diff options
author | Armin Kuster <akuster@mvista.com> | 2016-02-11 16:20:34 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-18 11:03:10 +0000 |
commit | 06d9c894636352a6c93711c7284d02b0c794a527 (patch) | |
tree | a477f1bbf9225069df4ffcdb8388fbd638902d87 | |
parent | d7be819eedc584881130c461be8b3ad7cf519e13 (diff) | |
download | poky-06d9c894636352a6c93711c7284d02b0c794a527.tar.gz |
libbsd: Security fix CVE-2016-2090
CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd
affects libbsd <= 0.8.1 (and therefore not needed in master)
(From OE-Core rev: ab29efb8e85020a3621079c7fde217c1bfaa5289)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-support/libbsd/files/CVE-2016-2090.patch | 50 | ||||
-rw-r--r-- | meta/recipes-support/libbsd/libbsd_0.7.0.bb | 4 |
2 files changed, 53 insertions, 1 deletions
diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch new file mode 100644 index 0000000000..2eaae1386d --- /dev/null +++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hanno Boeck <hanno@hboeck.de> | ||
3 | Date: Wed, 27 Jan 2016 15:10:11 +0100 | ||
4 | Subject: [PATCH] Fix heap buffer overflow in fgetwln() | ||
5 | |||
6 | In the function fgetwln() there's a 4 byte heap overflow. | ||
7 | |||
8 | There is a while loop that has this check to see whether there's still | ||
9 | enough space in the buffer: | ||
10 | |||
11 | if (!fb->len || wused > fb->len) { | ||
12 | |||
13 | If this is true more memory gets allocated. However this test won't be | ||
14 | true if wused == fb->len, but at that point wused already points out | ||
15 | of the buffer. Some lines later there's a write to the buffer: | ||
16 | |||
17 | fb->wbuf[wused++] = wc; | ||
18 | |||
19 | This bug was found with the help of address sanitizer. | ||
20 | |||
21 | Warned-by: ASAN | ||
22 | Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881 | ||
23 | Signed-off-by: Guillem Jover <guillem@hadrons.org> | ||
24 | |||
25 | Upstream-Status: Backport | ||
26 | http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 | ||
27 | |||
28 | CVE: CVE-2016-2090 | ||
29 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
30 | |||
31 | --- | ||
32 | src/fgetwln.c | 2 +- | ||
33 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
34 | |||
35 | diff --git a/src/fgetwln.c b/src/fgetwln.c | ||
36 | index 9ee0776..aa3f927 100644 | ||
37 | --- a/src/fgetwln.c | ||
38 | +++ b/src/fgetwln.c | ||
39 | @@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp) | ||
40 | fb->fp = stream; | ||
41 | |||
42 | while ((wc = fgetwc(stream)) != WEOF) { | ||
43 | - if (!fb->len || wused > fb->len) { | ||
44 | + if (!fb->len || wused >= fb->len) { | ||
45 | wchar_t *wp; | ||
46 | |||
47 | if (fb->len) | ||
48 | -- | ||
49 | 2.3.5 | ||
50 | |||
diff --git a/meta/recipes-support/libbsd/libbsd_0.7.0.bb b/meta/recipes-support/libbsd/libbsd_0.7.0.bb index 902666da7f..8d9a708a15 100644 --- a/meta/recipes-support/libbsd/libbsd_0.7.0.bb +++ b/meta/recipes-support/libbsd/libbsd_0.7.0.bb | |||
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f1530ea92aeaa1c5e2547cfd43905d8c" | |||
13 | SECTION = "libs" | 13 | SECTION = "libs" |
14 | DEPENDS = "" | 14 | DEPENDS = "" |
15 | 15 | ||
16 | SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz" | 16 | SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz \ |
17 | file://CVE-2016-2090.patch \ | ||
18 | " | ||
17 | 19 | ||
18 | SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0" | 20 | SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0" |
19 | SRC_URI[sha256sum] = "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb" | 21 | SRC_URI[sha256sum] = "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb" |