diff options
author | Spectrejan <jan@spectrejan.de> | 2021-12-03 10:12:30 +0100 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2021-12-03 12:28:09 -0800 |
commit | 69f94af4d91215e7d4e225bab54bf3bcfee42f1c (patch) | |
tree | 25bbda0c8c3a2c62786975846cd55b5f6e323e30 | |
parent | fba8ff0d916383ce65045c36ba4c805b5a2dfcc0 (diff) | |
download | meta-openembedded-69f94af4d91215e7d4e225bab54bf3bcfee42f1c.tar.gz |
brotli: add patch to fix CVE-2020-8927
Port patch to fix CVE-2020-8927 for brotli from Debian Buster
CVE: CVE-2020-8927
Signed-off-by: Jan Kraemer <jan@spectrejan.de>
[Fixup to apply with URL changes]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch | 44 | ||||
-rw-r--r-- | meta-oe/recipes-extended/brotli/brotli_1.0.7.bb | 4 |
2 files changed, 47 insertions, 1 deletions
diff --git a/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch new file mode 100644 index 000000000..c21794d14 --- /dev/null +++ b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 95ab3786ce0f16e08e41f7bf216969a37dc86cad Mon Sep 17 00:00:00 2001 | ||
2 | From: Jan Kraemer <jan@spectrejan.de> | ||
3 | Date: Thu, 7 Oct 2021 12:48:04 +0200 | ||
4 | Subject: [PATCH] brotli: fix CVE-2020-8927 | ||
5 | |||
6 | [No upstream tracking] -- | ||
7 | |||
8 | This fixes a potential overflow when input chunk is >2GiB in | ||
9 | BrotliGetAvailableBits by capping the returned value to 2^30 | ||
10 | |||
11 | Fixed in brotli version 1.0.8 | ||
12 | https://github.com/google/brotli as of commit id | ||
13 | 223d80cfbec8fd346e32906c732c8ede21f0cea6 | ||
14 | |||
15 | Patch taken from Debian Buster: 1.0.7-2+deb10u1 | ||
16 | http://deb.debian.org/debian/pool/main/b/brotli/brotli_1.0.7-2+deb10u1.dsc | ||
17 | https://security-tracker.debian.org/tracker/CVE-2020-8927 | ||
18 | |||
19 | |||
20 | Upstream-Status: Backported | ||
21 | CVE: CVE-2020-8927 | ||
22 | |||
23 | Signed-off-by: Jan Kraemer <jan@spectrejan.de> | ||
24 | --- | ||
25 | c/dec/bit_reader.h | 5 ++++- | ||
26 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
27 | |||
28 | diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h | ||
29 | index c06e914..0d20312 100644 | ||
30 | --- a/c/dec/bit_reader.h | ||
31 | +++ b/c/dec/bit_reader.h | ||
32 | @@ -87,8 +87,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits( | ||
33 | } | ||
34 | |||
35 | /* Returns amount of unread bytes the bit reader still has buffered from the | ||
36 | - BrotliInput, including whole bytes in br->val_. */ | ||
37 | + BrotliInput, including whole bytes in br->val_. Result is capped with | ||
38 | + maximal ring-buffer size (larger number won't be utilized anyway). */ | ||
39 | static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) { | ||
40 | + static const size_t kCap = (size_t)1 << 30; | ||
41 | + if (br->avail_in > kCap) return kCap; | ||
42 | return br->avail_in + (BrotliGetAvailableBits(br) >> 3); | ||
43 | } | ||
44 | |||
diff --git a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb index 731eaf63a..77fef778a 100644 --- a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb +++ b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb | |||
@@ -6,7 +6,9 @@ BUGTRACKER = "https://github.com/google/brotli/issues" | |||
6 | LICENSE = "MIT" | 6 | LICENSE = "MIT" |
7 | LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b" | 7 | LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b" |
8 | 8 | ||
9 | SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https" | 9 | SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https \ |
10 | file://0001-brotli-fix-CVE-2020-8927.patch \ | ||
11 | " | ||
10 | # tag 1.0.7 | 12 | # tag 1.0.7 |
11 | SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541" | 13 | SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541" |
12 | S = "${WORKDIR}/git" | 14 | S = "${WORKDIR}/git" |