diff options
| author | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-03-02 12:04:08 +0000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-03-07 20:05:31 +0000 |
| commit | 2345af9b4829ed3eed5abf60f2483055649f8af7 (patch) | |
| tree | 96a9a31e4b1957b93c4fe3eb669117d2752caf0d /meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch | |
| parent | c4901328fe5cf912c0965e5b011b64a95a9bcb9d (diff) | |
| download | poky-uninative-1.5.tar.gz | |
recipes: Move out stale GPLv2 versions to a seperate layeruninative-1.5
These are recipes where the upstream has moved to GPLv3 and these old
versions are the last ones under the GPLv2 license.
There are several reasons for making this move. There is a different
quality of service with these recipes in that they don't get security
fixes and upstream no longer care about them, in fact they're actively
hostile against people using old versions. The recipes tend to need a
different kind of maintenance to work with changes in the wider ecosystem
and there needs to be isolation between changes made in the v3 versions
and those in the v2 versions.
There are probably better ways to handle a "non-GPLv3" system but right
now having these in OE-Core makes them look like a first class citizen
when I believe they have potential for a variety of undesireable issues.
Moving them into a separate layer makes their different needs clearer, it
also makes it clear how many of these there are. Some are probably not
needed (e.g. mc), I also wonder whether some are useful (e.g. gmp)
since most things that use them are GPLv3 only already. Someone could
now more clearly see how to streamline the list of recipes here.
I'm proposing we mmove to this separate layer for 2.3 with its future
maintinership and testing to be determined in 2.4 and beyond.
(From OE-Core rev: 19b7e950346fb1dde6505c45236eba6cd9b33b4b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch')
| -rw-r--r-- | meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch | 33 |
1 files changed, 0 insertions, 33 deletions
diff --git a/meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch b/meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch deleted file mode 100644 index a40a9f30bc..0000000000 --- a/meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch +++ /dev/null | |||
| @@ -1,33 +0,0 @@ | |||
| 1 | The patch to fix CVE-2012-5667 | ||
| 2 | Reference: https://bugzilla.redhat.com/attachment.cgi?id=686605&action=diff | ||
| 3 | |||
| 4 | Multiple integer overflows in GNU Grep before 2.11 might allow | ||
| 5 | context-dependent attackers to execute arbitrary code via vectors | ||
| 6 | involving a long input line that triggers a heap-based buffer overflow. | ||
| 7 | |||
| 8 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5667 | ||
| 9 | |||
| 10 | Upstream-Status: Inappropriate [other] | ||
| 11 | This version of GNU Grep has been abandoned upstream and they are no longer | ||
| 12 | accepting patches. This is not a backport. | ||
| 13 | CVE: CVE-2012-5667 | ||
| 14 | |||
| 15 | Signed-off-by: Ming Liu <ming.liu@windriver.com> | ||
| 16 | --- | ||
| 17 | grep.c | 7 +++---- | ||
| 18 | 1 file changed, 3 insertions(+), 4 deletions(-) | ||
| 19 | |||
| 20 | --- a/src/grep.c 2013-05-15 13:39:33.359191769 +0800 | ||
| 21 | +++ a/src/grep.c 2013-05-15 13:50:22.609191882 +0800 | ||
| 22 | @@ -306,6 +306,11 @@ fillbuf (size_t save, struct stats const | ||
| 23 | int cc = 1; | ||
| 24 | char *readbuf; | ||
| 25 | size_t readsize; | ||
| 26 | + const size_t max_save = INT_MAX / 2; | ||
| 27 | + | ||
| 28 | + /* Limit the amount of saved data to INT_MAX to fix CVE-2012-5667 */ | ||
| 29 | + if (save > max_save) | ||
| 30 | + error (2, 0, _("line too long")); | ||
| 31 | |||
| 32 | /* Offset from start of buffer to start of old stuff | ||
| 33 | that we want to save. */ | ||