diff options
| author | Andre McCurdy <armccurdy@gmail.com> | 2015-03-19 10:50:18 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-03-25 12:52:51 +0000 |
| commit | 1f718df76e462b1432d11de860daaf57bb59c1f2 (patch) | |
| tree | 34c810f1a3bfc968402bd8337b9dc7cc32be7d62 /meta/recipes-core | |
| parent | 93e3df91aaebd48b9c4af946247f3488681d32b6 (diff) | |
| download | poky-1f718df76e462b1432d11de860daaf57bb59c1f2.tar.gz | |
busybox: lzop: add overflow check (CVE-2014-4607)
Backport from busybox 1_22_stable branch:
http://git.busybox.net/busybox/commit/?h=1_22_stable&id=5698ff93233b47218a677fd7facd8cc90211d1a4
(From OE-Core rev: 680fc6e7c571f70cffa9799c21604e0719504591)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
| -rw-r--r-- | meta/recipes-core/busybox/busybox/lzop-add-overflow-check.patch | 71 | ||||
| -rw-r--r-- | meta/recipes-core/busybox/busybox_1.22.1.bb | 1 |
2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/lzop-add-overflow-check.patch b/meta/recipes-core/busybox/busybox/lzop-add-overflow-check.patch new file mode 100644 index 0000000000..63d49481a3 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/lzop-add-overflow-check.patch | |||
| @@ -0,0 +1,71 @@ | |||
| 1 | Upstream-status: Backport | ||
| 2 | http://git.busybox.net/busybox/commit/?h=1_22_stable&id=5698ff93233b47218a677fd7facd8cc90211d1a4 | ||
| 3 | |||
| 4 | From 5698ff93233b47218a677fd7facd8cc90211d1a4 Mon Sep 17 00:00:00 2001 | ||
| 5 | From: Denys Vlasenko <vda.linux@googlemail.com> | ||
| 6 | Date: Mon, 30 Jun 2014 10:14:34 +0200 | ||
| 7 | Subject: [PATCH] lzop: add overflow check | ||
| 8 | |||
| 9 | See CVE-2014-4607 | ||
| 10 | http://www.openwall.com/lists/oss-security/2014/06/26/20 | ||
| 11 | |||
| 12 | function old new delta | ||
| 13 | lzo1x_decompress_safe 1010 1031 +21 | ||
| 14 | |||
| 15 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> | ||
| 16 | Signed-off-by: Mike Frysinger <vapier@gentoo.org> | ||
| 17 | (cherry picked from commit a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3) | ||
| 18 | --- | ||
| 19 | archival/libarchive/liblzo.h | 2 ++ | ||
| 20 | archival/libarchive/lzo1x_d.c | 3 +++ | ||
| 21 | 2 files changed, 5 insertions(+) | ||
| 22 | |||
| 23 | diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h | ||
| 24 | index 843997c..4596620 100644 | ||
| 25 | --- a/archival/libarchive/liblzo.h | ||
| 26 | +++ b/archival/libarchive/liblzo.h | ||
| 27 | @@ -76,11 +76,13 @@ | ||
| 28 | # define TEST_IP (ip < ip_end) | ||
| 29 | # define NEED_IP(x) \ | ||
| 30 | if ((unsigned)(ip_end - ip) < (unsigned)(x)) goto input_overrun | ||
| 31 | +# define TEST_IV(x) if ((x) > (unsigned)0 - (511)) goto input_overrun | ||
| 32 | |||
| 33 | # undef TEST_OP /* don't need both of the tests here */ | ||
| 34 | # define TEST_OP 1 | ||
| 35 | # define NEED_OP(x) \ | ||
| 36 | if ((unsigned)(op_end - op) < (unsigned)(x)) goto output_overrun | ||
| 37 | +# define TEST_OV(x) if ((x) > (unsigned)0 - (511)) goto output_overrun | ||
| 38 | |||
| 39 | #define HAVE_ANY_OP 1 | ||
| 40 | |||
| 41 | diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c | ||
| 42 | index 9bc1270..40b167e 100644 | ||
| 43 | --- a/archival/libarchive/lzo1x_d.c | ||
| 44 | +++ b/archival/libarchive/lzo1x_d.c | ||
| 45 | @@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len, | ||
| 46 | ip++; | ||
| 47 | NEED_IP(1); | ||
| 48 | } | ||
| 49 | + TEST_IV(t); | ||
| 50 | t += 15 + *ip++; | ||
| 51 | } | ||
| 52 | /* copy literals */ | ||
| 53 | @@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len, | ||
| 54 | ip++; | ||
| 55 | NEED_IP(1); | ||
| 56 | } | ||
| 57 | + TEST_IV(t); | ||
| 58 | t += 31 + *ip++; | ||
| 59 | } | ||
| 60 | #if defined(COPY_DICT) | ||
| 61 | @@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len, | ||
| 62 | ip++; | ||
| 63 | NEED_IP(1); | ||
| 64 | } | ||
| 65 | + TEST_IV(t); | ||
| 66 | t += 7 + *ip++; | ||
| 67 | } | ||
| 68 | #if defined(COPY_DICT) | ||
| 69 | -- | ||
| 70 | 1.9.1 | ||
| 71 | |||
diff --git a/meta/recipes-core/busybox/busybox_1.22.1.bb b/meta/recipes-core/busybox/busybox_1.22.1.bb index 77365201b5..3934278328 100644 --- a/meta/recipes-core/busybox/busybox_1.22.1.bb +++ b/meta/recipes-core/busybox/busybox_1.22.1.bb | |||
| @@ -33,6 +33,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ | |||
| 33 | file://recognize_connmand.patch \ | 33 | file://recognize_connmand.patch \ |
| 34 | file://busybox-cross-menuconfig.patch \ | 34 | file://busybox-cross-menuconfig.patch \ |
| 35 | file://CVE-2014-9645_busybox_reject_module_names_with_slashes.patch \ | 35 | file://CVE-2014-9645_busybox_reject_module_names_with_slashes.patch \ |
| 36 | file://lzop-add-overflow-check.patch \ | ||
| 36 | " | 37 | " |
| 37 | 38 | ||
| 38 | SRC_URI[tarball.md5sum] = "337d1a15ab1cb1d4ed423168b1eb7d7e" | 39 | SRC_URI[tarball.md5sum] = "337d1a15ab1cb1d4ed423168b1eb7d7e" |