diff options
author | Marcus Cooper <marcus.cooper@axis.com> | 2019-02-25 10:37:11 -0600 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-03-24 16:49:54 +0000 |
commit | d4e0f9252852ebfe5677d2bf0e6d70aacd7a984a (patch) | |
tree | 36b5ce6d3db87b817657709b2374f4d0601671c0 /meta | |
parent | 7be61780af1fd1c0a63a41880ece124e874610fa (diff) | |
download | poky-d4e0f9252852ebfe5677d2bf0e6d70aacd7a984a.tar.gz |
systemd: Security fix CVE-2018-16866
Affects < v240
(From OE-Core rev: 10fa35a75617e82650b12d3e353a554f05f036dd)
Signed-off-by: Marcus Cooper <marcusc@axis.com>
>From v2 patch on openembedded-core@lists.openembedded.org
Incresed file name number from 0026 to 0027.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch | 49 | ||||
-rw-r--r-- | meta/recipes-core/systemd/systemd_237.bb | 1 |
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch new file mode 100644 index 0000000000..3925a4abbb --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Filipe Brandenburger <filbranden@google.com> | ||
3 | Date: Thu, 10 Jan 2019 14:53:33 -0800 | ||
4 | Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866 | ||
5 | |||
6 | The original code didn't account for the fact that strchr() would match on the | ||
7 | '\0' character, making it read past the end of the buffer if no non-whitespace | ||
8 | character was present. | ||
9 | |||
10 | This bug was introduced in commit ec5ff4445cca6a which was first released in | ||
11 | systemd v221 and later fixed in commit 8595102d3ddde6 which was released in | ||
12 | v240, so versions in the range [v221, v240) are affected. | ||
13 | |||
14 | Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b | ||
15 | also includes a change from systemd master which removes a heap buffer overflow | ||
16 | a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. | ||
17 | |||
18 | CVE: CVE-2018-16866 | ||
19 | Upstream-Status: Backport | ||
20 | Signed-off-by: Marcus Cooper <marcusc@axis.com> | ||
21 | --- | ||
22 | src/journal/journald-syslog.c | 4 ++-- | ||
23 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
24 | |||
25 | diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c | ||
26 | index 9dea116722..809b318c06 100644 | ||
27 | --- a/src/journal/journald-syslog.c | ||
28 | +++ b/src/journal/journald-syslog.c | ||
29 | @@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) | ||
30 | e = l; | ||
31 | l--; | ||
32 | |||
33 | - if (p[l-1] == ']') { | ||
34 | + if (l > 0 && p[l-1] == ']') { | ||
35 | size_t k = l-1; | ||
36 | |||
37 | for (;;) { | ||
38 | @@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) | ||
39 | if (t) | ||
40 | *identifier = t; | ||
41 | |||
42 | - if (strchr(WHITESPACE, p[e])) | ||
43 | + if (p[e] != '\0' && strchr(WHITESPACE, p[e])) | ||
44 | e++; | ||
45 | *buf = p + e; | ||
46 | return e; | ||
47 | -- | ||
48 | 2.11.0 | ||
49 | |||
diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb index fd110a8340..96f419a7f9 100644 --- a/meta/recipes-core/systemd/systemd_237.bb +++ b/meta/recipes-core/systemd/systemd_237.bb | |||
@@ -60,6 +60,7 @@ SRC_URI += "file://touchscreen.rules \ | |||
60 | file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \ | 60 | file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \ |
61 | file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \ | 61 | file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \ |
62 | file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \ | 62 | file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \ |
63 | file://0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \ | ||
63 | " | 64 | " |
64 | SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch" | 65 | SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch" |
65 | 66 | ||