authorRoss Burton <ross.burton@intel.com>2019-06-24 19:13:08 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-27 18:05:18 +0100
commit45e662b445970d6f57b8787c0c61b903cdfaa238 (patch)
tree00f44ca721eaa0ff40ca96127f8a4defb9cd254f
parentf749c69115dcc3918d1fd0acd379852288193345 (diff)
downloadpoky-45e662b445970d6f57b8787c0c61b903cdfaa238.tar.gz
glibc: backport CVE fixes
Backport the fixes for several CVEs from the 2.28 stable branch: - CVE-2016-10739 - CVE-2018-19591 (From OE-Core rev: 950a60c0e4183037a807031ddc9167b1a81a5348) Signed-off-by: Ross Burton <ross.burton@intel.com> [Dropped CVE-2019-9169 as it's in my contrib already] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2016-10739.patch232
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2018-19591.patch48
-rw-r--r--meta/recipes-core/glibc/glibc_2.28.bb2
3 files changed, 282 insertions, 0 deletions
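diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
new file mode 100644
index 0000000000..7eb55d6663
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
@@ -0,0 +1,232 @@
+CVE: CVE-2016-10739
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 21 Jan 2019 08:59:42 +0100
+Subject: [PATCH] resolv: Reformat inet_addr, inet_aton to GNU style
+
+(cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0)
+---
+ ChangeLog | 5 ++
+ resolv/inet_addr.c | 192 ++++++++++++++++++++++++++++-------------------------
+ 2 files changed, 106 insertions(+), 91 deletions(-)
+
+diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c
+index 022f7ea084..32f58b0e13 100644
+--- a/resolv/inet_addr.c
++++ b/resolv/inet_addr.c
+@@ -1,3 +1,21 @@
++/* Legacy IPv4 text-to-address functions.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
+ /*
+ * Copyright (c) 1983, 1990, 1993
+ * The Regents of the University of California. All rights reserved.
+@@ -78,105 +96,97 @@
+ #include <limits.h>
+ #include <errno.h>
+
+-/*
+- * Ascii internet address interpretation routine.
+- * The value returned is in network order.
+- */
++/* ASCII IPv4 Internet address interpretation routine. The value
++ returned is in network order. */
+ in_addr_t
+-__inet_addr(const char *cp) {
+- struct in_addr val;
++__inet_addr (const char *cp)
++{
++ struct in_addr val;
+
+- if (__inet_aton(cp, &val))
+- return (val.s_addr);
+- return (INADDR_NONE);
++ if (__inet_aton (cp, &val))
++ return val.s_addr;
++ return INADDR_NONE;
+ }
+ weak_alias (__inet_addr, inet_addr)
+
+-/*
+- * Check whether "cp" is a valid ascii representation
+- * of an Internet address and convert to a binary address.
+- * Returns 1 if the address is valid, 0 if not.
+- * This replaces inet_addr, the return value from which
+- * cannot distinguish between failure and a local broadcast address.
+- */
++/* Check whether "cp" is a valid ASCII representation of an IPv4
++ Internet address and convert it to a binary address. Returns 1 if
++ the address is valid, 0 if not. This replaces inet_addr, the
++ return value from which cannot distinguish between failure and a
++ local broadcast address. */
+ int
+-__inet_aton(const char *cp, struct in_addr *addr)
++__inet_aton (const char *cp, struct in_addr *addr)
+ {
+- static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
+- in_addr_t val;
+- char c;
+- union iaddr {
+- uint8_t bytes[4];
+- uint32_t word;
+- } res;
+- uint8_t *pp = res.bytes;
+- int digit;
+-
+- int saved_errno = errno;
+- __set_errno (0);
+-
+- res.word = 0;
+-
+- c = *cp;
+- for (;;) {
+- /*
+- * Collect number up to ``.''.
+- * Values are specified as for C:
+- * 0x=hex, 0=octal, isdigit=decimal.
+- */
+- if (!isdigit(c))
+- goto ret_0;
+- {
+- char *endp;
+- unsigned long ul = strtoul (cp, (char **) &endp, 0);
+- if (ul == ULONG_MAX && errno == ERANGE)
+- goto ret_0;
+- if (ul > 0xfffffffful)
+- goto ret_0;
+- val = ul;
+- digit = cp != endp;
+- cp = endp;
+- }
+- c = *cp;
+- if (c == '.') {
+- /*
+- * Internet format:
+- * a.b.c.d
+- * a.b.c (with c treated as 16 bits)
+- * a.b (with b treated as 24 bits)
+- */
+- if (pp > res.bytes + 2 || val > 0xff)
+- goto ret_0;
+- *pp++ = val;
+- c = *++cp;
+- } else
+- break;
+- }
+- /*
+- * Check for trailing characters.
+- */
+- if (c != '\0' && (!isascii(c) || !isspace(c)))
+- goto ret_0;
+- /*
+- * Did we get a valid digit?
+- */
+- if (!digit)
+- goto ret_0;
+-
+- /* Check whether the last part is in its limits depending on
+- the number of parts in total. */
+- if (val > max[pp - res.bytes])
++ static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
++ in_addr_t val;
++ char c;
++ union iaddr
++ {
++ uint8_t bytes[4];
++ uint32_t word;
++ } res;
++ uint8_t *pp = res.bytes;
++ int digit;
++
++ int saved_errno = errno;
++ __set_errno (0);
++
++ res.word = 0;
++
++ c = *cp;
++ for (;;)
++ {
++ /* Collect number up to ``.''. Values are specified as for C:
++ 0x=hex, 0=octal, isdigit=decimal. */
++ if (!isdigit (c))
++ goto ret_0;
++ {
++ char *endp;
++ unsigned long ul = strtoul (cp, &endp, 0);
++ if (ul == ULONG_MAX && errno == ERANGE)
+ goto ret_0;
+-
+- if (addr != NULL)
+- addr->s_addr = res.word | htonl (val);
+-
+- __set_errno (saved_errno);
+- return (1);
+-
+-ret_0:
+- __set_errno (saved_errno);
+- return (0);
++ if (ul > 0xfffffffful)
++ goto ret_0;
++ val = ul;
++ digit = cp != endp;
++ cp = endp;
++ }
++ c = *cp;
++ if (c == '.')
++ {
++ /* Internet format:
++ a.b.c.d
++ a.b.c (with c treated as 16 bits)
++ a.b (with b treated as 24 bits). */
++ if (pp > res.bytes + 2 || val > 0xff)
++ goto ret_0;
++ *pp++ = val;
++ c = *++cp;
++ }
++ else
++ break;
++ }
++ /* Check for trailing characters. */
++ if (c != '\0' && (!isascii (c) || !isspace (c)))
++ goto ret_0;
++ /* Did we get a valid digit? */
++ if (!digit)
++ goto ret_0;
++
++ /* Check whether the last part is in its limits depending on the
++ number of parts in total. */
++ if (val > max[pp - res.bytes])
++ goto ret_0;
++
++ if (addr != NULL)
++ addr->s_addr = res.word | htonl (val);
++
++ __set_errno (saved_errno);
++ return 1;
++
++ ret_0:
++ __set_errno (saved_errno);
++ return 0;
+ }
+ weak_alias (__inet_aton, inet_aton)
+ libc_hidden_def (__inet_aton)
+--
+2.11.0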
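Review bot: The only upstream commit embedded in this file is "resolv: Reformat inet_addr, inet_aton to GNU style", so a patch tagged `CVE: CVE-2016-10739` changes formatting and no parsing behaviour. The trailing-character test on the new side, `if (c != '\0' && (!isascii (c) || !isspace (c)))`, is the same condition as the removed one, so as far as these hunks show `__inet_aton` still accepts an address followed by whitespace and further text. The reformat looks like a prerequisite for the functional fix on the 2.28 stable branch (inferred, confirm against that branch); the commit that carries the behavioural change should be added here or shipped as a further patch. Until it is, the `CVE:` header and the CVE-named file should not be used for this patch, because OE's cve-check reads the patch header tag (and, I believe, the file name) as "patched" and will report the recipe as fixed.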
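diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch b/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch
new file mode 100644
index 0000000000..9c78a3dfa0
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch
@@ -0,0 +1,48 @@
+CVE: CVE-2018-19591
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From ce6ba630dbc96f49eb1f30366aa62261df4792f9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 27 Nov 2018 16:12:43 +0100
+Subject: [PATCH] CVE-2018-19591: if_nametoindex: Fix descriptor for overlong
+ name [BZ #23927]
+
+(cherry picked from commit d527c860f5a3f0ed687bd03f0cb464612dc23408)
+---
+ ChangeLog | 7 +++++++
+ NEWS | 6 ++++++
+ sysdeps/unix/sysv/linux/if_index.c | 11 ++++++-----
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/sysdeps/unix/sysv/linux/if_index.c b/sysdeps/unix/sysv/linux/if_index.c
+index e3d08982d9..782fc5e175 100644
+--- a/sysdeps/unix/sysv/linux/if_index.c
++++ b/sysdeps/unix/sysv/linux/if_index.c
+@@ -38,11 +38,6 @@ __if_nametoindex (const char *ifname)
+ return 0;
+ #else
+ struct ifreq ifr;
+- int fd = __opensock ();
+-
+- if (fd < 0)
+- return 0;
+-
+ if (strlen (ifname) >= IFNAMSIZ)
+ {
+ __set_errno (ENODEV);
+@@ -50,6 +45,12 @@ __if_nametoindex (const char *ifname)
+ }
+
+ strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name));
++
++ int fd = __opensock ();
++
++ if (fd < 0)
++ return 0;
++
+ if (__ioctl (fd, SIOCGIFINDEX, &ifr) < 0)
+ {
+ int saved_errno = errno;
+--
+2.11.0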
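Review bot: The patch header still carries the upstream diffstat naming `ChangeLog` and `NEWS` (3 files, 19 insertions), but only the `sysdeps/unix/sysv/linux/if_index.c` hunks are present, and `Upstream-Status: Backport` names no source; CVE-2016-10739.patch has the same mismatch for `ChangeLog`. A header line such as `Upstream-Status: Backport [2.28 stable branch; ChangeLog and NEWS hunks dropped]` would let an auditor compare the backport with the upstream commit without guessing what was removed. On the code itself, moving `__opensock ()` below the `strlen (ifname) >= IFNAMSIZ` check means the ENODEV return no longer happens with `fd` open; `__if_nametoindex` starts and ends outside these hunks, so the remaining return paths could not be checked here.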
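diff --git a/meta/recipes-core/glibc/glibc_2.28.bb b/meta/recipes-core/glibc/glibc_2.28.bb
index 1bcec3ecb1..0839fa126d 100644
--- a/meta/recipes-core/glibc/glibc_2.28.bb
+++ b/meta/recipes-core/glibc/glibc_2.28.bb
@@ -48,6 +48,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
  file://0033-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
  file://0034-inject-file-assembly-directives.patch \
  file://CVE-2019-9169.patch \
+ file://CVE-2016-10739.patch \
+ file://CVE-2018-19591.patch \
 "
 
 NATIVESDKFIXES ?= ""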