diff options
| author | Meenali Gupta <meenali.gupta@windriver.com> | 2024-02-13 11:13:03 +0000 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2024-02-28 08:18:18 -0500 |
| commit | ab7c9bea36833c439321272a2bdf98e15483672b (patch) | |
| tree | d16a964820df1f4d80ff762d673a2f49a5faba22 | |
| parent | 5800571ad7adb79186a79d96b89de2f43b86a21d (diff) | |
| download | meta-openembedded-ab7c9bea36833c439321272a2bdf98e15483672b.tar.gz | |
graphviz: fix CVE-2023-46045
Graphviz 2.36 before 10.0.0 has an out-of-bounds read via a crafted config6a file.
NOTE: exploitability may be uncommon because this file is typically owned by root.
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
4 files changed, 111 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch new file mode 100644 index 0000000000..a48f8aa06a --- /dev/null +++ b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | From 361f274ca901c3c476697a6404662d95f4dd43cb Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Matthew Fernandez <matthew.fernandez@gmail.com> | ||
| 3 | Date: Fri, 12 Jan 2024 17:06:17 +1100 | ||
| 4 | Subject: [PATCH] gvc gvconfig_plugin_install_from_config: more tightly scope | ||
| 5 | 'gv_api' | ||
| 6 | |||
| 7 | Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/361f274ca901c3c476697a6404662d95f4dd43cb] | ||
| 8 | CVE: CVE-2023-46045 | ||
| 9 | |||
| 10 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
| 11 | --- | ||
| 12 | lib/gvc/gvconfig.c | 3 +-- | ||
| 13 | 1 file changed, 1 insertion(+), 2 deletions(-) | ||
| 14 | |||
| 15 | diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c | ||
| 16 | index 2d86321..f9d1dcc 100644 | ||
| 17 | --- a/lib/gvc/gvconfig.c | ||
| 18 | +++ b/lib/gvc/gvconfig.c | ||
| 19 | @@ -173,7 +173,6 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s) | ||
| 20 | { | ||
| 21 | char *package_path, *name, *api; | ||
| 22 | const char *type; | ||
| 23 | - api_t gv_api; | ||
| 24 | int quality, rc; | ||
| 25 | int nest = 0; | ||
| 26 | gvplugin_package_t *package; | ||
| 27 | @@ -188,7 +187,7 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s) | ||
| 28 | package = gvplugin_package_record(gvc, package_path, name); | ||
| 29 | do { | ||
| 30 | api = token(&nest, &s); | ||
| 31 | - gv_api = gvplugin_api(api); | ||
| 32 | + const api_t gv_api = gvplugin_api(api); | ||
| 33 | do { | ||
| 34 | if (nest == 2) { | ||
| 35 | type = token(&nest, &s); | ||
| 36 | -- | ||
| 37 | 2.40.0 | ||
| 38 | |||
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch new file mode 100644 index 0000000000..4c70b1a877 --- /dev/null +++ b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch | |||
| @@ -0,0 +1,39 @@ | |||
| 1 | From 3f31704cafd7da3e86bb2861accf5e90c973e62a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Matthew Fernandez <matthew.fernandez@gmail.com> | ||
| 3 | Date: Fri, 12 Jan 2024 17:06:17 +1100 | ||
| 4 | Subject: [PATCH] gvc gvconfig_plugin_install_from_config: more tightly scope | ||
| 5 | 'api' | ||
| 6 | |||
| 7 | Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/3f31704cafd7da3e86bb2861accf5e90c973e62a] | ||
| 8 | CVE: CVE-2023-46045 | ||
| 9 | |||
| 10 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
| 11 | --- | ||
| 12 | lib/gvc/gvconfig.c | 4 ++-- | ||
| 13 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 14 | |||
| 15 | diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c | ||
| 16 | index f9d1dcc..95e8c6c 100644 | ||
| 17 | --- a/lib/gvc/gvconfig.c | ||
| 18 | +++ b/lib/gvc/gvconfig.c | ||
| 19 | @@ -171,7 +171,7 @@ static char *token(int *nest, char **tokens) | ||
| 20 | |||
| 21 | static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s) | ||
| 22 | { | ||
| 23 | - char *package_path, *name, *api; | ||
| 24 | + char *package_path, *name; | ||
| 25 | const char *type; | ||
| 26 | int quality, rc; | ||
| 27 | int nest = 0; | ||
| 28 | @@ -186,7 +186,7 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s) | ||
| 29 | name = "x"; | ||
| 30 | package = gvplugin_package_record(gvc, package_path, name); | ||
| 31 | do { | ||
| 32 | - api = token(&nest, &s); | ||
| 33 | + const char *api = token(&nest, &s); | ||
| 34 | const api_t gv_api = gvplugin_api(api); | ||
| 35 | do { | ||
| 36 | if (nest == 2) { | ||
| 37 | -- | ||
| 38 | 2.40.0 | ||
| 39 | |||
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch new file mode 100644 index 0000000000..4746265eeb --- /dev/null +++ b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch | |||
| @@ -0,0 +1,31 @@ | |||
| 1 | From a95f977f5d809915ec4b14836d2b5b7f5e74881e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Matthew Fernandez <matthew.fernandez@gmail.com> | ||
| 3 | Date: Fri, 12 Jan 2024 17:06:17 +1100 | ||
| 4 | Subject: [PATCH] gvc: detect plugin installation failure and display an error | ||
| 5 | |||
| 6 | Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/a95f977f5d809915ec4b14836d2b5b7f5e74881e] | ||
| 7 | CVE: CVE-2023-46045 | ||
| 8 | |||
| 9 | Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> | ||
| 10 | --- | ||
| 11 | lib/gvc/gvconfig.c | 4 ++++ | ||
| 12 | 1 file changed, 4 insertions(+) | ||
| 13 | |||
| 14 | diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c | ||
| 15 | index 95e8c6c..77d0865 100644 | ||
| 16 | --- a/lib/gvc/gvconfig.c | ||
| 17 | +++ b/lib/gvc/gvconfig.c | ||
| 18 | @@ -188,6 +188,10 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s) | ||
| 19 | do { | ||
| 20 | const char *api = token(&nest, &s); | ||
| 21 | const api_t gv_api = gvplugin_api(api); | ||
| 22 | + if (gv_api == (api_t)-1) { | ||
| 23 | + agerr(AGERR, "config error: %s %s not found\n", package_path, api); | ||
| 24 | + return 0; | ||
| 25 | + } | ||
| 26 | do { | ||
| 27 | if (nest == 2) { | ||
| 28 | type = token(&nest, &s); | ||
| 29 | -- | ||
| 30 | 2.40.0 | ||
| 31 | |||
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb index 4c51af669c..f06e2adb02 100644 --- a/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb +++ b/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb | |||
| @@ -20,6 +20,9 @@ DEPENDS:append:class-nativesdk = " ${BPN}-native" | |||
| 20 | inherit autotools-brokensep pkgconfig gettext qemu | 20 | inherit autotools-brokensep pkgconfig gettext qemu |
| 21 | 21 | ||
| 22 | SRC_URI = "https://gitlab.com/api/v4/projects/4207231/packages/generic/${BPN}-releases/${PV}/${BP}.tar.xz \ | 22 | SRC_URI = "https://gitlab.com/api/v4/projects/4207231/packages/generic/${BPN}-releases/${PV}/${BP}.tar.xz \ |
| 23 | file://CVE-2023-46045-1.patch \ | ||
| 24 | file://CVE-2023-46045-2.patch \ | ||
| 25 | file://CVE-2023-46045-3.patch \ | ||
| 23 | " | 26 | " |
| 24 | # Use native mkdefs | 27 | # Use native mkdefs |
| 25 | SRC_URI:append:class-target = "\ | 28 | SRC_URI:append:class-target = "\ |
