Patch OSS vulnerabilities

README.rst

@@ -27,8 +27,8 @@ The repository consists mostly of externally hosted subrepositories:
 +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
 | `opus <https://github.com/xiph/opus>`_                                       | `1.4 <https://github.com/xiph/opus/releases/tag/v1.4>`_                                                           | `BSD-3 license <https://github.com/xiph/opus/blob/master/COPYING>`_                                                 |
 +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
-| `FFmpeg <https://github.com/FFmpeg/FFmpeg>`_                                 | `7.0.1 <https://github.com/FFmpeg/FFmpeg/releases/tag/n7.0.1>`_                                                   | `LGPL v2.1 license <https://github.com/FFmpeg/FFmpeg/blob/master/LICENSE.md>`_                                      |
-|                                                                              | `(Source Snapshot) <https://developer.download.nvidia.com/compute/redist/nvidia-dali/FFmpeg-n7.0.1.tar.gz>`_      |                                                                                                                     |
+| `FFmpeg <https://github.com/FFmpeg/FFmpeg>`_                                 | `7.0.2 <https://github.com/FFmpeg/FFmpeg/releases/tag/n7.0.2>`_                                                   | `LGPL v2.1 license <https://github.com/FFmpeg/FFmpeg/blob/master/LICENSE.md>`_                                      |
+|                                                                              | `(Source Snapshot) <https://developer.download.nvidia.com/compute/redist/nvidia-dali/FFmpeg-n7.0.2.tar.gz>`_      |                                                                                                                     |
 +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
 | `OpenCV <https://github.com/opencv/opencv/>`_                                | `4.10.0 <https://github.com/opencv/opencv/releases/tag/4.10.0>`_                                                  | `Apache License 2.0 <https://github.com/opencv/opencv/blob/master/LICENSE>`_                                        |
 +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
@@ -50,7 +50,7 @@ The repository consists mostly of externally hosted subrepositories:
 +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
 | `cfitsio <https://github.com/healpy/cfitsio.git>`_                           | `4.1.0 <https://github.com/healpy/cfitsio/commit/316e95008492b597b3cbcf84168df22996fe2b6f>`_                      | `MIT-like license (NASA) <https://github.com/healpy/cfitsio/blob/master/License.txt>`_                              |
 +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
-| `curl <https://github.com/curl/curl.git>`_                                   | `8.8.0 <https://github.com/curl/curl/releases/tag/curl-8_8_0>`_                                                   | `CURL license <https://github.com/curl/curl/blob/master/LICENSES/curl.txt>`_                                        |
+| `curl <https://github.com/curl/curl.git>`_                                   | `8.9.1 <https://github.com/curl/curl/releases/tag/curl-8_9_1>`_                                                   | `CURL license <https://github.com/curl/curl/blob/master/LICENSES/curl.txt>`_                                        |
 +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+
 | `OpenSSL <https://github.com/openssl/openssl.git>`_                          | `3.3.1 <https://github.com/openssl/openssl/tree/openssl-3.3.1>`_                                                  | `Apache 2.0 license <https://github.com/openssl/openssl/blob/master/LICENSE.txt>`_                                  |
 +------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------+

build_scripts/build_aws-sdk-cpp.sh

@@ -42,6 +42,7 @@ echo "set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC")" >> ${TOOLCHAIN_FILE}
 
 # Build and install static OpenSSL libs to a temporary dir
 pushd ${ROOT_DIR}/third_party/openssl
+patch -p1 < ${ROOT_DIR}/patches/openssl/openssl-CVE-2024-5535.patch
 
 CFLAGS="$CFLAGS -fPIC -Wa,--noexecstack"
 declare -a OPTS

build_scripts/build_libtiff.sh

@@ -20,6 +20,7 @@ patch -p1 < ${ROOT_DIR}/patches/0001-Fix-wget-complaing-about-expired-git.savann
 patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2023-6228.patch
 patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2023-6277.patch
 patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2023-52356.patch
+patch -p1 < ${ROOT_DIR}/patches/libtiff-CVE-2024-7006.patch
 
 mkdir -p build
 cd build

patches/libtiff-CVE-2024-7006.patch

@@ -0,0 +1,61 @@
+From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
+From: Su_Laus <[email protected]>
+Date: Fri, 1 Dec 2023 20:12:25 +0100
+Subject: [PATCH] Check return value of _TIFFCreateAnonField().
+
+Fixes #624
+---
+ libtiff/tif_dirinfo.c |  2 +-
+ libtiff/tif_dirread.c | 16 ++++++----------
+ 2 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index bff7592a..2338ca21 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
+     if (fld == NULL)
+     {
+         fld = _TIFFCreateAnonField(tif, tag, dt);
+-        if (!_TIFFMergeFields(tif, fld, 1))
++        if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+             return NULL;
+     }
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index c7969414..242912f3 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4278,11 +4278,9 @@ int TIFFReadDirectory(TIFF *tif)
+                                 dp->tdir_tag, dp->tdir_tag);
+                 /* the following knowingly leaks the
+                    anonymous field structure */
+-                if (!_TIFFMergeFields(
+-                        tif,
+-                        _TIFFCreateAnonField(tif, dp->tdir_tag,
+-                                             (TIFFDataType)dp->tdir_type),
+-                        1))
++                const TIFFField *fld = _TIFFCreateAnonField(
++                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+                 {
+                     TIFFWarningExtR(
+                         tif, module,
+@@ -5156,11 +5154,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
+                             "Unknown field with tag %" PRIu16 " (0x%" PRIx16
+                             ") encountered",
+                             dp->tdir_tag, dp->tdir_tag);
+-            if (!_TIFFMergeFields(
+-                    tif,
+-                    _TIFFCreateAnonField(tif, dp->tdir_tag,
+-                                         (TIFFDataType)dp->tdir_type),
+-                    1))
++            const TIFFField *fld = _TIFFCreateAnonField(
++                tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
++            if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+             {
+                 TIFFWarningExtR(tif, module,
+                                 "Registering anonymous field with tag %" PRIu16
+-- 
+2.25.1
+

patches/openssl/openssl-CVE-2024-5535.patch

@@ -0,0 +1,111 @@
+From e86ac436f0bd54d4517745483e2315650fae7b2c Mon Sep 17 00:00:00 2001
+From: Matt Caswell <[email protected]>
+Date: Fri, 31 May 2024 11:14:33 +0100
+Subject: [PATCH] Fix SSL_select_next_proto
+
+Ensure that the provided client list is non-NULL and starts with a valid
+entry. When called from the ALPN callback the client list should already
+have been validated by OpenSSL so this should not cause a problem. When
+called from the NPN callback the client list is locally configured and
+will not have already been validated. Therefore SSL_select_next_proto
+should not assume that it is correctly formatted.
+
+We implement stricter checking of the client protocol list. We also do the
+same for the server list while we are about it.
+
+CVE-2024-5535
+
+Reviewed-by: Tomas Mraz <[email protected]>
+Reviewed-by: Neil Horman <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/24716)
+
+(cherry picked from commit 2ebbe2d7ca8551c4cb5fbb391ab9af411708090e)
+---
+ ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 5ec6ac4b63..4c20ac4bf1 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -3530,37 +3530,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+                           unsigned int server_len,
+                           const unsigned char *client, unsigned int client_len)
+ {
+-    unsigned int i, j;
+-    const unsigned char *result;
+-    int status = OPENSSL_NPN_UNSUPPORTED;
++    PACKET cpkt, csubpkt, spkt, ssubpkt;
++
++    if (!PACKET_buf_init(&cpkt, client, client_len)
++            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++            || PACKET_remaining(&csubpkt) == 0) {
++        *out = NULL;
++        *outlen = 0;
++        return OPENSSL_NPN_NO_OVERLAP;
++    }
++
++    /*
++     * Set the default opportunistic protocol. Will be overwritten if we find
++     * a match.
++     */
++    *out = (unsigned char *)PACKET_data(&csubpkt);
++    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+
+     /*
+      * For each protocol in server preference order, see if we support it.
+      */
+-    for (i = 0; i < server_len;) {
+-        for (j = 0; j < client_len;) {
+-            if (server[i] == client[j] &&
+-                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+-                /* We found a match */
+-                result = &server[i];
+-                status = OPENSSL_NPN_NEGOTIATED;
+-                goto found;
++    if (PACKET_buf_init(&spkt, server, server_len)) {
++        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++            if (PACKET_remaining(&ssubpkt) == 0)
++                continue; /* Invalid - ignore it */
++            if (PACKET_buf_init(&cpkt, client, client_len)) {
++                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++                                     PACKET_remaining(&ssubpkt))) {
++                        /* We found a match */
++                        *out = (unsigned char *)PACKET_data(&ssubpkt);
++                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++                        return OPENSSL_NPN_NEGOTIATED;
++                    }
++                }
++                /* Ignore spurious trailing bytes in the client list */
++            } else {
++                /* This should never happen */
++                return OPENSSL_NPN_NO_OVERLAP;
+             }
+-            j += client[j];
+-            j++;
+         }
+-        i += server[i];
+-        i++;
++        /* Ignore spurious trailing bytes in the server list */
+     }
+
+-    /* There's no overlap between our protocols and the server's list. */
+-    result = client;
+-    status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+-    *out = (unsigned char *)result + 1;
+-    *outlen = result[0];
+-    return status;
++    /*
++     * There's no overlap between our protocols and the server's list. We use
++     * the default opportunistic protocol selected earlier
++     */
++    return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ #ifndef OPENSSL_NO_NEXTPROTONEG
+-- 
+2.25.1
+