

Patch OSS vulnerabilities (#119)
* Patch openssl for CVE-2024-5535
* Patch libtiff for CVE-2024-7006
* Update FFmpeg 7.0.1 -> 7.0.2
* Update curl 8.8.0 -> 8.9.1
---------

Signed-off-by: Kamil Tokarski <[email protected]>
stiepan authored Aug 30, 2024
1 parent b172614 commit 6d93550
Showing 7 changed files with 179 additions and 5 deletions.
6 changes: 3 additions & 3 deletions README.rst
Expand Up @@ -27,8 +27,8 @@ The repository consists mostly of externally hosted subrepositories:
+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
| `opus <https://github.com/xiph/opus>`_ | `1.4 <https://github.com/xiph/opus/releases/tag/v1.4>`_ | `BSD-3 license <https://github.com/xiph/opus/blob/master/COPYING>`_ |
+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
| `FFmpeg <https://github.com/FFmpeg/FFmpeg>`_ | `7.0.1 <https://github.com/FFmpeg/FFmpeg/releases/tag/n7.0.1>`_ | `LGPL v2.1 license <https://github.com/FFmpeg/FFmpeg/blob/master/LICENSE.md>`_ |
| | `(Source Snapshot) <https://developer.download.nvidia.com/compute/redist/nvidia-dali/FFmpeg-n7.0.1.tar.gz>`_ | |
| `FFmpeg <https://github.com/FFmpeg/FFmpeg>`_ | `7.0.2 <https://github.com/FFmpeg/FFmpeg/releases/tag/n7.0.2>`_ | `LGPL v2.1 license <https://github.com/FFmpeg/FFmpeg/blob/master/LICENSE.md>`_ |
| | `(Source Snapshot) <https://developer.download.nvidia.com/compute/redist/nvidia-dali/FFmpeg-n7.0.2.tar.gz>`_ | |
+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
| `OpenCV <https://github.com/opencv/opencv/>`_ | `4.10.0 <https://github.com/opencv/opencv/releases/tag/4.10.0>`_ | `Apache License 2.0 <https://github.com/opencv/opencv/blob/master/LICENSE>`_ |
+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
Expand All @@ -50,7 +50,7 @@ The repository consists mostly of externally hosted subrepositories:
+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
| `cfitsio <https://github.com/healpy/cfitsio.git>`_ | `4.1.0 <https://github.com/healpy/cfitsio/commit/316e95008492b597b3cbcf84168df22996fe2b6f>`_ | `MIT-like license (NASA) <https://github.com/healpy/cfitsio/blob/master/License.txt>`_ |
+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
| `curl <https://github.com/curl/curl.git>`_ | `8.8.0 <https://github.com/curl/curl/releases/tag/curl-8_8_0>`_ | `CURL license <https://github.com/curl/curl/blob/master/LICENSES/curl.txt>`_ |
| `curl <https://github.com/curl/curl.git>`_ | `8.9.1 <https://github.com/curl/curl/releases/tag/curl-8_9_1>`_ | `CURL license <https://github.com/curl/curl/blob/master/LICENSES/curl.txt>`_ |
+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
| `OpenSSL <https://github.com/openssl/openssl.git>`_ | `3.3.1 <https://github.com/openssl/openssl/tree/openssl-3.3.1>`_ | `Apache 2.0 license <https://github.com/openssl/openssl/blob/master/LICENSE.txt>`_ |
+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
1 change: 1 addition & 0 deletions build_scripts/build_aws-sdk-cpp.sh
Expand Up @@ -42,6 +42,7 @@ echo "set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC")" >> ${TOOLCHAIN_FILE}

# Build and install static OpenSSL libs to a temporary dir
pushd ${ROOT_DIR}/third_party/openssl
patch -p1 < ${ROOT_DIR}/patches/openssl/openssl-CVE-2024-5535.patch

CFLAGS="$CFLAGS -fPIC -Wa,--noexecstack"
declare -a OPTS
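Review bot: The exit status of the `patch` call added at the top of this hunk is not checked, so if the patch fails to apply — for instance on a re-run of the script where the submodule checkout already carries the change and `patch` reports a reversed or previously applied patch — the build continues with whatever is in third_party/openssl and the CVE-2024-5535 fix may be silently missing. Unless `set -e` is enabled above the hunk (the start of the script is outside this view), the line should fail the build explicitly, e.g. `patch -p1 < ${ROOT_DIR}/patches/openssl/openssl-CVE-2024-5535.patch || exit 1`. The same applies to the `patch` line added in build_libtiff.sh, which follows the existing unchecked pattern in that script. A comment naming the upstream commit the patch is cherry-picked from, e.g. `# OpenSSL 3.3.1 + upstream e86ac436f0 (CVE-2024-5535); drop when the submodule is bumped past it`, would also help whoever next updates the submodule decide when the patch can be retired.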
1 change: 1 addition & 0 deletions build_scripts/build_libtiff.sh
Expand Up @@ -20,6 +20,7 @@ patch -p1 < ${ROOT_DIR}/patches/0001-Fix-wget-complaing-about-expired-git.savann
patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2023-6228.patch
patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2023-6277.patch
patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2023-52356.patch
patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2024-7006.patch

mkdir -p build
cd build
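--- a/patches/libtiff-CVE-2024-7006.patch
+++ b/patches/libtiff-CVE-2024-7006.patch
@@ -0,0 +1,61 @@
+From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
+From: Su_Laus <[email protected]>
+Date: Fri, 1 Dec 2023 20:12:25 +0100
+Subject: [PATCH] Check return value of _TIFFCreateAnonField().
+
+Fixes #624
+---
+libtiff/tif_dirinfo.c | 2 +-
+libtiff/tif_dirread.c | 16 ++++++----------
+2 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index bff7592a..2338ca21 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
+if (fld == NULL)
+{
+fld = _TIFFCreateAnonField(tif, tag, dt);
+- if (!_TIFFMergeFields(tif, fld, 1))
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+return NULL;
+}
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index c7969414..242912f3 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4278,11 +4278,9 @@ int TIFFReadDirectory(TIFF *tif)
+dp->tdir_tag, dp->tdir_tag);
+/* the following knowingly leaks the
+anonymous field structure */
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+{
+TIFFWarningExtR(
+tif, module,
+@@ -5156,11 +5154,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
+"Unknown field with tag %" PRIu16 " (0x%" PRIx16
+") encountered",
+dp->tdir_tag, dp->tdir_tag);
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+{
+TIFFWarningExtR(tif, module,
+"Registering anonymous field with tag %" PRIu16
+--
+2.25.1
+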
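--- a/patches/openssl/openssl-CVE-2024-5535.patch
+++ b/patches/openssl/openssl-CVE-2024-5535.patch
@@ -0,0 +1,111 @@
+From e86ac436f0bd54d4517745483e2315650fae7b2c Mon Sep 17 00:00:00 2001
+From: Matt Caswell <[email protected]>
+Date: Fri, 31 May 2024 11:14:33 +0100
+Subject: [PATCH] Fix SSL_select_next_proto
+
+Ensure that the provided client list is non-NULL and starts with a valid
+entry. When called from the ALPN callback the client list should already
+have been validated by OpenSSL so this should not cause a problem. When
+called from the NPN callback the client list is locally configured and
+will not have already been validated. Therefore SSL_select_next_proto
+should not assume that it is correctly formatted.
+
+We implement stricter checking of the client protocol list. We also do the
+same for the server list while we are about it.
+
+CVE-2024-5535
+
+Reviewed-by: Tomas Mraz <[email protected]>
+Reviewed-by: Neil Horman <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/24716)
+
+(cherry picked from commit 2ebbe2d7ca8551c4cb5fbb391ab9af411708090e)
+---
+ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
+1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 5ec6ac4b63..4c20ac4bf1 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -3530,37 +3530,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+unsigned int server_len,
+const unsigned char *client, unsigned int client_len)
+{
+- unsigned int i, j;
+- const unsigned char *result;
+- int status = OPENSSL_NPN_UNSUPPORTED;
++ PACKET cpkt, csubpkt, spkt, ssubpkt;
++
++ if (!PACKET_buf_init(&cpkt, client, client_len)
++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++ || PACKET_remaining(&csubpkt) == 0) {
++ *out = NULL;
++ *outlen = 0;
++ return OPENSSL_NPN_NO_OVERLAP;
++ }
++
++ /*
++ * Set the default opportunistic protocol. Will be overwritten if we find
++ * a match.
++ */
++ *out = (unsigned char *)PACKET_data(&csubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+
+/*
+* For each protocol in server preference order, see if we support it.
+*/
+- for (i = 0; i < server_len;) {
+- for (j = 0; j < client_len;) {
+- if (server[i] == client[j] &&
+- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+- /* We found a match */
+- result = &server[i];
+- status = OPENSSL_NPN_NEGOTIATED;
+- goto found;
++ if (PACKET_buf_init(&spkt, server, server_len)) {
++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++ if (PACKET_remaining(&ssubpkt) == 0)
++ continue; /* Invalid - ignore it */
++ if (PACKET_buf_init(&cpkt, client, client_len)) {
++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++ PACKET_remaining(&ssubpkt))) {
++ /* We found a match */
++ *out = (unsigned char *)PACKET_data(&ssubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++ return OPENSSL_NPN_NEGOTIATED;
++ }
++ }
++ /* Ignore spurious trailing bytes in the client list */
++ } else {
++ /* This should never happen */
++ return OPENSSL_NPN_NO_OVERLAP;
+}
+- j += client[j];
+- j++;
+}
+- i += server[i];
+- i++;
++ /* Ignore spurious trailing bytes in the server list */
+}
+
+- /* There's no overlap between our protocols and the server's list. */
+- result = client;
+- status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+- *out = (unsigned char *)result + 1;
+- *outlen = result[0];
+- return status;
++ /*
++ * There's no overlap between our protocols and the server's list. We use
++ * the default opportunistic protocol selected earlier
++ */
++ return OPENSSL_NPN_NO_OVERLAP;
+}
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+--
+2.25.1
+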
2 changes: 1 addition & 1 deletion third_party/FFmpeg
Submodule FFmpeg updated 182 files
2 changes: 1 addition & 1 deletion third_party/curl
Submodule curl updated 1388 files
