A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug
is triggered within the sms_decode_address_field() function during the SMS
PDU decoding. It is assumed that the attack scenario is accessible from a compromised
modem, a malicious base station, or just SMS.
(From OE-Core rev: 996c03dfb5295ec38286dee37c70c700b88e0a1e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug
is triggered within the decode_submit_report() function during the SMS decoding.
It is assumed that the attack scenario is accessible from a compromised modem,
a malicious base station, or just SMS. There is a bound check for this memcpy
length in decode_submit(), but it was forgotten in decode_submit_report().
(From OE-Core rev: 51cf006ac7b5b97e65864fb1cb6f5b47192c4ebf)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If DROPBEAR_RSAKEY_DIR has already been set before, e.g. by overwriting
the file dropbear.default, the line will still be appended a second time.
DROPBEAR_RSAKEY_DIR="/path/to/dropbear"
DROPBEAR_EXTRA_ARGS="-B"
DROPBEAR_RSAKEY_DIR=/var/lib/dropbear
(Backport of rev: 6045314d29)
(From OE-Core rev: 8a502301209ef144932ef5071c1a9b738db23270)
Signed-off-by: Michael Glembotzki <Michael.Glembotzki@iris-sensing.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw has been discovered in GnuTLS where an application crash can be induced
when attempting to verify a specially crafted .pem bundle using the
"certtool --verify-chain" command.
(From OE-Core rev: e63819fbabbde3d12df06ae302da70ab990df26d)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability
that exploits deterministic behavior in systems like GnuTLS, leading to
side-channel leaks. In specific scenarios, such as when using the
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in
nonce size from 513 to 512 bits, exposing a potential timing side-channel.
(From OE-Core rev: 18c4f65934331da48c597201c33334578e91a45d)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
nghttp2 is an implementation of the Hypertext Transfer Protocol
version 2 in C. The nghttp2 library prior to version 1.61.0 keeps
reading the unbounded number of HTTP/2 CONTINUATION frames even
after a stream is reset to keep HPACK context in sync. This
causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0
mitigates this vulnerability by limiting the number of CONTINUATION
frames it accepts per stream. There is no workaround for this
vulnerability.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-28182
(From OE-Core rev: 85e65af4727695d61c225a5911325764f423c331)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2024-24576 only applies when invoking batch files (with the `bat` and `cmd` extensions) on Windows & No other platform or use is affected.
More details about CVE is here: https://nvd.nist.gov/vuln/detail/CVE-2024-24576
(From OE-Core rev: 44e0b6b028657d32de5971d6a42a88767ef8c710)
Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These test suites are full of timing-sensitive test cases, so skip
them too.
[ YOCTO #15321 ]
(From OE-Core rev: f94c74cee8b2650dd3211a49dc7e88bf60d2e6a7)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dd06c3668dbe9ec1cf9a0a84d7a6bc9851f9c662)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There are several tests in the test suite which are very dependent on
timing and fail on a loaded host system, so skip them.
[ YOCTO #14825#14882#15081 ]
(From OE-Core rev: 161d336a6c57fddb36a0c4e8c2def84ce70128e3)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 68beb4f4b5a0bea5d431decddf7656f18ac7a04a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Some tests hardcode assumptions on locales, which may not be present in
musl systems e.g., therefore add a way to skip such tests using -skip
option.
Skip unixInit-3* test on musl
(From OE-Core rev: a70f9039259d7d38c5a3e50f7003d3228d1ab692)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit fa66f1cee2d88c2276442e8b4aaeccde5490f9ea)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add CVE-2023-51767 to CVE_CHECK_IGNORE to avoid in cve-check reports
as upstream does not consider CVE-2023-51767 a bug underlying in
OpenSSH and does not intent to address it in OpenSSH.
(From OE-Core rev: de4186610335201c69d8952d605bb291f4a7427c)
Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
Signed-off-by: Sana Kazi <sana.kazisk19@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2023-47100 is a duplicate of CVE-2023-47038. They have the same
advertised fix commit, which has already been merged into the
perl_5.34.3 sources used in kirkstone.
(From OE-Core rev: 8df158f39f1eed1e3ae88ddf935c67e067b72525)
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Typo prevents cupsd to start correctly with following error:
Unable to read "/etc/cups/cupsd.conf" due to errors.
Using `/usr/sbin/cupsd -t` to check the configuration:
Unknown authorization type Defaul on line 77 of /etc/cups/cupsd.conf.
Unknown Policy Limit directive AuthType on line 77 of /etc/cups/cupsd.conf.
(From OE-Core rev: eab100205bc5cdffc5ccc7752e1ee5abd9ebb58a)
Signed-off-by: Jonathan GUILLOT <jonathan@joggee.fr>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backports missing license from master to kirkstone.
(From OE-Core rev: 26a878cbfbb3bc7a6e892e105577ebf8138ce150)
Signed-off-by: Colin McAllister <colin.mcallister@garmin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When using the gcc-sanitizers as part of the SDK on a Linux with a newer
kernel, the ASAN fails randomly. This was seen on Ubuntu 22.04.
This is also described at
https://stackoverflow.com/questions/77894856/possible-bug-in-gcc-sanitizers
Backport the fix from LLVM project, as gcc has not yet backported
anything for the 11 series.
(From OE-Core rev: 7af8e24d6c60a01e398b10a57939947fb156feec)
Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
https://github.com/urllib3/urllib3/releases/tag/1.26.18
Major changes in python3-urllib3 1.26.18:
- Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (CVE-2023-45803)
(cherry picked from OE-Core rev: 74da05b63634c248910594456dae286947f33da5)
(From OE-Core rev: c473f32184ea0ab41f6eb4c8dcc1d7bb5fd7b16f)
Signed-off-by: Tan Wen Yan <wen.yan.tan@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
libexpat through 2.5.0 allows a denial of service (resource consumption) because
many full reparsings are required in the case of a large token for which multiple
buffer fills are needed.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52425
Changes related to test directory are not included as most of the files are not present
and are introduced in the later version.
(From OE-Core rev: 1bdcd10930a2998f6bbe56b3ba4c9b6c91203b39)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly, as exploited in
the wild in August through October 2023.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4448772b4af6143
(From OE-Core rev: 0156b57dcdb2e5acdd9421a7c24c235f13da2d97)
Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
calling 'sync' from do_compile in the middle of big OE world
build harms the build time.
(From OE-Core rev: b2de7d75692fd4c9e0a6f46a099b89089edb10d4)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
==========
wireless-regdb: update regulatory database based on preceding changes
wireless-regdb: Update regulatory rules for Australia (AU) for June 2023
wireless-regdb: Update regulatory info for Türkiye (TR)
wireless-regdb: Update regulatory rules for Egypt (EG) from March 2022 guidel...
wireless-regdb: Update regulatory rules for Philippines (PH)
(From OE-Core rev: 3af65ed130493e14a87818b76b06f9ca7c717874)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2f5edb6904bf16a9c52a9b124aeb5297487cd716)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When a CVE is updated to be rejected, matching database entries must be
removed. Otherwise:
* an incremental update is not equivalent the to an initial download.
* rejected CVEs might still appear as Unpatched in cve-check.
(From OE-Core rev: 717f0df5f35272f7706e4f92cc8b57cdda8066b6)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f276a980b8930b98e6c8f0e1a865d77dfcfe5085)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When a CVE is created, it often has no precise version information and
this is stored as "-" (matching any version). After an update, version
information is added. The previous "-" must be removed, otherwise, the
CVE is still "Unpatched" for cve-check.
(From OE-Core rev: 38402b5e89d43bf2a45c8f5f2d631033be5019cd)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 641ae3f36e09af9932dc33043a0a5fbfce62122e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a URL to the doc of the API used in the function.
... and fix a small typo dabase -> database
(From OE-Core rev: a98387021d80b5055a773f909eb685513902fb12)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e0157b3b81333a24abd31dbb23a6abebca3e7ba7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE_CHECK_DB_FILE is already defined in cve-check.bbclass which is
always inherited in cve-update-nvd2-native (There is a check line 40).
Remove it to avoid confusion. Otherwise, this should not change
anything.
(From OE-Core rev: b6285f0549d1c708adfe147c63eb6cda24462ff3)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5f3f223885c17b7007c310273fc7c80b90a4105)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a new variable "CVE_DB_INCR_UPDATE_AGE_THRES", which can be used to
specify the maximum age of the database for doing an incremental update
For older databases, a full re-download is done.
With a value of "0", this forces a full-redownload.
(From OE-Core rev: 5259971a4785e7f664c0f588f34f8ef537c5c4c5)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 74c1765111b6610348eae4b7e41d7045ce58ef86)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in Expat (libexpat). If XML_DTD is undefined at compile time, a
recursive XML Entity Expansion condition can be triggered.This issue may lead to
a condition where data is expanded exponentially, which will quickly consume system
resources and cause a denial of service.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52426https://github.com/libexpat/libexpat/pull/777
(From OE-Core rev: aa20dd9eb68f04a5f1556123ad1b2398de911d93)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
