zstd: patch CVE-2022-4899

Pick commits from [1] linked from [2] via [3]. [1] https://github.com/facebook/zstd/pull/3220 [2] https://nvd.nist.gov/vuln/detail/CVE-2022-4899 [3] https://github.com/facebook/zstd/issues/3200 (From OE-Core rev: eb9c9818088105f9bf20b7fdc04a380ce488a5e6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2024-11-03 13:54:05 +0100
committer: Steve Sakoman <steve@sakoman.com> 2024-11-11 06:19:18 -0800
commit: 249617857b17761b11a58b27caa336e0a0481e55 (patch)
tree: 8e14d280c5a63ad7434a0c8811d81bc4b75ecef4
parent: e4097c55d235a86c571239aa0ebc30d1a86f7f22 (diff)
download: poky-249617857b17761b11a58b27caa336e0a0481e55.tar.gz
3 files changed, 153 insertions, 1 deletions
diff --git a/meta/recipes-extended/zstd/zstd/CVE-2022-4899-1.patch b/meta/recipes-extended/zstd/zstd/CVE-2022-4899-1.patch
new file mode 100644
index 0000000000..c21aae7cb1
--- /dev/null
+++ b/meta/recipes-extended/zstd/zstd/CVE-2022-4899-1.patch
@@ -0,0 +1,66 @@
+From e1873ad576cb478fff0e6e44ad99599cd5fd2846 Mon Sep 17 00:00:00 2001
+From: Elliot Gorokhovsky <embg@fb.com>
+Date: Fri, 29 Jul 2022 11:10:47 -0700
+Subject: [PATCH 1/2] Fix buffer underflow for null dir1
+CVE: CVE-2022-4899
+Upstream-Status: Backport [https://github.com/facebook/zstd/pull/3220/commits/e1873ad576cb478fff0e6e44ad99599cd5fd2846]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ programs/util.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+diff --git a/programs/util.c b/programs/util.c
+index f53eb03fbe..b874344c4d 100644
+--- a/programs/util.c
+++ b/programs/util.c
+@@ -870,30 +870,30 @@ static const char * trimPath(const char *pathname)
+ 
+ static char* mallocAndJoin2Dir(const char *dir1, const char *dir2)
+ {
+-    const size_t dir1Size = strlen(dir1);
+-    const size_t dir2Size = strlen(dir2);
+-    char *outDirBuffer, *buffer, trailingChar;
+-
+     assert(dir1 != NULL && dir2 != NULL);
+-    outDirBuffer = (char *) malloc(dir1Size + dir2Size + 2);
+-    CONTROL(outDirBuffer != NULL);
+    {   const size_t dir1Size = strlen(dir1);
+        const size_t dir2Size = strlen(dir2);
+        char *outDirBuffer, *buffer;
+ 
+-    memcpy(outDirBuffer, dir1, dir1Size);
+-    outDirBuffer[dir1Size] = '\0';
+        outDirBuffer = (char *) malloc(dir1Size + dir2Size + 2);
+        CONTROL(outDirBuffer != NULL);
+ 
+-    if (dir2[0] == '.')
+-        return outDirBuffer;
+        memcpy(outDirBuffer, dir1, dir1Size);
+        outDirBuffer[dir1Size] = '\0';
+ 
+-    buffer = outDirBuffer + dir1Size;
+-    trailingChar = *(buffer - 1);
+-    if (trailingChar != PATH_SEP) {
+-        *buffer = PATH_SEP;
+-        buffer++;
+-    }
+-    memcpy(buffer, dir2, dir2Size);
+-    buffer[dir2Size] = '\0';
+        if (dir2[0] == '.')
+            return outDirBuffer;
+ 
+-    return outDirBuffer;
+        buffer = outDirBuffer + dir1Size;
+        if (dir1Size > 0 && *(buffer - 1) != PATH_SEP) {
+            *buffer = PATH_SEP;
+            buffer++;
+        }
+        memcpy(buffer, dir2, dir2Size);
+        buffer[dir2Size] = '\0';
+
+        return outDirBuffer;
+    }
+ }
+ 
+ /* this function will return NULL if input srcFileName is not valid name for mirrored output path */
diff --git a/meta/recipes-extended/zstd/zstd/CVE-2022-4899-2.patch b/meta/recipes-extended/zstd/zstd/CVE-2022-4899-2.patch
new file mode 100644
index 0000000000..15dcda5ddc
--- /dev/null
+++ b/meta/recipes-extended/zstd/zstd/CVE-2022-4899-2.patch
@@ -0,0 +1,83 @@
+From f9f27de91c89d826c6a39c3ef44fb1b02f9a43aa Mon Sep 17 00:00:00 2001
+From: Elliot Gorokhovsky <embg@fb.com>
+Date: Fri, 29 Jul 2022 14:44:22 -0700
+Subject: [PATCH 2/2] Disallow empty output directory
+CVE: CVE-2022-4899
+Upstream-Status: Backport [https://github.com/facebook/zstd/pull/3220/commits/f9f27de91c89d826c6a39c3ef44fb1b02f9a43aa]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ programs/zstdcli.c                             | 18 ++++++++++++++++--
+ tests/cli-tests/basic/output_dir.sh            |  7 +++++++
+ .../cli-tests/basic/output_dir.sh.stderr.exact |  2 ++
+ .../cli-tests/basic/output_dir.sh.stdout.exact |  2 ++
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+ create mode 100755 tests/cli-tests/basic/output_dir.sh
+ create mode 100644 tests/cli-tests/basic/output_dir.sh.stderr.exact
+ create mode 100644 tests/cli-tests/basic/output_dir.sh.stdout.exact
+diff --git a/programs/zstdcli.c b/programs/zstdcli.c
+index fbacb908a9..1143ac3fe8 100644
+--- a/programs/zstdcli.c
+++ b/programs/zstdcli.c
+@@ -990,7 +990,14 @@ int main(int argCount, const char* argv[])
+                 if (longCommandWArg(&argument, "--stream-size=")) { streamSrcSize = readSizeTFromChar(&argument); continue; }
+                 if (longCommandWArg(&argument, "--target-compressed-block-size=")) { targetCBlockSize = readSizeTFromChar(&argument); continue; }
+                 if (longCommandWArg(&argument, "--size-hint=")) { srcSizeHint = readSizeTFromChar(&argument); continue; }
+-                if (longCommandWArg(&argument, "--output-dir-flat")) { NEXT_FIELD(outDirName); continue; }
+                if (longCommandWArg(&argument, "--output-dir-flat")) {
+                    NEXT_FIELD(outDirName);
+                    if (strlen(outDirName) == 0) {
+                        DISPLAY("error: output dir cannot be empty string (did you mean to pass '.' instead?)\n");
+                        CLEAN_RETURN(1);
+                    }
+                    continue;
+                }
+ #ifdef ZSTD_MULTITHREAD
+                 if (longCommandWArg(&argument, "--auto-threads")) {
+                     const char* threadDefault = NULL;
+@@ -1001,7 +1008,14 @@ int main(int argCount, const char* argv[])
+                 }
+ #endif
+ #ifdef UTIL_HAS_MIRRORFILELIST
+-                if (longCommandWArg(&argument, "--output-dir-mirror")) { NEXT_FIELD(outMirroredDirName); continue; }
+                if (longCommandWArg(&argument, "--output-dir-mirror")) {
+                    NEXT_FIELD(outMirroredDirName);
+                    if (strlen(outMirroredDirName) == 0) {
+                        DISPLAY("error: output dir cannot be empty string (did you mean to pass '.' instead?)\n");
+                        CLEAN_RETURN(1);
+                    }
+                    continue;
+                }
+ #endif
+ #ifndef ZSTD_NOTRACE
+                 if (longCommandWArg(&argument, "--trace")) { char const* traceFile; NEXT_FIELD(traceFile); TRACE_enable(traceFile); continue; }
+diff --git a/tests/cli-tests/basic/output_dir.sh b/tests/cli-tests/basic/output_dir.sh
+new file mode 100755
+index 0000000000..a8819d2926
+--- /dev/null
+++ b/tests/cli-tests/basic/output_dir.sh
+@@ -0,0 +1,7 @@
+#!/bin/sh
+
+println "+ zstd -r * --output-dir-mirror=\"\""
+zstd -r * --output-dir-mirror="" && die "Should not allow empty output dir!"
+println "+ zstd -r * --output-dir-flat=\"\""
+zstd -r * --output-dir-flat="" && die "Should not allow empty output dir!"
+exit 0
+diff --git a/tests/cli-tests/basic/output_dir.sh.stderr.exact b/tests/cli-tests/basic/output_dir.sh.stderr.exact
+new file mode 100644
+index 0000000000..e12b50427c
+--- /dev/null
+++ b/tests/cli-tests/basic/output_dir.sh.stderr.exact
+@@ -0,0 +1,2 @@
+error: output dir cannot be empty string (did you mean to pass '.' instead?)
+error: output dir cannot be empty string (did you mean to pass '.' instead?)
+diff --git a/tests/cli-tests/basic/output_dir.sh.stdout.exact b/tests/cli-tests/basic/output_dir.sh.stdout.exact
+new file mode 100644
+index 0000000000..1e478cd753
+--- /dev/null
+++ b/tests/cli-tests/basic/output_dir.sh.stdout.exact
+@@ -0,0 +1,2 @@
++ zstd -r * --output-dir-mirror=""
++ zstd -r * --output-dir-flat=""
diff --git a/meta/recipes-extended/zstd/zstd_1.5.2.bb b/meta/recipes-extended/zstd/zstd_1.5.2.bb
index 591e823049..63bf0d3fb9 100644
--- a/meta/recipes-extended/zstd/zstd_1.5.2.bb
+++ b/meta/recipes-extended/zstd/zstd_1.5.2.bb
@@ -9,7 +9,10 @@ LICENSE = "BSD-3-Clause | GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \
                    file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0"
-SRC_URI = "git://github.com/facebook/zstd.git;branch=release;protocol=https"
+SRC_URI = "git://github.com/facebook/zstd.git;branch=release;protocol=https \
+    file://CVE-2022-4899-1.patch \
+    file://CVE-2022-4899-2.patch \
+"
 SRCREV = "e47e674cd09583ff0503f0f6defd6d23d8b718d3"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
author	Peter Marko <peter.marko@siemens.com>	2024-11-03 13:54:05 +0100
committer	Steve Sakoman <steve@sakoman.com>	2024-11-11 06:19:18 -0800
commit	249617857b17761b11a58b27caa336e0a0481e55 (patch)
tree	8e14d280c5a63ad7434a0c8811d81bc4b75ecef4
parent	e4097c55d235a86c571239aa0ebc30d1a86f7f22 (diff)
download	poky-249617857b17761b11a58b27caa336e0a0481e55.tar.gz

diff --git a/meta/recipes-extended/zstd/zstd/CVE-2022-4899-1.patch b/meta/recipes-extended/zstd/zstd/CVE-2022-4899-1.patch new file mode 100644 index 0000000000..c21aae7cb1 --- /dev/null +++ b/meta/recipes-extended/zstd/zstd/CVE-2022-4899-1.patch
@@ -0,0 +1,66 @@
		1	From e1873ad576cb478fff0e6e44ad99599cd5fd2846 Mon Sep 17 00:00:00 2001
		2	From: Elliot Gorokhovsky <embg@fb.com>
		3	Date: Fri, 29 Jul 2022 11:10:47 -0700
		4	Subject: [PATCH 1/2] Fix buffer underflow for null dir1
		5
		6	CVE: CVE-2022-4899
		7	Upstream-Status: Backport [https://github.com/facebook/zstd/pull/3220/commits/e1873ad576cb478fff0e6e44ad99599cd5fd2846]
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9	---
		10	programs/util.c \| 38 +++++++++++++++++++-------------------
		11	1 file changed, 19 insertions(+), 19 deletions(-)
		12
		13	diff --git a/programs/util.c b/programs/util.c
		14	index f53eb03fbe..b874344c4d 100644
		15	--- a/programs/util.c
		16	+++ b/programs/util.c
		17	@@ -870,30 +870,30 @@ static const char * trimPath(const char *pathname)
		18
		19	static char* mallocAndJoin2Dir(const char dir1, const char dir2)
		20	{
		21	- const size_t dir1Size = strlen(dir1);
		22	- const size_t dir2Size = strlen(dir2);
		23	- char outDirBuffer, buffer, trailingChar;
		24	-
		25	assert(dir1 != NULL && dir2 != NULL);
		26	- outDirBuffer = (char *) malloc(dir1Size + dir2Size + 2);
		27	- CONTROL(outDirBuffer != NULL);
		28	+ { const size_t dir1Size = strlen(dir1);
		29	+ const size_t dir2Size = strlen(dir2);
		30	+ char outDirBuffer, buffer;
		31
		32	- memcpy(outDirBuffer, dir1, dir1Size);
		33	- outDirBuffer[dir1Size] = '\0';
		34	+ outDirBuffer = (char *) malloc(dir1Size + dir2Size + 2);
		35	+ CONTROL(outDirBuffer != NULL);
		36
		37	- if (dir2[0] == '.')
		38	- return outDirBuffer;
		39	+ memcpy(outDirBuffer, dir1, dir1Size);
		40	+ outDirBuffer[dir1Size] = '\0';
		41
		42	- buffer = outDirBuffer + dir1Size;
		43	- trailingChar = *(buffer - 1);
		44	- if (trailingChar != PATH_SEP) {
		45	- *buffer = PATH_SEP;
		46	- buffer++;
		47	- }
		48	- memcpy(buffer, dir2, dir2Size);
		49	- buffer[dir2Size] = '\0';
		50	+ if (dir2[0] == '.')
		51	+ return outDirBuffer;
		52
		53	- return outDirBuffer;
		54	+ buffer = outDirBuffer + dir1Size;
		55	+ if (dir1Size > 0 && *(buffer - 1) != PATH_SEP) {
		56	+ *buffer = PATH_SEP;
		57	+ buffer++;
		58	+ }
		59	+ memcpy(buffer, dir2, dir2Size);
		60	+ buffer[dir2Size] = '\0';
		61	+
		62	+ return outDirBuffer;
		63	+ }
		64	}
		65
		66	/* this function will return NULL if input srcFileName is not valid name for mirrored output path */


diff --git a/meta/recipes-extended/zstd/zstd/CVE-2022-4899-2.patch b/meta/recipes-extended/zstd/zstd/CVE-2022-4899-2.patch new file mode 100644 index 0000000000..15dcda5ddc --- /dev/null +++ b/meta/recipes-extended/zstd/zstd/CVE-2022-4899-2.patch
@@ -0,0 +1,83 @@
		1	From f9f27de91c89d826c6a39c3ef44fb1b02f9a43aa Mon Sep 17 00:00:00 2001
		2	From: Elliot Gorokhovsky <embg@fb.com>
		3	Date: Fri, 29 Jul 2022 14:44:22 -0700
		4	Subject: [PATCH 2/2] Disallow empty output directory
		5
		6	CVE: CVE-2022-4899
		7	Upstream-Status: Backport [https://github.com/facebook/zstd/pull/3220/commits/f9f27de91c89d826c6a39c3ef44fb1b02f9a43aa]
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9	---
		10	programs/zstdcli.c \| 18 ++++++++++++++++--
		11	tests/cli-tests/basic/output_dir.sh \| 7 +++++++
		12	.../cli-tests/basic/output_dir.sh.stderr.exact \| 2 ++
		13	.../cli-tests/basic/output_dir.sh.stdout.exact \| 2 ++
		14	4 files changed, 27 insertions(+), 2 deletions(-)
		15	create mode 100755 tests/cli-tests/basic/output_dir.sh
		16	create mode 100644 tests/cli-tests/basic/output_dir.sh.stderr.exact
		17	create mode 100644 tests/cli-tests/basic/output_dir.sh.stdout.exact
		18
		19	diff --git a/programs/zstdcli.c b/programs/zstdcli.c
		20	index fbacb908a9..1143ac3fe8 100644
		21	--- a/programs/zstdcli.c
		22	+++ b/programs/zstdcli.c
		23	@@ -990,7 +990,14 @@ int main(int argCount, const char* argv[])
		24	if (longCommandWArg(&argument, "--stream-size=")) { streamSrcSize = readSizeTFromChar(&argument); continue; }
		25	if (longCommandWArg(&argument, "--target-compressed-block-size=")) { targetCBlockSize = readSizeTFromChar(&argument); continue; }
		26	if (longCommandWArg(&argument, "--size-hint=")) { srcSizeHint = readSizeTFromChar(&argument); continue; }
		27	- if (longCommandWArg(&argument, "--output-dir-flat")) { NEXT_FIELD(outDirName); continue; }
		28	+ if (longCommandWArg(&argument, "--output-dir-flat")) {
		29	+ NEXT_FIELD(outDirName);
		30	+ if (strlen(outDirName) == 0) {
		31	+ DISPLAY("error: output dir cannot be empty string (did you mean to pass '.' instead?)\n");
		32	+ CLEAN_RETURN(1);
		33	+ }
		34	+ continue;
		35	+ }
		36	#ifdef ZSTD_MULTITHREAD
		37	if (longCommandWArg(&argument, "--auto-threads")) {
		38	const char* threadDefault = NULL;
		39	@@ -1001,7 +1008,14 @@ int main(int argCount, const char* argv[])
		40	}
		41	#endif
		42	#ifdef UTIL_HAS_MIRRORFILELIST
		43	- if (longCommandWArg(&argument, "--output-dir-mirror")) { NEXT_FIELD(outMirroredDirName); continue; }
		44	+ if (longCommandWArg(&argument, "--output-dir-mirror")) {
		45	+ NEXT_FIELD(outMirroredDirName);
		46	+ if (strlen(outMirroredDirName) == 0) {
		47	+ DISPLAY("error: output dir cannot be empty string (did you mean to pass '.' instead?)\n");
		48	+ CLEAN_RETURN(1);
		49	+ }
		50	+ continue;
		51	+ }
		52	#endif
		53	#ifndef ZSTD_NOTRACE
		54	if (longCommandWArg(&argument, "--trace")) { char const* traceFile; NEXT_FIELD(traceFile); TRACE_enable(traceFile); continue; }
		55	diff --git a/tests/cli-tests/basic/output_dir.sh b/tests/cli-tests/basic/output_dir.sh
		56	new file mode 100755
		57	index 0000000000..a8819d2926
		58	--- /dev/null
		59	+++ b/tests/cli-tests/basic/output_dir.sh
		60	@@ -0,0 +1,7 @@
		61	+#!/bin/sh
		62	+
		63	+println "+ zstd -r * --output-dir-mirror=\"\""
		64	+zstd -r * --output-dir-mirror="" && die "Should not allow empty output dir!"
		65	+println "+ zstd -r * --output-dir-flat=\"\""
		66	+zstd -r * --output-dir-flat="" && die "Should not allow empty output dir!"
		67	+exit 0
		68	diff --git a/tests/cli-tests/basic/output_dir.sh.stderr.exact b/tests/cli-tests/basic/output_dir.sh.stderr.exact
		69	new file mode 100644
		70	index 0000000000..e12b50427c
		71	--- /dev/null
		72	+++ b/tests/cli-tests/basic/output_dir.sh.stderr.exact
		73	@@ -0,0 +1,2 @@
		74	+error: output dir cannot be empty string (did you mean to pass '.' instead?)
		75	+error: output dir cannot be empty string (did you mean to pass '.' instead?)
		76	diff --git a/tests/cli-tests/basic/output_dir.sh.stdout.exact b/tests/cli-tests/basic/output_dir.sh.stdout.exact
		77	new file mode 100644
		78	index 0000000000..1e478cd753
		79	--- /dev/null
		80	+++ b/tests/cli-tests/basic/output_dir.sh.stdout.exact
		81	@@ -0,0 +1,2 @@
		82	++ zstd -r * --output-dir-mirror=""
		83	++ zstd -r * --output-dir-flat=""


diff --git a/meta/recipes-extended/zstd/zstd_1.5.2.bb b/meta/recipes-extended/zstd/zstd_1.5.2.bb index 591e823049..63bf0d3fb9 100644 --- a/meta/recipes-extended/zstd/zstd_1.5.2.bb +++ b/meta/recipes-extended/zstd/zstd_1.5.2.bb
@@ -9,7 +9,10 @@ LICENSE = "BSD-3-Clause \| GPL-2.0-only"
9	LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \	9	LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \
10	file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0"	10	file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0"
11		11
12	SRC_URI = "git://github.com/facebook/zstd.git;branch=release;protocol=https"	12	SRC_URI = "git://github.com/facebook/zstd.git;branch=release;protocol=https \
		13	file://CVE-2022-4899-1.patch \
		14	file://CVE-2022-4899-2.patch \
		15	"
13		16
14	SRCREV = "e47e674cd09583ff0503f0f6defd6d23d8b718d3"	17	SRCREV = "e47e674cd09583ff0503f0f6defd6d23d8b718d3"
15	UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"	18	UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"