diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2023-12-05 10:15:51 +0800 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-12-08 11:45:59 -1000 |
commit | d0120e8aec661db194ef0af02598e1553fc98008 (patch) | |
tree | cb951367cd271dcc17e1a03a0c5248ae5458d865 | |
parent | 97b8007eff7c72dcc01cae6fc376f514f201c9e5 (diff) | |
download | poky-d0120e8aec661db194ef0af02598e1553fc98008.tar.gz |
epiphany: fix CVE-2022-29536
(From OE-Core rev: 507b9de9df375721cd307163fe06c3ee567385e8)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-gnome/epiphany/epiphany_3.34.4.bb | 1 | ||||
-rw-r--r-- | meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch | 46 |
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb index e2afb29c12..f43bfd6a67 100644 --- a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb +++ b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb | |||
@@ -16,6 +16,7 @@ REQUIRED_DISTRO_FEATURES = "x11 opengl" | |||
16 | 16 | ||
17 | SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \ | 17 | SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \ |
18 | file://0002-help-meson.build-disable-the-use-of-yelp.patch \ | 18 | file://0002-help-meson.build-disable-the-use-of-yelp.patch \ |
19 | file://CVE-2022-29536.patch \ | ||
19 | " | 20 | " |
20 | SRC_URI[archive.md5sum] = "a559f164bb7d6cbeceb348648076830b" | 21 | SRC_URI[archive.md5sum] = "a559f164bb7d6cbeceb348648076830b" |
21 | SRC_URI[archive.sha256sum] = "60e190fc07ec7e33472e60c7e633e04004f7e277a0ffc5e9cd413706881e598d" | 22 | SRC_URI[archive.sha256sum] = "60e190fc07ec7e33472e60c7e633e04004f7e277a0ffc5e9cd413706881e598d" |
diff --git a/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch new file mode 100644 index 0000000000..71cfc1238a --- /dev/null +++ b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | CVE: CVE-2022-29536 | ||
2 | Upstream-Status: Backport [ https://gitlab.gnome.org/GNOME/epiphany/-/commit/486da133569ebfc436c959a7419565ab102e8525 ] | ||
3 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
4 | |||
5 | From 486da133569ebfc436c959a7419565ab102e8525 Mon Sep 17 00:00:00 2001 | ||
6 | From: Michael Catanzaro <mcatanzaro@redhat.com> | ||
7 | Date: Fri, 15 Apr 2022 18:09:46 -0500 | ||
8 | Subject: [PATCH] Fix memory corruption in ephy_string_shorten() | ||
9 | |||
10 | This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228. | ||
11 | |||
12 | I got my browser stuck in a crash loop today while visiting a website | ||
13 | with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only | ||
14 | condition in which ephy_string_shorten() is ever used. Turns out this | ||
15 | commit is wrong: an ellipses is a multibyte character (three bytes in | ||
16 | UTF-8) and so we're writing past the end of the buffer when calling | ||
17 | strcat() here. Ooops. | ||
18 | |||
19 | Shame it took nearly four years to notice and correct this. | ||
20 | |||
21 | Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106> | ||
22 | --- | ||
23 | lib/ephy-string.c | 5 ++--- | ||
24 | 1 file changed, 2 insertions(+), 3 deletions(-) | ||
25 | |||
26 | diff --git a/lib/ephy-string.c b/lib/ephy-string.c | ||
27 | index 35a148ab32..8e524d52ca 100644 | ||
28 | --- a/lib/ephy-string.c | ||
29 | +++ b/lib/ephy-string.c | ||
30 | @@ -114,11 +114,10 @@ ephy_string_shorten (char *str, | ||
31 | /* create string */ | ||
32 | bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str); | ||
33 | |||
34 | - /* +1 for ellipsis, +1 for trailing NUL */ | ||
35 | - new_str = g_new (gchar, bytes + 1 + 1); | ||
36 | + new_str = g_new (gchar, bytes + strlen ("…") + 1); | ||
37 | |||
38 | strncpy (new_str, str, bytes); | ||
39 | - strcat (new_str, "…"); | ||
40 | + strncpy (new_str + bytes, "…", strlen ("…") + 1); | ||
41 | |||
42 | g_free (str); | ||
43 | |||
44 | -- | ||
45 | GitLab | ||
46 | |||