libbsd: Security fix CVE-2016-2090

CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd affects libbsd <= 0.8.1 (and therefore not needed in master) (From OE-Core rev: ab29efb8e85020a3621079c7fde217c1bfaa5289) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-02-11 16:20:34 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-02-18 11:03:10 +0000
commit: 06d9c894636352a6c93711c7284d02b0c794a527 (patch)
tree: a477f1bbf9225069df4ffcdb8388fbd638902d87
parent: d7be819eedc584881130c461be8b3ad7cf519e13 (diff)
download: poky-06d9c894636352a6c93711c7284d02b0c794a527.tar.gz
2 files changed, 53 insertions, 1 deletions
diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
new file mode 100644
index 0000000000..2eaae1386d
--- /dev/null
+++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
@@ -0,0 +1,50 @@
+From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001
+From: Hanno Boeck <hanno@hboeck.de>
+Date: Wed, 27 Jan 2016 15:10:11 +0100
+Subject: [PATCH] Fix heap buffer overflow in fgetwln()
+In the function fgetwln() there's a 4 byte heap overflow.
+There is a while loop that has this check to see whether there's still
+enough space in the buffer:
+                if (!fb->len || wused > fb->len) {
+If this is true more memory gets allocated. However this test won't be
+true if wused == fb->len, but at that point wused already points out
+of the buffer. Some lines later there's a write to the buffer:
+                fb->wbuf[wused++] = wc;
+This bug was found with the help of address sanitizer.
+Warned-by: ASAN
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
+Signed-off-by: Guillem Jover <guillem@hadrons.org>
+Upstream-Status: Backport
+http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7
+CVE: CVE-2016-2090
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/fgetwln.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/fgetwln.c b/src/fgetwln.c
+index 9ee0776..aa3f927 100644
+--- a/src/fgetwln.c
+++ b/src/fgetwln.c
+@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
+        fb->fp = stream;
+ 
+        while ((wc = fgetwc(stream)) != WEOF) {
+-               if (!fb->len || wused > fb->len) {
+               if (!fb->len || wused >= fb->len) {
+                        wchar_t *wp;
+ 
+                        if (fb->len)
+-- 
+2.3.5
diff --git a/meta/recipes-support/libbsd/libbsd_0.7.0.bb b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
index 902666da7f..8d9a708a15 100644
--- a/meta/recipes-support/libbsd/libbsd_0.7.0.bb
+++ b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f1530ea92aeaa1c5e2547cfd43905d8c"
 SECTION = "libs"
 DEPENDS = ""
-SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz"
+SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
+           file://CVE-2016-2090.patch \
+           "
 SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0"
 SRC_URI[sha256sum] = "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb"
author	Armin Kuster <akuster@mvista.com>	2016-02-11 16:20:34 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-02-18 11:03:10 +0000
commit	06d9c894636352a6c93711c7284d02b0c794a527 (patch)
tree	a477f1bbf9225069df4ffcdb8388fbd638902d87
parent	d7be819eedc584881130c461be8b3ad7cf519e13 (diff)
download	poky-06d9c894636352a6c93711c7284d02b0c794a527.tar.gz

diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch new file mode 100644 index 0000000000..2eaae1386d --- /dev/null +++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
@@ -0,0 +1,50 @@
		1	From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001
		2	From: Hanno Boeck <hanno@hboeck.de>
		3	Date: Wed, 27 Jan 2016 15:10:11 +0100
		4	Subject: [PATCH] Fix heap buffer overflow in fgetwln()
		5
		6	In the function fgetwln() there's a 4 byte heap overflow.
		7
		8	There is a while loop that has this check to see whether there's still
		9	enough space in the buffer:
		10
		11	if (!fb->len \|\| wused > fb->len) {
		12
		13	If this is true more memory gets allocated. However this test won't be
		14	true if wused == fb->len, but at that point wused already points out
		15	of the buffer. Some lines later there's a write to the buffer:
		16
		17	fb->wbuf[wused++] = wc;
		18
		19	This bug was found with the help of address sanitizer.
		20
		21	Warned-by: ASAN
		22	Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
		23	Signed-off-by: Guillem Jover <guillem@hadrons.org>
		24
		25	Upstream-Status: Backport
		26	http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7
		27
		28	CVE: CVE-2016-2090
		29	Signed-off-by: Armin Kuster <akuster@mvista.com>
		30
		31	---
		32	src/fgetwln.c \| 2 +-
		33	1 file changed, 1 insertion(+), 1 deletion(-)
		34
		35	diff --git a/src/fgetwln.c b/src/fgetwln.c
		36	index 9ee0776..aa3f927 100644
		37	--- a/src/fgetwln.c
		38	+++ b/src/fgetwln.c
		39	@@ -60,7 +60,7 @@ fgetwln(FILE stream, size_t lenp)
		40	fb->fp = stream;
		41
		42	while ((wc = fgetwc(stream)) != WEOF) {
		43	- if (!fb->len \|\| wused > fb->len) {
		44	+ if (!fb->len \|\| wused >= fb->len) {
		45	wchar_t *wp;
		46
		47	if (fb->len)
		48	--
		49	2.3.5
		50


diff --git a/meta/recipes-support/libbsd/libbsd_0.7.0.bb b/meta/recipes-support/libbsd/libbsd_0.7.0.bb index 902666da7f..8d9a708a15 100644 --- a/meta/recipes-support/libbsd/libbsd_0.7.0.bb +++ b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f1530ea92aeaa1c5e2547cfd43905d8c"
13	SECTION = "libs"	13	SECTION = "libs"
14	DEPENDS = ""	14	DEPENDS = ""
15		15
16	SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz"	16	SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
		17	file://CVE-2016-2090.patch \
		18	"
17		19
18	SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0"	20	SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0"
19	SRC_URI[sha256sum] = "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb"	21	SRC_URI[sha256sum] = "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb"