author | Ross Burton <ross.burton@intel.com> | 2019-06-24 19:13:08 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-27 18:05:18 +0100 |
commit | 45e662b445970d6f57b8787c0c61b903cdfaa238 (patch) | |
tree | 00f44ca721eaa0ff40ca96127f8a4defb9cd254f /meta/recipes-core/glibc/glibc/CVE-2016-10739.patch | |
parent | f749c69115dcc3918d1fd0acd379852288193345 (diff) | |
download | poky-45e662b445970d6f57b8787c0c61b903cdfaa238.tar.gz |
glibc: backport CVE fixes
Backport the fixes for several CVEs from the 2.28 stable branch:
- CVE-2016-10739
- CVE-2018-19591
(From OE-Core rev: 950a60c0e4183037a807031ddc9167b1a81a5348)
Signed-off-by: Ross Burton <ross.burton@intel.com>
[Dropped CVE-2019-9169 as it's in my contrib already]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/glibc/glibc/CVE-2016-10739.patch')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2016-10739.patch | 232 |
1 files changed, 232 insertions, 0 deletions
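diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
new file mode 100644
index 0000000000..7eb55d6663
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
@@ -0,0 +1,232 @@
+CVE: CVE-2016-10739
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 21 Jan 2019 08:59:42 +0100
+Subject: [PATCH] resolv: Reformat inet_addr, inet_aton to GNU style
+
+(cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0)
+---
+ChangeLog | 5 ++
+resolv/inet_addr.c | 192 ++++++++++++++++++++++++++++-------------------------
+2 files changed, 106 insertions(+), 91 deletions(-)
+
+diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c
+index 022f7ea084..32f58b0e13 100644
+--- a/resolv/inet_addr.c
++++ b/resolv/inet_addr.c
+@@ -1,3 +1,21 @@
++/* Legacy IPv4 text-to-address functions.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
+/*
+* Copyright (c) 1983, 1990, 1993
+* The Regents of the University of California. All rights reserved.
+@@ -78,105 +96,97 @@
+#include <limits.h>
+#include <errno.h>
+
+-/*
+- * Ascii internet address interpretation routine.
+- * The value returned is in network order.
+- */
++/* ASCII IPv4 Internet address interpretation routine. The value
++ returned is in network order. */
+in_addr_t
+-__inet_addr(const char *cp) {
+- struct in_addr val;
++__inet_addr (const char *cp)
++{
++ struct in_addr val;
+
+- if (__inet_aton(cp, &val))
+- return (val.s_addr);
+- return (INADDR_NONE);
++ if (__inet_aton (cp, &val))
++ return val.s_addr;
++ return INADDR_NONE;
+}
+weak_alias (__inet_addr, inet_addr)
+
+-/*
+- * Check whether "cp" is a valid ascii representation
+- * of an Internet address and convert to a binary address.
+- * Returns 1 if the address is valid, 0 if not.
+- * This replaces inet_addr, the return value from which
+- * cannot distinguish between failure and a local broadcast address.
+- */
++/* Check whether "cp" is a valid ASCII representation of an IPv4
++ Internet address and convert it to a binary address. Returns 1 if
++ the address is valid, 0 if not. This replaces inet_addr, the
++ return value from which cannot distinguish between failure and a
++ local broadcast address. */
+int
+-__inet_aton(const char *cp, struct in_addr *addr)
++__inet_aton (const char *cp, struct in_addr *addr)
+{
+- static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
+- in_addr_t val;
+- char c;
+- union iaddr {
+- uint8_t bytes[4];
+- uint32_t word;
+- } res;
+- uint8_t *pp = res.bytes;
+- int digit;
+-
+- int saved_errno = errno;
+- __set_errno (0);
+-
+- res.word = 0;
+-
+- c = *cp;
+- for (;;) {
+- /*
+- * Collect number up to ``.''.
+- * Values are specified as for C:
+- * 0x=hex, 0=octal, isdigit=decimal.
+- */
+- if (!isdigit(c))
+- goto ret_0;
+- {
+- char *endp;
+- unsigned long ul = strtoul (cp, (char **) &endp, 0);
+- if (ul == ULONG_MAX && errno == ERANGE)
+- goto ret_0;
+- if (ul > 0xfffffffful)
+- goto ret_0;
+- val = ul;
+- digit = cp != endp;
+- cp = endp;
+- }
+- c = *cp;
+- if (c == '.') {
+- /*
+- * Internet format:
+- * a.b.c.d
+- * a.b.c (with c treated as 16 bits)
+- * a.b (with b treated as 24 bits)
+- */
+- if (pp > res.bytes + 2 || val > 0xff)
+- goto ret_0;
+- *pp++ = val;
+- c = *++cp;
+- } else
+- break;
+- }
+- /*
+- * Check for trailing characters.
+- */
+- if (c != '\0' && (!isascii(c) || !isspace(c)))
+- goto ret_0;
+- /*
+- * Did we get a valid digit?
+- */
+- if (!digit)
+- goto ret_0;
+-
+- /* Check whether the last part is in its limits depending on
+- the number of parts in total. */
+- if (val > max[pp - res.bytes])
++ static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
++ in_addr_t val;
++ char c;
++ union iaddr
++ {
++ uint8_t bytes[4];
++ uint32_t word;
++ } res;
++ uint8_t *pp = res.bytes;
++ int digit;
++
++ int saved_errno = errno;
++ __set_errno (0);
++
++ res.word = 0;
++
++ c = *cp;
++ for (;;)
++ {
++ /* Collect number up to ``.''. Values are specified as for C:
++ 0x=hex, 0=octal, isdigit=decimal. */
++ if (!isdigit (c))
++ goto ret_0;
++ {
++ char *endp;
++ unsigned long ul = strtoul (cp, &endp, 0);
++ if (ul == ULONG_MAX && errno == ERANGE)
+goto ret_0;
+-
+- if (addr != NULL)
+- addr->s_addr = res.word | htonl (val);
+-
+- __set_errno (saved_errno);
+- return (1);
+-
+-ret_0:
+- __set_errno (saved_errno);
+- return (0);
++ if (ul > 0xfffffffful)
++ goto ret_0;
++ val = ul;
++ digit = cp != endp;
++ cp = endp;
++ }
++ c = *cp;
++ if (c == '.')
++ {
++ /* Internet format:
++ a.b.c.d
++ a.b.c (with c treated as 16 bits)
++ a.b (with b treated as 24 bits). */
++ if (pp > res.bytes + 2 || val > 0xff)
++ goto ret_0;
++ *pp++ = val;
++ c = *++cp;
++ }
++ else
++ break;
++ }
++ /* Check for trailing characters. */
++ if (c != '\0' && (!isascii (c) || !isspace (c)))
++ goto ret_0;
++ /* Did we get a valid digit? */
++ if (!digit)
++ goto ret_0;
++
++ /* Check whether the last part is in its limits depending on the
++ number of parts in total. */
++ if (val > max[pp - res.bytes])
++ goto ret_0;
++
++ if (addr != NULL)
++ addr->s_addr = res.word | htonl (val);
++
++ __set_errno (saved_errno);
++ return 1;
++
++ ret_0:
++ __set_errno (saved_errno);
++ return 0;
+}
+weak_alias (__inet_aton, inet_aton)
+libc_hidden_def (__inet_aton)
+--
+2.11.0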
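Review bot: The new patch file is tagged `CVE: CVE-2016-10739`, yet the only upstream commit it contains is "resolv: Reformat inet_addr, inet_aton to GNU style", a whitespace and comment reformat of `resolv/inet_addr.c`. In the re-indented `__inet_aton` the trailing-character test is unchanged, `if (c != '\0' && (!isascii (c) || !isspace (c)))`, so the parser still returns success at the first whitespace character and never examines what follows it. Since the `CVE:` tag is what marks the issue as patched for the recipe, a file holding only the preparatory reformat would report the CVE as fixed with no change in behaviour. The functional upstream change may live in another file of this commit, which this page does not show because its diffstat is limited to this one file; that should be confirmed before merge. If this file is meant to be a prerequisite only, I would say so in its header, for example `# Preparatory reformat, no behaviour change; the functional fix is in <PATCH-FILE-PLACEHOLDER>`, and keep the `CVE:` tag on the patch that actually tightens the parsing.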