diff options
| author |   Armin Kuster <akuster@mvista.com> | 2016-02-10 15:42:34 -0800 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-21 09:37:19 +0000 |
| commit | 4fe0654253d7444f2c445a30b06623cef036b2bb (patch) | |
| tree | c2ea10af63ee74df3f89af90cc819b89151d53e9 | |
| parent | e56aba3a822f072f8ed2062a691762a4a970a3f0 (diff) | |
| download | openembedded-core-contrib-4fe0654253d7444f2c445a30b06623cef036b2bb.tar.gz | |
uclibc: Security fix CVE-2016-2224
CVE-2016-2224 Do not follow compressed items forever.
This change is being provide to comply to Yocto compatiblity.
Signed-off-by: Armin Kuster <akuster@mvista.com>
| -rw-r--r-- | meta/recipes-core/uclibc/uclibc-git.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch | 49 |
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-core/uclibc/uclibc-git.inc b/meta/recipes-core/uclibc/uclibc-git.inc index dcb616d0d2..d3fb2a8a8e 100644 --- a/meta/recipes-core/uclibc/uclibc-git.inc +++ b/meta/recipes-core/uclibc/uclibc-git.inc @@ -19,5 +19,6 @@ SRC_URI = "git://uclibc.org/uClibc.git;branch=master \ file://0001-gcc5-optimizes-away-the-write-only-static-functions-.patch \ file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \ file://0001-wire-in-syncfs.patch \ + file://CVE-2016-2224.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch new file mode 100644 index 0000000000..218b60a85c --- /dev/null +++ b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch @@ -0,0 +1,49 @@ +From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001 +From: Waldemar Brodkorb <wbx@openadk.org> +Date: Sun, 17 Jan 2016 15:47:22 +0100 +Subject: [PATCH] Do not follow compressed items forever. + +It is possible to get stuck in an infinite loop when receiving a +specially crafted DNS reply. Exit the loop after a number of iteration +and consider the packet invalid. + +Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se> +Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org> + +Upstream-status: Backport +http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515 + +CVE: CVE-2016-2224 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + libc/inet/resolv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +Index: git/libc/inet/resolv.c +=================================================================== +--- git.orig/libc/inet/resolv.c ++++ git/libc/inet/resolv.c +@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char + bool measure = 1; + unsigned total = 0; + unsigned used = 0; ++ unsigned maxiter = 256; + + if (!packet) + return -1; + +- while (1) { ++ while (--maxiter) { + if (offset >= packet_len) + return -1; + b = packet[offset++]; +@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char + else + dest[used++] = '\0'; + } ++ if (!maxiter) ++ return -1; + + /* The null byte must be counted too */ + if (measure) |