gpgme: fix CVE-2014-3564

Backport patch to fix CVE-2014-3564. http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f (From OE-Core rev: 421e21b08a6a32db88aaf46033ca503a99e49b74) (From OE-Core rev: 7643fe96bbce57995580162b5339674cc4a9c81f) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Conflicts: meta/recipes-support/gpgme/gpgme_1.4.3.bb Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2015-05-28 09:26:14 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-07-20 20:54:33 +0100
commit: ea2e7dbcd74c810ae67ae9cdf78c31700630e241 (patch)
tree: e5f8d752e56a48c956e71d6177fa42cc4f813eb8 /meta
parent: 215c4d948df8d480179e842781158bcee216d9d3 (diff)
download: poky-ea2e7dbcd74c810ae67ae9cdf78c31700630e241.tar.gz
2 files changed, 59 insertions, 1 deletions
diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
new file mode 100644
index 0000000000..c728f58658
--- /dev/null
+++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Backport
+Backport patch to fix CVE-2014-3564.
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 30 Jul 2014 11:04:55 +0200
+Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
+ engines.
+After a realloc (realloc is also used for initial alloc) the allocated
+size if the buffer is not correctly recorded.  Thus an overflow can be
+introduced by receiving data with different line lengths in a specific
+order.  This is not easy exploitable because libassuan constructs the
+line.  However a crash has been reported and thus it might be possible
+to constructs an exploit.
+CVE-id: CVE-2014-3564
+Reported-by: TomÃ¡Å¡ Trnka
+---
+ src/engine-gpgsm.c    | 2 +-
+ src/engine-uiserver.c | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
+index 8ec1598..3a83757 100644
+--- a/src/engine-gpgsm.c
+++ b/src/engine-gpgsm.c
+@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
+              else
+                {
+                  *aline = newline;
+-                 gpgsm->colon.attic.linesize += linelen + 1;
+                 gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
+                }
+            }
+          if (!err)
+diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
+index 2738c36..a7184b7 100644
+--- a/src/engine-uiserver.c
+++ b/src/engine-uiserver.c
+@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
+              else
+                {
+                  *aline = newline;
+-                 uiserver->colon.attic.linesize += linelen + 1;
+                 uiserver->colon.attic.linesize = *alinelen + linelen + 1;
+                }
+            }
+          if (!err)
+-- 
+2.1.4
diff --git a/meta/recipes-support/gpgme/gpgme_1.4.3.bb b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
index ca1e5f9344..f16677e96e 100644
--- a/meta/recipes-support/gpgme/gpgme_1.4.3.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
@@ -11,7 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
 SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
           file://disable_gpgconf_check.patch \
-           file://gpgme.pc"
+           file://gpgme.pc \
+           file://gpgme-fix-CVE-2014-3564.patch \
+          "
 SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
 SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"
author	Kai Kang <kai.kang@windriver.com>	2015-05-28 09:26:14 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-07-20 20:54:33 +0100
commit	ea2e7dbcd74c810ae67ae9cdf78c31700630e241 (patch)
tree	e5f8d752e56a48c956e71d6177fa42cc4f813eb8 /meta
parent	215c4d948df8d480179e842781158bcee216d9d3 (diff)
download	poky-ea2e7dbcd74c810ae67ae9cdf78c31700630e241.tar.gz

diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch new file mode 100644 index 0000000000..c728f58658 --- /dev/null +++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
		1	Upstream-Status: Backport
		2
		3	Backport patch to fix CVE-2014-3564.
		4
		5	http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
		6
		7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		8	---
		9	From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
		10	From: Werner Koch <wk@gnupg.org>
		11	Date: Wed, 30 Jul 2014 11:04:55 +0200
		12	Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
		13	engines.
		14
		15	After a realloc (realloc is also used for initial alloc) the allocated
		16	size if the buffer is not correctly recorded. Thus an overflow can be
		17	introduced by receiving data with different line lengths in a specific
		18	order. This is not easy exploitable because libassuan constructs the
		19	line. However a crash has been reported and thus it might be possible
		20	to constructs an exploit.
		21
		22	CVE-id: CVE-2014-3564
		23	Reported-by: TomÃ¡Å¡ Trnka
		24	---
		25	src/engine-gpgsm.c \| 2 +-
		26	src/engine-uiserver.c \| 2 +-
		27	3 files changed, 5 insertions(+), 2 deletions(-)
		28
		29	diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
		30	index 8ec1598..3a83757 100644
		31	--- a/src/engine-gpgsm.c
		32	+++ b/src/engine-gpgsm.c
		33	@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
		34	else
		35	{
		36	*aline = newline;
		37	- gpgsm->colon.attic.linesize += linelen + 1;
		38	+ gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
		39	}
		40	}
		41	if (!err)
		42	diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
		43	index 2738c36..a7184b7 100644
		44	--- a/src/engine-uiserver.c
		45	+++ b/src/engine-uiserver.c
		46	@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
		47	else
		48	{
		49	*aline = newline;
		50	- uiserver->colon.attic.linesize += linelen + 1;
		51	+ uiserver->colon.attic.linesize = *alinelen + linelen + 1;
		52	}
		53	}
		54	if (!err)
		55	--
		56	2.1.4


diff --git a/meta/recipes-support/gpgme/gpgme_1.4.3.bb b/meta/recipes-support/gpgme/gpgme_1.4.3.bb index ca1e5f9344..f16677e96e 100644 --- a/meta/recipes-support/gpgme/gpgme_1.4.3.bb +++ b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
@@ -11,7 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
11		11
12	SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \	12	SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
13	file://disable_gpgconf_check.patch \	13	file://disable_gpgconf_check.patch \
14	file://gpgme.pc"	14	file://gpgme.pc \
		15	file://gpgme-fix-CVE-2014-3564.patch \
		16	"
15		17
16	SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"	18	SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
17	SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"	19	SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"