file: fix CVE-2019-18218

(From OE-Core rev: 626f518df57868250ea467532b8cf2968d78df6d) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2019-11-04 12:14:55 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-05 10:37:11 +0000
commit: 35c5388a7dcadea3ee3f1126676d9f8c452abc0e (patch)
tree: 0e4d771757fa9bfef27e4c36d29e4e7097405a1c
parent: 7035b4b21e02786932a512ae2f954bed441f8adf (diff)
download: poky-35c5388a7dcadea3ee3f1126676d9f8c452abc0e.tar.gz
2 files changed, 57 insertions, 1 deletions
diff --git a/meta/recipes-devtools/file/file/CVE-2019-18218.patch b/meta/recipes-devtools/file/file/CVE-2019-18218.patch
new file mode 100644
index 0000000000..3d02c5ad4b
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-18218.patch
@@ -0,0 +1,55 @@
+cdf_read_property_info in cdf.c in file through 5.37 does not restrict the
+number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte
+out-of-bounds write).
+CVE: CVE-2019-18218
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 26 Aug 2019 14:31:39 +0000
+Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
+---
+ src/cdf.c | 9 ++++-----
+ src/cdf.h | 1 +
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+diff --git a/src/cdf.c b/src/cdf.c
+index 9d6396742..bb81d6374 100644
+--- a/src/cdf.c
+++ b/src/cdf.c
+@@ -1016,8 +1016,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+                                goto out;
+                        }
+                        nelements = CDF_GETUINT32(q, 1);
+-                       if (nelements == 0) {
+-                               DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+                       if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
+                               DPRINTF(("CDF_VECTOR with nelements == %"
+                                   SIZE_T_FORMAT "u\n", nelements));
+                                goto out;
+                        }
+                        slen = 2;
+@@ -1060,8 +1061,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+                                        goto out;
+                                inp += nelem;
+                        }
+-                       DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+-                           nelements));
+                        for (j = 0; j < nelements && i < sh.sh_properties;
+                            j++, i++)
+                        {
+diff --git a/src/cdf.h b/src/cdf.h
+index 2f7e554b7..05056668f 100644
+--- a/src/cdf.h
+++ b/src/cdf.h
+@@ -48,6 +48,7 @@
+ typedef int32_t cdf_secid_t;
+ 
+ #define CDF_LOOP_LIMIT                                 10000
+#define CDF_ELEMENT_LIMIT                              100000
+ 
+ #define CDF_SECID_NULL                                 0
+ #define CDF_SECID_FREE                                 -1
diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.37.bb
index c53a120b84..71801f9d47 100644
--- a/meta/recipes-devtools/file/file_5.37.bb
+++ b/meta/recipes-devtools/file/file_5.37.bb
@@ -14,7 +14,8 @@ DEPENDS_class-native = "zlib-native"
 # Blacklist a bogus tag in upstream check
 UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"
-SRC_URI = "git://github.com/file/file.git"
+SRC_URI = "git://github.com/file/file.git \
+           file://CVE-2019-18218.patch"
 SRCREV = "a0d5b0e4e9f97d74a9911e95cedd579852e25398"
 S = "${WORKDIR}/git"
author	Ross Burton <ross.burton@intel.com>	2019-11-04 12:14:55 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-11-05 10:37:11 +0000
commit	35c5388a7dcadea3ee3f1126676d9f8c452abc0e (patch)
tree	0e4d771757fa9bfef27e4c36d29e4e7097405a1c
parent	7035b4b21e02786932a512ae2f954bed441f8adf (diff)
download	poky-35c5388a7dcadea3ee3f1126676d9f8c452abc0e.tar.gz

diff --git a/meta/recipes-devtools/file/file/CVE-2019-18218.patch b/meta/recipes-devtools/file/file/CVE-2019-18218.patch new file mode 100644 index 0000000000..3d02c5ad4b --- /dev/null +++ b/meta/recipes-devtools/file/file/CVE-2019-18218.patch
@@ -0,0 +1,55 @@
		1	cdf_read_property_info in cdf.c in file through 5.37 does not restrict the
		2	number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte
		3	out-of-bounds write).
		4
		5	CVE: CVE-2019-18218
		6	Upstream-Status: Backport
		7	Signed-off-by: Ross Burton <ross.burton@intel.com>
		8
		9	From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001
		10	From: Christos Zoulas <christos@zoulas.com>
		11	Date: Mon, 26 Aug 2019 14:31:39 +0000
		12	Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
		13
		14	---
		15	src/cdf.c \| 9 ++++-----
		16	src/cdf.h \| 1 +
		17	2 files changed, 5 insertions(+), 5 deletions(-)
		18
		19	diff --git a/src/cdf.c b/src/cdf.c
		20	index 9d6396742..bb81d6374 100644
		21	--- a/src/cdf.c
		22	+++ b/src/cdf.c
		23	@@ -1016,8 +1016,9 @@ cdf_read_property_info(const cdf_stream_t sst, const cdf_header_t h,
		24	goto out;
		25	}
		26	nelements = CDF_GETUINT32(q, 1);
		27	- if (nelements == 0) {
		28	- DPRINTF(("CDF_VECTOR with nelements == 0\n"));
		29	+ if (nelements > CDF_ELEMENT_LIMIT \|\| nelements == 0) {
		30	+ DPRINTF(("CDF_VECTOR with nelements == %"
		31	+ SIZE_T_FORMAT "u\n", nelements));
		32	goto out;
		33	}
		34	slen = 2;
		35	@@ -1060,8 +1061,6 @@ cdf_read_property_info(const cdf_stream_t sst, const cdf_header_t h,
		36	goto out;
		37	inp += nelem;
		38	}
		39	- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
		40	- nelements));
		41	for (j = 0; j < nelements && i < sh.sh_properties;
		42	j++, i++)
		43	{
		44	diff --git a/src/cdf.h b/src/cdf.h
		45	index 2f7e554b7..05056668f 100644
		46	--- a/src/cdf.h
		47	+++ b/src/cdf.h
		48	@@ -48,6 +48,7 @@
		49	typedef int32_t cdf_secid_t;
		50
		51	#define CDF_LOOP_LIMIT 10000
		52	+#define CDF_ELEMENT_LIMIT 100000
		53
		54	#define CDF_SECID_NULL 0
		55	#define CDF_SECID_FREE -1


diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.37.bb index c53a120b84..71801f9d47 100644 --- a/meta/recipes-devtools/file/file_5.37.bb +++ b/meta/recipes-devtools/file/file_5.37.bb
@@ -14,7 +14,8 @@ DEPENDS_class-native = "zlib-native"
14	# Blacklist a bogus tag in upstream check	14	# Blacklist a bogus tag in upstream check
15	UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"	15	UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"
16		16
17	SRC_URI = "git://github.com/file/file.git"	17	SRC_URI = "git://github.com/file/file.git \
		18	file://CVE-2019-18218.patch"
18		19
19	SRCREV = "a0d5b0e4e9f97d74a9911e95cedd579852e25398"	20	SRCREV = "a0d5b0e4e9f97d74a9911e95cedd579852e25398"
20	S = "${WORKDIR}/git"	21	S = "${WORKDIR}/git"