From ab29efb8e85020a3621079c7fde217c1bfaa5289 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Thu, 11 Feb 2016 16:20:34 -0800 Subject: libbsd: Security fix CVE-2016-2090 CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd affects libbsd <= 0.8.1 (and therefore not needed in master) Signed-off-by: Armin Kuster Signed-off-by: Joshua Lock --- .../libbsd/files/CVE-2016-2090.patch | 50 ++++++++++++++++++++++ meta/recipes-support/libbsd/libbsd_0.7.0.bb | 4 +- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libbsd/files/CVE-2016-2090.patch diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch new file mode 100644 index 0000000000..2eaae1386d --- /dev/null +++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch @@ -0,0 +1,50 @@ +From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001 +From: Hanno Boeck +Date: Wed, 27 Jan 2016 15:10:11 +0100 +Subject: [PATCH] Fix heap buffer overflow in fgetwln() + +In the function fgetwln() there's a 4 byte heap overflow. + +There is a while loop that has this check to see whether there's still +enough space in the buffer: + + if (!fb->len || wused > fb->len) { + +If this is true more memory gets allocated. However this test won't be +true if wused == fb->len, but at that point wused already points out +of the buffer. Some lines later there's a write to the buffer: + + fb->wbuf[wused++] = wc; + +This bug was found with the help of address sanitizer. + +Warned-by: ASAN +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881 +Signed-off-by: Guillem Jover + +Upstream-Status: Backport +http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 + +CVE: CVE-2016-2090 +Signed-off-by: Armin Kuster + +--- + src/fgetwln.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/fgetwln.c b/src/fgetwln.c +index 9ee0776..aa3f927 100644 +--- a/src/fgetwln.c ++++ b/src/fgetwln.c +@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp) + fb->fp = stream; + + while ((wc = fgetwc(stream)) != WEOF) { +- if (!fb->len || wused > fb->len) { ++ if (!fb->len || wused >= fb->len) { + wchar_t *wp; + + if (fb->len) +-- +2.3.5 + diff --git a/meta/recipes-support/libbsd/libbsd_0.7.0.bb b/meta/recipes-support/libbsd/libbsd_0.7.0.bb index 902666da7f..8d9a708a15 100644 --- a/meta/recipes-support/libbsd/libbsd_0.7.0.bb +++ b/meta/recipes-support/libbsd/libbsd_0.7.0.bb @@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f1530ea92aeaa1c5e2547cfd43905d8c" SECTION = "libs" DEPENDS = "" -SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz" +SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz \ + file://CVE-2016-2090.patch \ + " SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0" SRC_URI[sha256sum] = "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb" -- cgit 1.2.3-korg