1 files changed, 101 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
new file mode 100644
index 0000000000..ffafc35c07
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
@@ -0,0 +1,101 @@
+From ba8ca443051f93a74c0d03d62e70402036f967a5 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:58:32 +0000
+Subject: [PATCH 08/11] gkeyfilesettingsbackend: Handle long keys when
+ converting paths
+Previously, the code in `convert_path()` could not handle keys longer
+than `G_MAXINT`, and would overflow if that was exceeded.
+Convert the code to use `gsize` and `g_memdup2()` throughout, and
+change from identifying the position of the final slash in the string
+using a signed offset `i`, to using a pointer to the character (and
+`strrchr()`). This allows the slash to be at any position in a
+`G_MAXSIZE`-long string, without sacrificing a bit of the offset for
+indicating whether a slash was found.
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ gio/gkeyfilesettingsbackend.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index cd5765afd..25b057672 100644
+--- a/gio/gkeyfilesettingsbackend.c
+++ b/gio/gkeyfilesettingsbackend.c
+@@ -33,6 +33,7 @@
+ #include "gfilemonitor.h"
+ #include "gsimplepermission.h"
+ #include "gsettingsbackendinternal.h"
+#include "gstrfuncsprivate.h"
+ #include "giomodule-priv.h"
+ #include "gportalsupport.h"
+ 
+@@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend  *kfsb,
+               gchar                   **group,
+               gchar                   **basename)
+ {
+-  gint key_len = strlen (key);
+-  gint i;
+  gsize key_len = strlen (key);
+  const gchar *last_slash;
+ 
+   if (key_len < kfsb->prefix_len ||
+       memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0)
+@@ -155,38 +156,36 @@ convert_path (GKeyfileSettingsBackend  *kfsb,
+   key_len -= kfsb->prefix_len;
+   key += kfsb->prefix_len;
+ 
+-  for (i = key_len; i >= 0; i--)
+-    if (key[i] == '/')
+-      break;
+  last_slash = strrchr (key, '/');
+ 
+   if (kfsb->root_group)
+     {
+       /* if a root_group was specified, make sure the user hasn't given
+        * a path that ghosts that group name
+        */
+-      if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0)
+      if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0)
+         return FALSE;
+     }
+   else
+     {
+       /* if no root_group was given, ensure that the user gave a path */
+-      if (i == -1)
+      if (last_slash == NULL)
+         return FALSE;
+     }
+ 
+   if (group)
+     {
+-      if (i >= 0)
+      if (last_slash != NULL)
+         {
+-          *group = g_memdup (key, i + 1);
+-          (*group)[i] = '\0';
+          *group = g_memdup2 (key, (last_slash - key) + 1);
+          (*group)[(last_slash - key)] = '\0';
+         }
+       else
+         *group = g_strdup (kfsb->root_group);
+     }
+ 
+   if (basename)
+-    *basename = g_memdup (key + i + 1, key_len - i);
+    *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
+ 
+   return TRUE;
+ }
+-- 
+GitLab

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch new file mode 100644 index 0000000000..ffafc35c07 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
@@ -0,0 +1,101 @@
	1	From ba8ca443051f93a74c0d03d62e70402036f967a5 Mon Sep 17 00:00:00 2001
	2	From: Philip Withnall <pwithnall@endlessos.org>
	3	Date: Thu, 4 Feb 2021 13:58:32 +0000
	4	Subject: [PATCH 08/11] gkeyfilesettingsbackend: Handle long keys when
	5	converting paths
	6
	7	Previously, the code in `convert_path()` could not handle keys longer
	8	than `G_MAXINT`, and would overflow if that was exceeded.
	9
	10	Convert the code to use `gsize` and `g_memdup2()` throughout, and
	11	change from identifying the position of the final slash in the string
	12	using a signed offset `i`, to using a pointer to the character (and
	13	`strrchr()`). This allows the slash to be at any position in a
	14	`G_MAXSIZE`-long string, without sacrificing a bit of the offset for
	15	indicating whether a slash was found.
	16
	17	Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
	18	Helps: #2319
	19
	20	Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
	21	CVE: CVE-2021-27219
	22	Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
	23	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
	24
	25	---
	26	gio/gkeyfilesettingsbackend.c \| 21 ++++++++++-----------
	27	1 file changed, 10 insertions(+), 11 deletions(-)
	28
	29	diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
	30	index cd5765afd..25b057672 100644
	31	--- a/gio/gkeyfilesettingsbackend.c
	32	+++ b/gio/gkeyfilesettingsbackend.c
	33	@@ -33,6 +33,7 @@
	34	#include "gfilemonitor.h"
	35	#include "gsimplepermission.h"
	36	#include "gsettingsbackendinternal.h"
	37	+#include "gstrfuncsprivate.h"
	38	#include "giomodule-priv.h"
	39	#include "gportalsupport.h"
	40
	41	@@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend *kfsb,
	42	gchar **group,
	43	gchar **basename)
	44	{
	45	- gint key_len = strlen (key);
	46	- gint i;
	47	+ gsize key_len = strlen (key);
	48	+ const gchar *last_slash;
	49
	50	if (key_len < kfsb->prefix_len \|\|
	51	memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0)
	52	@@ -155,38 +156,36 @@ convert_path (GKeyfileSettingsBackend *kfsb,
	53	key_len -= kfsb->prefix_len;
	54	key += kfsb->prefix_len;
	55
	56	- for (i = key_len; i >= 0; i--)
	57	- if (key[i] == '/')
	58	- break;
	59	+ last_slash = strrchr (key, '/');
	60
	61	if (kfsb->root_group)
	62	{
	63	/* if a root_group was specified, make sure the user hasn't given
	64	* a path that ghosts that group name
	65	*/
	66	- if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0)
	67	+ if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0)
	68	return FALSE;
	69	}
	70	else
	71	{
	72	/* if no root_group was given, ensure that the user gave a path */
	73	- if (i == -1)
	74	+ if (last_slash == NULL)
	75	return FALSE;
	76	}
	77
	78	if (group)
	79	{
	80	- if (i >= 0)
	81	+ if (last_slash != NULL)
	82	{
	83	- *group = g_memdup (key, i + 1);
	84	- (*group)[i] = '\0';
	85	+ *group = g_memdup2 (key, (last_slash - key) + 1);
	86	+ (*group)[(last_slash - key)] = '\0';
	87	}
	88	else
	89	*group = g_strdup (kfsb->root_group);
	90	}
	91
	92	if (basename)
	93	- *basename = g_memdup (key + i + 1, key_len - i);
	94	+ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
	95
	96	return TRUE;
	97	}
	98	--
	99	GitLab
	100
	101