busybox: CVE-2017-15874

* CVE-2017-15874 busybox: Integer underflow in archival/libarchive/decompress_unlzma.c (cherry picked from 9ac42c500586fa5f10a1f6d22c3f797df11b1f6b) Affects busybox <= 1.27.2 CVE: CVE-2017-15874 Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15874 (From OE-Core rev: c35a0355a3561cd17703ece3a66c3389ceb224bf) Signed-off-by: Sinan Kaya <okaya@kernel.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sinan Kaya <okaya@kernel.org> 2018-09-22 02:16:48 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-09-27 12:17:46 +0100
commit: d39e43f17fe76e15dc84adfd225ee80c75e2df7d (patch)
tree: 42761c8cb73edcd17eb7112066da244fc55e743a
parent: af42d0cae434c8f95c2d6c543e54c7d2b9bd65a5 (diff)
download: poky-d39e43f17fe76e15dc84adfd225ee80c75e2df7d.tar.gz
2 files changed, 31 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch b/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
new file mode 100644
index 0000000000..67b4ed7e11
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
@@ -0,0 +1,30 @@
+From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 27 Oct 2017 15:37:03 +0200
+Subject: [PATCH] unlzma: fix SEGV, closes 10436
+Upstream-Status: Backport [ https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ archival/libarchive/decompress_unlzma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index 29eee2a..41e492f 100644
+--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
+@@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+                                                pos = buffer_pos - rep0;
+                                                if ((int32_t)pos < 0) {
+                                                        pos += header.dict_size;
+                                                       /* bug 10436 has an example file where this triggers: */
+                                                       if ((int32_t)pos < 0)
+                                                               goto bad;
+
+                                                        /* see unzip_bad_lzma_2.zip: */
+                                                        if (pos >= buffer_size)
+                                                                goto bad;
+-- 
+2.19.0
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 1ce4823d47..bab29728ee 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://busybox-CVE-2017-16544.patch \
           file://busybox-fix-lzma-segfaults.patch \
           file://umount-ignore-c.patch \
+           file://CVE-2017-15874.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
author	Sinan Kaya <okaya@kernel.org>	2018-09-22 02:16:48 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-09-27 12:17:46 +0100
commit	d39e43f17fe76e15dc84adfd225ee80c75e2df7d (patch)
tree	42761c8cb73edcd17eb7112066da244fc55e743a
parent	af42d0cae434c8f95c2d6c543e54c7d2b9bd65a5 (diff)
download	poky-d39e43f17fe76e15dc84adfd225ee80c75e2df7d.tar.gz

diff --git a/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch b/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch new file mode 100644 index 0000000000..67b4ed7e11 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
@@ -0,0 +1,30 @@
		1	From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001
		2	From: Denys Vlasenko <vda.linux@googlemail.com>
		3	Date: Fri, 27 Oct 2017 15:37:03 +0200
		4	Subject: [PATCH] unlzma: fix SEGV, closes 10436
		5
		6	Upstream-Status: Backport [ https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b]
		7	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
		8	Signed-off-by: Sinan Kaya <okaya@kernel.org>
		9	---
		10	archival/libarchive/decompress_unlzma.c \| 4 ++++
		11	1 file changed, 4 insertions(+)
		12
		13	diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
		14	index 29eee2a..41e492f 100644
		15	--- a/archival/libarchive/decompress_unlzma.c
		16	+++ b/archival/libarchive/decompress_unlzma.c
		17	@@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
		18	pos = buffer_pos - rep0;
		19	if ((int32_t)pos < 0) {
		20	pos += header.dict_size;
		21	+ /* bug 10436 has an example file where this triggers: */
		22	+ if ((int32_t)pos < 0)
		23	+ goto bad;
		24	+
		25	/* see unzip_bad_lzma_2.zip: */
		26	if (pos >= buffer_size)
		27	goto bad;
		28	--
		29	2.19.0
		30


diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb index 1ce4823d47..bab29728ee 100644 --- a/meta/recipes-core/busybox/busybox_1.27.2.bb +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
47	file://busybox-CVE-2017-16544.patch \	47	file://busybox-CVE-2017-16544.patch \
48	file://busybox-fix-lzma-segfaults.patch \	48	file://busybox-fix-lzma-segfaults.patch \
49	file://umount-ignore-c.patch \	49	file://umount-ignore-c.patch \
		50	file://CVE-2017-15874.patch \
50	"	51	"
51	SRC_URI_append_libc-musl = " file://musl.cfg "	52	SRC_URI_append_libc-musl = " file://musl.cfg "
52		53