Diffstat (limited to 'meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch')
-rw-r--r-- | meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch | 49 |
1 files changed, 0 insertions, 49 deletions
diff --git a/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
deleted file mode 100644
index 3925a4abbb..0000000000
--- a/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001
-From: Filipe Brandenburger <filbranden@google.com>
-Date: Thu, 10 Jan 2019 14:53:33 -0800
-Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866
-
-The original code didn't account for the fact that strchr() would match on the
-'\0' character, making it read past the end of the buffer if no non-whitespace
-character was present.
-
-This bug was introduced in commit ec5ff4445cca6a which was first released in
-systemd v221 and later fixed in commit 8595102d3ddde6 which was released in
-v240, so versions in the range [v221, v240) are affected.
-
-Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b
-also includes a change from systemd master which removes a heap buffer overflow
-a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
-
-CVE: CVE-2018-16866
-Upstream-Status: Backport
-Signed-off-by: Marcus Cooper <marcusc@axis.com>
-----
- src/journal/journald-syslog.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
-index 9dea116722..809b318c06 100644
---- a/src/journal/journald-syslog.c
-+++ b/src/journal/journald-syslog.c
-@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
- e = l;
- l--;
-
-- if (p[l-1] == ']') {
-+ if (l > 0 && p[l-1] == ']') {
- size_t k = l-1;
-
- for (;;) {
-@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
- if (t)
- *identifier = t;
-
-- if (strchr(WHITESPACE, p[e]))
-+ if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
- e++;
- *buf = p + e;
- return e;
----
-2.11.0
- |