[OE-core] ][PATCH] iptables: upgrade 1.6.2 -> 1.8.2

Changhyeok Bae Sat, 13 Apr 2019 12:22:34 -0700

To enable security flash, get the build error. To fix this,
0003-extensions-format-security-fixes-in-libipt_icmp.patch is required.


Signed-off-by: Changhyeok Bae <changhyeok....@gmail.com>
---
 ...ions-format-security-fixes-in-libipt_icmp.patch | 61 ++++++++++++++++++++++
 .../{iptables_1.6.2.bb => iptables_1.8.2.bb}       |  5 +-
 2 files changed, 64 insertions(+), 2 deletions(-)
 create mode 100644 
meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
 rename meta/recipes-extended/iptables/{iptables_1.6.2.bb => iptables_1.8.2.bb} 
(91%)

diff --git 
a/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
 
b/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
new file mode 100644
index 0000000..0029661
--- /dev/null
+++ 
b/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
@@ -0,0 +1,61 @@
+From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <ad...@pld-linux.org>
+Date: Wed, 14 Nov 2018 07:35:28 +0100
+Subject: extensions: format-security fixes in libip[6]t_icmp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
+introduced support for gcc feature to check format string against passed
+argument.  This commit adds missing bits to extenstions's libipt_icmp.c
+and libip6t_icmp6.c that were causing build to fail.
+
+Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
+Signed-off-by: Adam Go????biowski <ad...@pld-linux.org>
+Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
+
+Upstream-Status: Backporting
+---
+ extensions/libip6t_icmp6.c | 4 ++--
+ extensions/libipt_icmp.c   | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
+index 45a71875..cc7bfaeb 100644
+--- a/extensions/libip6t_icmp6.c
++++ b/extensions/libip6t_icmp6.c
+@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, 
unsigned int icmptype,
+       type_name = icmp6_type_xlate(icmptype);
+ 
+       if (type_name) {
+-              xt_xlate_add(xl, type_name);
++              xt_xlate_add(xl, "%s", type_name);
+       } else {
+               for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
+                       if (icmpv6_codes[i].type == icmptype &&
+@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, 
unsigned int icmptype,
+                               break;
+ 
+               if (i != ARRAY_SIZE(icmpv6_codes))
+-                      xt_xlate_add(xl, icmpv6_codes[i].name);
++                      xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
+               else
+                       return 0;
+       }
+diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
+index 54189976..e76257c5 100644
+--- a/extensions/libipt_icmp.c
++++ b/extensions/libipt_icmp.c
+@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, 
unsigned int icmptype,
+                       if (icmp_codes[i].type == icmptype &&
+                           icmp_codes[i].code_min == code_min &&
+                           icmp_codes[i].code_max == code_max) {
+-                              xt_xlate_add(xl, icmp_codes[i].name);
++                              xt_xlate_add(xl, "%s", icmp_codes[i].name);
+                               return 1;
+                       }
+       }
+-- 
+cgit v1.2.1
+
diff --git a/meta/recipes-extended/iptables/iptables_1.6.2.bb 
b/meta/recipes-extended/iptables/iptables_1.8.2.bb
similarity index 91%
rename from meta/recipes-extended/iptables/iptables_1.6.2.bb
rename to meta/recipes-extended/iptables/iptables_1.8.2.bb
index a57cac3..ad2c1a6 100644
--- a/meta/recipes-extended/iptables/iptables_1.6.2.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.2.bb
@@ -10,10 +10,11 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 
\
            
file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
            
file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
+           file://0003-extensions-format-security-fixes-in-libipt_icmp.patch  \
 "
 
-SRC_URI[md5sum] = "7d2b7847e4aa8832a18437b8a4c1873d"
-SRC_URI[sha256sum] = 
"55d02dfa46263343a401f297d44190f2a3e5113c8933946f094ed40237053733"
+SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599"
+SRC_URI[sha256sum] = 
"a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af"
 
 inherit autotools pkgconfig
 
-- 
2.7.4

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

[OE-core] ][PATCH] iptables: upgrade 1.6.2 -> 1.8.2

Reply via email to