[OE-core] [PATCH 1/2] iptables: upgrade 1.8.2 -> 1.8.3

Anuj Mittal anuj.mittal at intel.com
Mon Jul 22 00:22:56 UTC 2019


Remove upstreamed patches and manually package symlinks which aren't
handled by do_split_package.

Changelog:
http://git.netfilter.org/iptables/log/?qt=range&q=v1.8.3...v1.8.2

Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
---
 ...format-security-fixes-in-libipt_icmp.patch |  61 ---------
 .../iptables/iptables/CVE-2019-11360.patch    | 117 ------------------
 .../{iptables_1.8.2.bb => iptables_1.8.3.bb}  |  13 +-
 3 files changed, 9 insertions(+), 182 deletions(-)
 delete mode 100644 meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
 delete mode 100644 meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
 rename meta/recipes-extended/iptables/{iptables_1.8.2.bb => iptables_1.8.3.bb} (84%)

diff --git a/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch b/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
deleted file mode 100644
index e26594d19b..0000000000
--- a/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg at pld-linux.org>
-Date: Wed, 14 Nov 2018 07:35:28 +0100
-Subject: extensions: format-security fixes in libip[6]t_icmp
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-introduced support for gcc feature to check format string against passed
-argument.  This commit adds missing bits to extenstions's libipt_icmp.c
-and libip6t_icmp6.c that were causing build to fail.
-
-Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-Signed-off-by: Adam Gołębiowski <adamg at pld-linux.org>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-
-Upstream-Status: Backport
----
- extensions/libip6t_icmp6.c | 4 ++--
- extensions/libipt_icmp.c   | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
-index 45a71875..cc7bfaeb 100644
---- a/extensions/libip6t_icmp6.c
-+++ b/extensions/libip6t_icmp6.c
-@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- 	type_name = icmp6_type_xlate(icmptype);
- 
- 	if (type_name) {
--		xt_xlate_add(xl, type_name);
-+		xt_xlate_add(xl, "%s", type_name);
- 	} else {
- 		for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
- 			if (icmpv6_codes[i].type == icmptype &&
-@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- 				break;
- 
- 		if (i != ARRAY_SIZE(icmpv6_codes))
--			xt_xlate_add(xl, icmpv6_codes[i].name);
-+			xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
- 		else
- 			return 0;
- 	}
-diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
-index 54189976..e76257c5 100644
---- a/extensions/libipt_icmp.c
-+++ b/extensions/libipt_icmp.c
-@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- 			if (icmp_codes[i].type == icmptype &&
- 			    icmp_codes[i].code_min == code_min &&
- 			    icmp_codes[i].code_max == code_max) {
--				xt_xlate_add(xl, icmp_codes[i].name);
-+				xt_xlate_add(xl, "%s", icmp_codes[i].name);
- 				return 1;
- 			}
- 	}
--- 
-cgit v1.2.1
-
diff --git a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
deleted file mode 100644
index f67164fbcc..0000000000
--- a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 2ae1099a42e6a0f06de305ca13a842ac83d4683e Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo at netfilter.org>
-Date: Mon, 22 Apr 2019 23:17:27 +0200
-Subject: [PATCH] xshared: check for maximum buffer length in
- add_param_to_argv()
-
-Bail out if we go over the boundary, based on patch from Sebastian.
-
-Reported-by: Sebastian Neef <contact at 0day.work>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-
-Upstream-Status: Backport
-CVE: CVE-2019-11360
-Signed-off-by: Li Zhou <li.zhou at windriver.com>
----
- iptables/xshared.c | 46 ++++++++++++++++++++++++++++------------------
- 1 file changed, 28 insertions(+), 18 deletions(-)
-
-diff --git a/iptables/xshared.c b/iptables/xshared.c
-index fb186fb1..36a2ec5f 100644
---- a/iptables/xshared.c
-+++ b/iptables/xshared.c
-@@ -433,10 +433,24 @@ void save_argv(void)
- 	}
- }
- 
-+struct xt_param_buf {
-+	char	buffer[1024];
-+	int 	len;
-+};
-+
-+static void add_param(struct xt_param_buf *param, const char *curchar)
-+{
-+	param->buffer[param->len++] = *curchar;
-+	if (param->len >= sizeof(param->buffer))
-+		xtables_error(PARAMETER_PROBLEM,
-+			      "Parameter too long!");
-+}
-+
- void add_param_to_argv(char *parsestart, int line)
- {
--	int quote_open = 0, escaped = 0, param_len = 0;
--	char param_buffer[1024], *curchar;
-+	int quote_open = 0, escaped = 0;
-+	struct xt_param_buf param = {};
-+	char *curchar;
- 
- 	/* After fighting with strtok enough, here's now
- 	 * a 'real' parser. According to Rusty I'm now no
-@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
- 	for (curchar = parsestart; *curchar; curchar++) {
- 		if (quote_open) {
- 			if (escaped) {
--				param_buffer[param_len++] = *curchar;
-+				add_param(&param, curchar);
- 				escaped = 0;
- 				continue;
- 			} else if (*curchar == '\\') {
-@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
- 				quote_open = 0;
- 				*curchar = '"';
- 			} else {
--				param_buffer[param_len++] = *curchar;
-+				add_param(&param, curchar);
- 				continue;
- 			}
- 		} else {
-@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
- 		case ' ':
- 		case '\t':
- 		case '\n':
--			if (!param_len) {
-+			if (!param.len) {
- 				/* two spaces? */
- 				continue;
- 			}
- 			break;
- 		default:
- 			/* regular character, copy to buffer */
--			param_buffer[param_len++] = *curchar;
--
--			if (param_len >= sizeof(param_buffer))
--				xtables_error(PARAMETER_PROBLEM,
--					      "Parameter too long!");
-+			add_param(&param, curchar);
- 			continue;
- 		}
- 
--		param_buffer[param_len] = '\0';
-+		param.buffer[param.len] = '\0';
- 
- 		/* check if table name specified */
--		if ((param_buffer[0] == '-' &&
--		     param_buffer[1] != '-' &&
--		     strchr(param_buffer, 't')) ||
--		    (!strncmp(param_buffer, "--t", 3) &&
--		     !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
-+		if ((param.buffer[0] == '-' &&
-+		     param.buffer[1] != '-' &&
-+		     strchr(param.buffer, 't')) ||
-+		    (!strncmp(param.buffer, "--t", 3) &&
-+		     !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
- 			xtables_error(PARAMETER_PROBLEM,
- 				      "The -t option (seen in line %u) cannot be used in %s.\n",
- 				      line, xt_params->program_name);
- 		}
- 
--		add_argv(param_buffer, 0);
--		param_len = 0;
-+		add_argv(param.buffer, 0);
-+		param.len = 0;
- 	}
- }
- 
--- 
-2.17.1
-
diff --git a/meta/recipes-extended/iptables/iptables_1.8.2.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb
similarity index 84%
rename from meta/recipes-extended/iptables/iptables_1.8.2.bb
rename to meta/recipes-extended/iptables/iptables_1.8.3.bb
index 8d8483d95c..6ac3fc60c5 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.2.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -10,12 +10,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
            file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
            file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
-           file://0003-extensions-format-security-fixes-in-libipt_icmp.patch  \
-           file://CVE-2019-11360.patch \
 "
 
-SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599"
-SRC_URI[sha256sum] = "a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af"
+SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
+SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
 
 inherit autotools pkgconfig
 
@@ -49,6 +47,13 @@ python populate_packages_prepend() {
 
 FILES_${PN} += "${datadir}/xtables"
 
+# Include the symlinks as well in respective packages
+FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
+FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
+
+INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
+INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
+
 ALLOW_EMPTY_${PN}-modules = "1"
 
 RDEPENDS_${PN} = "${PN}-module-xt-standard"
-- 
2.20.1



More information about the Openembedded-core mailing list