2 files changed, 91 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/gnulib/gnulib/CVE-2018-17942.patch b/meta-oe/recipes-support/gnulib/gnulib/CVE-2018-17942.patch
new file mode 100644
index 0000000000..77e82b1674
--- /dev/null
+++ b/meta-oe/recipes-support/gnulib/gnulib/CVE-2018-17942.patch
@@ -0,0 +1,88 @@
+From e91600a7aae3bafbefbe13abf771e61badd16286 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Tue, 16 Oct 2018 14:26:11 +0800
+Subject: [PATCH] vasnprintf: Fix heap memory overrun bug.
+Reported by Ben Pfaff <blp@cs.stanford.edu> in
+<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
+* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
+memory.
+* tests/test-vasnprintf.c (test_function): Add another test.
+Upstream-Status: Backport [http://git.savannah.gnu.org/gitweb/?p=gnulib.git;
+a=commitdiff;h=278b4175c9d7dd47c1a3071554aac02add3b3c35]
+CVE: CVE-2018-17942
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ ChangeLog               |  8 ++++++++
+ lib/vasnprintf.c        |  4 +++-
+ tests/test-vasnprintf.c | 19 ++++++++++++++++++-
+ 3 files changed, 29 insertions(+), 2 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 9864353..5ff76a3 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,11 @@
+2018-09-23  Bruno Haible  <bruno@clisp.org>
+       vasnprintf: Fix heap memory overrun bug.
+       Reported by Ben Pfaff <blp@cs.stanford.edu> in
+       <https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
+       * lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
+       memory.
+       * tests/test-vasnprintf.c (test_function): Add another test.
+
+ 2017-08-21  Paul Eggert  <eggert@cs.ucla.edu>
+ 
+        vc-list-files: port to Solaris 10
+diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
+index 2e4eb19..45de49f 100644
+--- a/lib/vasnprintf.c
+++ b/lib/vasnprintf.c
+@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
+   size_t a_len = a.nlimbs;
+   /* 0.03345 is slightly larger than log(2)/(9*log(10)).  */
+   size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
+-  char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
+  /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
+     digits of a, followed by 1 byte for the terminating NUL.  */
+  char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
+   if (c_ptr != NULL)
+     {
+       char *d_ptr = c_ptr;
+diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c
+index 2dd869f..ff68d5c 100644
+--- a/tests/test-vasnprintf.c
+++ b/tests/test-vasnprintf.c
+@@ -53,7 +53,24 @@ test_function (char * (*my_asnprintf) (char *, size_t *, const char *, ...))
+       ASSERT (result != NULL);
+       ASSERT (strcmp (result, "12345") == 0);
+       ASSERT (length == 5);
+-      if (size < 6)
+      if (size < 5 + 1)
+        ASSERT (result != buf);
+      ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
+      if (result != buf)
+        free (result);
+    }
+   /* Note: This test assumes IEEE 754 representation of 'double' floats.  */
+  for (size = 0; size <= 8; size++)
+    {
+      size_t length;
+      char *result;
+       memcpy (buf, "DEADBEEF", 8);
+      length = size;
+      result = my_asnprintf (buf, &length, "%2.0f", 1.6314159265358979e+125);
+      ASSERT (result != NULL);
+      ASSERT (strcmp (result, "163141592653589790215729350939528493057529598899734151772468186268423257777068536614838678161083520756952076273094236944990208") == 0);
+      ASSERT (length == 126);
+      if (size < 126 + 1)
+         ASSERT (result != buf);
+       ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
+       if (result != buf)
+-- 
+2.7.4
diff --git a/meta-oe/recipes-support/gnulib/gnulib_2017-08-20.18.bb b/meta-oe/recipes-support/gnulib/gnulib_2017-08-20.18.bb
index 4a7d84a21b..e048810554 100644
--- a/meta-oe/recipes-support/gnulib/gnulib_2017-08-20.18.bb
+++ b/meta-oe/recipes-support/gnulib/gnulib_2017-08-20.18.bb
@@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=56a22a6e5bcce45e2c8ac184f81412b5"
 SRCREV = "b23000de1e47c7d580e0e220966dd1ee42a5e5bc"
 SRC_URI = "git://git.sv.gnu.org/gnulib;protocol=git \
+           file://CVE-2018-17942.patch \
 "
 S = "${WORKDIR}/git"
@@ -22,6 +23,8 @@ do_install () {
    cd ${S}
    git checkout master
    git clone ${S} ${D}/${datadir}/gnulib
+    cd ${D}/${datadir}/gnulib
+    git am ${WORKDIR}/CVE-2018-17942.patch
 }
 do_patch[noexec] = "1"

diff --git a/meta-oe/recipes-support/gnulib/gnulib/CVE-2018-17942.patch b/meta-oe/recipes-support/gnulib/gnulib/CVE-2018-17942.patch new file mode 100644 index 0000000000..77e82b1674 --- /dev/null +++ b/meta-oe/recipes-support/gnulib/gnulib/CVE-2018-17942.patch
@@ -0,0 +1,88 @@
		1	From e91600a7aae3bafbefbe13abf771e61badd16286 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Tue, 16 Oct 2018 14:26:11 +0800
		4	Subject: [PATCH] vasnprintf: Fix heap memory overrun bug.
		5
		6	Reported by Ben Pfaff <blp@cs.stanford.edu> in
		7	<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
		8
		9	* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
		10	memory.
		11	* tests/test-vasnprintf.c (test_function): Add another test.
		12
		13	Upstream-Status: Backport [http://git.savannah.gnu.org/gitweb/?p=gnulib.git;
		14	a=commitdiff;h=278b4175c9d7dd47c1a3071554aac02add3b3c35]
		15
		16	CVE: CVE-2018-17942
		17
		18	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		19	---
		20	ChangeLog \| 8 ++++++++
		21	lib/vasnprintf.c \| 4 +++-
		22	tests/test-vasnprintf.c \| 19 ++++++++++++++++++-
		23	3 files changed, 29 insertions(+), 2 deletions(-)
		24
		25	diff --git a/ChangeLog b/ChangeLog
		26	index 9864353..5ff76a3 100644
		27	--- a/ChangeLog
		28	+++ b/ChangeLog
		29	@@ -1,3 +1,11 @@
		30	+2018-09-23 Bruno Haible <bruno@clisp.org>
		31	+ vasnprintf: Fix heap memory overrun bug.
		32	+ Reported by Ben Pfaff <blp@cs.stanford.edu> in
		33	+ <https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
		34	+ * lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
		35	+ memory.
		36	+ * tests/test-vasnprintf.c (test_function): Add another test.
		37	+
		38	2017-08-21 Paul Eggert <eggert@cs.ucla.edu>
		39
		40	vc-list-files: port to Solaris 10
		41	diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
		42	index 2e4eb19..45de49f 100644
		43	--- a/lib/vasnprintf.c
		44	+++ b/lib/vasnprintf.c
		45	@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
		46	size_t a_len = a.nlimbs;
		47	/* 0.03345 is slightly larger than log(2)/(9log(10)). /
		48	size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
		49	- char c_ptr = (char ) malloc (xsum (c_len, extra_zeroes));
		50	+ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
		51	+ digits of a, followed by 1 byte for the terminating NUL. */
		52	+ char c_ptr = (char ) malloc (xsum (xsum (extra_zeroes, c_len), 1));
		53	if (c_ptr != NULL)
		54	{
		55	char *d_ptr = c_ptr;
		56	diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c
		57	index 2dd869f..ff68d5c 100644
		58	--- a/tests/test-vasnprintf.c
		59	+++ b/tests/test-vasnprintf.c
		60	@@ -53,7 +53,24 @@ test_function (char * (my_asnprintf) (char , size_t , const char , ...))
		61	ASSERT (result != NULL);
		62	ASSERT (strcmp (result, "12345") == 0);
		63	ASSERT (length == 5);
		64	- if (size < 6)
		65	+ if (size < 5 + 1)
		66	+ ASSERT (result != buf);
		67	+ ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
		68	+ if (result != buf)
		69	+ free (result);
		70	+ }
		71	+ /* Note: This test assumes IEEE 754 representation of 'double' floats. */
		72	+ for (size = 0; size <= 8; size++)
		73	+ {
		74	+ size_t length;
		75	+ char *result;
		76	+ memcpy (buf, "DEADBEEF", 8);
		77	+ length = size;
		78	+ result = my_asnprintf (buf, &length, "%2.0f", 1.6314159265358979e+125);
		79	+ ASSERT (result != NULL);
		80	+ ASSERT (strcmp (result, "163141592653589790215729350939528493057529598899734151772468186268423257777068536614838678161083520756952076273094236944990208") == 0);
		81	+ ASSERT (length == 126);
		82	+ if (size < 126 + 1)
		83	ASSERT (result != buf);
		84	ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
		85	if (result != buf)
		86	--
		87	2.7.4
		88


diff --git a/meta-oe/recipes-support/gnulib/gnulib_2017-08-20.18.bb b/meta-oe/recipes-support/gnulib/gnulib_2017-08-20.18.bb index 4a7d84a21b..e048810554 100644 --- a/meta-oe/recipes-support/gnulib/gnulib_2017-08-20.18.bb +++ b/meta-oe/recipes-support/gnulib/gnulib_2017-08-20.18.bb
@@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=56a22a6e5bcce45e2c8ac184f81412b5"
14	SRCREV = "b23000de1e47c7d580e0e220966dd1ee42a5e5bc"	14	SRCREV = "b23000de1e47c7d580e0e220966dd1ee42a5e5bc"
15		15
16	SRC_URI = "git://git.sv.gnu.org/gnulib;protocol=git \	16	SRC_URI = "git://git.sv.gnu.org/gnulib;protocol=git \
		17	file://CVE-2018-17942.patch \
17	"	18	"
18		19
19	S = "${WORKDIR}/git"	20	S = "${WORKDIR}/git"
@@ -22,6 +23,8 @@ do_install () {
22	cd ${S}	23	cd ${S}
23	git checkout master	24	git checkout master
24	git clone ${S} ${D}/${datadir}/gnulib	25	git clone ${S} ${D}/${datadir}/gnulib
		26	cd ${D}/${datadir}/gnulib
		27	git am ${WORKDIR}/CVE-2018-17942.patch
25	}	28	}
26		29
27	do_patch[noexec] = "1"	30	do_patch[noexec] = "1"