diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-10-13 21:09:20 +0200 |
|---|---|---|
| committer | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-10-17 10:51:27 +0200 |
| commit | f4adc003e46f9b2ad9f8fd1e33f3a533e16355f4 (patch) | |
| tree | 918722db61b30a5b256cf62decb405f51673245b /meta-oe | |
| parent | ed6bb390fe80f640c87790a82722950caecfb6c8 (diff) | |
| download | meta-openembedded-f4adc003e46f9b2ad9f8fd1e33f3a533e16355f4.tar.gz | |
zchunk: patch CVE-2023-46228
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46228
Pick the patch that's mentioned in the nvd report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-support/zchunk/zchunk/0001-Handle-overflow-errors-in-malformed-zchunk-files.patch | 105 | ||||
| -rw-r--r-- | meta-oe/recipes-support/zchunk/zchunk_1.2.0.bb | 4 |
2 files changed, 108 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/zchunk/zchunk/0001-Handle-overflow-errors-in-malformed-zchunk-files.patch b/meta-oe/recipes-support/zchunk/zchunk/0001-Handle-overflow-errors-in-malformed-zchunk-files.patch new file mode 100644 index 0000000000..6a356c8855 --- /dev/null +++ b/meta-oe/recipes-support/zchunk/zchunk/0001-Handle-overflow-errors-in-malformed-zchunk-files.patch | |||
| @@ -0,0 +1,105 @@ | |||
| 1 | From de832945bb88372d6007770328e9d2534aa9bbc1 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jonathan Dieter <jdieter@gmail.com> | ||
| 3 | Date: Thu, 5 Oct 2023 19:52:18 +0100 | ||
| 4 | Subject: [PATCH] Handle overflow errors in malformed zchunk files | ||
| 5 | |||
| 6 | Thanks to Agostino Sarubbo of Gentoo for the heads up! | ||
| 7 | |||
| 8 | CVE: CVE-2023-46228 | ||
| 9 | Upstream-Status: Backport [https://github.com/zchunk/zchunk/commit/08aec2b4dfd7f709b6e3d511411ffcc83ed4efbe] | ||
| 10 | |||
| 11 | Signed-off-by: Jonathan Dieter <jdieter@gmail.com> | ||
| 12 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 13 | --- | ||
| 14 | src/lib/comp/comp.c | 6 ++++++ | ||
| 15 | src/lib/comp/zstd/zstd.c | 6 ++++++ | ||
| 16 | src/lib/dl/multipart.c | 6 ++++++ | ||
| 17 | src/lib/header.c | 13 ++++++++++++- | ||
| 18 | 4 files changed, 30 insertions(+), 1 deletion(-) | ||
| 19 | |||
| 20 | diff --git a/src/lib/comp/comp.c b/src/lib/comp/comp.c | ||
| 21 | index 4786e41..38dea9d 100644 | ||
| 22 | --- a/src/lib/comp/comp.c | ||
| 23 | +++ b/src/lib/comp/comp.c | ||
| 24 | @@ -115,6 +115,12 @@ static bool comp_add_to_data(zckCtx *zck, zckComp *comp, const char *src, | ||
| 25 | ALLOCD_BOOL(zck, comp); | ||
| 26 | ALLOCD_BOOL(zck, src); | ||
| 27 | |||
| 28 | + if((comp->data_size > comp->data_size + src_size) || | ||
| 29 | + (src_size > comp->data_size + src_size)) { | ||
| 30 | + zck_log(ZCK_LOG_ERROR, "Integer overflow when reading data"); | ||
| 31 | + return false; | ||
| 32 | + } | ||
| 33 | + | ||
| 34 | comp->data = zrealloc(comp->data, comp->data_size + src_size); | ||
| 35 | if (!comp->data) { | ||
| 36 | zck_log(ZCK_LOG_ERROR, "OOM in %s", __func__); | ||
| 37 | diff --git a/src/lib/comp/zstd/zstd.c b/src/lib/comp/zstd/zstd.c | ||
| 38 | index a12ddfe..5b68b6a 100644 | ||
| 39 | --- a/src/lib/comp/zstd/zstd.c | ||
| 40 | +++ b/src/lib/comp/zstd/zstd.c | ||
| 41 | @@ -117,6 +117,12 @@ static ssize_t compress(zckCtx *zck, zckComp *comp, const char *src, | ||
| 42 | ALLOCD_INT(zck, dst_size); | ||
| 43 | ALLOCD_INT(zck, comp); | ||
| 44 | |||
| 45 | + if((comp->dc_data_size > comp->dc_data_size + src_size) || | ||
| 46 | + (src_size > comp->dc_data_size + src_size)) { | ||
| 47 | + zck_log(ZCK_LOG_ERROR, "Integer overflow when reading decompressed data"); | ||
| 48 | + return false; | ||
| 49 | + } | ||
| 50 | + | ||
| 51 | comp->dc_data = zrealloc(comp->dc_data, comp->dc_data_size + src_size); | ||
| 52 | if (!comp->dc_data) { | ||
| 53 | zck_log(ZCK_LOG_ERROR, "OOM in %s", __func__); | ||
| 54 | diff --git a/src/lib/dl/multipart.c b/src/lib/dl/multipart.c | ||
| 55 | index d0cbd5a..f4855de 100644 | ||
| 56 | --- a/src/lib/dl/multipart.c | ||
| 57 | +++ b/src/lib/dl/multipart.c | ||
| 58 | @@ -119,6 +119,12 @@ size_t multipart_extract(zckDL *dl, char *b, size_t l) { | ||
| 59 | |||
| 60 | /* Add new data to stored buffer */ | ||
| 61 | if(mp->buffer) { | ||
| 62 | + if((mp->buffer_len > mp->buffer_len + l) || | ||
| 63 | + (l > mp->buffer_len + l)) { | ||
| 64 | + zck_log(ZCK_LOG_ERROR, "Integer overflow when extracting multipart data"); | ||
| 65 | + return 0; | ||
| 66 | + } | ||
| 67 | + | ||
| 68 | buf = zrealloc(mp->buffer, mp->buffer_len + l); | ||
| 69 | if (!buf) { | ||
| 70 | zck_log(ZCK_LOG_ERROR, "OOM in %s", __func__); | ||
| 71 | diff --git a/src/lib/header.c b/src/lib/header.c | ||
| 72 | index 16ea3e8..f46ed10 100644 | ||
| 73 | --- a/src/lib/header.c | ||
| 74 | +++ b/src/lib/header.c | ||
| 75 | @@ -74,11 +74,16 @@ static bool read_optional_element(zckCtx *zck, size_t id, size_t data_size, | ||
| 76 | } | ||
| 77 | |||
| 78 | static bool read_header_from_file(zckCtx *zck) { | ||
| 79 | - /* Verify that lead_size and header_length have been set */ | ||
| 80 | + /* Verify that lead_size and header_length have been set and are legit */ | ||
| 81 | if(zck->lead_size == 0 || zck->header_length == 0) { | ||
| 82 | set_error(zck, "Lead and header sizes are both 0. Have you run zck_read_lead() yet?"); | ||
| 83 | return false; | ||
| 84 | } | ||
| 85 | + if((zck->lead_size > zck->lead_size + zck->header_length) || | ||
| 86 | + (zck->header_length > zck->lead_size + zck->header_length)) { | ||
| 87 | + zck_log(ZCK_LOG_ERROR, "Integer overflow when reading header"); | ||
| 88 | + return false; | ||
| 89 | + } | ||
| 90 | |||
| 91 | /* Allocate header and store any extra bytes at beginning of header */ | ||
| 92 | zck->header = zrealloc(zck->header, zck->lead_size + zck->header_length); | ||
| 93 | @@ -525,6 +530,12 @@ static bool read_lead(zckCtx *zck) { | ||
| 94 | /* Set header digest location */ | ||
| 95 | zck->hdr_digest_loc = length; | ||
| 96 | |||
| 97 | + /* Verify that we're not going to overflow */ | ||
| 98 | + if(length > length + zck->hash_type.digest_size) { | ||
| 99 | + zck_log(ZCK_LOG_ERROR, "Integer overflow when reading lead"); | ||
| 100 | + return false; | ||
| 101 | + } | ||
| 102 | + | ||
| 103 | /* Read header digest */ | ||
| 104 | zck_log(ZCK_LOG_DEBUG, "Reading header digest"); | ||
| 105 | header = zrealloc(header, length + zck->hash_type.digest_size); | ||
diff --git a/meta-oe/recipes-support/zchunk/zchunk_1.2.0.bb b/meta-oe/recipes-support/zchunk/zchunk_1.2.0.bb index 0baea5032a..5eb2741b1f 100644 --- a/meta-oe/recipes-support/zchunk/zchunk_1.2.0.bb +++ b/meta-oe/recipes-support/zchunk/zchunk_1.2.0.bb | |||
| @@ -4,7 +4,9 @@ AUTHOR = "Jonathan Dieter" | |||
| 4 | LICENSE = "BSD-2-Clause" | 4 | LICENSE = "BSD-2-Clause" |
| 5 | LIC_FILES_CHKSUM = "file://LICENSE;md5=daf6e68539f564601a5a5869c31e5242" | 5 | LIC_FILES_CHKSUM = "file://LICENSE;md5=daf6e68539f564601a5a5869c31e5242" |
| 6 | 6 | ||
| 7 | SRC_URI = "git://github.com/zchunk/zchunk.git;protocol=https;branch=main" | 7 | SRC_URI = "git://github.com/zchunk/zchunk.git;protocol=https;branch=main \ |
| 8 | file://0001-Handle-overflow-errors-in-malformed-zchunk-files.patch \ | ||
| 9 | " | ||
| 8 | 10 | ||
| 9 | SRCREV = "dd6a30a1e4e8b738b0cafc682f3c00e7706134e5" | 11 | SRCREV = "dd6a30a1e4e8b738b0cafc682f3c00e7706134e5" |
| 10 | S = "${WORKDIR}/git" | 12 | S = "${WORKDIR}/git" |
