gpgme: fix CVE-2014-3564

Backport patch to fix CVE-2014-3564. http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f (From OE-Core rev: 421e21b08a6a32db88aaf46033ca503a99e49b74) (From OE-Core rev: 204f24855a00f595ddfa040ae149b4184721603f) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2015-05-28 09:26:14 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-06-28 09:44:13 +0100
commit: c4987449456a04ee315300f29028cd075913e84c (patch)
tree: 6cdb573b67e13f503526ed85de1dbba1a6c1e077
parent: bf28314e59f6d3087f308885a2a49163cca56c40 (diff)
download: poky-c4987449456a04ee315300f29028cd075913e84c.tar.gz
2 files changed, 59 insertions, 1 deletions
diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
new file mode 100644
index 0000000000..c728f58658
--- /dev/null
+++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Backport
+Backport patch to fix CVE-2014-3564.
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 30 Jul 2014 11:04:55 +0200
+Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
+ engines.
+After a realloc (realloc is also used for initial alloc) the allocated
+size if the buffer is not correctly recorded.  Thus an overflow can be
+introduced by receiving data with different line lengths in a specific
+order.  This is not easy exploitable because libassuan constructs the
+line.  However a crash has been reported and thus it might be possible
+to constructs an exploit.
+CVE-id: CVE-2014-3564
+Reported-by: TomÃ¡Å¡ Trnka
+---
+ src/engine-gpgsm.c    | 2 +-
+ src/engine-uiserver.c | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
+index 8ec1598..3a83757 100644
+--- a/src/engine-gpgsm.c
+++ b/src/engine-gpgsm.c
+@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
+              else
+                {
+                  *aline = newline;
+-                 gpgsm->colon.attic.linesize += linelen + 1;
+                 gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
+                }
+            }
+          if (!err)
+diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
+index 2738c36..a7184b7 100644
+--- a/src/engine-uiserver.c
+++ b/src/engine-uiserver.c
+@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
+              else
+                {
+                  *aline = newline;
+-                 uiserver->colon.attic.linesize += linelen + 1;
+                 uiserver->colon.attic.linesize = *alinelen + linelen + 1;
+                }
+            }
+          if (!err)
+-- 
+2.1.4
diff --git a/meta/recipes-support/gpgme/gpgme_1.4.3.bb b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
index 98fd68b837..61213efcbf 100644
--- a/meta/recipes-support/gpgme/gpgme_1.4.3.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
@@ -10,7 +10,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
                    file://src/engine.h;endline=22;md5=4b6d8ba313d9b564cc4d4cfb1640af9d"
 SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
-           file://gpgme.pc"
+           file://gpgme.pc \
+           file://gpgme-fix-CVE-2014-3564.patch \
+          "
 SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
 SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"
author	Kai Kang <kai.kang@windriver.com>	2015-05-28 09:26:14 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-06-28 09:44:13 +0100
commit	c4987449456a04ee315300f29028cd075913e84c (patch)
tree	6cdb573b67e13f503526ed85de1dbba1a6c1e077
parent	bf28314e59f6d3087f308885a2a49163cca56c40 (diff)
download	poky-c4987449456a04ee315300f29028cd075913e84c.tar.gz

diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch new file mode 100644 index 0000000000..c728f58658 --- /dev/null +++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
		1	Upstream-Status: Backport
		2
		3	Backport patch to fix CVE-2014-3564.
		4
		5	http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
		6
		7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		8	---
		9	From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
		10	From: Werner Koch <wk@gnupg.org>
		11	Date: Wed, 30 Jul 2014 11:04:55 +0200
		12	Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
		13	engines.
		14
		15	After a realloc (realloc is also used for initial alloc) the allocated
		16	size if the buffer is not correctly recorded. Thus an overflow can be
		17	introduced by receiving data with different line lengths in a specific
		18	order. This is not easy exploitable because libassuan constructs the
		19	line. However a crash has been reported and thus it might be possible
		20	to constructs an exploit.
		21
		22	CVE-id: CVE-2014-3564
		23	Reported-by: TomÃ¡Å¡ Trnka
		24	---
		25	src/engine-gpgsm.c \| 2 +-
		26	src/engine-uiserver.c \| 2 +-
		27	3 files changed, 5 insertions(+), 2 deletions(-)
		28
		29	diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
		30	index 8ec1598..3a83757 100644
		31	--- a/src/engine-gpgsm.c
		32	+++ b/src/engine-gpgsm.c
		33	@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
		34	else
		35	{
		36	*aline = newline;
		37	- gpgsm->colon.attic.linesize += linelen + 1;
		38	+ gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
		39	}
		40	}
		41	if (!err)
		42	diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
		43	index 2738c36..a7184b7 100644
		44	--- a/src/engine-uiserver.c
		45	+++ b/src/engine-uiserver.c
		46	@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
		47	else
		48	{
		49	*aline = newline;
		50	- uiserver->colon.attic.linesize += linelen + 1;
		51	+ uiserver->colon.attic.linesize = *alinelen + linelen + 1;
		52	}
		53	}
		54	if (!err)
		55	--
		56	2.1.4


diff --git a/meta/recipes-support/gpgme/gpgme_1.4.3.bb b/meta/recipes-support/gpgme/gpgme_1.4.3.bb index 98fd68b837..61213efcbf 100644 --- a/meta/recipes-support/gpgme/gpgme_1.4.3.bb +++ b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
@@ -10,7 +10,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
10	file://src/engine.h;endline=22;md5=4b6d8ba313d9b564cc4d4cfb1640af9d"	10	file://src/engine.h;endline=22;md5=4b6d8ba313d9b564cc4d4cfb1640af9d"
11		11
12	SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \	12	SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
13	file://gpgme.pc"	13	file://gpgme.pc \
		14	file://gpgme-fix-CVE-2014-3564.patch \
		15	"
14		16
15	SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"	17	SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
16	SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"	18	SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"