systemd: Security fix CVE-2018-16866
Affects < v240 (From OE-Core rev: 10fa35a75617e82650b12d3e353a554f05f036dd) Signed-off-by: Marcus Cooper <marcusc@axis.com> From v2 patch on openembedded-core@lists.openembedded.org Increased file name number from 0026 to 0027. Signed-off-by: George McCollister <george.mccollister@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
committed by
Richard Purdie
parent
7be61780af
commit
d4e0f92528
+49
@@ -0,0 +1,49 @@
|
|||||||
|
From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Filipe Brandenburger <filbranden@google.com>
|
||||||
|
Date: Thu, 10 Jan 2019 14:53:33 -0800
|
||||||
|
Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866
|
||||||
|
|
||||||
|
The original code didn't account for the fact that strchr() would match on the
|
||||||
|
'\0' character, making it read past the end of the buffer if no non-whitespace
|
||||||
|
character was present.
|
||||||
|
|
||||||
|
This bug was introduced in commit ec5ff4445cca6a which was first released in
|
||||||
|
systemd v221 and later fixed in commit 8595102d3ddde6 which was released in
|
||||||
|
v240, so versions in the range [v221, v240) are affected.
|
||||||
|
|
||||||
|
Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b
|
||||||
|
also includes a change from systemd master which removes a heap buffer overflow
|
||||||
|
a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
|
||||||
|
|
||||||
|
CVE: CVE-2018-16866
|
||||||
|
Upstream-Status: Backport
|
||||||
|
Signed-off-by: Marcus Cooper <marcusc@axis.com>
|
||||||
|
---
|
||||||
|
src/journal/journald-syslog.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
|
||||||
|
index 9dea116722..809b318c06 100644
|
||||||
|
--- a/src/journal/journald-syslog.c
|
||||||
|
+++ b/src/journal/journald-syslog.c
|
||||||
|
@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
|
||||||
|
e = l;
|
||||||
|
l--;
|
||||||
|
|
||||||
|
- if (p[l-1] == ']') {
|
||||||
|
+ if (l > 0 && p[l-1] == ']') {
|
||||||
|
size_t k = l-1;
|
||||||
|
|
||||||
|
for (;;) {
|
||||||
|
@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
|
||||||
|
if (t)
|
||||||
|
*identifier = t;
|
||||||
|
|
||||||
|
- if (strchr(WHITESPACE, p[e]))
|
||||||
|
+ if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
|
||||||
|
e++;
|
||||||
|
*buf = p + e;
|
||||||
|
return e;
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
||||||
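Review bot: Neither guard added to syslog_parse_identifier() carries a comment, and both protect boundary cases that a later cleanup could easily undo. In the first hunk `l` has just been decremented, so it can apparently reach 0 when the token is a lone colon, and `p[l-1]` would then index before the buffer through `size_t` wrap-around; a line such as `/* l is 0 when the token is just ":", so do not look at p[-1] */` above `if (l > 0 && p[l-1] == ']')` would record that. In the second hunk, `/* strchr() also matches the terminating NUL; never step past the end of the message */` above the `p[e] != '\0'` test would state the reason the patch description gives. The function begins and ends outside both hunks, so the precondition on `l` is inferred only from the visible `e = l; l--;` lines and should be confirmed against the full source.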
@@ -60,6 +60,7 @@ SRC_URI += "file://touchscreen.rules \
|
|||||||
file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
|
file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
|
||||||
file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \
|
file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \
|
||||||
file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \
|
file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \
|
||||||
|
file://0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
|
||||||
"
|
"
|
||||||
SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
|
SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
|
||||||
|
|
||||||
|
|||||||