diff options
| author |   Sinan Kaya <okaya@kernel.org> | 2018-10-05 03:55:15 +0000 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-10-18 11:08:45 +0100 |
| commit | d145f605c274386baf0dde023f15cddf37523f3b (patch) | |
| tree | 76358ad4bd197678c9af80e481b85e59ca804540 /meta/recipes-devtools | |
| parent | 1461bcc72e6649920ecf4226e006e5667c48a21c (diff) | |
| download | openembedded-core-contrib-d145f605c274386baf0dde023f15cddf37523f3b.tar.gz | |
git: CVE-2018-11233
* CVE-2018-11233
Code to sanity-check pathnames on NTFS can result in reading
out-of-bounds memory.
Affects < 2.17.1
CVE: CVE-2018-11233
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1583888
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta/recipes-devtools')
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2018-11233.patch | 44 | ||||
| -rw-r--r-- | meta/recipes-devtools/git/git.inc | 3 |
2 files changed, 46 insertions, 1 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2018-11233.patch b/meta/recipes-devtools/git/files/CVE-2018-11233.patch new file mode 100644 index 0000000000..f4468cf2fd --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2018-11233.patch @@ -0,0 +1,44 @@ +From 014281e62b7920a6d710a85089e00ca012b0744c Mon Sep 17 00:00:00 2001 +From: Jeff King <peff@peff.net> +Date: Sun, 13 May 2018 12:09:42 -0400 +Subject: [PATCH] is_ntfs_dotgit: use a size_t for traversing string + +We walk through the "name" string using an int, which can +wrap to a negative value and cause us to read random memory +before our array (e.g., by creating a tree with a name >2GB, +since "int" is still 32 bits even on most 64-bit platforms). +Worse, this is easy to trigger during the fsck_tree() check, +which is supposed to be protecting us from malicious +garbage. + +Note one bit of trickiness in the existing code: we +sometimes assign -1 to "len" at the end of the loop, and +then rely on the "len++" in the for-loop's increment to take +it back to 0. This is still legal with a size_t, since +assigning -1 will turn into SIZE_MAX, which then wraps +around to 0 on increment. + +Signed-off-by: Jeff King <peff@peff.net> +CVE: CVE-2018-11233 +Upstream-Status: Backport[https://github.com/git/git/commit/11a9f4d807a0d71dc6eff51bb87baf4ca2cccf1d] +Signed-off-by: Sinan Kaya <okaya@kernel.org> +--- + path.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/path.c b/path.c +index da8b65573..d31c795ff 100644 +--- a/path.c ++++ b/path.c +@@ -1305,7 +1305,7 @@ static int only_spaces_and_periods(const char *path, size_t len, size_t skip) + + int is_ntfs_dotgit(const char *name) + { +- int len; ++ size_t len; + + for (len = 0; ; len++) + if (!name[len] || name[len] == '\\' || is_dir_sep(name[len])) { +-- +2.19.0 + diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc index bea23ec783..8603c045cc 100644 --- a/meta/recipes-devtools/git/git.inc +++ b/meta/recipes-devtools/git/git.inc @@ -8,7 +8,8 @@ PROVIDES_append_class-native = " git-replacement-native" SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \ - file://CVE-2018-11235.patch" + file://CVE-2018-11235.patch \ + file://CVE-2018-11233.patch" S = "${WORKDIR}/git-${PV}" |