Commit Graph

3221 Commits

Author SHA1 Message Date
Siddharth Doshi
94a4d7746d vim: Upgrade 9.1.0682 -> 9.1.0698
This includes CVE-fix for CVE-2024-43790 and CVE-2024-43802

Changes between 9.1.0682 -> 9.1.0698
====================================
https://github.com/vim/vim/compare/v9.1.0682...v9.1.0698

(From OE-Core rev: 45ef5c80b1085d88d08679025bab13161c1f1fb2)

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e530265415d93e3f49ec7874cf720aad18ab2e22)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-11-02 06:32:36 -07:00
Mingli Yu
e54070cd37 curl: free old conn better on reuse
Backport a patch [1] to free old conn better on reuse to
fix the memory leak issue [2].

[1] https://github.com/curl/curl/commit/06d1210
[2] https://github.com/curl/curl/issues/8841

(From OE-Core rev: fbb820cdfc480e2481d51b9a1057454832f02b23)

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-10-07 05:43:22 -07:00
Peter Marko
3a172a5aa5 gnupg: Document CVE-2022-3219 and mark wontfix
(From OE-Core rev: f10f9c3a8d2c17d5a6c3f0b00749e5b34a66e090)

(From OE-Core rev: fe094c2d50ffe11627efa6c0807a289c1ee6eb74)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-10-07 05:43:22 -07:00
Vijay Anusuri
f5c9fab6c4 curl: backport Debian patch for CVE-2024-8096
import patch from ubuntu to fix
 CVE-2024-8096

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit aeb1a281ca]

Reference:
https://curl.se/docs/CVE-2024-8096.html

(From OE-Core rev: 5383b18d4f8023b49cdadf7c777aaecf55d95dc1)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-10-07 05:43:22 -07:00
Vijay Anusuri
62de516d0e apr: upgrade 1.7.2 -> 1.7.5
Refreshed patch 0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch

Includes security fix
CVE-2023-49582

changelog:
https://downloads.apache.org/apr/CHANGES-APR-1.7

(From OE-Core rev: 4eb12d8683bd22b6503a64070b81b52f0d2f373a)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-07 05:38:17 -07:00
Vrushti Dabhi
dd123d8eda sqlite3: Rename patch for CVE-2022-35737
The patch "0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch"
fixes CVE-2022-35737.

(From OE-Core rev: 9a875873e566a6673a65a8264fd0868c568e2a2c)

Signed-off-by: Vrushti Dabhi <vrushti.dabhi@einfochips.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-07 05:38:17 -07:00
Vrushti Dabhi
bf6aca4b29 sqlite3: CVE-ID correction for CVE-2023-7104
- The commit [https://sqlite.org/src/info/0e4e7a05c4204b47]
  ("Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset.")
  fixes CVE-2023-7104 instead of CVE-2022-46908.
- Hence, corrected the CVE-ID in CVE-2023-7104.patch.
- Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-7104

(From OE-Core rev: 9d7f21f3d0ae24d0005076396e9a929bb32d648e)

Signed-off-by: Vrushti Dabhi <vrushti.dabhi@einfochips.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-07 05:38:17 -07:00
Siddharth Doshi
cada1f30e8 vim: Upgrade 9.1.0114 -> 9.1.0682
This includes CVE-fix for CVE-2024-41957, CVE-2024-41965 and CVE-2024-43374

Changes between 9.1.0114 -> 9.1.0682
====================================
https://github.com/vim/vim/compare/v9.1.0114...v9.1.0682

Note:
====
Removed patch "vim-add-knob-whether-elf.h-are-checked.patch" as libelf checks are removed from configure.ac as per
commit 1acc67ac44

(From OE-Core rev: 3312a57ce631ea6235055b3d4b4ac31d06c8a2ae)

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6d2938e53cad5d9bf2e78a5403e9f9fab1db77b4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-04 05:57:57 -07:00
Hitendra Prajapati
92cb089717 vim: upgrade from 9.0.2190 -> 9.1.0114
https://www.vim.org/vim-9.1-released.php

Vim 9.1 is available

The Vim project is happy to announce that Vim 9.1 has finally been released.
This release is dedicated to Bram Moolenaar, Vim's lead developer for more
than 30 years, who passed away half a year ago. The Vim project wouldn't
exist without his work!

Vim 9.1 is mainly a bug fix release, it contains hundreds of bug fixes, a
few new features and there are many minor improvements.

Changes:
https://github.com/vim/vim/compare/v9.0.2190...v9.1.0114

CVE: CVE-2024-22667
(includes commit b39b240c38)

(From OE-Core rev: d5ae0ec5eca9324cffaa8f95d2cbdd8475979c45)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-04 05:57:57 -07:00
Peter Marko
1f5be803ee curl: Ignore CVE-2024-32928
This CVE affects Google Cloud services that utilize libcurl wrongly.

(From OE-Core rev: 27ac7879711e7119b4ec8b190b0a9da5b3ede269)
Changed CVE ignore syntax

(From OE-Core rev: ad703de483258f459acc6a40385ad00a5182eb64)

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-04 05:57:57 -07:00
Peter Marko
da07e6ee34 libyaml: Ignore CVE-2024-35325
This is a similar CVE to the previous ones from the same author.
https://github.com/yaml/libyaml/issues/303 explains why this is misuse
(or wrong use) of libyaml.

(From OE-Core rev: a28240d49c111050e253e373507ac3094b74f6e1)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-04 05:57:57 -07:00
Guocai He
2b5ca6638e libsoup: fix compile error on centos7
Backport a patch [1] to fix the below build failure.

FAILED: libsoup/libsoup-2.4.so.1.11.0.p/soup-address.c.o
In file included from /usr/include/glib-2.0/gio/gnetworking.h:40,
                 from ../libsoup-2.72.0/libsoup/soup-address.c:14:
/usr/include/resolv.h:75:15: error: unknown type name ‘u_char’
         const u_char **__query,
               ^~~~~~

[1] 5c3d431bdb

(From OE-Core rev: 963085afced737863cf4ff8515a1cf08365d5d87)

Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-28 06:49:22 -07:00
Siddharth Doshi
da71261344 curl: Security fix for CVE-2024-7264
Upstream-Status: Backport from [27959ecce7]

CVE's Fixed:
============
CVE-2024-7264 libcurl: ASN.1 date parser overread

(From OE-Core rev: cf0b1ed6c4cd9f61e39befb9c9785b1433777988)

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-28 06:49:22 -07:00
Peter Marko
0d356a401d libyaml: ignore CVE-2024-35326
This is the same problem as already ignored CVE-2024-35328.
See also this comment in addition:
https://github.com/yaml/libyaml/issues/298#issuecomment-2167684233

(From OE-Core rev: 18e011245dd978985eecc368c503822f61d52f21)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-28 06:49:22 -07:00
Peter Marko
25a9b7b70c libyaml: Update status of CVE-2024-35328
This is open yet but seems to be disputed
This has not yet been disputed officially

Based on:
OE-Core rev: 4cba8ad405b1728afda3873f99ac88711ab85644
OE-Core rev: 7ec7384837f3e3fb68b25a6108ed7ec0f261a4aa
OE-Core rev: c66d9a2a0d197498fa21ee8ca51a4afb59f75473
Squashed and converted to CVE_CHECK_IGNORE syntax

(From OE-Core rev: 70489234bff3f2b8613ce6f8069bae448fbc61ed)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-16 08:09:14 -07:00
Archana Polampalli
43b8c2ab9f gnutls: fix CVE-2024-28835
A flaw has been discovered in GnuTLS where an application crash can be induced
when attempting to verify a specially crafted .pem bundle using the
"certtool --verify-chain" command.

(From OE-Core rev: e63819fbabbde3d12df06ae302da70ab990df26d)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-05-02 06:21:09 -07:00
Archana Polampalli
65303b3236 gnutls: fix CVE-2024-28834
A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability
that exploits deterministic behavior in systems like GnuTLS, leading to
side-channel leaks. In specific scenarios, such as when using the
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in
nonce size from 513 to 512 bits, exposing a potential timing side-channel.

(From OE-Core rev: 18c4f65934331da48c597201c33334578e91a45d)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-05-02 06:21:09 -07:00
Soumya Sambu
9babd9f028 nghttp2: Fix CVE-2024-28182
nghttp2 is an implementation of the Hypertext Transfer Protocol
version 2 in C. The nghttp2 library prior to version 1.61.0 keeps
reading the unbounded number of HTTP/2 CONTINUATION frames even
after a stream is reset to keep HPACK context in sync. This
causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0
mitigates this vulnerability by limiting the number of CONTINUATION
frames it accepts per stream. There is no workaround for this
vulnerability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-28182

(From OE-Core rev: 85e65af4727695d61c225a5911325764f423c331)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-04-21 06:33:34 -07:00
Meenali Gupta
888ea24812 libssh2: fix CVE-2023-48795
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-48795

(From OE-Core rev: a4a727839e608d114becc709c511651b4f546c6f)

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-04-21 06:33:34 -07:00
Vijay Anusuri
418e54ce5c curl: backport Debian patch for CVE-2024-2398
import patch from ubuntu to fix
 CVE-2024-2398

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Fjammy-security
Upstream commit deca803999]

(From OE-Core rev: 67026cbb62e166b6a9f5509708531ebe0f36c36d)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-04-05 07:23:59 -07:00
aszh07
cf1c9d3daa nghttp2: fix CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly, as exploited in
the wild in August through October 2023.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
72b4af6143

(From OE-Core rev: 0156b57dcdb2e5acdd9421a7c24c235f13da2d97)

Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-04-05 07:23:58 -07:00
Ross Burton
f517fe8929 curl: don't enable debug builds
In oe-core 27824261 --enable-debug was added to the configure arguments
to turn on debugging symbols.  However, enabling debug mode does more
than turn on debugging symbols and introduces some codepaths that can be
controlled with environment variables.  Bluntly, the curl maintainer
says that --enable-debug should not be used in production:

https://curl.se/mail/lib-2023-01/0039.html

I did a build and verified that the curl-dbg package doesn't massively
shrink, so the debug symbols are still being built.

Remove the debug options and hide them behind a PACKAGECONFIG, with a
comment that it should not be used in production.

(From OE-Core rev: 01440b4968ded30c1970c335fe1598b684527831)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-02-28 03:32:09 -10:00
Tim Orling
20fc6b4b82 vim: upgrade v9.0.2130 -> v9.0.2190
This is the latest/last of the 9.0.z upgrades, since 9.1 is now
released.

CVE: CVE-2024-22667
(includes the patch for .2142 b39b240c38)

Changes:
https://github.com/vim/vim/compare/v9.0.2130...v9.0.2190

(From OE-Core rev: e7976311a79f05608bbac46a5699ef9206a2aaf5)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-02-28 03:32:09 -10:00
Soumya Sambu
d83cb2d0e5 libgit2: Fix CVE-2024-24575 and CVE-2024-24577
CVE-2024-24575:
libgit2 is a portable C implementation of the Git core methods provided
as a linkable library with a solid API, allowing to build Git functionality
into your application. Using well-crafted inputs to `git_revparse_single`
can cause the function to enter an infinite loop, potentially causing a
Denial of Service attack in the calling application. The revparse function
in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec
string. There is an edge-case during parsing that allows a bad actor to
force the loop conditions to access arbitrary memory. Potentially, this
could also leak memory if the extracted rev spec is reflected back to the
attacker. As such, libgit2 versions before 1.4.0 are not affected. Users
should upgrade to version 1.6.5 or 1.7.2.

CVE-2024-24577:
libgit2 is a portable C implementation of the Git core methods provided
as a linkable library with a solid API, allowing to build Git functionality
into your application. Using well-crafted inputs to `git_index_add` can
cause heap corruption that could be leveraged for arbitrary code execution.
There is an issue in the `has_dir_name` function in `src/libgit2/index.c`,
which frees an entry that should not be freed. The freed entry is later
used and overwritten with potentially bad actor-controlled data leading to
controlled heap corruption. Depending on the application that uses libgit2,
this could lead to arbitrary code execution. This issue has been patched
in version 1.6.5 and 1.7.2.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-24575
https://security-tracker.debian.org/tracker/CVE-2024-24575
https://nvd.nist.gov/vuln/detail/CVE-2024-24577
https://security-tracker.debian.org/tracker/CVE-2024-24577

(From OE-Core rev: 942254eb3ef29c8672a35015c086721c4fbe5a4f)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-02-15 03:51:57 -10:00
Archana Polampalli
51e62bcbaf curl: Fix CVE-2023-46219
When saving HSTS data to an excessively long file name, curl could end up
removing all contents, making subsequent requests using that file unaware
of the HSTS status they should otherwise use.

(From OE-Core rev: e0f503594e7bc0da9771b69ca7243a34dcadbdde)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-02-15 03:51:56 -10:00
Peter Marko
817f0e1f89 curl: ignore CVE-2023-42915
This CVE reports that Apple had to upgrade curl because of other
already reported CVEs:
* CVE-2023-38039: not affected, introduced in 7.84.0
* CVE-2023-38545: patch already backported
* CVE-2023-38546: patch already backported
* CVE-2023-42915: reference to itself

(From OE-Core rev: 2771a1248a251650f6e2e64731f56ed928c29ce5)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-02-09 03:46:50 -10:00
Vijay Anusuri
80b4e5f953 gnutls: Fix for CVE-2024-0553 and CVE-2024-0567
CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

CVE-2024-0567
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

Upstream-Status: Backport
[40dbbd8de4 & 9edbdaa84e]

Reference: https://ubuntu.com/security/CVE-2024-0553
           https://ubuntu.com/security/CVE-2024-0567

(From OE-Core rev: de74fd5dea8cc71af1d457b4e688cfbe0f39e4d8)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-01-24 04:04:55 -10:00
Peter Marko
76d570000e sqlite3: backport patch for CVE-2023-7104
Backport https://sqlite.org/src/info/0e4e7a05c4204b47

(From OE-Core rev: 31fb83ac3dcd2dd55b184de22a296ab4dc150d2e)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-01-21 08:50:38 -10:00
Poonam Jadhav
33faa4d392 Revert "curl: Backport fix CVE-2023-32001"
This reverts commit 5eab65275d.

CVE-2023-32001 has been marked "REJECT" in the NVD CVE List as
there is no safe measure against it.
These CVEs are stored in the NVD, but do not show up in search results.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-32001

(From OE-Core rev: a3b6216bcb3425b6e30ca73488a5eb6ba58e4836)

Signed-off-by: Poonam Jadhav poonam.jadhav@kpit.com
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-01-21 08:50:38 -10:00
Poonam Jadhav
7008d999c5 curl: Fix CVE-2023-46218
Add patch to fix CVE-2023-46218

Link: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/curl/7.88.1-8ubuntu2.4/curl_7.88.1-8ubuntu2.4.debian.tar.xz
      https://github.com/curl/curl/commit/2b0994c29a721c91c57

(From OE-Core rev: f27a93299f554e0bde610f70e6a042b4a24abf20)

Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-12-22 16:36:54 -10:00
Vijay Anusuri
82802901c6 gnutls: Backport fix for CVE-2023-5981
Upstream-Status: Backport [import from debian https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.7.3-4ubuntu1.3/gnutls28_3.7.3-4ubuntu1.3.debian.tar.xz
Upstream-Commit: 29d6298d0b]

References:
https://ubuntu.com/security/CVE-2023-5981

(From OE-Core rev: 421b468cf48f0d2c493356f482d92e61e39d7e0e)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-12-15 04:00:33 -10:00
Tim Orling
93d2e547d1 vim: upgrade 9.0.2068 -> 9.0.2130
https://github.com/vim/vim/compare/v9.0.2068...v9.0.2130

CVE: CVE-2023-48231
CVE: CVE-2023-48232
CVE: CVE-2023-48233
CVE: CVE-2023-48234
CVE: CVE-2023-48235
CVE: CVE-2023-48236
CVE: CVE-2023-48237

(From OE-Core rev: 7a6aab8b28b57bbaa4d4cf436a8cae18f1a43eba)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 5978d565a9e700485fc563dfe2e3c0045dd74b59)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-12-12 04:20:34 -10:00
Archana Polampalli
d1b9e2acaa vim: Upgrade 9.0.2048 -> 9.0.2068
This includes CVE fix for CVE-2023-46246.
9198c1f2b (tag: v9.0.2068) patch 9.0.2068: [security] overflow in :history

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46246

(From OE-Core rev: 8c83a25494f99ebe63f59a267001e4a19d0a6b14)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 63bc72ccb63d2f8eb591d7cc481657a538f0fd42)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-12-02 16:36:56 -10:00
Steve Sakoman
51a2c26e29 vim: use upstream generated .po files
A previous commit attempted to fix reproducibility errors by forcing
regeneration of .po files. Unfortunately this triggered a different
type of reproducibility issue.

Work around this by adjusting the timestamps of the troublesome .po
files so they are not regenerated and we use the shipped upstream
versions of the files.

The shipped version of ru.cp1251.po doesn't seem to have been created
with the vim tooling and specifies CP1251 instead of cp1251, fix that.

(From OE-Core rev: 3c1e35562c31b8fa94ea10d18ddfdb4267566bf3)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 13d9551ba626f001c71bf908df16caf1d739cf13)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-12-02 16:36:56 -10:00
Richard Purdie
f46bb8ad10 vim: Improve locale handling
When making checkouts from git, the timestamps can vary and occasionally two files
can end up with the same stamp. This triggers make to regenerate ru.cp1251.po from
ru.po for example. If it isn't regenerated, the output isn't quite the same leading
to reproducibility issues (CP1251 vs cp1251).

Since we added all locales to buildtools tarball now, we can drop the locale
restrictions too. We need to generate a native binary for the sjis conversion
tool so also tweak that.

(From OE-Core rev: b2e62fb4d52b019728a4920553fa24f4626b881a)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 042c1a501b1dae5ddb31307b461be02c3591c589)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-12-02 16:36:56 -10:00
Archana Polampalli
715fc203c2 curl: fix CVE-2023-38546
A flaw was found in the Curl package. This flaw allows an attacker to insert
cookies into a running program using libcurl if the specific series of conditions are met.

(From OE-Core rev: 9c0c09b81594979aafd74511366316419d23046e)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-11-01 05:01:25 -10:00
Archana Polampalli
e9a7427077 curl: fix CVE-2023-38545
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.

(From OE-Core rev: 44971c945a615d07c91100f514377f7247796334)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-11-01 05:01:25 -10:00
Siddharth Doshi
a6f551f516 vim: Upgrade 9.0.2009 -> 9.0.2048
This includes CVE fix for CVE-2023-5535.

(From OE-Core rev: 7681436190354b5c5b6c3a82b3094badd81113de)

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-10-25 04:45:50 -10:00
Siddharth Doshi
9d5d4218ec vim: Upgrade 9.0.1894 -> 9.0.2009
This includes CVE fix for CVE-2023-5441.

(From OE-Core rev: 6c88137d4ab36054ac97cff0457d78ef503f383e)

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-10-18 05:13:24 -10:00
Richard Purdie
cb2e2c6d2a vim: Upgrade 9.0.1664 -> 9.0.1894
This includes multiple CVE fixes.

The license change is due to changes in maintainership, the license
itself is unchanged.

(From OE-Core rev: 5f78a010a4ff53f4a216ec2ebe9b7a44c5c88790)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 91e66b93a0c0928f0c2cfe78e22898a6c9800f34)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-09-23 05:26:15 -10:00
Archana Polampalli
98393b32a9 vim: upgrade 9.0.1592 -> 9.0.1664
Fixes:
https://nvd.nist.gov/vuln/detail/CVE-2023-3896
8154e642a (tag: v9.0.1664) patch 9.0.1664: divide by zero when scrolling with 'smoothscroll' set

(From OE-Core rev: d5ba3546053cff49ee1ea66a97fe4b4a0aa76308)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4a1ab744142c9229f03a359b45e5e89a1fbae0d3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-09-23 05:26:15 -10:00
Etienne Cordonnier
aaa6a4947d vim: update obsolete comment
vim 8.3 has been out for a long time, so this comment is obsolete.
However we still need UPSTREAM_VERSION_UNKNOWN, since we ignore
the last digit of the upstream version number.

Test result:
$ devtool check-upgrade-status vim
  ...
  INFO: vim                       9.0.1592        UNKNOWN         Tom Rini <trini@konsulko.com> c0370529c027abc5b1698d53fcfb8c02a0c515da

(From OE-Core rev: 65f5de85c3f488136d1ec2b1f7fe8d8426d6c5b3)

(From OE-Core rev: 72af322b6b8afd64a59b30a4f0fc3f8c6dfaa06a)

Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 868a19357841470eb55fb7f1c4ab1af09dea99ed)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-09-23 05:26:15 -10:00
Chee Yang Lee
91ea1ab7c6 libssh2: fix CVE-2020-22218
(From OE-Core rev: a0b41511766130883e93b5b8a07801a836beeb67)

Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-09-08 16:09:41 -10:00
Yogita Urade
1cae56f216 nghttp2: fix CVE-2023-35945
Envoy is a cloud-native high-performance edge/middle/service
proxy. Envoy’s HTTP/2 codec may leak a header map and
bookkeeping structures upon receiving `RST_STREAM` immediately
followed by the `GOAWAY` frames from an upstream server. In
nghttp2, cleanup of pending requests due to receipt of the
`GOAWAY` frame skips de-allocation of the bookkeeping structure
and pending compressed header. The error return [code path] is
taken if connection is already marked for not sending more
requests due to `GOAWAY` frame. The clean-up code is right after
the return statement, causing memory leak. Denial of service
through memory exhaustion. This vulnerability was patched in
version(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-35945
https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r

(From OE-Core rev: 0e6eb0f417079eaf76b003973c9d93338e6363b5)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-08-30 04:46:36 -10:00
Richard Purdie
8f53c7b151 acl/attr: ptest fixes and improvements
Add a missing perl module dependency for the ptest packages and also
improve the run-ptest script so that the error log is saved allowing
easier debugging if this fails in future.

(From OE-Core rev: fbb9c596b8e6a8a1260dd7aefddf138d20bf64df)

(From OE-Core rev: 5908ccf65b5ca4a0473a57774f06515d6bc9f56c)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c948fa025)
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-08-26 04:24:02 -10:00
Ashish Sharma
5eab65275d curl: Backport fix CVE-2023-32001
(From OE-Core rev: 10df7553d1107438408f680ac28a2daf87d4163e)

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-08-19 05:56:58 -10:00
Peter Marko
9ceede321a libpcre2: patch CVE-2022-41409
Backport commit mentioned in NVD DB links.
94e1c00176

(From OE-Core rev: 410cdbc70cfba709ec5bef508e772f52514ba28a)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-08-07 04:40:43 -10:00
Wang Mingyu
f51ce76cd8 libksba: upgrade 1.6.3 -> 1.6.4
Changelog:
Correctly detect CMS write errors.

(From OE-Core rev: 4bc2f5c3a46b76d152fda326f7c8227fe938b97e)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0296cf63007542c1cb209a4288be1c82aa2ba843)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-08-02 04:47:13 -10:00
Wang Mingyu
f01294ea24 libassuan: upgrade 2.5.5 -> 2.5.6
Changelog:
===========
 * Fix logging of confidential data.  [rA0fc31770fa]
 * Fix memory wiping.  [T5977]
 * Fix macOS build problem.  [T5440,T5610]
 * Upgrade autoconf stuff.

(From OE-Core rev: a905094c4e7ff3475de657adcf7a0afcc132191a)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 90126be6dc32170c08eb90223b6a6cc06c2133ce)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-08-02 04:47:13 -10:00
Trevor Gamblin
4a93bab7a4 vim: upgrade 9.0.1527 -> 9.0.1592
Fixes:

https://nvd.nist.gov/vuln/detail/CVE-2023-2609
d1ae836 patch 9.0.1531: crash when register contents ends up being invalid
https://nvd.nist.gov/vuln/detail/CVE-2023-2610
ab9a2d8 patch 9.0.1532: crash when expanding "~" in substitute causes very long text

(From OE-Core rev: a71153cb0a509456dd36466ac15a603f953eb6b8)

Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1e4b4dfb4145bc00eb6937b5f54a41170e9a5b4c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-07-21 06:27:34 -10:00