From c679c1cac2af2ad1f1a2f8b2c75f3c5fde2b5ea2 Mon Sep 17 00:00:00 2001
From: Yi Fan Yu
Date: Thu, 28 Jan 2021 17:23:31 -0500
Subject: glibc: fix CVE-2020-27618 iconv: Accept redundant shift sequences in IBM1364 Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1893708 (From OE-Core rev: 78a381ec75e48283397a7fe9eaad2afbb070c235)
Signed-off-by: Yi Fan Yu
Signed-off-by: Richard Purdie
---
 meta/recipes-core/glibc/glibc/CVE-2020-27618.patch | 91 ++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-27618.patch
(limited to 'meta/recipes-core/glibc/glibc/CVE-2020-27618.patch')
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-27618.patch b/meta/recipes-core/glibc/glibc/CVE-2020-27618.patch
new file mode 100644
index 0000000000..bf32238357
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-27618.patch
@@ -0,0 +1,91 @@
+From 20e6c868c29f5a6121cbb88f3387bb9b884a4206 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar
+Date: Wed, 4 Nov 2020 12:19:38 +0100
+Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ
+ #26224]
+
+The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets
+share converter logic (iconvdata/ibm1364.c) which would reject
+redundant shift sequences when processing input in these character
+sets. This led to a hang in the iconv program (CVE-2020-27618).
+
+This commit adjusts the converter to ignore redundant shift sequences
+and adds test cases for iconv_prog hangs that would be triggered upon
+their rejection. This brings the implementation in line with other
+converters that also ignore redundant shift sequences (e.g. IBM930
+etc., fixed in commit 692de4b3960d).
+
+Reviewed-by: Carlos O'Donell
+
+Upstream-Status: Backport
+[https://sourceware.org/git/?p=glibc.git;a=commit;
+h=9a99c682144bdbd40792ebf822fe9264e0376fb5]
+
+CVE: CVE-2020-27618
+Signed-off-by: Yi Fan Yu
+---
+ iconv/tst-iconv_prog.sh | 16 ++++++++++------
+ iconvdata/ibm1364.c | 14 ++------------
+ 2 files changed, 12 insertions(+), 18 deletions(-)
+
+diff --git a/iconv/tst-iconv_prog.sh b/iconv/tst-iconv_prog.sh
+index 8298136b7f..d8db7b335c 100644
+--- a/iconv/tst-iconv_prog.sh
++++ b/iconv/tst-iconv_prog.sh
+@@ -102,12 +102,16 @@ hangarray=(
+ "\x00\x80;-c;IBM1161;UTF-8//TRANSLIT//IGNORE"
+ "\x00\xdb;-c;IBM1162;UTF-8//TRANSLIT//IGNORE"
+ "\x00\x70;-c;IBM12712;UTF-8//TRANSLIT//IGNORE"
+-# These are known hangs that are yet to be fixed:
+-# "\x00\x0f;-c;IBM1364;UTF-8"
+-# "\x00\x0f;-c;IBM1371;UTF-8"
+-# "\x00\x0f;-c;IBM1388;UTF-8"
+-# "\x00\x0f;-c;IBM1390;UTF-8"
+-# "\x00\x0f;-c;IBM1399;UTF-8"
++"\x00\x0f;-c;IBM1364;UTF-8"
++"\x0e\x0e;-c;IBM1364;UTF-8"
++"\x00\x0f;-c;IBM1371;UTF-8"
++"\x0e\x0e;-c;IBM1371;UTF-8"
++"\x00\x0f;-c;IBM1388;UTF-8"
++"\x0e\x0e;-c;IBM1388;UTF-8"
++"\x00\x0f;-c;IBM1390;UTF-8"
++"\x0e\x0e;-c;IBM1390;UTF-8"
++"\x00\x0f;-c;IBM1399;UTF-8"
++"\x0e\x0e;-c;IBM1399;UTF-8"
+ "\x00\x53;-c;IBM16804;UTF-8//TRANSLIT//IGNORE"
+ "\x00\x41;-c;IBM274;UTF-8//TRANSLIT//IGNORE"
+ "\x00\x41;-c;IBM275;UTF-8//TRANSLIT//IGNORE"
+diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
+index 49e7267ab4..521f0825b7 100644
+--- a/iconvdata/ibm1364.c
++++ b/iconvdata/ibm1364.c
+@@ -158,24 +158,14 @@ enum
+ \
+ if (__builtin_expect (ch, 0) == SO) \
+ { \
+- /* Shift OUT, change to DBCS converter. */ \
+- if (curcs == db) \
+- { \
+- result = __GCONV_ILLEGAL_INPUT; \
+- break; \
+- } \
++ /* Shift OUT, change to DBCS converter (redundant escape okay). */ \
+ curcs = db; \
+ ++inptr; \
+ continue; \
+ } \
+ if (__builtin_expect (ch, 0) == SI) \
+ { \
+- /* Shift IN, change to SBCS converter. */ \
+- if (curcs == sb) \
+- { \
+- result = __GCONV_ILLEGAL_INPUT; \
+- break; \
+- } \
++ /* Shift IN, change to SBCS converter (redundant escape okay). */ \
+ curcs = sb; \
+ ++inptr; \
+ continue; \
+-- 
+2.29.2
+
-- cgit v1.2.3-54-g00ecf
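Review bot: The `Upstream-Status: Backport` reference in the added patch header is wrapped in the middle of the URL, ending one line at `a=commit;` and starting the next at `h=9a99c682144bdbd40792ebf822fe9264e0376fb5]`, so the provenance link cannot be followed or matched as written; I would keep it on one line as `Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=9a99c682144bdbd40792ebf822fe9264e0376fb5]`. The embedded `From 20e6c868c29f5a6121cbb88f3387bb9b884a4206` id differs from that upstream id, presumably because the patch was regenerated from a local cherry-pick, which leaves the upstream hash as the only anchor for auditing this backport. This view is limited to the patch file, so whether the glibc recipe's `SRC_URI` lists `file://CVE-2020-27618.patch` is not visible here and is worth confirming, because an unlisted patch is never applied. In the `ibm1364.c` part the macro body starts and ends outside the hunk, so it cannot be checked from here whether other `__GCONV_ILLEGAL_INPUT` exits also `break` before `++inptr` the way the removed branches did.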