2 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch b/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch
new file mode 100644
index 0000000000..c6ec7c94e1
--- /dev/null
+++ b/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch
@@ -0,0 +1,75 @@
+From 9368831d360c0e47df55d1bb25c3517269320c5f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Wed, 15 Mar 2023 16:12:43 +0800
+Subject: [PATCH] tuple: test for, and stop string processing, on truncation
+otherwise a buffer overflow occurs.
+this has been a bug in pkgconf since the beginning, it seems.
+instead of disclosing the bug correctly, a "hotshot" developer
+decided to blog about it instead.  sigh.
+https://nullprogram.com/blog/2023/01/18/
+Upstream-Status: Backport [https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059]
+CVE: CVE-2023-24056
+Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com>
+---
+ libpkgconf/tuple.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c
+index 2d550d8..b831070 100644
+--- a/libpkgconf/tuple.c
+++ b/libpkgconf/tuple.c
+@@ -293,12 +293,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
+                                }
+                        }
+ 
+                       size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
+                        ptr += (pptr - ptr);
+                        kv = pkgconf_tuple_find_global(client, varname);
+                        if (kv != NULL)
+                        {
+-                               strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
+-                               bptr += strlen(kv);
+                               size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
+                               if (nlen > remain)
+                               {
+                                       pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+
+                                       bptr = buf + (PKGCONF_BUFSIZE - 1);
+                                       break;
+                               }
+
+                               bptr += nlen;
+                        }
+                        else
+                        {
+@@ -306,12 +315,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
+ 
+                                if (kv != NULL)
+                                {
+                                       size_t nlen;
+
+                                        parsekv = pkgconf_tuple_parse(client, vars, kv);
+                                       nlen = pkgconf_strlcpy(bptr, parsekv, remain);
+                                       free(parsekv);
+ 
+-                                       strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
+-                                       bptr += strlen(parsekv);
+                                       if (nlen > remain)
+                                       {
+                                               pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+ 
+-                                       free(parsekv);
+                                               bptr = buf + (PKGCONF_BUFSIZE - 1);
+                                               break;
+                                       }
+
+                                       bptr += nlen;
+                                }
+                        }
+                }
+-- 
+2.27.0
diff --git a/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb b/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb
index 887e15e28c..cad0a0fa4f 100644
--- a/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb
+++ b/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2214222ec1a820bd6cc75167a56925e0"
 SRC_URI = "\
    https://distfiles.dereferenced.org/pkgconf/pkgconf-${PV}.tar.xz \
+    file://0001-tuple-test-for-and-stop-string-processing-on-truncat.patch \
    file://pkg-config-wrapper \
    file://pkg-config-native.in \
    file://pkg-config-esdk.in \

diff --git a/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch b/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch new file mode 100644 index 0000000000..c6ec7c94e1 --- /dev/null +++ b/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch
@@ -0,0 +1,75 @@
		1	From 9368831d360c0e47df55d1bb25c3517269320c5f Mon Sep 17 00:00:00 2001
		2	From: Ariadne Conill <ariadne@dereferenced.org>
		3	Date: Wed, 15 Mar 2023 16:12:43 +0800
		4	Subject: [PATCH] tuple: test for, and stop string processing, on truncation
		5
		6	otherwise a buffer overflow occurs.
		7	this has been a bug in pkgconf since the beginning, it seems.
		8	instead of disclosing the bug correctly, a "hotshot" developer
		9	decided to blog about it instead. sigh.
		10
		11	https://nullprogram.com/blog/2023/01/18/
		12
		13	Upstream-Status: Backport [https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059]
		14	CVE: CVE-2023-24056
		15	Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com>
		16	---
		17	libpkgconf/tuple.c \| 28 +++++++++++++++++++++++-----
		18	1 file changed, 23 insertions(+), 5 deletions(-)
		19
		20	diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c
		21	index 2d550d8..b831070 100644
		22	--- a/libpkgconf/tuple.c
		23	+++ b/libpkgconf/tuple.c
		24	@@ -293,12 +293,21 @@ pkgconf_tuple_parse(const pkgconf_client_t client, pkgconf_list_t vars, const
		25	}
		26	}
		27
		28	+ size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
		29	ptr += (pptr - ptr);
		30	kv = pkgconf_tuple_find_global(client, varname);
		31	if (kv != NULL)
		32	{
		33	- strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
		34	- bptr += strlen(kv);
		35	+ size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
		36	+ if (nlen > remain)
		37	+ {
		38	+ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
		39	+
		40	+ bptr = buf + (PKGCONF_BUFSIZE - 1);
		41	+ break;
		42	+ }
		43	+
		44	+ bptr += nlen;
		45	}
		46	else
		47	{
		48	@@ -306,12 +315,21 @@ pkgconf_tuple_parse(const pkgconf_client_t client, pkgconf_list_t vars, const
		49
		50	if (kv != NULL)
		51	{
		52	+ size_t nlen;
		53	+
		54	parsekv = pkgconf_tuple_parse(client, vars, kv);
		55	+ nlen = pkgconf_strlcpy(bptr, parsekv, remain);
		56	+ free(parsekv);
		57
		58	- strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
		59	- bptr += strlen(parsekv);
		60	+ if (nlen > remain)
		61	+ {
		62	+ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
		63
		64	- free(parsekv);
		65	+ bptr = buf + (PKGCONF_BUFSIZE - 1);
		66	+ break;
		67	+ }
		68	+
		69	+ bptr += nlen;
		70	}
		71	}
		72	}
		73	--
		74	2.27.0
		75


diff --git a/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb b/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb index 887e15e28c..cad0a0fa4f 100644 --- a/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb +++ b/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2214222ec1a820bd6cc75167a56925e0"
16		16
17	SRC_URI = "\	17	SRC_URI = "\
18	https://distfiles.dereferenced.org/pkgconf/pkgconf-${PV}.tar.xz \	18	https://distfiles.dereferenced.org/pkgconf/pkgconf-${PV}.tar.xz \
		19	file://0001-tuple-test-for-and-stop-string-processing-on-truncat.patch \
19	file://pkg-config-wrapper \	20	file://pkg-config-wrapper \
20	file://pkg-config-native.in \	21	file://pkg-config-native.in \
21	file://pkg-config-esdk.in \	22	file://pkg-config-esdk.in \