diff options
| author |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-01-28 13:57:44 +0000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-01-28 17:22:25 +0000 |
| commit | bc79395e2fcb886f224a4ad837fd93c779d2c53d (patch) | |
| tree | 2fdc65d98203dc934cfec4cb26018c390534b7f5 /meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch | |
| parent | a8ab78824575bdfcdb9efe89378951d734c1cfa9 (diff) | |
| download | openembedded-core-contrib-bc79395e2fcb886f224a4ad837fd93c779d2c53d.tar.gz | |
systemd: Update recent CVE patches
* Added CVE tag, Upstream-Status tag and Sign-off-by tags.
* Removed the verification of the entry length in the header
* Squashed CVE-2018-16865 patches into one
* CVE-2018-16866 patch now taken from systemd-stable and includes
an additional heap buffer overflow fix.
Signed-off-by: Marcus Cooper <marcusc@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch')
| -rw-r--r-- | meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch new file mode 100644 index 0000000000..3925a4abbb --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch @@ -0,0 +1,49 @@ +From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001 +From: Filipe Brandenburger <filbranden@google.com> +Date: Thu, 10 Jan 2019 14:53:33 -0800 +Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866 + +The original code didn't account for the fact that strchr() would match on the +'\0' character, making it read past the end of the buffer if no non-whitespace +character was present. + +This bug was introduced in commit ec5ff4445cca6a which was first released in +systemd v221 and later fixed in commit 8595102d3ddde6 which was released in +v240, so versions in the range [v221, v240) are affected. + +Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b +also includes a change from systemd master which removes a heap buffer overflow +a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. + +CVE: CVE-2018-16866 +Upstream-Status: Backport +Signed-off-by: Marcus Cooper <marcusc@axis.com> +--- + src/journal/journald-syslog.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c +index 9dea116722..809b318c06 100644 +--- a/src/journal/journald-syslog.c ++++ b/src/journal/journald-syslog.c +@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) + e = l; + l--; + +- if (p[l-1] == ']') { ++ if (l > 0 && p[l-1] == ']') { + size_t k = l-1; + + for (;;) { +@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) + if (t) + *identifier = t; + +- if (strchr(WHITESPACE, p[e])) ++ if (p[e] != '\0' && strchr(WHITESPACE, p[e])) + e++; + *buf = p + e; + return e; +-- +2.11.0 + |