On Wed, Jan 15, 2020 at 7:51 AM Saloni Jain <saloni.j...@kpit.com> wrote: > > From: Sana Kazi <sana.k...@kpit.com> > > Added patch for CVE-2019-12900 as backport from upstream. > Fixes out of bound access discovered while fuzzying karchive. >
is this fix already present in the bzip2 version we have in master ? > Tested by: sana.k...@kpit.com > > Signed-off-by: Saloni Jain <saloni.j...@kpit.com> > --- > .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 > ++++++++++++++++++++++ > 1 file changed, 34 insertions(+) > create mode 100644 > meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch > > diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch > b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch > new file mode 100644 > index 0000000..cab41e0 > --- /dev/null > +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch > @@ -0,0 +1,34 @@ > +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001 > +From: Albert Astals Cid <aa...@kde.org> > +Date: Tue, 28 May 2019 19:35:18 +0200 > +Subject: [PATCH] Make sure nSelectors is not out of range > + > +nSelectors is used in a loop from 0 to nSelectors to access selectorMtf > +which is > +UChar selectorMtf[BZ_MAX_SELECTORS]; > +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory > +access > +Fixes out of bounds access discovered while fuzzying karchive > + > +Link: > https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch > + > +Upstream-Status: Backport > +--- > + decompress.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/decompress.c b/decompress.c > +index ab6a624..f3db91d 100644 > +--- a/decompress.c > ++++ b/decompress.c > +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s ) > + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); > + if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); > + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); > +- if (nSelectors < 1) RETURN(BZ_DATA_ERROR); > ++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) > RETURN(BZ_DATA_ERROR); > + for (i = 0; i < nSelectors; i++) { > + j = 0; > + while (True) { > +-- > +2.22.0 > -- > 2.7.4 > > This message contains information that may be privileged or confidential and > is the property of the KPIT Technologies Ltd. It is intended only for the > person to whom it is addressed. If you are not the intended recipient, you > are not authorized to read, print, retain copy, disseminate, distribute, or > use this message or any part thereof. If you receive this message in error, > please notify the sender immediately and delete all copies of this message. > KPIT Technologies Ltd. does not accept any liability for virus infected mails. -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
