summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-02-11 16:20:34 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-18 10:57:11 +0000
commitae57ea03c6a41f2e3b61e0c157e32ca7df7b3c4b (patch)
tree81df74e315a28ae380e8a0d5d9720e8fb9f1574e /meta
parenteb9666a3e2ee659fc47cd137205299eb6b6d817a (diff)
downloadpoky-ae57ea03c6a41f2e3b61e0c157e32ca7df7b3c4b.tar.gz
libbsd: Security fix CVE-2016-2090
CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd affects libbsd <= 0.8.1 (and therefore not needed in master) (From OE-Core rev: e56aba3a822f072f8ed2062a691762a4a970a3f0) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-support/libbsd/files/CVE-2016-2090.patch50
-rw-r--r--meta/recipes-support/libbsd/libbsd_0.7.0.bb4
2 files changed, 53 insertions, 1 deletions
diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
new file mode 100644
index 0000000000..2eaae1386d
--- /dev/null
+++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
@@ -0,0 +1,50 @@
1From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001
2From: Hanno Boeck <hanno@hboeck.de>
3Date: Wed, 27 Jan 2016 15:10:11 +0100
4Subject: [PATCH] Fix heap buffer overflow in fgetwln()
5
6In the function fgetwln() there's a 4 byte heap overflow.
7
8There is a while loop that has this check to see whether there's still
9enough space in the buffer:
10
11 if (!fb->len || wused > fb->len) {
12
13If this is true more memory gets allocated. However this test won't be
14true if wused == fb->len, but at that point wused already points out
15of the buffer. Some lines later there's a write to the buffer:
16
17 fb->wbuf[wused++] = wc;
18
19This bug was found with the help of address sanitizer.
20
21Warned-by: ASAN
22Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
23Signed-off-by: Guillem Jover <guillem@hadrons.org>
24
25Upstream-Status: Backport
26http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7
27
28CVE: CVE-2016-2090
29Signed-off-by: Armin Kuster <akuster@mvista.com>
30
31---
32 src/fgetwln.c | 2 +-
33 1 file changed, 1 insertion(+), 1 deletion(-)
34
35diff --git a/src/fgetwln.c b/src/fgetwln.c
36index 9ee0776..aa3f927 100644
37--- a/src/fgetwln.c
38+++ b/src/fgetwln.c
39@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
40 fb->fp = stream;
41
42 while ((wc = fgetwc(stream)) != WEOF) {
43- if (!fb->len || wused > fb->len) {
44+ if (!fb->len || wused >= fb->len) {
45 wchar_t *wp;
46
47 if (fb->len)
48--
492.3.5
50
diff --git a/meta/recipes-support/libbsd/libbsd_0.7.0.bb b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
index 902666da7f..8d9a708a15 100644
--- a/meta/recipes-support/libbsd/libbsd_0.7.0.bb
+++ b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f1530ea92aeaa1c5e2547cfd43905d8c"
13SECTION = "libs" 13SECTION = "libs"
14DEPENDS = "" 14DEPENDS = ""
15 15
16SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz" 16SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
17 file://CVE-2016-2090.patch \
18 "
17 19
18SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0" 20SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0"
19SRC_URI[sha256sum] = "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb" 21SRC_URI[sha256sum] = "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb"