mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-02 18:32:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

glibc: backport CVE fixes

Browse Source 
Backport the fixes for several CVEs from the 2.28 stable branch:
- CVE-2016-10739
- CVE-2018-19591

(From OE-Core rev: 950a60c0e4183037a807031ddc9167b1a81a5348)

Signed-off-by: Ross Burton <ross.burton@intel.com>
[Dropped CVE-2019-9169 as its in my contrib already]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ross Burton
2019-06-24 19:13:08 +01:00
committed by Richard Purdie
parent f749c69115
commit 45e662b445
3 changed files with 282 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

232
meta/recipes-core/glibc/glibc/CVE-2016-10739.patch Normal file
View File

@@ -0,0 +1,232 @@
CVE: CVE-2016-10739
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@intel.com>
From 8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 21 Jan 2019 08:59:42 +0100
Subject: [PATCH] resolv: Reformat inet_addr, inet_aton to GNU style
(cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0)
---
ChangeLog | 5 ++
resolv/inet_addr.c | 192 ++++++++++++++++++++++++++++-------------------------
2 files changed, 106 insertions(+), 91 deletions(-)
diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c
index 022f7ea084..32f58b0e13 100644
--- a/resolv/inet_addr.c
+++ b/resolv/inet_addr.c
@@ -1,3 +1,21 @@
+/* Legacy IPv4 text-to-address functions.
+ Copyright (C) 2019 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
/*
* Copyright (c) 1983, 1990, 1993
* The Regents of the University of California. All rights reserved.
@@ -78,105 +96,97 @@
#include <limits.h>
#include <errno.h>
-/*
- * Ascii internet address interpretation routine.
- * The value returned is in network order.
- */
+/* ASCII IPv4 Internet address interpretation routine. The value
+ returned is in network order. */
in_addr_t
-__inet_addr(const char *cp) {
- struct in_addr val;
+__inet_addr (const char *cp)
+{
+ struct in_addr val;
- if (__inet_aton(cp, &val))
- return (val.s_addr);
- return (INADDR_NONE);
+ if (__inet_aton (cp, &val))
+ return val.s_addr;
+ return INADDR_NONE;
}
weak_alias (__inet_addr, inet_addr)
-/*
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
+/* Check whether "cp" is a valid ASCII representation of an IPv4
+ Internet address and convert it to a binary address. Returns 1 if
+ the address is valid, 0 if not. This replaces inet_addr, the
+ return value from which cannot distinguish between failure and a
+ local broadcast address. */
int
-__inet_aton(const char *cp, struct in_addr *addr)
+__inet_aton (const char *cp, struct in_addr *addr)
{
- static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
- in_addr_t val;
- char c;
- union iaddr {
- uint8_t bytes[4];
- uint32_t word;
- } res;
- uint8_t *pp = res.bytes;
- int digit;
-
- int saved_errno = errno;
- __set_errno (0);
-
- res.word = 0;
-
- c = *cp;
- for (;;) {
- /*
- * Collect number up to ``.''.
- * Values are specified as for C:
- * 0x=hex, 0=octal, isdigit=decimal.
- */
- if (!isdigit(c))
- goto ret_0;
- {
- char *endp;
- unsigned long ul = strtoul (cp, (char **) &endp, 0);
- if (ul == ULONG_MAX && errno == ERANGE)
- goto ret_0;
- if (ul > 0xfffffffful)
- goto ret_0;
- val = ul;
- digit = cp != endp;
- cp = endp;
- }
- c = *cp;
- if (c == '.') {
- /*
- * Internet format:
- * a.b.c.d
- * a.b.c (with c treated as 16 bits)
- * a.b (with b treated as 24 bits)
- */
- if (pp > res.bytes + 2 || val > 0xff)
- goto ret_0;
- *pp++ = val;
- c = *++cp;
- } else
- break;
- }
- /*
- * Check for trailing characters.
- */
- if (c != '\0' && (!isascii(c) || !isspace(c)))
- goto ret_0;
- /*
- * Did we get a valid digit?
- */
- if (!digit)
- goto ret_0;
-
- /* Check whether the last part is in its limits depending on
- the number of parts in total. */
- if (val > max[pp - res.bytes])
+ static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
+ in_addr_t val;
+ char c;
+ union iaddr
+ {
+ uint8_t bytes[4];
+ uint32_t word;
+ } res;
+ uint8_t *pp = res.bytes;
+ int digit;
+
+ int saved_errno = errno;
+ __set_errno (0);
+
+ res.word = 0;
+
+ c = *cp;
+ for (;;)
+ {
+ /* Collect number up to ``.''. Values are specified as for C:
+ 0x=hex, 0=octal, isdigit=decimal. */
+ if (!isdigit (c))
+ goto ret_0;
+ {
+ char *endp;
+ unsigned long ul = strtoul (cp, &endp, 0);
+ if (ul == ULONG_MAX && errno == ERANGE)
goto ret_0;
-
- if (addr != NULL)
- addr->s_addr = res.word | htonl (val);
-
- __set_errno (saved_errno);
- return (1);
-
-ret_0:
- __set_errno (saved_errno);
- return (0);
+ if (ul > 0xfffffffful)
+ goto ret_0;
+ val = ul;
+ digit = cp != endp;
+ cp = endp;
+ }
+ c = *cp;
+ if (c == '.')
+ {
+ /* Internet format:
+ a.b.c.d
+ a.b.c (with c treated as 16 bits)
+ a.b (with b treated as 24 bits). */
+ if (pp > res.bytes + 2 || val > 0xff)
+ goto ret_0;
+ *pp++ = val;
+ c = *++cp;
+ }
+ else
+ break;
+ }
+ /* Check for trailing characters. */
+ if (c != '\0' && (!isascii (c) || !isspace (c)))
+ goto ret_0;
+ /* Did we get a valid digit? */
+ if (!digit)
+ goto ret_0;
+
+ /* Check whether the last part is in its limits depending on the
+ number of parts in total. */
+ if (val > max[pp - res.bytes])
+ goto ret_0;
+
+ if (addr != NULL)
+ addr->s_addr = res.word | htonl (val);
+
+ __set_errno (saved_errno);
+ return 1;
+
+ ret_0:
+ __set_errno (saved_errno);
+ return 0;
}
weak_alias (__inet_aton, inet_aton)
libc_hidden_def (__inet_aton)
--
2.11.0

48
meta/recipes-core/glibc/glibc/CVE-2018-19591.patch Normal file
View File

@@ -0,0 +1,48 @@
CVE: CVE-2018-19591
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@intel.com>
From ce6ba630dbc96f49eb1f30366aa62261df4792f9 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Tue, 27 Nov 2018 16:12:43 +0100
Subject: [PATCH] CVE-2018-19591: if_nametoindex: Fix descriptor for overlong
name [BZ #23927]
(cherry picked from commit d527c860f5a3f0ed687bd03f0cb464612dc23408)
---
ChangeLog | 7 +++++++
NEWS | 6 ++++++
sysdeps/unix/sysv/linux/if_index.c | 11 ++++++-----
3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/sysdeps/unix/sysv/linux/if_index.c b/sysdeps/unix/sysv/linux/if_index.c
index e3d08982d9..782fc5e175 100644
--- a/sysdeps/unix/sysv/linux/if_index.c
+++ b/sysdeps/unix/sysv/linux/if_index.c
@@ -38,11 +38,6 @@ __if_nametoindex (const char *ifname)
return 0;
#else
struct ifreq ifr;
- int fd = __opensock ();
-
- if (fd < 0)
- return 0;
-
if (strlen (ifname) >= IFNAMSIZ)
{
__set_errno (ENODEV);
@@ -50,6 +45,12 @@ __if_nametoindex (const char *ifname)
}
strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name));
+
+ int fd = __opensock ();
+
+ if (fd < 0)
+ return 0;
+
if (__ioctl (fd, SIOCGIFINDEX, &ifr) < 0)
{
int saved_errno = errno;
--
2.11.0

2
meta/recipes-core/glibc/glibc_2.28.bb
View File

@@ -48,6 +48,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0033-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
file://0034-inject-file-assembly-directives.patch \
file://CVE-2019-9169.patch \
file://CVE-2016-10739.patch \
file://CVE-2018-19591.patch \
"
NATIVESDKFIXES ?= ""