Diffstat (limited to 'meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch')
-rw-r--r-- | meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch | 170 |
1 files changed, 170 insertions, 0 deletions
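--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
@@ -0,0 +1,170 @@
+Backport of:
+
+From 5e5f75a77e399c638be66d74e5daa8caeb433e00 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:30:52 +0000
+Subject: [PATCH 01/11] gstrfuncs: Add internal g_memdup2() function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This will replace the existing `g_memdup()` function for use within
+GLib. It has an unavoidable security flaw of taking its `byte_size`
+argument as a `guint` rather than as a `gsize`. Most callers will
+expect it to be a `gsize`, and may pass in large values which could
+silently be truncated, resulting in an undersize allocation compared
+to what the caller expects.
+
+This could lead to a classic buffer overflow vulnerability for many
+callers of `g_memdup()`.
+
+`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.
+
+Spotted by Kevin Backhouse of GHSL.
+
+In GLib 2.68, `g_memdup2()` will be a new public API. In this version
+for backport to older stable releases, it’s a new `static inline` API
+in a private header, so that use of `g_memdup()` within GLib can be
+fixed without adding a new API in a stable release series.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: GHSL-2021-045
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+docs/reference/glib/meson.build | 1 +
+glib/gstrfuncsprivate.h | 55 +++++++++++++++++++++++++++++++++
+glib/meson.build | 1 +
+glib/tests/strfuncs.c | 23 ++++++++++++++
+4 files changed, 80 insertions(+)
+create mode 100644 glib/gstrfuncsprivate.h
+
+--- a/docs/reference/glib/meson.build
++++ b/docs/reference/glib/meson.build
+@@ -22,6 +22,7 @@ if get_option('gtk_doc')
+'gprintfint.h',
+'gmirroringtable.h',
+'gscripttable.h',
++ 'gstrfuncsprivate.h',
+'glib-mirroring-tab',
+'gnulib',
+'pcre',
+--- /dev/null
++++ b/glib/gstrfuncsprivate.h
+@@ -0,0 +1,55 @@
++/* GLIB - Library of useful routines for C programming
++ * Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <glib.h>
++#include <string.h>
++
++/*
++ * g_memdup2:
++ * @mem: (nullable): the memory to copy.
++ * @byte_size: the number of bytes to copy.
++ *
++ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it
++ * from @mem. If @mem is %NULL it returns %NULL.
++ *
++ * This replaces g_memdup(), which was prone to integer overflows when
++ * converting the argument from a #gsize to a #guint.
++ *
++ * This static inline version is a backport of the new public API from
++ * GLib 2.68, kept internal to GLib for backport to older stable releases.
++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319.
++ *
++ * Returns: (nullable): a pointer to the newly-allocated copy of the memory,
++ * or %NULL if @mem is %NULL.
++ * Since: 2.68
++ */
++static inline gpointer
++g_memdup2 (gconstpointer mem,
++ gsize byte_size)
++{
++ gpointer new_mem;
++
++ if (mem && byte_size != 0)
++ {
++ new_mem = g_malloc (byte_size);
++ memcpy (new_mem, mem, byte_size);
++ }
++ else
++ new_mem = NULL;
++
++ return new_mem;
++}
+--- a/glib/meson.build
++++ b/glib/meson.build
+@@ -268,6 +268,7 @@ glib_sources = files(
+'gslist.c',
+'gstdio.c',
+'gstrfuncs.c',
++ 'gstrfuncsprivate.h',
+'gstring.c',
+'gstringchunk.c',
+'gtestutils.c',
+--- a/glib/tests/strfuncs.c
++++ b/glib/tests/strfuncs.c
+@@ -32,6 +32,8 @@
+#include <string.h>
+#include "glib.h"
+
++#include "gstrfuncsprivate.h"
++
+#if defined (_MSC_VER) && (_MSC_VER <= 1800)
+#define isnan(x) _isnan(x)
+
+@@ -219,6 +221,26 @@ test_memdup (void)
+g_free (str_dup);
+}
+
++/* Testing g_memdup2() function with various positive and negative cases */
++static void
++test_memdup2 (void)
++{
++ gchar *str_dup = NULL;
++ const gchar *str = "The quick brown fox jumps over the lazy dog";
++
++ /* Testing negative cases */
++ g_assert_null (g_memdup2 (NULL, 1024));
++ g_assert_null (g_memdup2 (str, 0));
++ g_assert_null (g_memdup2 (NULL, 0));
++
++ /* Testing normal usage cases */
++ str_dup = g_memdup2 (str, strlen (str) + 1);
++ g_assert_nonnull (str_dup);
++ g_assert_cmpstr (str, ==, str_dup);
++
++ g_free (str_dup);
++}
++
+/* Testing g_strpcpy() function with various positive and negative cases */
+static void
+test_stpcpy (void)
+@@ -2523,6 +2545,7 @@ main (int argc,
+g_test_add_func ("/strfuncs/has-prefix", test_has_prefix);
+g_test_add_func ("/strfuncs/has-suffix", test_has_suffix);
+g_test_add_func ("/strfuncs/memdup", test_memdup);
++ g_test_add_func ("/strfuncs/memdup2", test_memdup2);
+g_test_add_func ("/strfuncs/stpcpy", test_stpcpy);
+g_test_add_func ("/strfuncs/str_match_string", test_str_match_string);
+g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold);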
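Review bot: The new `glib/gstrfuncsprivate.h` defines `g_memdup2()` as `static inline` but has no include guard, so a translation unit that pulls it in twice, directly or through another private header, fails with a redefinition error. Wrapping the contents in a guard such as `#ifndef __G_STRFUNCS_PRIVATE_H__` / `#define __G_STRFUNCS_PRIVATE_H__` / `#endif` would prevent that, though for a backport it may be preferable to stay identical to upstream. This patch only adds the helper and its test and converts no `g_memdup()` caller, so the `CVE: CVE-2021-27219` tag holds only if the recipe also applies the rest of the 11-part series, which is not visible here. `test_memdup2()` covers NULL, zero size and a short string, none of which reach a `byte_size` above `G_MAXUINT`, the case the change exists for.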