diff options
| -rw-r--r-- | meta/recipes-devtools/file/file/CVE-2019-18218.patch | 55 | ||||
| -rw-r--r-- | meta/recipes-devtools/file/file_5.38.bb (renamed from meta/recipes-devtools/file/file_5.37.bb) | 5 |
2 files changed, 2 insertions, 58 deletions
diff --git a/meta/recipes-devtools/file/file/CVE-2019-18218.patch b/meta/recipes-devtools/file/file/CVE-2019-18218.patch deleted file mode 100644 index 3d02c5ad4b..0000000000 --- a/meta/recipes-devtools/file/file/CVE-2019-18218.patch +++ /dev/null | |||
| @@ -1,55 +0,0 @@ | |||
| 1 | cdf_read_property_info in cdf.c in file through 5.37 does not restrict the | ||
| 2 | number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte | ||
| 3 | out-of-bounds write). | ||
| 4 | |||
| 5 | CVE: CVE-2019-18218 | ||
| 6 | Upstream-Status: Backport | ||
| 7 | Signed-off-by: Ross Burton <ross.burton@intel.com> | ||
| 8 | |||
| 9 | From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001 | ||
| 10 | From: Christos Zoulas <christos@zoulas.com> | ||
| 11 | Date: Mon, 26 Aug 2019 14:31:39 +0000 | ||
| 12 | Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz) | ||
| 13 | |||
| 14 | --- | ||
| 15 | src/cdf.c | 9 ++++----- | ||
| 16 | src/cdf.h | 1 + | ||
| 17 | 2 files changed, 5 insertions(+), 5 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/src/cdf.c b/src/cdf.c | ||
| 20 | index 9d6396742..bb81d6374 100644 | ||
| 21 | --- a/src/cdf.c | ||
| 22 | +++ b/src/cdf.c | ||
| 23 | @@ -1016,8 +1016,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, | ||
| 24 | goto out; | ||
| 25 | } | ||
| 26 | nelements = CDF_GETUINT32(q, 1); | ||
| 27 | - if (nelements == 0) { | ||
| 28 | - DPRINTF(("CDF_VECTOR with nelements == 0\n")); | ||
| 29 | + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { | ||
| 30 | + DPRINTF(("CDF_VECTOR with nelements == %" | ||
| 31 | + SIZE_T_FORMAT "u\n", nelements)); | ||
| 32 | goto out; | ||
| 33 | } | ||
| 34 | slen = 2; | ||
| 35 | @@ -1060,8 +1061,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, | ||
| 36 | goto out; | ||
| 37 | inp += nelem; | ||
| 38 | } | ||
| 39 | - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", | ||
| 40 | - nelements)); | ||
| 41 | for (j = 0; j < nelements && i < sh.sh_properties; | ||
| 42 | j++, i++) | ||
| 43 | { | ||
| 44 | diff --git a/src/cdf.h b/src/cdf.h | ||
| 45 | index 2f7e554b7..05056668f 100644 | ||
| 46 | --- a/src/cdf.h | ||
| 47 | +++ b/src/cdf.h | ||
| 48 | @@ -48,6 +48,7 @@ | ||
| 49 | typedef int32_t cdf_secid_t; | ||
| 50 | |||
| 51 | #define CDF_LOOP_LIMIT 10000 | ||
| 52 | +#define CDF_ELEMENT_LIMIT 100000 | ||
| 53 | |||
| 54 | #define CDF_SECID_NULL 0 | ||
| 55 | #define CDF_SECID_FREE -1 | ||
diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.38.bb index a96ccc0d39..99c75988c2 100644 --- a/meta/recipes-devtools/file/file_5.37.bb +++ b/meta/recipes-devtools/file/file_5.38.bb | |||
| @@ -11,10 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=2;md5=0251eaec1188b20d9a72c502ecfdd | |||
| 11 | DEPENDS = "zlib file-replacement-native" | 11 | DEPENDS = "zlib file-replacement-native" |
| 12 | DEPENDS_class-native = "zlib-native" | 12 | DEPENDS_class-native = "zlib-native" |
| 13 | 13 | ||
| 14 | SRC_URI = "git://github.com/file/file.git \ | 14 | SRC_URI = "git://github.com/file/file.git" |
| 15 | file://CVE-2019-18218.patch" | ||
| 16 | 15 | ||
| 17 | SRCREV = "a0d5b0e4e9f97d74a9911e95cedd579852e25398" | 16 | SRCREV = "ec41083645689a787cdd00cb3b5bf578aa79e46c" |
| 18 | S = "${WORKDIR}/git" | 17 | S = "${WORKDIR}/git" |
| 19 | 18 | ||
| 20 | inherit autotools update-alternatives | 19 | inherit autotools update-alternatives |