From: Sinan Kaya <okaya@kernel.org>
To: openembedded-core@lists.openembedded.org
Subject: [sumo] [PATCH v2 1/3] busybox: CVE-2017-15874
Date: Sat, 22 Sep 2018 01:40:01 +0000 [thread overview]
Message-ID: <20180922014003.31866-1-okaya@kernel.org> (raw)
* CVE-2017-15874
busybox: Integer underflow in archival/libarchive/decompress_unlzma.c
(cherry picked from 9ac42c500586fa5f10a1f6d22c3f797df11b1f6b)
Affects busybox <= 1.27.2
CVE: CVE-2017-15874
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15874
Signed-off-by: Sinan Kaya <okaya@kernel.org>
---
.../busybox/busybox/CVE-2017-15874.patch | 30 +++++++++++++++++++
meta/recipes-core/busybox/busybox_1.27.2.bb | 1 +
2 files changed, 31 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
diff --git a/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch b/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
new file mode 100644
index 0000000000..67b4ed7e11
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
@@ -0,0 +1,30 @@
+From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Fri, 27 Oct 2017 15:37:03 +0200
+Subject: [PATCH] unlzma: fix SEGV, closes 10436
+
+Upstream-Status: Backport [ https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ archival/libarchive/decompress_unlzma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index 29eee2a..41e492f 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ pos = buffer_pos - rep0;
+ if ((int32_t)pos < 0) {
+ pos += header.dict_size;
++ /* bug 10436 has an example file where this triggers: */
++ if ((int32_t)pos < 0)
++ goto bad;
++
+ /* see unzip_bad_lzma_2.zip: */
+ if (pos >= buffer_size)
+ goto bad;
+--
+2.19.0
+
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 1ce4823d47..bab29728ee 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://busybox-CVE-2017-16544.patch \
file://busybox-fix-lzma-segfaults.patch \
file://umount-ignore-c.patch \
+ file://CVE-2017-15874.patch \
"
SRC_URI_append_libc-musl = " file://musl.cfg "
--
2.19.0
next reply other threads:[~2018-09-22 1:40 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-22 1:40 Sinan Kaya [this message]
2018-09-22 1:40 ` [sumo] [PATCH v2 2/3] libpng: CVE-2018-13785 Sinan Kaya
2018-09-22 1:40 ` [sumo] [PATCH v2 3/3] sqlite3: CVE-2018-8740 Sinan Kaya
2018-09-22 2:04 ` ✗ patchtest: failure for "[sumo,v2] busybox: CVE-2017-15..." and 2 more Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180922014003.31866-1-okaya@kernel.org \
--to=okaya@kernel.org \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox