nspr: Fix for CVE-2014-1545

Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions.Per: http://cwe.mitre.org/data/definitions/787.html (From OE-Core rev: 191cab2f679491c2b6ddba49c5cf4886dcd22f57) (From OE-Core rev: bebfeb6d4deac18601edda8dcac0f32c3382cb06) Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Xufeng Zhang <xufeng.zhang@windriver.com> 2014-07-23 23:27:47 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-10 15:06:06 +0100
commit: 014309709558c47e1b2ed4c79d79b5398201f5f4 (patch)
tree: 845e3a3bacdb9d14d1eb55a924ae2eff55093a21
parent: 4b1b58074959f5d6ecc8dc0a8fedeb5ae7e8c528 (diff)
download: poky-014309709558c47e1b2ed4c79d79b5398201f5f4.tar.gz
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch b/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch
new file mode 100644
index 0000000000..565ff168e0
--- /dev/null
+++ b/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch
@@ -0,0 +1,67 @@
+Fix for CVE-2014-1545
+Upstream-Status: Backport
+Backported from nspr-4.10.6.tar.gz.
+---
+--- a/pr/src/io/prprf.c
+++ b/pr/src/io/prprf.c
+@@ -50,6 +50,10 @@
+ #include "prlog.h"
+ #include "prmem.h"
+ 
+#ifdef _MSC_VER
+#define snprintf _snprintf
+#endif
+
+ /*
+ ** WARNING: This code may *NOT* call PR_LOG (because PR_LOG calls it)
+ */
+@@ -330,7 +334,7 @@
+ ** Convert a double precision floating point number into its printable
+ ** form.
+ **
+-** XXX stop using sprintf to convert floating point
+** XXX stop using snprintf to convert floating point
+ */
+ static int cvt_f(SprintfState *ss, double d, const char *fmt0, const char *fmt1)
+ {
+@@ -338,15 +342,14 @@
+     char fout[300];
+     int amount = fmt1 - fmt0;
+ 
+-    PR_ASSERT((amount > 0) && (amount < sizeof(fin)));
+-    if (amount >= sizeof(fin)) {
+-       /* Totally bogus % command to sprintf. Just ignore it */
+    if (amount <= 0 || amount >= sizeof(fin)) {
+        /* Totally bogus % command to snprintf. Just ignore it */
+        return 0;
+     }
+     memcpy(fin, fmt0, amount);
+     fin[amount] = 0;
+ 
+-    /* Convert floating point using the native sprintf code */
+    /* Convert floating point using the native snprintf code */
+ #ifdef DEBUG
+     {
+         const char *p = fin;
+@@ -356,14 +359,11 @@
+         }
+     }
+ #endif
+-    sprintf(fout, fin, d);
+-
+-    /*
+-    ** This assert will catch overflow's of fout, when building with
+-    ** debugging on. At least this way we can track down the evil piece
+-    ** of calling code and fix it!
+-    */
+-    PR_ASSERT(strlen(fout) < sizeof(fout));
+    memset(fout, 0, sizeof(fout));
+    snprintf(fout, sizeof(fout), fin, d);
+    /* Explicitly null-terminate fout because on Windows snprintf doesn't
+     * append a null-terminator if the buffer is too small. */
+    fout[sizeof(fout) - 1] = '\0';
+ 
+     return (*ss->stuff)(ss, fout, strlen(fout));
+ }
diff --git a/meta/recipes-support/nspr/nspr_4.10.3.bb b/meta/recipes-support/nspr/nspr_4.10.3.bb
index 0adfe3b3a3..60e1bfa7b1 100644
--- a/meta/recipes-support/nspr/nspr_4.10.3.bb
+++ b/meta/recipes-support/nspr/nspr_4.10.3.bb
@@ -9,6 +9,7 @@ SRC_URI = "ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v${PV}/src/nspr-$
           file://remove-rpath-from-tests.patch \
           file://fix-build-on-x86_64.patch \
           file://trickly-fix-build-on-x86_64.patch \
+           file://nspr-CVE-2014-1545.patch \
          "
 SRC_URI += "file://nspr.pc.in"
author	Xufeng Zhang <xufeng.zhang@windriver.com>	2014-07-23 23:27:47 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-10 15:06:06 +0100
commit	014309709558c47e1b2ed4c79d79b5398201f5f4 (patch)
tree	845e3a3bacdb9d14d1eb55a924ae2eff55093a21
parent	4b1b58074959f5d6ecc8dc0a8fedeb5ae7e8c528 (diff)
download	poky-014309709558c47e1b2ed4c79d79b5398201f5f4.tar.gz

diff --git a/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch b/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch new file mode 100644 index 0000000000..565ff168e0 --- /dev/null +++ b/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch
@@ -0,0 +1,67 @@
		1	Fix for CVE-2014-1545
		2
		3	Upstream-Status: Backport
		4
		5	Backported from nspr-4.10.6.tar.gz.
		6	---
		7	--- a/pr/src/io/prprf.c
		8	+++ b/pr/src/io/prprf.c
		9	@@ -50,6 +50,10 @@
		10	#include "prlog.h"
		11	#include "prmem.h"
		12
		13	+#ifdef _MSC_VER
		14	+#define snprintf _snprintf
		15	+#endif
		16	+
		17	/*
		18	** WARNING: This code may NOT call PR_LOG (because PR_LOG calls it)
		19	*/
		20	@@ -330,7 +334,7 @@
		21	** Convert a double precision floating point number into its printable
		22	** form.
		23	**
		24	-** XXX stop using sprintf to convert floating point
		25	+** XXX stop using snprintf to convert floating point
		26	*/
		27	static int cvt_f(SprintfState ss, double d, const char fmt0, const char *fmt1)
		28	{
		29	@@ -338,15 +342,14 @@
		30	char fout[300];
		31	int amount = fmt1 - fmt0;
		32
		33	- PR_ASSERT((amount > 0) && (amount < sizeof(fin)));
		34	- if (amount >= sizeof(fin)) {
		35	- /* Totally bogus % command to sprintf. Just ignore it */
		36	+ if (amount <= 0 \|\| amount >= sizeof(fin)) {
		37	+ /* Totally bogus % command to snprintf. Just ignore it */
		38	return 0;
		39	}
		40	memcpy(fin, fmt0, amount);
		41	fin[amount] = 0;
		42
		43	- /* Convert floating point using the native sprintf code */
		44	+ /* Convert floating point using the native snprintf code */
		45	#ifdef DEBUG
		46	{
		47	const char *p = fin;
		48	@@ -356,14 +359,11 @@
		49	}
		50	}
		51	#endif
		52	- sprintf(fout, fin, d);
		53	-
		54	- /*
		55	- ** This assert will catch overflow's of fout, when building with
		56	- ** debugging on. At least this way we can track down the evil piece
		57	- ** of calling code and fix it!
		58	- */
		59	- PR_ASSERT(strlen(fout) < sizeof(fout));
		60	+ memset(fout, 0, sizeof(fout));
		61	+ snprintf(fout, sizeof(fout), fin, d);
		62	+ /* Explicitly null-terminate fout because on Windows snprintf doesn't
		63	+ * append a null-terminator if the buffer is too small. */
		64	+ fout[sizeof(fout) - 1] = '\0';
		65
		66	return (*ss->stuff)(ss, fout, strlen(fout));
		67	}


diff --git a/meta/recipes-support/nspr/nspr_4.10.3.bb b/meta/recipes-support/nspr/nspr_4.10.3.bb index 0adfe3b3a3..60e1bfa7b1 100644 --- a/meta/recipes-support/nspr/nspr_4.10.3.bb +++ b/meta/recipes-support/nspr/nspr_4.10.3.bb
@@ -9,6 +9,7 @@ SRC_URI = "ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v${PV}/src/nspr-$
9	file://remove-rpath-from-tests.patch \	9	file://remove-rpath-from-tests.patch \
10	file://fix-build-on-x86_64.patch \	10	file://fix-build-on-x86_64.patch \
11	file://trickly-fix-build-on-x86_64.patch \	11	file://trickly-fix-build-on-x86_64.patch \
		12	file://nspr-CVE-2014-1545.patch \
12	"	13	"
13		14
14	SRC_URI += "file://nspr.pc.in"	15	SRC_URI += "file://nspr.pc.in"