diff --git a/README.rst b/README.rst index 9a6dbe1..aebc132 100644 --- a/README.rst +++ b/README.rst @@ -27,8 +27,8 @@ The repository consists mostly of externally hosted subrepositories: +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+ | `opus `_ | `1.4 `_ | `BSD-3 license `_ | +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+ -| `FFmpeg `_ | `7.0.1 `_ | `LGPL v2.1 license `_ | -| | `(Source Snapshot) `_ | | +| `FFmpeg `_ | `7.0.2 `_ | `LGPL v2.1 license `_ | +| | `(Source Snapshot) `_ | | +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+ | `OpenCV `_ | `4.10.0 `_ | `Apache License 2.0 `_ | +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+ 
@@ -50,7 +50,7 @@ The repository consists mostly of externally hosted subrepositories: +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+ | `cfitsio `_ | `4.1.0 `_ | `MIT-like license (NASA) `_ | +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+ -| `curl `_ | `8.8.0 `_ | `CURL license `_ | +| `curl `_ | `8.9.1 `_ | `CURL license `_ | +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+ | `OpenSSL `_ | `3.3.1 `_ | `Apache 2.0 license `_ | +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+ diff --git a/build_scripts/build_aws-sdk-cpp.sh b/build_scripts/build_aws-sdk-cpp.sh index c8fad41..a238643 100755 --- a/build_scripts/build_aws-sdk-cpp.sh +++ b/build_scripts/build_aws-sdk-cpp.sh 
@@ -42,6 +42,7 @@ echo "set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC")" >> ${TOOLCHAIN_FILE} # Build and install static OpenSSL libs to a temporary dir pushd ${ROOT_DIR}/third_party/openssl +patch -p1 < ${ROOT_DIR}/patches/openssl/openssl-CVE-2024-5535.patch CFLAGS="$CFLAGS -fPIC -Wa,--noexecstack" declare -a OPTS diff --git a/build_scripts/build_libtiff.sh b/build_scripts/build_libtiff.sh index 57b8d99..c91ba16 100755 --- a/build_scripts/build_libtiff.sh +++ b/build_scripts/build_libtiff.sh @@ -20,6 +20,7 @@ patch -p1 < ${ROOT_DIR}/patches/0001-Fix-wget-complaing-about-expired-git.savann patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2023-6228.patch patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2023-6277.patch patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2023-52356.patch +patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2024-7006.patch mkdir -p build cd build diff --git a/patches/libtiff-CVE-2024-7006.patch b/patches/libtiff-CVE-2024-7006.patch new file mode 100644 index 0000000..fc39ed1 --- /dev/null +++ b/patches/libtiff-CVE-2024-7006.patch 
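Review bot: The added `patch -p1 < ${ROOT_DIR}/patches/openssl/openssl-CVE-2024-5535.patch` in build_aws-sdk-cpp.sh has no failure check in the hunk, so if the patch stops applying after a later submodule bump, the build may continue and ship an OpenSSL that still carries CVE-2024-5535. The same applies to the new `libtiff-CVE-2024-7006.patch` line in build_libtiff.sh. Both scripts continue outside their hunks and whether they run under `set -e` is not visible, so I would make the stop explicit and quote the path: `patch -p1 < "${ROOT_DIR}/patches/openssl/openssl-CVE-2024-5535.patch" || exit 1`. The OpenSSL fix is also wired only into the aws-sdk-cpp script and modifies the third_party/openssl working tree in place. If any other script builds from that submodule (not visible in this diff), whether it gets the fix depends on build order, and a second run on an already patched tree will presumably be rejected as previously applied.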
@@ -0,0 +1,61 @@
+From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
+From: Su_Laus
+Date: Fri, 1 Dec 2023 20:12:25 +0100
+Subject: [PATCH] Check return value of _TIFFCreateAnonField().
+
+Fixes #624
+---
+ libtiff/tif_dirinfo.c | 2 +-
+ libtiff/tif_dirread.c | 16 ++++++----------
+ 2 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index bff7592a..2338ca21 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
+ if (fld == NULL)
+ {
+ fld = _TIFFCreateAnonField(tif, tag, dt);
+- if (!_TIFFMergeFields(tif, fld, 1))
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ return NULL;
+ }
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index c7969414..242912f3 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4278,11 +4278,9 @@ int TIFFReadDirectory(TIFF *tif)
+ dp->tdir_tag, dp->tdir_tag);
+ /* the following knowingly leaks the
+ anonymous field structure */
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
+ TIFFWarningExtR(
+ tif, module,
+@@ -5156,11 +5154,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
+ "Unknown field with tag %" PRIu16 " (0x%" PRIx16
+ ") encountered",
+ dp->tdir_tag, dp->tdir_tag);
+- if (!_TIFFMergeFields(
+- tif,
+- _TIFFCreateAnonField(tif, dp->tdir_tag,
+- (TIFFDataType)dp->tdir_type),
+- 1))
++ const TIFFField *fld = _TIFFCreateAnonField(
++ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
+ TIFFWarningExtR(tif, module,
+ "Registering anonymous field with tag %" PRIu16
+--
+2.25.1
+
diff --git a/patches/openssl/openssl-CVE-2024-5535.patch b/patches/openssl/openssl-CVE-2024-5535.patch
new file mode 100644
index 0000000..1998687
--- /dev/null
+++ b/patches/openssl/openssl-CVE-2024-5535.patch
@@ -0,0 +1,111 @@
+From e86ac436f0bd54d4517745483e2315650fae7b2c Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 31 May 2024 11:14:33 +0100
+Subject: [PATCH] Fix SSL_select_next_proto
+
+Ensure that the provided client list is non-NULL and starts with a valid
+entry. When called from the ALPN callback the client list should already
+have been validated by OpenSSL so this should not cause a problem. When
+called from the NPN callback the client list is locally configured and
+will not have already been validated. Therefore SSL_select_next_proto
+should not assume that it is correctly formatted.
+
+We implement stricter checking of the client protocol list. We also do the
+same for the server list while we are about it.
+
+CVE-2024-5535
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Neil Horman
+(Merged from https://github.com/openssl/openssl/pull/24716)
+
+(cherry picked from commit 2ebbe2d7ca8551c4cb5fbb391ab9af411708090e)
+---
+ ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 5ec6ac4b63..4c20ac4bf1 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -3530,37 +3530,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+ unsigned int server_len,
+ const unsigned char *client, unsigned int client_len)
+ {
+- unsigned int i, j;
+- const unsigned char *result;
+- int status = OPENSSL_NPN_UNSUPPORTED;
++ PACKET cpkt, csubpkt, spkt, ssubpkt;
++
++ if (!PACKET_buf_init(&cpkt, client, client_len)
++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++ || PACKET_remaining(&csubpkt) == 0) {
++ *out = NULL;
++ *outlen = 0;
++ return OPENSSL_NPN_NO_OVERLAP;
++ }
++
++ /*
++ * Set the default opportunistic protocol. Will be overwritten if we find
++ * a match.
++ */
++ *out = (unsigned char *)PACKET_data(&csubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+
+ /*
+ * For each protocol in server preference order, see if we support it.
+ */
+- for (i = 0; i < server_len;) {
+- for (j = 0; j < client_len;) {
+- if (server[i] == client[j] &&
+- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+- /* We found a match */
+- result = &server[i];
+- status = OPENSSL_NPN_NEGOTIATED;
+- goto found;
++ if (PACKET_buf_init(&spkt, server, server_len)) {
++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++ if (PACKET_remaining(&ssubpkt) == 0)
++ continue; /* Invalid - ignore it */
++ if (PACKET_buf_init(&cpkt, client, client_len)) {
++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++ PACKET_remaining(&ssubpkt))) {
++ /* We found a match */
++ *out = (unsigned char *)PACKET_data(&ssubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++ return OPENSSL_NPN_NEGOTIATED;
++ }
++ }
++ /* Ignore spurious trailing bytes in the client list */
++ } else {
++ /* This should never happen */
++ return OPENSSL_NPN_NO_OVERLAP;
+ }
+- j += client[j];
+- j++;
+ }
+- i += server[i];
+- i++;
++ /* Ignore spurious trailing bytes in the server list */
+ }
+
+- /* There's no overlap between our protocols and the server's list. */
+- result = client;
+- status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+- *out = (unsigned char *)result + 1;
+- *outlen = result[0];
+- return status;
++ /*
++ * There's no overlap between our protocols and the server's list. We use
++ * the default opportunistic protocol selected earlier
++ */
++ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ #ifndef OPENSSL_NO_NEXTPROTONEG
+--
+2.25.1
+
diff --git a/third_party/FFmpeg b/third_party/FFmpeg
index af25a4b..e3a61e9 160000
--- a/third_party/FFmpeg
+++ b/third_party/FFmpeg
@@ -1 +1 @@
-Subproject commit af25a4bfd2503caf3ee485b27b99b620302f5718
+Subproject commit e3a61e91030696348b56361bdf80ea358aef4a19
diff --git a/third_party/curl b/third_party/curl
index fd567d4..83bedbd 160000
--- a/third_party/curl
+++ b/third_party/curl
@@ -1 +1 @@
-Subproject commit fd567d4f06857f4fc8e2f64ea727b1318f76ad33
+Subproject commit 83bedbd730d62b83744cc26fa0433d3f6e2e4cd6