diff options
author | Ross Burton <ross.burton@intel.com> | 2019-06-24 19:13:08 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-27 18:05:18 +0100 |
commit | 45e662b445970d6f57b8787c0c61b903cdfaa238 (patch) | |
tree | 00f44ca721eaa0ff40ca96127f8a4defb9cd254f /meta | |
parent | f749c69115dcc3918d1fd0acd379852288193345 (diff) | |
download | poky-45e662b445970d6f57b8787c0c61b903cdfaa238.tar.gz |
glibc: backport CVE fixes
Backport the fixes for several CVEs from the 2.28 stable branch:
- CVE-2016-10739
- CVE-2018-19591
(From OE-Core rev: 950a60c0e4183037a807031ddc9167b1a81a5348)
Signed-off-by: Ross Burton <ross.burton@intel.com>
[Dropped CVE-2019-9169 as its in my contrib already]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2016-10739.patch | 232 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2018-19591.patch | 48 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.28.bb | 2 |
3 files changed, 282 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch new file mode 100644 index 0000000000..7eb55d6663 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch | |||
@@ -0,0 +1,232 @@ | |||
1 | CVE: CVE-2016-10739 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From 8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Mon Sep 17 00:00:00 2001 | ||
6 | From: Florian Weimer <fweimer@redhat.com> | ||
7 | Date: Mon, 21 Jan 2019 08:59:42 +0100 | ||
8 | Subject: [PATCH] resolv: Reformat inet_addr, inet_aton to GNU style | ||
9 | |||
10 | (cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0) | ||
11 | --- | ||
12 | ChangeLog | 5 ++ | ||
13 | resolv/inet_addr.c | 192 ++++++++++++++++++++++++++++------------------------- | ||
14 | 2 files changed, 106 insertions(+), 91 deletions(-) | ||
15 | |||
16 | diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c | ||
17 | index 022f7ea084..32f58b0e13 100644 | ||
18 | --- a/resolv/inet_addr.c | ||
19 | +++ b/resolv/inet_addr.c | ||
20 | @@ -1,3 +1,21 @@ | ||
21 | +/* Legacy IPv4 text-to-address functions. | ||
22 | + Copyright (C) 2019 Free Software Foundation, Inc. | ||
23 | + This file is part of the GNU C Library. | ||
24 | + | ||
25 | + The GNU C Library is free software; you can redistribute it and/or | ||
26 | + modify it under the terms of the GNU Lesser General Public | ||
27 | + License as published by the Free Software Foundation; either | ||
28 | + version 2.1 of the License, or (at your option) any later version. | ||
29 | + | ||
30 | + The GNU C Library is distributed in the hope that it will be useful, | ||
31 | + but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
32 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
33 | + Lesser General Public License for more details. | ||
34 | + | ||
35 | + You should have received a copy of the GNU Lesser General Public | ||
36 | + License along with the GNU C Library; if not, see | ||
37 | + <http://www.gnu.org/licenses/>. */ | ||
38 | + | ||
39 | /* | ||
40 | * Copyright (c) 1983, 1990, 1993 | ||
41 | * The Regents of the University of California. All rights reserved. | ||
42 | @@ -78,105 +96,97 @@ | ||
43 | #include <limits.h> | ||
44 | #include <errno.h> | ||
45 | |||
46 | -/* | ||
47 | - * Ascii internet address interpretation routine. | ||
48 | - * The value returned is in network order. | ||
49 | - */ | ||
50 | +/* ASCII IPv4 Internet address interpretation routine. The value | ||
51 | + returned is in network order. */ | ||
52 | in_addr_t | ||
53 | -__inet_addr(const char *cp) { | ||
54 | - struct in_addr val; | ||
55 | +__inet_addr (const char *cp) | ||
56 | +{ | ||
57 | + struct in_addr val; | ||
58 | |||
59 | - if (__inet_aton(cp, &val)) | ||
60 | - return (val.s_addr); | ||
61 | - return (INADDR_NONE); | ||
62 | + if (__inet_aton (cp, &val)) | ||
63 | + return val.s_addr; | ||
64 | + return INADDR_NONE; | ||
65 | } | ||
66 | weak_alias (__inet_addr, inet_addr) | ||
67 | |||
68 | -/* | ||
69 | - * Check whether "cp" is a valid ascii representation | ||
70 | - * of an Internet address and convert to a binary address. | ||
71 | - * Returns 1 if the address is valid, 0 if not. | ||
72 | - * This replaces inet_addr, the return value from which | ||
73 | - * cannot distinguish between failure and a local broadcast address. | ||
74 | - */ | ||
75 | +/* Check whether "cp" is a valid ASCII representation of an IPv4 | ||
76 | + Internet address and convert it to a binary address. Returns 1 if | ||
77 | + the address is valid, 0 if not. This replaces inet_addr, the | ||
78 | + return value from which cannot distinguish between failure and a | ||
79 | + local broadcast address. */ | ||
80 | int | ||
81 | -__inet_aton(const char *cp, struct in_addr *addr) | ||
82 | +__inet_aton (const char *cp, struct in_addr *addr) | ||
83 | { | ||
84 | - static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff }; | ||
85 | - in_addr_t val; | ||
86 | - char c; | ||
87 | - union iaddr { | ||
88 | - uint8_t bytes[4]; | ||
89 | - uint32_t word; | ||
90 | - } res; | ||
91 | - uint8_t *pp = res.bytes; | ||
92 | - int digit; | ||
93 | - | ||
94 | - int saved_errno = errno; | ||
95 | - __set_errno (0); | ||
96 | - | ||
97 | - res.word = 0; | ||
98 | - | ||
99 | - c = *cp; | ||
100 | - for (;;) { | ||
101 | - /* | ||
102 | - * Collect number up to ``.''. | ||
103 | - * Values are specified as for C: | ||
104 | - * 0x=hex, 0=octal, isdigit=decimal. | ||
105 | - */ | ||
106 | - if (!isdigit(c)) | ||
107 | - goto ret_0; | ||
108 | - { | ||
109 | - char *endp; | ||
110 | - unsigned long ul = strtoul (cp, (char **) &endp, 0); | ||
111 | - if (ul == ULONG_MAX && errno == ERANGE) | ||
112 | - goto ret_0; | ||
113 | - if (ul > 0xfffffffful) | ||
114 | - goto ret_0; | ||
115 | - val = ul; | ||
116 | - digit = cp != endp; | ||
117 | - cp = endp; | ||
118 | - } | ||
119 | - c = *cp; | ||
120 | - if (c == '.') { | ||
121 | - /* | ||
122 | - * Internet format: | ||
123 | - * a.b.c.d | ||
124 | - * a.b.c (with c treated as 16 bits) | ||
125 | - * a.b (with b treated as 24 bits) | ||
126 | - */ | ||
127 | - if (pp > res.bytes + 2 || val > 0xff) | ||
128 | - goto ret_0; | ||
129 | - *pp++ = val; | ||
130 | - c = *++cp; | ||
131 | - } else | ||
132 | - break; | ||
133 | - } | ||
134 | - /* | ||
135 | - * Check for trailing characters. | ||
136 | - */ | ||
137 | - if (c != '\0' && (!isascii(c) || !isspace(c))) | ||
138 | - goto ret_0; | ||
139 | - /* | ||
140 | - * Did we get a valid digit? | ||
141 | - */ | ||
142 | - if (!digit) | ||
143 | - goto ret_0; | ||
144 | - | ||
145 | - /* Check whether the last part is in its limits depending on | ||
146 | - the number of parts in total. */ | ||
147 | - if (val > max[pp - res.bytes]) | ||
148 | + static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff }; | ||
149 | + in_addr_t val; | ||
150 | + char c; | ||
151 | + union iaddr | ||
152 | + { | ||
153 | + uint8_t bytes[4]; | ||
154 | + uint32_t word; | ||
155 | + } res; | ||
156 | + uint8_t *pp = res.bytes; | ||
157 | + int digit; | ||
158 | + | ||
159 | + int saved_errno = errno; | ||
160 | + __set_errno (0); | ||
161 | + | ||
162 | + res.word = 0; | ||
163 | + | ||
164 | + c = *cp; | ||
165 | + for (;;) | ||
166 | + { | ||
167 | + /* Collect number up to ``.''. Values are specified as for C: | ||
168 | + 0x=hex, 0=octal, isdigit=decimal. */ | ||
169 | + if (!isdigit (c)) | ||
170 | + goto ret_0; | ||
171 | + { | ||
172 | + char *endp; | ||
173 | + unsigned long ul = strtoul (cp, &endp, 0); | ||
174 | + if (ul == ULONG_MAX && errno == ERANGE) | ||
175 | goto ret_0; | ||
176 | - | ||
177 | - if (addr != NULL) | ||
178 | - addr->s_addr = res.word | htonl (val); | ||
179 | - | ||
180 | - __set_errno (saved_errno); | ||
181 | - return (1); | ||
182 | - | ||
183 | -ret_0: | ||
184 | - __set_errno (saved_errno); | ||
185 | - return (0); | ||
186 | + if (ul > 0xfffffffful) | ||
187 | + goto ret_0; | ||
188 | + val = ul; | ||
189 | + digit = cp != endp; | ||
190 | + cp = endp; | ||
191 | + } | ||
192 | + c = *cp; | ||
193 | + if (c == '.') | ||
194 | + { | ||
195 | + /* Internet format: | ||
196 | + a.b.c.d | ||
197 | + a.b.c (with c treated as 16 bits) | ||
198 | + a.b (with b treated as 24 bits). */ | ||
199 | + if (pp > res.bytes + 2 || val > 0xff) | ||
200 | + goto ret_0; | ||
201 | + *pp++ = val; | ||
202 | + c = *++cp; | ||
203 | + } | ||
204 | + else | ||
205 | + break; | ||
206 | + } | ||
207 | + /* Check for trailing characters. */ | ||
208 | + if (c != '\0' && (!isascii (c) || !isspace (c))) | ||
209 | + goto ret_0; | ||
210 | + /* Did we get a valid digit? */ | ||
211 | + if (!digit) | ||
212 | + goto ret_0; | ||
213 | + | ||
214 | + /* Check whether the last part is in its limits depending on the | ||
215 | + number of parts in total. */ | ||
216 | + if (val > max[pp - res.bytes]) | ||
217 | + goto ret_0; | ||
218 | + | ||
219 | + if (addr != NULL) | ||
220 | + addr->s_addr = res.word | htonl (val); | ||
221 | + | ||
222 | + __set_errno (saved_errno); | ||
223 | + return 1; | ||
224 | + | ||
225 | + ret_0: | ||
226 | + __set_errno (saved_errno); | ||
227 | + return 0; | ||
228 | } | ||
229 | weak_alias (__inet_aton, inet_aton) | ||
230 | libc_hidden_def (__inet_aton) | ||
231 | -- | ||
232 | 2.11.0 | ||
diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch b/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch new file mode 100644 index 0000000000..9c78a3dfa0 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | CVE: CVE-2018-19591 | ||
2 | Upstream-Status: Backport | ||
3 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
4 | |||
5 | From ce6ba630dbc96f49eb1f30366aa62261df4792f9 Mon Sep 17 00:00:00 2001 | ||
6 | From: Florian Weimer <fweimer@redhat.com> | ||
7 | Date: Tue, 27 Nov 2018 16:12:43 +0100 | ||
8 | Subject: [PATCH] CVE-2018-19591: if_nametoindex: Fix descriptor for overlong | ||
9 | name [BZ #23927] | ||
10 | |||
11 | (cherry picked from commit d527c860f5a3f0ed687bd03f0cb464612dc23408) | ||
12 | --- | ||
13 | ChangeLog | 7 +++++++ | ||
14 | NEWS | 6 ++++++ | ||
15 | sysdeps/unix/sysv/linux/if_index.c | 11 ++++++----- | ||
16 | 3 files changed, 19 insertions(+), 5 deletions(-) | ||
17 | |||
18 | diff --git a/sysdeps/unix/sysv/linux/if_index.c b/sysdeps/unix/sysv/linux/if_index.c | ||
19 | index e3d08982d9..782fc5e175 100644 | ||
20 | --- a/sysdeps/unix/sysv/linux/if_index.c | ||
21 | +++ b/sysdeps/unix/sysv/linux/if_index.c | ||
22 | @@ -38,11 +38,6 @@ __if_nametoindex (const char *ifname) | ||
23 | return 0; | ||
24 | #else | ||
25 | struct ifreq ifr; | ||
26 | - int fd = __opensock (); | ||
27 | - | ||
28 | - if (fd < 0) | ||
29 | - return 0; | ||
30 | - | ||
31 | if (strlen (ifname) >= IFNAMSIZ) | ||
32 | { | ||
33 | __set_errno (ENODEV); | ||
34 | @@ -50,6 +45,12 @@ __if_nametoindex (const char *ifname) | ||
35 | } | ||
36 | |||
37 | strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); | ||
38 | + | ||
39 | + int fd = __opensock (); | ||
40 | + | ||
41 | + if (fd < 0) | ||
42 | + return 0; | ||
43 | + | ||
44 | if (__ioctl (fd, SIOCGIFINDEX, &ifr) < 0) | ||
45 | { | ||
46 | int saved_errno = errno; | ||
47 | -- | ||
48 | 2.11.0 | ||
diff --git a/meta/recipes-core/glibc/glibc_2.28.bb b/meta/recipes-core/glibc/glibc_2.28.bb index 1bcec3ecb1..0839fa126d 100644 --- a/meta/recipes-core/glibc/glibc_2.28.bb +++ b/meta/recipes-core/glibc/glibc_2.28.bb | |||
@@ -48,6 +48,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ | |||
48 | file://0033-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \ | 48 | file://0033-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \ |
49 | file://0034-inject-file-assembly-directives.patch \ | 49 | file://0034-inject-file-assembly-directives.patch \ |
50 | file://CVE-2019-9169.patch \ | 50 | file://CVE-2019-9169.patch \ |
51 | file://CVE-2016-10739.patch \ | ||
52 | file://CVE-2018-19591.patch \ | ||
51 | " | 53 | " |
52 | 54 | ||
53 | NATIVESDKFIXES ?= "" | 55 | NATIVESDKFIXES ?= "" |