gpgme: fix CVE-2014-3564

Backport patch to fix CVE-2014-3564. http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f (From OE-Core rev: 421e21b08a6a32db88aaf46033ca503a99e49b74) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2015-05-28 09:26:14 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-05-30 22:26:12 +0100
commit: fb0da9e6f34b65bbadd7aefa79705fc6f22778aa (patch)
tree: 91fe215ebeea17e303b71dbdad7325eccb3d3ea2 /meta
parent: 1c5e37acb9c091f533534d6e31d2b17599ef2d78 (diff)
download: poky-fb0da9e6f34b65bbadd7aefa79705fc6f22778aa.tar.gz
2 files changed, 59 insertions, 1 deletions
diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
new file mode 100644
index 0000000000..c728f58658
--- /dev/null
+++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Backport
+Backport patch to fix CVE-2014-3564.
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 30 Jul 2014 11:04:55 +0200
+Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
+ engines.
+After a realloc (realloc is also used for initial alloc) the allocated
+size if the buffer is not correctly recorded.  Thus an overflow can be
+introduced by receiving data with different line lengths in a specific
+order.  This is not easy exploitable because libassuan constructs the
+line.  However a crash has been reported and thus it might be possible
+to constructs an exploit.
+CVE-id: CVE-2014-3564
+Reported-by: TomÃ¡Å¡ Trnka
+---
+ src/engine-gpgsm.c    | 2 +-
+ src/engine-uiserver.c | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
+index 8ec1598..3a83757 100644
+--- a/src/engine-gpgsm.c
+++ b/src/engine-gpgsm.c
+@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
+              else
+                {
+                  *aline = newline;
+-                 gpgsm->colon.attic.linesize += linelen + 1;
+                 gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
+                }
+            }
+          if (!err)
+diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
+index 2738c36..a7184b7 100644
+--- a/src/engine-uiserver.c
+++ b/src/engine-uiserver.c
+@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
+              else
+                {
+                  *aline = newline;
+-                 uiserver->colon.attic.linesize += linelen + 1;
+                 uiserver->colon.attic.linesize = *alinelen + linelen + 1;
+                }
+            }
+          if (!err)
+-- 
+2.1.4
diff --git a/meta/recipes-support/gpgme/gpgme_1.4.3.bb b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
index cba358984c..f80457842b 100644
--- a/meta/recipes-support/gpgme/gpgme_1.4.3.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
@@ -11,7 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
 SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
           file://gpgme.pc \
-           file://pkgconfig.patch"
+           file://pkgconfig.patch \
+           file://gpgme-fix-CVE-2014-3564.patch \
+          "
 SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
 SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"
author	Kai Kang <kai.kang@windriver.com>	2015-05-28 09:26:14 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-05-30 22:26:12 +0100
commit	fb0da9e6f34b65bbadd7aefa79705fc6f22778aa (patch)
tree	91fe215ebeea17e303b71dbdad7325eccb3d3ea2 /meta
parent	1c5e37acb9c091f533534d6e31d2b17599ef2d78 (diff)
download	poky-fb0da9e6f34b65bbadd7aefa79705fc6f22778aa.tar.gz

diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch new file mode 100644 index 0000000000..c728f58658 --- /dev/null +++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
		1	Upstream-Status: Backport
		2
		3	Backport patch to fix CVE-2014-3564.
		4
		5	http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
		6
		7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		8	---
		9	From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
		10	From: Werner Koch <wk@gnupg.org>
		11	Date: Wed, 30 Jul 2014 11:04:55 +0200
		12	Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
		13	engines.
		14
		15	After a realloc (realloc is also used for initial alloc) the allocated
		16	size if the buffer is not correctly recorded. Thus an overflow can be
		17	introduced by receiving data with different line lengths in a specific
		18	order. This is not easy exploitable because libassuan constructs the
		19	line. However a crash has been reported and thus it might be possible
		20	to constructs an exploit.
		21
		22	CVE-id: CVE-2014-3564
		23	Reported-by: TomÃ¡Å¡ Trnka
		24	---
		25	src/engine-gpgsm.c \| 2 +-
		26	src/engine-uiserver.c \| 2 +-
		27	3 files changed, 5 insertions(+), 2 deletions(-)
		28
		29	diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
		30	index 8ec1598..3a83757 100644
		31	--- a/src/engine-gpgsm.c
		32	+++ b/src/engine-gpgsm.c
		33	@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
		34	else
		35	{
		36	*aline = newline;
		37	- gpgsm->colon.attic.linesize += linelen + 1;
		38	+ gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
		39	}
		40	}
		41	if (!err)
		42	diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
		43	index 2738c36..a7184b7 100644
		44	--- a/src/engine-uiserver.c
		45	+++ b/src/engine-uiserver.c
		46	@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
		47	else
		48	{
		49	*aline = newline;
		50	- uiserver->colon.attic.linesize += linelen + 1;
		51	+ uiserver->colon.attic.linesize = *alinelen + linelen + 1;
		52	}
		53	}
		54	if (!err)
		55	--
		56	2.1.4


diff --git a/meta/recipes-support/gpgme/gpgme_1.4.3.bb b/meta/recipes-support/gpgme/gpgme_1.4.3.bb index cba358984c..f80457842b 100644 --- a/meta/recipes-support/gpgme/gpgme_1.4.3.bb +++ b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
@@ -11,7 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
11		11
12	SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \	12	SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
13	file://gpgme.pc \	13	file://gpgme.pc \
14	file://pkgconfig.patch"	14	file://pkgconfig.patch \
		15	file://gpgme-fix-CVE-2014-3564.patch \
		16	"
15		17
16	SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"	18	SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
17	SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"	19	SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"