author | Sinan Kaya <okaya@kernel.org> | 2018-10-16 22:18:45 +0000 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2018-10-16 17:26:30 -0700 |
commit | bc14dcccfd7d048fbd826e571949a521d45fd86c (patch) | |
tree | 46226dc9312e3f8494a4997712bc0339327f5e6f /meta-oe/recipes-support/sharutils | |
parent | 256de4995c6bf42b82b07f275aa0f9adf43a1db0 (diff) | |
download | meta-openembedded-bc14dcccfd7d048fbd826e571949a521d45fd86c.tar.gz |
sharutils: CVE-2018-1000097
*CVE
Sharutils (unshar command) version 4.15.2 contains a Buffer Overflow
vulnerability in Affected component on the file unshar.c at line 75,
function looks_like_c_code. Failure to perform checking of the buffer
containing input line that can result in: Could lead to code execution.
This attack appears to be exploitable via: Victim has to run unshar command
on a specially crafted file.
Affects = 4.15.2
CVE: CVE-2018-1000097
Ref: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000097.html?_ga=2.104716162.363845622.1539703460-954328166.1533363715
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/recipes-support/sharutils')
-rw-r--r-- | meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch | 61 | ||||
-rw-r--r-- | meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb | 1 |
2 files changed, 62 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch b/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch new file mode 100644 index 00000000000..99dc4e3046f --- /dev/null +++ b/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch 
@@ -0,0 +1,61 @@ +From bd68ae1271598e8fdc72f2adb457e6882604582d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Thu, 22 Feb 2018 16:39:43 +0100 +Subject: [PATCH] Fix a heap-buffer-overflow in find_archive() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +rw_buffer has allocated rw_base_size bytes. But subsequend fgets() in +find_archive() reads up-to BUFSIZ bytes. + +On my system, BUFSIZ is 8192. rw_base_size is usually equaled to +a memory page size, 4096 on my system. Thus find_archive() can write +beyonded allocated memmory for rw_buffer array: + +$ valgrind -- ./unshar /tmp/id\:000000\,sig\:06\,src\:000005+000030\,op\:splice\,rep\:4 +==30582== Memcheck, a memory error detector +==30582== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. +==30582== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info +==30582== Command: ./unshar /tmp/id:000000,sig:06,src:000005+000030,op:splice,rep:4 +==30582== +==30582== Invalid write of size 1 +==30582== at 0x4EAB480: _IO_getline_info (in /usr/lib64/libc-2.27.so) +==30582== by 0x4EB47C2: fgets_unlocked (in /usr/lib64/libc-2.27.so) +==30582== by 0x10BF60: fgets_unlocked (stdio2.h:320) +==30582== by 0x10BF60: find_archive (unshar.c:243) +==30582== by 0x10BF60: unshar_file (unshar.c:379) +==30582== by 0x10BCCC: validate_fname (unshar-opts.c:604) +==30582== by 0x10BCCC: main (unshar-opts.c:639) +==30582== Address 0x523a790 is 0 bytes after a block of size 4,096 alloc'd +==30582== at 0x4C2DBBB: malloc (vg_replace_malloc.c:299) +==30582== by 0x10C670: init_unshar (unshar.c:450) +==30582== by 0x10BC55: main (unshar-opts.c:630) + +This was reported in +<http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html>. 
+ +CVE: CVE-2018-1000097 +Upstream-Status: no upstream [http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html] +Signed-off-by: Petr Písař <ppisar@redhat.com> +Signed-off-by: Sinan Kaya <okaya@kernel.org> +--- + src/unshar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/unshar.c b/src/unshar.c +index 80bc3a9..0fc3773 100644 +--- a/src/unshar.c ++++ b/src/unshar.c +@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start) + off_t position = ftello (file); + + /* Read next line, fail if no more and no previous process. */ +- if (!fgets (rw_buffer, BUFSIZ, file)) ++ if (!fgets (rw_buffer, rw_base_size, file)) + { + if (!start) + error (0, 0, _("Found no shell commands in %s"), name); +-- +2.19.0 + diff --git a/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb b/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb index 812fee955b5..c12289b5d0a 100644 --- a/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb +++ b/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb @@ -8,6 +8,7 @@ inherit gettext autotools SRC_URI = "ftp://ftp.gnu.org/gnu/${BPN}/${BP}.tar.gz \ file://0001-Fix-build-with-clang.patch \ + file://CVE-2018-1000097.patch \ " SRC_URI[md5sum] = "32a51b23e25ad5e6af4b89f228be1800" SRC_URI[sha256sum] = "ee336e68549664e7a19b117adf02edfdeac6307f22e5ba78baca457116914637" |
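Review bot: In the src/unshar.c hunk, only the single fgets() call in find_archive() is rebounded from BUFSIZ to rw_base_size, while the commit message describes the CVE as sitting in looks_like_c_code at unshar.c line 75; the patch header should say how bounding the read at unshar.c:243 (the frame in the valgrind trace) covers that description. Please also confirm that no other read into rw_buffer in unshar.c still passes BUFSIZ, since this hunk touches one call site only. The header line "Upstream-Status: no upstream [...]" points at a bug-gnu-utils report; a standard value such as Pending or Submitted with that URL would state the patch's status more clearly.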