From: "Anuj Mittal" <anuj.mittal@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [hardknott][PATCH 12/23] aspell: fix CVE-2019-25051
Date: Mon, 9 Aug 2021 23:35:44 +0800 [thread overview]
Message-ID: <b415b0bc39dfae329e845569a122bcd301c326cc.1628522214.git.anuj.mittal@intel.com> (raw)
In-Reply-To: <cover.1628522214.git.anuj.mittal@intel.com>
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 297f8c4eb4ff209b5ea69910902d216d86dbe2bf)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-support/aspell/aspell_0.60.8.bb | 4 +-
.../aspell/files/CVE-2019-25051.patch | 101 ++++++++++++++++++
2 files changed, 104 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/aspell/files/CVE-2019-25051.patch
diff --git a/meta/recipes-support/aspell/aspell_0.60.8.bb b/meta/recipes-support/aspell/aspell_0.60.8.bb
index 6548c54b64..9147c820e7 100644
--- a/meta/recipes-support/aspell/aspell_0.60.8.bb
+++ b/meta/recipes-support/aspell/aspell_0.60.8.bb
@@ -13,7 +13,9 @@ HOMEPAGE = "http://aspell.net/"
LICENSE = "LGPLv2 | LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
-SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz"
+SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \
+ file://CVE-2019-25051.patch \
+"
SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3"
SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2"
diff --git a/meta/recipes-support/aspell/files/CVE-2019-25051.patch b/meta/recipes-support/aspell/files/CVE-2019-25051.patch
new file mode 100644
index 0000000000..8513f6de79
--- /dev/null
+++ b/meta/recipes-support/aspell/files/CVE-2019-25051.patch
@@ -0,0 +1,101 @@
+From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+
+Upstream-Status: Backport
+[https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a]
+CVE: CVE-2019-25051
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
++++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
++#include <stddef.h>
+
+ namespace acommon {
+
+@@ -26,6 +27,12 @@ class ObjStack
+ byte * temp_end;
+ void setup_chunk();
+ void new_chunk();
++ bool will_overflow(size_t sz) const {
++ return offsetof(Node,data) + sz > chunk_size;
++ }
++ void check_size(size_t sz) {
++ assert(!will_overflow(sz));
++ }
+
+ ObjStack(const ObjStack &);
+ void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ class ObjStack
+ void * alloc_bottom(size_t size) {
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
+ return tmp;
+ }
+ // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ class ObjStack
+ align_bottom(align);
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); goto loop;}
++ if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+ return tmp;
+ }
+ char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ class ObjStack
+ // always be aligned as such.
+ void * alloc_top(size_t size) {
+ top -= size;
+- if (top < bottom) {new_chunk(); top -= size;}
++ if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+ return top;
+ }
+ // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ class ObjStack
+ {loop:
+ top -= size;
+ align_top(align);
+- if (top < bottom) {new_chunk(); goto loop;}
++ if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+ return top;
+ }
+ char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ class ObjStack
+ void * alloc_temp(size_t size) {
+ temp_end = bottom + size;
+ if (temp_end > top) {
++ check_size(size);
+ new_chunk();
+ temp_end = bottom + size;
+ }
+@@ -131,6 +139,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
+@@ -150,6 +159,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
--
2.31.1
next prev parent reply other threads:[~2021-08-09 15:36 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-09 15:35 [hardknott][PATCH 00/23] review request Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 01/23] stress-ng: Drop defining daddr_t Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 02/23] parselogs.py: qemuarm should be qemuarmv5 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 03/23] devtool: print a warning on upgrades if PREFERRED_VERSION is set Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 04/23] zstd: fix CVE_PRODUCT Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 05/23] linux-yocto/5.10: update to v5.10.53 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 06/23] linux-yocto/5.4: update to v5.4.135 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 07/23] linux-yocto-rt/5.10: update to -rt47 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 08/23] linux-yocto/5.10: enable TYPEC_TCPCI in usbc fragment Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 09/23] sstate: Fix rebuilds when changing layer config Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 10/23] license: Exclude COPYING.MIT from pseudo Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 11/23] runqemu: Fix typo in error message Anuj Mittal
2021-08-09 15:35 ` Anuj Mittal [this message]
2021-08-09 15:35 ` [hardknott][PATCH 13/23] createrepo-c: fix createrepo-c failed in nativesdk Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 14/23] oeqa/runtime/cases/ptest: Increase test timeout from 300s to 450s Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 15/23] cve-check: fix comments Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 16/23] cve-check: update link to NVD website for CVE details Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 17/23] cve-check: improve comment about CVE patch file names Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 18/23] curl: fix CVE-2021-22925 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 19/23] curl: fix CVES Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 20/23] util-linux: fix CVE 2021-37600 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 21/23] qemu: fix virtio vhost-user-gpu CVEs Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 22/23] qemu: fix CVE-2021-3527 Anuj Mittal
2021-08-09 15:35 ` [hardknott][PATCH 23/23] nettle: update 3.7.2 -> 3.7.3 Anuj Mittal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b415b0bc39dfae329e845569a122bcd301c326cc.1628522214.git.anuj.mittal@intel.com \
--to=anuj.mittal@intel.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox