summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2019-11-04 12:14:55 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-11-13 22:02:15 +0000
commit495005ae3c4e5f2e36ed1a81b885f5405c6266a9 (patch)
tree0c2ca49d9d6e047bb92605b52f8ca4223e475a40
parentcf1117859e0019d37fd2a1cfa47dcf89bda3d22f (diff)
downloadpoky-495005ae3c4e5f2e36ed1a81b885f5405c6266a9.tar.gz
file: fix CVE-2019-18218
(From OE-Core rev: 2435c38e109cac68476ee672eca09b4cd6237ed4) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/file/file/CVE-2019-18218.patch55
-rw-r--r--meta/recipes-devtools/file/file_5.37.bb3
2 files changed, 57 insertions, 1 deletions
diff --git a/meta/recipes-devtools/file/file/CVE-2019-18218.patch b/meta/recipes-devtools/file/file/CVE-2019-18218.patch
new file mode 100644
index 0000000000..3d02c5ad4b
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-18218.patch
@@ -0,0 +1,55 @@
1cdf_read_property_info in cdf.c in file through 5.37 does not restrict the
2number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte
3out-of-bounds write).
4
5CVE: CVE-2019-18218
6Upstream-Status: Backport
7Signed-off-by: Ross Burton <ross.burton@intel.com>
8
9From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001
10From: Christos Zoulas <christos@zoulas.com>
11Date: Mon, 26 Aug 2019 14:31:39 +0000
12Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
13
14---
15 src/cdf.c | 9 ++++-----
16 src/cdf.h | 1 +
17 2 files changed, 5 insertions(+), 5 deletions(-)
18
19diff --git a/src/cdf.c b/src/cdf.c
20index 9d6396742..bb81d6374 100644
21--- a/src/cdf.c
22+++ b/src/cdf.c
23@@ -1016,8 +1016,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
24 goto out;
25 }
26 nelements = CDF_GETUINT32(q, 1);
27- if (nelements == 0) {
28- DPRINTF(("CDF_VECTOR with nelements == 0\n"));
29+ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
30+ DPRINTF(("CDF_VECTOR with nelements == %"
31+ SIZE_T_FORMAT "u\n", nelements));
32 goto out;
33 }
34 slen = 2;
35@@ -1060,8 +1061,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
36 goto out;
37 inp += nelem;
38 }
39- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
40- nelements));
41 for (j = 0; j < nelements && i < sh.sh_properties;
42 j++, i++)
43 {
44diff --git a/src/cdf.h b/src/cdf.h
45index 2f7e554b7..05056668f 100644
46--- a/src/cdf.h
47+++ b/src/cdf.h
48@@ -48,6 +48,7 @@
49 typedef int32_t cdf_secid_t;
50
51 #define CDF_LOOP_LIMIT 10000
52+#define CDF_ELEMENT_LIMIT 100000
53
54 #define CDF_SECID_NULL 0
55 #define CDF_SECID_FREE -1
diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.37.bb
index 6547d12888..509b6cea6e 100644
--- a/meta/recipes-devtools/file/file_5.37.bb
+++ b/meta/recipes-devtools/file/file_5.37.bb
@@ -14,7 +14,8 @@ DEPENDS_class-native = "zlib-native"
14# Blacklist a bogus tag in upstream check 14# Blacklist a bogus tag in upstream check
15UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)" 15UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"
16 16
17SRC_URI = "git://github.com/file/file.git" 17SRC_URI = "git://github.com/file/file.git \
18 file://CVE-2019-18218.patch"
18 19
19SRCREV = "a0d5b0e4e9f97d74a9911e95cedd579852e25398" 20SRCREV = "a0d5b0e4e9f97d74a9911e95cedd579852e25398"
20S = "${WORKDIR}/git" 21S = "${WORKDIR}/git"