* [Buildroot] [PATCH 1/1] package/libconfuse: fix CVE-2022-40320
@ 2022-09-18 10:13 Fabrice Fontaine
2022-09-18 19:50 ` Yann E. MORIN
2022-09-29 15:13 ` Peter Korsgaard
0 siblings, 2 replies; 4+ messages in thread
From: Fabrice Fontaine @ 2022-09-18 10:13 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer
over-read.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...rminated-username-used-with-getpwnam.patch | 43 +++++++++++++++++++
package/libconfuse/libconfuse.mk | 3 ++
2 files changed, 46 insertions(+)
create mode 100644 package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
diff --git a/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
new file mode 100644
index 0000000000..9ff3f5ec1c
--- /dev/null
+++ b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
@@ -0,0 +1,43 @@
+From d73777c2c3566fb2647727bb56d9a2295b81669b Mon Sep 17 00:00:00 2001
+From: Joachim Wiberg <troglobit@gmail.com>
+Date: Fri, 2 Sep 2022 16:12:46 +0200
+Subject: [PATCH] Fix #163: unterminated username used with getpwnam()
+
+Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
+
+[Retrieved (and backported) from:
+https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/confuse.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/confuse.c b/src/confuse.c
+index 6d1fdbd..05566b5 100644
+--- a/src/confuse.c
++++ b/src/confuse.c
+@@ -1894,18 +1894,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename)
+ passwd = getpwuid(geteuid());
+ file = filename + 1;
+ } else {
+- /* ~user or ~user/path */
+- char *user;
++ char *user; /* ~user or ~user/path */
++ size_t len;
+
+ file = strchr(filename, '/');
+ if (file == 0)
+ file = filename + strlen(filename);
+
+- user = malloc(file - filename);
++ len = file - filename - 1;
++ user = malloc(len + 1);
+ if (!user)
+ return NULL;
+
+- strncpy(user, filename + 1, file - filename - 1);
++ strncpy(user, &filename[1], len);
++ user[len] = 0;
+ passwd = getpwnam(user);
+ free(user);
+ }
diff --git a/package/libconfuse/libconfuse.mk b/package/libconfuse/libconfuse.mk
index 2beb0e4fbf..e7c2ef0a84 100644
--- a/package/libconfuse/libconfuse.mk
+++ b/package/libconfuse/libconfuse.mk
@@ -14,5 +14,8 @@ LIBCONFUSE_LICENSE_FILES = LICENSE
LIBCONFUSE_CPE_ID_VENDOR = libconfuse_project
LIBCONFUSE_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
+# 0001-Fix-163-unterminated-username-used-with-getpwnam.patch
+LIBCONFUSE_IGNORE_CVES += CVE-2022-40320
+
$(eval $(autotools-package))
$(eval $(host-autotools-package))
--
2.35.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [Buildroot] [PATCH 1/1] package/libconfuse: fix CVE-2022-40320
2022-09-18 10:13 [Buildroot] [PATCH 1/1] package/libconfuse: fix CVE-2022-40320 Fabrice Fontaine
@ 2022-09-18 19:50 ` Yann E. MORIN
2022-09-19 3:36 ` Joachim Wiberg
2022-09-29 15:13 ` Peter Korsgaard
1 sibling, 1 reply; 4+ messages in thread
From: Yann E. MORIN @ 2022-09-18 19:50 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Joachim Wiberg, buildroot
Fabrice, All,
+Joachim, which I understand is now handling maintenance upstream
On 2022-09-18 12:13 +0200, Fabrice Fontaine spake thusly:
> cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer
> over-read.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Joachim, do you want to extend your entry in DEVELOPPERS with
libconfuse?
Regards,
Yann E. MORIN.
> ---
> ...rminated-username-used-with-getpwnam.patch | 43 +++++++++++++++++++
> package/libconfuse/libconfuse.mk | 3 ++
> 2 files changed, 46 insertions(+)
> create mode 100644 package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
>
> diff --git a/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
> new file mode 100644
> index 0000000000..9ff3f5ec1c
> --- /dev/null
> +++ b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
> @@ -0,0 +1,43 @@
> +From d73777c2c3566fb2647727bb56d9a2295b81669b Mon Sep 17 00:00:00 2001
> +From: Joachim Wiberg <troglobit@gmail.com>
> +Date: Fri, 2 Sep 2022 16:12:46 +0200
> +Subject: [PATCH] Fix #163: unterminated username used with getpwnam()
> +
> +Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
> +
> +[Retrieved (and backported) from:
> +https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + src/confuse.c | 10 ++++++----
> + 1 file changed, 6 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/confuse.c b/src/confuse.c
> +index 6d1fdbd..05566b5 100644
> +--- a/src/confuse.c
> ++++ b/src/confuse.c
> +@@ -1894,18 +1894,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename)
> + passwd = getpwuid(geteuid());
> + file = filename + 1;
> + } else {
> +- /* ~user or ~user/path */
> +- char *user;
> ++ char *user; /* ~user or ~user/path */
> ++ size_t len;
> +
> + file = strchr(filename, '/');
> + if (file == 0)
> + file = filename + strlen(filename);
> +
> +- user = malloc(file - filename);
> ++ len = file - filename - 1;
> ++ user = malloc(len + 1);
> + if (!user)
> + return NULL;
> +
> +- strncpy(user, filename + 1, file - filename - 1);
> ++ strncpy(user, &filename[1], len);
> ++ user[len] = 0;
> + passwd = getpwnam(user);
> + free(user);
> + }
> diff --git a/package/libconfuse/libconfuse.mk b/package/libconfuse/libconfuse.mk
> index 2beb0e4fbf..e7c2ef0a84 100644
> --- a/package/libconfuse/libconfuse.mk
> +++ b/package/libconfuse/libconfuse.mk
> @@ -14,5 +14,8 @@ LIBCONFUSE_LICENSE_FILES = LICENSE
> LIBCONFUSE_CPE_ID_VENDOR = libconfuse_project
> LIBCONFUSE_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
>
> +# 0001-Fix-163-unterminated-username-used-with-getpwnam.patch
> +LIBCONFUSE_IGNORE_CVES += CVE-2022-40320
> +
> $(eval $(autotools-package))
> $(eval $(host-autotools-package))
> --
> 2.35.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [Buildroot] [PATCH 1/1] package/libconfuse: fix CVE-2022-40320
2022-09-18 19:50 ` Yann E. MORIN
@ 2022-09-19 3:36 ` Joachim Wiberg
0 siblings, 0 replies; 4+ messages in thread
From: Joachim Wiberg @ 2022-09-19 3:36 UTC (permalink / raw)
To: Yann E. MORIN, Fabrice Fontaine; +Cc: buildroot
On Sun, Sep 18, 2022 at 21:50, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> On 2022-09-18 12:13 +0200, Fabrice Fontaine spake thusly:
>> cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer
>> over-read.
> Applied to master, thanks.
> Joachim, do you want to extend your entry in DEVELOPPERS with
> libconfuse?
Yes, thanks for noticing! Just realizing I'm involved in a few other
projects as well ... :-)
... also, I'll see about getting a proper libConfuse release out.
Best regards
/Joachim
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/libconfuse: fix CVE-2022-40320
2022-09-18 10:13 [Buildroot] [PATCH 1/1] package/libconfuse: fix CVE-2022-40320 Fabrice Fontaine
2022-09-18 19:50 ` Yann E. MORIN
@ 2022-09-29 15:13 ` Peter Korsgaard
1 sibling, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2022-09-29 15:13 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer
> over-read.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2022.02.x, 2022.05.x and 2022.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-09-29 15:14 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-09-18 10:13 [Buildroot] [PATCH 1/1] package/libconfuse: fix CVE-2022-40320 Fabrice Fontaine
2022-09-18 19:50 ` Yann E. MORIN
2022-09-19 3:36 ` Joachim Wiberg
2022-09-29 15:13 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox