diff options
author | Ross Burton <ross.burton@intel.com> | 2019-11-04 12:14:55 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2019-11-10 14:00:42 -0800 |
commit | 2435c38e109cac68476ee672eca09b4cd6237ed4 (patch) | |
tree | 097fc9c81fef8f825ea3ac374fef80e7963ff22a /meta/recipes-devtools | |
parent | 664c8f9837db7b20ff540d5f6373e4ae0f2b4b02 (diff) | |
download | openembedded-core-contrib-2435c38e109cac68476ee672eca09b4cd6237ed4.tar.gz |
file: fix CVE-2019-18218
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/file/file/CVE-2019-18218.patch | 55 | ||||
-rw-r--r-- | meta/recipes-devtools/file/file_5.37.bb | 3 |
2 files changed, 57 insertions, 1 deletions
diff --git a/meta/recipes-devtools/file/file/CVE-2019-18218.patch b/meta/recipes-devtools/file/file/CVE-2019-18218.patch new file mode 100644 index 0000000000..3d02c5ad4b --- /dev/null +++ b/meta/recipes-devtools/file/file/CVE-2019-18218.patch @@ -0,0 +1,55 @@ +cdf_read_property_info in cdf.c in file through 5.37 does not restrict the +number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte +out-of-bounds write). + +CVE: CVE-2019-18218 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001 +From: Christos Zoulas <christos@zoulas.com> +Date: Mon, 26 Aug 2019 14:31:39 +0000 +Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz) + +--- + src/cdf.c | 9 ++++----- + src/cdf.h | 1 + + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/cdf.c b/src/cdf.c +index 9d6396742..bb81d6374 100644 +--- a/src/cdf.c ++++ b/src/cdf.c +@@ -1016,8 +1016,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + } + nelements = CDF_GETUINT32(q, 1); +- if (nelements == 0) { +- DPRINTF(("CDF_VECTOR with nelements == 0\n")); ++ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { ++ DPRINTF(("CDF_VECTOR with nelements == %" ++ SIZE_T_FORMAT "u\n", nelements)); + goto out; + } + slen = 2; +@@ -1060,8 +1061,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + goto out; + inp += nelem; + } +- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", +- nelements)); + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { +diff --git a/src/cdf.h b/src/cdf.h +index 2f7e554b7..05056668f 100644 +--- a/src/cdf.h ++++ b/src/cdf.h +@@ -48,6 +48,7 @@ + typedef int32_t cdf_secid_t; + + #define CDF_LOOP_LIMIT 10000 ++#define CDF_ELEMENT_LIMIT 100000 + + #define CDF_SECID_NULL 0 + #define CDF_SECID_FREE -1 diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.37.bb index 6547d12888..509b6cea6e 100644 --- a/meta/recipes-devtools/file/file_5.37.bb +++ b/meta/recipes-devtools/file/file_5.37.bb @@ -14,7 +14,8 @@ DEPENDS_class-native = "zlib-native" # Blacklist a bogus tag in upstream check UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)" -SRC_URI = "git://github.com/file/file.git" +SRC_URI = "git://github.com/file/file.git \ + file://CVE-2019-18218.patch" SRCREV = "a0d5b0e4e9f97d74a9911e95cedd579852e25398" S = "${WORKDIR}/git" |