diff options
| author | Yi Fan Yu <yifan.yu@windriver.com> | 2021-01-28 17:23:31 -0500 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-01-30 10:41:03 +0000 |
| commit | c679c1cac2af2ad1f1a2f8b2c75f3c5fde2b5ea2 (patch) | |
| tree | 847c74c6360d8e701cb332f60086e3c1d77753eb /meta/recipes-core | |
| parent | 36aef08dcd5e45c4138ccd72e8de01157f7213c4 (diff) | |
| download | poky-c679c1cac2af2ad1f1a2f8b2c75f3c5fde2b5ea2.tar.gz | |
glibc: fix CVE-2020-27618
iconv: Accept redundant shift sequences in IBM1364
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1893708
(From OE-Core rev: 78a381ec75e48283397a7fe9eaad2afbb070c235)
Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
| -rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2020-27618.patch | 91 | ||||
| -rw-r--r-- | meta/recipes-core/glibc/glibc_2.32.bb | 1 |
2 files changed, 92 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-27618.patch b/meta/recipes-core/glibc/glibc/CVE-2020-27618.patch new file mode 100644 index 0000000000..bf32238357 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2020-27618.patch | |||
| @@ -0,0 +1,91 @@ | |||
| 1 | From 20e6c868c29f5a6121cbb88f3387bb9b884a4206 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Arjun Shankar <arjun@redhat.com> | ||
| 3 | Date: Wed, 4 Nov 2020 12:19:38 +0100 | ||
| 4 | Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ | ||
| 5 | #26224] | ||
| 6 | |||
| 7 | The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets | ||
| 8 | share converter logic (iconvdata/ibm1364.c) which would reject | ||
| 9 | redundant shift sequences when processing input in these character | ||
| 10 | sets. This led to a hang in the iconv program (CVE-2020-27618). | ||
| 11 | |||
| 12 | This commit adjusts the converter to ignore redundant shift sequences | ||
| 13 | and adds test cases for iconv_prog hangs that would be triggered upon | ||
| 14 | their rejection. This brings the implementation in line with other | ||
| 15 | converters that also ignore redundant shift sequences (e.g. IBM930 | ||
| 16 | etc., fixed in commit 692de4b3960d). | ||
| 17 | |||
| 18 | Reviewed-by: Carlos O'Donell <carlos@redhat.com> | ||
| 19 | |||
| 20 | Upstream-Status: Backport | ||
| 21 | [https://sourceware.org/git/?p=glibc.git;a=commit; | ||
| 22 | h=9a99c682144bdbd40792ebf822fe9264e0376fb5] | ||
| 23 | |||
| 24 | CVE: CVE-2020-27618 | ||
| 25 | Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com> | ||
| 26 | --- | ||
| 27 | iconv/tst-iconv_prog.sh | 16 ++++++++++------ | ||
| 28 | iconvdata/ibm1364.c | 14 ++------------ | ||
| 29 | 2 files changed, 12 insertions(+), 18 deletions(-) | ||
| 30 | |||
| 31 | diff --git a/iconv/tst-iconv_prog.sh b/iconv/tst-iconv_prog.sh | ||
| 32 | index 8298136b7f..d8db7b335c 100644 | ||
| 33 | --- a/iconv/tst-iconv_prog.sh | ||
| 34 | +++ b/iconv/tst-iconv_prog.sh | ||
| 35 | @@ -102,12 +102,16 @@ hangarray=( | ||
| 36 | "\x00\x80;-c;IBM1161;UTF-8//TRANSLIT//IGNORE" | ||
| 37 | "\x00\xdb;-c;IBM1162;UTF-8//TRANSLIT//IGNORE" | ||
| 38 | "\x00\x70;-c;IBM12712;UTF-8//TRANSLIT//IGNORE" | ||
| 39 | -# These are known hangs that are yet to be fixed: | ||
| 40 | -# "\x00\x0f;-c;IBM1364;UTF-8" | ||
| 41 | -# "\x00\x0f;-c;IBM1371;UTF-8" | ||
| 42 | -# "\x00\x0f;-c;IBM1388;UTF-8" | ||
| 43 | -# "\x00\x0f;-c;IBM1390;UTF-8" | ||
| 44 | -# "\x00\x0f;-c;IBM1399;UTF-8" | ||
| 45 | +"\x00\x0f;-c;IBM1364;UTF-8" | ||
| 46 | +"\x0e\x0e;-c;IBM1364;UTF-8" | ||
| 47 | +"\x00\x0f;-c;IBM1371;UTF-8" | ||
| 48 | +"\x0e\x0e;-c;IBM1371;UTF-8" | ||
| 49 | +"\x00\x0f;-c;IBM1388;UTF-8" | ||
| 50 | +"\x0e\x0e;-c;IBM1388;UTF-8" | ||
| 51 | +"\x00\x0f;-c;IBM1390;UTF-8" | ||
| 52 | +"\x0e\x0e;-c;IBM1390;UTF-8" | ||
| 53 | +"\x00\x0f;-c;IBM1399;UTF-8" | ||
| 54 | +"\x0e\x0e;-c;IBM1399;UTF-8" | ||
| 55 | "\x00\x53;-c;IBM16804;UTF-8//TRANSLIT//IGNORE" | ||
| 56 | "\x00\x41;-c;IBM274;UTF-8//TRANSLIT//IGNORE" | ||
| 57 | "\x00\x41;-c;IBM275;UTF-8//TRANSLIT//IGNORE" | ||
| 58 | diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c | ||
| 59 | index 49e7267ab4..521f0825b7 100644 | ||
| 60 | --- a/iconvdata/ibm1364.c | ||
| 61 | +++ b/iconvdata/ibm1364.c | ||
| 62 | @@ -158,24 +158,14 @@ enum | ||
| 63 | \ | ||
| 64 | if (__builtin_expect (ch, 0) == SO) \ | ||
| 65 | { \ | ||
| 66 | - /* Shift OUT, change to DBCS converter. */ \ | ||
| 67 | - if (curcs == db) \ | ||
| 68 | - { \ | ||
| 69 | - result = __GCONV_ILLEGAL_INPUT; \ | ||
| 70 | - break; \ | ||
| 71 | - } \ | ||
| 72 | + /* Shift OUT, change to DBCS converter (redundant escape okay). */ \ | ||
| 73 | curcs = db; \ | ||
| 74 | ++inptr; \ | ||
| 75 | continue; \ | ||
| 76 | } \ | ||
| 77 | if (__builtin_expect (ch, 0) == SI) \ | ||
| 78 | { \ | ||
| 79 | - /* Shift IN, change to SBCS converter. */ \ | ||
| 80 | - if (curcs == sb) \ | ||
| 81 | - { \ | ||
| 82 | - result = __GCONV_ILLEGAL_INPUT; \ | ||
| 83 | - break; \ | ||
| 84 | - } \ | ||
| 85 | + /* Shift IN, change to SBCS converter (redundant escape okay). */ \ | ||
| 86 | curcs = sb; \ | ||
| 87 | ++inptr; \ | ||
| 88 | continue; \ | ||
| 89 | -- | ||
| 90 | 2.29.2 | ||
| 91 | |||
diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb index d43c8c56cb..edf196c428 100644 --- a/meta/recipes-core/glibc/glibc_2.32.bb +++ b/meta/recipes-core/glibc/glibc_2.32.bb | |||
| @@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ | |||
| 47 | file://CVE-2020-29562.patch \ | 47 | file://CVE-2020-29562.patch \ |
| 48 | file://CVE-2020-29573.patch \ | 48 | file://CVE-2020-29573.patch \ |
| 49 | file://CVE-2019-25013.patch \ | 49 | file://CVE-2019-25013.patch \ |
| 50 | file://CVE-2020-27618.patch \ | ||
| 50 | " | 51 | " |
| 51 | S = "${WORKDIR}/git" | 52 | S = "${WORKDIR}/git" |
| 52 | B = "${WORKDIR}/build-${TARGET_SYS}" | 53 | B = "${WORKDIR}/build-${TARGET_SYS}" |