summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2019-25013.patch137
-rw-r--r--meta/recipes-core/glibc/glibc_2.32.bb1
2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
new file mode 100644
index 0000000000..987e959db2
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
@@ -0,0 +1,137 @@
1From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
2From: Andreas Schwab <schwab@suse.de>
3Date: Mon, 21 Dec 2020 08:56:43 +0530
4Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973)
5
6The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
7area and is not allowed. The from_euc_kr function used to skip two bytes
8when told to skip over the unknown designation, potentially running over
9the buffer end.
10
11Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b]
12CVE: CVE-2019-25013
13Signed-off-by: Scott Murray <scott.murray@konsulko.com>
14---
15 iconvdata/Makefile | 3 ++-
16 iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
17 iconvdata/euc-kr.c | 6 +----
18 iconvdata/ksc5601.h | 6 ++---
19 4 files changed, 59 insertions(+), 9 deletions(-)
20 create mode 100644 iconvdata/bug-iconv13.c
21
22diff --git a/iconvdata/Makefile b/iconvdata/Makefile
23index 4ec2741cdc..85009f3390 100644
24--- a/iconvdata/Makefile
25+++ b/iconvdata/Makefile
26@@ -73,7 +73,8 @@ modules.so := $(addsuffix .so, $(modules))
27 ifeq (yes,$(build-shared))
28 tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
29 tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
30- bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4
31+ bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
32+ bug-iconv13
33 ifeq ($(have-thread-library),yes)
34 tests += bug-iconv3
35 endif
36diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c
37new file mode 100644
38index 0000000000..87aaff398e
39--- /dev/null
40+++ b/iconvdata/bug-iconv13.c
41@@ -0,0 +1,53 @@
42+/* bug 24973: Test EUC-KR module
43+ Copyright (C) 2020 Free Software Foundation, Inc.
44+ This file is part of the GNU C Library.
45+
46+ The GNU C Library is free software; you can redistribute it and/or
47+ modify it under the terms of the GNU Lesser General Public
48+ License as published by the Free Software Foundation; either
49+ version 2.1 of the License, or (at your option) any later version.
50+
51+ The GNU C Library is distributed in the hope that it will be useful,
52+ but WITHOUT ANY WARRANTY; without even the implied warranty of
53+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
54+ Lesser General Public License for more details.
55+
56+ You should have received a copy of the GNU Lesser General Public
57+ License along with the GNU C Library; if not, see
58+ <https://www.gnu.org/licenses/>. */
59+
60+#include <errno.h>
61+#include <iconv.h>
62+#include <stdio.h>
63+#include <support/check.h>
64+
65+static int
66+do_test (void)
67+{
68+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
69+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
70+
71+ /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
72+ areas, which are not allowed and should be skipped over due to
73+ //IGNORE. The trailing 0xfe also is an incomplete sequence, which
74+ should be checked first. */
75+ char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
76+ char *inptr = input;
77+ size_t insize = sizeof (input);
78+ char output[4];
79+ char *outptr = output;
80+ size_t outsize = sizeof (output);
81+
82+ /* This used to crash due to buffer overrun. */
83+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
84+ TEST_VERIFY (errno == EINVAL);
85+ /* The conversion should produce one character, the converted null
86+ character. */
87+ TEST_VERIFY (sizeof (output) - outsize == 1);
88+
89+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
90+
91+ return 0;
92+}
93+
94+#include <support/test-driver.c>
95diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c
96index b0d56cf3ee..1045bae926 100644
97--- a/iconvdata/euc-kr.c
98+++ b/iconvdata/euc-kr.c
99@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
100 \
101 if (ch <= 0x9f) \
102 ++inptr; \
103- /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \
104- user-defined areas. */ \
105- else if (__builtin_expect (ch == 0xa0, 0) \
106- || __builtin_expect (ch > 0xfe, 0) \
107- || __builtin_expect (ch == 0xc9, 0)) \
108+ else if (__glibc_unlikely (ch == 0xa0)) \
109 { \
110 /* This is illegal. */ \
111 STANDARD_FROM_LOOP_ERR_HANDLER (1); \
112diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h
113index d3eb3a4ff8..f5cdc72797 100644
114--- a/iconvdata/ksc5601.h
115+++ b/iconvdata/ksc5601.h
116@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset)
117 unsigned char ch2;
118 int idx;
119
120+ if (avail < 2)
121+ return 0;
122+
123 /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
124
125 if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
126 || (ch - offset) == 0x49)
127 return __UNKNOWN_10646_CHAR;
128
129- if (avail < 2)
130- return 0;
131-
132 ch2 = (*s)[1];
133 if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
134 return __UNKNOWN_10646_CHAR;
135--
1362.27.0
137
diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
index b850c28c78..d43c8c56cb 100644
--- a/meta/recipes-core/glibc/glibc_2.32.bb
+++ b/meta/recipes-core/glibc/glibc_2.32.bb
@@ -46,6 +46,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
46 file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \ 46 file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \
47 file://CVE-2020-29562.patch \ 47 file://CVE-2020-29562.patch \
48 file://CVE-2020-29573.patch \ 48 file://CVE-2020-29573.patch \
49 file://CVE-2019-25013.patch \
49 " 50 "
50S = "${WORKDIR}/git" 51S = "${WORKDIR}/git"
51B = "${WORKDIR}/build-${TARGET_SYS}" 52B = "${WORKDIR}/build-${TARGET_SYS}"