11 files changed, 94 insertions, 749 deletions
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-Migrate-to-openssl-1.1.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-Migrate-to-openssl-1.1.patch
deleted file mode 100644
index 394aa16adc..0000000000
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-Migrate-to-openssl-1.1.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From c9dcb6afef9c343d070aaff208d11a997a45a105 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 5 Sep 2018 22:19:38 -0700
-Subject: [PATCH] Migrate to openssl 1.1
-Upstream-Status: Backport [https://sourceforge.net/p/ipmitool/source/ci/1664902525a1c3771b4d8b3ccab7ea1ba6b2bdd1/]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
- src/plugins/lanplus/lanplus_crypt_impl.c | 50 ++++++++++++++----------
- 1 file changed, 29 insertions(+), 21 deletions(-)
-diff --git a/src/plugins/lanplus/lanplus_crypt_impl.c b/src/plugins/lanplus/lanplus_crypt_impl.c
-index d5fac37..9652a5e 100644
--- a/src/plugins/lanplus/lanplus_crypt_impl.c
-+++ b/src/plugins/lanplus/lanplus_crypt_impl.c
-@@ -164,11 +164,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_t * iv,
-                                                        uint8_t       * output,
-                                                        uint32_t        * bytes_written)
- {
-       EVP_CIPHER_CTX ctx;
-       EVP_CIPHER_CTX_init(&ctx);
-       EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv);
-       EVP_CIPHER_CTX_set_padding(&ctx, 0);
-       
-+       EVP_CIPHER_CTX *ctx = NULL;
- 
-        *bytes_written = 0;
- 
-@@ -182,6 +178,14 @@ lanplus_encrypt_aes_cbc_128(const uint8_t * iv,
-                printbuf(input, input_length, "encrypting this data");
-        }
- 
-+       ctx = EVP_CIPHER_CTX_new();
-+       if (ctx == NULL) {
-+               lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed");
-+               return;
-+       }
-+       EVP_CIPHER_CTX_init(ctx);
-+       EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
-+       EVP_CIPHER_CTX_set_padding(ctx, 0);
- 
-        /*
-         * The default implementation adds a whole block of padding if the input
-@@ -191,28 +195,28 @@ lanplus_encrypt_aes_cbc_128(const uint8_t * iv,
-        assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0);
- 
- 
-       if(!EVP_EncryptUpdate(&ctx, output, (int *)bytes_written, input, input_length))
-+       if(!EVP_EncryptUpdate(ctx, output, (int *)bytes_written, input, input_length))
-        {
-                /* Error */
-                *bytes_written = 0;
-               return;
-        }
-        else
-        {
-                uint32_t tmplen;
- 
-               if(!EVP_EncryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen))
-+               if(!EVP_EncryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen))
-                {
-+                       /* Error */
-                        *bytes_written = 0;
-                       return; /* Error */
-                }
-                else
-                {
-                        /* Success */
-                        *bytes_written += tmplen;
-                       EVP_CIPHER_CTX_cleanup(&ctx);
-                }
-        }
-+       /* performs cleanup and free */
-+       EVP_CIPHER_CTX_free(ctx);
- }
- 
- 
-@@ -239,11 +243,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_t * iv,
-                                                        uint8_t       * output,
-                                                        uint32_t        * bytes_written)
- {
-       EVP_CIPHER_CTX ctx;
-       EVP_CIPHER_CTX_init(&ctx);
-       EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv);
-       EVP_CIPHER_CTX_set_padding(&ctx, 0);
-
-+       EVP_CIPHER_CTX *ctx = NULL;
- 
-        if (verbose >= 5)
-        {
-@@ -252,12 +252,20 @@ lanplus_decrypt_aes_cbc_128(const uint8_t * iv,
-                printbuf(input, input_length, "decrypting this data");
-        }
- 
-
-        *bytes_written = 0;
- 
-        if (input_length == 0)
-                return;
- 
-+       ctx = EVP_CIPHER_CTX_new();
-+       if (ctx == NULL) {
-+               lprintf(LOG_DEBUG, "ERROR: EVP_CIPHER_CTX_new() failed");
-+               return;
-+       }
-+       EVP_CIPHER_CTX_init(ctx);
-+       EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
-+       EVP_CIPHER_CTX_set_padding(ctx, 0);
-+
-        /*
-         * The default implementation adds a whole block of padding if the input
-         * data is perfectly aligned.  We would like to keep that from happening.
-@@ -266,33 +274,33 @@ lanplus_decrypt_aes_cbc_128(const uint8_t * iv,
-        assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0);
- 
- 
-       if (!EVP_DecryptUpdate(&ctx, output, (int *)bytes_written, input, input_length))
-+       if (!EVP_DecryptUpdate(ctx, output, (int *)bytes_written, input, input_length))
-        {
-                /* Error */
-                lprintf(LOG_DEBUG, "ERROR: decrypt update failed");
-                *bytes_written = 0;
-               return;
-        }
-        else
-        {
-                uint32_t tmplen;
- 
-               if (!EVP_DecryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen))
-+               if (!EVP_DecryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen))
-                {
-+                       /* Error */
-                        char buffer[1000];
-                        ERR_error_string(ERR_get_error(), buffer);
-                        lprintf(LOG_DEBUG, "the ERR error %s", buffer);
-                        lprintf(LOG_DEBUG, "ERROR: decrypt final failed");
-                        *bytes_written = 0;
-                       return; /* Error */
-                }
-                else
-                {
-                        /* Success */
-                        *bytes_written += tmplen;
-                       EVP_CIPHER_CTX_cleanup(&ctx);
-                }
-        }
-+       /* performs cleanup and free */
-+       EVP_CIPHER_CTX_free(ctx);
- 
-        if (verbose >= 5)
-        {
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-configure-Remove-the-logic-to-download-IANA-PEN-data.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-configure-Remove-the-logic-to-download-IANA-PEN-data.patch
new file mode 100644
index 0000000000..442f132718
--- /dev/null
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-configure-Remove-the-logic-to-download-IANA-PEN-data.patch
@@ -0,0 +1,41 @@
+From 63d72f97bd106dd2101cd7fdac6df4f7a053d67c Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 2 Sep 2022 08:27:39 -0700
+Subject: [PATCH] configure: Remove the logic to download IANA PEN database
+ during configure
+OE will do all downloading before it starts to configure therefore this
+step is moved out into bitbake recipe, so we can make it immutable build
+Upstream-Status: Inappropriate [OE-Specific]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure.ac | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+--- a/configure.ac
+++ b/configure.ac
+@@ -56,21 +56,7 @@ if test "x$exec_prefix" = "xNONE"; then
+        exec_prefix="$prefix"
+ fi
+ 
+-if test "x$WGET" = "x"; then
+-       if test "x$CURL" = "x"; then
+-               AC_MSG_WARN([** Neither wget nor curl could be found.])
+-               AC_MSG_WARN([** IANA PEN database will not be installed by `make install` !])
+-       else
+-               DOWNLOAD="$CURL --location --progress-bar"
+-               AM_CONDITIONAL([DOWNLOAD], [true])
+-       fi
+-else
+-       DOWNLOAD="$WGET -c -nd -O -"
+-       AM_CONDITIONAL([DOWNLOAD], [true])
+-fi
+-
+-AC_MSG_WARN([** Download is:])
+-AC_MSG_WARN($DOWNLOAD)
+AM_CONDITIONAL([DOWNLOAD], [false])
+ AC_SUBST(DOWNLOAD, $DOWNLOAD)
+ 
+ dnl
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
deleted file mode 100644
index eadfb7ead3..0000000000
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 24aed93efb30a8f557aedc2f03b6ccec758ccbf4 Mon Sep 17 00:00:00 2001
-From: Chrostoper Ertl <chertl@microsoft.com>
-Date: Thu, 28 Nov 2019 16:44:18 +0000
-Subject: [PATCH 1/5] fru: Fix buffer overflow in ipmi_spd_print_fru
-Partial fix for CVE-2020-5208, see
-https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
-The `ipmi_spd_print_fru` function has a similar issue as the one fixed
-by the previous commit in `read_fru_area_section`. An initial request is
-made to get the `fru.size`, which is used as the size for the allocation
-of `spd_data`. Inside a loop, further requests are performed to get the
-copy sizes which are not checked before being used as the size for a
-copy into the buffer.
-Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10]
-CVE: CVE-2020-5208
-Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
- lib/dimm_spd.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
-index 91ae117..4c9c21d 100644
--- a/lib/dimm_spd.c
-+++ b/lib/dimm_spd.c
-@@ -1014,7 +1014,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
-        struct ipmi_rq req;
-        struct fru_info fru;
-        uint8_t *spd_data, msg_data[4];
-       int len, offset;
-+       uint32_t len, offset;
- 
-        msg_data[0] = id;
- 
-@@ -1091,6 +1091,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
-                }
- 
-                len = rsp->data[0];
-+               if(rsp->data_len < 1
-+                  || len > rsp->data_len - 1
-+                  || len > fru.size - offset)
-+               {
-+                       printf(" Not enough buffer size");
-+                       return -1;
-+               }
-                memcpy(&spd_data[offset], rsp->data + 1, len);
-                offset += len;
-        } while (offset < fru.size);
-- 
-1.9.1
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
deleted file mode 100644
index b65e3ef1a6..0000000000
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From e824c23316ae50beb7f7488f2055ac65e8b341f2 Mon Sep 17 00:00:00 2001
-From: Chrostoper Ertl <chertl@microsoft.com>
-Date: Thu, 28 Nov 2019 16:33:59 +0000
-Subject: [PATCH] fru: Fix buffer overflow vulnerabilities
-Partial fix for CVE-2020-5208, see
-https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
-The `read_fru_area_section` function only performs size validation of
-requested read size, and falsely assumes that the IPMI message will not
-respond with more than the requested amount of data; it uses the
-unvalidated response size to copy into `frubuf`. If the response is
-larger than the request, this can result in overflowing the buffer.
-The same issue affects the `read_fru_area` function.
-Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2]
-CVE: CVE-2020-5208
-Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
- lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++--
- 1 file changed, 31 insertions(+), 2 deletions(-)
-diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
-index c2a139d..2e323ff 100644
--- a/lib/ipmi_fru.c
-+++ b/lib/ipmi_fru.c
-@@ -663,7 +663,10 @@ int
- read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
-                        uint32_t offset, uint32_t length, uint8_t *frubuf)
- {
-       uint32_t off = offset, tmp, finish;
-+       uint32_t off = offset;
-+       uint32_t tmp;
-+       uint32_t finish;
-+       uint32_t size_left_in_buffer;
-        struct ipmi_rs * rsp;
-        struct ipmi_rq req;
-        uint8_t msg_data[4];
-@@ -676,10 +679,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
- 
-        finish = offset + length;
-        if (finish > fru->size) {
-+               memset(frubuf + fru->size, 0, length - fru->size);
-                finish = fru->size;
-                lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
-                        "Adjusting to %d",
-                        offset + length, finish - offset);
-+               length = finish - offset;
-        }
- 
-        memset(&req, 0, sizeof(req));
-@@ -715,6 +720,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
-                }
-        }
- 
-+       size_left_in_buffer = length;
-        do {
-                tmp = fru->access ? off >> 1 : off;
-                msg_data[0] = id;
-@@ -756,9 +762,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
-                }
- 
-                tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
-+               if(rsp->data_len < 1
-+                  || tmp > rsp->data_len - 1
-+                  || tmp > size_left_in_buffer)
-+               {
-+                       printf(" Not enough buffer size");
-+                       return -1;
-+               }
-+
-                memcpy(frubuf, rsp->data + 1, tmp);
-                off += tmp;
-                frubuf += tmp;
-+               size_left_in_buffer -= tmp;
-                /* sometimes the size returned in the Info command
-                * is too large.  return 0 so higher level function
-                * still attempts to parse what was returned */
-@@ -791,7 +806,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
-                        uint32_t offset, uint32_t length, uint8_t *frubuf)
- {
-        static uint32_t fru_data_rqst_size = 20;
-       uint32_t off = offset, tmp, finish;
-+       uint32_t off = offset;
-+       uint32_t tmp, finish;
-+       uint32_t size_left_in_buffer;
-        struct ipmi_rs * rsp;
-        struct ipmi_rq req;
-        uint8_t msg_data[4];
-@@ -804,10 +821,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
- 
-        finish = offset + length;
-        if (finish > fru->size) {
-+               memset(frubuf + fru->size, 0, length - fru->size);
-                finish = fru->size;
-                lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
-                        "Adjusting to %d",
-                        offset + length, finish - offset);
-+               length = finish - offset;
-        }
- 
-        memset(&req, 0, sizeof(req));
-@@ -822,6 +841,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
-        if (fru->access && fru_data_rqst_size > 16)
- #endif
-                fru_data_rqst_size = 16;
-+
-+       size_left_in_buffer = length;
-        do {
-                tmp = fru->access ? off >> 1 : off;
-                msg_data[0] = id;
-@@ -853,8 +874,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
-                }
- 
-                tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
-+               if(rsp->data_len < 1
-+                  || tmp > rsp->data_len - 1
-+                  || tmp > size_left_in_buffer)
-+               {
-+                       printf(" Not enough buffer size");
-+                       return -1;
-+               }
-                memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
-                off += tmp;
-+               size_left_in_buffer -= tmp;
- 
-                /* sometimes the size returned in the Info command
-                * is too large.  return 0 so higher level function
-- 
-2.17.1
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-hpmfwupg-move-variable-definition-to-.c-file.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-hpmfwupg-move-variable-definition-to-.c-file.patch
deleted file mode 100644
index a765c3ab2f..0000000000
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-hpmfwupg-move-variable-definition-to-.c-file.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 3f7bb7218181745ca7762c1b4832cbb1c9e692f5 Mon Sep 17 00:00:00 2001
-From: Vaclav Dolezal <vdolezal@redhat.com>
-Date: Thu, 23 Jan 2020 11:26:32 +0100
-Subject: [PATCH] hpmfwupg: move variable definition to .c file
-Upstream-Status: Pending
-Signed-off-by: Vaclav Dolezal <vdolezal@redhat.com>
---
- include/ipmitool/ipmi_hpmfwupg.h | 2 +-
- lib/ipmi_hpmfwupg.c              | 2 ++
- 2 files changed, 3 insertions(+), 1 deletion(-)
-diff --git a/include/ipmitool/ipmi_hpmfwupg.h b/include/ipmitool/ipmi_hpmfwupg.h
-index de65292..07f597b 100644
--- a/include/ipmitool/ipmi_hpmfwupg.h
-+++ b/include/ipmitool/ipmi_hpmfwupg.h
-@@ -800,7 +800,7 @@ typedef struct _VERSIONINFO {
-        char descString[HPMFWUPG_DESC_STRING_LENGTH + 1];
- }VERSIONINFO, *PVERSIONINFO;
- 
-VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX];
-+extern VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX];
- 
- #define TARGET_VER (0x01)
- #define ROLLBACK_VER (0x02)
-diff --git a/lib/ipmi_hpmfwupg.c b/lib/ipmi_hpmfwupg.c
-index bbcffc0..d7cdcd6 100644
--- a/lib/ipmi_hpmfwupg.c
-+++ b/lib/ipmi_hpmfwupg.c
-@@ -58,6 +58,8 @@ ipmi_intf_get_max_request_data_size(struct ipmi_intf * intf);
- 
- extern int verbose;
- 
-+VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX];
-+
- int HpmfwupgUpgrade(struct ipmi_intf *intf, char *imageFilename,
-                int activate, int, int);
- int HpmfwupgValidateImageIntegrity(struct HpmfwupgUpgradeCtx *pFwupgCtx);
-- 
-2.28.0
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-ipmi_fru.c-Provide-missing-function-declarations.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-ipmi_fru.c-Provide-missing-function-declarations.patch
new file mode 100644
index 0000000000..704bbdb5c7
--- /dev/null
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-ipmi_fru.c-Provide-missing-function-declarations.patch
@@ -0,0 +1,34 @@
+From e5bbf96edf776821f29ab67baed22a690bf8ab10 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 2 Sep 2022 07:30:10 -0700
+Subject: [PATCH] ipmi_fru.c: Provide missing function declarations
+Fixes build with clang-15+
+Upstream-Status: Submitted [https://github.com/ipmitool/ipmitool/pull/360]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/ipmi_fru.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
+index 3d1d8a1..5c5661c 100644
+--- a/lib/ipmi_fru.c
+++ b/lib/ipmi_fru.c
+@@ -60,6 +60,13 @@ static const char *section_id[4] = {
+        "Board Section",
+        "Product Section"
+ };
+/* From lib/ipmi_hpmfwupg.c: */
+uint16_t
+ipmi_intf_get_max_request_data_size(struct ipmi_intf * intf);
+
+/* From src/plugins/ipmi_intf.c: */
+uint16_t
+ipmi_intf_get_max_response_data_size(struct ipmi_intf * intf);
+ 
+ static const char * combined_voltage_desc[] = {
+        "12 V",
+-- 
+2.37.3
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
deleted file mode 100644
index b8742b1a81..0000000000
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 81144cfba131b4ddbfcf9c530274b23bfc7e0ea8 Mon Sep 17 00:00:00 2001
-From: Chrostoper Ertl <chertl@microsoft.com>
-Date: Thu, 28 Nov 2019 16:51:49 +0000
-Subject: [PATCH 2/5] session: Fix buffer overflow in ipmi_get_session_info
-Partial fix for CVE-2020-5208, see
-https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
-The `ipmi_get_session_info` function does not properly check the
-response `data_len`, which is used as a copy size, allowing stack buffer
-overflow.
-Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22]
-CVE: CVE-2020-5208
-Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
- lib/ipmi_session.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
-index 4855bc4..71bef4c 100644
--- a/lib/ipmi_session.c
-+++ b/lib/ipmi_session.c
-@@ -319,8 +319,10 @@ ipmi_get_session_info(struct ipmi_intf         * intf,
-                }
-                else
-                {
-                       memcpy(&session_info,  rsp->data, rsp->data_len);
-                       print_session_info(&session_info, rsp->data_len);
-+                       memcpy(&session_info,  rsp->data,
-+                              __min(rsp->data_len, sizeof(session_info)));
-+                       print_session_info(&session_info,
-+                                          __min(rsp->data_len, sizeof(session_info)));
-                }
-                break;
-                
-@@ -351,8 +353,10 @@ ipmi_get_session_info(struct ipmi_intf         * intf,
-                                break;
-                        }
- 
-                       memcpy(&session_info,  rsp->data, rsp->data_len);
-                       print_session_info(&session_info, rsp->data_len);
-+                       memcpy(&session_info,  rsp->data,
-+                              __min(rsp->data_len, sizeof(session_info)));
-+                       print_session_info(&session_info,
-+                                          __min(rsp->data_len, sizeof(session_info)));
-                        
-                } while (i <= session_info.session_slot_count);
-                break;
-- 
-1.9.1
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-channel-Fix-buffer-overflow.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-channel-Fix-buffer-overflow.patch
deleted file mode 100644
index deebd356a7..0000000000
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-channel-Fix-buffer-overflow.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 5057761e30e3a7682edab60f98f631616392ddc6 Mon Sep 17 00:00:00 2001
-From: Chrostoper Ertl <chertl@microsoft.com>
-Date: Thu, 28 Nov 2019 16:56:38 +0000
-Subject: [PATCH 3/3] channel: Fix buffer overflow
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Partial fix for CVE-2020-5208, see
-https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
-The `ipmi_get_channel_cipher_suites` function does not properly check
-the final response’s `data_len`, which can lead to stack buffer overflow
-on the final copy.
-Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4]
-CVE: CVE-2020-5208
-[Make some changes to apply it]
-Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
- include/ipmitool/ipmi_channel.h |  2 ++
- lib/ipmi_channel.c              | 10 ++++++++--
- 2 files changed, 10 insertions(+), 2 deletions(-)
-diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h
-index b138c26..d7cce5e 100644
--- a/include/ipmitool/ipmi_channel.h
-+++ b/include/ipmitool/ipmi_channel.h
-@@ -77,6 +77,8 @@ struct channel_access_t {
-        uint8_t user_level_auth;
- };
- 
-+#define MAX_CIPHER_SUITE_DATA_LEN 0x10
-+
- /*
-  * The Get Authentication Capabilities response structure
-  * From table 22-15 of the IPMI v2.0 spec
-diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
-index fab2e54..76ecdcd 100644
--- a/lib/ipmi_channel.c
-+++ b/lib/ipmi_channel.c
-@@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
-                lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
-                return -1;
-        }
-       if (rsp->ccode > 0) {
-+       if (rsp->ccode
-+           || rsp->data_len < 1
-+           || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
-+       {
-                lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
-                        val2str(rsp->ccode, completion_code_vals));
-                return -1;
-@@ -413,7 +416,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
-                        lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
-                        return -1;
-                }
-               if (rsp->ccode > 0) {
-+               if (rsp->ccode
-+                   || rsp->data_len < 1
-+                   || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
-+               {
-                        lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
-                                        val2str(rsp->ccode, completion_code_vals));
-                        return -1;
-- 
-2.18.1
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
deleted file mode 100644
index b5ce9e92ec..0000000000
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From e6aa6076f65e71544bd6450d20d943d7baaccb9f Mon Sep 17 00:00:00 2001
-From: Chrostoper Ertl <chertl@microsoft.com>
-Date: Thu, 28 Nov 2019 17:06:39 +0000
-Subject: [PATCH 4/5] lanp: Fix buffer overflows in get_lan_param_select
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Partial fix for CVE-2020-5208, see
-https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
-The `get_lan_param_select` function is missing a validation check on the
-response’s `data_len`, which it then returns to caller functions, where
-stack buffer overflow can occur.
-Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10]
-CVE: CVE-2020-5208
-[Make some changes to apply it]
-Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
- lib/ipmi_lanp.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c
-index 060e753..dee21ee 100644
--- a/lib/ipmi_lanp.c
-+++ b/lib/ipmi_lanp.c
-@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
-                if (p == NULL) {
-                        return (-1);
-                }
-               memcpy(data, p->data, p->data_len);
-+               memcpy(data, p->data, __min(p->data_len, sizeof(data)));
-                /* set new ipaddr */
-                memcpy(data+3, temp, 4);
-                printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert,
-@@ -1932,7 +1932,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
-                if (p == NULL) {
-                        return (-1);
-                }
-               memcpy(data, p->data, p->data_len);
-+               memcpy(data, p->data, __min(p->data_len, sizeof(data)));
-                /* set new macaddr */
-                memcpy(data+7, temp, 6);
-                printf("Setting LAN Alert %d MAC Address to "
-@@ -1947,7 +1947,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
-                if (p == NULL) {
-                        return (-1);
-                }
-               memcpy(data, p->data, p->data_len);
-+               memcpy(data, p->data, __min(p->data_len, sizeof(data)));
- 
-                if (strncasecmp(argv[1], "def", 3) == 0 ||
-                    strncasecmp(argv[1], "default", 7) == 0) {
-@@ -1973,7 +1973,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
-                if (p == NULL) {
-                        return (-1);
-                }
-               memcpy(data, p->data, p->data_len);
-+               memcpy(data, p->data, __min(p->data_len, sizeof(data)));
- 
-                if (strncasecmp(argv[1], "on", 2) == 0 ||
-                    strncasecmp(argv[1], "yes", 3) == 0) {
-@@ -1998,7 +1998,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
-                if (p == NULL) {
-                        return (-1);
-                }
-               memcpy(data, p->data, p->data_len);
-+               memcpy(data, p->data, __min(p->data_len, sizeof(data)));
- 
-                if (strncasecmp(argv[1], "pet", 3) == 0) {
-                        printf("Setting LAN Alert %d destination to PET Trap\n", alert);
-@@ -2026,7 +2026,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
-                if (p == NULL) {
-                        return (-1);
-                }
-               memcpy(data, p->data, p->data_len);
-+               memcpy(data, p->data, __min(p->data_len, sizeof(data)));
- 
-                if (str2uchar(argv[1], &data[2]) != 0) {
-                        lprintf(LOG_ERR, "Invalid time: %s", argv[1]);
-@@ -2042,7 +2042,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
-                if (p == NULL) {
-                        return (-1);
-                }
-               memcpy(data, p->data, p->data_len);
-+               memcpy(data, p->data, __min(p->data_len, sizeof(data)));
- 
-                if (str2uchar(argv[1], &data[3]) != 0) {
-                        lprintf(LOG_ERR, "Invalid retry: %s", argv[1]);
-- 
-1.9.1
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0005-fru-sdr-Fix-id_string-buffer-overflows.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0005-fru-sdr-Fix-id_string-buffer-overflows.patch
deleted file mode 100644
index cf8b9254c8..0000000000
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool/0005-fru-sdr-Fix-id_string-buffer-overflows.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From 26e64ca78ae844c5ceedde89531e2924d7d4594c Mon Sep 17 00:00:00 2001
-From: Chrostoper Ertl <chertl@microsoft.com>
-Date: Thu, 28 Nov 2019 17:13:45 +0000
-Subject: [PATCH 5/5] fru, sdr: Fix id_string buffer overflows
-Final part of the fixes for CVE-2020-5208, see
-https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
-9 variants of stack buffer overflow when parsing `id_string` field of
-SDR records returned from `CMD_GET_SDR` command.
-SDR record structs have an `id_code` field, and an `id_string` `char`
-array.
-The length of `id_string` is calculated as `(id_code & 0x1f) + 1`,
-which can be larger than expected 16 characters (if `id_code = 0xff`,
-then length will be `(0xff & 0x1f) + 1 = 32`).
-In numerous places, this can cause stack buffer overflow when copying
-into fixed buffer of size `17` bytes from this calculated length.
-Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637]
-CVE: CVE-2020-5208
-Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
- lib/ipmi_fru.c |  2 +-
- lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++----------------
- 2 files changed, 25 insertions(+), 17 deletions(-)
-diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
-index b71ea23..1decea2 100644
--- a/lib/ipmi_fru.c
-+++ b/lib/ipmi_fru.c
-@@ -3038,7 +3038,7 @@ ipmi_fru_print(struct ipmi_intf * intf, struct sdr_record_fru_locator * fru)
-                return 0;
- 
-        memset(desc, 0, sizeof(desc));
-       memcpy(desc, fru->id_string, fru->id_code & 0x01f);
-+       memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc)));
-        desc[fru->id_code & 0x01f] = 0;
-        printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id);
- 
-diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c
-index fa7b082..175a86f 100644
--- a/lib/ipmi_sdr.c
-+++ b/lib/ipmi_sdr.c
-@@ -2113,7 +2113,7 @@ ipmi_sdr_print_sensor_eventonly(struct ipmi_intf *intf,
-                return -1;
- 
-        memset(desc, 0, sizeof (desc));
-       snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string);
-+       snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string);
- 
-        if (verbose) {
-                printf("Sensor ID              : %s (0x%x)\n",
-@@ -2164,7 +2164,7 @@ ipmi_sdr_print_sensor_mc_locator(struct ipmi_intf *intf,
-                return -1;
- 
-        memset(desc, 0, sizeof (desc));
-       snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string);
-+       snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string);
- 
-        if (verbose == 0) {
-                if (csv_output)
-@@ -2257,7 +2257,7 @@ ipmi_sdr_print_sensor_generic_locator(struct ipmi_intf *intf,
-        char desc[17];
- 
-        memset(desc, 0, sizeof (desc));
-       snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string);
-+       snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string);
- 
-        if (!verbose) {
-                if (csv_output)
-@@ -2314,7 +2314,7 @@ ipmi_sdr_print_sensor_fru_locator(struct ipmi_intf *intf,
-        char desc[17];
- 
-        memset(desc, 0, sizeof (desc));
-       snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string);
-+       snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string);
- 
-        if (!verbose) {
-                if (csv_output)
-@@ -2518,35 +2518,43 @@ ipmi_sdr_print_name_from_rawentry(struct ipmi_intf *intf,uint16_t id,
- 
-    int rc =0;
-    char desc[17];
-+   const char *id_string;
-+   uint8_t id_code;
-    memset(desc, ' ', sizeof (desc));
- 
-    switch ( type) {
-       case SDR_RECORD_TYPE_FULL_SENSOR:
-       record.full = (struct sdr_record_full_sensor *) raw;
-      snprintf(desc, (record.full->id_code & 0x1f) +1, "%s",
-               (const char *)record.full->id_string);
-+      id_code = record.full->id_code;
-+      id_string = record.full->id_string;
-       break;
-+
-       case SDR_RECORD_TYPE_COMPACT_SENSOR:
-       record.compact = (struct sdr_record_compact_sensor *) raw        ;
-      snprintf(desc, (record.compact->id_code & 0x1f)  +1, "%s",
-               (const char *)record.compact->id_string);
-+      id_code = record.compact->id_code;
-+      id_string = record.compact->id_string;
-       break;
-+
-       case SDR_RECORD_TYPE_EVENTONLY_SENSOR:
-       record.eventonly  = (struct sdr_record_eventonly_sensor *) raw ;
-      snprintf(desc, (record.eventonly->id_code & 0x1f)  +1, "%s",
-               (const char *)record.eventonly->id_string);
-      break;            
-+      id_code = record.eventonly->id_code;
-+      id_string = record.eventonly->id_string;
-+      break;
-+
-       case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR:
-       record.mcloc  = (struct sdr_record_mc_locator *) raw ;
-      snprintf(desc, (record.mcloc->id_code & 0x1f)  +1, "%s",
-               (const char *)record.mcloc->id_string);         
-+      id_code = record.mcloc->id_code;
-+      id_string = record.mcloc->id_string;
-       break;
-+
-       default:
-       rc = -1;
-      break;
-   }   
-+   }
-+   if (!rc) {
-+       snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string);
-+   }
- 
-      lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
-+   lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
-    return rc;
- }
- 
-- 
-1.9.1
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb b/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.19.bb
index 3337fe5006..0a600e23bb 100644
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.19.bb
@@ -21,24 +21,31 @@ LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=9aa91e13d644326bf281924212862184"
 DEPENDS = "openssl readline ncurses"
+SRCREV = "19d78782d795d0cf4ceefe655f616210c9143e62"
-SRC_URI = "${SOURCEFORGE_MIRROR}/ipmitool/ipmitool-${PV}.tar.bz2 \
+SRC_URI = "git://github.com/ipmitool/ipmitool;protocol=https;branch=master \
-           file://0001-Migrate-to-openssl-1.1.patch \
+           ${IANA_ENTERPRISE_NUMBERS} \
-           file://0001-fru-Fix-buffer-overflow-vulnerabilities.patch \
+           file://0001-ipmi_fru.c-Provide-missing-function-declarations.patch \
-           file://0001-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch \
+           file://0001-configure-Remove-the-logic-to-download-IANA-PEN-data.patch \
-           file://0002-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch \
-           file://0003-channel-Fix-buffer-overflow.patch \
-           file://0004-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch \
-           file://0005-fru-sdr-Fix-id_string-buffer-overflows.patch \
-           file://0001-hpmfwupg-move-variable-definition-to-.c-file.patch \
           "
-SRC_URI[md5sum] = "bab7ea104c7b85529c3ef65c54427aa3"
+IANA_ENTERPRISE_NUMBERS ?= ""
-SRC_URI[sha256sum] = "0c1ba3b1555edefb7c32ae8cd6a3e04322056bc087918f07189eeedfc8b81e01"
+# Add these via bbappend if this database is needed by the system
+#IANA_ENTERPRISE_NUMBERS ?= "http://www.iana.org/assignments/enterprise-numbers;name=iana-enterprise-numbers;downloadfilename=iana-enterprise-numbers"
+#SRC_URI[iana-enterprise-numbers.sha256sum] = "cdd97fc08325667434b805eb589104ae63f7a9eb720ecea73cb55110b383934c"
+S = "${WORKDIR}/git"
 inherit autotools
+do_install:append() {
+        if [ -e ${WORKDIR}/iana-enterprise-numbers ]; then
+                install -Dm 0755 ${WORKDIR}/iana-enterprise-numbers ${D}${datadir}/misc/enterprise-numbers
+        fi
+}
 PACKAGES =+ "${PN}-ipmievd"
 FILES:${PN}-ipmievd += "${sbindir}/ipmievd"
+FILES:${PN} += "${datadir}/misc"
 # --disable-dependency-tracking speeds up the build
 # --enable-file-security adds some security checks