author | Andre McCurdy <armccurdy@gmail.com> | 2015-03-19 10:50:18 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-03-25 12:52:51 +0000 |
commit | 1f718df76e462b1432d11de860daaf57bb59c1f2 (patch) | |
tree | 34c810f1a3bfc968402bd8337b9dc7cc32be7d62 /meta/recipes-core/busybox | |
parent | 93e3df91aaebd48b9c4af946247f3488681d32b6 (diff) | |
download | poky-1f718df76e462b1432d11de860daaf57bb59c1f2.tar.gz |
busybox: lzop: add overflow check (CVE-2014-4607)
Backport from busybox 1_22_stable branch:
http://git.busybox.net/busybox/commit/?h=1_22_stable&id=5698ff93233b47218a677fd7facd8cc90211d1a4
(From OE-Core rev: 680fc6e7c571f70cffa9799c21604e0719504591)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/busybox')
-rw-r--r-- | meta/recipes-core/busybox/busybox/lzop-add-overflow-check.patch | 71 | ||||
-rw-r--r-- | meta/recipes-core/busybox/busybox_1.22.1.bb | 1 |
2 files changed, 72 insertions, 0 deletions
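--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/lzop-add-overflow-check.patch
@@ -0,0 +1,71 @@
+Upstream-status: Backport
+http://git.busybox.net/busybox/commit/?h=1_22_stable&id=5698ff93233b47218a677fd7facd8cc90211d1a4
+
+From 5698ff93233b47218a677fd7facd8cc90211d1a4 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 30 Jun 2014 10:14:34 +0200
+Subject: [PATCH] lzop: add overflow check
+
+See CVE-2014-4607
+http://www.openwall.com/lists/oss-security/2014/06/26/20
+
+function old new delta
+lzo1x_decompress_safe 1010 1031 +21
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+(cherry picked from commit a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3)
+---
+archival/libarchive/liblzo.h | 2 ++
+archival/libarchive/lzo1x_d.c | 3 +++
+2 files changed, 5 insertions(+)
+
+diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h
+index 843997c..4596620 100644
+--- a/archival/libarchive/liblzo.h
++++ b/archival/libarchive/liblzo.h
+@@ -76,11 +76,13 @@
+# define TEST_IP (ip < ip_end)
+# define NEED_IP(x) \
+if ((unsigned)(ip_end - ip) < (unsigned)(x)) goto input_overrun
++# define TEST_IV(x) if ((x) > (unsigned)0 - (511)) goto input_overrun
+
+# undef TEST_OP /* don't need both of the tests here */
+# define TEST_OP 1
+# define NEED_OP(x) \
+if ((unsigned)(op_end - op) < (unsigned)(x)) goto output_overrun
++# define TEST_OV(x) if ((x) > (unsigned)0 - (511)) goto output_overrun
+
+#define HAVE_ANY_OP 1
+
+diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c
+index 9bc1270..40b167e 100644
+--- a/archival/libarchive/lzo1x_d.c
++++ b/archival/libarchive/lzo1x_d.c
+@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ip++;
+NEED_IP(1);
+}
++ TEST_IV(t);
+t += 15 + *ip++;
+}
+/* copy literals */
+@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ip++;
+NEED_IP(1);
+}
++ TEST_IV(t);
+t += 31 + *ip++;
+}
+#if defined(COPY_DICT)
+@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ip++;
+NEED_IP(1);
+}
++ TEST_IV(t);
+t += 7 + *ip++;
+}
+#if defined(COPY_DICT)
+--
+1.9.1
+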
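Review bot: The first line of the new patch file reads `Upstream-status: Backport`, while the OpenEmbedded patch-header convention is the tag `Upstream-Status` with a capital S; since patch-review tooling matches on the exact tag, the line should be `Upstream-Status: Backport` with the backport URL kept on the following line. The `TEST_OV` macro added in the liblzo.h hunk has no call site in any of the lzo1x_d.c hunks — presumably carried over from upstream for symmetry with `TEST_IV` — so a short comment next to it such as `/* output-side counterpart of TEST_IV; no caller yet */` would spare the next reader a search. The three `TEST_IV(t)` insertions each guard the following `t += N + *ip++` against unsigned wrap-around, and the loop that grows `t` before each of them, like the rest of lzo1x_decompress_safe, lies outside the hunks.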
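--- a/meta/recipes-core/busybox/busybox_1.22.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.22.1.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
 file://recognize_connmand.patch \
 file://busybox-cross-menuconfig.patch \
 file://CVE-2014-9645_busybox_reject_module_names_with_slashes.patch \
+file://lzop-add-overflow-check.patch \
 "
 
 SRC_URI[tarball.md5sum] = "337d1a15ab1cb1d4ed423168b1eb7d7e"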
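Review bot: The new SRC_URI entry `file://lzop-add-overflow-check.patch` does not carry the CVE identifier in its name, unlike the neighbouring `CVE-2014-9645_busybox_reject_module_names_with_slashes.patch`, so the fix for CVE-2014-4607 is not recognisable from the recipe alone. Naming it along the same lines, `file://CVE-2014-4607_lzop-add-overflow-check.patch \`, with the patch file renamed to match, would keep the two CVE backports in this recipe consistent. Whether any CVE-tracking tooling relies on that naming is not visible from this page.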