2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-core/uclibc/uclibc-git.inc b/meta/recipes-core/uclibc/uclibc-git.inc
index dcb616d0d2..d3fb2a8a8e 100644
--- a/meta/recipes-core/uclibc/uclibc-git.inc
+++ b/meta/recipes-core/uclibc/uclibc-git.inc
@@ -19,5 +19,6 @@ SRC_URI = "git://uclibc.org/uClibc.git;branch=master \
        file://0001-gcc5-optimizes-away-the-write-only-static-functions-.patch \
        file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \
        file://0001-wire-in-syncfs.patch \
+        file://CVE-2016-2224.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch
new file mode 100644
index 0000000000..218b60a85c
--- /dev/null
+++ b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch
@@ -0,0 +1,49 @@
+From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
+From: Waldemar Brodkorb <wbx@openadk.org>
+Date: Sun, 17 Jan 2016 15:47:22 +0100
+Subject: [PATCH] Do not follow compressed items forever.
+It is possible to get stuck in an infinite loop when receiving a
+specially crafted DNS reply. Exit the loop after a number of iteration
+and consider the packet invalid.
+Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
+Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
+Upstream-status: Backport
+http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515
+CVE: CVE-2016-2224
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libc/inet/resolv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+Index: git/libc/inet/resolv.c
+===================================================================
+--- git.orig/libc/inet/resolv.c
+++ git/libc/inet/resolv.c
+@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
+        bool measure = 1;
+        unsigned total = 0;
+        unsigned used = 0;
+       unsigned maxiter = 256;
+ 
+        if (!packet)
+                return -1;
+ 
+-       while (1) {
+       while (--maxiter) {
+                if (offset >= packet_len)
+                        return -1;
+                b = packet[offset++];
+@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
+                else
+                        dest[used++] = '\0';
+        }
+       if (!maxiter)
+               return -1;
+ 
+        /* The null byte must be counted too */
+        if (measure)

diff --git a/meta/recipes-core/uclibc/uclibc-git.inc b/meta/recipes-core/uclibc/uclibc-git.inc index dcb616d0d2..d3fb2a8a8e 100644 --- a/meta/recipes-core/uclibc/uclibc-git.inc +++ b/meta/recipes-core/uclibc/uclibc-git.inc
@@ -19,5 +19,6 @@ SRC_URI = "git://uclibc.org/uClibc.git;branch=master \
19	file://0001-gcc5-optimizes-away-the-write-only-static-functions-.patch \	19	file://0001-gcc5-optimizes-away-the-write-only-static-functions-.patch \
20	file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \	20	file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \
21	file://0001-wire-in-syncfs.patch \	21	file://0001-wire-in-syncfs.patch \
		22	file://CVE-2016-2224.patch \
22	"	23	"
23	S = "${WORKDIR}/git"	24	S = "${WORKDIR}/git"


diff --git a/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch new file mode 100644 index 0000000000..218b60a85c --- /dev/null +++ b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch
@@ -0,0 +1,49 @@
		1	From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
		2	From: Waldemar Brodkorb <wbx@openadk.org>
		3	Date: Sun, 17 Jan 2016 15:47:22 +0100
		4	Subject: [PATCH] Do not follow compressed items forever.
		5
		6	It is possible to get stuck in an infinite loop when receiving a
		7	specially crafted DNS reply. Exit the loop after a number of iteration
		8	and consider the packet invalid.
		9
		10	Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
		11	Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
		12
		13	Upstream-status: Backport
		14	http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515
		15
		16	CVE: CVE-2016-2224
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	libc/inet/resolv.c \| 5 ++++-
		21	1 file changed, 4 insertions(+), 1 deletion(-)
		22
		23	Index: git/libc/inet/resolv.c
		24	===================================================================
		25	--- git.orig/libc/inet/resolv.c
		26	+++ git/libc/inet/resolv.c
		27	@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
		28	bool measure = 1;
		29	unsigned total = 0;
		30	unsigned used = 0;
		31	+ unsigned maxiter = 256;
		32
		33	if (!packet)
		34	return -1;
		35
		36	- while (1) {
		37	+ while (--maxiter) {
		38	if (offset >= packet_len)
		39	return -1;
		40	b = packet[offset++];
		41	@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
		42	else
		43	dest[used++] = '\0';
		44	}
		45	+ if (!maxiter)
		46	+ return -1;
		47
		48	/* The null byte must be counted too */
		49	if (measure)