diff options
author | Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com> | 2020-07-27 11:00:35 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-07-27 19:54:00 +0100 |
commit | 411f47cdcb74109a103166477d606c88db6175ee (patch) | |
tree | ec6b9bd826e67b343e27161354a17648d1b454c0 /meta/recipes-devtools/json-c | |
parent | a8605c66ef5afe7c3583366781dfd90fe3526398 (diff) | |
download | openembedded-core-411f47cdcb74109a103166477d606c88db6175ee.tar.gz |
json-c: update to 0.15
Remove upstreamed patch.
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/json-c')
-rw-r--r-- | meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch | 160 | ||||
-rw-r--r-- | meta/recipes-devtools/json-c/json-c_0.15.bb (renamed from meta/recipes-devtools/json-c/json-c_0.14.bb) | 6 |
2 files changed, 2 insertions, 164 deletions
diff --git a/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch b/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch deleted file mode 100644 index a45cfb61bc..0000000000 --- a/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch +++ /dev/null @@ -1,160 +0,0 @@ -From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Mon, 4 May 2020 19:41:16 +0200 -Subject: [PATCH 1/3] Protect array_list_del_idx against size_t overflow. - -If the assignment of stop overflows due to idx and count being -larger than SIZE_T_MAX in sum, out of boundary access could happen. - -It takes invalid usage of this function for this to happen, but -I decided to add this check so array_list_del_idx is as safe against -bad usage as the other arraylist functions. - -Upstream-Status: Backport [https://github.com/json-c/json-c/commit/31243e4d1204ef78be34b0fcae73221eee6b83be] -CVE: CVE-2020-12762 -Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> - ---- - arraylist.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/arraylist.c b/arraylist.c -index 12ad8af6d3..e5524aca75 100644 ---- a/arraylist.c -+++ b/arraylist.c -@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count) - { - size_t i, stop; - -+ /* Avoid overflow in calculation with large indices. */ -+ if (idx > SIZE_T_MAX - count) -+ return -1; - stop = idx + count; - if (idx >= arr->length || stop > arr->length) - return -1; - -From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Mon, 4 May 2020 19:46:45 +0200 -Subject: [PATCH 2/3] Prevent division by zero in linkhash. - -If a linkhash with a size of zero is created, then modulo operations -are prone to division by zero operations. - -Purely protective measure against bad usage. ---- - linkhash.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/linkhash.c b/linkhash.c -index 7ea58c0abf..f05cc38030 100644 ---- a/linkhash.c -+++ b/linkhash.c -@@ -12,6 +12,7 @@ - - #include "config.h" - -+#include <assert.h> - #include <limits.h> - #include <stdarg.h> - #include <stddef.h> -@@ -499,6 +500,8 @@ struct lh_table *lh_table_new(int size, lh_entry_free_fn *free_fn, lh_hash_fn *h - int i; - struct lh_table *t; - -+ /* Allocate space for elements to avoid divisions by zero. */ -+ assert(size > 0); - t = (struct lh_table *)calloc(1, sizeof(struct lh_table)); - if (!t) - return NULL; - -From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Mon, 4 May 2020 19:47:25 +0200 -Subject: [PATCH 3/3] Fix integer overflows. - -The data structures linkhash and printbuf are limited to 2 GB in size -due to a signed integer being used to track their current size. - -If too much data is added, then size variable can overflow, which is -an undefined behaviour in C programming language. - -Assuming that a signed int overflow just leads to a negative value, -like it happens on many sytems (Linux i686/amd64 with gcc), then -printbuf is vulnerable to an out of boundary write on 64 bit systems. ---- - linkhash.c | 7 +++++-- - printbuf.c | 19 ++++++++++++++++--- - 2 files changed, 21 insertions(+), 5 deletions(-) - -diff --git a/linkhash.c b/linkhash.c -index f05cc38030..51e90b13a2 100644 ---- a/linkhash.c -+++ b/linkhash.c -@@ -580,9 +580,12 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con - { - unsigned long n; - -- if (t->count >= t->size * LH_LOAD_FACTOR) -- if (lh_table_resize(t, t->size * 2) != 0) -+ if (t->count >= t->size * LH_LOAD_FACTOR) { -+ /* Avoid signed integer overflow with large tables. */ -+ int new_size = INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX; -+ if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0) - return -1; -+ } - - n = h % t->size; - -diff --git a/printbuf.c b/printbuf.c -index 976c12dde5..00822fac4f 100644 ---- a/printbuf.c -+++ b/printbuf.c -@@ -15,6 +15,7 @@ - - #include "config.h" - -+#include <limits.h> - #include <stdio.h> - #include <stdlib.h> - #include <string.h> -@@ -65,10 +66,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) - - if (p->size >= min_size) - return 0; -- -- new_size = p->size * 2; -- if (new_size < min_size + 8) -+ /* Prevent signed integer overflows with large buffers. */ -+ if (min_size > INT_MAX - 8) -+ return -1; -+ if (p->size > INT_MAX / 2) - new_size = min_size + 8; -+ else { -+ new_size = p->size * 2; -+ if (new_size < min_size + 8) -+ new_size = min_size + 8; -+ } - #ifdef PRINTBUF_DEBUG - MC_DEBUG("printbuf_memappend: realloc " - "bpos=%d min_size=%d old_size=%d new_size=%d\n", -@@ -83,6 +90,9 @@ static int printbuf_extend(struct printbuf *p, int min_size) - - int printbuf_memappend(struct printbuf *p, const char *buf, int size) - { -+ /* Prevent signed integer overflows with large buffers. */ -+ if (size > INT_MAX - p->bpos - 1) -+ return -1; - if (p->size <= p->bpos + size + 1) - { - if (printbuf_extend(p, p->bpos + size + 1) < 0) -@@ -100,6 +110,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) - - if (offset == -1) - offset = pb->bpos; -+ /* Prevent signed integer overflows with large buffers. */ -+ if (len > INT_MAX - offset) -+ return -1; - size_needed = offset + len; - if (pb->size < size_needed) - { diff --git a/meta/recipes-devtools/json-c/json-c_0.14.bb b/meta/recipes-devtools/json-c/json-c_0.15.bb index 1d501d1294..2968590dd8 100644 --- a/meta/recipes-devtools/json-c/json-c_0.14.bb +++ b/meta/recipes-devtools/json-c/json-c_0.15.bb @@ -4,11 +4,9 @@ HOMEPAGE = "https://github.com/json-c/json-c/wiki" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2" -SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \ - file://CVE-2020-12762.patch \ -" +SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz" -SRC_URI[sha256sum] = "b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870" +SRC_URI[sha256sum] = "b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6" UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases" UPSTREAM_CHECK_REGEX = "json-c-(?P<pver>\d+(\.\d+)+)-\d+" |