iptables: upgrade 1.8.2 -> 1.8.3

Remove upstreamed patches and manually package symlinks which aren't handled by do_split_package. Changelog: http://git.netfilter.org/iptables/log/?qt=range&q=v1.8.3...v1.8.2 (From OE-Core rev: 845af88f86f143ca0b119f0489397cd505571cae) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-04 23:02:22 +02:00 · 2019-07-22 08:22:56 +08:00
parent c46f497dbb
commit f7e07e4acd
3 changed files with 9 additions and 182 deletions
--- a/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
+++ b/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
@@ -1,61 +0,0 @@
-From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
-Date: Wed, 14 Nov 2018 07:35:28 +0100
-Subject: extensions: format-security fixes in libip[6]t_icmp
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-introduced support for gcc feature to check format string against passed
-argument.  This commit adds missing bits to extenstions's libipt_icmp.c
-and libip6t_icmp6.c that were causing build to fail.
-
-Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
-Upstream-Status: Backport
---
- extensions/libip6t_icmp6.c | 4 ++--
- extensions/libipt_icmp.c   | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
-index 45a71875..cc7bfaeb 100644
--- a/extensions/libip6t_icmp6.c
-+++ b/extensions/libip6t_icmp6.c
-@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- 	type_name = icmp6_type_xlate(icmptype);
- 
- 	if (type_name) {
-		xt_xlate_add(xl, type_name);
-+		xt_xlate_add(xl, "%s", type_name);
- 	} else {
- 		for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
- 			if (icmpv6_codes[i].type == icmptype &&
-@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- 				break;
- 
- 		if (i != ARRAY_SIZE(icmpv6_codes))
-			xt_xlate_add(xl, icmpv6_codes[i].name);
-+			xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
- 		else
- 			return 0;
- 	}
-diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
-index 54189976..e76257c5 100644
--- a/extensions/libipt_icmp.c
-+++ b/extensions/libipt_icmp.c
-@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- 			if (icmp_codes[i].type == icmptype &&
- 			    icmp_codes[i].code_min == code_min &&
- 			    icmp_codes[i].code_max == code_max) {
-				xt_xlate_add(xl, icmp_codes[i].name);
-+				xt_xlate_add(xl, "%s", icmp_codes[i].name);
- 				return 1;
- 			}
- 	}
-- 
-cgit v1.2.1
-
--- a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
+++ b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
@@ -1,117 +0,0 @@
-From 2ae1099a42e6a0f06de305ca13a842ac83d4683e Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Mon, 22 Apr 2019 23:17:27 +0200
-Subject: [PATCH] xshared: check for maximum buffer length in
- add_param_to_argv()
-
-Bail out if we go over the boundary, based on patch from Sebastian.
-
-Reported-by: Sebastian Neef <contact@0day.work>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
-Upstream-Status: Backport
-CVE: CVE-2019-11360
-Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
- iptables/xshared.c | 46 ++++++++++++++++++++++++++++------------------
- 1 file changed, 28 insertions(+), 18 deletions(-)
-
-diff --git a/iptables/xshared.c b/iptables/xshared.c
-index fb186fb1..36a2ec5f 100644
--- a/iptables/xshared.c
-+++ b/iptables/xshared.c
-@@ -433,10 +433,24 @@ void save_argv(void)
- 	}
- }
- 
-+struct xt_param_buf {
-+	char	buffer[1024];
-+	int 	len;
-+};
-+
-+static void add_param(struct xt_param_buf *param, const char *curchar)
-+{
-+	param->buffer[param->len++] = *curchar;
-+	if (param->len >= sizeof(param->buffer))
-+		xtables_error(PARAMETER_PROBLEM,
-+			      "Parameter too long!");
-+}
-+
- void add_param_to_argv(char *parsestart, int line)
- {
-	int quote_open = 0, escaped = 0, param_len = 0;
-	char param_buffer[1024], *curchar;
-+	int quote_open = 0, escaped = 0;
-+	struct xt_param_buf param = {};
-+	char *curchar;
- 
- 	/* After fighting with strtok enough, here's now
- 	 * a 'real' parser. According to Rusty I'm now no
-@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
- 	for (curchar = parsestart; *curchar; curchar++) {
- 		if (quote_open) {
- 			if (escaped) {
-				param_buffer[param_len++] = *curchar;
-+				add_param(&param, curchar);
- 				escaped = 0;
- 				continue;
- 			} else if (*curchar == '\\') {
-@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
- 				quote_open = 0;
- 				*curchar = '"';
- 			} else {
-				param_buffer[param_len++] = *curchar;
-+				add_param(&param, curchar);
- 				continue;
- 			}
- 		} else {
-@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
- 		case ' ':
- 		case '\t':
- 		case '\n':
-			if (!param_len) {
-+			if (!param.len) {
- 				/* two spaces? */
- 				continue;
- 			}
- 			break;
- 		default:
- 			/* regular character, copy to buffer */
-			param_buffer[param_len++] = *curchar;
-
-			if (param_len >= sizeof(param_buffer))
-				xtables_error(PARAMETER_PROBLEM,
-					      "Parameter too long!");
-+			add_param(&param, curchar);
- 			continue;
- 		}
- 
-		param_buffer[param_len] = '\0';
-+		param.buffer[param.len] = '\0';
- 
- 		/* check if table name specified */
-		if ((param_buffer[0] == '-' &&
-		     param_buffer[1] != '-' &&
-		     strchr(param_buffer, 't')) ||
-		    (!strncmp(param_buffer, "--t", 3) &&
-		     !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
-+		if ((param.buffer[0] == '-' &&
-+		     param.buffer[1] != '-' &&
-+		     strchr(param.buffer, 't')) ||
-+		    (!strncmp(param.buffer, "--t", 3) &&
-+		     !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
- 			xtables_error(PARAMETER_PROBLEM,
- 				      "The -t option (seen in line %u) cannot be used in %s.\n",
- 				      line, xt_params->program_name);
- 		}
- 
-		add_argv(param_buffer, 0);
-		param_len = 0;
-+		add_argv(param.buffer, 0);
-+		param.len = 0;
- 	}
- }
- 
-- 
-2.17.1
-
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -10,12 +10,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
           file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
-           file://0003-extensions-format-security-fixes-in-libipt_icmp.patch  \
-           file://CVE-2019-11360.patch \
 "

-SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599"
-SRC_URI[sha256sum] = "a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af"
+SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
+SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"

 inherit autotools pkgconfig

@@ -49,6 +47,13 @@ python populate_packages_prepend() {

 FILES_${PN} += "${datadir}/xtables"

+# Include the symlinks as well in respective packages
+FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
+FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
+
+INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
+INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
+
 ALLOW_EMPTY_${PN}-modules = "1"

 RDEPENDS_${PN} = "${PN}-module-xt-standard"