = parse_file_info(a, parent, p, b - p);
+ 			if (child == NULL) {
+ 				__archive_read_consume(a, skip_size);
+ 				return (ARCHIVE_FATAL);
+@@ -1112,7 +1113,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
+ 	 */
+ 	seenJoliet = iso9660->seenJoliet;/* Save flag. */
+ 	iso9660->seenJoliet = 0;
+-	file = parse_file_info(a, NULL, block);
++	file = parse_file_info(a, NULL, block, vd->size);
+ 	if (file == NULL)
+ 		return (ARCHIVE_FATAL);
+ 	iso9660->seenJoliet = seenJoliet;
+@@ -1144,7 +1145,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
+ 			return (ARCHIVE_FATAL);
+ 		}
+ 		iso9660->seenJoliet = 0;
+-		file = parse_file_info(a, NULL, block);
++		file = parse_file_info(a, NULL, block, vd->size);
+ 		if (file == NULL)
+ 			return (ARCHIVE_FATAL);
+ 		iso9660->seenJoliet = seenJoliet;
+@@ -1749,7 +1750,7 @@ archive_read_format_iso9660_cleanup(struct archive_read *a)
+  */
+ static struct file_info *
+ parse_file_info(struct archive_read *a, struct file_info *parent,
+-    const unsigned char *isodirrec)
++    const unsigned char *isodirrec, size_t reclen)
+ {
+ 	struct iso9660 *iso9660;
+ 	struct file_info *file, *filep;
+@@ -1763,7 +1764,11 @@ parse_file_info(struct archive_read *a, struct file_info *parent,
+ 
+ 	iso9660 = (struct iso9660 *)(a->format->data);
+ 
+-	dr_len = (size_t)isodirrec[DR_length_offset];
++	if (reclen == 0 || reclen < (dr_len = (size_t)isodirrec[DR_length_offset])) {
++		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
++			"Invalid directory record length");
++		return (NULL);
++	}
+ 	name_len = (size_t)isodirrec[DR_name_len_offset];
+ 	location = archive_le32dec(isodirrec + DR_extent_offset);
+ 	fsize = toi(isodirrec + DR_size_offset, DR_size_size);
+-- 
+2.13.3
+
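Review bot: The new length check in parse_file_info only bounds dr_len from above by reclen (`reclen < (dr_len = ...)`); it does not establish that reclen covers the fixed-offset fields read immediately afterwards — `isodirrec[DR_name_len_offset]`, `archive_le32dec(isodirrec + DR_extent_offset)`, `toi(isodirrec + DR_size_offset, DR_size_size)` — nor does it bound name_len, so a record with dr_len of 0 and a short non-zero reclen passes the check; whether the rest of parse_file_info (outside the hunk) validates those should be confirmed. Moving the assignment out of the condition, `dr_len = (size_t)isodirrec[DR_length_offset];` followed by `if (reclen == 0 || reclen < dr_len) {`, reads more clearly than the assignment-in-comparison form. In read_children the new argument `b - p` is a pointer difference converted to size_t, so the caller's loop must guarantee p <= b; that loop header is not in the hunk. parse_file_info's body continues beyond the hunk.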
diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
index 3269716473..e3d90b276a 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
@@ -37,6 +37,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://CVE-2017-14502.patch \
            file://non-recursive-extract-and-list.patch \
            file://CVE-2017-14503.patch \
+           file://CVE-2017-14501.patch \
           "
 
 SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27"
-- 
2.19.0
-------------- next part --------------
From 57e4d8316c0c7a96913002cc78c2c4a1244919ad Mon Sep 17 00:00:00 2001
From: Sinan Kaya <okaya at kernel.org>
Date: Fri, 21 Sep 2018 04:20:44 +0000
Subject: [PATCH 4/6] busybox: CVE-2017-15874

Description:
Heap overflow in decompress_unlzma
https://nvd.nist.gov/vuln/detail/CVE-2017-15874

Fixed-by:
From: Andrej Valek <andrej.valek at siemens.com>
Subject: [PATCH] unlzma: fix another SEGV case

Backported to yocto baseline.

Signed-off-by: Sinan Kaya <okaya at kernel.org>
---
 .../busybox/busybox/CVE-2017-15874.patch      | 28 +++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.27.2.bb   |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2017-15874.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch b/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
new file mode 100644
index 0000000000..dece92c160
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
@@ -0,0 +1,28 @@
+From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux at googlemail.com>
+Date: Fri, 27 Oct 2017 15:37:03 +0200
+Subject: [PATCH] unlzma: fix SEGV, closes 10436
+
+Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
+---
+ archival/libarchive/decompress_unlzma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index 29eee2a..41e492f 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 						pos = buffer_pos - rep0;
+ 						if ((int32_t)pos < 0) {
+ 							pos += header.dict_size;
++							/* bug 10436 has an example file where this triggers: */
++							if ((int32_t)pos < 0)
++								goto bad;
++
+ 							/* see unzip_bad_lzma_2.zip: */
+ 							if (pos >= buffer_size)
+ 								goto bad;
+-- 
+2.19.0
+
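Review bot: The embedded patch header has no `Upstream-Status:` or `CVE:` line; the OE patch convention expects `Upstream-Status: Backport [<upstream commit url>]` and `CVE: CVE-2017-15874` so the provenance is recorded in the patch file itself rather than only in its filename. The outer commit message names Andrej Valek's "unlzma: fix another SEGV case" as the fix, while the embedded commit is Denys Vlasenko's e75c01bb3249df16201b482b79bb24bec3b58188 "unlzma: fix SEGV, closes 10436"; the two references disagree, and the message should say which upstream commit is the one being backported. The recipe already applies busybox-fix-lzma-segfaults.patch (visible in the SRC_URI hunk below), so it is worth checking that the added `if ((int32_t)pos < 0) goto bad;` does not duplicate or conflict with that patch's changes in the same function. unpack_lzma_stream continues outside the hunk.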
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 1ce4823d47..bab29728ee 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://busybox-CVE-2017-16544.patch \
            file://busybox-fix-lzma-segfaults.patch \
            file://umount-ignore-c.patch \
+           file://CVE-2017-15874.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
-- 
2.19.0
-------------- next part --------------
From 7ef747575350a70f8429f3094f3962bd0ed3b857 Mon Sep 17 00:00:00 2001
From: Sinan Kaya <okaya at kernel.org>
Date: Fri, 21 Sep 2018 05:26:21 +0000
Subject: [PATCH 5/6] libpng: CVE-2018-13785

Cherry-pick upstream patch:
https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2

Description of the vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2018-13785

Signed-off-by: Sinan Kaya <okaya at kernel.org>
---
 .../libpng/files/CVE-2018-13785.patch         | 35 +++++++++++++++++++
 .../libpng/libpng_1.6.34.bb                   |  4 ++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch

diff --git a/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
new file mode 100644
index 0000000000..3ffbe0813e
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
@@ -0,0 +1,35 @@
+From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta at gmail.com>
+Date: Sun, 17 Jun 2018 22:56:29 -0400
+Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
+ png_check_chunk_length
+
+(Bug report by Thuan Pham, SourceForge issue #278)
+---
+ pngrutil.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pngrutil.c b/pngrutil.c
+index 95571b517..5ba995abf 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+    {
+       png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+       size_t row_factor =
+-         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+-          + 1 + (png_ptr->interlaced? 6: 0));
++         (size_t)png_ptr->width
++         * (size_t)png_ptr->channels
++         * (png_ptr->bit_depth > 8? 2: 1)
++         + 1
++         + (png_ptr->interlaced? 6: 0);
+       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+-         idat_limit=PNG_UINT_31_MAX;
++         idat_limit = PNG_UINT_31_MAX;
+       else
+          idat_limit = png_ptr->height * row_factor;
+       row_factor = row_factor > 32566? 32566 : row_factor;
+-- 
+2.19.0
+
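Review bot: The widening to `(size_t)` only removes the overflow of `width * channels * 2` on targets where size_t is 64 bits; on an ILP32 target the product is still 32-bit arithmetic, so the overflow the fix targets can still occur there — worth checking whether upstream has a follow-up before treating the CVE as closed for 32-bit MACHINEs. The embedded patch header carries no `CVE: CVE-2018-13785` or `Upstream-Status: Backport [https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2]` lines; the outer commit message has the URL, but the tags belong in the patch file for cve-check and for future maintainers. png_check_chunk_length continues past the hunk.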
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
index e52d032289..3877d6cbf0 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
@@ -8,7 +8,9 @@ DEPENDS = "zlib"
 
 LIBV = "16"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
+           file://CVE-2018-13785.patch \
+"
 SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2"
 SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6"
 
-- 
2.19.0
-------------- next part --------------
From 68326fcd58249202c6c67a25bc47acdc4034bfb4 Mon Sep 17 00:00:00 2001
From: Sinan Kaya <okaya at kernel.org>
Date: Fri, 21 Sep 2018 16:45:30 +0000
Subject: [PATCH 6/6] sqlite3: CVE-2018-13785

port from:
https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b&diff=1&w

CVE detail:
https://nvd.nist.gov/vuln/detail/CVE-2018-8740

Signed-off-by: Sinan Kaya <okaya at kernel.org>
---
 .../sqlite/files/CVE-2018-8740.patch          | 52 +++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.22.0.bb |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2018-8740.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2018-8740.patch b/meta/recipes-support/sqlite/files/CVE-2018-8740.patch
new file mode 100644
index 0000000000..7cec1f489c
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2018-8740.patch
@@ -0,0 +1,52 @@
+From 19aed4d2be46c4516caf2bee31f79044bbd1d57d Mon Sep 17 00:00:00 2001
+From: Sinan Kaya <okaya at kernel.org>
+Date: Fri, 21 Sep 2018 16:22:01 +0000
+Subject: [PATCH] sqlite3: CVE-2018-8740
+
+port from:
+https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b&diff=1&w
+
+CVE detail:
+https://nvd.nist.gov/vuln/detail/CVE-2018-8740
+
+Signed-off-by: Sinan Kaya <okaya at kernel.org>
+---
+ sqlite3.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 73c69ef..6863bc6 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -103474,8 +103474,6 @@ SQLITE_PRIVATE void sqlite3EndTable(
+   p = pParse->pNewTable;
+   if( p==0 ) return;
+ 
+-  assert( !db->init.busy || !pSelect );
+-
+   /* If the db->init.busy is 1 it means we are reading the SQL off the
+   ** "sqlite_master" or "sqlite_temp_master" table on the disk.
+   ** So do not write to the disk again.  Extract the root page number
+@@ -103486,6 +103484,10 @@ SQLITE_PRIVATE void sqlite3EndTable(
+   ** table itself.  So mark it read-only.
+   */
+   if( db->init.busy ){
++    if( pSelect ){
++     sqlite3ErrorMsg(pParse, "");
++     return;
++    }
+     p->tnum = db->init.newTnum;
+     if( p->tnum==1 ) p->tabFlags |= TF_Readonly;
+   }
+@@ -117813,7 +117815,7 @@ static void corruptSchema(
+     char *z;
+     if( zObj==0 ) zObj = "?";
+     z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj);
+-    if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
++    if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
+     sqlite3DbFree(db, *pData->pzErrMsg);
+     *pData->pzErrMsg = z;
+   }
+-- 
+2.19.0
+
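Review bot: The outer commit subject says `sqlite3: CVE-2018-13785`, but everything inside — the patch filename, the embedded subject and the NVD link — is CVE-2018-8740; the subject should be corrected so the sumo history and cve-check bookkeeping point at the right CVE. The embedded patch header has no `CVE:` or `Upstream-Status:` tags; `CVE: CVE-2018-8740` and `Upstream-Status: Backport [<the sqlite.org vdiff URL already in the header>]` should be added. The two sqlite3.c hunks are coupled: `sqlite3ErrorMsg(pParse, "");` raises an empty message, and the corruptSchema change `if( zExtra && zExtra[0] )` appears to exist so that an empty message does not produce a dangling ` - ` suffix, so they must be backported together. sqlite3EndTable and corruptSchema both extend outside the hunk.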
diff --git a/meta/recipes-support/sqlite/sqlite3_3.22.0.bb b/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
index ef88659e97..b90f89886a 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 
 SRC_URI = "\
   http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
+  file://CVE-2018-8740.patch \
   "
 SRC_URI[md5sum] = "96b5648d542e8afa6ab7ffb8db8ddc3d"
 SRC_URI[sha256sum] = "2824ab1238b706bc66127320afbdffb096361130e23291f26928a027b885c612"
-- 
2.19.0

