libcomps: fix CVE-2019-3817

(From OE-Core rev: 2cebc7faa10c7ac6f60437658702f7adce3b3a89) Signed-off-by: Kevin Weng <t-keweng@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org> 2019-08-13 23:25:58 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-08 22:52:28 +0100
commit: 4e6a44598fe877ac4942fbdc8f0c576b234de6cc (patch)
tree: 8a439ce44d130b15fb06b228599e212792dbb844
parent: 9da2eb4bef29c4cb86fc825088be3df5c615cfb2 (diff)
download: poky-4e6a44598fe877ac4942fbdc8f0c576b234de6cc.tar.gz
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch b/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch
new file mode 100644
index 0000000000..b8cfb3c4db
--- /dev/null
+++ b/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch
@@ -0,0 +1,97 @@
+From cea10cd1f2ef6bb4edaac0c1d46d47bf237c42b8 Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <rschiron@redhat.com>
+Date: Mon, 21 Jan 2019 18:11:42 +0100
+Subject: [PATCH] Fix UAF in comps_objmrtree_unite function
+The added field is not used at all in many places and it is probably the
+left-over of some copy-paste.
+Upstream-Status: Backport
+[https://github.com/rpm-software-management/libcomps/commit
+/e3a5d056633677959ad924a51758876d415e7046]
+CVE: CVE-2019-3817
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ libcomps/src/comps_mradix.c    | 2 --
+ libcomps/src/comps_objmradix.c | 2 --
+ libcomps/src/comps_objradix.c  | 2 --
+ libcomps/src/comps_radix.c     | 1 -
+ 4 files changed, 7 deletions(-)
+diff --git a/libcomps/src/comps_mradix.c b/libcomps/src/comps_mradix.c
+index 338cb07..6ceb7c9 100644
+--- a/libcomps/src/comps_mradix.c
+++ b/libcomps/src/comps_mradix.c
+@@ -177,7 +177,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+     struct Pair {
+         COMPS_HSList * subnodes;
+         char * key;
+-        char added;
+     } *pair, *parent_pair;
+ 
+     pair = malloc(sizeof(struct Pair));
+@@ -195,7 +194,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+         parent_pair = (struct Pair*) it->data;
+         free(it);
+ 
+-        pair->added = 0;
+         for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+             pair = malloc(sizeof(struct Pair));
+             pair->subnodes = ((COMPS_MRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objmradix.c b/libcomps/src/comps_objmradix.c
+index 9be6648..8771c89 100644
+--- a/libcomps/src/comps_objmradix.c
+++ b/libcomps/src/comps_objmradix.c
+@@ -285,7 +285,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+     struct Pair {
+         COMPS_HSList * subnodes;
+         char * key;
+-        char added;
+     } *pair, *parent_pair;
+ 
+     pair = malloc(sizeof(struct Pair));
+@@ -303,7 +302,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+         parent_pair = (struct Pair*) it->data;
+         free(it);
+ 
+-        pair->added = 0;
+         for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+             pair = malloc(sizeof(struct Pair));
+             pair->subnodes = ((COMPS_ObjMRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objradix.c b/libcomps/src/comps_objradix.c
+index a790270..0ebaf22 100644
+--- a/libcomps/src/comps_objradix.c
+++ b/libcomps/src/comps_objradix.c
+@@ -692,7 +692,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+     struct Pair {
+         COMPS_HSList * subnodes;
+         char * key;
+-        char added;
+     } *pair, *parent_pair;
+ 
+     pair = malloc(sizeof(struct Pair));
+@@ -711,7 +710,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+         //printf("key-part:%s\n", parent_pair->key);
+         free(it);
+ 
+-        //pair->added = 0;
+         for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+             pair = malloc(sizeof(struct Pair));
+             pair->subnodes = ((COMPS_ObjRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_radix.c b/libcomps/src/comps_radix.c
+index ada4fda..05dcaf2 100644
+--- a/libcomps/src/comps_radix.c
+++ b/libcomps/src/comps_radix.c
+@@ -529,7 +529,6 @@ void comps_rtree_unite(COMPS_RTree *rt1, COMPS_RTree *rt2) {
+     struct Pair {
+         COMPS_HSList * subnodes;
+         char * key;
+-        char added;
+     } *pair, *parent_pair;
+ 
+     pair = malloc(sizeof(struct Pair));
+-- 
+2.22.0
diff --git a/meta/recipes-devtools/libcomps/libcomps_git.bb b/meta/recipes-devtools/libcomps/libcomps_git.bb
index e69bf67729..b657f3377c 100644
--- a/meta/recipes-devtools/libcomps/libcomps_git.bb
+++ b/meta/recipes-devtools/libcomps/libcomps_git.bb
@@ -6,6 +6,7 @@ SRC_URI = "git://github.com/rpm-software-management/libcomps.git \
           file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
           file://0002-Set-library-installation-path-correctly.patch \
           file://0001-Make-__comps_objmrtree_all-static-inline.patch \
+           file://CVE-2019-3817.patch \
           "
 PV = "0.1.8+git${SRCPV}"
author	Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org>	2019-08-13 23:25:58 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +0100
commit	4e6a44598fe877ac4942fbdc8f0c576b234de6cc (patch)
tree	8a439ce44d130b15fb06b228599e212792dbb844
parent	9da2eb4bef29c4cb86fc825088be3df5c615cfb2 (diff)
download	poky-4e6a44598fe877ac4942fbdc8f0c576b234de6cc.tar.gz

diff --git a/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch b/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch new file mode 100644 index 0000000000..b8cfb3c4db --- /dev/null +++ b/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch
@@ -0,0 +1,97 @@
		1	From cea10cd1f2ef6bb4edaac0c1d46d47bf237c42b8 Mon Sep 17 00:00:00 2001
		2	From: Riccardo Schirone <rschiron@redhat.com>
		3	Date: Mon, 21 Jan 2019 18:11:42 +0100
		4	Subject: [PATCH] Fix UAF in comps_objmrtree_unite function
		5
		6	The added field is not used at all in many places and it is probably the
		7	left-over of some copy-paste.
		8
		9	Upstream-Status: Backport
		10	[https://github.com/rpm-software-management/libcomps/commit
		11	/e3a5d056633677959ad924a51758876d415e7046]
		12
		13	CVE: CVE-2019-3817
		14
		15	Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
		16	---
		17	libcomps/src/comps_mradix.c \| 2 --
		18	libcomps/src/comps_objmradix.c \| 2 --
		19	libcomps/src/comps_objradix.c \| 2 --
		20	libcomps/src/comps_radix.c \| 1 -
		21	4 files changed, 7 deletions(-)
		22
		23	diff --git a/libcomps/src/comps_mradix.c b/libcomps/src/comps_mradix.c
		24	index 338cb07..6ceb7c9 100644
		25	--- a/libcomps/src/comps_mradix.c
		26	+++ b/libcomps/src/comps_mradix.c
		27	@@ -177,7 +177,6 @@ void comps_mrtree_unite(COMPS_MRTree rt1, COMPS_MRTree rt2) {
		28	struct Pair {
		29	COMPS_HSList * subnodes;
		30	char * key;
		31	- char added;
		32	} pair, parent_pair;
		33
		34	pair = malloc(sizeof(struct Pair));
		35	@@ -195,7 +194,6 @@ void comps_mrtree_unite(COMPS_MRTree rt1, COMPS_MRTree rt2) {
		36	parent_pair = (struct Pair*) it->data;
		37	free(it);
		38
		39	- pair->added = 0;
		40	for (it = tmp_subnodes->first; it != NULL; it=it->next) {
		41	pair = malloc(sizeof(struct Pair));
		42	pair->subnodes = ((COMPS_MRTreeData*)it->data)->subnodes;
		43	diff --git a/libcomps/src/comps_objmradix.c b/libcomps/src/comps_objmradix.c
		44	index 9be6648..8771c89 100644
		45	--- a/libcomps/src/comps_objmradix.c
		46	+++ b/libcomps/src/comps_objmradix.c
		47	@@ -285,7 +285,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree rt1, COMPS_ObjMRTree rt2) {
		48	struct Pair {
		49	COMPS_HSList * subnodes;
		50	char * key;
		51	- char added;
		52	} pair, parent_pair;
		53
		54	pair = malloc(sizeof(struct Pair));
		55	@@ -303,7 +302,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree rt1, COMPS_ObjMRTree rt2) {
		56	parent_pair = (struct Pair*) it->data;
		57	free(it);
		58
		59	- pair->added = 0;
		60	for (it = tmp_subnodes->first; it != NULL; it=it->next) {
		61	pair = malloc(sizeof(struct Pair));
		62	pair->subnodes = ((COMPS_ObjMRTreeData*)it->data)->subnodes;
		63	diff --git a/libcomps/src/comps_objradix.c b/libcomps/src/comps_objradix.c
		64	index a790270..0ebaf22 100644
		65	--- a/libcomps/src/comps_objradix.c
		66	+++ b/libcomps/src/comps_objradix.c
		67	@@ -692,7 +692,6 @@ void comps_objrtree_unite(COMPS_ObjRTree rt1, COMPS_ObjRTree rt2) {
		68	struct Pair {
		69	COMPS_HSList * subnodes;
		70	char * key;
		71	- char added;
		72	} pair, parent_pair;
		73
		74	pair = malloc(sizeof(struct Pair));
		75	@@ -711,7 +710,6 @@ void comps_objrtree_unite(COMPS_ObjRTree rt1, COMPS_ObjRTree rt2) {
		76	//printf("key-part:%s\n", parent_pair->key);
		77	free(it);
		78
		79	- //pair->added = 0;
		80	for (it = tmp_subnodes->first; it != NULL; it=it->next) {
		81	pair = malloc(sizeof(struct Pair));
		82	pair->subnodes = ((COMPS_ObjRTreeData*)it->data)->subnodes;
		83	diff --git a/libcomps/src/comps_radix.c b/libcomps/src/comps_radix.c
		84	index ada4fda..05dcaf2 100644
		85	--- a/libcomps/src/comps_radix.c
		86	+++ b/libcomps/src/comps_radix.c
		87	@@ -529,7 +529,6 @@ void comps_rtree_unite(COMPS_RTree rt1, COMPS_RTree rt2) {
		88	struct Pair {
		89	COMPS_HSList * subnodes;
		90	char * key;
		91	- char added;
		92	} pair, parent_pair;
		93
		94	pair = malloc(sizeof(struct Pair));
		95	--
		96	2.22.0
		97


diff --git a/meta/recipes-devtools/libcomps/libcomps_git.bb b/meta/recipes-devtools/libcomps/libcomps_git.bb index e69bf67729..b657f3377c 100644 --- a/meta/recipes-devtools/libcomps/libcomps_git.bb +++ b/meta/recipes-devtools/libcomps/libcomps_git.bb
@@ -6,6 +6,7 @@ SRC_URI = "git://github.com/rpm-software-management/libcomps.git \
6	file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \	6	file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
7	file://0002-Set-library-installation-path-correctly.patch \	7	file://0002-Set-library-installation-path-correctly.patch \
8	file://0001-Make-__comps_objmrtree_all-static-inline.patch \	8	file://0001-Make-__comps_objmrtree_all-static-inline.patch \
		9	file://CVE-2019-3817.patch \
9	"	10	"
10		11
11	PV = "0.1.8+git${SRCPV}"	12	PV = "0.1.8+git${SRCPV}"