diff options
| author |   Adrian Bunk <bunk@stusta.de> | 2019-10-31 18:54:10 +0200 |
|---|---|---|
| committer |   Armin Kuster <akuster@mvista.com> | 2020-01-11 14:16:56 -0800 |
| commit | b2f276db16e37ee71dbea0215492ad3abc7d24d0 (patch) | |
| tree | 713c3576ed58f6205b8e1e697a6ba0bf2146af3b | |
| parent | 470838c777fc71a5785fa6fb62e9aa714712e5e2 (diff) | |
| download | meta-openembedded-contrib-b2f276db16e37ee71dbea0215492ad3abc7d24d0.tar.gz | |
gpsd: Fix CVE-2018-17937
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Armin Kuster <akuster@mvista.com>
| -rw-r--r-- | meta-oe/recipes-navigation/gpsd/gpsd-3.17/0001-Add-bounds-check-in-in_escape-state-of-JSON-parser.patch | 46 | ||||
| -rw-r--r-- | meta-oe/recipes-navigation/gpsd/gpsd_3.17.bb | 1 |
2 files changed, 47 insertions, 0 deletions
diff --git a/meta-oe/recipes-navigation/gpsd/gpsd-3.17/0001-Add-bounds-check-in-in_escape-state-of-JSON-parser.patch b/meta-oe/recipes-navigation/gpsd/gpsd-3.17/0001-Add-bounds-check-in-in_escape-state-of-JSON-parser.patch new file mode 100644 index 0000000000..1a8a6ac0ab --- /dev/null +++ b/meta-oe/recipes-navigation/gpsd/gpsd-3.17/0001-Add-bounds-check-in-in_escape-state-of-JSON-parser.patch @@ -0,0 +1,46 @@ +From a6e718c0dd32501c8961b6ac0493b148b6489f14 Mon Sep 17 00:00:00 2001 +From: "Eric S. Raymond" <esr@thyrsus.com> +Date: Fri, 15 Jun 2018 13:26:28 -0400 +Subject: Add bounds check in in_escape state of JSON parser. + +CVE: CVE-2018-17937 +Upstream-Status: Backport +Signed-off-by: Adrian Bunk <bunk@stusta.de> + +--- + json.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/json.c b/json.c +index f5b59fba2..e7cac81fd 100644 +--- a/json.c ++++ b/json.c +@@ -374,6 +374,12 @@ static int json_internal_read_object(const char *cp, + if (pval == NULL) + /* don't update end here, leave at value start */ + return JSON_ERR_NULLPTR; ++ else if (pval > valbuf + JSON_VAL_MAX - 1 ++ || pval > valbuf + maxlen) { ++ json_debug_trace((1, "String value too long.\n")); ++ /* don't update end here, leave at value start */ ++ return JSON_ERR_STRLONG; /* */ ++ } + switch (*cp) { + case 'b': + *pval++ = '\b'; +@@ -394,8 +400,10 @@ static int json_internal_read_object(const char *cp, + for (n = 0; n < 4 && cp[n] != '\0'; n++) + uescape[n] = *cp++; + --cp; +- (void)sscanf(uescape, "%04x", &u); +- *pval++ = (char)u; /* will truncate values above 0xff */ ++ if (1 != sscanf(uescape, "%4x", &u)) { ++ return JSON_ERR_BADSTRING; ++ } ++ *pval++ = (unsigned char)u; /* will truncate values above 0xff */ + break; + default: /* handles double quote and solidus */ + *pval++ = *cp; +-- +2.20.1 + diff --git a/meta-oe/recipes-navigation/gpsd/gpsd_3.17.bb b/meta-oe/recipes-navigation/gpsd/gpsd_3.17.bb index e823e42a59..488fa3a52d 100644 --- a/meta-oe/recipes-navigation/gpsd/gpsd_3.17.bb +++ b/meta-oe/recipes-navigation/gpsd/gpsd_3.17.bb @@ -11,6 +11,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.gz \ file://0001-SConstruct-prefix-includepy-with-sysroot-and-drop-sy.patch \ file://0004-SConstruct-disable-html-and-man-docs-building-becaus.patch \ file://0001-include-sys-ttydefaults.h.patch \ + file://0001-Add-bounds-check-in-in_escape-state-of-JSON-parser.patch \ " SRC_URI[md5sum] = "e0cfadcf4a65dfbdd2afb11c58f4e4a1" SRC_URI[sha256sum] = "68e0dbecfb5831997f8b3d6ba48aed812eb465d8c0089420ab68f9ce4d85e77a" |