diff options
| author | Armin Kuster <akuster@mvista.com> | 2016-02-10 15:42:34 -0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-21 09:37:32 +0000 |
| commit | ef135112fde82f653e83f8f1ef473c38fda7119a (patch) | |
| tree | b8cfa3b7f979ff4932a10c3c08180c0b8b4f729d /meta | |
| parent | ae57ea03c6a41f2e3b61e0c157e32ca7df7b3c4b (diff) | |
| download | poky-ef135112fde82f653e83f8f1ef473c38fda7119a.tar.gz | |
uclibc: Security fix CVE-2016-2224
CVE-2016-2224 Do not follow compressed items forever.
This change is being provide to comply to Yocto compatiblity.
(From OE-Core rev: 4fe0654253d7444f2c445a30b06623cef036b2bb)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-core/uclibc/uclibc-git.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch | 49 |
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-core/uclibc/uclibc-git.inc b/meta/recipes-core/uclibc/uclibc-git.inc index dcb616d0d2..d3fb2a8a8e 100644 --- a/meta/recipes-core/uclibc/uclibc-git.inc +++ b/meta/recipes-core/uclibc/uclibc-git.inc | |||
| @@ -19,5 +19,6 @@ SRC_URI = "git://uclibc.org/uClibc.git;branch=master \ | |||
| 19 | file://0001-gcc5-optimizes-away-the-write-only-static-functions-.patch \ | 19 | file://0001-gcc5-optimizes-away-the-write-only-static-functions-.patch \ |
| 20 | file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \ | 20 | file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \ |
| 21 | file://0001-wire-in-syncfs.patch \ | 21 | file://0001-wire-in-syncfs.patch \ |
| 22 | file://CVE-2016-2224.patch \ | ||
| 22 | " | 23 | " |
| 23 | S = "${WORKDIR}/git" | 24 | S = "${WORKDIR}/git" |
diff --git a/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch new file mode 100644 index 0000000000..218b60a85c --- /dev/null +++ b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Waldemar Brodkorb <wbx@openadk.org> | ||
| 3 | Date: Sun, 17 Jan 2016 15:47:22 +0100 | ||
| 4 | Subject: [PATCH] Do not follow compressed items forever. | ||
| 5 | |||
| 6 | It is possible to get stuck in an infinite loop when receiving a | ||
| 7 | specially crafted DNS reply. Exit the loop after a number of iteration | ||
| 8 | and consider the packet invalid. | ||
| 9 | |||
| 10 | Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se> | ||
| 11 | Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org> | ||
| 12 | |||
| 13 | Upstream-status: Backport | ||
| 14 | http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515 | ||
| 15 | |||
| 16 | CVE: CVE-2016-2224 | ||
| 17 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 18 | |||
| 19 | --- | ||
| 20 | libc/inet/resolv.c | 5 ++++- | ||
| 21 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
| 22 | |||
| 23 | Index: git/libc/inet/resolv.c | ||
| 24 | =================================================================== | ||
| 25 | --- git.orig/libc/inet/resolv.c | ||
| 26 | +++ git/libc/inet/resolv.c | ||
| 27 | @@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char | ||
| 28 | bool measure = 1; | ||
| 29 | unsigned total = 0; | ||
| 30 | unsigned used = 0; | ||
| 31 | + unsigned maxiter = 256; | ||
| 32 | |||
| 33 | if (!packet) | ||
| 34 | return -1; | ||
| 35 | |||
| 36 | - while (1) { | ||
| 37 | + while (--maxiter) { | ||
| 38 | if (offset >= packet_len) | ||
| 39 | return -1; | ||
| 40 | b = packet[offset++]; | ||
| 41 | @@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char | ||
| 42 | else | ||
| 43 | dest[used++] = '\0'; | ||
| 44 | } | ||
| 45 | + if (!maxiter) | ||
| 46 | + return -1; | ||
| 47 | |||
| 48 | /* The null byte must be counted too */ | ||
| 49 | if (measure) | ||