mirror of
https://git.yoctoproject.org/poky
synced 2026-07-16 03:47:03 +00:00
libsolv: fix CVE-2026-9150
Backport patch to fix CVE-2026-9150. https://nvd.nist.gov/vuln/detail/CVE-2026-9150 Upstream fix: https://github.com/openSUSE/libsolv/pull/616 (From OE-Core rev: 42214e12ad205e1da59cb839849e8bfb5c300de5) Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
09f201c834
commit
44408c481b
@@ -0,0 +1,68 @@
|
||||
From bea261fd0924ecd5c7e5579f460133ec023c6def Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Wed, 22 Apr 2026 09:18:29 +0200
|
||||
Subject: [PATCH] Fix a buffer overflow when copying SHA-384/512 checksum from
|
||||
a Debian repository
|
||||
|
||||
When parsing Debian repository, control2solvable() copies a package
|
||||
checksum string from the repository into a stack-allocated "char
|
||||
checksum[32 * 2 + 1]" array.
|
||||
|
||||
If the repository defined a SHA384 or SHA512 tag, a buffer overflow
|
||||
occured (as can be seen when compiling libsolv with CFLAGS='-O0 -g
|
||||
-fsanitize=address') because those tag values are longer:
|
||||
|
||||
$ cat /tmp/Packages
|
||||
Package: p
|
||||
Version: 1
|
||||
Architecture: all
|
||||
SHA512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||
|
||||
$ /tmp/b/tools/deb2solv -r /tmp/Packages
|
||||
=================================================================
|
||||
==3695==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7b685ecf0071 at pc 0x7f6861683722 b
|
||||
p 0x7fff37e3e7a0 sp 0x7fff37e3df60
|
||||
WRITE of size 129 at 0x7b685ecf0071 thread T0
|
||||
#0 0x7f6861683721 in strcpy.part.0 (/lib64/libasan.so.8+0x83721) (BuildId: 80bfc4ae44fdec6ef5fecfb01e2b57d28660991c)
|
||||
#1 0x7f6861d7f34d in control2solvable /home/test/libsolv/ext/repo_deb.c:491
|
||||
#2 0x7f6861d804ea in repo_add_debpackages /home/test/libsolv/ext/repo_deb.c:622
|
||||
#3 0x000000400fd5 in main /home/test/libsolv/tools/deb2solv.c:134
|
||||
#4 0x7f686123c680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9)
|
||||
#5 0x7f686123c797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9)
|
||||
#6 0x000000400694 in _start (/tmp/b/tools/deb2solv+0x400694) (BuildId: a3350337819a51edd0c75293970d3458b5033bc9)
|
||||
|
||||
Address 0x7b685ecf0071 is located in stack of thread T0 at offset 113 in frame
|
||||
#0 0x7f6861d7de2a in control2solvable /home/test/libsolv/ext/repo_deb.c:365
|
||||
|
||||
This frame has 1 object(s):
|
||||
[48, 113) 'checksum' (line 371) <== Memory access at offset 113 overflows this variable
|
||||
|
||||
This patch fixes it by enlarging the buffer to accomodate the longest
|
||||
supported digest string.
|
||||
|
||||
This flaw was introduced with c8164bfecf2ba8bcf4c24329534d3104f19da73c
|
||||
commit ("[ABI BREAKAGE] add support for SHA224/384/512").
|
||||
|
||||
Reported by Aisle Research.
|
||||
|
||||
CVE: CVE-2026-9150
|
||||
Upstream-Status: Backport [https://github.com/openSUSE/libsolv/commit/c5b5db52aebde00bdeacecf4d0569c217ab3187d]
|
||||
|
||||
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
|
||||
---
|
||||
ext/repo_deb.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ext/repo_deb.c b/ext/repo_deb.c
|
||||
index d400f959..25eaf8cb 100644
|
||||
--- a/ext/repo_deb.c
|
||||
+++ b/ext/repo_deb.c
|
||||
@@ -368,7 +368,7 @@ control2solvable(Solvable *s, Repodata *data, char *control)
|
||||
char *p, *q, *end, *tag;
|
||||
int x, l;
|
||||
int havesource = 0;
|
||||
- char checksum[32 * 2 + 1];
|
||||
+ char checksum[64 * 2 + 1];
|
||||
Id checksumtype = 0;
|
||||
Id newtype;
|
||||
|
||||
@@ -10,6 +10,7 @@ DEPENDS = "expat zlib zstd"
|
||||
|
||||
SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https \
|
||||
file://0001-utils-Conside-musl-when-wrapping-qsort_r.patch \
|
||||
file://CVE-2026-9150.patch \
|
||||
"
|
||||
|
||||
SRCREV = "c8dbb3a77c86600ce09d4f80a504cf4e78a3c359"
|
||||
|
||||
Reference in New Issue
Block a user