diff options
Diffstat (limited to 'meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch')
-rw-r--r-- | meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch | 298 |
1 files changed, 298 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch new file mode 100644 index 0000000000..6a3ac6b552 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch | |||
@@ -0,0 +1,298 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 0736b7c1e7cf4232c5d7eb2b0fbfe9be81bd3baa Mon Sep 17 00:00:00 2001 | ||
4 | From: Philip Withnall <pwithnall@endlessos.org> | ||
5 | Date: Thu, 4 Feb 2021 13:41:21 +0000 | ||
6 | Subject: [PATCH 04/11] glib: Use g_memdup2() instead of g_memdup() in obvious | ||
7 | places | ||
8 | MIME-Version: 1.0 | ||
9 | Content-Type: text/plain; charset=UTF-8 | ||
10 | Content-Transfer-Encoding: 8bit | ||
11 | |||
12 | Convert all the call sites which use `g_memdup()`’s length argument | ||
13 | trivially (for example, by passing a `sizeof()` or an existing `gsize` | ||
14 | variable), so that they use `g_memdup2()` instead. | ||
15 | |||
16 | In almost all of these cases the use of `g_memdup()` would not have | ||
17 | caused problems, but it will soon be deprecated, so best port away from | ||
18 | it | ||
19 | |||
20 | In particular, this fixes an overflow within `g_bytes_new()`, identified | ||
21 | as GHSL-2021-045 by GHSL team member Kevin Backhouse. | ||
22 | |||
23 | Signed-off-by: Philip Withnall <pwithnall@endlessos.org> | ||
24 | Fixes: GHSL-2021-045 | ||
25 | Helps: #2319 | ||
26 | |||
27 | Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz] | ||
28 | CVE: CVE-2021-27219 | ||
29 | Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> | ||
30 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
31 | |||
32 | --- | ||
33 | glib/gbytes.c | 6 ++++-- | ||
34 | glib/gdir.c | 3 ++- | ||
35 | glib/ghash.c | 7 ++++--- | ||
36 | glib/giochannel.c | 5 +++-- | ||
37 | glib/gslice.c | 3 ++- | ||
38 | glib/gtestutils.c | 3 ++- | ||
39 | glib/gvariant.c | 7 ++++--- | ||
40 | glib/gvarianttype.c | 3 ++- | ||
41 | glib/tests/array-test.c | 4 +++- | ||
42 | glib/tests/option-context.c | 6 ++++-- | ||
43 | glib/tests/uri.c | 8 +++++--- | ||
44 | 11 files changed, 35 insertions(+), 20 deletions(-) | ||
45 | |||
46 | --- a/glib/gbytes.c | ||
47 | +++ b/glib/gbytes.c | ||
48 | @@ -34,6 +34,8 @@ | ||
49 | |||
50 | #include <string.h> | ||
51 | |||
52 | +#include "gstrfuncsprivate.h" | ||
53 | + | ||
54 | /** | ||
55 | * GBytes: | ||
56 | * | ||
57 | @@ -95,7 +97,7 @@ g_bytes_new (gconstpointer data, | ||
58 | { | ||
59 | g_return_val_if_fail (data != NULL || size == 0, NULL); | ||
60 | |||
61 | - return g_bytes_new_take (g_memdup (data, size), size); | ||
62 | + return g_bytes_new_take (g_memdup2 (data, size), size); | ||
63 | } | ||
64 | |||
65 | /** | ||
66 | @@ -499,7 +501,7 @@ g_bytes_unref_to_data (GBytes *bytes, | ||
67 | * Copy: Non g_malloc (or compatible) allocator, or static memory, | ||
68 | * so we have to copy, and then unref. | ||
69 | */ | ||
70 | - result = g_memdup (bytes->data, bytes->size); | ||
71 | + result = g_memdup2 (bytes->data, bytes->size); | ||
72 | *size = bytes->size; | ||
73 | g_bytes_unref (bytes); | ||
74 | } | ||
75 | --- a/glib/gdir.c | ||
76 | +++ b/glib/gdir.c | ||
77 | @@ -37,6 +37,7 @@ | ||
78 | #include "gconvert.h" | ||
79 | #include "gfileutils.h" | ||
80 | #include "gstrfuncs.h" | ||
81 | +#include "gstrfuncsprivate.h" | ||
82 | #include "gtestutils.h" | ||
83 | #include "glibintl.h" | ||
84 | |||
85 | @@ -112,7 +113,7 @@ g_dir_open_with_errno (const gchar *path | ||
86 | return NULL; | ||
87 | #endif | ||
88 | |||
89 | - return g_memdup (&dir, sizeof dir); | ||
90 | + return g_memdup2 (&dir, sizeof dir); | ||
91 | } | ||
92 | |||
93 | /** | ||
94 | --- a/glib/ghash.c | ||
95 | +++ b/glib/ghash.c | ||
96 | @@ -34,6 +34,7 @@ | ||
97 | #include "gmacros.h" | ||
98 | #include "glib-private.h" | ||
99 | #include "gstrfuncs.h" | ||
100 | +#include "gstrfuncsprivate.h" | ||
101 | #include "gatomic.h" | ||
102 | #include "gtestutils.h" | ||
103 | #include "gslice.h" | ||
104 | @@ -962,7 +963,7 @@ g_hash_table_ensure_keyval_fits (GHashTa | ||
105 | if (hash_table->have_big_keys) | ||
106 | { | ||
107 | if (key != value) | ||
108 | - hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); | ||
109 | + hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); | ||
110 | /* Keys and values are both big now, so no need for further checks */ | ||
111 | return; | ||
112 | } | ||
113 | @@ -970,7 +971,7 @@ g_hash_table_ensure_keyval_fits (GHashTa | ||
114 | { | ||
115 | if (key != value) | ||
116 | { | ||
117 | - hash_table->values = g_memdup (hash_table->keys, sizeof (guint) * hash_table->size); | ||
118 | + hash_table->values = g_memdup2 (hash_table->keys, sizeof (guint) * hash_table->size); | ||
119 | is_a_set = FALSE; | ||
120 | } | ||
121 | } | ||
122 | @@ -998,7 +999,7 @@ g_hash_table_ensure_keyval_fits (GHashTa | ||
123 | |||
124 | /* Just split if necessary */ | ||
125 | if (is_a_set && key != value) | ||
126 | - hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); | ||
127 | + hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); | ||
128 | |||
129 | #endif | ||
130 | } | ||
131 | --- a/glib/giochannel.c | ||
132 | +++ b/glib/giochannel.c | ||
133 | @@ -35,7 +35,7 @@ | ||
134 | #include <errno.h> | ||
135 | |||
136 | #include "giochannel.h" | ||
137 | - | ||
138 | +#include "gstrfuncsprivate.h" | ||
139 | #include "gstrfuncs.h" | ||
140 | #include "gtestutils.h" | ||
141 | #include "glibintl.h" | ||
142 | |||
143 | @@ -1673,10 +1674,10 @@ g_io_channel_read_line (GIOChannel *cha | ||
144 | |||
145 | /* Copy the read bytes (including any embedded nuls) and nul-terminate. | ||
146 | * `USE_BUF (channel)->str` is guaranteed to be nul-terminated as it’s a | ||
147 | - * #GString, so it’s safe to call g_memdup() with +1 length to allocate | ||
148 | + * #GString, so it’s safe to call g_memdup2() with +1 length to allocate | ||
149 | * a nul-terminator. */ | ||
150 | g_assert (USE_BUF (channel)); | ||
151 | - line = g_memdup (USE_BUF (channel)->str, got_length + 1); | ||
152 | + line = g_memdup2 (USE_BUF (channel)->str, got_length + 1); | ||
153 | line[got_length] = '\0'; | ||
154 | *str_return = g_steal_pointer (&line); | ||
155 | g_string_erase (USE_BUF (channel), 0, got_length); | ||
156 | --- a/glib/gslice.c | ||
157 | +++ b/glib/gslice.c | ||
158 | @@ -41,6 +41,7 @@ | ||
159 | #include "gmain.h" | ||
160 | #include "gmem.h" /* gslice.h */ | ||
161 | #include "gstrfuncs.h" | ||
162 | +#include "gstrfuncsprivate.h" | ||
163 | #include "gutils.h" | ||
164 | #include "gtrashstack.h" | ||
165 | #include "gtestutils.h" | ||
166 | @@ -350,7 +351,7 @@ g_slice_get_config_state (GSliceConfig c | ||
167 | array[i++] = allocator->contention_counters[address]; | ||
168 | array[i++] = allocator_get_magazine_threshold (allocator, address); | ||
169 | *n_values = i; | ||
170 | - return g_memdup (array, sizeof (array[0]) * *n_values); | ||
171 | + return g_memdup2 (array, sizeof (array[0]) * *n_values); | ||
172 | default: | ||
173 | return NULL; | ||
174 | } | ||
175 | --- a/glib/gtestutils.c | ||
176 | +++ b/glib/gtestutils.c | ||
177 | @@ -49,6 +49,7 @@ | ||
178 | #include "gpattern.h" | ||
179 | #include "grand.h" | ||
180 | #include "gstrfuncs.h" | ||
181 | +#include "gstrfuncsprivate.h" | ||
182 | #include "gtimer.h" | ||
183 | #include "gslice.h" | ||
184 | #include "gspawn.h" | ||
185 | @@ -3803,7 +3804,7 @@ g_test_log_extract (GTestLogBuffer *tbuf | ||
186 | if (p <= tbuffer->data->str + mlength) | ||
187 | { | ||
188 | g_string_erase (tbuffer->data, 0, mlength); | ||
189 | - tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg))); | ||
190 | + tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg))); | ||
191 | return TRUE; | ||
192 | } | ||
193 | |||
194 | --- a/glib/gvariant.c | ||
195 | +++ b/glib/gvariant.c | ||
196 | @@ -33,6 +33,7 @@ | ||
197 | |||
198 | #include <string.h> | ||
199 | |||
200 | +#include "gstrfuncsprivate.h" | ||
201 | |||
202 | /** | ||
203 | * SECTION:gvariant | ||
204 | @@ -725,7 +726,7 @@ g_variant_new_variant (GVariant *value) | ||
205 | g_variant_ref_sink (value); | ||
206 | |||
207 | return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT, | ||
208 | - g_memdup (&value, sizeof value), | ||
209 | + g_memdup2 (&value, sizeof value), | ||
210 | 1, g_variant_is_trusted (value)); | ||
211 | } | ||
212 | |||
213 | @@ -1229,7 +1230,7 @@ g_variant_new_fixed_array (const GVarian | ||
214 | return NULL; | ||
215 | } | ||
216 | |||
217 | - data = g_memdup (elements, n_elements * element_size); | ||
218 | + data = g_memdup2 (elements, n_elements * element_size); | ||
219 | value = g_variant_new_from_data (array_type, data, | ||
220 | n_elements * element_size, | ||
221 | FALSE, g_free, data); | ||
222 | @@ -1908,7 +1909,7 @@ g_variant_dup_bytestring (GVariant *valu | ||
223 | if (length) | ||
224 | *length = size; | ||
225 | |||
226 | - return g_memdup (original, size + 1); | ||
227 | + return g_memdup2 (original, size + 1); | ||
228 | } | ||
229 | |||
230 | /** | ||
231 | --- a/glib/gvarianttype.c | ||
232 | +++ b/glib/gvarianttype.c | ||
233 | @@ -28,6 +28,7 @@ | ||
234 | |||
235 | #include <string.h> | ||
236 | |||
237 | +#include "gstrfuncsprivate.h" | ||
238 | |||
239 | /** | ||
240 | * SECTION:gvarianttype | ||
241 | @@ -1181,7 +1182,7 @@ g_variant_type_new_tuple (const GVariant | ||
242 | g_assert (offset < sizeof buffer); | ||
243 | buffer[offset++] = ')'; | ||
244 | |||
245 | - return (GVariantType *) g_memdup (buffer, offset); | ||
246 | + return (GVariantType *) g_memdup2 (buffer, offset); | ||
247 | } | ||
248 | |||
249 | /** | ||
250 | --- a/glib/tests/array-test.c | ||
251 | +++ b/glib/tests/array-test.c | ||
252 | @@ -29,6 +29,8 @@ | ||
253 | #include <string.h> | ||
254 | #include "glib.h" | ||
255 | |||
256 | +#include "gstrfuncsprivate.h" | ||
257 | + | ||
258 | /* Test data to be passed to any function which calls g_array_new(), providing | ||
259 | * the parameters for that call. Most #GArray tests should be repeated for all | ||
260 | * possible values of #ArrayTestData. */ | ||
261 | @@ -1917,7 +1919,7 @@ byte_array_new_take (void) | ||
262 | GByteArray *gbarray; | ||
263 | guint8 *data; | ||
264 | |||
265 | - data = g_memdup ("woooweeewow", 11); | ||
266 | + data = g_memdup2 ("woooweeewow", 11); | ||
267 | gbarray = g_byte_array_new_take (data, 11); | ||
268 | g_assert (gbarray->data == data); | ||
269 | g_assert_cmpuint (gbarray->len, ==, 11); | ||
270 | --- a/glib/tests/option-context.c | ||
271 | +++ b/glib/tests/option-context.c | ||
272 | @@ -27,6 +27,8 @@ | ||
273 | #include <string.h> | ||
274 | #include <locale.h> | ||
275 | |||
276 | +#include "gstrfuncsprivate.h" | ||
277 | + | ||
278 | static GOptionEntry main_entries[] = { | ||
279 | { "main-switch", 0, 0, | ||
280 | G_OPTION_ARG_NONE, NULL, | ||
281 | @@ -256,7 +258,7 @@ join_stringv (int argc, char **argv) | ||
282 | static char ** | ||
283 | copy_stringv (char **argv, int argc) | ||
284 | { | ||
285 | - return g_memdup (argv, sizeof (char *) * (argc + 1)); | ||
286 | + return g_memdup2 (argv, sizeof (char *) * (argc + 1)); | ||
287 | } | ||
288 | |||
289 | static void | ||
290 | @@ -2323,7 +2325,7 @@ test_group_parse (void) | ||
291 | g_option_context_add_group (context, group); | ||
292 | |||
293 | argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc); | ||
294 | - orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *)); | ||
295 | + orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *)); | ||
296 | |||
297 | retval = g_option_context_parse (context, &argc, &argv, &error); | ||
298 | |||