From d693d371a64b47c35f2849b9bb5ca79b6e2eac1f Mon Sep 17 00:00:00 2001
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Mon, 28 Jan 2019 13:57:44 +0000
Subject: systemd: Update recent CVE patches

* Added CVE tag, Upstream-Status tag and Sign-off-by tags.
* Removed the verification of the entry length in the header
* Squashed CVE-2018-16865 patches into one
* CVE-2018-16866 patch now taken from systemd-stable and includes
  an additional heap buffer overflow fix.

(From OE-Core rev: bc79395e2fcb886f224a4ad837fd93c779d2c53d)

(From OE-Core rev: 554a65619c45fec24f1790792de2db12a098bd80)

Signed-off-by: Marcus Cooper <marcusc@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 ...nal-fix-out-of-bounds-read-CVE-2018-16866.patch | 49 ++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch

(limited to 'meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch')

diff --git a/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
new file mode 100644
index 0000000000..3925a4abbb
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
@@ -0,0 +1,49 @@
+From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001
+From: Filipe Brandenburger <filbranden@google.com>
+Date: Thu, 10 Jan 2019 14:53:33 -0800
+Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866
+
+The original code didn't account for the fact that strchr() would match on the
+'\0' character, making it read past the end of the buffer if no non-whitespace
+character was present.
+
+This bug was introduced in commit ec5ff4445cca6a which was first released in
+systemd v221 and later fixed in commit 8595102d3ddde6 which was released in
+v240, so versions in the range [v221, v240) are affected.
+
+Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b
+also includes a change from systemd master which removes a heap buffer overflow
+a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
+
+CVE: CVE-2018-16866
+Upstream-Status: Backport
+Signed-off-by: Marcus Cooper <marcusc@axis.com>
+---
+ src/journal/journald-syslog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
+index 9dea116722..809b318c06 100644
+--- a/src/journal/journald-syslog.c
++++ b/src/journal/journald-syslog.c
+@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
+         e = l;
+         l--;
+ 
+-        if (p[l-1] == ']') {
++        if (l > 0 && p[l-1] == ']') {
+                 size_t k = l-1;
+ 
+                 for (;;) {
+@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
+         if (t)
+                 *identifier = t;
+ 
+-        if (strchr(WHITESPACE, p[e]))
++        if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
+                 e++;
+         *buf = p + e;
+         return e;
+-- 
+2.11.0
+
-- 
cgit v1.2.3-54-g00ecf