* [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 @ 2020-01-15 15:51 Saloni Jain 2020-01-15 16:02 ` ✗ patchtest: failure for bzip2: Fix CVE-2019-12900 (rev6) Patchwork 2020-01-15 17:06 ` [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 Khem Raj 0 siblings, 2 replies; 4+ messages in thread From: Saloni Jain @ 2020-01-15 15:51 UTC (permalink / raw) To: openembedded-core@lists.openembedded.org, raj.khem@gmail.com Cc: Nisha Parrakat, Sana Kazi From: Sana Kazi <Sana.Kazi@kpit.com> Added patch for CVE-2019-12900 as backport from upstream. Fixes out of bound access discovered while fuzzying karchive. Tested by: Sana.Kazi@kpit.com Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com> --- .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 ++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch new file mode 100644 index 0000000..cab41e0 --- /dev/null +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch @@ -0,0 +1,34 @@ +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Tue, 28 May 2019 19:35:18 +0200 +Subject: [PATCH] Make sure nSelectors is not out of range + +nSelectors is used in a loop from 0 to nSelectors to access selectorMtf +which is +UChar selectorMtf[BZ_MAX_SELECTORS]; +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory +access +Fixes out of bounds access discovered while fuzzying karchive + +Link: https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch + +Upstream-Status: Backport +--- + decompress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/decompress.c b/decompress.c +index ab6a624..f3db91d 100644 +--- a/decompress.c ++++ b/decompress.c +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s ) + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); + if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); +- if (nSelectors < 1) RETURN(BZ_DATA_ERROR); ++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); + for (i = 0; i < nSelectors; i++) { + j = 0; + while (True) { +-- +2.22.0 -- 2.7.4 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails. ^ permalink raw reply related [flat|nested] 4+ messages in thread
* ✗ patchtest: failure for bzip2: Fix CVE-2019-12900 (rev6) 2020-01-15 15:51 [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 Saloni Jain @ 2020-01-15 16:02 ` Patchwork 2020-01-15 17:06 ` [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 Khem Raj 1 sibling, 0 replies; 4+ messages in thread From: Patchwork @ 2020-01-15 16:02 UTC (permalink / raw) To: anatol.oe; +Cc: openembedded-core == Series Details == Series: bzip2: Fix CVE-2019-12900 (rev6) Revision: 6 URL : https://patchwork.openembedded.org/series/18434/ State : failure == Summary == Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have been executed on the proposed series by patchtest resulting in the following failures: * Patch [poky,zeus] bzip2: Fix CVE-2019-12900 Issue Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format] Suggested fix Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX" * Issue A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence] Suggested fix Sign off the added patch file (meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch) If you believe any of these test results are incorrect, please reply to the mailing list (openembedded-core@lists.openembedded.org) raising your concerns. Otherwise we would appreciate you correcting the issues and submitting a new version of the patchset if applicable. Please ensure you add/increment the version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...). --- Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 2020-01-15 15:51 [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 Saloni Jain 2020-01-15 16:02 ` ✗ patchtest: failure for bzip2: Fix CVE-2019-12900 (rev6) Patchwork @ 2020-01-15 17:06 ` Khem Raj 2020-01-16 7:37 ` Saloni Jain 1 sibling, 1 reply; 4+ messages in thread From: Khem Raj @ 2020-01-15 17:06 UTC (permalink / raw) To: Saloni Jain Cc: Nisha Parrakat, Sana Kazi, openembedded-core@lists.openembedded.org On Wed, Jan 15, 2020 at 7:51 AM Saloni Jain <Saloni.Jain@kpit.com> wrote: > > From: Sana Kazi <Sana.Kazi@kpit.com> > > Added patch for CVE-2019-12900 as backport from upstream. > Fixes out of bound access discovered while fuzzying karchive. > is this fix already present in the bzip2 version we have in master ? > Tested by: Sana.Kazi@kpit.com > > Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com> > --- > .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 ++++++++++++++++++++++ > 1 file changed, 34 insertions(+) > create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch > > diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch > new file mode 100644 > index 0000000..cab41e0 > --- /dev/null > +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch > @@ -0,0 +1,34 @@ > +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001 > +From: Albert Astals Cid <aacid@kde.org> > +Date: Tue, 28 May 2019 19:35:18 +0200 > +Subject: [PATCH] Make sure nSelectors is not out of range > + > +nSelectors is used in a loop from 0 to nSelectors to access selectorMtf > +which is > +UChar selectorMtf[BZ_MAX_SELECTORS]; > +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory > +access > +Fixes out of bounds access discovered while fuzzying karchive > + > +Link: https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch > + > +Upstream-Status: Backport > +--- > + decompress.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/decompress.c b/decompress.c > +index ab6a624..f3db91d 100644 > +--- a/decompress.c > ++++ b/decompress.c > +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s ) > + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); > + if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); > + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); > +- if (nSelectors < 1) RETURN(BZ_DATA_ERROR); > ++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); > + for (i = 0; i < nSelectors; i++) { > + j = 0; > + while (True) { > +-- > +2.22.0 > -- > 2.7.4 > > This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 2020-01-15 17:06 ` [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 Khem Raj @ 2020-01-16 7:37 ` Saloni Jain 0 siblings, 0 replies; 4+ messages in thread From: Saloni Jain @ 2020-01-16 7:37 UTC (permalink / raw) To: Khem Raj Cc: Nisha Parrakat, Sana Kazi, openembedded-core@lists.openembedded.org [-- Attachment #1: Type: text/plain, Size: 4266 bytes --] Hello Khem Raj, We have tested the applicability for this patch on master as well and as per analysis it is applicable. I've sent the same patch for master branch as well in a separate mail. Thanks & Regards, Saloni ________________________________ From: Khem Raj <raj.khem@gmail.com> Sent: Wednesday, January 15, 2020 10:36 PM To: Saloni Jain <Saloni.Jain@kpit.com> Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; Nisha Parrakat <Nisha.Parrakat@kpit.com>; Sana Kazi <Sana.Kazi@kpit.com> Subject: Re: [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 On Wed, Jan 15, 2020 at 7:51 AM Saloni Jain <Saloni.Jain@kpit.com> wrote: > > From: Sana Kazi <Sana.Kazi@kpit.com> > > Added patch for CVE-2019-12900 as backport from upstream. > Fixes out of bound access discovered while fuzzying karchive. > is this fix already present in the bzip2 version we have in master ? > Tested by: Sana.Kazi@kpit.com > > Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com> > --- > .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 34 ++++++++++++++++++++++ > 1 file changed, 34 insertions(+) > create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch > > diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch > new file mode 100644 > index 0000000..cab41e0 > --- /dev/null > +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch > @@ -0,0 +1,34 @@ > +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001 > +From: Albert Astals Cid <aacid@kde.org> > +Date: Tue, 28 May 2019 19:35:18 +0200 > +Subject: [PATCH] Make sure nSelectors is not out of range > + > +nSelectors is used in a loop from 0 to nSelectors to access selectorMtf > +which is > +UChar selectorMtf[BZ_MAX_SELECTORS]; > +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory > +access > +Fixes out of bounds access discovered while fuzzying karchive > + > +Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.com%2Ffedericomenaquintero%2Fbzip2%2Fcommit%2F74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch&data=02%7C01%7CSaloni.Jain%40kpit.com%7C370b10dc1f7a4288166208d799dd5023%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637147048150016848&sdata=m%2B9a%2FxYEqAA7JLjimmgLtLfvvBV2WtyInZf9a7DCfQg%3D&reserved=0 > + > +Upstream-Status: Backport > +--- > + decompress.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/decompress.c b/decompress.c > +index ab6a624..f3db91d 100644 > +--- a/decompress.c > ++++ b/decompress.c > +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s ) > + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); > + if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); > + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); > +- if (nSelectors < 1) RETURN(BZ_DATA_ERROR); > ++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); > + for (i = 0; i < nSelectors; i++) { > + j = 0; > + while (True) { > +-- > +2.22.0 > -- > 2.7.4 > > This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails. This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails. [-- Attachment #2: Type: text/html, Size: 7055 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-01-16 7:37 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-01-15 15:51 [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 Saloni Jain 2020-01-15 16:02 ` ✗ patchtest: failure for bzip2: Fix CVE-2019-12900 (rev6) Patchwork 2020-01-15 17:06 ` [poky][zeus][PATCH] bzip2: Fix CVE-2019-12900 Khem Raj 2020-01-16 7:37 ` Saloni Jain
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox