From b6d4cd74cebeded8a49c06c6d7a52c32769f3ed8 Mon Sep 17 00:00:00 2001
From: Martin Borg
Date: Thu, 1 Mar 2018 10:39:47 +0100
Subject: freetype/libarchive/gnutls: Drop CVE patches

The CVEs have been fixed in upstream poky/rocko.

Signed-off-by: Martin Borg
---
 .../libarchive/CVE-2016-10349_CVE-2016-10350.patch | 40 ----------
 .../libarchive/libarchive/CVE-2017-5601.patch | 28 --------
 recipes-extended/libarchive/libarchive_%.bbappend | 6 --
 .../freetype/freetype/CVE-2017-8105.patch | 77 ----------------------
 recipes-graphics/freetype/freetype_%.bbappend | 5 --
 recipes-support/gnutls/gnutls/CVE-2017-7868.patch | 59 -----------------
 recipes-support/gnutls/gnutls_%.bbappend | 5 --
 7 files changed, 220 deletions(-)
 delete mode 100644 recipes-extended/libarchive/libarchive/CVE-2016-10349_CVE-2016-10350.patch
 delete mode 100644 recipes-extended/libarchive/libarchive/CVE-2017-5601.patch
 delete mode 100644 recipes-extended/libarchive/libarchive_%.bbappend
 delete mode 100644 recipes-graphics/freetype/freetype/CVE-2017-8105.patch
 delete mode 100644 recipes-graphics/freetype/freetype_%.bbappend
 delete mode 100644 recipes-support/gnutls/gnutls/CVE-2017-7868.patch
 delete mode 100644 recipes-support/gnutls/gnutls_%.bbappend

diff --git a/recipes-extended/libarchive/libarchive/CVE-2016-10349_CVE-2016-10350.patch b/recipes-extended/libarchive/libarchive/CVE-2016-10349_CVE-2016-10350.patch
deleted file mode 100644
index f2a922d..0000000
--- a/recipes-extended/libarchive/libarchive/CVE-2016-10349_CVE-2016-10350.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 88eb9e1d73fef46f04677c25b1697b8e25777ed3 Mon Sep 17 00:00:00 2001
-From: Joerg Sonnenberger
-Date: Thu, 1 Dec 2016 19:56:43 +0100
-Subject: [PATCH] Reread the CAB header skipping the self-extracting binary
- code.
-
-Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15 as found
-by the "OSS-Fuzz" project.
-
-CVE: CVE-2016-10349 CVE-2016-10350
-Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3]
-
-Signed-off-by: Sona Sarmadi
----
- libarchive/archive_read_support_format_cab.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/libarchive/archive_read_support_format_cab.c b/libarchive/archive_read_support_format_cab.c
-index fc70684..099f4a8 100644
---- a/libarchive/archive_read_support_format_cab.c
-+++ b/libarchive/archive_read_support_format_cab.c
-@@ -645,12 +645,13 @@ cab_read_header(struct archive_read *a)
- cab = (struct cab *)(a->format->data);
- if (cab->found_header == 0 &&
- p[0] == 'M' && p[1] == 'Z') {
-- /* This is an executable? Must be self-extracting... */
-+ /* This is an executable? Must be self-extracting... */
- err = cab_skip_sfx(a);
- if (err < ARCHIVE_WARN)
- return (err);
-
-- if ((p = __archive_read_ahead(a, sizeof(*p), NULL)) == NULL)
-+ /* Re-read header after processing the SFX. */
-+ if ((p = __archive_read_ahead(a, 42, NULL)) == NULL)
- return (truncated_error(a));
- }
-
---
-1.9.1
-
diff --git a/recipes-extended/libarchive/libarchive/CVE-2017-5601.patch b/recipes-extended/libarchive/libarchive/CVE-2017-5601.patch
deleted file mode 100644
index a5298f5..0000000
--- a/recipes-extended/libarchive/libarchive/CVE-2017-5601.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 98dcbbf0bf4854bf987557e55e55fff7abbf3ea9 Mon Sep 17 00:00:00 2001
-From: Martin Matuska
-Date: Thu, 19 Jan 2017 22:00:18 +0100
-Subject: [PATCH] Fail with negative lha->compsize in lha_read_file_header_1()
- Fixes a heap buffer overflow reported in Secunia SA74169
-
-CVE: CVE-2017-5601
-Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9.patch]
-
-Signed-off-by: Sona Sarmadi
----
- libarchive/archive_read_support_format_lha.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c
-index 52a5531b0..d77a7c2e4 100644
---- a/libarchive/archive_read_support_format_lha.c
-+++ b/libarchive/archive_read_support_format_lha.c
-@@ -924,6 +924,9 @@ lha_read_file_header_1(struct archive_read *a, struct lha *lha)
- /* Get a real compressed file size. */
- lha->compsize -= extdsize - 2;
-
-+ if (lha->compsize < 0)
-+ goto invalid; /* Invalid compressed file size */
-+
- if (sum_calculated != headersum) {
- archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
- "LHa header sum error");
diff --git a/recipes-extended/libarchive/libarchive_%.bbappend b/recipes-extended/libarchive/libarchive_%.bbappend
deleted file mode 100644
index 6c273a6..0000000
--- a/recipes-extended/libarchive/libarchive_%.bbappend
+++ /dev/null
@@ -1,6 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2017-5601.patch \
- file://CVE-2016-10349_CVE-2016-10350.patch \
- "
diff --git a/recipes-graphics/freetype/freetype/CVE-2017-8105.patch b/recipes-graphics/freetype/freetype/CVE-2017-8105.patch
deleted file mode 100644
index 00c1d9d..0000000
--- a/recipes-graphics/freetype/freetype/CVE-2017-8105.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 239ef121fed25aa478b740bf52dce4db1a00ba59 Mon Sep 17 00:00:00 2001
-From: Sona Sarmadi
-Date: Mon, 28 Aug 2017 14:12:29 +0200
-Subject: [PATCH] freetype: fix for CVE-2017-8105
-
-[psaux] Better protect `flex' handling.
-
-Reported as
-
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
-
-* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
-: Since there is not a single flex operator but a
-series of subroutine calls, malformed fonts can call arbitrary other
-operators after the start of a flex, possibly adding points. For
-this reason we have to check the available number of points before
-inserting a point.
-
-CVE: CVE-2017-8105
-Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791]
-
-Signed-off-by: Sona Sarmadi
----
- ChangeLog | 15 +++++++++++++++
- src/psaux/t1decode.c | 9 +++++++++
- 2 files changed, 24 insertions(+)
-
-diff --git a/ChangeLog b/ChangeLog
-index 23f5748..2f89909 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,18 @@
-+2017-03-23 Werner Lemberg
-+
-+ [psaux] Better protect `flex' handling.
-+
-+ Reported as
-+
-+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
-+
-+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
-+ : Since there is not a single flex operator but a
-+ series of subroutine calls, malformed fonts can call arbitrary other
-+ operators after the start of a flex, possibly adding points. For
-+ this reason we have to check the available number of points before
-+ inserting a point.
-+
- 2016-09-08 Werner Lemberg
-
- * Version 2.7.1 released.
-diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
-index 1cd9d73..bc5e3d2 100644
---- a/src/psaux/t1decode.c
-+++ b/src/psaux/t1decode.c
-@@ -780,10 +780,19 @@
- /* point without adding any point to the outline */
- idx = decoder->num_flex_vectors++;
- if ( idx > 0 && idx < 7 )
-+ {
-+ /* in malformed fonts it is possible to have other */
-+ /* opcodes in the middle of a flex (which don't */
-+ /* increase `num_flex_vectors'); we thus have to */
-+ /* check whether we can add a point */
-+ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
-+ goto Syntax_Error;
-+
- t1_builder_add_point( builder,
- x,
- y,
- (FT_Byte)( idx == 3 || idx == 6 ) );
-+ }
- }
- break;
-
---
-1.9.1
-
diff --git a/recipes-graphics/freetype/freetype_%.bbappend b/recipes-graphics/freetype/freetype_%.bbappend
deleted file mode 100644
index cd1be4b..0000000
--- a/recipes-graphics/freetype/freetype_%.bbappend
+++ /dev/null
@@ -1,5 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2017-8105.patch \
- "
diff --git a/recipes-support/gnutls/gnutls/CVE-2017-7868.patch b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
deleted file mode 100644
index dca7861..0000000
--- a/recipes-support/gnutls/gnutls/CVE-2017-7868.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos
-Date: Mon, 20 Feb 2017 11:13:08 +0100
-Subject: [PATCH] cdk_pkt_read: enforce packet limits
-
-That ensures that there are no overflows in the subsequent
-calculations.
-
-Resolves the oss-fuzz found bug:
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
-
-Relates: #159
-
-CVE: CVE-2017-7869
-Upstream-Status: Backport
-
-Signed-off-by: Nikos Mavrogiannopoulos
-Signed-off-by: Sona Sarmadi
----
- lib/opencdk/read-packet.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
-index 8055a63..ead6480 100644
---- a/lib/opencdk/read-packet.c
-+++ b/lib/opencdk/read-packet.c
-@@ -950,6 +950,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen)
- return 0;
- }
-
-+#define MAX_PACKET_LEN (1<<24)
-
- /**
- * cdk_pkt_read:
-@@ -1002,6 +1003,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
- else
- read_old_length(inp, ctb, &pktlen, &pktsize);
-
-+ /* enforce limits to ensure that the following calculations
-+ * do not overflow */
-+ if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) {
-+ _cdk_log_info("cdk_pkt_read: too long packet\n");
-+ return gnutls_assert_val(CDK_Inv_Packet);
-+ }
-+
- pkt->pkttype = pkttype;
- pkt->pktlen = pktlen;
- pkt->pktsize = pktsize + pktlen;
-@@ -1026,6 +1034,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
- break;
-
- case CDK_PKT_USER_ID:
-+
- pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id
- + pkt->pktlen + 1);
- if (!pkt->pkt.user_id)
---
-libgit2 0.26.0
-
diff --git a/recipes-support/gnutls/gnutls_%.bbappend b/recipes-support/gnutls/gnutls_%.bbappend
deleted file mode 100644
index d2d927c..0000000
--- a/recipes-support/gnutls/gnutls_%.bbappend
+++ /dev/null
@@ -1,5 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2017-7868.patch \
- "
--
cgit v1.2.3-54-g00ecf