2 files changed, 47 insertions, 1 deletions
diff --git a/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch
new file mode 100644
index 0000000000..c21794d147
--- /dev/null
+++ b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch
@@ -0,0 +1,44 @@
+From 95ab3786ce0f16e08e41f7bf216969a37dc86cad Mon Sep 17 00:00:00 2001
+From: Jan Kraemer <jan@spectrejan.de>
+Date: Thu, 7 Oct 2021 12:48:04 +0200
+Subject: [PATCH] brotli: fix CVE-2020-8927
+[No upstream tracking] --
+This fixes a potential overflow when input chunk is >2GiB in
+BrotliGetAvailableBits by capping the returned value to 2^30
+Fixed in brotli version 1.0.8
+https://github.com/google/brotli as of commit id
+223d80cfbec8fd346e32906c732c8ede21f0cea6
+Patch taken from Debian Buster: 1.0.7-2+deb10u1
+http://deb.debian.org/debian/pool/main/b/brotli/brotli_1.0.7-2+deb10u1.dsc
+https://security-tracker.debian.org/tracker/CVE-2020-8927
+Upstream-Status: Backported
+CVE: CVE-2020-8927
+Signed-off-by: Jan Kraemer <jan@spectrejan.de>
+---
+ c/dec/bit_reader.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h
+index c06e914..0d20312 100644
+--- a/c/dec/bit_reader.h
+++ b/c/dec/bit_reader.h
+@@ -87,8 +87,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits(
+ }
+ /* Returns amount of unread bytes the bit reader still has buffered from the
+-   BrotliInput, including whole bytes in br->val_. */
+   BrotliInput, including whole bytes in br->val_. Result is capped with
+   maximal ring-buffer size (larger number won't be utilized anyway). */
+ static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) {
+  static const size_t kCap = (size_t)1 << 30;
+  if (br->avail_in > kCap) return kCap;
+   return br->avail_in + (BrotliGetAvailableBits(br) >> 3);
+ }
diff --git a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb
index 731eaf63a8..77fef778a4 100644
--- a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb
+++ b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb
@@ -6,7 +6,9 @@ BUGTRACKER = "https://github.com/google/brotli/issues"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b"
-SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https \
+           file://0001-brotli-fix-CVE-2020-8927.patch \
+           "
 # tag 1.0.7
 SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541"
 S = "${WORKDIR}/git"

diff --git a/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch new file mode 100644 index 0000000000..c21794d147 --- /dev/null +++ b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch
@@ -0,0 +1,44 @@
		1	From 95ab3786ce0f16e08e41f7bf216969a37dc86cad Mon Sep 17 00:00:00 2001
		2	From: Jan Kraemer <jan@spectrejan.de>
		3	Date: Thu, 7 Oct 2021 12:48:04 +0200
		4	Subject: [PATCH] brotli: fix CVE-2020-8927
		5
		6	[No upstream tracking] --
		7
		8	This fixes a potential overflow when input chunk is >2GiB in
		9	BrotliGetAvailableBits by capping the returned value to 2^30
		10
		11	Fixed in brotli version 1.0.8
		12	https://github.com/google/brotli as of commit id
		13	223d80cfbec8fd346e32906c732c8ede21f0cea6
		14
		15	Patch taken from Debian Buster: 1.0.7-2+deb10u1
		16	http://deb.debian.org/debian/pool/main/b/brotli/brotli_1.0.7-2+deb10u1.dsc
		17	https://security-tracker.debian.org/tracker/CVE-2020-8927
		18
		19
		20	Upstream-Status: Backported
		21	CVE: CVE-2020-8927
		22
		23	Signed-off-by: Jan Kraemer <jan@spectrejan.de>
		24	---
		25	c/dec/bit_reader.h \| 5 ++++-
		26	1 file changed, 4 insertions(+), 1 deletion(-)
		27
		28	diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h
		29	index c06e914..0d20312 100644
		30	--- a/c/dec/bit_reader.h
		31	+++ b/c/dec/bit_reader.h
		32	@@ -87,8 +87,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits(
		33	}
		34
		35	/* Returns amount of unread bytes the bit reader still has buffered from the
		36	- BrotliInput, including whole bytes in br->val_. */
		37	+ BrotliInput, including whole bytes in br->val_. Result is capped with
		38	+ maximal ring-buffer size (larger number won't be utilized anyway). */
		39	static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) {
		40	+ static const size_t kCap = (size_t)1 << 30;
		41	+ if (br->avail_in > kCap) return kCap;
		42	return br->avail_in + (BrotliGetAvailableBits(br) >> 3);
		43	}
		44


diff --git a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb index 731eaf63a8..77fef778a4 100644 --- a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb +++ b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb
@@ -6,7 +6,9 @@ BUGTRACKER = "https://github.com/google/brotli/issues"
6	LICENSE = "MIT"	6	LICENSE = "MIT"
7	LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b"	7	LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b"
8		8
9	SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https"	9	SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https \
		10	file://0001-brotli-fix-CVE-2020-8927.patch \
		11	"
10	# tag 1.0.7	12	# tag 1.0.7
11	SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541"	13	SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541"
12	S = "${WORKDIR}/git"	14	S = "${WORKDIR}/git"