diff options
Diffstat (limited to 'meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch')
-rw-r--r-- | meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch new file mode 100644 index 0000000000..ffafc35c07 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch | |||
@@ -0,0 +1,101 @@ | |||
1 | From ba8ca443051f93a74c0d03d62e70402036f967a5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Philip Withnall <pwithnall@endlessos.org> | ||
3 | Date: Thu, 4 Feb 2021 13:58:32 +0000 | ||
4 | Subject: [PATCH 08/11] gkeyfilesettingsbackend: Handle long keys when | ||
5 | converting paths | ||
6 | |||
7 | Previously, the code in `convert_path()` could not handle keys longer | ||
8 | than `G_MAXINT`, and would overflow if that was exceeded. | ||
9 | |||
10 | Convert the code to use `gsize` and `g_memdup2()` throughout, and | ||
11 | change from identifying the position of the final slash in the string | ||
12 | using a signed offset `i`, to using a pointer to the character (and | ||
13 | `strrchr()`). This allows the slash to be at any position in a | ||
14 | `G_MAXSIZE`-long string, without sacrificing a bit of the offset for | ||
15 | indicating whether a slash was found. | ||
16 | |||
17 | Signed-off-by: Philip Withnall <pwithnall@endlessos.org> | ||
18 | Helps: #2319 | ||
19 | |||
20 | Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz] | ||
21 | CVE: CVE-2021-27219 | ||
22 | Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> | ||
23 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
24 | |||
25 | --- | ||
26 | gio/gkeyfilesettingsbackend.c | 21 ++++++++++----------- | ||
27 | 1 file changed, 10 insertions(+), 11 deletions(-) | ||
28 | |||
29 | diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c | ||
30 | index cd5765afd..25b057672 100644 | ||
31 | --- a/gio/gkeyfilesettingsbackend.c | ||
32 | +++ b/gio/gkeyfilesettingsbackend.c | ||
33 | @@ -33,6 +33,7 @@ | ||
34 | #include "gfilemonitor.h" | ||
35 | #include "gsimplepermission.h" | ||
36 | #include "gsettingsbackendinternal.h" | ||
37 | +#include "gstrfuncsprivate.h" | ||
38 | #include "giomodule-priv.h" | ||
39 | #include "gportalsupport.h" | ||
40 | |||
41 | @@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend *kfsb, | ||
42 | gchar **group, | ||
43 | gchar **basename) | ||
44 | { | ||
45 | - gint key_len = strlen (key); | ||
46 | - gint i; | ||
47 | + gsize key_len = strlen (key); | ||
48 | + const gchar *last_slash; | ||
49 | |||
50 | if (key_len < kfsb->prefix_len || | ||
51 | memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0) | ||
52 | @@ -155,38 +156,36 @@ convert_path (GKeyfileSettingsBackend *kfsb, | ||
53 | key_len -= kfsb->prefix_len; | ||
54 | key += kfsb->prefix_len; | ||
55 | |||
56 | - for (i = key_len; i >= 0; i--) | ||
57 | - if (key[i] == '/') | ||
58 | - break; | ||
59 | + last_slash = strrchr (key, '/'); | ||
60 | |||
61 | if (kfsb->root_group) | ||
62 | { | ||
63 | /* if a root_group was specified, make sure the user hasn't given | ||
64 | * a path that ghosts that group name | ||
65 | */ | ||
66 | - if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0) | ||
67 | + if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0) | ||
68 | return FALSE; | ||
69 | } | ||
70 | else | ||
71 | { | ||
72 | /* if no root_group was given, ensure that the user gave a path */ | ||
73 | - if (i == -1) | ||
74 | + if (last_slash == NULL) | ||
75 | return FALSE; | ||
76 | } | ||
77 | |||
78 | if (group) | ||
79 | { | ||
80 | - if (i >= 0) | ||
81 | + if (last_slash != NULL) | ||
82 | { | ||
83 | - *group = g_memdup (key, i + 1); | ||
84 | - (*group)[i] = '\0'; | ||
85 | + *group = g_memdup2 (key, (last_slash - key) + 1); | ||
86 | + (*group)[(last_slash - key)] = '\0'; | ||
87 | } | ||
88 | else | ||
89 | *group = g_strdup (kfsb->root_group); | ||
90 | } | ||
91 | |||
92 | if (basename) | ||
93 | - *basename = g_memdup (key + i + 1, key_len - i); | ||
94 | + *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key)); | ||
95 | |||
96 | return TRUE; | ||
97 | } | ||
98 | -- | ||
99 | GitLab | ||
100 | |||
101 | |||