* [PATCH 1/6][dora] libtiff: fix CVE-2013-1960
2013-12-05 23:01 [PATCH 0/6][dora] Fix various CVE Mark Hatle
@ 2013-12-05 23:01 ` Mark Hatle
2013-12-05 23:01 ` [PATCH 2/6][dora] libtiff: CVE-2013-4232 Mark Hatle
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Mark Hatle @ 2013-12-05 23:01 UTC (permalink / raw)
To: openembedded-core
From: Ming Liu <ming.liu@windriver.com>
Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted TIFF image
file.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1960
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
---
.../libtiff/files/libtiff-CVE-2013-1960.patch | 151 +++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 +-
2 files changed, 153 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
new file mode 100644
index 0000000..e4348f1
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-1960.patch
@@ -0,0 +1,151 @@
+This patch comes from: http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-1960.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+
+diff -Naur a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+--- a/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
++++ b/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+ uint32 height){
+
+ tsize_t i=0;
+- uint16 ri =0;
+- uint16 v_samp=1;
+- uint16 h_samp=1;
+- int j=0;
+-
+- i++;
+-
+- while(i<(*striplength)){
++
++ while (i < *striplength) {
++ tsize_t datalen;
++ uint16 ri;
++ uint16 v_samp;
++ uint16 h_samp;
++ int j;
++ int ncomp;
++
++ /* marker header: one or more FFs */
++ if (strip[i] != 0xff)
++ return(0);
++ i++;
++ while (i < *striplength && strip[i] == 0xff)
++ i++;
++ if (i >= *striplength)
++ return(0);
++ /* SOI is the only pre-SOS marker without a length word */
++ if (strip[i] == 0xd8)
++ datalen = 0;
++ else {
++ if ((*striplength - i) <= 2)
++ return(0);
++ datalen = (strip[i+1] << 8) | strip[i+2];
++ if (datalen < 2 || datalen >= (*striplength - i))
++ return(0);
++ }
+ switch( strip[i] ){
+- case 0xd8:
+- /* SOI - start of image */
++ case 0xd8: /* SOI - start of image */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ *bufferoffset+=2;
+- i+=2;
+ break;
+- case 0xc0:
+- case 0xc1:
+- case 0xc3:
+- case 0xc9:
+- case 0xca:
++ case 0xc0: /* SOF0 */
++ case 0xc1: /* SOF1 */
++ case 0xc3: /* SOF3 */
++ case 0xc9: /* SOF9 */
++ case 0xca: /* SOF10 */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- for(j=0;j<buffer[*bufferoffset+9];j++){
+- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
+- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
+- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ ncomp = buffer[*bufferoffset+9];
++ if (ncomp < 1 || ncomp > 4)
++ return(0);
++ v_samp=1;
++ h_samp=1;
++ for(j=0;j<ncomp;j++){
++ uint16 samp = buffer[*bufferoffset+11+(3*j)];
++ if( (samp>>4) > h_samp)
++ h_samp = (samp>>4);
++ if( (samp & 0x0f) > v_samp)
++ v_samp = (samp & 0x0f);
+ }
+ v_samp*=8;
+ h_samp*=8;
+@@ -3381,45 +3404,43 @@
+ (unsigned char) ((height>>8) & 0xff);
+ buffer[*bufferoffset+6]=
+ (unsigned char) (height & 0xff);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
+-
++ *bufferoffset+=datalen+2;
++ /* insert a DRI marker */
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=0xdd;
+ buffer[(*bufferoffset)++]=0x00;
+ buffer[(*bufferoffset)++]=0x04;
+ buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+ buffer[(*bufferoffset)++]= ri & 0xff;
+- } else {
+- i+=strip[i+2]+2;
+ }
+ break;
+- case 0xc4:
+- case 0xdb:
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ case 0xc4: /* DHT */
++ case 0xdb: /* DQT */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ break;
+- case 0xda:
++ case 0xda: /* SOS */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ } else {
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=
+ (unsigned char)(0xd0 | ((no-1)%8));
+- i+=strip[i+2]+2;
+ }
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+- *bufferoffset+=(*striplength)-i-1;
++ i += datalen + 1;
++ /* copy remainder of strip */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++ *bufferoffset+= *striplength - i;
+ return(1);
+ default:
+- i+=strip[i+2]+2;
++ /* ignore any other marker */
++ break;
+ }
++ i += datalen + 1;
+ }
+-
+
++ /* failed to find SOS marker */
+ return(0);
+ }
+ #endif
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index 256e75e..8e450df 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -6,7 +6,8 @@ DEPENDS = "zlib jpeg xz"
PR = "r0"
SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
- file://libtool2.patch"
+ file://libtool2.patch \
+ file://libtiff-CVE-2013-1960.patch"
SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
--
1.8.1.2.545.g2f19ada
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH 2/6][dora] libtiff: CVE-2013-4232
2013-12-05 23:01 [PATCH 0/6][dora] Fix various CVE Mark Hatle
2013-12-05 23:01 ` [PATCH 1/6][dora] libtiff: fix CVE-2013-1960 Mark Hatle
@ 2013-12-05 23:01 ` Mark Hatle
2013-12-05 23:01 ` [PATCH 3/6][dora] libtiff: CVE-2013-4243 Mark Hatle
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Mark Hatle @ 2013-12-05 23:01 UTC (permalink / raw)
To: openembedded-core
From: Baogen Shang <baogen.shang@windriver.com>
cve description:
Use-after-free vulnerability in the t2p_readwrite_pdf_image function
in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause
a denial of service (crash) or possible execute arbitrary code via a
crafted TIFF image.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4232
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
.../libtiff/files/libtiff-CVE-2013-4232.patch | 15 +++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 ++-
2 files changed, 17 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4232.patch
diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4232.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4232.patch
new file mode 100644
index 0000000..9ebf8f9a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4232.patch
@@ -0,0 +1,15 @@
+This patch comes from: http://bugzilla.maptools.org/attachment.cgi?id=513&action=diff
+
+Upstream-Status: Pending
+
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+--- a/tools/tiff2pdf.c 2013-10-21 10:36:38.214170346 +0800
++++ b/tools/tiff2pdf.c 2013-10-21 10:38:58.246170329 +0800
+@@ -2387,6 +2387,7 @@
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ _TIFFfree(buffer);
++ return(0);
+ } else {
+ buffer=samplebuffer;
+ t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index 8e450df..f05682b 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -7,7 +7,8 @@ PR = "r0"
SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
- file://libtiff-CVE-2013-1960.patch"
+ file://libtiff-CVE-2013-1960.patch \
+ file://libtiff-CVE-2013-4232.patch"
SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
--
1.8.1.2.545.g2f19ada
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH 3/6][dora] libtiff: CVE-2013-4243
2013-12-05 23:01 [PATCH 0/6][dora] Fix various CVE Mark Hatle
2013-12-05 23:01 ` [PATCH 1/6][dora] libtiff: fix CVE-2013-1960 Mark Hatle
2013-12-05 23:01 ` [PATCH 2/6][dora] libtiff: CVE-2013-4232 Mark Hatle
@ 2013-12-05 23:01 ` Mark Hatle
2013-12-05 23:01 ` [PATCH 4/6][dora] xinetd: CVE-2013-4342 Mark Hatle
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Mark Hatle @ 2013-12-05 23:01 UTC (permalink / raw)
To: openembedded-core
From: Baogen Shang <baogen.shang@windriver.com>
cve description:
Heap-based buffer overflow in the readgifimage function in the gif2tiff
tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a crafted height
and width values in a GIF image.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4243
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
.../libtiff/files/libtiff-CVE-2013-4243.patch | 40 ++++++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.3.bb | 3 +-
2 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4243.patch
diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4243.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4243.patch
new file mode 100644
index 0000000..642a117
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4243.patch
@@ -0,0 +1,40 @@
+This patch comes from: http://bugzilla.maptools.org/attachment.cgi?id=518&action=diff#tools/gif2tiff.c_sec2
+
+Upstream-Status: Pending
+
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+--- a/tools/gif2tiff.c 2013-10-14 17:08:43.966239709 +0800
++++ b/tools/gif2tiff.c 2013-10-14 17:18:22.994239638 +0800
+@@ -280,6 +280,10 @@
+ fprintf(stderr, "no colormap present for image\n");
+ return (0);
+ }
++ if (width == 0 || height == 0) {
++ fprintf(stderr, "Invalid value of width or height\n");
++ return(0);
++ }
+ if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+ fprintf(stderr, "not enough memory for image\n");
+ return (0);
+@@ -397,6 +401,10 @@
+ return 1;
+ }
+
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ if (oldcode == -1) {
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+@@ -428,6 +436,10 @@
+ }
+ oldcode = incode;
+ do {
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = *--stackp;
+ } while (stackp > stack);
+ return 1;
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index f05682b..4a63920 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -8,7 +8,8 @@ PR = "r0"
SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
file://libtool2.patch \
file://libtiff-CVE-2013-1960.patch \
- file://libtiff-CVE-2013-4232.patch"
+ file://libtiff-CVE-2013-4232.patch \
+ file://libtiff-CVE-2013-4243.patch"
SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
--
1.8.1.2.545.g2f19ada
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH 4/6][dora] xinetd: CVE-2013-4342
2013-12-05 23:01 [PATCH 0/6][dora] Fix various CVE Mark Hatle
` (2 preceding siblings ...)
2013-12-05 23:01 ` [PATCH 3/6][dora] libtiff: CVE-2013-4243 Mark Hatle
@ 2013-12-05 23:01 ` Mark Hatle
2013-12-05 23:01 ` [PATCH 5/6][dora] acpid: CVE-2011-1159 Mark Hatle
2013-12-05 23:01 ` [PATCH 6/6][dora] icu: CVE-2013-2924 Mark Hatle
5 siblings, 0 replies; 7+ messages in thread
From: Mark Hatle @ 2013-12-05 23:01 UTC (permalink / raw)
To: openembedded-core
From: Li Wang <li.wang@windriver.com>
xinetd does not enforce the user and group configuration directives
for TCPMUX services, which causes these services to be run as root
and makes it easier for remote attackers to gain privileges by
leveraging another vulnerability in a service.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4342
the patch come from:
https://bugzilla.redhat.com/attachment.cgi?id=799732&action=diff
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
.../xinetd/xinetd/xinetd-CVE-2013-4342.patch | 32 ++++++++++++++++++++++
meta/recipes-extended/xinetd/xinetd_2.3.15.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
diff --git a/meta/recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch b/meta/recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
new file mode 100644
index 0000000..0542dbe
--- /dev/null
+++ b/meta/recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
@@ -0,0 +1,32 @@
+xinetd: CVE-2013-4342
+
+xinetd does not enforce the user and group configuration directives
+for TCPMUX services, which causes these services to be run as root
+and makes it easier for remote attackers to gain privileges by
+leveraging another vulnerability in a service.
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4342
+
+the patch come from:
+https://bugzilla.redhat.com/attachment.cgi?id=799732&action=diff
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ xinetd/builtins.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xinetd/builtins.c b/xinetd/builtins.c
+index 3b85579..34a5bac 100644
+--- a/xinetd/builtins.c
++++ b/xinetd/builtins.c
+@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
+ if( SC_IS_INTERNAL( scp ) ) {
+ SC_INTERNAL(scp, nserp);
+ } else {
+- exec_server(nserp);
++ child_process(nserp);
+ }
+ }
+
+--
+1.7.9.5
+
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
index 7976570..0e28172 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://www.xinetd.org/xinetd-${PV}.tar.gz \
file://Various-fixes-from-the-previous-maintainer.patch \
file://Disable-services-from-inetd.conf-if-a-service-with-t.patch \
file://xinetd-should-be-able-to-listen-on-IPv6-even-in-ine.patch \
+ file://xinetd-CVE-2013-4342.patch \
"
SRC_URI[md5sum] = "77358478fd58efa6366accae99b8b04c"
--
1.8.1.2.545.g2f19ada
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH 5/6][dora] acpid: CVE-2011-1159
2013-12-05 23:01 [PATCH 0/6][dora] Fix various CVE Mark Hatle
` (3 preceding siblings ...)
2013-12-05 23:01 ` [PATCH 4/6][dora] xinetd: CVE-2013-4342 Mark Hatle
@ 2013-12-05 23:01 ` Mark Hatle
2013-12-05 23:01 ` [PATCH 6/6][dora] icu: CVE-2013-2924 Mark Hatle
5 siblings, 0 replies; 7+ messages in thread
From: Mark Hatle @ 2013-12-05 23:01 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <yue.tao@windriver.com>
acpid.c in acpid before 2.0.9 does not properly handle a situation in which
a process has connected to acpid.socket but is not reading any data, which
allows local users to cause a denial of service (daemon hang) via a crafted
application that performs a connect system call but no read system calls.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1159
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
meta/recipes-bsp/acpid/acpid.inc | 3 ++-
meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch | 10 ++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch
diff --git a/meta/recipes-bsp/acpid/acpid.inc b/meta/recipes-bsp/acpid/acpid.inc
index 40293c5..a384265 100644
--- a/meta/recipes-bsp/acpid/acpid.inc
+++ b/meta/recipes-bsp/acpid/acpid.inc
@@ -6,7 +6,8 @@ LICENSE="GPLv2+"
SECTION = "base"
SRC_URI = "${SOURCEFORGE_MIRROR}/acpid/acpid-${PV}.tar.gz \
- file://init"
+ file://init \
+ file://set_socket_noblock.patch "
inherit update-rc.d
diff --git a/meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch b/meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch
new file mode 100644
index 0000000..54d6435
--- /dev/null
+++ b/meta/recipes-bsp/acpid/acpid/set_socket_noblock.patch
@@ -0,0 +1,10 @@
+--- a/acpid.c
++++ b/acpid.c
+@@ -307,6 +307,7 @@ main(int argc, char **argv)
+ non_root_clients++;
+ }
+ fcntl(cli_fd, F_SETFD, FD_CLOEXEC);
++ fcntl(cli_fd, F_SETFL, O_NONBLOCK);
+ snprintf(buf, sizeof(buf)-1, "%d[%d:%d]",
+ creds.pid, creds.uid, creds.gid);
+ acpid_add_client(cli_fd, buf);
--
1.8.1.2.545.g2f19ada
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH 6/6][dora] icu: CVE-2013-2924
2013-12-05 23:01 [PATCH 0/6][dora] Fix various CVE Mark Hatle
` (4 preceding siblings ...)
2013-12-05 23:01 ` [PATCH 5/6][dora] acpid: CVE-2011-1159 Mark Hatle
@ 2013-12-05 23:01 ` Mark Hatle
5 siblings, 0 replies; 7+ messages in thread
From: Mark Hatle @ 2013-12-05 23:01 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
Use-after-free vulnerability in International Components for Unicode (ICU),
as used in Google Chrome before 30.0.1599.66 and other products, allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2924
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
...fer_length_check_to_UTF_16_or_32_detector.patch | 33 ++++++++++++++++++++++
meta/recipes-support/icu/icu_51.2.bb | 1 +
2 files changed, 34 insertions(+)
create mode 100644 meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
diff --git a/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
new file mode 100644
index 0000000..ad4d61c
--- /dev/null
+++ b/meta/recipes-support/icu/icu-51.2/add_buffer_length_check_to_UTF_16_or_32_detector.patch
@@ -0,0 +1,33 @@
+--- source/i18n/csrucode.cpp
++++ source/i18n/csrucode.cpp
+@@ -33,8 +33,9 @@ UBool CharsetRecog_UTF_16_BE::match(Inpu
+ {
+ const uint8_t *input = textIn->fRawInput;
+ int32_t confidence = 0;
++ int32_t length = textIn->fRawLength;
+
+- if (input[0] == 0xFE && input[1] == 0xFF) {
++ if (length >=2 && input[0] == 0xFE && input[1] == 0xFF) {
+ confidence = 100;
+ }
+
+@@ -57,8 +58,9 @@ UBool CharsetRecog_UTF_16_LE::match(Inpu
+ {
+ const uint8_t *input = textIn->fRawInput;
+ int32_t confidence = 0;
++ int32_t length = textIn->fRawLength;
+
+- if (input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
++ if (length >= 4 && input[0] == 0xFF && input[1] == 0xFE && (input[2] != 0x00 || input[3] != 0x00)) {
+ confidence = 100;
+ }
+
+@@ -81,7 +83,7 @@ UBool CharsetRecog_UTF_32::match(InputTe
+ bool hasBOM = FALSE;
+ int32_t confidence = 0;
+
+- if (getChar(input, 0) == 0x0000FEFFUL) {
++ if (limit > 0 && getChar(input, 0) == 0x0000FEFFUL) {
+ hasBOM = TRUE;
+ }
+
diff --git a/meta/recipes-support/icu/icu_51.2.bb b/meta/recipes-support/icu/icu_51.2.bb
index 1278d22..7c7d214 100644
--- a/meta/recipes-support/icu/icu_51.2.bb
+++ b/meta/recipes-support/icu/icu_51.2.bb
@@ -7,6 +7,7 @@ PR = "r0"
BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-51_2-src.tgz"
SRC_URI = "${BASE_SRC_URI} \
file://icu-pkgdata-large-cmd.patch \
+ file://add_buffer_length_check_to_UTF_16_or_32_detector.patch \
"
SRC_URI[md5sum] = "072e501b87065f3a0ca888f1b5165709"
--
1.8.1.2.545.g2f19ada
^ permalink raw reply related [flat|nested] 7+ messages in thread