Browse Source

Merge pull request #10975 from paulfertser/bump-openocd

openocd: update to current master, allow building without USB
lilik-openwrt-22.03
Mirko Vogt 5 years ago
committed by GitHub
parent
commit
d1cc51cd1a
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 101 deletions
  1. +31
    -9
      utils/openocd/Makefile
  2. +0
    -45
      utils/openocd/patches/100-bind-localhost-only.patch
  3. +0
    -47
      utils/openocd/patches/101-cve-2018-5704-css-fix.patch

+ 31
- 9
utils/openocd/Makefile View File

@ -8,14 +8,15 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=openocd
PKG_SOURCE_VERSION:=0.10.0
PKG_VERSION:=v$(PKG_SOURCE_VERSION)
PKG_RELEASE:=2
PKG_SOURCE_URL:=@SF/openocd
PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.bz2
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_SOURCE_VERSION)
PKG_HASH:=7312e7d680752ac088b8b8f2b5ba3ff0d30e0a78139531847be4b75c101316ae
PKG_SOURCE_VERSION:=v0.10.0-1000-gdb23c13d
PKG_VERSION:=$(PKG_SOURCE_VERSION)
PKG_RELEASE:=1
PKG_SOURCE_PROTO:=git
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE_URL:=git://git.code.sf.net/p/openocd/code
PKG_MIRROR_HASH:=6f8c0ecf240427654ad5e911b44f78996da931209280f4a19c1215802ff14638
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
@ -26,6 +27,8 @@ PKG_BUILD_PARALLEL:=1
PKG_INSTALL:=1
PKG_FIXUP:=autoreconf
PKG_CONFIG_DEPENDS:=CONFIG_PACKAGE_openocd_with_usb
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/nls.mk
@ -34,7 +37,18 @@ define Package/openocd
CATEGORY:=Utilities
TITLE:=OpenOCD Utility
URL:=http://openocd.sf.net/
DEPENDS:=+libusb-1.0 +libusb-compat +libftdi1 +hidapi
DEPENDS:=+PACKAGE_openocd_with_usb:libusb-1.0 \
+PACKAGE_openocd_with_usb:libusb-compat \
+PACKAGE_openocd_with_usb:libftdi1 \
+PACKAGE_openocd_with_usb:hidapi
endef
define Package/openocd/config
if PACKAGE_openocd
config PACKAGE_openocd_with_usb
bool "Build with support for USB adapters."
default y
endif
endef
define Package/openocd/description
@ -55,13 +69,21 @@ the GNU GDB program (and the others who talk GDB protocol, e.g. IDA
Pro).
endef
define Build/Prepare
$(call Build/Prepare/Default)
-$(RM) $(PKG_BUILD_DIR)/guess-rev.sh
endef
CONFIGURE_ARGS += \
--prefix="/usr" \
--disable-werror \
MAKEINFO=true \
$(if $(CONFIG_PACKAGE_openocd_with_usb),,PKG_CONFIG=false) \
--enable-dummy \
--enable-sysfsgpio
TARGET_CFLAGS += -DRELSTR=\\\"-$(PKG_VERSION)-$(PKG_RELEASE)-OpenWrt\\\"
define Build/Compile
+$(MAKE_VARS) \
$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(MAKE_PATH)


+ 0
- 45
utils/openocd/patches/100-bind-localhost-only.patch View File

@ -1,45 +0,0 @@
Subject: Bind to IPv4 localhost by default
Origin: other, http://openocd.zylin.com/#/c/4331/2
Last-Update: 2018-01-18
From f8630b0b15e30dc6c51270006a4e075c79cf466a Mon Sep 17 00:00:00 2001
From: Paul Fertser <fercerpav@gmail.com>
Date: Sat, 13 Jan 2018 16:22:10 +0300
Subject: [PATCH] server: bind to IPv4 localhost by default
Since OpenOCD basically allows to perform arbitrary actions on behalf of
the running user, it makes sense to restrict the exposure by default.
If you need network connectivity and your environment is safe enough,
use "bindto 0.0.0.0" to switch to the old behaviour.
Change-Id: I4a4044b90d0ecb30118cea96fc92a7bcff0924e0
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
---
diff --git a/doc/openocd.texi b/doc/openocd.texi
index 7f5b72e..5c7f465 100644
--- a/doc/openocd.texi
+++ b/doc/openocd.texi
@@ -7017,7 +7017,7 @@
@deffn Command bindto [name]
Specify address by name on which to listen for incoming TCP/IP connections.
-By default, OpenOCD will listen on all available interfaces.
+By default, OpenOCD will listen on the loopback interface only.
@end deffn
@anchor{targetstatehandling}
diff --git a/src/server/server.c b/src/server/server.c
index 1e52e97..ea1e898 100644
--- a/src/server/server.c
+++ b/src/server/server.c
@@ -259,7 +259,7 @@
c->sin.sin_family = AF_INET;
if (bindto_name == NULL)
- c->sin.sin_addr.s_addr = INADDR_ANY;
+ c->sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
else {
hp = gethostbyname(bindto_name);
if (hp == NULL) {

+ 0
- 47
utils/openocd/patches/101-cve-2018-5704-css-fix.patch View File

@ -1,47 +0,0 @@
Subject: Prevent some forms of Cross Protocol Scripting attacks
Author: Andreas Fritiofson <andreas.fritiofson@gmail.com>
Origin: other, http://openocd.zylin.com/#/c/4335/
Bug-Debian: https://bugs.debian.org/887488
Last-Update: 2018-01-18
From 3a223ca3ebc7ac24d7726a0cd58e5695bc813657 Mon Sep 17 00:00:00 2001
From: Andreas Fritiofson <andreas.fritiofson@gmail.com>
Date: Sat, 13 Jan 2018 21:00:47 +0100
Subject: [PATCH] CVE-2018-5704: Prevent some forms of Cross Protocol Scripting attacks
OpenOCD can be targeted by a Cross Protocol Scripting attack from
a web browser running malicious code, such as the following PoC:
var x = new XMLHttpRequest();
x.open("POST", "http://127.0.0.1:4444", true);
x.send("exec xcalc\r\n");
This mitigation should provide some protection from browser-based
attacks and is based on the corresponding fix in Redis:
https://github.com/antirez/redis/blob/8075572207b5aebb1385c4f233f5302544439325/src/networking.c#L1758
Change-Id: Ia96ebe19b74b5805dc228bf7364c7971a90a4581
Signed-off-by: Andreas Fritiofson <andreas.fritiofson@gmail.com>
Reported-by: Josef Gajdusek <atx@atx.name>
---
diff --git a/src/server/startup.tcl b/src/server/startup.tcl
index 64ace40..dd1b31e 100644
--- a/src/server/startup.tcl
+++ b/src/server/startup.tcl
@@ -8,3 +8,14 @@
# one target
reset halt
}
+
+proc prevent_cps {} {
+ echo "Possible SECURITY ATTACK detected."
+ echo "It looks like somebody is sending POST or Host: commands to OpenOCD."
+ echo "This is likely due to an attacker attempting to use Cross Protocol Scripting"
+ echo "to compromise your OpenOCD instance. Connection aborted."
+ exit
+}
+
+proc POST {args} { prevent_cps }
+proc Host: {args} { prevent_cps }

Loading…
Cancel
Save