less: fix CVE-2014-9488

An out of bounds read access in the UTF-8 decoding can be triggered with a malformed file in the tool less. The access happens in the function is_utf8_well_formed due to a truncated multibyte character in the sample file. The bug does not crash less, it can only be made visible by running less with valgrind or compiling it with Address Sanitizer. Version 475 of less contains a fix for this issue. The file version.c contains some entry mentioning this issue (without any credit): - v475 3/2/15 Fix possible buffer overrun with invalid UTF-8 The fix is in the file line.c. We derive this patch from: https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html Thank Claire Robinson for validating it on Mageia 4 i586. Refer to: https://bugs.mageia.org/show_bug.cgi?id=15567 (From OE-Core master rev: 68994284f3c059b737bfc5afc2600ebd09bdf47f) (From OE-Core rev: 7195d219f7af2b94dffb87a94077ec98dacdcdb0) Signed-off-by: Junling Zheng <zhengjunling@huawei.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Junling Zheng <zhengjunling@huawei.com> 2015-04-24 13:58:59 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-05-15 18:12:47 +0100
commit: 8d07cacde34419f4dd124bd89b0cb24544d8a704 (patch)
tree: bd4b02e0fe8e483c155fa78e83c531d7dc5d5771 /meta/recipes-extended
parent: 205e9ed8969cfa2d2d6e6448f873b86876c699d2 (diff)
download: poky-8d07cacde34419f4dd124bd89b0cb24544d8a704.tar.gz
2 files changed, 52 insertions, 1 deletions
diff --git a/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch b/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch
new file mode 100644
index 0000000000..455eafc492
--- /dev/null
+++ b/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch
@@ -0,0 +1,49 @@
+From e0a1add063a657b98611c94debb3631b8ffa36fe Mon Sep 17 00:00:00 2001
+From: Junling Zheng <zhengjunling@huawei.com>
+Date: Fri, 24 Apr 2015 11:24:04 +0800
+Subject: [PATCH] Fix possible buffer overrun with invalid UTF-8
+An out of bounds read access in the UTF-8 decoding can be triggered with
+a malformed file in the tool less. The access happens in the function
+is_utf8_well_formed due to a truncated multibyte character in the sample
+file.
+The bug does not crash less, it can only be made visible by running less
+with valgrind or compiling it with Address Sanitizer.
+Version 475 of less contains a fix for this issue. The file version.c
+contains some entry mentioning this issue (without any credit):
+ - v475 3/2/15 Fix possible buffer overrun with invalid UTF-8
+The fix is in the file line.c. We derive this patch from:
+https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html
+Thank Claire Robinson for validating it on Mageia 4 i586. Refer to:
+https://bugs.mageia.org/show_bug.cgi?id=15567
+Upstream Status: Backported
+Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
+---
+ line.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/line.c b/line.c
+index 89495a3..474be2c 100644
+--- a/line.c
+++ b/line.c
+@@ -807,7 +807,7 @@ pappend(c, pos)
+                        mbc_buf[mbc_buf_index++] = c;
+                        if (mbc_buf_index < mbc_buf_len)
+                                return (0);
+-                       if (is_utf8_well_formed(mbc_buf))
+                       if (is_utf8_well_formed(mbc_buf, mbc_buf_index))
+                                r = do_append(get_wchar(mbc_buf), mbc_buf, mbc_pos);
+                        else
+                                /* Complete, but not shortest form, sequence. */
+-- 
+1.9.1
diff --git a/meta/recipes-extended/less/less_471.bb b/meta/recipes-extended/less/less_471.bb
index 81d354ccf0..72d256276b 100644
--- a/meta/recipes-extended/less/less_471.bb
+++ b/meta/recipes-extended/less/less_471.bb
@@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
                    file://LICENSE;md5=866cc220f330b04ae4661fc3cdfedea7"
 DEPENDS = "ncurses"
-SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz"
+SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
+           file://0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch \
+          "
 SRC_URI[md5sum] = "9a40d29a2d84b41f9f36d7dd90b4f950"
 SRC_URI[sha256sum] = "37f613fa9a526378788d790a92217d59b523574cf7159f6538da8564b3fb27f8"
author	Junling Zheng <zhengjunling@huawei.com>	2015-04-24 13:58:59 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-05-15 18:12:47 +0100
commit	8d07cacde34419f4dd124bd89b0cb24544d8a704 (patch)
tree	bd4b02e0fe8e483c155fa78e83c531d7dc5d5771 /meta/recipes-extended
parent	205e9ed8969cfa2d2d6e6448f873b86876c699d2 (diff)
download	poky-8d07cacde34419f4dd124bd89b0cb24544d8a704.tar.gz

diff --git a/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch b/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch new file mode 100644 index 0000000000..455eafc492 --- /dev/null +++ b/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch
@@ -0,0 +1,49 @@
		1	From e0a1add063a657b98611c94debb3631b8ffa36fe Mon Sep 17 00:00:00 2001
		2	From: Junling Zheng <zhengjunling@huawei.com>
		3	Date: Fri, 24 Apr 2015 11:24:04 +0800
		4	Subject: [PATCH] Fix possible buffer overrun with invalid UTF-8
		5
		6	An out of bounds read access in the UTF-8 decoding can be triggered with
		7	a malformed file in the tool less. The access happens in the function
		8	is_utf8_well_formed due to a truncated multibyte character in the sample
		9	file.
		10
		11	The bug does not crash less, it can only be made visible by running less
		12	with valgrind or compiling it with Address Sanitizer.
		13
		14	Version 475 of less contains a fix for this issue. The file version.c
		15	contains some entry mentioning this issue (without any credit):
		16
		17	- v475 3/2/15 Fix possible buffer overrun with invalid UTF-8
		18
		19	The fix is in the file line.c. We derive this patch from:
		20
		21	https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html
		22
		23	Thank Claire Robinson for validating it on Mageia 4 i586. Refer to:
		24
		25	https://bugs.mageia.org/show_bug.cgi?id=15567
		26
		27	Upstream Status: Backported
		28
		29	Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
		30	---
		31	line.c \| 2 +-
		32	1 file changed, 1 insertion(+), 1 deletion(-)
		33
		34	diff --git a/line.c b/line.c
		35	index 89495a3..474be2c 100644
		36	--- a/line.c
		37	+++ b/line.c
		38	@@ -807,7 +807,7 @@ pappend(c, pos)
		39	mbc_buf[mbc_buf_index++] = c;
		40	if (mbc_buf_index < mbc_buf_len)
		41	return (0);
		42	- if (is_utf8_well_formed(mbc_buf))
		43	+ if (is_utf8_well_formed(mbc_buf, mbc_buf_index))
		44	r = do_append(get_wchar(mbc_buf), mbc_buf, mbc_pos);
		45	else
		46	/* Complete, but not shortest form, sequence. */
		47	--
		48	1.9.1
		49


diff --git a/meta/recipes-extended/less/less_471.bb b/meta/recipes-extended/less/less_471.bb index 81d354ccf0..72d256276b 100644 --- a/meta/recipes-extended/less/less_471.bb +++ b/meta/recipes-extended/less/less_471.bb
@@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
24	file://LICENSE;md5=866cc220f330b04ae4661fc3cdfedea7"	24	file://LICENSE;md5=866cc220f330b04ae4661fc3cdfedea7"
25	DEPENDS = "ncurses"	25	DEPENDS = "ncurses"
26		26
27	SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz"	27	SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
		28	file://0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch \
		29	"
28		30
29	SRC_URI[md5sum] = "9a40d29a2d84b41f9f36d7dd90b4f950"	31	SRC_URI[md5sum] = "9a40d29a2d84b41f9f36d7dd90b4f950"
30	SRC_URI[sha256sum] = "37f613fa9a526378788d790a92217d59b523574cf7159f6538da8564b3fb27f8"	32	SRC_URI[sha256sum] = "37f613fa9a526378788d790a92217d59b523574cf7159f6538da8564b3fb27f8"