mirror of
https://git.yoctoproject.org/poky
synced 2026-04-18 21:32:12 +02:00
glibc: CVE-2019-25013
Source: openembedded.org
MR: 107928
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-core/glibc?id=53d149df4d8832e34ace2470c31ddc688176faf7
ChangeID: 462441a4a91cb481401e170876c25dcdbd00f1e0
Description:
* CVE detail: https://nvd.nist.gov/vuln/detail/CVE-2019-25013
* upstream tracking: https://sourceware.org/bugzilla/show_bug.cgi?id=24973
* patch from upstream:
https://sourceware.org/git/?p=glibc.git;a=patch;
h=ee7a3144c9922808181009b7b3e50e852fb4999b
(From OE-Core rev: 53d149df4d8832e34ace2470c31ddc688176faf7)
(From OE-Core rev: 104f36216f0be7278c1f03694ce8b7f72aca9952)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 164b3e6361)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Scott Murray
committed by
Richard Purdie
Richard Purdie
parent
267a3dea46
commit
3cc87ea759
135
meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
Normal file
135
meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
Normal file
@@ -0,0 +1,135 @@
|
||||
From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schwab <schwab@suse.de>
|
||||
Date: Mon, 21 Dec 2020 08:56:43 +0530
|
||||
Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973)
|
||||
|
||||
The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
|
||||
area and is not allowed. The from_euc_kr function used to skip two bytes
|
||||
when told to skip over the unknown designation, potentially running over
|
||||
the buffer end.
|
||||
|
||||
Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b]
|
||||
CVE: CVE-2019-25013
|
||||
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
||||
[Refreshed for Dundell context; Makefile changes]
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
---
|
||||
iconvdata/Makefile | 3 ++-
|
||||
iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
|
||||
iconvdata/euc-kr.c | 6 +----
|
||||
iconvdata/ksc5601.h | 6 ++---
|
||||
4 files changed, 59 insertions(+), 9 deletions(-)
|
||||
create mode 100644 iconvdata/bug-iconv13.c
|
||||
|
||||
Index: git/iconvdata/Makefile
|
||||
===================================================================
|
||||
--- git.orig/iconvdata/Makefile
|
||||
+++ git/iconvdata/Makefile
|
||||
@@ -73,7 +73,7 @@ modules.so := $(addsuffix .so, $(modules
|
||||
ifeq (yes,$(build-shared))
|
||||
tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
|
||||
tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
|
||||
- bug-iconv10 bug-iconv11 bug-iconv12
|
||||
+ bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13
|
||||
ifeq ($(have-thread-library),yes)
|
||||
tests += bug-iconv3
|
||||
endif
|
||||
Index: git/iconvdata/bug-iconv13.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ git/iconvdata/bug-iconv13.c
|
||||
@@ -0,0 +1,53 @@
|
||||
+/* bug 24973: Test EUC-KR module
|
||||
+ Copyright (C) 2020 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <https://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <iconv.h>
|
||||
+#include <stdio.h>
|
||||
+#include <support/check.h>
|
||||
+
|
||||
+static int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
|
||||
+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
|
||||
+
|
||||
+ /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
|
||||
+ areas, which are not allowed and should be skipped over due to
|
||||
+ //IGNORE. The trailing 0xfe also is an incomplete sequence, which
|
||||
+ should be checked first. */
|
||||
+ char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
|
||||
+ char *inptr = input;
|
||||
+ size_t insize = sizeof (input);
|
||||
+ char output[4];
|
||||
+ char *outptr = output;
|
||||
+ size_t outsize = sizeof (output);
|
||||
+
|
||||
+ /* This used to crash due to buffer overrun. */
|
||||
+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
|
||||
+ TEST_VERIFY (errno == EINVAL);
|
||||
+ /* The conversion should produce one character, the converted null
|
||||
+ character. */
|
||||
+ TEST_VERIFY (sizeof (output) - outsize == 1);
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#include <support/test-driver.c>
|
||||
Index: git/iconvdata/euc-kr.c
|
||||
===================================================================
|
||||
--- git.orig/iconvdata/euc-kr.c
|
||||
+++ git/iconvdata/euc-kr.c
|
||||
@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned c
|
||||
\
|
||||
if (ch <= 0x9f) \
|
||||
++inptr; \
|
||||
- /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \
|
||||
- user-defined areas. */ \
|
||||
- else if (__builtin_expect (ch == 0xa0, 0) \
|
||||
- || __builtin_expect (ch > 0xfe, 0) \
|
||||
- || __builtin_expect (ch == 0xc9, 0)) \
|
||||
+ else if (__glibc_unlikely (ch == 0xa0)) \
|
||||
{ \
|
||||
/* This is illegal. */ \
|
||||
STANDARD_FROM_LOOP_ERR_HANDLER (1); \
|
||||
Index: git/iconvdata/ksc5601.h
|
||||
===================================================================
|
||||
--- git.orig/iconvdata/ksc5601.h
|
||||
+++ git/iconvdata/ksc5601.h
|
||||
@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s
|
||||
unsigned char ch2;
|
||||
int idx;
|
||||
|
||||
+ if (avail < 2)
|
||||
+ return 0;
|
||||
+
|
||||
/* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
|
||||
|
||||
if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
|
||||
|| (ch - offset) == 0x49)
|
||||
return __UNKNOWN_10646_CHAR;
|
||||
|
||||
- if (avail < 2)
|
||||
- return 0;
|
||||
-
|
||||
ch2 = (*s)[1];
|
||||
if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
|
||||
return __UNKNOWN_10646_CHAR;
|
||||
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
|
||||
file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
|
||||
file://CVE-2020-29562.patch \
|
||||
file://CVE-2020-29573.patch \
|
||||
file://CVE-2019-25013.patch \
|
||||
"
|
||||
S = "${WORKDIR}/git"
|
||||
B = "${WORKDIR}/build-${TARGET_SYS}"
|
||||
|
||||
Reference in New Issue
Block a user