On Thu, 2016-02-11 at 16:20 -0800, Armin Kuster wrote: > From: Armin Kuster <akus...@mvista.com> > > CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd > > affects libbsd <= 0.8.1
and this not needed in master which has 0.8.2. I plan to take this in fido once it's merged to jethro. Regards, Joshua > > Signed-off-by: Armin Kuster <akus...@mvista.com> > --- > .../libbsd/files/CVE-2016-2090.patch | 50 > ++++++++++++++++++++++ > meta/recipes-support/libbsd/libbsd_0.7.0.bb | 4 +- > 2 files changed, 53 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-support/libbsd/files/CVE-2016- > 2090.patch > > diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch > b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch > new file mode 100644 > index 0000000..2eaae13 > --- /dev/null > +++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch > @@ -0,0 +1,50 @@ > +From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 > 2001 > +From: Hanno Boeck <ha...@hboeck.de> > +Date: Wed, 27 Jan 2016 15:10:11 +0100 > +Subject: [PATCH] Fix heap buffer overflow in fgetwln() > + > +In the function fgetwln() there's a 4 byte heap overflow. > + > +There is a while loop that has this check to see whether there's > still > +enough space in the buffer: > + > + if (!fb->len || wused > fb->len) { > + > +If this is true more memory gets allocated. However this test won't > be > +true if wused == fb->len, but at that point wused already points out > +of the buffer. Some lines later there's a write to the buffer: > + > + fb->wbuf[wused++] = wc; > + > +This bug was found with the help of address sanitizer. > + > +Warned-by: ASAN > +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881 > +Signed-off-by: Guillem Jover <guil...@hadrons.org> > + > +Upstream-Status: Backport > +http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb > 7c3e7976de726d7ff7 > + > +CVE: CVE-2016-2090 > +Signed-off-by: Armin Kuster <akus...@mvista.com> > + > +--- > + src/fgetwln.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/src/fgetwln.c b/src/fgetwln.c > +index 9ee0776..aa3f927 100644 > +--- a/src/fgetwln.c > ++++ b/src/fgetwln.c > +@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp) > + fb->fp = stream; > + > + while ((wc = fgetwc(stream)) != WEOF) { > +- if (!fb->len || wused > fb->len) { > ++ if (!fb->len || wused >= fb->len) { > + wchar_t *wp; > + > + if (fb->len) > +-- > +2.3.5 > + > diff --git a/meta/recipes-support/libbsd/libbsd_0.7.0.bb > b/meta/recipes-support/libbsd/libbsd_0.7.0.bb > index 902666d..8d9a708 100644 > --- a/meta/recipes-support/libbsd/libbsd_0.7.0.bb > +++ b/meta/recipes-support/libbsd/libbsd_0.7.0.bb > @@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f1530ea92aea > a1c5e2547cfd43905d8c" > SECTION = "libs" > DEPENDS = "" > > -SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.x > z" > +SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.x > z \ > + file://CVE-2016-2090.patch \ > + " > > SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0" > SRC_URI[sha256sum] = > "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb" > -- > 2.3.5 > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core