summaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-devtools
diff options
context:
space:
mode:
authorAnkur Tyagi <ankur.tyagi85@gmail.com>2025-12-16 12:43:29 +0530
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2025-12-17 11:45:21 +0530
commit1c7b69ee0b6beb5f08c445af63ea5a3b4af77268 (patch)
treeda1b18d7df618f3ca5b9ac4dee41afe3effdb41a /meta-oe/recipes-devtools
parentd9148434adfec89f0aa6cf61b150995940cc40f3 (diff)
downloadmeta-openembedded-1c7b69ee0b6beb5f08c445af63ea5a3b4af77268.tar.gz
editorconfig-core-c: patch CVE-2024-53849
Details https://nvd.nist.gov/vuln/detail/CVE-2024-53849 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe/recipes-devtools')
-rw-r--r--meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb5
-rw-r--r--meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch54
-rw-r--r--meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch48
3 files changed, 106 insertions, 1 deletions
diff --git a/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb b/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb
index 976120b515..2d99ca50ca 100644
--- a/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb
+++ b/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb
@@ -4,7 +4,10 @@ SECTION = "libs"
4LICENSE = "BSD-2-Clause" 4LICENSE = "BSD-2-Clause"
5LIC_FILES_CHKSUM = "file://LICENSE;md5=f515fff3ea0a2b9797eda60d83c0e5ca" 5LIC_FILES_CHKSUM = "file://LICENSE;md5=f515fff3ea0a2b9797eda60d83c0e5ca"
6 6
7SRC_URI = "git://github.com/editorconfig/editorconfig-core-c.git;protocol=https;branch=master" 7SRC_URI = "git://github.com/editorconfig/editorconfig-core-c.git;protocol=https;branch=master \
8 file://CVE-2024-53849_1.patch \
9 file://CVE-2024-53849_2.patch \
10"
8 11
9S = "${WORKDIR}/git" 12S = "${WORKDIR}/git"
10SRCREV = "b7837029494c03af5ea70ed9d265e8c2123bff53" 13SRCREV = "b7837029494c03af5ea70ed9d265e8c2123bff53"
diff --git a/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch
new file mode 100644
index 0000000000..b3b6c30e5e
--- /dev/null
+++ b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch
@@ -0,0 +1,54 @@
1From d47a37a6186d98c6db308d467f822c438972bdbc Mon Sep 17 00:00:00 2001
2From: Christopher Wellons <wellons@nullprogram.com>
3Date: Sat, 17 Feb 2024 15:32:25 -0500
4Subject: [PATCH] Fix a few more stack buffer overflows
5
6Several overflows may occur in switch case '[' when the input pattern
7contains many escaped characters. The added backslashes leave too little
8space in the output pattern when processing nested brackets such that
9the remaining input length exceeds the output capacity. Therefore all
10these concatenations must also be checked.
11
12The ADD_CHAR was missed in 41281ea (#87). The switch can exit exactly at
13capacity, leaving no room for the finishing '$', causing an overflow.
14
15These overflows were discovered through fuzz testing with afl.
16
17CVE: CVE-2024-53849
18Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5]
19(cherry picked from commit fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5)
20Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
21---
22 src/lib/ec_glob.c | 10 +++++++---
23 1 file changed, 7 insertions(+), 3 deletions(-)
24
25diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c
26index ea62aee..e62af1f 100644
27--- a/src/lib/ec_glob.c
28+++ b/src/lib/ec_glob.c
29@@ -192,10 +192,14 @@ int ec_glob(const char *pattern, const char *string)
30 if (!right_bracket) /* The right bracket may not exist */
31 right_bracket = c + strlen(c);
32
33- strcat(p_pcre, "\\");
34+ STRING_CAT(p_pcre, "\\", pcre_str_end);
35+ /* Boundary check for strncat below. */
36+ if (pcre_str_end - p_pcre <= right_bracket - c) {
37+ return -1;
38+ }
39 strncat(p_pcre, c, right_bracket - c);
40 if (*right_bracket) /* right_bracket is a bracket */
41- strcat(p_pcre, "\\]");
42+ STRING_CAT(p_pcre, "\\]", pcre_str_end);
43 p_pcre += strlen(p_pcre);
44 c = right_bracket;
45 if (!*c)
46@@ -339,7 +343,7 @@ int ec_glob(const char *pattern, const char *string)
47 }
48 }
49
50- *(p_pcre ++) = '$';
51+ ADD_CHAR(p_pcre, '$', pcre_str_end);
52
53 pcre2_code_free(re); /* ^\\d+\\.\\.\\d+$ */
54
diff --git a/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch
new file mode 100644
index 0000000000..304c8acd9d
--- /dev/null
+++ b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch
@@ -0,0 +1,48 @@
1From 8ac5af4bc4b6344442f11f35fdc48177ce570a13 Mon Sep 17 00:00:00 2001
2From: Christopher Wellons <wellons@nullprogram.com>
3Date: Sat, 17 Feb 2024 16:01:57 -0500
4Subject: [PATCH] Fix pointer overflow in STRING_CAT
5
6The end pointer is positioned one past the end of the destination, and
7it is undefined behavior to compute an address beyond the end pointer,
8including for comparisons, even temporarily. The UB occurs exactly when
9buffer overflow would have occurred, so the buffer overflow check could
10be optimized away by compilers. Even if this wasn't the case, the check
11could produce a false negative if the computed address overflowed the
12address space, which is, after all, why the C standard doesn't define
13behavior in the first place.
14
15The fix is simple: Check using sizes, not addresses. The explicit cast
16suppresses warnings about signed-unsigned comparisons, and the assertion
17checks the cast.
18
19CVE: CVE-2024-53849
20Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782]
21(cherry picked from commit 4d5518a0a4e4910c37281ab13a048d0d86999782)
22Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
23---
24 src/lib/ec_glob.c | 4 +++-
25 1 file changed, 3 insertions(+), 1 deletion(-)
26
27diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c
28index e62af1f..c2b83cf 100644
29--- a/src/lib/ec_glob.c
30+++ b/src/lib/ec_glob.c
31@@ -27,6 +27,7 @@
32
33 #include "global.h"
34
35+#include <assert.h>
36 #include <ctype.h>
37 #include <string.h>
38 #include <pcre2.h>
39@@ -51,7 +52,8 @@ static const UT_icd ut_int_pair_icd = {sizeof(int_pair),NULL,NULL,NULL};
40 /* concatenate the string then move the pointer to the end */
41 #define STRING_CAT(p, string, end) do { \
42 size_t string_len = strlen(string); \
43- if (p + string_len >= end) \
44+ assert(end > p); \
45+ if (string_len >= (size_t)(end - p)) \
46 return -1; \
47 strcat(p, string); \
48 p += string_len; \