1 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/fix-regression-CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/fix-regression-CVE-2019-12900.patch
new file mode 100644
index 0000000000..362e6cf319
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/fix-regression-CVE-2019-12900.patch
@@ -0,0 +1,82 @@
+From 212f3ed7ac3931c9e0e9167a0bdc16eeb3c76af4 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 3 Jul 2019 01:28:11 +0200
+Subject: [PATCH] Accept as many selectors as the file format allows.
+But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS.
+The theoretical maximum number of selectors depends on the maximum
+blocksize (900000 bytes) and the number of symbols (50) that can be
+encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002.
+But the bzip2 file format allows the number of selectors to be encoded
+with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in
+14 bits). So the file format maximum is 32767 selectors.
+Some bzip2 encoders might actually have written out more selectors
+than the theoretical maximum because they rounded up the number of
+selectors to some convenient factor of 8.
+The extra 14766 selectors can never be validly used by the decompression
+algorithm. So we can read them, but then discard them.
+This is effectively what was done (by accident) before we added a
+check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate
+CVE-2019-12900.
+The extra selectors were written out after the array inside the
+EState struct. But the struct has extra space allocated after the
+selector arrays of 18060 bytes (which is larger than 14766).
+All of which will be initialized later (so the overwrite of that
+space with extra selector values would have been harmless).
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ compress.c   |  2 +-
+ decompress.c | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+diff --git a/compress.c b/compress.c
+index caf7696..19b662b 100644
+--- a/compress.c
+++ b/compress.c
+@@ -454,7 +454,7 @@ void sendMTFValues ( EState* s )
+ 
+    AssertH( nGroups < 8, 3002 );
+    AssertH( nSelectors < 32768 &&
+-            nSelectors <= (2 + (900000 / BZ_G_SIZE)),
+            nSelectors <= BZ_MAX_SELECTORS,
+             3003 );
+ 
+ 
+diff --git a/decompress.c b/decompress.c
+index b6e0a29..78060c9 100644
+--- a/decompress.c
+++ b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
+      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
+       for (i = 0; i < nSelectors; i++) {
+          j = 0;
+          while (True) {
+@@ -296,8 +296,14 @@ Int32 BZ2_decompress ( DState* s )
+             j++;
+             if (j >= nGroups) RETURN(BZ_DATA_ERROR);
+          }
+-         s->selectorMtf[i] = j;
+         /* Having more than BZ_MAX_SELECTORS doesn't make much sense
+            since they will never be used, but some implementations might
+            "round up" the number of selectors, so just ignore those. */
+         if (i < BZ_MAX_SELECTORS)
+           s->selectorMtf[i] = j;
+       }
+      if (nSelectors > BZ_MAX_SELECTORS)
+        nSelectors = BZ_MAX_SELECTORS;
+ 
+       /*--- Undo the MTF values for the selectors. ---*/
+       {

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/fix-regression-CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/fix-regression-CVE-2019-12900.patch new file mode 100644 index 0000000000..362e6cf319 --- /dev/null +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/fix-regression-CVE-2019-12900.patch
@@ -0,0 +1,82 @@
	1	From 212f3ed7ac3931c9e0e9167a0bdc16eeb3c76af4 Mon Sep 17 00:00:00 2001
	2	From: Mark Wielaard <mark@klomp.org>
	3	Date: Wed, 3 Jul 2019 01:28:11 +0200
	4	Subject: [PATCH] Accept as many selectors as the file format allows.
	5
	6	But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS.
	7
	8	The theoretical maximum number of selectors depends on the maximum
	9	blocksize (900000 bytes) and the number of symbols (50) that can be
	10	encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002.
	11
	12	But the bzip2 file format allows the number of selectors to be encoded
	13	with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in
	14	14 bits). So the file format maximum is 32767 selectors.
	15
	16	Some bzip2 encoders might actually have written out more selectors
	17	than the theoretical maximum because they rounded up the number of
	18	selectors to some convenient factor of 8.
	19
	20	The extra 14766 selectors can never be validly used by the decompression
	21	algorithm. So we can read them, but then discard them.
	22
	23	This is effectively what was done (by accident) before we added a
	24	check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate
	25	CVE-2019-12900.
	26
	27	The extra selectors were written out after the array inside the
	28	EState struct. But the struct has extra space allocated after the
	29	selector arrays of 18060 bytes (which is larger than 14766).
	30	All of which will be initialized later (so the overwrite of that
	31	space with extra selector values would have been harmless).
	32
	33	Upstream-Status: Backport
	34	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	35
	36	---
	37	compress.c \| 2 +-
	38	decompress.c \| 10 ++++++++--
	39	2 files changed, 9 insertions(+), 3 deletions(-)
	40
	41	diff --git a/compress.c b/compress.c
	42	index caf7696..19b662b 100644
	43	--- a/compress.c
	44	+++ b/compress.c
	45	@@ -454,7 +454,7 @@ void sendMTFValues ( EState* s )
	46
	47	AssertH( nGroups < 8, 3002 );
	48	AssertH( nSelectors < 32768 &&
	49	- nSelectors <= (2 + (900000 / BZ_G_SIZE)),
	50	+ nSelectors <= BZ_MAX_SELECTORS,
	51	3003 );
	52
	53
	54	diff --git a/decompress.c b/decompress.c
	55	index b6e0a29..78060c9 100644
	56	--- a/decompress.c
	57	+++ b/decompress.c
	58	@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
	59	GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
	60	if (nGroups < 2 \|\| nGroups > 6) RETURN(BZ_DATA_ERROR);
	61	GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
	62	- if (nSelectors < 1 \|\| nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
	63	+ if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
	64	for (i = 0; i < nSelectors; i++) {
	65	j = 0;
	66	while (True) {
	67	@@ -296,8 +296,14 @@ Int32 BZ2_decompress ( DState* s )
	68	j++;
	69	if (j >= nGroups) RETURN(BZ_DATA_ERROR);
	70	}
	71	- s->selectorMtf[i] = j;
	72	+ /* Having more than BZ_MAX_SELECTORS doesn't make much sense
	73	+ since they will never be used, but some implementations might
	74	+ "round up" the number of selectors, so just ignore those. */
	75	+ if (i < BZ_MAX_SELECTORS)
	76	+ s->selectorMtf[i] = j;
	77	}
	78	+ if (nSelectors > BZ_MAX_SELECTORS)
	79	+ nSelectors = BZ_MAX_SELECTORS;
	80
	81	/--- Undo the MTF values for the selectors. ---/
	82	{