From 7b78e1b4de0421de9f876aeb4ff11d6d017a4b7b Mon Sep 17 00:00:00 2001 From: Oleksandr Kravchuk Date: Mon, 27 Jul 2020 11:00:35 +0200 Subject: json-c: update to 0.15 Remove upstreamed patch. (From OE-Core rev: 411f47cdcb74109a103166477d606c88db6175ee) Signed-off-by: Oleksandr Kravchuk Signed-off-by: Richard Purdie --- .../json-c/json-c/CVE-2020-12762.patch | 160 --------------------- meta/recipes-devtools/json-c/json-c_0.14.bb | 20 --- meta/recipes-devtools/json-c/json-c_0.15.bb | 18 +++ 3 files changed, 18 insertions(+), 180 deletions(-) delete mode 100644 meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch delete mode 100644 meta/recipes-devtools/json-c/json-c_0.14.bb create mode 100644 meta/recipes-devtools/json-c/json-c_0.15.bb (limited to 'meta/recipes-devtools') diff --git a/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch b/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch deleted file mode 100644 index a45cfb61bc..0000000000 --- a/meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch +++ /dev/null @@ -1,160 +0,0 @@ -From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Mon, 4 May 2020 19:41:16 +0200 -Subject: [PATCH 1/3] Protect array_list_del_idx against size_t overflow. - -If the assignment of stop overflows due to idx and count being -larger than SIZE_T_MAX in sum, out of boundary access could happen. - -It takes invalid usage of this function for this to happen, but -I decided to add this check so array_list_del_idx is as safe against -bad usage as the other arraylist functions. - -Upstream-Status: Backport [https://github.com/json-c/json-c/commit/31243e4d1204ef78be34b0fcae73221eee6b83be] -CVE: CVE-2020-12762 -Signed-off-by: Chee Yang Lee - ---- - arraylist.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/arraylist.c b/arraylist.c -index 12ad8af6d3..e5524aca75 100644 ---- a/arraylist.c -+++ b/arraylist.c -@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count) - { - size_t i, stop; - -+ /* Avoid overflow in calculation with large indices. */ -+ if (idx > SIZE_T_MAX - count) -+ return -1; - stop = idx + count; - if (idx >= arr->length || stop > arr->length) - return -1; - -From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Mon, 4 May 2020 19:46:45 +0200 -Subject: [PATCH 2/3] Prevent division by zero in linkhash. - -If a linkhash with a size of zero is created, then modulo operations -are prone to division by zero operations. - -Purely protective measure against bad usage. ---- - linkhash.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/linkhash.c b/linkhash.c -index 7ea58c0abf..f05cc38030 100644 ---- a/linkhash.c -+++ b/linkhash.c -@@ -12,6 +12,7 @@ - - #include "config.h" - -+#include - #include - #include - #include -@@ -499,6 +500,8 @@ struct lh_table *lh_table_new(int size, lh_entry_free_fn *free_fn, lh_hash_fn *h - int i; - struct lh_table *t; - -+ /* Allocate space for elements to avoid divisions by zero. */ -+ assert(size > 0); - t = (struct lh_table *)calloc(1, sizeof(struct lh_table)); - if (!t) - return NULL; - -From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Mon, 4 May 2020 19:47:25 +0200 -Subject: [PATCH 3/3] Fix integer overflows. - -The data structures linkhash and printbuf are limited to 2 GB in size -due to a signed integer being used to track their current size. - -If too much data is added, then size variable can overflow, which is -an undefined behaviour in C programming language. - -Assuming that a signed int overflow just leads to a negative value, -like it happens on many sytems (Linux i686/amd64 with gcc), then -printbuf is vulnerable to an out of boundary write on 64 bit systems. ---- - linkhash.c | 7 +++++-- - printbuf.c | 19 ++++++++++++++++--- - 2 files changed, 21 insertions(+), 5 deletions(-) - -diff --git a/linkhash.c b/linkhash.c -index f05cc38030..51e90b13a2 100644 ---- a/linkhash.c -+++ b/linkhash.c -@@ -580,9 +580,12 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con - { - unsigned long n; - -- if (t->count >= t->size * LH_LOAD_FACTOR) -- if (lh_table_resize(t, t->size * 2) != 0) -+ if (t->count >= t->size * LH_LOAD_FACTOR) { -+ /* Avoid signed integer overflow with large tables. */ -+ int new_size = INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX; -+ if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0) - return -1; -+ } - - n = h % t->size; - -diff --git a/printbuf.c b/printbuf.c -index 976c12dde5..00822fac4f 100644 ---- a/printbuf.c -+++ b/printbuf.c -@@ -15,6 +15,7 @@ - - #include "config.h" - -+#include - #include - #include - #include -@@ -65,10 +66,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) - - if (p->size >= min_size) - return 0; -- -- new_size = p->size * 2; -- if (new_size < min_size + 8) -+ /* Prevent signed integer overflows with large buffers. */ -+ if (min_size > INT_MAX - 8) -+ return -1; -+ if (p->size > INT_MAX / 2) - new_size = min_size + 8; -+ else { -+ new_size = p->size * 2; -+ if (new_size < min_size + 8) -+ new_size = min_size + 8; -+ } - #ifdef PRINTBUF_DEBUG - MC_DEBUG("printbuf_memappend: realloc " - "bpos=%d min_size=%d old_size=%d new_size=%d\n", -@@ -83,6 +90,9 @@ static int printbuf_extend(struct printbuf *p, int min_size) - - int printbuf_memappend(struct printbuf *p, const char *buf, int size) - { -+ /* Prevent signed integer overflows with large buffers. */ -+ if (size > INT_MAX - p->bpos - 1) -+ return -1; - if (p->size <= p->bpos + size + 1) - { - if (printbuf_extend(p, p->bpos + size + 1) < 0) -@@ -100,6 +110,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) - - if (offset == -1) - offset = pb->bpos; -+ /* Prevent signed integer overflows with large buffers. */ -+ if (len > INT_MAX - offset) -+ return -1; - size_needed = offset + len; - if (pb->size < size_needed) - { diff --git a/meta/recipes-devtools/json-c/json-c_0.14.bb b/meta/recipes-devtools/json-c/json-c_0.14.bb deleted file mode 100644 index 1d501d1294..0000000000 --- a/meta/recipes-devtools/json-c/json-c_0.14.bb +++ /dev/null @@ -1,20 +0,0 @@ -SUMMARY = "C bindings for apps which will manipulate JSON data" -DESCRIPTION = "JSON-C implements a reference counting object model that allows you to easily construct JSON objects in C." -HOMEPAGE = "https://github.com/json-c/json-c/wiki" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2" - -SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \ - file://CVE-2020-12762.patch \ -" - -SRC_URI[sha256sum] = "b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870" - -UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases" -UPSTREAM_CHECK_REGEX = "json-c-(?P\d+(\.\d+)+)-\d+" - -RPROVIDES_${PN} = "libjson" - -inherit cmake - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-devtools/json-c/json-c_0.15.bb b/meta/recipes-devtools/json-c/json-c_0.15.bb new file mode 100644 index 0000000000..2968590dd8 --- /dev/null +++ b/meta/recipes-devtools/json-c/json-c_0.15.bb @@ -0,0 +1,18 @@ +SUMMARY = "C bindings for apps which will manipulate JSON data" +DESCRIPTION = "JSON-C implements a reference counting object model that allows you to easily construct JSON objects in C." +HOMEPAGE = "https://github.com/json-c/json-c/wiki" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2" + +SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz" + +SRC_URI[sha256sum] = "b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6" + +UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases" +UPSTREAM_CHECK_REGEX = "json-c-(?P\d+(\.\d+)+)-\d+" + +RPROVIDES_${PN} = "libjson" + +inherit cmake + +BBCLASSEXTEND = "native nativesdk" -- cgit v1.2.3-54-g00ecf