Re: [oe-core][PATCH 1/1] re2c: advance to version 1.3

Khem Raj Fri, 24 Apr 2020 18:53:40 -0700


On 4/23/20 12:43 PM, Joe Slater wrote:
> The locations of release archives has changed.  We change to pulling
> source from the git repo.
> 
> Fix CVE-2020-11958 which applies to versions 1.2 and 1.3.
> 
> Signed-off-by: Joe Slater <joe.sla...@windriver.com>
> ---
>  .../recipes-support/re2c/re2c/cve-2020-11958.patch | 48 
> ++++++++++++++++++++++
>  meta/recipes-support/re2c/re2c_1.0.1.bb            | 14 -------
>  meta/recipes-support/re2c/re2c_git.bb              | 23 +++++++++++
>  3 files changed, 71 insertions(+), 14 deletions(-)
>  create mode 100644 meta/recipes-support/re2c/re2c/cve-2020-11958.patch
>  delete mode 100644 meta/recipes-support/re2c/re2c_1.0.1.bb
>  create mode 100644 meta/recipes-support/re2c/re2c_git.bb
> 
> diff --git a/meta/recipes-support/re2c/re2c/cve-2020-11958.patch 
> b/meta/recipes-support/re2c/re2c/cve-2020-11958.patch
> new file mode 100644
> index 0000000..95a1cb9
> --- /dev/null
> +++ b/meta/recipes-support/re2c/re2c/cve-2020-11958.patch
> @@ -0,0 +1,48 @@
> +From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001
> +From: Ulya Trofimovich <skvad...@gmail.com>
> +Date: Fri, 17 Apr 2020 22:47:14 +0100
> +Subject: [oe-core][PATCH 1/1] Fix crash in lexer refill (reported by Agostino
> + Sarubbo).
> +
> +The crash happened in a rare case of a very long lexeme that doen't fit
> +into the buffer, forcing buffer reallocation.
> +
> +The crash was caused by an incorrect calculation of the shift offset
> +(it was smaller than necessary). As a consequence, the data from buffer
> +start and up to the beginning of the current lexeme was not discarded
> +(as it should have been), resulting in less free space for new data than
> +expected.
> +---
> + src/parse/scanner.cc | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +---
> +
> +CVE: CVE-2020-11958
> +
> +Upstream-Status: Backport [github.com/skvadrik/re2c.git]
> +
> +Signed-off-by: Joe Slater <jsla...@windriver.com>
> +
> +diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc
> +index 1d6e9ef..bd65131 100644
> +--- a/src/parse/scanner.cc
> ++++ b/src/parse/scanner.cc
> +@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need)
> +         if (!buf) fatal("out of memory");
> + 
> +         memmove(buf, tok, copy);
> +-        shift_ptrs_and_fpos(buf - bot);
> ++        shift_ptrs_and_fpos(buf - tok);
> +         delete [] bot;
> +         bot = buf;
> + 
> +         free = BSIZE - copy;
> +     }
> + 
> ++    DASSERT(lim + free <= bot + BSIZE);
> +     if (!read(free)) {
> +         eof = lim;
> +         memset(lim, 0, YYMAXFILL);
> +-- 
> +2.7.4
> +
> diff --git a/meta/recipes-support/re2c/re2c_1.0.1.bb 
> b/meta/recipes-support/re2c/re2c_1.0.1.bb
> deleted file mode 100644
> index 4ed8d25..0000000
> --- a/meta/recipes-support/re2c/re2c_1.0.1.bb
> +++ /dev/null
> @@ -1,14 +0,0 @@
> -SUMMARY = "Tool for writing very fast and very flexible scanners"
> -HOMEPAGE = "http://re2c.sourceforge.net/";
> -AUTHOR = "Marcus Börger <he...@users.sourceforge.net>"
> -SECTION = "devel"
> -LICENSE = "PD"
> -LIC_FILES_CHKSUM = 
> "file://README;beginline=146;md5=881056c9add17f8019ccd8c382ba963a"
> -
> -SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz"
> -SRC_URI[md5sum] = "e2c6cf52fc6a21595f21bc82db5324f8"
> -SRC_URI[sha256sum] = 
> "605058d18a00e01bfc32aebf83af35ed5b13180b4e9f279c90843afab2c66c7c"
> -
> -BBCLASSEXTEND = "native"
> -
> -inherit autotools
> diff --git a/meta/recipes-support/re2c/re2c_git.bb 
> b/meta/recipes-support/re2c/re2c_git.bb
> new file mode 100644
> index 0000000..06242ce
> --- /dev/null
> +++ b/meta/recipes-support/re2c/re2c_git.bb
> @@ -0,0 +1,23 @@
> +SUMMARY = "Tool for writing very fast and very flexible scanners"
> +HOMEPAGE = "http://re2c.sourceforge.net/";
> +AUTHOR = "Marcus Börger <he...@users.sourceforge.net>"
> +SECTION = "devel"
> +LICENSE = "PD"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=64eca4d8a3b67f9dc7656094731a2c8d"
> +
> +SRC_URI =  "git://github.com/skvadrik/re2c.git \
> +            file://cve-2020-11958.patch \
> +           "
> +
> +# rev of 1.3 tag
> +#
> +SRCREV = "e1901b71c6414c510f10f4cc30c0a05600e55ed1"
> +PV = "1.3+git"


if it is release tag then just set PV = "1.3"

> +
> +# override the default S
> +#
> +S = "${WORKDIR}/git"
> +
> +BBCLASSEXTEND = "native"
> +
> +inherit autotools

Usually inherit should go above BBCLASSEXTEND
> 
> 
> 
>

signature.asc
Description: OpenPGP digital signature

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#137454): 
https://lists.openembedded.org/g/openembedded-core/message/137454
Mute This Topic: https://lists.openembedded.org/mt/73226332/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [oe-core][PATCH 1/1] re2c: advance to version 1.3

Reply via email to