diff options
7 files changed, 0 insertions, 220 deletions
diff --git a/recipes-extended/libarchive/libarchive/CVE-2016-10349_CVE-2016-10350.patch b/recipes-extended/libarchive/libarchive/CVE-2016-10349_CVE-2016-10350.patch deleted file mode 100644 index f2a922d..0000000 --- a/recipes-extended/libarchive/libarchive/CVE-2016-10349_CVE-2016-10350.patch +++ /dev/null | |||
@@ -1,40 +0,0 @@ | |||
1 | From 88eb9e1d73fef46f04677c25b1697b8e25777ed3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Joerg Sonnenberger <joerg@bec.de> | ||
3 | Date: Thu, 1 Dec 2016 19:56:43 +0100 | ||
4 | Subject: [PATCH] Reread the CAB header skipping the self-extracting binary | ||
5 | code. | ||
6 | |||
7 | Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15 as found | ||
8 | by the "OSS-Fuzz" project. | ||
9 | |||
10 | CVE: CVE-2016-10349 CVE-2016-10350 | ||
11 | Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3] | ||
12 | |||
13 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
14 | --- | ||
15 | libarchive/archive_read_support_format_cab.c | 5 +++-- | ||
16 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
17 | |||
18 | diff --git a/libarchive/archive_read_support_format_cab.c b/libarchive/archive_read_support_format_cab.c | ||
19 | index fc70684..099f4a8 100644 | ||
20 | --- a/libarchive/archive_read_support_format_cab.c | ||
21 | +++ b/libarchive/archive_read_support_format_cab.c | ||
22 | @@ -645,12 +645,13 @@ cab_read_header(struct archive_read *a) | ||
23 | cab = (struct cab *)(a->format->data); | ||
24 | if (cab->found_header == 0 && | ||
25 | p[0] == 'M' && p[1] == 'Z') { | ||
26 | - /* This is an executable? Must be self-extracting... */ | ||
27 | + /* This is an executable? Must be self-extracting... */ | ||
28 | err = cab_skip_sfx(a); | ||
29 | if (err < ARCHIVE_WARN) | ||
30 | return (err); | ||
31 | |||
32 | - if ((p = __archive_read_ahead(a, sizeof(*p), NULL)) == NULL) | ||
33 | + /* Re-read header after processing the SFX. */ | ||
34 | + if ((p = __archive_read_ahead(a, 42, NULL)) == NULL) | ||
35 | return (truncated_error(a)); | ||
36 | } | ||
37 | |||
38 | -- | ||
39 | 1.9.1 | ||
40 | |||
diff --git a/recipes-extended/libarchive/libarchive/CVE-2017-5601.patch b/recipes-extended/libarchive/libarchive/CVE-2017-5601.patch deleted file mode 100644 index a5298f5..0000000 --- a/recipes-extended/libarchive/libarchive/CVE-2017-5601.patch +++ /dev/null | |||
@@ -1,28 +0,0 @@ | |||
1 | From 98dcbbf0bf4854bf987557e55e55fff7abbf3ea9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Martin Matuska <martin@matuska.org> | ||
3 | Date: Thu, 19 Jan 2017 22:00:18 +0100 | ||
4 | Subject: [PATCH] Fail with negative lha->compsize in lha_read_file_header_1() | ||
5 | Fixes a heap buffer overflow reported in Secunia SA74169 | ||
6 | |||
7 | CVE: CVE-2017-5601 | ||
8 | Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9.patch] | ||
9 | |||
10 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
11 | --- | ||
12 | libarchive/archive_read_support_format_lha.c | 3 +++ | ||
13 | 1 file changed, 3 insertions(+) | ||
14 | |||
15 | diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c | ||
16 | index 52a5531b0..d77a7c2e4 100644 | ||
17 | --- a/libarchive/archive_read_support_format_lha.c | ||
18 | +++ b/libarchive/archive_read_support_format_lha.c | ||
19 | @@ -924,6 +924,9 @@ lha_read_file_header_1(struct archive_read *a, struct lha *lha) | ||
20 | /* Get a real compressed file size. */ | ||
21 | lha->compsize -= extdsize - 2; | ||
22 | |||
23 | + if (lha->compsize < 0) | ||
24 | + goto invalid; /* Invalid compressed file size */ | ||
25 | + | ||
26 | if (sum_calculated != headersum) { | ||
27 | archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, | ||
28 | "LHa header sum error"); | ||
diff --git a/recipes-extended/libarchive/libarchive_%.bbappend b/recipes-extended/libarchive/libarchive_%.bbappend deleted file mode 100644 index 6c273a6..0000000 --- a/recipes-extended/libarchive/libarchive_%.bbappend +++ /dev/null | |||
@@ -1,6 +0,0 @@ | |||
1 | # look for files in the layer first | ||
2 | FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | ||
3 | |||
4 | SRC_URI += "file://CVE-2017-5601.patch \ | ||
5 | file://CVE-2016-10349_CVE-2016-10350.patch \ | ||
6 | " | ||
diff --git a/recipes-graphics/freetype/freetype/CVE-2017-8105.patch b/recipes-graphics/freetype/freetype/CVE-2017-8105.patch deleted file mode 100644 index 00c1d9d..0000000 --- a/recipes-graphics/freetype/freetype/CVE-2017-8105.patch +++ /dev/null | |||
@@ -1,77 +0,0 @@ | |||
1 | From 239ef121fed25aa478b740bf52dce4db1a00ba59 Mon Sep 17 00:00:00 2001 | ||
2 | From: Sona Sarmadi <sona.sarmadi@enea.com> | ||
3 | Date: Mon, 28 Aug 2017 14:12:29 +0200 | ||
4 | Subject: [PATCH] freetype: fix for CVE-2017-8105 | ||
5 | |||
6 | [psaux] Better protect `flex' handling. | ||
7 | |||
8 | Reported as | ||
9 | |||
10 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 | ||
11 | |||
12 | * src/psaux/t1decode.c (t1_decoder_parse_charstrings) | ||
13 | <callothersubr>: Since there is not a single flex operator but a | ||
14 | series of subroutine calls, malformed fonts can call arbitrary other | ||
15 | operators after the start of a flex, possibly adding points. For | ||
16 | this reason we have to check the available number of points before | ||
17 | inserting a point. | ||
18 | |||
19 | CVE: CVE-2017-8105 | ||
20 | Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791] | ||
21 | |||
22 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
23 | --- | ||
24 | ChangeLog | 15 +++++++++++++++ | ||
25 | src/psaux/t1decode.c | 9 +++++++++ | ||
26 | 2 files changed, 24 insertions(+) | ||
27 | |||
28 | diff --git a/ChangeLog b/ChangeLog | ||
29 | index 23f5748..2f89909 100644 | ||
30 | --- a/ChangeLog | ||
31 | +++ b/ChangeLog | ||
32 | @@ -1,3 +1,18 @@ | ||
33 | +2017-03-23 Werner Lemberg <wl@gnu.org> | ||
34 | + | ||
35 | + [psaux] Better protect `flex' handling. | ||
36 | + | ||
37 | + Reported as | ||
38 | + | ||
39 | + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 | ||
40 | + | ||
41 | + * src/psaux/t1decode.c (t1_decoder_parse_charstrings) | ||
42 | + <callothersubr>: Since there is not a single flex operator but a | ||
43 | + series of subroutine calls, malformed fonts can call arbitrary other | ||
44 | + operators after the start of a flex, possibly adding points. For | ||
45 | + this reason we have to check the available number of points before | ||
46 | + inserting a point. | ||
47 | + | ||
48 | 2016-09-08 Werner Lemberg <wl@gnu.org> | ||
49 | |||
50 | * Version 2.7.1 released. | ||
51 | diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c | ||
52 | index 1cd9d73..bc5e3d2 100644 | ||
53 | --- a/src/psaux/t1decode.c | ||
54 | +++ b/src/psaux/t1decode.c | ||
55 | @@ -780,10 +780,19 @@ | ||
56 | /* point without adding any point to the outline */ | ||
57 | idx = decoder->num_flex_vectors++; | ||
58 | if ( idx > 0 && idx < 7 ) | ||
59 | + { | ||
60 | + /* in malformed fonts it is possible to have other */ | ||
61 | + /* opcodes in the middle of a flex (which don't */ | ||
62 | + /* increase `num_flex_vectors'); we thus have to */ | ||
63 | + /* check whether we can add a point */ | ||
64 | + if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) ) | ||
65 | + goto Syntax_Error; | ||
66 | + | ||
67 | t1_builder_add_point( builder, | ||
68 | x, | ||
69 | y, | ||
70 | (FT_Byte)( idx == 3 || idx == 6 ) ); | ||
71 | + } | ||
72 | } | ||
73 | break; | ||
74 | |||
75 | -- | ||
76 | 1.9.1 | ||
77 | |||
diff --git a/recipes-graphics/freetype/freetype_%.bbappend b/recipes-graphics/freetype/freetype_%.bbappend deleted file mode 100644 index cd1be4b..0000000 --- a/recipes-graphics/freetype/freetype_%.bbappend +++ /dev/null | |||
@@ -1,5 +0,0 @@ | |||
1 | # look for files in the layer first | ||
2 | FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | ||
3 | |||
4 | SRC_URI += "file://CVE-2017-8105.patch \ | ||
5 | " | ||
diff --git a/recipes-support/gnutls/gnutls/CVE-2017-7868.patch b/recipes-support/gnutls/gnutls/CVE-2017-7868.patch deleted file mode 100644 index dca7861..0000000 --- a/recipes-support/gnutls/gnutls/CVE-2017-7868.patch +++ /dev/null | |||
@@ -1,59 +0,0 @@ | |||
1 | From 51464af713d71802e3c6d5ac15f1a95132a354fe Mon Sep 17 00:00:00 2001 | ||
2 | From: Nikos Mavrogiannopoulos <nmav@redhat.com> | ||
3 | Date: Mon, 20 Feb 2017 11:13:08 +0100 | ||
4 | Subject: [PATCH] cdk_pkt_read: enforce packet limits | ||
5 | |||
6 | That ensures that there are no overflows in the subsequent | ||
7 | calculations. | ||
8 | |||
9 | Resolves the oss-fuzz found bug: | ||
10 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 | ||
11 | |||
12 | Relates: #159 | ||
13 | |||
14 | CVE: CVE-2017-7869 | ||
15 | Upstream-Status: Backport | ||
16 | |||
17 | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> | ||
18 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
19 | --- | ||
20 | lib/opencdk/read-packet.c | 9 +++++++++ | ||
21 | 1 file changed, 9 insertions(+) | ||
22 | |||
23 | diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c | ||
24 | index 8055a63..ead6480 100644 | ||
25 | --- a/lib/opencdk/read-packet.c | ||
26 | +++ b/lib/opencdk/read-packet.c | ||
27 | @@ -950,6 +950,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen) | ||
28 | return 0; | ||
29 | } | ||
30 | |||
31 | +#define MAX_PACKET_LEN (1<<24) | ||
32 | |||
33 | /** | ||
34 | * cdk_pkt_read: | ||
35 | @@ -1002,6 +1003,13 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) | ||
36 | else | ||
37 | read_old_length(inp, ctb, &pktlen, &pktsize); | ||
38 | |||
39 | + /* enforce limits to ensure that the following calculations | ||
40 | + * do not overflow */ | ||
41 | + if (pktlen >= MAX_PACKET_LEN || pktsize >= MAX_PACKET_LEN) { | ||
42 | + _cdk_log_info("cdk_pkt_read: too long packet\n"); | ||
43 | + return gnutls_assert_val(CDK_Inv_Packet); | ||
44 | + } | ||
45 | + | ||
46 | pkt->pkttype = pkttype; | ||
47 | pkt->pktlen = pktlen; | ||
48 | pkt->pktsize = pktsize + pktlen; | ||
49 | @@ -1026,6 +1034,7 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt) | ||
50 | break; | ||
51 | |||
52 | case CDK_PKT_USER_ID: | ||
53 | + | ||
54 | pkt->pkt.user_id = cdk_calloc(1, sizeof *pkt->pkt.user_id | ||
55 | + pkt->pktlen + 1); | ||
56 | if (!pkt->pkt.user_id) | ||
57 | -- | ||
58 | libgit2 0.26.0 | ||
59 | |||
diff --git a/recipes-support/gnutls/gnutls_%.bbappend b/recipes-support/gnutls/gnutls_%.bbappend deleted file mode 100644 index d2d927c..0000000 --- a/recipes-support/gnutls/gnutls_%.bbappend +++ /dev/null | |||
@@ -1,5 +0,0 @@ | |||
1 | # look for files in the layer first | ||
2 | FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | ||
3 | |||
4 | SRC_URI += "file://CVE-2017-7868.patch \ | ||
5 | " | ||