* [sumo] [PATCH v3 2/3] libpng: CVE-2018-13785
From: Sinan Kaya @ 2018-09-22 2:16 UTC (permalink / raw)
To: openembedded-core
* CVE-2018-13785
In libpng 1.6.34, a wrong calculation of row_factor in the
png_check_chunk_length function (pngrutil.c) may trigger an
integer overflow and resultant divide-by-zero while processing
a crafted PNG file, leading to a denial of service.
(cherry picked from 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2)
Affects libpng <= 1.6.34
CVE: CVE-2018-13785
Ref: https://access.redhat.com/security/cve/cve-2018-13785
Signed-off-by: Sinan Kaya <okaya@kernel.org>
---
.../libpng/files/CVE-2018-13785.patch | 37 +++++++++++++++++++
.../libpng/libpng_1.6.34.bb | 4 +-
2 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
new file mode 100644
index 0000000000..84b1af1fbf
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
@@ -0,0 +1,37 @@
+From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sun, 17 Jun 2018 22:56:29 -0400
+Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
+ png_check_chunk_length
+
+(Bug report by Thuan Pham, SourceForge issue #278)
+Upstream-Status: Backport [https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ pngrutil.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pngrutil.c b/pngrutil.c
+index 95571b517..5ba995abf 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+ {
+ png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+ size_t row_factor =
+- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+- + 1 + (png_ptr->interlaced? 6: 0));
++ (size_t)png_ptr->width
++ * (size_t)png_ptr->channels
++ * (png_ptr->bit_depth > 8? 2: 1)
++ + 1
++ + (png_ptr->interlaced? 6: 0);
+ if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+- idat_limit=PNG_UINT_31_MAX;
++ idat_limit = PNG_UINT_31_MAX;
+ else
+ idat_limit = png_ptr->height * row_factor;
+ row_factor = row_factor > 32566? 32566 : row_factor;
+--
+2.19.0
+
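Review bot: the `(size_t)` casts in the new `row_factor` expression only widen the multiplication where `size_t` is 64 bits; on the 32-bit MACHINEs sumo also builds for, `size_t` is no wider than `png_uint_32`, so `(size_t)png_ptr->width * (size_t)png_ptr->channels` can still wrap and `PNG_UINT_32_MAX/row_factor` divides by whatever the wrapped sum happens to be. The trailing `+ 1` keeps the divisor non-zero whenever the product is even, but an 8-bit, 3-channel, non-interlaced image whose product wraps to 0xFFFFFFFF gives `row_factor == 0` again. Since this is a verbatim backport of the upstream commit, it is worth running the SourceForge issue #278 reproducer on a 32-bit MACHINE before merging and saying in the commit message that the 64-bit case is the one the upstream fix addresses.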
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
index e52d032289..3877d6cbf0 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
@@ -8,7 +8,9 @@ DEPENDS = "zlib"
LIBV = "16"
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
+ file://CVE-2018-13785.patch \
+"
SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2"
SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6"
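Review bot: cve-check will tie this patch to CVE-2018-13785 only through the file name, because neither the patch header nor the recipe carries a `CVE: CVE-2018-13785` tag; the tag in the commit message above does not reach the build metadata. Adding a `CVE: CVE-2018-13785` line next to `Upstream-Status:` in the patch header keeps the association if the file is ever renamed.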
--
2.19.0
* [sumo] [PATCH v3 3/3] sqlite3: CVE-2018-8740
From: Sinan Kaya @ 2018-09-22 2:16 UTC (permalink / raw)
To: openembedded-core
* CVE-2018-8740
In SQLite through 3.22.0, databases whose schema is corrupted
using a CREATE TABLE AS statement could cause a NULL pointer dereference,
related to build.c and prepare.c.
Affects sqlite3 <= 3.22.0
CVE: CVE-2018-8740
Ref: https://access.redhat.com/security/cve/cve-2018-8740
Signed-off-by: Sinan Kaya <okaya@kernel.org>
---
.../sqlite/files/CVE-2018-8740.patch | 47 +++++++++++++++++++
meta/recipes-support/sqlite/sqlite3_3.22.0.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-support/sqlite/files/CVE-2018-8740.patch
diff --git a/meta/recipes-support/sqlite/files/CVE-2018-8740.patch b/meta/recipes-support/sqlite/files/CVE-2018-8740.patch
new file mode 100644
index 0000000000..5d95e37afe
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2018-8740.patch
@@ -0,0 +1,47 @@
+From 19aed4d2be46c4516caf2bee31f79044bbd1d57d Mon Sep 17 00:00:00 2001
+From: Sinan Kaya <okaya@kernel.org>
+Date: Fri, 21 Sep 2018 16:22:01 +0000
+Subject: [PATCH] Detect databases whose schema is corrupted using a CREATE TABLE AS statement and issue an appropriate error message
+
+Upstream-Status: Backport [ https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b&diff=1&w]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ sqlite3.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 73c69ef..6863bc6 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -103474,8 +103474,6 @@ SQLITE_PRIVATE void sqlite3EndTable(
+ p = pParse->pNewTable;
+ if( p==0 ) return;
+
+- assert( !db->init.busy || !pSelect );
+-
+ /* If the db->init.busy is 1 it means we are reading the SQL off the
+ ** "sqlite_master" or "sqlite_temp_master" table on the disk.
+ ** So do not write to the disk again. Extract the root page number
+@@ -103486,6 +103484,10 @@ SQLITE_PRIVATE void sqlite3EndTable(
+ ** table itself. So mark it read-only.
+ */
+ if( db->init.busy ){
++ if( pSelect ){
++ sqlite3ErrorMsg(pParse, "");
++ return;
++ }
+ p->tnum = db->init.newTnum;
+ if( p->tnum==1 ) p->tabFlags |= TF_Readonly;
+ }
+@@ -117813,7 +117815,7 @@ static void corruptSchema(
+ char *z;
+ if( zObj==0 ) zObj = "?";
+ z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj);
+- if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
++ if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra);
+ sqlite3DbFree(db, *pData->pzErrMsg);
+ *pData->pzErrMsg = z;
+ }
+--
+2.19.0
+
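Review bot: the two sqlite3.c hunks only work as a pair and the patch description should say so: the new `sqlite3ErrorMsg(pParse, "")` in `sqlite3EndTable` raises an error with an empty text while the schema is being read (`db->init.busy`), and the change in `corruptSchema` from `if( zExtra )` to `if( zExtra && zExtra[0] )` is what stops that empty text being appended as `malformed database schema (x) - `. Dropping either hunk leaves the other half-working, but the body of the patch currently carries nothing beyond `Upstream-Status` and `Signed-off-by`. Two smaller points: `Upstream-Status: Backport [ https://...]` has a space after the opening bracket that breaks the link for tools that parse the tag, and the `From:` line names Sinan Kaya as author although the change is an upstream sqlite.org check-in; recording the upstream author in the body helps later audits.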
diff --git a/meta/recipes-support/sqlite/sqlite3_3.22.0.bb b/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
index ef88659e97..b90f89886a 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.22.0.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
SRC_URI = "\
http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
+ file://CVE-2018-8740.patch \
"
SRC_URI[md5sum] = "96b5648d542e8afa6ab7ffb8db8ddc3d"
SRC_URI[sha256sum] = "2824ab1238b706bc66127320afbdffb096361130e23291f26928a027b885c612"
--
2.19.0
* Re: [sumo] [PATCH v3 1/3] busybox: CVE-2017-15874
From: akuster808 @ 2018-09-22 5:48 UTC (permalink / raw)
To: Sinan Kaya, openembedded-core
Sinan,
On 09/21/2018 07:16 PM, Sinan Kaya wrote:
> * CVE-2017-15874
> busybox: Integer underflow in archival/libarchive/decompress_unlzma.c
>
> (cherry picked from 9ac42c500586fa5f10a1f6d22c3f797df11b1f6b)
>
> Affects busybox <= 1.27.2
this series in sumo-nmut
thanks,
Armin
> CVE: CVE-2017-15874
> Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15874
> Signed-off-by: Sinan Kaya <okaya@kernel.org>
> ---
> .../busybox/busybox/CVE-2017-15874.patch | 30 +++++++++++++++++++
> meta/recipes-core/busybox/busybox_1.27.2.bb | 1 +
> 2 files changed, 31 insertions(+)
> create mode 100644 meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
>
> diff --git a/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch b/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
> new file mode 100644
> index 0000000000..67b4ed7e11
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
> @@ -0,0 +1,30 @@
> +From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001
> +From: Denys Vlasenko <vda.linux@googlemail.com>
> +Date: Fri, 27 Oct 2017 15:37:03 +0200
> +Subject: [PATCH] unlzma: fix SEGV, closes 10436
> +
> +Upstream-Status: Backport [ https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b]
> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
> +Signed-off-by: Sinan Kaya <okaya@kernel.org>
> +---
> + archival/libarchive/decompress_unlzma.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
> +index 29eee2a..41e492f 100644
> +--- a/archival/libarchive/decompress_unlzma.c
> ++++ b/archival/libarchive/decompress_unlzma.c
> +@@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + pos = buffer_pos - rep0;
> + if ((int32_t)pos < 0) {
> + pos += header.dict_size;
> ++ /* bug 10436 has an example file where this triggers: */
> ++ if ((int32_t)pos < 0)
> ++ goto bad;
> ++
> + /* see unzip_bad_lzma_2.zip: */
> + if (pos >= buffer_size)
> + goto bad;
> +--
> +2.19.0
> +
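Review bot: the added test rejects the stream when `pos` is still negative after the single `pos += header.dict_size`, i.e. when `rep0` exceeds `buffer_pos + dict_size`; failing the decode is the right outcome for a corrupt distance and it mirrors the existing `pos >= buffer_size` bail-out just below. Both tests hinge on the `(int32_t)` cast of an unsigned `pos`, so they only catch a bad `rep0` if it is already bounded to fit that cast by the code that decodes it; a reviewer should confirm that bound in the surrounding function rather than rely on the two checks alone. The patch also has the stray space after `[` in `Upstream-Status`, and the reproducer from bug 10436 would be a good addition to the busybox ptest so the regression stays covered.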
> diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
> index 1ce4823d47..bab29728ee 100644
> --- a/meta/recipes-core/busybox/busybox_1.27.2.bb
> +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
> @@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
> file://busybox-CVE-2017-16544.patch \
> file://busybox-fix-lzma-segfaults.patch \
> file://umount-ignore-c.patch \
> + file://CVE-2017-15874.patch \
> "
> SRC_URI_append_libc-musl = " file://musl.cfg "
>
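Review bot: the new file is named `CVE-2017-15874.patch` while the neighbouring entries in this same `SRC_URI` use the `busybox-` prefix (`busybox-CVE-2017-16544.patch`, `busybox-fix-lzma-segfaults.patch`); following the existing naming keeps the directory consistent. Since `busybox-fix-lzma-segfaults.patch`, judging by its name, touches the same decompressor, a sentence in the commit message confirming that the two apply cleanly together and do not overlap would save the next backporter a check.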