Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 1a4b7ee28bf7413af6513fb45ad0d0736048f866^! / . / meta-openembedded / meta-oe / recipes-support / sharutils / sharutils / CVE-2018-1000097.patch
commit1a4b7ee28bf7413af6513fb45ad0d0736048f866[log] [tgz]
authorBrad Bishop <bradleyb@fuzziesquirrel.com>Sun Dec 16 17:11:34 2018 -0800
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Tue Jan 08 18:21:44 2019 -0500
tree79f6d8ea698cab8f2eaf4f54b793d2ca7a1451ce
parent5b9ede0403237c7dace972affa65cf64a1aadd0e [diff] [blame]
reset upstream subtrees to yocto 2.6

Reset the following subtrees on thud HEAD:

  poky: 87e3a9739d
  meta-openembedded: 6094ae18c8
  meta-security: 31dc4e7532
  meta-raspberrypi: a48743dc36
  meta-xilinx: c42016e2e6

Also re-apply backports that didn't make it into thud:
  poky:
    17726d0 systemd-systemctl-native: handle Install wildcards

  meta-openembedded:
    4321a5d libtinyxml2: update to 7.0.1
    042f0a3 libcereal: Add native and nativesdk classes
    e23284f libcereal: Allow empty package
    030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
    179a1b9 gtest: update to 1.8.1

Squashed OpenBMC subtree compatibility updates:
  meta-aspeed:
    Brad Bishop (1):
          aspeed: add yocto 2.6 compatibility

  meta-ibm:
    Brad Bishop (1):
          ibm: prepare for yocto 2.6

  meta-ingrasys:
    Brad Bishop (1):
          ingrasys: set layer compatibility to yocto 2.6

  meta-openpower:
    Brad Bishop (1):
          openpower: set layer compatibility to yocto 2.6

  meta-phosphor:
    Brad Bishop (3):
          phosphor: set layer compatibility to thud
          phosphor: libgpg-error: drop patches
          phosphor: react to fitimage artifact rename

    Ed Tanous (4):
          Dropbear: upgrade options for latest upgrade
          yocto2.6: update openssl options
          busybox: remove upstream watchdog patch
          systemd: Rebase CONFIG_CGROUP_BPF patch

Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

diff --git a/meta-openembedded/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch b/meta-openembedded/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch
new file mode 100644
index 0000000..99dc4e3
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch

@@ -0,0 +1,61 @@
+From bd68ae1271598e8fdc72f2adb457e6882604582d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 22 Feb 2018 16:39:43 +0100
+Subject: [PATCH] Fix a heap-buffer-overflow in find_archive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+rw_buffer has allocated rw_base_size bytes. But subsequend fgets() in
+find_archive() reads up-to BUFSIZ bytes.
+
+On my system, BUFSIZ is 8192. rw_base_size is usually equaled to
+a memory page size, 4096 on my system. Thus find_archive() can write
+beyonded allocated memmory for rw_buffer array:
+
+$ valgrind -- ./unshar /tmp/id\:000000\,sig\:06\,src\:000005+000030\,op\:splice\,rep\:4
+==30582== Memcheck, a memory error detector
+==30582== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==30582== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
+==30582== Command: ./unshar /tmp/id:000000,sig:06,src:000005+000030,op:splice,rep:4
+==30582==
+==30582== Invalid write of size 1
+==30582==    at 0x4EAB480: _IO_getline_info (in /usr/lib64/libc-2.27.so)
+==30582==    by 0x4EB47C2: fgets_unlocked (in /usr/lib64/libc-2.27.so)
+==30582==    by 0x10BF60: fgets_unlocked (stdio2.h:320)
+==30582==    by 0x10BF60: find_archive (unshar.c:243)
+==30582==    by 0x10BF60: unshar_file (unshar.c:379)
+==30582==    by 0x10BCCC: validate_fname (unshar-opts.c:604)
+==30582==    by 0x10BCCC: main (unshar-opts.c:639)
+==30582==  Address 0x523a790 is 0 bytes after a block of size 4,096 alloc'd
+==30582==    at 0x4C2DBBB: malloc (vg_replace_malloc.c:299)
+==30582==    by 0x10C670: init_unshar (unshar.c:450)
+==30582==    by 0x10BC55: main (unshar-opts.c:630)
+
+This was reported in
+<http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html>.
+
+CVE: CVE-2018-1000097
+Upstream-Status: no upstream [http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html]
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ src/unshar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/unshar.c b/src/unshar.c
+index 80bc3a9..0fc3773 100644
+--- a/src/unshar.c
++++ b/src/unshar.c
+@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start)
+       off_t position = ftello (file);
+ 
+       /* Read next line, fail if no more and no previous process.  */
+-      if (!fgets (rw_buffer, BUFSIZ, file))
++      if (!fgets (rw_buffer, rw_base_size, file))
+ 	{
+ 	  if (!start)
+ 	    error (0, 0, _("Found no shell commands in %s"), name);
+-- 
+2.19.0
+