diff options
| author | Ankur Tyagi <ankur.tyagi85@gmail.com> | 2025-12-16 12:43:29 +0530 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2025-12-17 11:45:21 +0530 |
| commit | 1c7b69ee0b6beb5f08c445af63ea5a3b4af77268 (patch) | |
| tree | da1b18d7df618f3ca5b9ac4dee41afe3effdb41a /meta-oe/recipes-devtools | |
| parent | d9148434adfec89f0aa6cf61b150995940cc40f3 (diff) | |
| download | meta-openembedded-1c7b69ee0b6beb5f08c445af63ea5a3b4af77268.tar.gz | |
editorconfig-core-c: patch CVE-2024-53849
Details https://nvd.nist.gov/vuln/detail/CVE-2024-53849
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe/recipes-devtools')
3 files changed, 106 insertions, 1 deletions
diff --git a/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb b/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb index 976120b515..2d99ca50ca 100644 --- a/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb +++ b/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb | |||
| @@ -4,7 +4,10 @@ SECTION = "libs" | |||
| 4 | LICENSE = "BSD-2-Clause" | 4 | LICENSE = "BSD-2-Clause" |
| 5 | LIC_FILES_CHKSUM = "file://LICENSE;md5=f515fff3ea0a2b9797eda60d83c0e5ca" | 5 | LIC_FILES_CHKSUM = "file://LICENSE;md5=f515fff3ea0a2b9797eda60d83c0e5ca" |
| 6 | 6 | ||
| 7 | SRC_URI = "git://github.com/editorconfig/editorconfig-core-c.git;protocol=https;branch=master" | 7 | SRC_URI = "git://github.com/editorconfig/editorconfig-core-c.git;protocol=https;branch=master \ |
| 8 | file://CVE-2024-53849_1.patch \ | ||
| 9 | file://CVE-2024-53849_2.patch \ | ||
| 10 | " | ||
| 8 | 11 | ||
| 9 | S = "${WORKDIR}/git" | 12 | S = "${WORKDIR}/git" |
| 10 | SRCREV = "b7837029494c03af5ea70ed9d265e8c2123bff53" | 13 | SRCREV = "b7837029494c03af5ea70ed9d265e8c2123bff53" |
diff --git a/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch new file mode 100644 index 0000000000..b3b6c30e5e --- /dev/null +++ b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch | |||
| @@ -0,0 +1,54 @@ | |||
| 1 | From d47a37a6186d98c6db308d467f822c438972bdbc Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Christopher Wellons <wellons@nullprogram.com> | ||
| 3 | Date: Sat, 17 Feb 2024 15:32:25 -0500 | ||
| 4 | Subject: [PATCH] Fix a few more stack buffer overflows | ||
| 5 | |||
| 6 | Several overflows may occur in switch case '[' when the input pattern | ||
| 7 | contains many escaped characters. The added backslashes leave too little | ||
| 8 | space in the output pattern when processing nested brackets such that | ||
| 9 | the remaining input length exceeds the output capacity. Therefore all | ||
| 10 | these concatenations must also be checked. | ||
| 11 | |||
| 12 | The ADD_CHAR was missed in 41281ea (#87). The switch can exit exactly at | ||
| 13 | capacity, leaving no room for the finishing '$', causing an overflow. | ||
| 14 | |||
| 15 | These overflows were discovered through fuzz testing with afl. | ||
| 16 | |||
| 17 | CVE: CVE-2024-53849 | ||
| 18 | Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5] | ||
| 19 | (cherry picked from commit fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5) | ||
| 20 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 21 | --- | ||
| 22 | src/lib/ec_glob.c | 10 +++++++--- | ||
| 23 | 1 file changed, 7 insertions(+), 3 deletions(-) | ||
| 24 | |||
| 25 | diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c | ||
| 26 | index ea62aee..e62af1f 100644 | ||
| 27 | --- a/src/lib/ec_glob.c | ||
| 28 | +++ b/src/lib/ec_glob.c | ||
| 29 | @@ -192,10 +192,14 @@ int ec_glob(const char *pattern, const char *string) | ||
| 30 | if (!right_bracket) /* The right bracket may not exist */ | ||
| 31 | right_bracket = c + strlen(c); | ||
| 32 | |||
| 33 | - strcat(p_pcre, "\\"); | ||
| 34 | + STRING_CAT(p_pcre, "\\", pcre_str_end); | ||
| 35 | + /* Boundary check for strncat below. */ | ||
| 36 | + if (pcre_str_end - p_pcre <= right_bracket - c) { | ||
| 37 | + return -1; | ||
| 38 | + } | ||
| 39 | strncat(p_pcre, c, right_bracket - c); | ||
| 40 | if (*right_bracket) /* right_bracket is a bracket */ | ||
| 41 | - strcat(p_pcre, "\\]"); | ||
| 42 | + STRING_CAT(p_pcre, "\\]", pcre_str_end); | ||
| 43 | p_pcre += strlen(p_pcre); | ||
| 44 | c = right_bracket; | ||
| 45 | if (!*c) | ||
| 46 | @@ -339,7 +343,7 @@ int ec_glob(const char *pattern, const char *string) | ||
| 47 | } | ||
| 48 | } | ||
| 49 | |||
| 50 | - *(p_pcre ++) = '$'; | ||
| 51 | + ADD_CHAR(p_pcre, '$', pcre_str_end); | ||
| 52 | |||
| 53 | pcre2_code_free(re); /* ^\\d+\\.\\.\\d+$ */ | ||
| 54 | |||
diff --git a/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch new file mode 100644 index 0000000000..304c8acd9d --- /dev/null +++ b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch | |||
| @@ -0,0 +1,48 @@ | |||
| 1 | From 8ac5af4bc4b6344442f11f35fdc48177ce570a13 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Christopher Wellons <wellons@nullprogram.com> | ||
| 3 | Date: Sat, 17 Feb 2024 16:01:57 -0500 | ||
| 4 | Subject: [PATCH] Fix pointer overflow in STRING_CAT | ||
| 5 | |||
| 6 | The end pointer is positioned one past the end of the destination, and | ||
| 7 | it is undefined behavior to compute an address beyond the end pointer, | ||
| 8 | including for comparisons, even temporarily. The UB occurs exactly when | ||
| 9 | buffer overflow would have occurred, so the buffer overflow check could | ||
| 10 | be optimized away by compilers. Even if this wasn't the case, the check | ||
| 11 | could produce a false negative if the computed address overflowed the | ||
| 12 | address space, which is, after all, why the C standard doesn't define | ||
| 13 | behavior in the first place. | ||
| 14 | |||
| 15 | The fix is simple: Check using sizes, not addresses. The explicit cast | ||
| 16 | suppresses warnings about signed-unsigned comparisons, and the assertion | ||
| 17 | checks the cast. | ||
| 18 | |||
| 19 | CVE: CVE-2024-53849 | ||
| 20 | Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782] | ||
| 21 | (cherry picked from commit 4d5518a0a4e4910c37281ab13a048d0d86999782) | ||
| 22 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 23 | --- | ||
| 24 | src/lib/ec_glob.c | 4 +++- | ||
| 25 | 1 file changed, 3 insertions(+), 1 deletion(-) | ||
| 26 | |||
| 27 | diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c | ||
| 28 | index e62af1f..c2b83cf 100644 | ||
| 29 | --- a/src/lib/ec_glob.c | ||
| 30 | +++ b/src/lib/ec_glob.c | ||
| 31 | @@ -27,6 +27,7 @@ | ||
| 32 | |||
| 33 | #include "global.h" | ||
| 34 | |||
| 35 | +#include <assert.h> | ||
| 36 | #include <ctype.h> | ||
| 37 | #include <string.h> | ||
| 38 | #include <pcre2.h> | ||
| 39 | @@ -51,7 +52,8 @@ static const UT_icd ut_int_pair_icd = {sizeof(int_pair),NULL,NULL,NULL}; | ||
| 40 | /* concatenate the string then move the pointer to the end */ | ||
| 41 | #define STRING_CAT(p, string, end) do { \ | ||
| 42 | size_t string_len = strlen(string); \ | ||
| 43 | - if (p + string_len >= end) \ | ||
| 44 | + assert(end > p); \ | ||
| 45 | + if (string_len >= (size_t)(end - p)) \ | ||
| 46 | return -1; \ | ||
| 47 | strcat(p, string); \ | ||
| 48 | p += string_len; \ | ||
