1 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
new file mode 100644
index 0000000000..2af9dd6aa4
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
@@ -0,0 +1,170 @@
+Backport of:
+From 5e5f75a77e399c638be66d74e5daa8caeb433e00 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:30:52 +0000
+Subject: [PATCH 01/11] gstrfuncs: Add internal g_memdup2() function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+This will replace the existing `g_memdup()` function for use within
+GLib. It has an unavoidable security flaw of taking its `byte_size`
+argument as a `guint` rather than as a `gsize`. Most callers will
+expect it to be a `gsize`, and may pass in large values which could
+silently be truncated, resulting in an undersize allocation compared
+to what the caller expects.
+This could lead to a classic buffer overflow vulnerability for many
+callers of `g_memdup()`.
+`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.
+Spotted by Kevin Backhouse of GHSL.
+In GLib 2.68, `g_memdup2()` will be a new public API. In this version
+for backport to older stable releases, it’s a new `static inline` API
+in a private header, so that use of `g_memdup()` within GLib can be
+fixed without adding a new API in a stable release series.
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: GHSL-2021-045
+Helps: #2319
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ docs/reference/glib/meson.build |  1 +
+ glib/gstrfuncsprivate.h         | 55 +++++++++++++++++++++++++++++++++
+ glib/meson.build                |  1 +
+ glib/tests/strfuncs.c           | 23 ++++++++++++++
+ 4 files changed, 80 insertions(+)
+ create mode 100644 glib/gstrfuncsprivate.h
+--- a/docs/reference/glib/meson.build
+++ b/docs/reference/glib/meson.build
+@@ -22,6 +22,7 @@ if get_option('gtk_doc')
+     'gprintfint.h',
+     'gmirroringtable.h',
+     'gscripttable.h',
+    'gstrfuncsprivate.h',
+     'glib-mirroring-tab',
+     'gnulib',
+     'pcre',
+--- /dev/null
+++ b/glib/gstrfuncsprivate.h
+@@ -0,0 +1,55 @@
+/* GLIB - Library of useful routines for C programming
+ * Copyright (C) 1995-1997  Peter Mattis, Spencer Kimball and Josh MacDonald
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <glib.h>
+#include <string.h>
+
+/*
+ * g_memdup2:
+ * @mem: (nullable): the memory to copy.
+ * @byte_size: the number of bytes to copy.
+ *
+ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it
+ * from @mem. If @mem is %NULL it returns %NULL.
+ *
+ * This replaces g_memdup(), which was prone to integer overflows when
+ * converting the argument from a #gsize to a #guint.
+ *
+ * This static inline version is a backport of the new public API from
+ * GLib 2.68, kept internal to GLib for backport to older stable releases.
+ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319.
+ *
+ * Returns: (nullable): a pointer to the newly-allocated copy of the memory,
+ *    or %NULL if @mem is %NULL.
+ * Since: 2.68
+ */
+static inline gpointer
+g_memdup2 (gconstpointer mem,
+           gsize         byte_size)
+{
+  gpointer new_mem;
+
+  if (mem && byte_size != 0)
+    {
+      new_mem = g_malloc (byte_size);
+      memcpy (new_mem, mem, byte_size);
+    }
+  else
+    new_mem = NULL;
+
+  return new_mem;
+}
+--- a/glib/meson.build
+++ b/glib/meson.build
+@@ -268,6 +268,7 @@ glib_sources = files(
+   'gslist.c',
+   'gstdio.c',
+   'gstrfuncs.c',
+  'gstrfuncsprivate.h',
+   'gstring.c',
+   'gstringchunk.c',
+   'gtestutils.c',
+--- a/glib/tests/strfuncs.c
+++ b/glib/tests/strfuncs.c
+@@ -32,6 +32,8 @@
+ #include <string.h>
+ #include "glib.h"
+ 
+#include "gstrfuncsprivate.h"
+
+ #if defined (_MSC_VER) && (_MSC_VER <= 1800)
+ #define isnan(x) _isnan(x)
+ 
+@@ -219,6 +221,26 @@ test_memdup (void)
+   g_free (str_dup);
+ }
+ 
+/* Testing g_memdup2() function with various positive and negative cases */
+static void
+test_memdup2 (void)
+{
+  gchar *str_dup = NULL;
+  const gchar *str = "The quick brown fox jumps over the lazy dog";
+
+  /* Testing negative cases */
+  g_assert_null (g_memdup2 (NULL, 1024));
+  g_assert_null (g_memdup2 (str, 0));
+  g_assert_null (g_memdup2 (NULL, 0));
+
+  /* Testing normal usage cases */
+  str_dup = g_memdup2 (str, strlen (str) + 1);
+  g_assert_nonnull (str_dup);
+  g_assert_cmpstr (str, ==, str_dup);
+
+  g_free (str_dup);
+}
+
+ /* Testing g_strpcpy() function with various positive and negative cases */
+ static void
+ test_stpcpy (void)
+@@ -2523,6 +2545,7 @@ main (int   argc,
+   g_test_add_func ("/strfuncs/has-prefix", test_has_prefix);
+   g_test_add_func ("/strfuncs/has-suffix", test_has_suffix);
+   g_test_add_func ("/strfuncs/memdup", test_memdup);
+  g_test_add_func ("/strfuncs/memdup2", test_memdup2);
+   g_test_add_func ("/strfuncs/stpcpy", test_stpcpy);
+   g_test_add_func ("/strfuncs/str_match_string", test_str_match_string);
+   g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold);

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch new file mode 100644 index 0000000000..2af9dd6aa4 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
@@ -0,0 +1,170 @@
	1	Backport of:
	2
	3	From 5e5f75a77e399c638be66d74e5daa8caeb433e00 Mon Sep 17 00:00:00 2001
	4	From: Philip Withnall <pwithnall@endlessos.org>
	5	Date: Thu, 4 Feb 2021 13:30:52 +0000
	6	Subject: [PATCH 01/11] gstrfuncs: Add internal g_memdup2() function
	7	MIME-Version: 1.0
	8	Content-Type: text/plain; charset=UTF-8
	9	Content-Transfer-Encoding: 8bit
	10
	11	This will replace the existing `g_memdup()` function for use within
	12	GLib. It has an unavoidable security flaw of taking its `byte_size`
	13	argument as a `guint` rather than as a `gsize`. Most callers will
	14	expect it to be a `gsize`, and may pass in large values which could
	15	silently be truncated, resulting in an undersize allocation compared
	16	to what the caller expects.
	17
	18	This could lead to a classic buffer overflow vulnerability for many
	19	callers of `g_memdup()`.
	20
	21	`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.
	22
	23	Spotted by Kevin Backhouse of GHSL.
	24
	25	In GLib 2.68, `g_memdup2()` will be a new public API. In this version
	26	for backport to older stable releases, it’s a new `static inline` API
	27	in a private header, so that use of `g_memdup()` within GLib can be
	28	fixed without adding a new API in a stable release series.
	29
	30	Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
	31	Helps: GHSL-2021-045
	32	Helps: #2319
	33
	34	Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
	35	CVE: CVE-2021-27219
	36	Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
	37	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
	38
	39	---
	40	docs/reference/glib/meson.build \| 1 +
	41	glib/gstrfuncsprivate.h \| 55 +++++++++++++++++++++++++++++++++
	42	glib/meson.build \| 1 +
	43	glib/tests/strfuncs.c \| 23 ++++++++++++++
	44	4 files changed, 80 insertions(+)
	45	create mode 100644 glib/gstrfuncsprivate.h
	46
	47	--- a/docs/reference/glib/meson.build
	48	+++ b/docs/reference/glib/meson.build
	49	@@ -22,6 +22,7 @@ if get_option('gtk_doc')
	50	'gprintfint.h',
	51	'gmirroringtable.h',
	52	'gscripttable.h',
	53	+ 'gstrfuncsprivate.h',
	54	'glib-mirroring-tab',
	55	'gnulib',
	56	'pcre',
	57	--- /dev/null
	58	+++ b/glib/gstrfuncsprivate.h
	59	@@ -0,0 +1,55 @@
	60	+/* GLIB - Library of useful routines for C programming
	61	+ * Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald
	62	+ *
	63	+ * This library is free software; you can redistribute it and/or
	64	+ * modify it under the terms of the GNU Lesser General Public
	65	+ * License as published by the Free Software Foundation; either
	66	+ * version 2.1 of the License, or (at your option) any later version.
	67	+ *
	68	+ * This library is distributed in the hope that it will be useful,
	69	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
	70	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	71	+ * Lesser General Public License for more details.
	72	+ *
	73	+ * You should have received a copy of the GNU Lesser General Public
	74	+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
	75	+ */
	76	+
	77	+#include <glib.h>
	78	+#include <string.h>
	79	+
	80	+/*
	81	+ * g_memdup2:
	82	+ * @mem: (nullable): the memory to copy.
	83	+ * @byte_size: the number of bytes to copy.
	84	+ *
	85	+ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it
	86	+ * from @mem. If @mem is %NULL it returns %NULL.
	87	+ *
	88	+ * This replaces g_memdup(), which was prone to integer overflows when
	89	+ * converting the argument from a #gsize to a #guint.
	90	+ *
	91	+ * This static inline version is a backport of the new public API from
	92	+ * GLib 2.68, kept internal to GLib for backport to older stable releases.
	93	+ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319.
	94	+ *
	95	+ * Returns: (nullable): a pointer to the newly-allocated copy of the memory,
	96	+ * or %NULL if @mem is %NULL.
	97	+ * Since: 2.68
	98	+ */
	99	+static inline gpointer
	100	+g_memdup2 (gconstpointer mem,
	101	+ gsize byte_size)
	102	+{
	103	+ gpointer new_mem;
	104	+
	105	+ if (mem && byte_size != 0)
	106	+ {
	107	+ new_mem = g_malloc (byte_size);
	108	+ memcpy (new_mem, mem, byte_size);
	109	+ }
	110	+ else
	111	+ new_mem = NULL;
	112	+
	113	+ return new_mem;
	114	+}
	115	--- a/glib/meson.build
	116	+++ b/glib/meson.build
	117	@@ -268,6 +268,7 @@ glib_sources = files(
	118	'gslist.c',
	119	'gstdio.c',
	120	'gstrfuncs.c',
	121	+ 'gstrfuncsprivate.h',
	122	'gstring.c',
	123	'gstringchunk.c',
	124	'gtestutils.c',
	125	--- a/glib/tests/strfuncs.c
	126	+++ b/glib/tests/strfuncs.c
	127	@@ -32,6 +32,8 @@
	128	#include <string.h>
	129	#include "glib.h"
	130
	131	+#include "gstrfuncsprivate.h"
	132	+
	133	#if defined (_MSC_VER) && (_MSC_VER <= 1800)
	134	#define isnan(x) _isnan(x)
	135
	136	@@ -219,6 +221,26 @@ test_memdup (void)
	137	g_free (str_dup);
	138	}
	139
	140	+/* Testing g_memdup2() function with various positive and negative cases */
	141	+static void
	142	+test_memdup2 (void)
	143	+{
	144	+ gchar *str_dup = NULL;
	145	+ const gchar *str = "The quick brown fox jumps over the lazy dog";
	146	+
	147	+ /* Testing negative cases */
	148	+ g_assert_null (g_memdup2 (NULL, 1024));
	149	+ g_assert_null (g_memdup2 (str, 0));
	150	+ g_assert_null (g_memdup2 (NULL, 0));
	151	+
	152	+ /* Testing normal usage cases */
	153	+ str_dup = g_memdup2 (str, strlen (str) + 1);
	154	+ g_assert_nonnull (str_dup);
	155	+ g_assert_cmpstr (str, ==, str_dup);
	156	+
	157	+ g_free (str_dup);
	158	+}
	159	+
	160	/* Testing g_strpcpy() function with various positive and negative cases */
	161	static void
	162	test_stpcpy (void)
	163	@@ -2523,6 +2545,7 @@ main (int argc,
	164	g_test_add_func ("/strfuncs/has-prefix", test_has_prefix);
	165	g_test_add_func ("/strfuncs/has-suffix", test_has_suffix);
	166	g_test_add_func ("/strfuncs/memdup", test_memdup);
	167	+ g_test_add_func ("/strfuncs/memdup2", test_memdup2);
	168	g_test_add_func ("/strfuncs/stpcpy", test_stpcpy);
	169	g_test_add_func ("/strfuncs/str_match_string", test_str_match_string);
	170	g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold);