Hi,

On Tue, Dec 01, 2020 at 10:00:55PM +0100, Gianfranco wrote:
> More information on: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976228
> | A buffer overflow in the dlt_filter_load function in dlt_common.c in
> | dlt-daemon 2.8.5 (GENIVI Diagnostic Log and Trace) allows arbitrary
> | code execution because fscanf is misused (no limit on the number of
> | characters to be read in a format argument).
> 
> Signed-off-by: Gianfranco Costamagna <costamagnagianfra...@yahoo.it>
> Signed-off-by: Gianfranco Costamagna <locutusofb...@debian.org>
> ---
>  .../dlt-daemon/dlt-daemon/275.patch           | 36 +++++++++++++++++++
>  .../dlt-daemon/dlt-daemon_2.18.5.bb           |  1 +
>  2 files changed, 37 insertions(+)
>  create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
> 
> diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch 
> b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
> new file mode 100644
> index 000000000..4edb62b30
> --- /dev/null
> +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
> @@ -0,0 +1,36 @@
> +From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001
> +From: GwanYeong Kim <gy741....@gmail.com>
> +Date: Sat, 28 Nov 2020 12:24:46 +0900
> +Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load
> +
> +A buffer overflow in the dlt_filter_load function in dlt_common.c in 
> dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, 
> because it does not limit the number of characters to be read in a format 
> argument.
> +
> +Fixed: #274
> +
> +Signed-off-by: GwanYeong Kim <gy741....@gmail.com>
> +---
> + src/shared/dlt_common.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)

Please add patch metadata:

Upstream-status: Backport
CVE: CVE-2020-29394

https://wiki.yoctoproject.org/wiki/Security#Patch_name_convention_and_commit_message
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Patch_Header_Recommendations:_Upstream-Status

Cheers,

-Mikko

> +
> +diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
> +index 254f4ce4..d15b1cec 100644
> +--- a/src/shared/dlt_common.c
> ++++ b/src/shared/dlt_common.c
> +@@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const 
> char *filename, int verb
> +     while (!feof(handle)) {
> +         str1[0] = 0;
> + 
> +-        if (fscanf(handle, "%s", str1) != 1)
> ++        if (fscanf(handle, "%254s", str1) != 1)
> +             break;
> + 
> +         if (str1[0] == 0)
> +@@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const 
> char *filename, int verb
> + 
> +         str1[0] = 0;
> + 
> +-        if (fscanf(handle, "%s", str1) != 1)
> ++        if (fscanf(handle, "%254s", str1) != 1)
> +             break;
> + 
> +         if (str1[0] == 0)
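Review bot: the "%254s" width in both hunks is only safe if str1 is declared with at least 255 bytes, and that declaration sits above line 404 outside the shown context; please confirm the buffer size (or include it in the context) so the width can be checked against it, since a width that exceeds the array only moves the overflow. Also note that a token longer than 254 characters is now truncated rather than rejected: fscanf leaves the remainder in the stream, and the next `fscanf(handle, "%254s", str1)` reads it as the following field, so a malformed filter file parses into misaligned fields instead of failing. A check of the character following a successful read (non-whitespace means the token was cut) would let dlt_filter_load return an error in that case.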
> diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb 
> b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb
> index f3fcee4d2..5066e76d3 100644
> --- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb
> +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb
> @@ -19,6 +19,7 @@ SRC_URI = 
> "git://github.com/GENIVI/${BPN}.git;protocol=https \
>      file://0004-Modify-systemd-config-directory.patch \
>      file://241.patch \
>      file://245.patch \
> +    file://275.patch \
>  "
>  SRCREV = "f1ac087c766827b1d0ed9c3a814b3cc052e948f2"
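Review bot: the recipe is dlt-daemon_2.18.5.bb while the CVE text in the commit message refers to dlt-daemon 2.8.5, so the version strings are inconsistent; please confirm the backported hunks at lines 404 and 419 of src/shared/dlt_common.c apply without offset to the source at SRCREV f1ac087c766827b1d0ed9c3a814b3cc052e948f2. Also consider whether the file added as file://275.patch should be named after the CVE rather than the upstream PR number, per the patch-name convention linked above, so the fix is discoverable by CVE id in the recipe.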
>
> -- 
> 2.25.1
> 
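The hardened pattern from the patch above, shown as a stand-alone added example (not dlt-daemon's code): the fscanf width is derived from the buffer size so the two cannot drift apart, and a token longer than the width is detected and rejected instead of being silently split into the next field. The "apid ctid" pair layout, the names `read_token`, `parse_filter_text` and `probe_token_len`, and the 254-character limit (mirroring the patch's "%254s") are assumptions made for this example; the sample filter text is constructed inline.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Maximum characters stored per token; the fscanf width is generated
 * from this macro so it can never exceed the buffer it writes into. */
#define TOKEN_MAX 254
#define STR_(x) #x
#define STR(x) STR_(x)
#define TOKEN_FMT "%" STR(TOKEN_MAX) "s"   /* expands to "%254s" */

enum { TOK_EOF = 0, TOK_OK = 1, TOK_TRUNCATED = -1 };

/* Hypothetical filter entry: a whitespace-separated "apid ctid" pair
 * (assumed layout, modelled on the two fscanf calls in the patch). */
struct filter_entry {
    char apid[TOKEN_MAX + 1];
    char ctid[TOKEN_MAX + 1];
};

/* Read one whitespace-delimited token, bounded by TOKEN_MAX.
 * After a successful read, peek at the next character: if it is not
 * whitespace or EOF, the token was longer than the width and was cut,
 * so report TOK_TRUNCATED rather than let the tail become the next field. */
static int read_token(FILE *in, char out[TOKEN_MAX + 1])
{
    out[0] = 0;
    if (fscanf(in, TOKEN_FMT, out) != 1)
        return TOK_EOF;
    int c = fgetc(in);
    if (c == EOF)
        return TOK_OK;
    ungetc(c, in);
    return isspace(c) ? TOK_OK : TOK_TRUNCATED;
}

/* Turn an in-memory string into a FILE* (portable: tmpfile + rewind). */
static FILE *text_stream(const char *text)
{
    FILE *f = tmpfile();
    if (!f)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

/* Parse "apid ctid" pairs. Returns the number of pairs found, or -1 if
 * any token exceeded TOKEN_MAX or a pair is incomplete: a malformed
 * file is rejected as a whole instead of being parsed misaligned. */
int parse_filter_text(const char *text, struct filter_entry *out, int max_pairs)
{
    FILE *f = text_stream(text);
    if (!f)
        return -1;
    int n = 0;
    for (;;) {
        char a[TOKEN_MAX + 1], c[TOKEN_MAX + 1];
        int ra = read_token(f, a);
        if (ra == TOK_EOF)
            break;
        if (ra == TOK_TRUNCATED) { n = -1; break; }
        int rc = read_token(f, c);
        if (rc != TOK_OK) { n = -1; break; }   /* dangling apid or cut ctid */
        if (n < max_pairs) {
            strcpy(out[n].apid, a);            /* both fit: bounded above */
            strcpy(out[n].ctid, c);
        }
        n++;
    }
    fclose(f);
    return n;
}

/* Build a constructed filter line whose apid is `len` 'A's and parse it;
 * used to show the boundary between accepted and rejected token lengths. */
int probe_token_len(int len)
{
    char *buf = malloc((size_t)len + 8);
    if (!buf)
        return -1;
    memset(buf, 'A', (size_t)len);
    strcpy(buf + len, " CTX\n");
    struct filter_entry e[1];
    int r = parse_filter_text(buf, e, 1);
    free(buf);
    return r;
}

int main(void)
{
    struct filter_entry e[4];
    int n = parse_filter_text("APP1 CON1\nAPP2 CON2\n", e, 4);   /* constructed input */
    printf("pairs: %d (last ctid %s)\n", n, n > 0 ? e[n - 1].ctid : "-");
    printf("254-char token: %d, 255-char token: %d\n",
           probe_token_len(254), probe_token_len(255));
    return 0;
}
```

The width is the only thing the patch changes; the peek after each read is the extra step that turns silent truncation into a parse error, which is what a filter loader should do with input it cannot represent.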
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#88195): 
https://lists.openembedded.org/g/openembedded-devel/message/88195
Mute This Topic: https://lists.openembedded.org/mt/78644671/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-