diff options
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2019-25013.patch | 137 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.32.bb | 1 |
2 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch new file mode 100644 index 0000000000..987e959db2 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch | |||
@@ -0,0 +1,137 @@ | |||
1 | From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001 | ||
2 | From: Andreas Schwab <schwab@suse.de> | ||
3 | Date: Mon, 21 Dec 2020 08:56:43 +0530 | ||
4 | Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973) | ||
5 | |||
6 | The byte 0xfe as input to the EUC-KR conversion denotes a user-defined | ||
7 | area and is not allowed. The from_euc_kr function used to skip two bytes | ||
8 | when told to skip over the unknown designation, potentially running over | ||
9 | the buffer end. | ||
10 | |||
11 | Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b] | ||
12 | CVE: CVE-2019-25013 | ||
13 | Signed-off-by: Scott Murray <scott.murray@konsulko.com> | ||
14 | --- | ||
15 | iconvdata/Makefile | 3 ++- | ||
16 | iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++ | ||
17 | iconvdata/euc-kr.c | 6 +---- | ||
18 | iconvdata/ksc5601.h | 6 ++--- | ||
19 | 4 files changed, 59 insertions(+), 9 deletions(-) | ||
20 | create mode 100644 iconvdata/bug-iconv13.c | ||
21 | |||
22 | diff --git a/iconvdata/Makefile b/iconvdata/Makefile | ||
23 | index 4ec2741cdc..85009f3390 100644 | ||
24 | --- a/iconvdata/Makefile | ||
25 | +++ b/iconvdata/Makefile | ||
26 | @@ -73,7 +73,8 @@ modules.so := $(addsuffix .so, $(modules)) | ||
27 | ifeq (yes,$(build-shared)) | ||
28 | tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ | ||
29 | tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ | ||
30 | - bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 | ||
31 | + bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \ | ||
32 | + bug-iconv13 | ||
33 | ifeq ($(have-thread-library),yes) | ||
34 | tests += bug-iconv3 | ||
35 | endif | ||
36 | diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c | ||
37 | new file mode 100644 | ||
38 | index 0000000000..87aaff398e | ||
39 | --- /dev/null | ||
40 | +++ b/iconvdata/bug-iconv13.c | ||
41 | @@ -0,0 +1,53 @@ | ||
42 | +/* bug 24973: Test EUC-KR module | ||
43 | + Copyright (C) 2020 Free Software Foundation, Inc. | ||
44 | + This file is part of the GNU C Library. | ||
45 | + | ||
46 | + The GNU C Library is free software; you can redistribute it and/or | ||
47 | + modify it under the terms of the GNU Lesser General Public | ||
48 | + License as published by the Free Software Foundation; either | ||
49 | + version 2.1 of the License, or (at your option) any later version. | ||
50 | + | ||
51 | + The GNU C Library is distributed in the hope that it will be useful, | ||
52 | + but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
53 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
54 | + Lesser General Public License for more details. | ||
55 | + | ||
56 | + You should have received a copy of the GNU Lesser General Public | ||
57 | + License along with the GNU C Library; if not, see | ||
58 | + <https://www.gnu.org/licenses/>. */ | ||
59 | + | ||
60 | +#include <errno.h> | ||
61 | +#include <iconv.h> | ||
62 | +#include <stdio.h> | ||
63 | +#include <support/check.h> | ||
64 | + | ||
65 | +static int | ||
66 | +do_test (void) | ||
67 | +{ | ||
68 | + iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR"); | ||
69 | + TEST_VERIFY_EXIT (cd != (iconv_t) -1); | ||
70 | + | ||
71 | + /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined | ||
72 | + areas, which are not allowed and should be skipped over due to | ||
73 | + //IGNORE. The trailing 0xfe also is an incomplete sequence, which | ||
74 | + should be checked first. */ | ||
75 | + char input[4] = { '\xc9', '\xa1', '\0', '\xfe' }; | ||
76 | + char *inptr = input; | ||
77 | + size_t insize = sizeof (input); | ||
78 | + char output[4]; | ||
79 | + char *outptr = output; | ||
80 | + size_t outsize = sizeof (output); | ||
81 | + | ||
82 | + /* This used to crash due to buffer overrun. */ | ||
83 | + TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1); | ||
84 | + TEST_VERIFY (errno == EINVAL); | ||
85 | + /* The conversion should produce one character, the converted null | ||
86 | + character. */ | ||
87 | + TEST_VERIFY (sizeof (output) - outsize == 1); | ||
88 | + | ||
89 | + TEST_VERIFY_EXIT (iconv_close (cd) != -1); | ||
90 | + | ||
91 | + return 0; | ||
92 | +} | ||
93 | + | ||
94 | +#include <support/test-driver.c> | ||
95 | diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c | ||
96 | index b0d56cf3ee..1045bae926 100644 | ||
97 | --- a/iconvdata/euc-kr.c | ||
98 | +++ b/iconvdata/euc-kr.c | ||
99 | @@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp) | ||
100 | \ | ||
101 | if (ch <= 0x9f) \ | ||
102 | ++inptr; \ | ||
103 | - /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \ | ||
104 | - user-defined areas. */ \ | ||
105 | - else if (__builtin_expect (ch == 0xa0, 0) \ | ||
106 | - || __builtin_expect (ch > 0xfe, 0) \ | ||
107 | - || __builtin_expect (ch == 0xc9, 0)) \ | ||
108 | + else if (__glibc_unlikely (ch == 0xa0)) \ | ||
109 | { \ | ||
110 | /* This is illegal. */ \ | ||
111 | STANDARD_FROM_LOOP_ERR_HANDLER (1); \ | ||
112 | diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h | ||
113 | index d3eb3a4ff8..f5cdc72797 100644 | ||
114 | --- a/iconvdata/ksc5601.h | ||
115 | +++ b/iconvdata/ksc5601.h | ||
116 | @@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset) | ||
117 | unsigned char ch2; | ||
118 | int idx; | ||
119 | |||
120 | + if (avail < 2) | ||
121 | + return 0; | ||
122 | + | ||
123 | /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */ | ||
124 | |||
125 | if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e | ||
126 | || (ch - offset) == 0x49) | ||
127 | return __UNKNOWN_10646_CHAR; | ||
128 | |||
129 | - if (avail < 2) | ||
130 | - return 0; | ||
131 | - | ||
132 | ch2 = (*s)[1]; | ||
133 | if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f) | ||
134 | return __UNKNOWN_10646_CHAR; | ||
135 | -- | ||
136 | 2.27.0 | ||
137 | |||
diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb index b850c28c78..d43c8c56cb 100644 --- a/meta/recipes-core/glibc/glibc_2.32.bb +++ b/meta/recipes-core/glibc/glibc_2.32.bb | |||
@@ -46,6 +46,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ | |||
46 | file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \ | 46 | file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \ |
47 | file://CVE-2020-29562.patch \ | 47 | file://CVE-2020-29562.patch \ |
48 | file://CVE-2020-29573.patch \ | 48 | file://CVE-2020-29573.patch \ |
49 | file://CVE-2019-25013.patch \ | ||
49 | " | 50 | " |
50 | S = "${WORKDIR}/git" | 51 | S = "${WORKDIR}/git" |
51 | B = "${WORKDIR}/build-${TARGET_SYS}" | 52 | B = "${WORKDIR}/build-${TARGET_SYS}" |