1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
From 9368831d360c0e47df55d1bb25c3517269320c5f Mon Sep 17 00:00:00 2001
From: Ariadne Conill <ariadne@dereferenced.org>
Date: Wed, 15 Mar 2023 16:12:43 +0800
Subject: [PATCH] tuple: test for, and stop string processing, on truncation
otherwise a buffer overflow occurs.
this has been a bug in pkgconf since the beginning, it seems.
instead of disclosing the bug correctly, a "hotshot" developer
decided to blog about it instead. sigh.
https://nullprogram.com/blog/2023/01/18/
Upstream-Status: Backport [https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059]
CVE: CVE-2023-24056
Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com>
---
libpkgconf/tuple.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c
index 2d550d8..b831070 100644
--- a/libpkgconf/tuple.c
+++ b/libpkgconf/tuple.c
@@ -293,12 +293,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
}
}
+ size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
ptr += (pptr - ptr);
kv = pkgconf_tuple_find_global(client, varname);
if (kv != NULL)
{
- strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
- bptr += strlen(kv);
+ size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
+ if (nlen > remain)
+ {
+ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+
+ bptr = buf + (PKGCONF_BUFSIZE - 1);
+ break;
+ }
+
+ bptr += nlen;
}
else
{
@@ -306,12 +315,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
if (kv != NULL)
{
+ size_t nlen;
+
parsekv = pkgconf_tuple_parse(client, vars, kv);
+ nlen = pkgconf_strlcpy(bptr, parsekv, remain);
+ free(parsekv);
- strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
- bptr += strlen(parsekv);
+ if (nlen > remain)
+ {
+ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
- free(parsekv);
+ bptr = buf + (PKGCONF_BUFSIZE - 1);
+ break;
+ }
+
+ bptr += nlen;
}
}
}
--
2.27.0
|