Since Linux v2.4 it has been possible to stop all NFS server by running
rpc.nfsd 0
i.e. by requesting that zero threads be running. This is preferred as
it doesn't risk killing some other process which happens to be called
"nfsd".
Since Linux v6.6 - and other stable kernels to which
Commit: 390390240145 ("nfsd: don't allow nfsd threads to be
signalled.")
has been backported - sending a signal no longer works to stop nfs server
threads.
This patch changes the nfsserver script to use "rpc.nfsd 0" to stop
server threads.
(From OE-Core rev: 415e73d53e5342f3f6ff6acd521ded2df3fbca1f)
Signed-off-by: NeilBrown <neil@brown.name>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7b09ad289a36)
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen) without a check for whether
the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be
larger than the amount of remaining packet data in the current state
of parsing. Values of stack memory locations may be sent over the
network in a response.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32366
Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4
(From OE-Core rev: 1b9156124b4a07e0e3e0ab09e87d654eae6c7b4e)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32743
Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
(From OE-Core rev: ece0fb01bf28fa114f0a6e479491b4b6f565c80c)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch to remove vulnerable component.
This is a breaking change, but there will be no other fix for this CVE
as upstream did the deletion without providing a fix first.
If someone really needs this feature, which the commit message describes
as deprecated, bbappend with patch removal is possible.
License-Update: passprompt plugin removed
(From OE-Core rev: d04a2b5f4899845429e1c5893535f5df1221fcbf)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Picked [1] per link in [2].
[1] 07272b05b0
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-13176
(From OE-Core rev: cb18163c11d7f8b62b829f203b00a4e14513c6cf)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Picked upstream commit
https://repo.or.cz/socat.git/commitdiff/4ee1f31cf80019c5907876576d6dfd49368d660f
Since this was the only commit in 1.8.0.2 it also contained release
changes which were dropped.
(From OE-Core rev: aa3187749ae9e04b91ad18be733ce09be63a50db)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2024-52616:
A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs
randomly only once at startup, incrementing them sequentially after that. This
predictable behavior facilitates DNS spoofing attacks, allowing attackers to
guess transaction IDs.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-52616]
[https://github.com/avahi/avahi/security/advisories/GHSA-r9j3-vjjh-p8vm]
Upstream patches:
[f8710bdc8b]
(From OE-Core rev: 7708d0c346b23ab3e687e2a2ca464d77d55cebd7)
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation
Vulnerability. This vulnerability allows local attackers to execute
arbitrary code on affected installations of oFono. An attacker must
first obtain the ability to execute code on the target modem in
order to exploit this vulnerability.
The specific flaw exists within the parsing of SMS PDUs. The issue
results from the lack of proper validation of the length of user-
supplied data prior to copying it to a stack-based buffer. An
attacker can leverage this vulnerability to execute code in the
context of the service account. Was ZDI-CAN-23460.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-7547
Upstream patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0
(From OE-Core rev: 8c32d91b64ae296d7832ddeb42983f4f3c237946)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
Vulnerability. This vulnerability allows local attackers to execute
arbitrary code on affected installations of oFono. An attacker must
first obtain the ability to execute code on the target modem in
order to exploit this vulnerability.
The specific flaw exists within the parsing of STK command PDUs.
The issue results from the lack of proper validation of the length
of user-supplied data prior to copying it to a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of the service account. Was ZDI-CAN-23459.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-7546
Upstream patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63
(From OE-Core rev: 33b2a67b3134498e8c4845efddc7854b4d2315cd)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
Vulnerability. This vulnerability allows local attackers to execute
arbitrary code on affected installations of oFono. An attacker must
first obtain the ability to execute code on the target modem in
order to exploit this vulnerability.
The specific flaw exists within the parsing of STK command PDUs.
The issue results from the lack of proper validation of the length
of user-supplied data prior to copying it to a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of the service account. Was ZDI-CAN-23458.
Reeference:
https://security-tracker.debian.org/tracker/CVE-2024-7545
Upstream patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5
(From OE-Core rev: f062d2e4ad3d0a35a2dadda679632d5d213b8487)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
Vulnerability. This vulnerability allows local attackers to execute
arbitrary code on affected installations of oFono. An attacker must
first obtain the ability to execute code on the target modem in
order to exploit this vulnerability.
The specific flaw exists within the parsing of STK command PDUs.
The issue results from the lack of proper validation of the length
of user-supplied data prior to copying it to a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of the service account. Was ZDI-CAN-23457.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-7544
Upstream patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a
(From OE-Core rev: c4e7d6fad2ed96296bcea2b7d12b41e1354eafa8)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
Vulnerability. This vulnerability allows local attackers to execute
arbitrary code on affected installations of oFono. An attacker must
first obtain the ability to execute code on the target modem in
order to exploit this vulnerability.
The specific flaw exists within the parsing of STK command PDUs.
The issue results from the lack of proper validation of the length
of user-supplied data prior to copying it to a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of the service account. Was ZDI-CAN-23456.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-7543
Upstream patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7
(From OE-Core rev: 31ba25646b78d60923b1d897a43e37ef6f9edd51)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability.
This vulnerability allows local attackers to execute arbitrary code
on affected installations of oFono. An attacker must first obtain
the ability to execute code on the target modem in order to exploit
this vulnerability.
The specific flaw exists within the parsing of responses from AT+CUSD
commands. The issue results from the lack of proper validation of the
length of user-supplied data prior to copying it to a stack-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of root. Was ZDI-CAN-23195.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-7539
Upstream Patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc
(From OE-Core rev: b1626a0df6911172adafa85a99d36486eb7e2c62)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick patch from branch openssl-3.0.
(From OE-Core rev: 75e1dedf85ac093fc43eb88a59bfe980bb363bf9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Picked patches according to
http://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt
First patch is style commit picked to have a clean cherry-pick of all
mentioned commits without any conflict.
Patch CVE-2024-3596_07.patch has hostapd code removed as it is not
present in wpa-supplicant download tarball.
(From OE-Core rev: 6f65fd4d98b5a5dcd410b2dcfeb2e6f229c3b973)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
NVD CVE report [1] links Ubuntu bug [2] which has a very good
description/discussion about this issue.
It applies only to distros patching wpa-supplicant to allow non-root
users (e.g. via netdev group) to load modules.
This is not the case of Yocto.
Quote:
So upstream isn't vulnerable as they only expose the dbus interface to
root. Downstreams like Ubuntu and Chromium added a patch that grants
access to the netdev group. The patch is the problem, not the upstream
code IMHO.
There is also a commit [3] associated with this CVE, however that only
provides build-time configuration to limit paths which can be accessed
but it acts only as a mitigation for distros which allow non-root users
to load crafted modules.
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290
[2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613
[3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747
(From OE-Core rev: 603047ab3c85009c384793cdbdd8e6ae1aebd737)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Updated SRC_URI link and format due to change in openssl website.
CVE's Fixed by upgrade:
CVE-2024-5535: Fixed possible buffer overread in SSL_select_next_proto().
CVE-2024-6119: Fixed possible denial of service in X.509 name checks
- Removed backports of CVE-2024-5535 as it is already fixed.
Detailed Information:
https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-3014-and-3015-3-sep-2024
(From OE-Core rev: 299118bf8e50055de28139b23781f2d34eb6eae0)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
PEAP client: Update Phase 2 authentication requirements. Also see
https://www.top10vpn.com/research/wifi-vulnerabilities/
Patch is copied from scarthgap, the recipes differ too much for
cherry-pick even if they have the same version.
(From OE-Core rev: 5e1283f0afeaf0d0aa5e1c96fc571f69897e1ca8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
Race condition resulting in potential remote code execution.
A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems.
This attack could be prevented by disabling the login grace timeout (LoginGraceTime=0 in sshd_config)
though this makes denial-of service against sshd(8) considerably easier.
For more information, please refer to the release notes [1] and the
report from the Qualys Security Advisory Team [2] who discovered the bug.
[1] https://www.openssh.com/txt/release-9.8
[2] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
References:
https://www.openssh.com/security.html
(From OE-Core rev: ddb998d16fd869acb00a1cd8038ada20fd32aa8b)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
v2: include the missing cve tag: CVE: CVE-2024-6387
v3: add the Signed-off-by on the CVE-2024-6387.patch
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE's Fixed by upgrade:
CVE-2024-4741: Fixed potential use after free after SSL_free_buffers() is called
CVE-2024-4603: Fixed an issue where checking excessively long DSA keys or parameters may be very slow
CVE-2024-2511: Fixed unbounded memory growth with session handling in TLSv1.3
Removed backports of CVE-2024-2511 and CVE-2024-4603 as they are already
fixed.
Detailed Information:
https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-3013-and-3014-4-jun-2024
(From OE-Core rev: 8f51bac2a05747ea186e928eda2358f2e6295883)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46
(From OE-Core rev: 601b81350c0f8487439885a576c4d7d883619a6d)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
ppp package has "RSA Data Security" license text
in Message-Digest Algorithm source file md5.c and md4.c
Add RSA-MD in LICENSE field for ppp package
(From OE-Core rev: 24fd9b6756728a0337100f53a1c6e92aba092f9d)
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug
is triggered within the sms_decode_address_field() function during the SMS
PDU decoding. It is assumed that the attack scenario is accessible from a compromised
modem, a malicious base station, or just SMS.
(From OE-Core rev: 996c03dfb5295ec38286dee37c70c700b88e0a1e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug
is triggered within the decode_submit_report() function during the SMS decoding.
It is assumed that the attack scenario is accessible from a compromised modem,
a malicious base station, or just SMS. There is a bound check for this memcpy
length in decode_submit(), but it was forgotten in decode_submit_report().
(From OE-Core rev: 51cf006ac7b5b97e65864fb1cb6f5b47192c4ebf)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add CVE-2023-51767 to CVE_CHECK_IGNORE to avoid in cve-check reports
as upstream does not consider CVE-2023-51767 a bug underlying in
OpenSSH and does not intent to address it in OpenSSH.
(From OE-Core rev: de4186610335201c69d8952d605bb291f4a7427c)
Signed-off-by: Sana Kazi <sana.kazi@kpit.com>
Signed-off-by: Sana Kazi <sana.kazisk19@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or
host name has shell metacharacters, and this name is referenced by an expansion
token in certain situations. For example, an untrusted Git repository can have a
submodule with shell metacharacters in a user name or host name.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-51385
Upstream patches:
7ef3787c84
(From OE-Core rev: 617640bd045f07b0870dc9f3bc838b3a9fbc3de7)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ssh-agent in OpenSSH before 9.6, certain destination constraints can be
incompletely applied. When destination constraints are specified during
addition of PKCS#11-hosted private keys, these constraints are only applied
to the first key, even if a PKCS#11 token returns multiple keys.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-51384
Upstream patches:
881d9c6af9
(From OE-Core rev: 7a745dd1aa13fbf110cc4d86ddbc86617975d6ad)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The tests don't actually need sudo on core-image-ptest-openssh.
Based on logs seen in
https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 it seems
that socket errors from sudo are creeping into stderr which are failing
the banner ptest from openssh. Removing sudo should help removing
the stderr messages and possibly cure the banner test failures.
(From OE-Core rev: 47e754f483b674b207bfddcc8d4c5d9a3008e102)
(From OE-Core rev: bce20153973ceff3ac9fc98b30e726aa6698d8ee)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role
HID Device to initiate and establish an encrypted connection, and accept HID
keyboard reports,potentially permitting injection of HID messages when no user
interaction has occurred in the Central role to authorize such access. An example
affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases,
a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45866
Upstream patches:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
(From OE-Core rev: f03cb448574a730d85ed6d80bb58561674005ede)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
