mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
dbus-broker: patch CVE-2022-31212
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-31212 A detailed writeup[1] is referenced by the nvd report, which describes that the vulnerability itself is not in the application, rather in a dependency of it, in c-shutil, which is pulled in as a submodule. Pick the patch from this submodule that fixes a stack overflow, and adds a test explictly verifying the described vulnerability. [1]: https://sec-consult.com/vulnerability-lab/advisory/memory-corruption-vulnerabilities-dbus-broker/ Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
@@ -0,0 +1,70 @@
|
|||||||
|
From 2dfb73805571bd48e92b2d09962bc99f3bc4f86b Mon Sep 17 00:00:00 2001
|
||||||
|
From: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||||
|
Date: Tue, 19 Apr 2022 13:11:02 +0200
|
||||||
|
Subject: [PATCH] strnspn: fix buffer overflow
|
||||||
|
|
||||||
|
Fix the strnspn and strncspn functions to use a properly sized buffer.
|
||||||
|
It used to be 1 byte too short. Checking for `0xff` in a string will
|
||||||
|
thus write `0xff` once byte beyond the stack space of the local buffer.
|
||||||
|
|
||||||
|
Note that the public API does not allow to pass `0xff` to those
|
||||||
|
functions. Therefore, this is a read-only buffer overrun, possibly
|
||||||
|
causing bogus reports from the parser, but still well-defined.
|
||||||
|
|
||||||
|
Reported-by: Steffen Robertz
|
||||||
|
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
|
||||||
|
|
||||||
|
CVE: CVE-2022-31212
|
||||||
|
Upstream-Status: Backport [https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
subprojects/c-shquote/src/c-shquote.c | 4 ++--
|
||||||
|
subprojects/c-shquote/src/test-private.c | 6 ++++++
|
||||||
|
2 files changed, 8 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/subprojects/c-shquote/src/c-shquote.c b/subprojects/c-shquote/src/c-shquote.c
|
||||||
|
index b268906..abb55d6 100644
|
||||||
|
--- a/subprojects/c-shquote/src/c-shquote.c
|
||||||
|
+++ b/subprojects/c-shquote/src/c-shquote.c
|
||||||
|
@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp,
|
||||||
|
size_t c_shquote_strnspn(const char *string,
|
||||||
|
size_t n_string,
|
||||||
|
const char *accept) {
|
||||||
|
- bool buffer[UCHAR_MAX] = {};
|
||||||
|
+ bool buffer[UCHAR_MAX + 1] = {};
|
||||||
|
|
||||||
|
for ( ; *accept; ++accept)
|
||||||
|
buffer[(unsigned char)*accept] = true;
|
||||||
|
@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string,
|
||||||
|
size_t c_shquote_strncspn(const char *string,
|
||||||
|
size_t n_string,
|
||||||
|
const char *reject) {
|
||||||
|
- bool buffer[UCHAR_MAX] = {};
|
||||||
|
+ bool buffer[UCHAR_MAX + 1] = {};
|
||||||
|
|
||||||
|
if (strlen(reject) == 1) {
|
||||||
|
const char *p;
|
||||||
|
diff --git a/subprojects/c-shquote/src/test-private.c b/subprojects/c-shquote/src/test-private.c
|
||||||
|
index 57a7250..c6afe40 100644
|
||||||
|
--- a/subprojects/c-shquote/src/test-private.c
|
||||||
|
+++ b/subprojects/c-shquote/src/test-private.c
|
||||||
|
@@ -148,6 +148,9 @@ static void test_strnspn(void) {
|
||||||
|
|
||||||
|
len = c_shquote_strnspn("ab", 2, "bc");
|
||||||
|
c_assert(len == 0);
|
||||||
|
+
|
||||||
|
+ len = c_shquote_strnspn("ab", 2, "\xff");
|
||||||
|
+ c_assert(len == 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void test_strncspn(void) {
|
||||||
|
@@ -167,6 +170,9 @@ static void test_strncspn(void) {
|
||||||
|
|
||||||
|
len = c_shquote_strncspn("ab", 2, "cd");
|
||||||
|
c_assert(len == 2);
|
||||||
|
+
|
||||||
|
+ len = c_shquote_strncspn("ab", 2, "\xff");
|
||||||
|
+ c_assert(len == 2);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void test_discard_comment(void) {
|
||||||
@@ -6,7 +6,9 @@ SECTION = "base"
|
|||||||
LICENSE = "Apache-2.0"
|
LICENSE = "Apache-2.0"
|
||||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=7b486c2338d225a1405d979ed2c15ce8"
|
LIC_FILES_CHKSUM = "file://LICENSE;md5=7b486c2338d225a1405d979ed2c15ce8"
|
||||||
|
|
||||||
SRC_URI = "https://github.com/bus1/dbus-broker/releases/download/v${PV}/dbus-broker-${PV}.tar.xz"
|
SRC_URI = "https://github.com/bus1/dbus-broker/releases/download/v${PV}/dbus-broker-${PV}.tar.xz \
|
||||||
|
file://CVE-2022-31212.patch \
|
||||||
|
"
|
||||||
SRC_URI[sha256sum] = "4eca425db52b7ab1027153e93fea9b3f11759db9e93ffbf88759b73ddfb8026a"
|
SRC_URI[sha256sum] = "4eca425db52b7ab1027153e93fea9b3f11759db9e93ffbf88759b73ddfb8026a"
|
||||||
|
|
||||||
UPSTREAM_CHECK_URI = "https://github.com/bus1/${BPN}/releases"
|
UPSTREAM_CHECK_URI = "https://github.com/bus1/${BPN}/releases"
|
||||||
|
|||||||
Reference in New Issue
Block a user