Signed-off-by: Martin Jansa <martin.ja...@gmail.com>
---
 .../libtomcrypt/CVE-2019-17362.patch          | 25 +++++++++++++++++++
 .../libtomcrypt/libtomcrypt_1.18.2.bb         |  4 ++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 
meta-oe/recipes-crypto/libtomcrypt/libtomcrypt/CVE-2019-17362.patch

diff --git 
a/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt/CVE-2019-17362.patch 
b/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt/CVE-2019-17362.patch
new file mode 100644
index 0000000000..8b7348a11f
--- /dev/null
+++ b/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt/CVE-2019-17362.patch
@@ -0,0 +1,25 @@
+From 25c26a3b7a9ad8192ccc923e15cf62bf0108ef94 Mon Sep 17 00:00:00 2001
+From: werew <we...@ret2libc.com>
+Date: Thu, 3 Oct 2019 19:57:10 +0200
+Subject: [PATCH] Fixes #507
+
+Signed-off-by: Martin Jansa <martin.ja...@gmail.com>
+---
+Upstream-Status: Backport 
[https://github.com/libtom/libtomcrypt/commit/64d1153e5a515740ab56f39c46baf4cf6991a9d3]
+
+ src/pk/asn1/der/utf8/der_decode_utf8_string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pk/asn1/der/utf8/der_decode_utf8_string.c 
b/src/pk/asn1/der/utf8/der_decode_utf8_string.c
+index 94555b99f..d3ed82bea 100644
+--- a/src/pk/asn1/der/utf8/der_decode_utf8_string.c
++++ b/src/pk/asn1/der/utf8/der_decode_utf8_string.c
+@@ -65,7 +65,7 @@ int der_decode_utf8_string(const unsigned char *in,  
unsigned long inlen,
+       /* count number of bytes */
+       for (z = 0; (tmp & 0x80) && (z <= 4); z++, tmp = (tmp << 1) & 0xFF);
+ 
+-      if (z > 4 || (x + (z - 1) > inlen)) {
++      if (z == 1 || z > 4 || (x + (z - 1) > inlen)) {
+          return CRYPT_INVALID_PACKET;
+       }
+ 
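Review bot: The header of the added CVE-2019-17362.patch carries no `CVE:` tag and its only description is "Fixes #507", so nothing in the file says what the one-line change guards against. I would add `CVE: CVE-2019-17362` beside the `Upstream-Status:` line, plus one sentence such as `Reject a lead byte of the form 10xxxxxx (z == 1): it is a continuation byte and cannot start a UTF-8 sequence.` The `From` line names 25c26a3b7a9a… while the Upstream-Status URL names 64d1153e5a51…; these may be the same change before and after merging, but it is worth confirming which commit the backport was taken from and citing that one. The body of der_decode_utf8_string continues outside the embedded hunk, so the read that the new `z == 1` test protects is not visible here.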
diff --git a/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt_1.18.2.bb 
b/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt_1.18.2.bb
index b144338921..8b73cdda85 100644
--- a/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt_1.18.2.bb
+++ b/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt_1.18.2.bb
@@ -6,7 +6,9 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=71baacc459522324ef3e2b9e052e8180"
 
 DEPENDS += "libtool-cross"
 
-SRC_URI = 
"git://github.com/libtom/libtomcrypt.git;protocol=https;branch=master"
+SRC_URI = 
"git://github.com/libtom/libtomcrypt.git;protocol=https;branch=master \
+   file://CVE-2019-17362.patch \
+"
 
 SRCREV = "7e7eb695d581782f04b24dc444cbfde86af59853"
 
-- 
2.41.0
