From 69f94af4d91215e7d4e225bab54bf3bcfee42f1c Mon Sep 17 00:00:00 2001 From: Spectrejan Date: Fri, 3 Dec 2021 10:12:30 +0100 Subject: brotli: add patch to fix CVE-2020-8927 Port patch to fix CVE-2020-8927 for brotli from Debian Buster CVE: CVE-2020-8927 Signed-off-by: Jan Kraemer [Fixup to apply with URL changes] Signed-off-by: Armin Kuster --- .../brotli/0001-brotli-fix-CVE-2020-8927.patch | 44 ++++++++++++++++++++++ meta-oe/recipes-extended/brotli/brotli_1.0.7.bb | 4 +- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch diff --git a/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch new file mode 100644 index 0000000000..c21794d147 --- /dev/null +++ b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch @@ -0,0 +1,44 @@ +From 95ab3786ce0f16e08e41f7bf216969a37dc86cad Mon Sep 17 00:00:00 2001 +From: Jan Kraemer +Date: Thu, 7 Oct 2021 12:48:04 +0200 +Subject: [PATCH] brotli: fix CVE-2020-8927 + +[No upstream tracking] -- + +This fixes a potential overflow when input chunk is >2GiB in +BrotliGetAvailableBits by capping the returned value to 2^30 + +Fixed in brotli version 1.0.8 +https://github.com/google/brotli as of commit id +223d80cfbec8fd346e32906c732c8ede21f0cea6 + +Patch taken from Debian Buster: 1.0.7-2+deb10u1 +http://deb.debian.org/debian/pool/main/b/brotli/brotli_1.0.7-2+deb10u1.dsc +https://security-tracker.debian.org/tracker/CVE-2020-8927 + + +Upstream-Status: Backported +CVE: CVE-2020-8927 + +Signed-off-by: Jan Kraemer +--- + c/dec/bit_reader.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h +index c06e914..0d20312 100644 +--- a/c/dec/bit_reader.h ++++ b/c/dec/bit_reader.h +@@ -87,8 +87,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits( + } + + /* Returns amount of unread bytes the bit reader still has buffered from the +- BrotliInput, including whole bytes in br->val_. */ ++ BrotliInput, including whole bytes in br->val_. Result is capped with ++ maximal ring-buffer size (larger number won't be utilized anyway). */ + static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) { ++ static const size_t kCap = (size_t)1 << 30; ++ if (br->avail_in > kCap) return kCap; + return br->avail_in + (BrotliGetAvailableBits(br) >> 3); + } + diff --git a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb index 731eaf63a8..77fef778a4 100644 --- a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb +++ b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb @@ -6,7 +6,9 @@ BUGTRACKER = "https://github.com/google/brotli/issues" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b" -SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https" +SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https \ + file://0001-brotli-fix-CVE-2020-8927.patch \ + " # tag 1.0.7 SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541" S = "${WORKDIR}/git" -- cgit 1.2.3-korg