From patchwork Tue Mar 5 16:29:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 159669 Delivered-To: patch@linaro.org Received: by 2002:a02:5cc1:0:0:0:0:0 with SMTP id w62csp5162720jad; Tue, 5 Mar 2019 08:30:15 -0800 (PST) X-Google-Smtp-Source: APXvYqyiD93fPpWvPcIJGsRgMIF1wbGlmn9qdTRz5S6vY9ao2bvTom1fxl7RZb5q1MEyqo3KP/WA X-Received: by 2002:a63:f753:: with SMTP id f19mr2059798pgk.437.1551803414978; Tue, 05 Mar 2019 08:30:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551803414; cv=none; d=google.com; s=arc-20160816; b=QazZ1fOS9RDWBDjmAp0ufILhNI5NllCqQZNbsrBoAmGkJe1CmKNG2ZGmdOBTAU/46b UFiN1PwCvsLyGBgu5XawmN9BlSqUqowuss3guOinzk6/PJ6XiUtLltBy7nz0Hojg0o6S 4etxaOh5WRmwcldtP0E7L8qs3hFtypXHzMZpsE7LglEZbtBLJjm8DCUrFr8CQ9DZWiI1 BYGpvmyMPSuz8wVBz41oxyeoGcF8645Jg01mIotybdOQ2tzYBjFttwUq03iHN+zCOBpe 3QUDlqHe/BEPbIOo1ay4MdU2ghmlZCzpDRlDImexCmHhWvns8mkioIN2MbUfQPHGG6XS 14Qw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:message-id:date:to:from:dkim-signature :delivered-to; bh=oCBM6R5lpL70t9dZmaX+sqigsb6cUE403EKGqaGJiuM=; b=ndIwXLAeLnp5EVhGmQhZ6+0Sn7xZivUqOIrsyMQvCc2ev1L1JcOLFMcLHkyRnEmxPz RZKjgPuaLjHKm9FsYUba1U+Kp+uCv7ndROsN0sWcc5dq+p5kbCOWE8e4JTg8lZCiNYiY gALEi0hhq3J/GfwHofus0cr8H4drqBcyy3jTQ1XMzMg3slf1t9V7i+K/i/p2Ec6PGnsS meteEk964SqrKMRxF+/zYLdoP9+FkOrSdA5s7l1nhUT6qcO8FTrtCyNKmzkVOsn3QqsO r2CgiD4YSRGx4Bfy+TLtegTIkHjw57aW+mfKnxtN5BrbpDAG20Nt4iBumUf43i1/1Ld7 +18Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=SDRn8Sc9; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id i30si8152899pgb.413.2019.03.05.08.30.14; Tue, 05 Mar 2019 08:30:14 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=SDRn8Sc9; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id BB3987C719; Tue, 5 Mar 2019 16:30:10 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) by mail.openembedded.org (Postfix) with ESMTP id C677279D4A for ; Tue, 5 Mar 2019 16:30:08 +0000 (UTC) Received: by mail-wr1-f54.google.com with SMTP id d17so10167218wre.10 for ; Tue, 05 Mar 2019 08:30:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id; bh=AzjwfhS2LMbD7YDU/bKz46TSQIqAQXqPz6sZcUfCJPY=; b=SDRn8Sc9fUDrUFYPogTnJhiVPU74p5mYzIS5UOvck6swHK/kcROpEW4yls2OCixYAS wGgsnqxESw/GXU/YtkHDmvd6QrpYhwNm2rjjSOq6DuN6Rvp2Q3LbYUgPM8ffM5XoGvvd k7SIdnK6MaSbOTn4g+9X3zBMbIGznuJD1jmwVsfRAm9TQrc806n+KitocZQ48bLd2vab G9p5+F8Ofi+bYCgRGxhQ9fXWtBi8KNwlXsDHp4/gp3Z6XKlOtjZ1o1IZPe01dosXAqEp L/16olxj07C/N46y8ELfK3Ea3LpQqziXqJSpcTSVyYu6ksVjLZ+oB9D8xnKjoEOkE57a tZEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id; bh=AzjwfhS2LMbD7YDU/bKz46TSQIqAQXqPz6sZcUfCJPY=; b=Fd8YlA3CZEneRElDyl0fGFnXAn9WRziE5rToMc6AfoXa29rZVhgcLfH9IYUn0wjKWb S3re0z6PYzl3GTOugiUZHsUWKCCQe6nslM8DlvWGMF+bf/3x+ut0DiqDZ8uUPeUdZH8i zSD5gIjP14yrv09z53CaNgH8nqlbVzAxv7Kp/JCeKEE1jk23RPY3u00dbOIETIleUWvu h/D4RnuO9L0HeME4QZVcrqxaHmj0LcRBx5MRKFhIBojowLXe0Wbiv16geuFpT5jHRQB9 9DX+s4AXJN8CW02e7oWToh/VOmfEGhxM8n+JXUfiA8n8Jn6YYYXiOyfnLEtnuIz9aMfS J54Q== X-Gm-Message-State: APjAAAUxCbAK6QiraGn+/o64olTZ70txqeynJ516BbZI6IwEE5TlNrwa 1XMhTcq37Pn3rdtfwZDDkeSYNbhoTI4= X-Received: by 2002:adf:d08d:: with SMTP id y13mr15374957wrh.99.1551803408878; Tue, 05 Mar 2019 08:30:08 -0800 (PST) Received: from flashheart.burtonini.com (35.106.2.81.in-addr.arpa. [81.2.106.35]) by smtp.gmail.com with ESMTPSA id e6sm10511265wrt.14.2019.03.05.08.30.07 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Mar 2019 08:30:08 -0800 (PST) From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Tue, 5 Mar 2019 16:29:59 +0000 Message-Id: <20190305163003.16745-1-ross.burton@intel.com> X-Mailer: git-send-email 2.11.0 Subject: [OE-core] [PATCH 1/5] libsndfile1: update security patches X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org Remove CVE-2017-14245-14246.patch, fix rejected upstream as it doesn't solve the underlying issue. Instead 0001-a-ulaw-fix-multiple-buffer-overflows-432 also solves CVE-2017-14245 and CVE-2017-14246 properly. Add patches for CVE-2017-12562 and CVE-2018-19758. Refresh CVE-2018-13139.patch. Signed-off-by: Ross Burton --- ...-a-ulaw-fix-multiple-buffer-overflows-432.patch | 18 ++- .../libsndfile/libsndfile1/CVE-2017-12562.patch | 96 ++++++++++++++++ .../libsndfile1/CVE-2017-14245-14246.patch | 121 --------------------- .../libsndfile/libsndfile1/CVE-2018-13139.patch | 30 ++--- .../libsndfile/libsndfile1/CVE-2018-19758.patch | 34 ++++++ .../libsndfile/libsndfile1_1.0.28.bb | 3 +- 6 files changed, 160 insertions(+), 142 deletions(-) create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch delete mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch index c3f44ca235b..a4679cef2a0 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/0001-a-ulaw-fix-multiple-buffer-overflows-432.patch @@ -1,3 +1,15 @@ +This patch fixes #429 (CVE-2018-19661 CVE-2018-19662) and #344 (CVE-2017-17456 +CVE-2017-17457). As per +https://github.com/erikd/libsndfile/issues/344#issuecomment-448504425 it also +fixes #317 (CVE-2017-14245 CVE-2017-14246). + +CVE: CVE-2017-14245 CVE-2017-14246 +CVE: CVE-2017-17456 CVE-2017-17457 +CVE: CVE-2018-19661 CVE-2018-19662 + +Upstream-Status: Backport [8ddc442d539ca775d80cdbc7af17a718634a743f] +Signed-off-by: Ross Burton + From 39453899fe1bb39b2e041fdf51a85aecd177e9c7 Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Mon, 7 Jan 2019 15:55:03 +0800 @@ -17,12 +29,6 @@ In this case, arbitrarily set the buffer value to 0. This commit fixes #429 (CVE-2018-19661 and CVE-2018-19662) and fixes #344 (CVE-2017-17456 and CVE-2017-17457). -Upstream-Status: Backport[https://github.com/erikd/libsndfile/ -commit/585cc28a93be27d6938f276af0011401b9f7c0ca] - -CVE: CVE-2017-17456 CVE-2017-17457 CVE-2018-19661 CVE-2018-19662 - -Signed-off-by: Changqing Li --- src/alaw.c | 9 +++++++-- src/ulaw.c | 9 +++++++-- diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch new file mode 100644 index 00000000000..491dae31148 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-12562.patch @@ -0,0 +1,96 @@ +Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in +libsndfile through 1.0.28 allows remote attackers to cause a denial of service +(application crash) or possibly have unspecified other impact. + +CVE: CVE-2017-12562 +Upstream-Status: Backport [cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8] +Signed-off-by: Ross Burton + +From b6a9d7e95888ffa77d8c75ce3f03e6c7165587cd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rn=20Heusipp?= +Date: Wed, 14 Jun 2017 12:25:40 +0200 +Subject: [PATCH] src/common.c: Fix heap buffer overflows when writing strings + in binheader + +Fixes the following problems: + 1. Case 's' only enlarges the buffer by 16 bytes instead of size bytes. + 2. psf_binheader_writef() enlarges the header buffer (if needed) prior to the + big switch statement by an amount (16 bytes) which is enough for all cases + where only a single value gets added. Cases 's', 'S', 'p' however + additionally write an arbitrary length block of data and again enlarge the + buffer to the required amount. However, the required space calculation does + not take into account the size of the length field which gets output before + the data. + 3. Buffer size requirement calculation in case 'S' does not account for the + padding byte ("size += (size & 1) ;" happens after the calculation which + uses "size"). + 4. Case 'S' can overrun the header buffer by 1 byte when no padding is + involved + ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ;" while + the buffer is only guaranteed to have "size" space available). + 5. "psf->header.ptr [psf->header.indx] = 0 ;" in case 'S' always writes 1 byte + beyond the space which is guaranteed to be allocated in the header buffer. + 6. Case 's' can overrun the provided source string by 1 byte if padding is + involved ("memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ;" + where "size" is "strlen (strptr) + 1" (which includes the 0 terminator, + plus optionally another 1 which is padding and not guaranteed to be + readable via the source string pointer). + +Closes: https://github.com/erikd/libsndfile/issues/292 +--- + src/common.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/src/common.c b/src/common.c +index 1a6204ca..6b2a2ee9 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -681,16 +681,16 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) + /* Write a C string (guaranteed to have a zero terminator). */ + strptr = va_arg (argptr, char *) ; + size = strlen (strptr) + 1 ; +- size += (size & 1) ; + +- if (psf->header.indx + (sf_count_t) size >= psf->header.len && psf_bump_header_allocation (psf, 16)) ++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) + return count ; + + if (psf->rwf_endian == SF_ENDIAN_BIG) +- header_put_be_int (psf, size) ; ++ header_put_be_int (psf, size + (size & 1)) ; + else +- header_put_le_int (psf, size) ; ++ header_put_le_int (psf, size + (size & 1)) ; + memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ; ++ size += (size & 1) ; + psf->header.indx += size ; + psf->header.ptr [psf->header.indx - 1] = 0 ; + count += 4 + size ; +@@ -703,16 +703,15 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) + */ + strptr = va_arg (argptr, char *) ; + size = strlen (strptr) ; +- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) ++ if (psf->header.indx + 4 + (sf_count_t) size + (sf_count_t) (size & 1) > psf->header.len && psf_bump_header_allocation (psf, 4 + size + (size & 1))) + return count ; + if (psf->rwf_endian == SF_ENDIAN_BIG) + header_put_be_int (psf, size) ; + else + header_put_le_int (psf, size) ; +- memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ; ++ memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + (size & 1)) ; + size += (size & 1) ; + psf->header.indx += size ; +- psf->header.ptr [psf->header.indx] = 0 ; + count += 4 + size ; + break ; + +@@ -724,7 +723,7 @@ psf_binheader_writef (SF_PRIVATE *psf, const char *format, ...) + size = (size & 1) ? size : size + 1 ; + size = (size > 254) ? 254 : size ; + +- if (psf->header.indx + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, size)) ++ if (psf->header.indx + 1 + (sf_count_t) size > psf->header.len && psf_bump_header_allocation (psf, 1 + size)) + return count ; + + header_put_byte (psf, size) ; diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch deleted file mode 100644 index a17ec21f986..00000000000 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001 -From: Fabian Greffrath -Date: Wed, 27 Sep 2017 14:46:17 +0200 -Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being - normal - -and check elements of the data[] array for being finite. - -Both checks use functions provided by the header as declared -by the C99 standard. - -Fixes #317 -CVE: CVE-2017-14245 -CVE: CVE-2017-14246 - -Upstream-Status: Backport [https://github.com/fabiangreffrath/libsndfile/commit/2d54514a4f6437b67829717c05472d2e3300a258] - -Signed-off-by: Fabian Greffrath -Signed-off-by: Jagadeesh Krishnanjanappa ---- - programs/common.c | 20 ++++++++++++++++---- - programs/common.h | 2 +- - programs/sndfile-convert.c | 6 +++++- - 3 files changed, 22 insertions(+), 6 deletions(-) - -diff --git a/programs/common.c b/programs/common.c -index a21e62c..a249a58 100644 ---- a/programs/common.c -+++ b/programs/common.c -@@ -36,6 +36,7 @@ - #include - #include - #include -+#include - - #include - -@@ -45,7 +46,7 @@ - - #define MIN(x, y) ((x) < (y) ? (x) : (y)) - --void -+int - sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) - { static double data [BUFFER_LEN], max ; - int frames, readcount, k ; -@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize - readcount = frames ; - - sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ; -+ if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */ -+ return 1 ; - - if (!normalize && max < 1.0) - { while (readcount > 0) -@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize - while (readcount > 0) - { readcount = sf_readf_double (infile, data, frames) ; - for (k = 0 ; k < readcount * channels ; k++) -- data [k] /= max ; -+ { data [k] /= max ; -+ -+ if (!isfinite (data [k])) /* infinite or NaN */ -+ return 1; -+ } - sf_writef_double (outfile, data, readcount) ; - } ; - } ; - -- return ; -+ return 0 ; - } /* sfe_copy_data_fp */ - - void -@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * in - - /* If the input file is not the same as the output file, copy the data. */ - if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)) -- sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ; -+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0) -+ { printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ; -+ error_code = 1 ; -+ goto cleanup_exit ; -+ } ; -+ } - else - sfe_copy_data_int (outfile, infile, sfinfo.channels) ; - } ; -diff --git a/programs/common.h b/programs/common.h -index eda2d7d..986277e 100644 ---- a/programs/common.h -+++ b/programs/common.h -@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ; - - void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ; - --void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ; -+int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ; - - void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ; - -diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c -index dff7f79..e6de593 100644 ---- a/programs/sndfile-convert.c -+++ b/programs/sndfile-convert.c -@@ -335,7 +335,11 @@ main (int argc, char * argv []) - || (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT) - || (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT) - || (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS)) -- sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ; -+ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0) -+ { printf ("Error : Not able to decode input file %s.\n", infilename) ; -+ return 1 ; -+ } ; -+ } - else - sfe_copy_data_int (outfile, infile, sfinfo.channels) ; - --- -2.7.4 - diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch index 4ae3674df15..707373d4140 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch @@ -1,23 +1,25 @@ -From 5473aeef7875e54bd0f786fbdd259a35aaee875c Mon Sep 17 00:00:00 2001 -From: Changqing Li -Date: Wed, 10 Oct 2018 08:59:30 +0800 -Subject: [PATCH] libsndfile1: patch for CVE-2018-13139 +CVE: CVE-2018-13139 +Upstream-Status: Backport [9dc989eb89cd697e19897afa616d6ab0debe4822] +Signed-off-by: Ross Burton -Upstream-Status: Backport [https://github.com/bwarden/libsndfile/ -commit/df18323c622b54221ee7ace74b177cdcccc152d7] +From 9dc989eb89cd697e19897afa616d6ab0debe4822 Mon Sep 17 00:00:00 2001 +From: "Brett T. Warden" +Date: Tue, 28 Aug 2018 12:01:17 -0700 +Subject: [PATCH] Check MAX_CHANNELS in sndfile-deinterleave -CVE: CVE-2018-13139 +Allocated buffer has space for only 16 channels. Verify that input file +meets this limit. -Signed-off-by: Changqing Li +Fixes #397 --- - programs/sndfile-deinterleave.c | 6 ++++++ - 1 file changed, 6 insertions(+) + programs/sndfile-deinterleave.c | 7 +++++++ + 1 file changed, 7 insertions(+) diff --git a/programs/sndfile-deinterleave.c b/programs/sndfile-deinterleave.c -index e27593e..721bee7 100644 +index e27593e2..cb497e1f 100644 --- a/programs/sndfile-deinterleave.c +++ b/programs/sndfile-deinterleave.c -@@ -89,6 +89,12 @@ main (int argc, char **argv) +@@ -89,6 +89,13 @@ main (int argc, char **argv) exit (1) ; } ; @@ -27,9 +29,9 @@ index e27593e..721bee7 100644 + exit (1) ; + } ; + ++ state.channels = sfinfo.channels ; sfinfo.channels = 1 ; -- -2.7.4 - +2.11.0 diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch new file mode 100644 index 00000000000..c3586f9dfc8 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19758.patch @@ -0,0 +1,34 @@ +There is a heap-based buffer over-read at wav.c in wav_write_header in +libsndfile 1.0.28 that will cause a denial of service. + +CVE: CVE-2018-19758 +Upstream-Status: Backport [42132c543358cee9f7c3e9e9b15bb6c1063a608e] +Signed-off-by: Ross Burton + +From c12173b0197dd0c5cfa2cd27977e982d2ae59486 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo +Date: Tue, 1 Jan 2019 20:11:46 +1100 +Subject: [PATCH] src/wav.c: Fix heap read overflow + +This is CVE-2018-19758. + +Closes: https://github.com/erikd/libsndfile/issues/435 +--- + src/wav.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/wav.c b/src/wav.c +index e8405b55..6fb94ae8 100644 +--- a/src/wav.c ++++ b/src/wav.c +@@ -1094,6 +1094,8 @@ wav_write_header (SF_PRIVATE *psf, int calc_length) + psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */ + psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ; + ++ /* Loop count is signed 16 bit number so we limit it range to something sensible. */ ++ psf->instrument->loop_count &= 0x7fff ; + for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++) + { int type ; + +-- +2.11.0 diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index 9700f4a6e75..eb2c719d8da 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -10,11 +10,12 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ file://CVE-2017-8361-8365.patch \ file://CVE-2017-8362.patch \ file://CVE-2017-8363.patch \ - file://CVE-2017-14245-14246.patch \ file://CVE-2017-14634.patch \ file://CVE-2018-13139.patch \ file://0001-a-ulaw-fix-multiple-buffer-overflows-432.patch \ file://CVE-2018-19432.patch \ + file://CVE-2017-12562.patch \ + file://CVE-2018-19758.patch \ " SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" From patchwork Tue Mar 5 16:30:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 159670 Delivered-To: patch@linaro.org Received: by 2002:a02:5cc1:0:0:0:0:0 with SMTP id w62csp5163032jad; Tue, 5 Mar 2019 08:30:28 -0800 (PST) X-Google-Smtp-Source: APXvYqyrSRHHjrxkBHlIdzk0VgtxT4fBu2EwQPGKlvK0+kCmWTpiylthvvDZaekJ12uImcKs1tLb X-Received: by 2002:a17:902:7682:: with SMTP id m2mr2054965pll.311.1551803428838; Tue, 05 Mar 2019 08:30:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551803428; cv=none; d=google.com; s=arc-20160816; b=IDUeAd/8JBphAETUfzM4YbHUcKm1NwF4YFM2Xi+30ir0dpLODhSfWRu0YhIN/MB+ol 6pMryYseILXnWfTRBCVT13WE/URFvCEglNm5mj0nmFOx3SCWPfkdeRRulqmPUu9UElWE zRRkRDJNQ8o+kui6UKmcZgY0Z74E5CzzN+88Pt9pl5zz6pvL7dlve1bSdPDtE5vd2LNH 8gxoAQlazAtmWqoo1Yz+Dv2+RssqYs7m/+aQ5qWOf/g3Kj09f5jmzQn12qT0E2+0gIha rZ0gayp6Le/7x67wzYNm/RbNh7z2P7+8fm1QSb87YTwzfMniiJZJKAiHtxrFdVCZ+Myv Bc7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=7/ttE87AkDoO+IoI8cf93aJKRZHOFRGvt8QCeRAVOd8=; b=s/a57iuXwwgSQKyPlQfUo+5WQA9/AP2bxNqG8+gOTTyk/DOUF1g1LB4GHFrF3uU3vo Wur+2qPsw0aD/B/XqZRwQQlr+RS89tS+8mdQaU+KH94QOAnJsdbM99OlqVzgOZW41uIe 0IVrnts1SoiIgeCJBeiVCzQUxNL7SxG67WC5av76NsPOgcPu9sas+jaMm+1R4KIxGNey BHeIDVGAV4OeupaJ7BI93IgFdb4bJg3v/IV2qxXiP9fv/oNBg8Y85awjcsJKa15ug9Xe FN7L3m6WgXps8ybvvtLUqKdc/48fvl536PWxatd4D0RRQg18bAoUe/XDR/bExcW9NDWF PQdg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=sP910Eq7; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id 125si8844731pfz.148.2019.03.05.08.30.28; Tue, 05 Mar 2019 08:30:28 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=sP910Eq7; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id C1F8C7C727; Tue, 5 Mar 2019 16:30:25 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mail.openembedded.org (Postfix) with ESMTP id 8002D79D4A for ; Tue, 5 Mar 2019 16:30:09 +0000 (UTC) Received: by mail-wm1-f50.google.com with SMTP id f3so3199165wmj.4 for ; Tue, 05 Mar 2019 08:30:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id:in-reply-to:references; bh=fKD0wsXIyyG7h6OcAuY5I5MDRXCPqOd6HpwgUygawVs=; b=sP910Eq7ObryQR+qqy0HpET05MgOQkg41ds2iFtPqiVNe+3ySsympvk7xvDOFbaeHW Pf3eVtMCPuWUhuEmzhSMdiz2vl+kO/YkmD8SDlTTRJl5AqjWtYu0/ks/E2y27EGqiKlR 1iB/EW9D0PEnZueNVEfMttrX6tajBQ8srs9VYzROIKQmxv7mPtwt1/8kSML4owwXZkFP Ou/iBtGGur031bC4Z7bfcjQtILXBYcwD/k3N22mK8JYQoJ/Lq0+btU5b4JlchW3x/xZz IOMIeMui3nZ51jBmMEPJUpVXDhvzR0wV4cpUUC4kq2zxV117ZXW/sk6QgJteANgvm+5u 5yoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=fKD0wsXIyyG7h6OcAuY5I5MDRXCPqOd6HpwgUygawVs=; b=qE/ItOf8zrZn9Jl5Hhhp3rRpXk/u/P6ulimYdvZ6F8HDKL7VosQIqUiQDoWAtQahgG b0N+5SLpMGYVzVNXFbBbSmLREyQnrk+Rt5W2Bz2lvtfgMBin6zUG46uYgzAyd8bZiBVh iZBqY6elqw2onSOnx+rMCFBvdVGyXDrD6jkyLd09x2UmBilMUZEzuN7fChzvU8fIuRjp GZJPBesrBXKhDgGAoEu20DmYpbxg9ff4GZ+OXo3JMwsJOOy/kVOYtMEXsQ+AfcMbINoT +gTSAZcNNtvZE923n5RGRZ62I8aZxOP8HHdD+yZEjcTkXtsWzJREsIqTQrTNVrpXtwQ1 BrbQ== X-Gm-Message-State: APjAAAV6lUdU0GOGFO7JCboszpkWJBa2kjMXQsR+42DR++gQc2a2oRdY xp7y1qtWqtzrnJyQ8PyXBJD4HKMDx+s= X-Received: by 2002:a7b:c7da:: with SMTP id z26mr3329899wmk.151.1551803409758; Tue, 05 Mar 2019 08:30:09 -0800 (PST) Received: from flashheart.burtonini.com (35.106.2.81.in-addr.arpa. [81.2.106.35]) by smtp.gmail.com with ESMTPSA id e6sm10511265wrt.14.2019.03.05.08.30.08 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Mar 2019 08:30:09 -0800 (PST) From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Tue, 5 Mar 2019 16:30:00 +0000 Message-Id: <20190305163003.16745-2-ross.burton@intel.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190305163003.16745-1-ross.burton@intel.com> References: <20190305163003.16745-1-ross.burton@intel.com> Subject: [OE-core] [PATCH 2/5] icu: fix CVE-2018-18928 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org Signed-off-by: Ross Burton --- meta/recipes-support/icu/icu/CVE-2018-18928.patch | 63 +++++++++++++++++++++++ meta/recipes-support/icu/icu_63.1.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-support/icu/icu/CVE-2018-18928.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-support/icu/icu/CVE-2018-18928.patch b/meta/recipes-support/icu/icu/CVE-2018-18928.patch new file mode 100644 index 00000000000..19c50e4e76a --- /dev/null +++ b/meta/recipes-support/icu/icu/CVE-2018-18928.patch @@ -0,0 +1,63 @@ +CVE: CVE-2018-18928 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 53d8c8f3d181d87a6aa925b449b51c4a2c922a51 Mon Sep 17 00:00:00 2001 +From: Shane Carr +Date: Mon, 29 Oct 2018 23:52:44 -0700 +Subject: [PATCH] ICU-20246 Fixing another integer overflow in number parsing. + +--- + i18n/fmtable.cpp | 2 +- + i18n/number_decimalquantity.cpp | 5 ++++- + test/intltest/numfmtst.cpp | 8 ++++++++ + 6 files changed, 31 insertions(+), 4 deletions(-) + +diff --git a/i18n/fmtable.cpp b/i18n/fmtable.cpp +index 45c7024fc29..8601d95f4a6 100644 +--- a/i18n/fmtable.cpp ++++ b/i18n/fmtable.cpp +@@ -734,7 +734,7 @@ CharString *Formattable::internalGetCharString(UErrorCode &status) { + // not print scientific notation for magnitudes greater than -5 and smaller than some amount (+5?). + if (fDecimalQuantity->isZero()) { + fDecimalStr->append("0", -1, status); +- } else if (std::abs(fDecimalQuantity->getMagnitude()) < 5) { ++ } else if (fDecimalQuantity->getMagnitude() != INT32_MIN && std::abs(fDecimalQuantity->getMagnitude()) < 5) { + fDecimalStr->appendInvariantChars(fDecimalQuantity->toPlainString(), status); + } else { + fDecimalStr->appendInvariantChars(fDecimalQuantity->toScientificString(), status); +diff --git a/i18n/number_decimalquantity.cpp b/i18n/number_decimalquantity.cpp +index 47b930a564b..d5dd7ae694c 100644 +--- a/i18n/number_decimalquantity.cpp ++++ b/i18n/number_decimalquantity.cpp +@@ -898,7 +898,10 @@ UnicodeString DecimalQuantity::toScientificString() const { + } + result.append(u'E'); + int32_t _scale = upperPos + scale; +- if (_scale < 0) { ++ if (_scale == INT32_MIN) { ++ result.append({u"-2147483648", -1}); ++ return result; ++ } else if (_scale < 0) { + _scale *= -1; + result.append(u'-'); + } else { +diff --git a/test/intltest/numfmtst.cpp b/test/intltest/numfmtst.cpp +index 34355939113..8d52dc122bf 100644 +--- a/test/intltest/numfmtst.cpp ++++ b/test/intltest/numfmtst.cpp +@@ -9226,6 +9226,14 @@ void NumberFormatTest::Test20037_ScientificIntegerOverflow() { + assertEquals(u"Should not overflow and should parse only the first exponent", + u"1E-2147483647", + {sp.data(), sp.length(), US_INV}); ++ ++ // Test edge case overflow of exponent ++ result = Formattable(); ++ nf->parse(u".0003e-2147483644", result, status); ++ sp = result.getDecimalNumber(status); ++ assertEquals(u"Should not overflow", ++ u"3E-2147483648", ++ {sp.data(), sp.length(), US_INV}); + } + + void NumberFormatTest::Test13840_ParseLongStringCrash() { diff --git a/meta/recipes-support/icu/icu_63.1.bb b/meta/recipes-support/icu/icu_63.1.bb index e593dc1bdbd..961f022ad7a 100644 --- a/meta/recipes-support/icu/icu_63.1.bb +++ b/meta/recipes-support/icu/icu_63.1.bb @@ -17,6 +17,7 @@ SRC_URI = "${BASE_SRC_URI} \ file://icu-pkgdata-large-cmd.patch \ file://fix-install-manx.patch \ file://0002-Add-ARC-support.patch \ + file://CVE-2018-18928.patch \ " SRC_URI_append_class-target = "\ From patchwork Tue Mar 5 16:30:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 159671 Delivered-To: patch@linaro.org Received: by 2002:a02:5cc1:0:0:0:0:0 with SMTP id w62csp5163189jad; Tue, 5 Mar 2019 08:30:35 -0800 (PST) X-Google-Smtp-Source: APXvYqw9A2SO+Pskid1kDyHvCoJtnzNatMOrNJZkNrXoAO4SrXVgNxWlZu4XxuLRUJ5U8oPcS34L X-Received: by 2002:a17:902:8b82:: with SMTP id ay2mr2054228plb.64.1551803435433; Tue, 05 Mar 2019 08:30:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551803435; cv=none; d=google.com; s=arc-20160816; b=VPHdy+OdzYRR+4RTxIgQYYEobKDp4A6kfaUF1nLBcP0r6I0gTY+DX9UPJ3PEamVsMO bMpnQyz7O1kf8RnY6lhF4S8KFq0FotOPSNRz9PxSbCboU25aIJpmWIftjGDeSw4Tfv+l 23ULHPYB6svp+qxNDJmgIguCo5M1u45yg7PJFr4bOPWuenWdG7eEmYZw7NLWvvmlnJ/G s+dFgGxAeC9BBHWshRoJ4fEInkJ8t/KZrS9FCRzAqsW23d0Cel/LBTbsprpCgO18/azY uVIjeftTpkzlzQCJN9o8l0JklXY9NMRMZ28VlFrpfKbWvh3DlcgE/seOWbybhNW/8m8u XGvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=kVEhB8pbJKaULnFSuR4PcxTDl+DIbF20OTZ6zkMb7IM=; b=zv3CpxbehuNlb6P3DWMpCU43iHRsOwgx7EXJvqoC1aGX89nNTESYk5cLFcQzZ6+Mp7 +7XZ8zkfTSd4sJFYYelTZAEJDtLfwcZ1VVSpN+4fVjFNw21Kt5HbCX0wwwZgRTpLOxKr rtdMqlBdifSW9PA6z//MQIDFqeseEaCIvJjGbsTP/Z+TYmyUDizswCW8a8fNYoWCl5gO 2sy/S1YTCde+N5KbRMBAtM743WTMHow+rbN837ZzMVD8bGlTGd/MjDJtXJ6lW3EiBzbM eg1lSGjZzrBj603k4qeZe76/Q0nY+KrtUBNq/gFEnIOM+SyxRRgOWPZ7nWNcxc2Tj4DN HyOg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=AprZyRmh; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id e13si7788378pgv.493.2019.03.05.08.30.34; Tue, 05 Mar 2019 08:30:35 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=AprZyRmh; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 118C67C731; Tue, 5 Mar 2019 16:30:27 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mail.openembedded.org (Postfix) with ESMTP id 65CF479D4A for ; Tue, 5 Mar 2019 16:30:10 +0000 (UTC) Received: by mail-wm1-f54.google.com with SMTP id z84so3173885wmg.4 for ; Tue, 05 Mar 2019 08:30:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id:in-reply-to:references; bh=EsvLZ/DvA/8vDcDuFRri9/5GWmF+gmob8eIF0ghPbCA=; b=AprZyRmhIEXSir/r/W4bKwHHKgfQHSJiRO+53EfuLfkGGydvgo43WvF/F1hMs1Gxca T+a+cXySnU1w8E8fdFGMtQl/i2F5eqtOx3pCNypPylAvcQz+jnaK7M7rxRxMUSln9BZE 91eEEPcY86xlhTaDQAZ6Lx7I3elLmqq3M4vPyolOs4Mj4VJeyw+PySqQRAmVMRMmLKH/ 92+8rBEsSVpxsRE5Ev9s1DKNeP154OvUQmB14ayydbCLnv2VeOM3YnOIF3JVlXyq1HcT QzS/TUNdRKJGlZN6x5BO0U7sRYyUMo0L/TMg7WhQXqAyeaPDOvrq7pKK5ll4I9LnslNo bIEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=EsvLZ/DvA/8vDcDuFRri9/5GWmF+gmob8eIF0ghPbCA=; b=qhvwKoPYf2+7X48NvVw0KQGd6L3yU87lUDEVrjIpocH9QcLJBBYxIbPfV0zUUm9BkN 0SIH0TfqoHvMuxDH0ErzMHHWmBYMEWXJUy5U2xWwTFkMMh1pjX85TdCdTQTYzBhBce6X i88XmRqO45gXsM+GqbttWelqz8FOFttjqYqxOBDLjxFGwepJ1P6NJen54IY8nrRoTGsU 8TM5vvGsXzNgagjwyZLcVb7rGPKxQiiRdj7Z0IhiSL6J3TmfdUkBPW7UUa+hPH/ZdqU9 dUlEAtaYRPmYWPD7B0YJpREpnlAsLGgCXjVttIrX1n8ug+LwsyWPnvhjPCTLi5jdAnJO AJzQ== X-Gm-Message-State: APjAAAUCW+a5+WvMf+cHGbdGIbQg17heUyHesF/q3ErC9oIGW7I/pQQk SOIRRSvVHsLYeh8lac9n+aANp4G1RB0= X-Received: by 2002:a7b:cc93:: with SMTP id p19mr3338110wma.113.1551803410788; Tue, 05 Mar 2019 08:30:10 -0800 (PST) Received: from flashheart.burtonini.com (35.106.2.81.in-addr.arpa. [81.2.106.35]) by smtp.gmail.com with ESMTPSA id e6sm10511265wrt.14.2019.03.05.08.30.09 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Mar 2019 08:30:10 -0800 (PST) From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Tue, 5 Mar 2019 16:30:01 +0000 Message-Id: <20190305163003.16745-3-ross.burton@intel.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190305163003.16745-1-ross.burton@intel.com> References: <20190305163003.16745-1-ross.burton@intel.com> Subject: [OE-core] [PATCH 3/5] file: upgrade to 5.36 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org Upgrade to 5.36. Drop debian-742262.patch, this appears to have been fixed properly upstream some releases ago. Signed-off-by: Ross Burton --- .../recipes-devtools/file/file/debian-742262.patch | 27 ---------------------- .../file/{file_5.35.bb => file_5.36.bb} | 6 ++--- 2 files changed, 2 insertions(+), 31 deletions(-) delete mode 100644 meta/recipes-devtools/file/file/debian-742262.patch rename meta/recipes-devtools/file/{file_5.35.bb => file_5.36.bb} (90%) -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-devtools/file/file/debian-742262.patch b/meta/recipes-devtools/file/file/debian-742262.patch deleted file mode 100644 index 319f9dbcf9b..00000000000 --- a/meta/recipes-devtools/file/file/debian-742262.patch +++ /dev/null @@ -1,27 +0,0 @@ -The awk pattern was checked *before* the Perl pattern, so the -perl script with BEGIN{...} would be reported as awk, this patch fixes it. - -Upstream-Status: Backport [debian] - -Signed-off-by: Christoph Biedl -Signed-off-by: Robert Yang - -Rebase on 5.31 - -Signed-off-by: Fan Xin ---- - magic/Magdir/commands | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/magic/Magdir/commands b/magic/Magdir/commands -index f6ad1c8..f79e7dd 100644 ---- a/magic/Magdir/commands -+++ b/magic/Magdir/commands -@@ -57,6 +57,7 @@ - 0 string/wt #!\ /usr/bin/awk awk script text executable - !:mime text/x-awk - 0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text -+!:strength - 12 - - # AT&T Bell Labs' Plan 9 shell - 0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable diff --git a/meta/recipes-devtools/file/file_5.35.bb b/meta/recipes-devtools/file/file_5.36.bb similarity index 90% rename from meta/recipes-devtools/file/file_5.35.bb rename to meta/recipes-devtools/file/file_5.36.bb index 2f0589de686..1a81fde259d 100644 --- a/meta/recipes-devtools/file/file_5.35.bb +++ b/meta/recipes-devtools/file/file_5.36.bb @@ -14,11 +14,9 @@ DEPENDS_class-native = "zlib-native" # Blacklist a bogus tag in upstream check UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P(?!6_23).+)" -SRC_URI = "git://github.com/file/file.git \ - file://debian-742262.patch \ - " +SRC_URI = "git://github.com/file/file.git" -SRCREV = "d1ff3af7a2c6b38bdbdde7af26b59e3c50a48fff" +SRCREV = "f3a4b9ada3ca99e62c62b9aa78eee4935a8094fe" S = "${WORKDIR}/git" inherit autotools update-alternatives From patchwork Tue Mar 5 16:30:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 159672 Delivered-To: patch@linaro.org Received: by 2002:a02:5cc1:0:0:0:0:0 with SMTP id w62csp5163377jad; Tue, 5 Mar 2019 08:30:43 -0800 (PST) X-Google-Smtp-Source: APXvYqzckiss8cV/IgKOeJPpmnDfX7PQp1tkZSXooxiM0puzt8gSTKck6L03xcMHs6HuuLVepbcQ X-Received: by 2002:a63:f556:: with SMTP id e22mr2094249pgk.321.1551803443073; Tue, 05 Mar 2019 08:30:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551803443; cv=none; d=google.com; s=arc-20160816; b=qbZh30nQ43RNuU3GILYRPmxzDSLTVQ2Xu3e2YpegnYyi9lcNwyQM3C8Gjhuw+FrMm/ syUQc9hG8jS4gz4Lutb7uBdPYl5lkW8DopVUBTW9hNLy8oa8PO34MSFukF691HeP+1uE 0Rt0CgdQzM352bBX3DkMQoxZrUzFY41XFkiS76bZlct7C5pO59IFac7rfh0ussX6iSRx 1wcJAkv8gPVlQAUGw2dW96Ad4xqpTfRKwUa9IsMkDQSZSlhiW6I4LuRkTJyylYyMHelc PNOf2d8y0IxWkYhRBtuY82jjdPZPEKlZNRQe+NdNUq4JFRu1PKXoLIJ7D1GEcE/AT+eH DW2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=HAT3+75kf+sJMubQjziQTeTLGA8e6Tx1cWKjqQHmV/o=; b=JL/N/1ltcJrKZ5Suq2f+L1bbbJzFWIYfxIEX68XKrIGN7YHKGG8cQQ+iYG9HpLEl7Z DyTin509ZXcLnYhZPXYve4+zk+JbuRQZuiH8Y0bSpV/57sKZaIfiu1cecLdubUpDmha5 WKLuwOy70A+IXTk2JB+3BMYcn6brD65UuyMQnKcslBUUuRMPTLsbdi+1ExDAbj8z8P38 SZ78V4P5aSeMGJF5xIc3dOstkTvXcVzOSUThsEJ8VBvFAQdhTddCBeAE5ocgHsOnPlsc E4vFMutP3GuTfEVTGu+5NdZFRYz2dVtsnGrhf21pnYZwqzmojHS4stG2UEnA4oYrT3mQ rtiw== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=sqFDSQ26; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id x64si8939054pfx.156.2019.03.05.08.30.42; Tue, 05 Mar 2019 08:30:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=sqFDSQ26; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 65EF87C740; Tue, 5 Mar 2019 16:30:29 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) by mail.openembedded.org (Postfix) with ESMTP id 06EB77C726 for ; Tue, 5 Mar 2019 16:30:11 +0000 (UTC) Received: by mail-wr1-f52.google.com with SMTP id l5so10157471wrw.6 for ; Tue, 05 Mar 2019 08:30:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id:in-reply-to:references; bh=AMxf+cBGQDlhEMTeSvD5ot3AYOmGg7PjwDlvRUuSeyU=; b=sqFDSQ26o4I/LODPUtRyZU8gEVDK5V9c7oSWEfdgXv5Faawyx+ucYIU9oySU4w8Ygj R6fOpjYU/j8xXqZYUNUEL1gVTaUOu0RYLPcX8x6PxiPBzrpJBRSjVy4jzAcCOZnwsmEp cnCJkoCmihX1eqb0FlMgLxeOeVi+2rbUyDNXBIFomyHLlWv7xhrH87QN9o6W8y+5tfLt ubD0KCP53073LodTRPFKbka/zZqdNBQd+BaE50UpjPgOkqo4vaSZbN8BKBbaTWDfQ1tQ c234lLSTofnIaSX1fvKNqNKIjw7Gx9iogtNTNQ7KuvoyFVdFrtiOKxbQ4hqfF5sacqfe AwLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=AMxf+cBGQDlhEMTeSvD5ot3AYOmGg7PjwDlvRUuSeyU=; b=VWa1sbl2F5PXSK0GQo6hP5zPipTLNsW252CdORc48j+Wvv4Ctdoaepuwul7fBERxH9 9wyhTO1eB6SbkHAK6cSaFkUyvs9t2v6/bkQbrBCo5oCF85LYQ4VCCZS0iE0CqDGrg4eb ERoy8Vv6cHxMSMZZZITU0d8prev6y794gficup9lAax39gQdu93HFc2DcWIW2tmZfVZu oDeI/ljsoMtL9uduyah+SJH2x8mpgwAWhSyf/v8+mKhP8mbwWVf92P7OONWtqI4vvBbC gl/g286PnciNR7Y1XI6q0wFu12G6DmjLT/RuZGK6aLqLyZvTYPsIkGFOxUgUHnX+JaRI GfuQ== X-Gm-Message-State: APjAAAUyuH5dqTzTqlElcdLAMRDiXqnhDZ0+RI3/5jPrA7ICqZmw63Wb 0njcKfVnfL5WKTTKsN2ErSR5OvPhRtg= X-Received: by 2002:adf:efc2:: with SMTP id i2mr16822451wrp.44.1551803412171; Tue, 05 Mar 2019 08:30:12 -0800 (PST) Received: from flashheart.burtonini.com (35.106.2.81.in-addr.arpa. [81.2.106.35]) by smtp.gmail.com with ESMTPSA id e6sm10511265wrt.14.2019.03.05.08.30.10 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Mar 2019 08:30:11 -0800 (PST) From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Tue, 5 Mar 2019 16:30:02 +0000 Message-Id: <20190305163003.16745-4-ross.burton@intel.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190305163003.16745-1-ross.burton@intel.com> References: <20190305163003.16745-1-ross.burton@intel.com> Subject: [OE-core] [PATCH 4/5] libarchive: integrate security fixes X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org Fix the following CVEs by backporting patches from upstream: - CVE-2019-1000019 - CVE-2019-1000020 - CVE-2018-1000877 - CVE-2018-1000878 - CVE-2018-1000879 - CVE-2018-1000880 Signed-off-by: Ross Burton --- .../libarchive/libarchive/CVE-2018-1000877.patch | 38 +++++++++++ .../libarchive/libarchive/CVE-2018-1000878.patch | 79 ++++++++++++++++++++++ .../libarchive/libarchive/CVE-2018-1000879.patch | 50 ++++++++++++++ .../libarchive/libarchive/CVE-2018-1000880.patch | 44 ++++++++++++ .../libarchive/libarchive/CVE-2019-1000019.patch | 59 ++++++++++++++++ .../libarchive/libarchive/CVE-2019-1000020.patch | 61 +++++++++++++++++ .../libarchive/libarchive_3.3.3.bb | 6 ++ 7 files changed, 337 insertions(+) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch new file mode 100644 index 00000000000..ce638370bd4 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch @@ -0,0 +1,38 @@ +CVE: CVE-2018-1000877 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 021efa522ad729ff0f5806c4ce53e4a6cc1daa31 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Tue, 20 Nov 2018 17:56:29 +1100 +Subject: [PATCH] Avoid a double-free when a window size of 0 is specified + +new_size can be 0 with a malicious or corrupted RAR archive. + +realloc(area, 0) is equivalent to free(area), so the region would +be free()d here and the free()d again in the cleanup function. + +Found with a setup running AFL, afl-rb, and qsym. +--- + libarchive/archive_read_support_format_rar.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 23452222..6f419c27 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -2300,6 +2300,11 @@ parse_codes(struct archive_read *a) + new_size = DICTIONARY_MAX_SIZE; + else + new_size = rar_fls((unsigned int)rar->unp_size) << 1; ++ if (new_size == 0) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Zero window size is invalid."); ++ return (ARCHIVE_FATAL); ++ } + new_window = realloc(rar->lzss.window, new_size); + if (new_window == NULL) { + archive_set_error(&a->archive, ENOMEM, +-- +2.20.0 + diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch new file mode 100644 index 00000000000..7468fd3c935 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch @@ -0,0 +1,79 @@ +CVE: CVE-2018-1000878 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From bfcfe6f04ed20db2504db8a254d1f40a1d84eb28 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Tue, 4 Dec 2018 00:55:22 +1100 +Subject: [PATCH] rar: file split across multi-part archives must match + +Fuzzing uncovered some UAF and memory overrun bugs where a file in a +single file archive reported that it was split across multiple +volumes. This was caused by ppmd7 operations calling +rar_br_fillup. This would invoke rar_read_ahead, which would in some +situations invoke archive_read_format_rar_read_header. That would +check the new file name against the old file name, and if they didn't +match up it would free the ppmd7 buffer and allocate a new +one. However, because the ppmd7 decoder wasn't actually done with the +buffer, it would continue to used the freed buffer. Both reads and +writes to the freed region can be observed. + +This is quite tricky to solve: once the buffer has been freed it is +too late, as the ppmd7 decoder functions almost universally assume +success - there's no way for ppmd_read to signal error, nor are there +good ways for functions like Range_Normalise to propagate them. So we +can't detect after the fact that we're in an invalid state - e.g. by +checking rar->cursor, we have to prevent ourselves from ever ending up +there. So, when we are in the dangerous part or rar_read_ahead that +assumes a valid split, we set a flag force read_header to either go +down the path for split files or bail. This means that the ppmd7 +decoder keeps a valid buffer and just runs out of data. + +Found with a combination of AFL, afl-rb and qsym. +--- + libarchive/archive_read_support_format_rar.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 6f419c27..a8cc5c94 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -258,6 +258,7 @@ struct rar + struct data_block_offsets *dbo; + unsigned int cursor; + unsigned int nodes; ++ char filename_must_match; + + /* LZSS members */ + struct huffman_code maincode; +@@ -1560,6 +1561,12 @@ read_header(struct archive_read *a, struct archive_entry *entry, + } + return ret; + } ++ else if (rar->filename_must_match) ++ { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Mismatch of file parts split across multi-volume archive"); ++ return (ARCHIVE_FATAL); ++ } + + rar->filename_save = (char*)realloc(rar->filename_save, + filename_size + 1); +@@ -2933,12 +2940,14 @@ rar_read_ahead(struct archive_read *a, size_t min, ssize_t *avail) + else if (*avail == 0 && rar->main_flags & MHD_VOLUME && + rar->file_flags & FHD_SPLIT_AFTER) + { ++ rar->filename_must_match = 1; + ret = archive_read_format_rar_read_header(a, a->entry); + if (ret == (ARCHIVE_EOF)) + { + rar->has_endarc_header = 1; + ret = archive_read_format_rar_read_header(a, a->entry); + } ++ rar->filename_must_match = 0; + if (ret != (ARCHIVE_OK)) + return NULL; + return rar_read_ahead(a, min, avail); +-- +2.20.0 + diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch new file mode 100644 index 00000000000..9f25932a1ab --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch @@ -0,0 +1,50 @@ +CVE: CVE-2018-1000879 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Tue, 4 Dec 2018 14:29:42 +1100 +Subject: [PATCH] Skip 0-length ACL fields + +Currently, it is possible to create an archive that crashes bsdtar +with a malformed ACL: + +Program received signal SIGSEGV, Segmentation fault. +archive_acl_from_text_l (acl=, text=0x7e2e92 "", want_type=, sc=) at libarchive/archive_acl.c:1726 +1726 switch (*s) { +(gdb) p n +$1 = 1 +(gdb) p field[n] +$2 = {start = 0x0, end = 0x0} + +Stop this by checking that the length is not zero before beginning +the switch statement. + +I am pretty sure this is the bug mentioned in the qsym paper [1], +and I was able to replicate it with a qsym + AFL + afl-rb setup. + +[1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun +--- + libarchive/archive_acl.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c +index 512beee1..7beeee86 100644 +--- a/libarchive/archive_acl.c ++++ b/libarchive/archive_acl.c +@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text, + st = field[n].start + 1; + len = field[n].end - field[n].start; + ++ if (len == 0) { ++ ret = ARCHIVE_WARN; ++ continue; ++ } ++ + switch (*s) { + case 'u': + if (len == 1 || (len == 4 +-- +2.20.0 + diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch new file mode 100644 index 00000000000..bc264a12423 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch @@ -0,0 +1,44 @@ +CVE: CVE-2018-1000880 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 9c84b7426660c09c18cc349f6d70b5f8168b5680 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Tue, 4 Dec 2018 16:33:42 +1100 +Subject: [PATCH] warc: consume data once read + +The warc decoder only used read ahead, it wouldn't actually consume +data that had previously been printed. This means that if you specify +an invalid content length, it will just reprint the same data over +and over and over again until it hits the desired length. + +This means that a WARC resource with e.g. +Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665 +but only a few hundred bytes of data, causes a quasi-infinite loop. + +Consume data in subsequent calls to _warc_read. + +Found with an AFL + afl-rb + qsym setup. +--- + libarchive/archive_read_support_format_warc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c +index e8753853..e8fc8428 100644 +--- a/libarchive/archive_read_support_format_warc.c ++++ b/libarchive/archive_read_support_format_warc.c +@@ -386,6 +386,11 @@ _warc_read(struct archive_read *a, const void **buf, size_t *bsz, int64_t *off) + return (ARCHIVE_EOF); + } + ++ if (w->unconsumed) { ++ __archive_read_consume(a, w->unconsumed); ++ w->unconsumed = 0U; ++ } ++ + rab = __archive_read_ahead(a, 1U, &nrd); + if (nrd < 0) { + *bsz = 0U; +-- +2.20.0 + diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch new file mode 100644 index 00000000000..f6f1add5e06 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch @@ -0,0 +1,59 @@ +CVE: CVE-2018-1000019 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 65a23f5dbee4497064e9bb467f81138a62b0dae1 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Tue, 1 Jan 2019 16:01:40 +1100 +Subject: [PATCH 2/2] 7zip: fix crash when parsing certain archives + +Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data() +would sometimes fail to return at least 'minimum' bytes. This can cause +the crc32() invocation in header_bytes to read off into invalid memory. + +A specially crafted archive can use this to cause a crash. + +An ASAN trace is below, but ASAN is not required - an uninstrumented +binary will also crash. + +==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0) +==7719==The signal is caused by a READ memory access. + #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c) + #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb) + #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156) + #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134) + #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690) + #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7) + #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63) + #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd) + #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f) + #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be) + #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb) + #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 + #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09) + +This was primarly done with afl and FairFuzz. Some early corpus entries +may have been generated by qsym. +--- + libarchive/archive_read_support_format_7zip.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c +index bccbf8966..b6d1505d3 100644 +--- a/libarchive/archive_read_support_format_7zip.c ++++ b/libarchive/archive_read_support_format_7zip.c +@@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size, + if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) { + /* Copy mode. */ + +- /* +- * Note: '1' here is a performance optimization. +- * Recall that the decompression layer returns a count of +- * available bytes; asking for more than that forces the +- * decompressor to combine reads by copying data. +- */ +- *buff = __archive_read_ahead(a, 1, &bytes_avail); ++ *buff = __archive_read_ahead(a, minimum, &bytes_avail); + if (bytes_avail <= 0) { + archive_set_error(&a->archive, + ARCHIVE_ERRNO_FILE_FORMAT, diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch new file mode 100644 index 00000000000..3e639213464 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch @@ -0,0 +1,61 @@ +CVE: CVE-2018-1000020 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 8312eaa576014cd9b965012af51bc1f967b12423 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Tue, 1 Jan 2019 17:10:49 +1100 +Subject: [PATCH 1/2] iso9660: Fail when expected Rockridge extensions is + missing + +A corrupted or malicious ISO9660 image can cause read_CE() to loop +forever. + +read_CE() calls parse_rockridge(), expecting a Rockridge extension +to be read. However, parse_rockridge() is structured as a while +loop starting with a sanity check, and if the sanity check fails +before the loop has run, the function returns ARCHIVE_OK without +advancing the position in the file. This causes read_CE() to retry +indefinitely. + +Make parse_rockridge() return ARCHIVE_WARN if it didn't read an +extension. As someone with no real knowledge of the format, this +seems more apt than ARCHIVE_FATAL, but both the call-sites escalate +it to a fatal error immediately anyway. + +Found with a combination of AFL, afl-rb (FairFuzz) and qsym. +--- + libarchive/archive_read_support_format_iso9660.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c +index 28acfefbb..bad8f1dfe 100644 +--- a/libarchive/archive_read_support_format_iso9660.c ++++ b/libarchive/archive_read_support_format_iso9660.c +@@ -2102,6 +2102,7 @@ parse_rockridge(struct archive_read *a, struct file_info *file, + const unsigned char *p, const unsigned char *end) + { + struct iso9660 *iso9660; ++ int entry_seen = 0; + + iso9660 = (struct iso9660 *)(a->format->data); + +@@ -2257,8 +2258,16 @@ parse_rockridge(struct archive_read *a, struct file_info *file, + } + + p += p[2]; ++ entry_seen = 1; ++ } ++ ++ if (entry_seen) ++ return (ARCHIVE_OK); ++ else { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Tried to parse Rockridge extensions, but none found"); ++ return (ARCHIVE_WARN); + } +- return (ARCHIVE_OK); + } + + static int + diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.3.bb b/meta/recipes-extended/libarchive/libarchive_3.3.3.bb index 46a3d437626..af5ca65297b 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.3.3.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.3.3.bb @@ -34,6 +34,12 @@ EXTRA_OECONF += "--enable-largefile" SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://non-recursive-extract-and-list.patch \ file://bug1066.patch \ + file://CVE-2018-1000877.patch \ + file://CVE-2018-1000878.patch \ + file://CVE-2018-1000879.patch \ + file://CVE-2018-1000880.patch \ + file://CVE-2019-1000019.patch \ + file://CVE-2019-1000020.patch \ " SRC_URI[md5sum] = "4038e366ca5b659dae3efcc744e72120" From patchwork Tue Mar 5 16:30:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 159673 Delivered-To: patch@linaro.org Received: by 2002:a02:5cc1:0:0:0:0:0 with SMTP id w62csp5163522jad; Tue, 5 Mar 2019 08:30:50 -0800 (PST) X-Google-Smtp-Source: APXvYqwDKqicSakKdQ7VeCn6EYifvoic9rTxFi8KjNgV8x+Q6SE/HZlV6PwpROof6cY9FGrKn8DI X-Received: by 2002:a17:902:728f:: with SMTP id d15mr2094922pll.156.1551803450078; Tue, 05 Mar 2019 08:30:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551803450; cv=none; d=google.com; s=arc-20160816; b=y0qsO+oOwv03Q0ymt+0AH/F+x8OFWOFIfSi1iSMinoOZavJti4JWbO0MxHTD1+Dn+2 nGyx2Um1tV018wIyZwisF+/R3GPGpMw6IJjtYl0OHEmNZhKSpFme0hx1vtENMEFZyaWZ 7QqGBGtnCNtw2wVMMrDOTcAMUzTZRoRoll5YZMFF4rg/xx2UOEEcjNfHsHvpzTPqvMxP DrPsWGQ/Oe47yfABLwJTUbLKWW/U677SdQnFi8BIDjr2WT0p/fE4dKaKODTzU4PccIJj hZM8FWJwGcvAlRLjSxx0rb8Ddt5BcGw1Kgm8lRPynGDCW6rJVlOAALQ/1xQ+H+4EzieH NIaQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=4Js+yxRedeaYRffI6hjj6RHbGo1C0gCEQyU/mmy3JIY=; b=UM3d/Guz1RPHrv8imIpNLWPy7ON8e8uNvgnp0lAUVtZh0H9iIIKTamwBcxQ9BDanaE duvJWczhS8VsadjAaAwelMx3H05qsBD1Mk6lnZHA2AQlw21+lvv/4DHHZFBdg7LJ63ji TPY0766pYVRwYUgV5mG/fSiST1QLSJ5QjF8gpTYfD3RMuY1sN8KB8LYr4U3h0vEoU5df F5YDskAENjtWVaAh6tovxaTxeRHBsPfrbuftcx1lXGkiZeaQB8kDYqT1SVJeY43AQOkD XFI6uY3bDsbW6bVvr4TtHT9gI7TDd2goZ7VCLeZ5tVRkK9YqZNJX6wXNxM2TDb/f9a/d wuWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=PUbQHfF5; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id e13si7946242pgu.102.2019.03.05.08.30.49; Tue, 05 Mar 2019 08:30:50 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=PUbQHfF5; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 86B9D7C753; Tue, 5 Mar 2019 16:30:30 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) by mail.openembedded.org (Postfix) with ESMTP id 8C4A07C707 for ; Tue, 5 Mar 2019 16:30:12 +0000 (UTC) Received: by mail-wr1-f45.google.com with SMTP id d17so10167457wre.10 for ; Tue, 05 Mar 2019 08:30:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id:in-reply-to:references; bh=QI01iJM05/Pn/RM2EjuNK+THl/mdDGYwnktYcGNUeQ4=; b=PUbQHfF5phrymyelB+uSscrKk9Qs5v4Vw8Td9ur01w3/NUDniOmcmKsrvbv/NCN/Az 34aMKEclAR50tL15eROZGt6mWTpNfmyP987ywGqyY09CIX45V3qqtuT3o322Px0Ayb6n sGFybyqJ3MonmQgWJHDUm1zVwrFOwfTENKaLBPAB9GisxBoZFzOU3UxsEodlqes7g0nP uBqPcSTWT8OaP/pYWTME7S/pX9dVRJtRoSEojCCNnVcg58nqm9II2S/UVyNeB21xJ5w1 7dF5/lfI0/7sM9ZwOsJE8A2ErbmqwDy3l10BtQld1TBjWemUTRLXvO3hxHw/ijvZ4x2P VYdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=QI01iJM05/Pn/RM2EjuNK+THl/mdDGYwnktYcGNUeQ4=; b=RnhF9uHlYJR+2aBdzSBFiJX8N6C2g2d4Lx2ni45cXh16f21EkaDPR91WolCcvIu0H0 xhwXuEJWLlHkhYwnNxv8mhp7lBbWaQiRcBY2RHJKOsZMzwtmvR5VHCaFKB7KTiXJ4Ze1 WbLtxIKb9Y3XOKNBfVc0brmuRRgik7XCwUp46OA7QdicZH5FzH+wkLtHMEOYWzeJt53Z BNerU5Te+CmvGfKWdKNVpdA2ra3mR6ejS7cpAhL5CwvY6k4Udv2C7XsqUV5Y0HTwBQbF 4eQn3vWFNBDAts4Yn9Hkb6coj8BCDe+IZch10S3XLoHU67WcGKmBfTXzHu97nkU0upqf O8Kg== X-Gm-Message-State: APjAAAWuPZs4LjX/yhvmwhHx41vhhy6se1dg6P2iUAanpKtUV9tKKUV+ dSmVoYIpo6KZg/0hwxyR3mytz7ym7/c= X-Received: by 2002:adf:f4c8:: with SMTP id h8mr18457861wrp.6.1551803413035; Tue, 05 Mar 2019 08:30:13 -0800 (PST) Received: from flashheart.burtonini.com (35.106.2.81.in-addr.arpa. [81.2.106.35]) by smtp.gmail.com with ESMTPSA id e6sm10511265wrt.14.2019.03.05.08.30.12 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Mar 2019 08:30:12 -0800 (PST) From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Tue, 5 Mar 2019 16:30:03 +0000 Message-Id: <20190305163003.16745-5-ross.burton@intel.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190305163003.16745-1-ross.burton@intel.com> References: <20190305163003.16745-1-ross.burton@intel.com> Subject: [OE-core] [PATCH 5/5] libpng: fix CVE-2019-7317 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org Signed-off-by: Ross Burton --- .../libpng/libpng/CVE-2019-7317.patch | 20 ++++++++++++++++++++ meta/recipes-multimedia/libpng/libpng_1.6.36.bb | 3 ++- 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch b/meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch new file mode 100644 index 00000000000..6ee1f8da303 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch @@ -0,0 +1,20 @@ +Use-after-free detected with static analysis. + +CVE: CVE-2019-7317 +Upstream-Status: Submitted [https://github.com/glennrp/libpng/issues/275] +Signed-off-by: Ross Burton + +diff --git a/png.c b/png.c +index 9d9926f638..efd1aecfbd 100644 +--- a/png.c ++++ b/png.c +@@ -4588,8 +4588,7 @@ png_image_free(png_imagep image) + if (image != NULL && image->opaque != NULL && + image->opaque->error_buf == NULL) + { +- /* Ignore errors here: */ +- (void)png_safe_execute(image, png_image_free_function, image); ++ png_image_free_function(image); + image->opaque = NULL; + } + } diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.36.bb b/meta/recipes-multimedia/libpng/libpng_1.6.36.bb index 3cf4f7249cb..a5862378884 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.36.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.36.bb @@ -9,7 +9,8 @@ DEPENDS = "zlib" LIBV = "16" -SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz" +SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \ + file://CVE-2019-7317.patch" SRC_URI[md5sum] = "df2be2d29c40937fe1f5349b16bc2826" SRC_URI[sha256sum] = "eceb924c1fa6b79172fdfd008d335f0e59172a86a66481e09d4089df872aa319"