From 191cab2f679491c2b6ddba49c5cf4886dcd22f57 Mon Sep 17 00:00:00 2001 From: Xufeng Zhang Date: Wed, 23 Jul 2014 23:27:47 -0400 Subject: nspr: Fix for CVE-2014-1545 Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions.Per: http://cwe.mitre.org/data/definitions/787.html Signed-off-by: Xufeng Zhang Signed-off-by: Jackie Huang Signed-off-by: Saul Wold Signed-off-by: Richard Purdie --- .../nspr/nspr/nspr-CVE-2014-1545.patch | 67 ++++++++++++++++++++++ meta/recipes-support/nspr/nspr_4.10.3.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch diff --git a/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch b/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch new file mode 100644 index 0000000000..565ff168e0 --- /dev/null +++ b/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch @@ -0,0 +1,67 @@ +Fix for CVE-2014-1545 + +Upstream-Status: Backport + +Backported from nspr-4.10.6.tar.gz. +--- +--- a/pr/src/io/prprf.c ++++ b/pr/src/io/prprf.c +@@ -50,6 +50,10 @@ + #include "prlog.h" + #include "prmem.h" + ++#ifdef _MSC_VER ++#define snprintf _snprintf ++#endif ++ + /* + ** WARNING: This code may *NOT* call PR_LOG (because PR_LOG calls it) + */ +@@ -330,7 +334,7 @@ + ** Convert a double precision floating point number into its printable + ** form. + ** +-** XXX stop using sprintf to convert floating point ++** XXX stop using snprintf to convert floating point + */ + static int cvt_f(SprintfState *ss, double d, const char *fmt0, const char *fmt1) + { +@@ -338,15 +342,14 @@ + char fout[300]; + int amount = fmt1 - fmt0; + +- PR_ASSERT((amount > 0) && (amount < sizeof(fin))); +- if (amount >= sizeof(fin)) { +- /* Totally bogus % command to sprintf. Just ignore it */ ++ if (amount <= 0 || amount >= sizeof(fin)) { ++ /* Totally bogus % command to snprintf. Just ignore it */ + return 0; + } + memcpy(fin, fmt0, amount); + fin[amount] = 0; + +- /* Convert floating point using the native sprintf code */ ++ /* Convert floating point using the native snprintf code */ + #ifdef DEBUG + { + const char *p = fin; +@@ -356,14 +359,11 @@ + } + } + #endif +- sprintf(fout, fin, d); +- +- /* +- ** This assert will catch overflow's of fout, when building with +- ** debugging on. At least this way we can track down the evil piece +- ** of calling code and fix it! +- */ +- PR_ASSERT(strlen(fout) < sizeof(fout)); ++ memset(fout, 0, sizeof(fout)); ++ snprintf(fout, sizeof(fout), fin, d); ++ /* Explicitly null-terminate fout because on Windows snprintf doesn't ++ * append a null-terminator if the buffer is too small. */ ++ fout[sizeof(fout) - 1] = '\0'; + + return (*ss->stuff)(ss, fout, strlen(fout)); + } diff --git a/meta/recipes-support/nspr/nspr_4.10.3.bb b/meta/recipes-support/nspr/nspr_4.10.3.bb index 0adfe3b3a3..60e1bfa7b1 100644 --- a/meta/recipes-support/nspr/nspr_4.10.3.bb +++ b/meta/recipes-support/nspr/nspr_4.10.3.bb @@ -9,6 +9,7 @@ SRC_URI = "ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v${PV}/src/nspr-$ file://remove-rpath-from-tests.patch \ file://fix-build-on-x86_64.patch \ file://trickly-fix-build-on-x86_64.patch \ + file://nspr-CVE-2014-1545.patch \ " SRC_URI += "file://nspr.pc.in" -- cgit 1.2.3-korg