diff options
Diffstat (limited to 'meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4025.patch')
-rw-r--r-- | meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4025.patch | 40 |
1 files changed, 33 insertions, 7 deletions
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4025.patch b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4025.patch index 0dabfba663..a5cdecf95b 100644 --- a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4025.patch +++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4025.patch | |||
@@ -1,7 +1,11 @@ | |||
1 | From fef997df2a1d6609af55e30eb67b65c786588fcb Mon Sep 17 00:00:00 2001 | ||
2 | From: "yanjun.zhu" <yanjun.zhu@windriver.com> | ||
3 | Date: Wed, 20 May 2015 18:18:47 +0200 | ||
4 | Subject: [PATCH 4/4] Fix CVE-2012-4025 | ||
5 | |||
1 | Upstream-Status: Backport | 6 | Upstream-Status: Backport |
2 | 7 | ||
3 | Reference: http://squashfs.git.sourceforge.net/git/gitweb.cgi? | 8 | Reference: https://github.com/plougher/squashfs-tools/commit/8515b3d420f502c5c0236b86e2d6d7e3b23c190e |
4 | p=squashfs/squashfs;a=patch;h=8515b3d420f502c5c0236b86e2d6d7e3b23c190e | ||
5 | 9 | ||
6 | Integer overflow in the queue_init function in unsquashfs.c in | 10 | Integer overflow in the queue_init function in unsquashfs.c in |
7 | unsquashfs in Squashfs 4.2 and earlier allows remote attackers | 11 | unsquashfs in Squashfs 4.2 and earlier allows remote attackers |
@@ -10,10 +14,29 @@ superblock of a .sqsh file, leading to a heap-based buffer overflow. | |||
10 | 14 | ||
11 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4025 | 15 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4025 |
12 | 16 | ||
13 | Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> | 17 | Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> |
18 | Signed-off-by: Martin Jansa <martin.jansa@lge.com> | ||
19 | --- | ||
20 | squashfs-tools/squashfs_fs.h | 1 + | ||
21 | squashfs-tools/unsquashfs.c | 110 +++++++++++++++++++++++++++++++++++++++---- | ||
22 | 2 files changed, 103 insertions(+), 8 deletions(-) | ||
14 | 23 | ||
15 | --- a/unsquashfs.c 2012-11-30 17:57:57.000000000 +0800 | 24 | diff --git a/squashfs_fs.h b/squashfs_fs.h |
16 | +++ b/unsquashfs.c 2012-11-30 17:58:09.000000000 +0800 | 25 | index d4fba1b..6227be2 100644 |
26 | --- a/squashfs_fs.h | ||
27 | +++ b/squashfs_fs.h | ||
28 | @@ -39,6 +39,7 @@ | ||
29 | #define SQUASHFS_FILE_LOG 17 | ||
30 | |||
31 | #define SQUASHFS_FILE_MAX_SIZE 1048576 | ||
32 | +#define SQUASHFS_FILE_MAX_LOG 20 | ||
33 | |||
34 | /* Max number of uids and gids */ | ||
35 | #define SQUASHFS_IDS 65536 | ||
36 | diff --git a/unsquashfs.c b/unsquashfs.c | ||
37 | index 4fc04e8..078d6ca 100644 | ||
38 | --- a/unsquashfs.c | ||
39 | +++ b/unsquashfs.c | ||
17 | @@ -33,6 +33,7 @@ | 40 | @@ -33,6 +33,7 @@ |
18 | #include <sys/types.h> | 41 | #include <sys/types.h> |
19 | #include <sys/time.h> | 42 | #include <sys/time.h> |
@@ -58,7 +81,7 @@ Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> | |||
58 | queue->data = malloc(sizeof(void *) * (size + 1)); | 81 | queue->data = malloc(sizeof(void *) * (size + 1)); |
59 | if(queue->data == NULL) | 82 | if(queue->data == NULL) |
60 | EXIT_UNSQUASH("Out of memory in queue_init\n"); | 83 | EXIT_UNSQUASH("Out of memory in queue_init\n"); |
61 | @@ -1948,13 +1971,30 @@ void initialise_threads(int fragment_buf | 84 | @@ -1948,13 +1971,30 @@ void initialise_threads(int fragment_buffer_size, int data_buffer_size) |
62 | * allocate to_reader, to_deflate and to_writer queues. Set based on | 85 | * allocate to_reader, to_deflate and to_writer queues. Set based on |
63 | * open file limit and cache size, unless open file limit is unlimited, | 86 | * open file limit and cache size, unless open file limit is unlimited, |
64 | * in which case set purely based on cache limits | 87 | * in which case set purely based on cache limits |
@@ -90,7 +113,7 @@ Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> | |||
90 | 113 | ||
91 | to_reader = queue_init(all_buffers_size); | 114 | to_reader = queue_init(all_buffers_size); |
92 | to_deflate = queue_init(all_buffers_size); | 115 | to_deflate = queue_init(all_buffers_size); |
93 | @@ -2059,6 +2099,32 @@ void progress_bar(long long current, lon | 116 | @@ -2059,6 +2099,32 @@ void progress_bar(long long current, long long max, int columns) |
94 | } | 117 | } |
95 | 118 | ||
96 | 119 | ||
@@ -188,3 +211,6 @@ Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> | |||
188 | initialise_threads(fragment_buffer_size, data_buffer_size); | 211 | initialise_threads(fragment_buffer_size, data_buffer_size); |
189 | 212 | ||
190 | fragment_data = malloc(block_size); | 213 | fragment_data = malloc(block_size); |
214 | -- | ||
215 | 2.1.4 | ||
216 | |||