-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2019-25013.patch135
-rw-r--r--meta/recipes-core/glibc/glibc_2.31.bb1
2 files changed, 136 insertions, 0 deletions
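diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
new file mode 100644
index 0000000000..73df1da868
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
@@ -0,0 +1,135 @@
+From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Mon, 21 Dec 2020 08:56:43 +0530
+Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973)
+
+The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
+area and is not allowed. The from_euc_kr function used to skip two bytes
+when told to skip over the unknown designation, potentially running over
+the buffer end.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b]
+CVE: CVE-2019-25013
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+[Refreshed for Dundell context; Makefile changes]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ iconvdata/Makefile | 3 ++-
+ iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
+ iconvdata/euc-kr.c | 6 +----
+ iconvdata/ksc5601.h | 6 ++---
+ 4 files changed, 59 insertions(+), 9 deletions(-)
+ create mode 100644 iconvdata/bug-iconv13.c
+
+Index: git/iconvdata/Makefile
+===================================================================
+--- git.orig/iconvdata/Makefile
++++ git/iconvdata/Makefile
+@@ -73,7 +73,7 @@ modules.so := $(addsuffix .so, $(modules
+ ifeq (yes,$(build-shared))
+ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
+ tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
+- bug-iconv10 bug-iconv11 bug-iconv12
++ bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13
+ ifeq ($(have-thread-library),yes)
+ tests += bug-iconv3
+ endif
+Index: git/iconvdata/bug-iconv13.c
+===================================================================
+--- /dev/null
++++ git/iconvdata/bug-iconv13.c
+@@ -0,0 +1,53 @@
++/* bug 24973: Test EUC-KR module
++ Copyright (C) 2020 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <iconv.h>
++#include <stdio.h>
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
++ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
++
++ /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
++ areas, which are not allowed and should be skipped over due to
++ //IGNORE. The trailing 0xfe also is an incomplete sequence, which
++ should be checked first. */
++ char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
++ char *inptr = input;
++ size_t insize = sizeof (input);
++ char output[4];
++ char *outptr = output;
++ size_t outsize = sizeof (output);
++
++ /* This used to crash due to buffer overrun. */
++ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
++ TEST_VERIFY (errno == EINVAL);
++ /* The conversion should produce one character, the converted null
++ character. */
++ TEST_VERIFY (sizeof (output) - outsize == 1);
++
++ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+Index: git/iconvdata/euc-kr.c
+===================================================================
+--- git.orig/iconvdata/euc-kr.c
++++ git/iconvdata/euc-kr.c
+@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned c
+ \
+ if (ch <= 0x9f) \
+ ++inptr; \
+- /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \
+- user-defined areas. */ \
+- else if (__builtin_expect (ch == 0xa0, 0) \
+- || __builtin_expect (ch > 0xfe, 0) \
+- || __builtin_expect (ch == 0xc9, 0)) \
++ else if (__glibc_unlikely (ch == 0xa0)) \
+ { \
+ /* This is illegal. */ \
+ STANDARD_FROM_LOOP_ERR_HANDLER (1); \
+Index: git/iconvdata/ksc5601.h
+===================================================================
+--- git.orig/iconvdata/ksc5601.h
++++ git/iconvdata/ksc5601.h
+@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s
+ unsigned char ch2;
+ int idx;
+
++ if (avail < 2)
++ return 0;
++
+ /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
+
+ if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
+ || (ch - offset) == 0x49)
+ return __UNKNOWN_10646_CHAR;
+
+- if (avail < 2)
+- return 0;
+-
+ ch2 = (*s)[1];
+ if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
+ return __UNKNOWN_10646_CHAR;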
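Review bot: The new regression test `do_test` in bug-iconv13.c asserts the return value, `errno` and the output count, but never checks how much input `iconv` consumed, which is the property the overrun fix is about. Under the iconv contract for EINVAL the call should leave `inptr` at the trailing 0xfe, so adding `TEST_VERIFY (insize == 1);` and `TEST_VERIFY (inptr == input + 3);` would catch a converter that steps past the incomplete byte without happening to crash (expected values to be confirmed against the built module). Separately, `errno` is read only after the first `TEST_VERIFY` has run; copying it into a local immediately after `iconv` returns keeps a failure report from that first check from overwriting it. The reordered `avail < 2` check in ksc5601.h presumably also changes what other converters that include that header report for a truncated sequence, and this EUC-KR-only test does not cover them.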
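diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 067d4de64a..b75bbb4196 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
  file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
  file://CVE-2020-29562.patch \
  file://CVE-2020-29573.patch \
+ file://CVE-2019-25013.patch \
  "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"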