author | Kai Kang <kai.kang@windriver.com> | 2015-05-28 09:26:14 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-05-30 22:26:12 +0100 |
commit | fb0da9e6f34b65bbadd7aefa79705fc6f22778aa (patch) | |
tree | 91fe215ebeea17e303b71dbdad7325eccb3d3ea2 /meta/recipes-support/gpgme/gpgme-1.4.3 | |
parent | 1c5e37acb9c091f533534d6e31d2b17599ef2d78 (diff) | |
download | poky-fb0da9e6f34b65bbadd7aefa79705fc6f22778aa.tar.gz |
gpgme: fix CVE-2014-3564
Backport patch to fix CVE-2014-3564.
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f
(From OE-Core rev: 421e21b08a6a32db88aaf46033ca503a99e49b74)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/gpgme/gpgme-1.4.3')
-rw-r--r-- | meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch | 56 |
1 files changed, 56 insertions, 0 deletions
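diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
new file mode 100644
index 0000000000..c728f58658
--- /dev/null
+++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Backport
+
+Backport patch to fix CVE-2014-3564.
+
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 30 Jul 2014 11:04:55 +0200
+Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
+engines.
+
+After a realloc (realloc is also used for initial alloc) the allocated
+size if the buffer is not correctly recorded. Thus an overflow can be
+introduced by receiving data with different line lengths in a specific
+order. This is not easy exploitable because libassuan constructs the
+line. However a crash has been reported and thus it might be possible
+to constructs an exploit.
+
+CVE-id: CVE-2014-3564
+Reported-by: Tomáš Trnka
+---
+src/engine-gpgsm.c | 2 +-
+src/engine-uiserver.c | 2 +-
+3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
+index 8ec1598..3a83757 100644
+--- a/src/engine-gpgsm.c
++++ b/src/engine-gpgsm.c
+@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
+else
+{
+*aline = newline;
+- gpgsm->colon.attic.linesize += linelen + 1;
++ gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
+}
+}
+if (!err)
+diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
+index 2738c36..a7184b7 100644
+--- a/src/engine-uiserver.c
++++ b/src/engine-uiserver.c
+@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
+else
+{
+*aline = newline;
+- uiserver->colon.attic.linesize += linelen + 1;
++ uiserver->colon.attic.linesize = *alinelen + linelen + 1;
+}
+}
+if (!err)
+--
+2.1.4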
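Review bot: The embedded upstream patch still carries the diffstat `3 files changed, 5 insertions(+), 2 deletions(-)`, yet only the `src/engine-gpgsm.c` and `src/engine-uiserver.c` hunks are present, so a third file from the upstream commit appears to have been dropped without explanation. I would record that in the header under `Upstream-Status: Backport`, e.g. `Dropped the hunk for <third upstream file>: <reason>`, and add the OE-Core `CVE: CVE-2014-3564` tag there so the fixed CVE is machine-readable next to upstream's `CVE-id:` line. On the fix itself, both `status_handler` hunks now store `*alinelen + linelen + 1` in `colon.attic.linesize`; the realloc call whose size this must match lies outside the hunks, so it is worth confirming against the 1.4.3 sources that the two expressions agree and that the sum cannot wrap.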