| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-12-25 13:51:39 +0100 |
|---|---|---|
| committer | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-12-25 13:57:04 +0100 |
| commit | 9af2a4a468a601feb94f3f7aefa273e8e168c670 (patch) | |
| tree | 5a0842744ab0595492b9e6c7e56d7e8a2ea1f2b3 | |
| parent | 5b7d15db187f79e168a5f25cdb1f14dd967811f3 (diff) | |
| download | meta-openembedded-9af2a4a468a601feb94f3f7aefa273e8e168c670.tar.gz | |
dbus-broker: patch CVE-2022-31212
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-31212
A detailed writeup[1] is referenced by the nvd report, which
describes that the vulnerability itself is not in the application,
rather in a dependency of it, in c-shutil, which is pulled in as
a submodule.
Pick the patch from this submodule that fixes a stack overflow, and
adds a test explicitly verifying the described vulnerability.
[1]: https://sec-consult.com/vulnerability-lab/advisory/memory-corruption-vulnerabilities-dbus-broker/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
| -rw-r--r-- | meta-oe/recipes-core/dbus/dbus-broker/CVE-2022-31212.patch | 70 | ||||
| -rw-r--r-- | meta-oe/recipes-core/dbus/dbus-broker_29.bb | 4 |
2 files changed, 73 insertions, 1 deletions
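--- /dev/null
+++ b/meta-oe/recipes-core/dbus/dbus-broker/CVE-2022-31212.patch
@@ -0,0 +1,70 @@
+From 2dfb73805571bd48e92b2d09962bc99f3bc4f86b Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsberg@gmail.com>
+Date: Tue, 19 Apr 2022 13:11:02 +0200
+Subject: [PATCH] strnspn: fix buffer overflow
+
+Fix the strnspn and strncspn functions to use a properly sized buffer.
+It used to be 1 byte too short. Checking for `0xff` in a string will
+thus write `0xff` once byte beyond the stack space of the local buffer.
+
+Note that the public API does not allow to pass `0xff` to those
+functions. Therefore, this is a read-only buffer overrun, possibly
+causing bogus reports from the parser, but still well-defined.
+
+Reported-by: Steffen Robertz
+Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
+
+CVE: CVE-2022-31212
+Upstream-Status: Backport [https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+subprojects/c-shquote/src/c-shquote.c | 4 ++--
+subprojects/c-shquote/src/test-private.c | 6 ++++++
+2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/subprojects/c-shquote/src/c-shquote.c b/subprojects/c-shquote/src/c-shquote.c
+index b268906..abb55d6 100644
+--- a/subprojects/c-shquote/src/c-shquote.c
++++ b/subprojects/c-shquote/src/c-shquote.c
+@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp,
+size_t c_shquote_strnspn(const char *string,
+size_t n_string,
+const char *accept) {
+- bool buffer[UCHAR_MAX] = {};
++ bool buffer[UCHAR_MAX + 1] = {};
+
+for ( ; *accept; ++accept)
+buffer[(unsigned char)*accept] = true;
+@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string,
+size_t c_shquote_strncspn(const char *string,
+size_t n_string,
+const char *reject) {
+- bool buffer[UCHAR_MAX] = {};
++ bool buffer[UCHAR_MAX + 1] = {};
+
+if (strlen(reject) == 1) {
+const char *p;
+diff --git a/subprojects/c-shquote/src/test-private.c b/subprojects/c-shquote/src/test-private.c
+index 57a7250..c6afe40 100644
+--- a/subprojects/c-shquote/src/test-private.c
++++ b/subprojects/c-shquote/src/test-private.c
+@@ -148,6 +148,9 @@ static void test_strnspn(void) {
+
+len = c_shquote_strnspn("ab", 2, "bc");
+c_assert(len == 0);
++
++ len = c_shquote_strnspn("ab", 2, "\xff");
++ c_assert(len == 0);
+}
+
+static void test_strncspn(void) {
+@@ -167,6 +170,9 @@ static void test_strncspn(void) {
+
+len = c_shquote_strncspn("ab", 2, "cd");
+c_assert(len == 2);
++
++ len = c_shquote_strncspn("ab", 2, "\xff");
++ c_assert(len == 2);
+}
+
+static void test_discard_comment(void) {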
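Review bot: The added `c_shquote_strncspn("ab", 2, "\xff")` check in test_strncspn passes a one-byte reject set, and the c-shquote.c hunk shows that function opening with `if (strlen(reject) == 1) {`, so this call most likely takes the single-character path and never indexes the resized `buffer`. That branch body lies outside the hunk, so this is inferred rather than confirmed. A two-byte set such as `len = c_shquote_strncspn("ab", 2, "\xff\xfe");` followed by `c_assert(len == 2);` would reach the lookup table. Both new tests also assert only the returned length, so against the old `bool buffer[UCHAR_MAX]` the one-element overrun at index 255 would probably go unnoticed unless the test binary is built with a sanitizer. A comment above each call, for example `/* 0xff is the last table slot; run under ASan to catch a short table */`, would record that.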
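--- a/meta-oe/recipes-core/dbus/dbus-broker_29.bb
+++ b/meta-oe/recipes-core/dbus/dbus-broker_29.bb
@@ -6,7 +6,9 @@ SECTION = "base"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=7b486c2338d225a1405d979ed2c15ce8"
 
-SRC_URI = "https://github.com/bus1/dbus-broker/releases/download/v${PV}/dbus-broker-${PV}.tar.xz"
+SRC_URI = "https://github.com/bus1/dbus-broker/releases/download/v${PV}/dbus-broker-${PV}.tar.xz \
+file://CVE-2022-31212.patch \
+"
 SRC_URI[sha256sum] = "4eca425db52b7ab1027153e93fea9b3f11759db9e93ffbf88759b73ddfb8026a"
 
 UPSTREAM_CHECK_URI = "https://github.com/bus1/${BPN}/releases"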
