* [jethro][fido] libbsd: Secuirty fix CVE-2016-2090
@ 2016-02-12 0:20 Armin Kuster
2016-02-12 13:14 ` Martin Jansa
2016-02-12 22:19 ` Joshua G Lock
0 siblings, 2 replies; 3+ messages in thread
From: Armin Kuster @ 2016-02-12 0:20 UTC (permalink / raw)
To: akuster, openembedded-core
From: Armin Kuster <akuster@mvista.com>
CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd
affects libbsd <= 0.8.1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../libbsd/files/CVE-2016-2090.patch | 50 ++++++++++++++++++++++
meta/recipes-support/libbsd/libbsd_0.7.0.bb | 4 +-
2 files changed, 53 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/libbsd/files/CVE-2016-2090.patch
diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
new file mode 100644
index 0000000..2eaae13
--- /dev/null
+++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
@@ -0,0 +1,50 @@
+From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001
+From: Hanno Boeck <hanno@hboeck.de>
+Date: Wed, 27 Jan 2016 15:10:11 +0100
+Subject: [PATCH] Fix heap buffer overflow in fgetwln()
+
+In the function fgetwln() there's a 4 byte heap overflow.
+
+There is a while loop that has this check to see whether there's still
+enough space in the buffer:
+
+ if (!fb->len || wused > fb->len) {
+
+If this is true more memory gets allocated. However this test won't be
+true if wused == fb->len, but at that point wused already points out
+of the buffer. Some lines later there's a write to the buffer:
+
+ fb->wbuf[wused++] = wc;
+
+This bug was found with the help of address sanitizer.
+
+Warned-by: ASAN
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
+Signed-off-by: Guillem Jover <guillem@hadrons.org>
+
+Upstream-Status: Backport
+http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7
+
+CVE: CVE-2016-2090
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/fgetwln.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fgetwln.c b/src/fgetwln.c
+index 9ee0776..aa3f927 100644
+--- a/src/fgetwln.c
++++ b/src/fgetwln.c
+@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
+ fb->fp = stream;
+
+ while ((wc = fgetwc(stream)) != WEOF) {
+- if (!fb->len || wused > fb->len) {
++ if (!fb->len || wused >= fb->len) {
+ wchar_t *wp;
+
+ if (fb->len)
+--
+2.3.5
+
diff --git a/meta/recipes-support/libbsd/libbsd_0.7.0.bb b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
index 902666d..8d9a708 100644
--- a/meta/recipes-support/libbsd/libbsd_0.7.0.bb
+++ b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f1530ea92aeaa1c5e2547cfd43905d8c"
SECTION = "libs"
DEPENDS = ""
-SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz"
+SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
+ file://CVE-2016-2090.patch \
+ "
SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0"
SRC_URI[sha256sum] = "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb"
--
2.3.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [jethro][fido] libbsd: Secuirty fix CVE-2016-2090
2016-02-12 0:20 [jethro][fido] libbsd: Secuirty fix CVE-2016-2090 Armin Kuster
@ 2016-02-12 13:14 ` Martin Jansa
2016-02-12 22:19 ` Joshua G Lock
1 sibling, 0 replies; 3+ messages in thread
From: Martin Jansa @ 2016-02-12 13:14 UTC (permalink / raw)
To: Armin Kuster; +Cc: akuster, openembedded-core
[-- Attachment #1: Type: text/plain, Size: 3506 bytes --]
On Thu, Feb 11, 2016 at 04:20:34PM -0800, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd
typo in subject
>
> affects libbsd <= 0.8.1
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
> .../libbsd/files/CVE-2016-2090.patch | 50 ++++++++++++++++++++++
> meta/recipes-support/libbsd/libbsd_0.7.0.bb | 4 +-
> 2 files changed, 53 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-support/libbsd/files/CVE-2016-2090.patch
>
> diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
> new file mode 100644
> index 0000000..2eaae13
> --- /dev/null
> +++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
> @@ -0,0 +1,50 @@
> +From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001
> +From: Hanno Boeck <hanno@hboeck.de>
> +Date: Wed, 27 Jan 2016 15:10:11 +0100
> +Subject: [PATCH] Fix heap buffer overflow in fgetwln()
> +
> +In the function fgetwln() there's a 4 byte heap overflow.
> +
> +There is a while loop that has this check to see whether there's still
> +enough space in the buffer:
> +
> + if (!fb->len || wused > fb->len) {
> +
> +If this is true more memory gets allocated. However this test won't be
> +true if wused == fb->len, but at that point wused already points out
> +of the buffer. Some lines later there's a write to the buffer:
> +
> + fb->wbuf[wused++] = wc;
> +
> +This bug was found with the help of address sanitizer.
> +
> +Warned-by: ASAN
> +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
> +Signed-off-by: Guillem Jover <guillem@hadrons.org>
> +
> +Upstream-Status: Backport
> +http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7
> +
> +CVE: CVE-2016-2090
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + src/fgetwln.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/fgetwln.c b/src/fgetwln.c
> +index 9ee0776..aa3f927 100644
> +--- a/src/fgetwln.c
> ++++ b/src/fgetwln.c
> +@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
> + fb->fp = stream;
> +
> + while ((wc = fgetwc(stream)) != WEOF) {
> +- if (!fb->len || wused > fb->len) {
> ++ if (!fb->len || wused >= fb->len) {
> + wchar_t *wp;
> +
> + if (fb->len)
> +--
> +2.3.5
> +
> diff --git a/meta/recipes-support/libbsd/libbsd_0.7.0.bb b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
> index 902666d..8d9a708 100644
> --- a/meta/recipes-support/libbsd/libbsd_0.7.0.bb
> +++ b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
> @@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f1530ea92aeaa1c5e2547cfd43905d8c"
> SECTION = "libs"
> DEPENDS = ""
>
> -SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz"
> +SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
> + file://CVE-2016-2090.patch \
> + "
>
> SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0"
> SRC_URI[sha256sum] = "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb"
> --
> 2.3.5
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [jethro][fido] libbsd: Secuirty fix CVE-2016-2090
2016-02-12 0:20 [jethro][fido] libbsd: Secuirty fix CVE-2016-2090 Armin Kuster
2016-02-12 13:14 ` Martin Jansa
@ 2016-02-12 22:19 ` Joshua G Lock
1 sibling, 0 replies; 3+ messages in thread
From: Joshua G Lock @ 2016-02-12 22:19 UTC (permalink / raw)
To: openembedded-core
On Thu, 2016-02-11 at 16:20 -0800, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd
>
> affects libbsd <= 0.8.1
and this not needed in master which has 0.8.2.
I plan to take this in fido once it's merged to jethro.
Regards,
Joshua
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
> .../libbsd/files/CVE-2016-2090.patch | 50
> ++++++++++++++++++++++
> meta/recipes-support/libbsd/libbsd_0.7.0.bb | 4 +-
> 2 files changed, 53 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-support/libbsd/files/CVE-2016-
> 2090.patch
>
> diff --git a/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
> b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
> new file mode 100644
> index 0000000..2eaae13
> --- /dev/null
> +++ b/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
> @@ -0,0 +1,50 @@
> +From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00
> 2001
> +From: Hanno Boeck <hanno@hboeck.de>
> +Date: Wed, 27 Jan 2016 15:10:11 +0100
> +Subject: [PATCH] Fix heap buffer overflow in fgetwln()
> +
> +In the function fgetwln() there's a 4 byte heap overflow.
> +
> +There is a while loop that has this check to see whether there's
> still
> +enough space in the buffer:
> +
> + if (!fb->len || wused > fb->len) {
> +
> +If this is true more memory gets allocated. However this test won't
> be
> +true if wused == fb->len, but at that point wused already points out
> +of the buffer. Some lines later there's a write to the buffer:
> +
> + fb->wbuf[wused++] = wc;
> +
> +This bug was found with the help of address sanitizer.
> +
> +Warned-by: ASAN
> +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
> +Signed-off-by: Guillem Jover <guillem@hadrons.org>
> +
> +Upstream-Status: Backport
> +http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb
> 7c3e7976de726d7ff7
> +
> +CVE: CVE-2016-2090
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + src/fgetwln.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/fgetwln.c b/src/fgetwln.c
> +index 9ee0776..aa3f927 100644
> +--- a/src/fgetwln.c
> ++++ b/src/fgetwln.c
> +@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
> + fb->fp = stream;
> +
> + while ((wc = fgetwc(stream)) != WEOF) {
> +- if (!fb->len || wused > fb->len) {
> ++ if (!fb->len || wused >= fb->len) {
> + wchar_t *wp;
> +
> + if (fb->len)
> +--
> +2.3.5
> +
> diff --git a/meta/recipes-support/libbsd/libbsd_0.7.0.bb
> b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
> index 902666d..8d9a708 100644
> --- a/meta/recipes-support/libbsd/libbsd_0.7.0.bb
> +++ b/meta/recipes-support/libbsd/libbsd_0.7.0.bb
> @@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f1530ea92aea
> a1c5e2547cfd43905d8c"
> SECTION = "libs"
> DEPENDS = ""
>
> -SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.x
> z"
> +SRC_URI = "http://libbsd.freedesktop.org/releases/${BPN}-${PV}.tar.x
> z \
> + file://CVE-2016-2090.patch \
> + "
>
> SRC_URI[md5sum] = "fcceb4e66fd448ca4ed42ba22a8babb0"
> SRC_URI[sha256sum] =
> "0f3b0e17e5c34c038126e0a04351b11e23c6101a7d0ce3beeab29bb6415c10bb"
> --
> 2.3.5
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-02-12 22:19 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-12 0:20 [jethro][fido] libbsd: Secuirty fix CVE-2016-2090 Armin Kuster
2016-02-12 13:14 ` Martin Jansa
2016-02-12 22:19 ` Joshua G Lock
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox