authorKai Kang <kai.kang@windriver.com>2015-05-28 09:26:14 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-06-28 09:41:57 +0100
commit204f24855a00f595ddfa040ae149b4184721603f (patch)
tree55dab3b69974a40d59e4d9b785fedda3a26011ae /meta/recipes-support
parent5450caccd45a2ee35ee227cdd64e66a304909a0e (diff)
downloadopenembedded-core-204f24855a00f595ddfa040ae149b4184721603f.tar.gz
gpgme: fix CVE-2014-3564
Backport patch to fix CVE-2014-3564. http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f (From OE-Core rev: 421e21b08a6a32db88aaf46033ca503a99e49b74) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r--meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch56
-rw-r--r--meta/recipes-support/gpgme/gpgme_1.4.3.bb4
2 files changed, 59 insertions, 1 deletions
diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
new file mode 100644
index 0000000000..c728f58658
--- /dev/null
+++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Backport
+
+Backport patch to fix CVE-2014-3564.
+
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 30 Jul 2014 11:04:55 +0200
+Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
+ engines.
+
+After a realloc (realloc is also used for initial alloc) the allocated
+size if the buffer is not correctly recorded. Thus an overflow can be
+introduced by receiving data with different line lengths in a specific
+order. This is not easy exploitable because libassuan constructs the
+line. However a crash has been reported and thus it might be possible
+to constructs an exploit.
+
+CVE-id: CVE-2014-3564
+Reported-by: Tomáš Trnka
+---
+ src/engine-gpgsm.c | 2 +-
+ src/engine-uiserver.c | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
+index 8ec1598..3a83757 100644
+--- a/src/engine-gpgsm.c
++++ b/src/engine-gpgsm.c
+@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
+ else
+ {
+ *aline = newline;
+- gpgsm->colon.attic.linesize += linelen + 1;
++ gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
+ }
+ }
+ if (!err)
+diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
+index 2738c36..a7184b7 100644
+--- a/src/engine-uiserver.c
++++ b/src/engine-uiserver.c
+@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
+ else
+ {
+ *aline = newline;
+- uiserver->colon.attic.linesize += linelen + 1;
++ uiserver->colon.attic.linesize = *alinelen + linelen + 1;
+ }
+ }
+ if (!err)
+--
+2.1.4
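Review bot: The embedded patch header still reads `3 files changed, 5 insertions(+), 2 deletions(-)`, yet its diffstat lists and the body carries only the two one-line changes to `src/engine-gpgsm.c` and `src/engine-uiserver.c`, so part of the upstream commit was dropped without being recorded (most likely a NEWS entry, which cannot be confirmed from this page). For a CVE backport that makes it harder to audit that the fix is complete; I would add a line under `Upstream-Status: Backport` such as `Dropped the <dropped file> hunk of upstream 2cbd76f; both source changes are unmodified.` Both inner hunks sit inside `status_handler`, whose body starts and ends outside the hunk, so the `realloc` call that the corrected `linesize` must match is not visible here and is worth checking against the 1.4.3 sources the patch is applied to.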
diff --git a/meta/recipes-support/gpgme/gpgme_1.4.3.bb b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
index 98fd68b837..61213efcbf 100644
--- a/meta/recipes-support/gpgme/gpgme_1.4.3.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
@@ -10,7 +10,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
file://src/engine.h;endline=22;md5=4b6d8ba313d9b564cc4d4cfb1640af9d"
SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
- file://gpgme.pc"
+ file://gpgme.pc \
+ file://gpgme-fix-CVE-2014-3564.patch \
+ "
SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"