* [PATCH 0/1] webkitgtk: fix CVEs @ 2018-08-30 2:46 kai.kang 2018-08-30 2:46 ` [PATCH 1/1] " kai.kang 0 siblings, 1 reply; 4+ messages in thread From: kai.kang @ 2018-08-30 2:46 UTC (permalink / raw) To: openembedded-core From: Kai Kang <kai.kang@windriver.com> The following changes since commit a8368651ffed1bd6c4715a37dfe9f40c48ca23c4: bitbake: fetcher: Fixed remote removal not throwing exception. (2018-08-28 10:32:08 +0100) are available in the Git repository at: git://git.pokylinux.org/poky-contrib kangkai/cves http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/cves Kai Kang (1): webkitgtk: fix CVEs .../webkitgtk/0001-Fix-CVE-2017-17821.patch | 44 ++++++++++ .../webkitgtk/0002-Fix-CVE-2018-12911.patch | 82 +++++++++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.20.3.bb | 2 + 3 files changed, 128 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch create mode 100644 meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch -- 2.18.0 ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/1] webkitgtk: fix CVEs 2018-08-30 2:46 [PATCH 0/1] webkitgtk: fix CVEs kai.kang @ 2018-08-30 2:46 ` kai.kang 2018-08-30 9:29 ` Alexander Kanavin 0 siblings, 1 reply; 4+ messages in thread From: kai.kang @ 2018-08-30 2:46 UTC (permalink / raw) To: openembedded-core From: Kai Kang <kai.kang@windriver.com> Backport patches to fix CVE-2017-17821 and CVE-2018-12911 for webkitgtk. Signed-off-by: Kai Kang <kai.kang@windriver.com> --- .../webkitgtk/0001-Fix-CVE-2017-17821.patch | 44 ++++++++++ .../webkitgtk/0002-Fix-CVE-2018-12911.patch | 82 +++++++++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.20.3.bb | 2 + 3 files changed, 128 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch create mode 100644 meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch diff --git a/meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch b/meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch new file mode 100644 index 0000000000..a3f7599276 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch @@ -0,0 +1,44 @@ +Backport patch to fix CVE-2017-17821. Refer to +https://security-tracker.debian.org/tracker/CVE-2017-17821. + +Upstream-Status: Backport [https://trac.webkit.org/changeset/232119/webkit] +CVE: CVE-2017-17821 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 2a17b15297eb886b0bfb7d098ef607cfad6c3da0 Mon Sep 17 00:00:00 2001 +From: "mcatanzaro@igalia.com" + <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> +Date: Wed, 23 May 2018 17:54:01 +0000 +Subject: [PATCH] Prohibit shrinking the FastBitVector + https://bugs.webkit.org/show_bug.cgi?id=181020 + +Reviewed by Oliver Hunt. + +Prohibit shrinking the FastBitVector. It's not prepared for this and the current usage does +not require it. + +* wtf/FastBitVector.cpp: +(WTF::FastBitVectorWordOwner::resizeSlow): + +git-svn-id: http://svn.webkit.org/repository/webkit/trunk@232119 268f45cc-cd09-0410-ab3c-d52691b4dbfc +--- + Source/WTF/wtf/FastBitVector.cpp | 2 ++ + 2 files changed, 15 insertions(+) + +diff --git a/Source/WTF/wtf/FastBitVector.cpp b/Source/WTF/wtf/FastBitVector.cpp +index eed316975f4..8b019aaa3ed 100644 +--- a/Source/WTF/wtf/FastBitVector.cpp ++++ b/Source/WTF/wtf/FastBitVector.cpp +@@ -42,6 +42,8 @@ void FastBitVectorWordOwner::setEqualsSlow(const FastBitVectorWordOwner& other) + void FastBitVectorWordOwner::resizeSlow(size_t numBits) + { + size_t newLength = fastBitVectorArrayLength(numBits); ++ ++ RELEASE_ASSERT(newLength >= arrayLength()); + + // Use fastCalloc instead of fastRealloc because we expect the common + // use case for this method to be initializing the size of the bitvector. +-- +2.17.0 + diff --git a/meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch b/meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch new file mode 100644 index 0000000000..37a43ae95a --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch @@ -0,0 +1,82 @@ +Backport upstream patch to fix CVE-2018-12911. + +Upstream-Status: Backport [https://trac.webkit.org/changeset/233404/webkit] +CVE: CVE-2018-12911 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 6a3897a790ff38184aca8032abcd89e8339fdcef Mon Sep 17 00:00:00 2001 +From: "mcatanzaro@igalia.com" + <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> +Date: Sun, 1 Jul 2018 01:15:38 +0000 +Subject: [PATCH] Fix off-by-one error in xdg_mime_get_simple_globs + https://bugs.webkit.org/show_bug.cgi?id=186554 + +Reviewed by Daniel Bates. + +We have an off-by-one error here in some code that was added for WebKit. (This is not an +issue with upstream xdgmime.) + +No new tests. This problem is caught by TestDownloads, but only when running with ASan +enabled. + +* xdgmime/src/xdgmimecache.c: +(get_simple_globs): +* xdgmime/src/xdgmimeglob.c: +(get_simple_globs): + +git-svn-id: http://svn.webkit.org/repository/webkit/trunk@233404 268f45cc-cd09-0410-ab3c-d52691b4dbfc +--- + Source/ThirdParty/xdgmime/src/xdgmimecache.c | 5 ++++- + Source/ThirdParty/xdgmime/src/xdgmimeglob.c | 5 ++++- + 3 files changed, 26 insertions(+), 2 deletions(-) + +diff --git a/Source/ThirdParty/xdgmime/src/xdgmimecache.c b/Source/ThirdParty/xdgmime/src/xdgmimecache.c +index 9600b9019e2..bdc1973b872 100644 +--- a/Source/ThirdParty/xdgmime/src/xdgmimecache.c ++++ b/Source/ThirdParty/xdgmime/src/xdgmimecache.c +@@ -1047,6 +1047,9 @@ get_simple_globs (XdgMimeCache *cache, + xdg_uint32_t child_offset; + int i; + ++ assert (*n >= 0); ++ assert (depth >= 0); ++ + if (*n >= n_globs) + return FALSE; + +@@ -1055,7 +1058,7 @@ get_simple_globs (XdgMimeCache *cache, + xdg_uint32_t mime_offset = GET_UINT32 (cache->buffer, offset + 4); + + if (strcasecmp (cache->buffer + mime_offset, mime) == 0) { +- globs[*n] = malloc (depth * sizeof (char)); ++ globs[*n] = malloc ((depth + 1) * sizeof (char)); + for (i = 0; i < depth; i++) + globs[*n][depth - i - 1] = prefix[i]; + globs[*n][depth] = '\0'; +diff --git a/Source/ThirdParty/xdgmime/src/xdgmimeglob.c b/Source/ThirdParty/xdgmime/src/xdgmimeglob.c +index 6fd90fc2fa3..ebe3a0de00c 100644 +--- a/Source/ThirdParty/xdgmime/src/xdgmimeglob.c ++++ b/Source/ThirdParty/xdgmime/src/xdgmimeglob.c +@@ -484,6 +484,9 @@ get_simple_globs (XdgGlobHashNode *glob_hash_node, + xdg_unichar_t *prefix, + int depth) + { ++ assert (*n >= 0); ++ assert (depth >= 0); ++ + if (*n >= n_globs) + return FALSE; + +@@ -495,7 +498,7 @@ get_simple_globs (XdgGlobHashNode *glob_hash_node, + { + int i; + +- globs[*n] = malloc (depth * sizeof (char)); ++ globs[*n] = malloc ((depth + 1) * sizeof (char)); + for (i = 0; i < depth; i++) + globs[*n][depth - i - 1] = prefix[i]; + globs[*n][depth] = '\0'; +-- +2.17.0 + diff --git a/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb b/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb index a528c5d891..be8d88fca8 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb @@ -22,6 +22,8 @@ SRC_URI = "http://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \ file://detect-gstreamer-gl.patch \ file://0012-soup-Forward-declare-URL-class.patch \ file://0001-Fix-PaintingData-has-no-member-named-lightVector-on-.patch \ + file://0001-Fix-CVE-2017-17821.patch \ + file://0002-Fix-CVE-2018-12911.patch \ " SRC_URI[md5sum] = "efb69a0cc3cc67ef2647efec22e44c69" -- 2.18.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/1] webkitgtk: fix CVEs 2018-08-30 2:46 ` [PATCH 1/1] " kai.kang @ 2018-08-30 9:29 ` Alexander Kanavin 2018-08-31 1:43 ` Kang Kai 0 siblings, 1 reply; 4+ messages in thread From: Alexander Kanavin @ 2018-08-30 9:29 UTC (permalink / raw) To: Kai Kang; +Cc: OE-core Isn't it better - and simpler - to just update webkitgtk itself? 2.20.3 to 2.20.5. Alex 2018-08-30 4:46 GMT+02:00 <kai.kang@windriver.com>: > From: Kai Kang <kai.kang@windriver.com> > > Backport patches to fix CVE-2017-17821 and CVE-2018-12911 for webkitgtk. > > Signed-off-by: Kai Kang <kai.kang@windriver.com> > --- > .../webkitgtk/0001-Fix-CVE-2017-17821.patch | 44 ++++++++++ > .../webkitgtk/0002-Fix-CVE-2018-12911.patch | 82 +++++++++++++++++++ > meta/recipes-sato/webkit/webkitgtk_2.20.3.bb | 2 + > 3 files changed, 128 insertions(+) > create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch > create mode 100644 meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch > > diff --git a/meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch b/meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch > new file mode 100644 > index 0000000000..a3f7599276 > --- /dev/null > +++ b/meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch > @@ -0,0 +1,44 @@ > +Backport patch to fix CVE-2017-17821. Refer to > +https://security-tracker.debian.org/tracker/CVE-2017-17821. > + > +Upstream-Status: Backport [https://trac.webkit.org/changeset/232119/webkit] > +CVE: CVE-2017-17821 > + > +Signed-off-by: Kai Kang <kai.kang@windriver.com> > + > +From 2a17b15297eb886b0bfb7d098ef607cfad6c3da0 Mon Sep 17 00:00:00 2001 > +From: "mcatanzaro@igalia.com" > + <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> > +Date: Wed, 23 May 2018 17:54:01 +0000 > +Subject: [PATCH] Prohibit shrinking the FastBitVector > + https://bugs.webkit.org/show_bug.cgi?id=181020 > + > +Reviewed by Oliver Hunt. > + > +Prohibit shrinking the FastBitVector. It's not prepared for this and the current usage does > +not require it. > + > +* wtf/FastBitVector.cpp: > +(WTF::FastBitVectorWordOwner::resizeSlow): > + > +git-svn-id: http://svn.webkit.org/repository/webkit/trunk@232119 268f45cc-cd09-0410-ab3c-d52691b4dbfc > +--- > + Source/WTF/wtf/FastBitVector.cpp | 2 ++ > + 2 files changed, 15 insertions(+) > + > +diff --git a/Source/WTF/wtf/FastBitVector.cpp b/Source/WTF/wtf/FastBitVector.cpp > +index eed316975f4..8b019aaa3ed 100644 > +--- a/Source/WTF/wtf/FastBitVector.cpp > ++++ b/Source/WTF/wtf/FastBitVector.cpp > +@@ -42,6 +42,8 @@ void FastBitVectorWordOwner::setEqualsSlow(const FastBitVectorWordOwner& other) > + void FastBitVectorWordOwner::resizeSlow(size_t numBits) > + { > + size_t newLength = fastBitVectorArrayLength(numBits); > ++ > ++ RELEASE_ASSERT(newLength >= arrayLength()); > + > + // Use fastCalloc instead of fastRealloc because we expect the common > + // use case for this method to be initializing the size of the bitvector. > +-- > +2.17.0 > + > diff --git a/meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch b/meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch > new file mode 100644 > index 0000000000..37a43ae95a > --- /dev/null > +++ b/meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch > @@ -0,0 +1,82 @@ > +Backport upstream patch to fix CVE-2018-12911. > + > +Upstream-Status: Backport [https://trac.webkit.org/changeset/233404/webkit] > +CVE: CVE-2018-12911 > + > +Signed-off-by: Kai Kang <kai.kang@windriver.com> > + > +From 6a3897a790ff38184aca8032abcd89e8339fdcef Mon Sep 17 00:00:00 2001 > +From: "mcatanzaro@igalia.com" > + <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> > +Date: Sun, 1 Jul 2018 01:15:38 +0000 > +Subject: [PATCH] Fix off-by-one error in xdg_mime_get_simple_globs > + https://bugs.webkit.org/show_bug.cgi?id=186554 > + > +Reviewed by Daniel Bates. > + > +We have an off-by-one error here in some code that was added for WebKit. (This is not an > +issue with upstream xdgmime.) > + > +No new tests. This problem is caught by TestDownloads, but only when running with ASan > +enabled. > + > +* xdgmime/src/xdgmimecache.c: > +(get_simple_globs): > +* xdgmime/src/xdgmimeglob.c: > +(get_simple_globs): > + > +git-svn-id: http://svn.webkit.org/repository/webkit/trunk@233404 268f45cc-cd09-0410-ab3c-d52691b4dbfc > +--- > + Source/ThirdParty/xdgmime/src/xdgmimecache.c | 5 ++++- > + Source/ThirdParty/xdgmime/src/xdgmimeglob.c | 5 ++++- > + 3 files changed, 26 insertions(+), 2 deletions(-) > + > +diff --git a/Source/ThirdParty/xdgmime/src/xdgmimecache.c b/Source/ThirdParty/xdgmime/src/xdgmimecache.c > +index 9600b9019e2..bdc1973b872 100644 > +--- a/Source/ThirdParty/xdgmime/src/xdgmimecache.c > ++++ b/Source/ThirdParty/xdgmime/src/xdgmimecache.c > +@@ -1047,6 +1047,9 @@ get_simple_globs (XdgMimeCache *cache, > + xdg_uint32_t child_offset; > + int i; > + > ++ assert (*n >= 0); > ++ assert (depth >= 0); > ++ > + if (*n >= n_globs) > + return FALSE; > + > +@@ -1055,7 +1058,7 @@ get_simple_globs (XdgMimeCache *cache, > + xdg_uint32_t mime_offset = GET_UINT32 (cache->buffer, offset + 4); > + > + if (strcasecmp (cache->buffer + mime_offset, mime) == 0) { > +- globs[*n] = malloc (depth * sizeof (char)); > ++ globs[*n] = malloc ((depth + 1) * sizeof (char)); > + for (i = 0; i < depth; i++) > + globs[*n][depth - i - 1] = prefix[i]; > + globs[*n][depth] = '\0'; > +diff --git a/Source/ThirdParty/xdgmime/src/xdgmimeglob.c b/Source/ThirdParty/xdgmime/src/xdgmimeglob.c > +index 6fd90fc2fa3..ebe3a0de00c 100644 > +--- a/Source/ThirdParty/xdgmime/src/xdgmimeglob.c > ++++ b/Source/ThirdParty/xdgmime/src/xdgmimeglob.c > +@@ -484,6 +484,9 @@ get_simple_globs (XdgGlobHashNode *glob_hash_node, > + xdg_unichar_t *prefix, > + int depth) > + { > ++ assert (*n >= 0); > ++ assert (depth >= 0); > ++ > + if (*n >= n_globs) > + return FALSE; > + > +@@ -495,7 +498,7 @@ get_simple_globs (XdgGlobHashNode *glob_hash_node, > + { > + int i; > + > +- globs[*n] = malloc (depth * sizeof (char)); > ++ globs[*n] = malloc ((depth + 1) * sizeof (char)); > + for (i = 0; i < depth; i++) > + globs[*n][depth - i - 1] = prefix[i]; > + globs[*n][depth] = '\0'; > +-- > +2.17.0 > + > diff --git a/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb b/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb > index a528c5d891..be8d88fca8 100644 > --- a/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb > +++ b/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb > @@ -22,6 +22,8 @@ SRC_URI = "http://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \ > file://detect-gstreamer-gl.patch \ > file://0012-soup-Forward-declare-URL-class.patch \ > file://0001-Fix-PaintingData-has-no-member-named-lightVector-on-.patch \ > + file://0001-Fix-CVE-2017-17821.patch \ > + file://0002-Fix-CVE-2018-12911.patch \ > " > > SRC_URI[md5sum] = "efb69a0cc3cc67ef2647efec22e44c69" > -- > 2.18.0 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/1] webkitgtk: fix CVEs 2018-08-30 9:29 ` Alexander Kanavin @ 2018-08-31 1:43 ` Kang Kai 0 siblings, 0 replies; 4+ messages in thread From: Kang Kai @ 2018-08-31 1:43 UTC (permalink / raw) To: Alexander Kanavin; +Cc: OE-core On 2018年08月30日 17:29, Alexander Kanavin wrote: > Isn't it better - and simpler - to just update webkitgtk itself? > 2.20.3 to 2.20.5. Upgrade to 2.20.5 is better but I am afraid whether the upgrade could be accepted after M3. And commit to fix CVE-2018-12911 is also not included in 2.20.5. Regards, Kai > > Alex > > 2018-08-30 4:46 GMT+02:00 <kai.kang@windriver.com>: >> From: Kai Kang <kai.kang@windriver.com> >> >> Backport patches to fix CVE-2017-17821 and CVE-2018-12911 for webkitgtk. >> >> Signed-off-by: Kai Kang <kai.kang@windriver.com> >> --- >> .../webkitgtk/0001-Fix-CVE-2017-17821.patch | 44 ++++++++++ >> .../webkitgtk/0002-Fix-CVE-2018-12911.patch | 82 +++++++++++++++++++ >> meta/recipes-sato/webkit/webkitgtk_2.20.3.bb | 2 + >> 3 files changed, 128 insertions(+) >> create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch >> create mode 100644 meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch >> >> diff --git a/meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch b/meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch >> new file mode 100644 >> index 0000000000..a3f7599276 >> --- /dev/null >> +++ b/meta/recipes-sato/webkit/webkitgtk/0001-Fix-CVE-2017-17821.patch >> @@ -0,0 +1,44 @@ >> +Backport patch to fix CVE-2017-17821. Refer to >> +https://security-tracker.debian.org/tracker/CVE-2017-17821. >> + >> +Upstream-Status: Backport [https://trac.webkit.org/changeset/232119/webkit] >> +CVE: CVE-2017-17821 >> + >> +Signed-off-by: Kai Kang <kai.kang@windriver.com> >> + >> +From 2a17b15297eb886b0bfb7d098ef607cfad6c3da0 Mon Sep 17 00:00:00 2001 >> +From: "mcatanzaro@igalia.com" >> + <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> >> +Date: Wed, 23 May 2018 17:54:01 +0000 >> +Subject: [PATCH] Prohibit shrinking the FastBitVector >> + https://bugs.webkit.org/show_bug.cgi?id=181020 >> + >> +Reviewed by Oliver Hunt. >> + >> +Prohibit shrinking the FastBitVector. It's not prepared for this and the current usage does >> +not require it. >> + >> +* wtf/FastBitVector.cpp: >> +(WTF::FastBitVectorWordOwner::resizeSlow): >> + >> +git-svn-id: http://svn.webkit.org/repository/webkit/trunk@232119 268f45cc-cd09-0410-ab3c-d52691b4dbfc >> +--- >> + Source/WTF/wtf/FastBitVector.cpp | 2 ++ >> + 2 files changed, 15 insertions(+) >> + >> +diff --git a/Source/WTF/wtf/FastBitVector.cpp b/Source/WTF/wtf/FastBitVector.cpp >> +index eed316975f4..8b019aaa3ed 100644 >> +--- a/Source/WTF/wtf/FastBitVector.cpp >> ++++ b/Source/WTF/wtf/FastBitVector.cpp >> +@@ -42,6 +42,8 @@ void FastBitVectorWordOwner::setEqualsSlow(const FastBitVectorWordOwner& other) >> + void FastBitVectorWordOwner::resizeSlow(size_t numBits) >> + { >> + size_t newLength = fastBitVectorArrayLength(numBits); >> ++ >> ++ RELEASE_ASSERT(newLength >= arrayLength()); >> + >> + // Use fastCalloc instead of fastRealloc because we expect the common >> + // use case for this method to be initializing the size of the bitvector. >> +-- >> +2.17.0 >> + >> diff --git a/meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch b/meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch >> new file mode 100644 >> index 0000000000..37a43ae95a >> --- /dev/null >> +++ b/meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch >> @@ -0,0 +1,82 @@ >> +Backport upstream patch to fix CVE-2018-12911. >> + >> +Upstream-Status: Backport [https://trac.webkit.org/changeset/233404/webkit] >> +CVE: CVE-2018-12911 >> + >> +Signed-off-by: Kai Kang <kai.kang@windriver.com> >> + >> +From 6a3897a790ff38184aca8032abcd89e8339fdcef Mon Sep 17 00:00:00 2001 >> +From: "mcatanzaro@igalia.com" >> + <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> >> +Date: Sun, 1 Jul 2018 01:15:38 +0000 >> +Subject: [PATCH] Fix off-by-one error in xdg_mime_get_simple_globs >> + https://bugs.webkit.org/show_bug.cgi?id=186554 >> + >> +Reviewed by Daniel Bates. >> + >> +We have an off-by-one error here in some code that was added for WebKit. (This is not an >> +issue with upstream xdgmime.) >> + >> +No new tests. This problem is caught by TestDownloads, but only when running with ASan >> +enabled. >> + >> +* xdgmime/src/xdgmimecache.c: >> +(get_simple_globs): >> +* xdgmime/src/xdgmimeglob.c: >> +(get_simple_globs): >> + >> +git-svn-id: http://svn.webkit.org/repository/webkit/trunk@233404 268f45cc-cd09-0410-ab3c-d52691b4dbfc >> +--- >> + Source/ThirdParty/xdgmime/src/xdgmimecache.c | 5 ++++- >> + Source/ThirdParty/xdgmime/src/xdgmimeglob.c | 5 ++++- >> + 3 files changed, 26 insertions(+), 2 deletions(-) >> + >> +diff --git a/Source/ThirdParty/xdgmime/src/xdgmimecache.c b/Source/ThirdParty/xdgmime/src/xdgmimecache.c >> +index 9600b9019e2..bdc1973b872 100644 >> +--- a/Source/ThirdParty/xdgmime/src/xdgmimecache.c >> ++++ b/Source/ThirdParty/xdgmime/src/xdgmimecache.c >> +@@ -1047,6 +1047,9 @@ get_simple_globs (XdgMimeCache *cache, >> + xdg_uint32_t child_offset; >> + int i; >> + >> ++ assert (*n >= 0); >> ++ assert (depth >= 0); >> ++ >> + if (*n >= n_globs) >> + return FALSE; >> + >> +@@ -1055,7 +1058,7 @@ get_simple_globs (XdgMimeCache *cache, >> + xdg_uint32_t mime_offset = GET_UINT32 (cache->buffer, offset + 4); >> + >> + if (strcasecmp (cache->buffer + mime_offset, mime) == 0) { >> +- globs[*n] = malloc (depth * sizeof (char)); >> ++ globs[*n] = malloc ((depth + 1) * sizeof (char)); >> + for (i = 0; i < depth; i++) >> + globs[*n][depth - i - 1] = prefix[i]; >> + globs[*n][depth] = '\0'; >> +diff --git a/Source/ThirdParty/xdgmime/src/xdgmimeglob.c b/Source/ThirdParty/xdgmime/src/xdgmimeglob.c >> +index 6fd90fc2fa3..ebe3a0de00c 100644 >> +--- a/Source/ThirdParty/xdgmime/src/xdgmimeglob.c >> ++++ b/Source/ThirdParty/xdgmime/src/xdgmimeglob.c >> +@@ -484,6 +484,9 @@ get_simple_globs (XdgGlobHashNode *glob_hash_node, >> + xdg_unichar_t *prefix, >> + int depth) >> + { >> ++ assert (*n >= 0); >> ++ assert (depth >= 0); >> ++ >> + if (*n >= n_globs) >> + return FALSE; >> + >> +@@ -495,7 +498,7 @@ get_simple_globs (XdgGlobHashNode *glob_hash_node, >> + { >> + int i; >> + >> +- globs[*n] = malloc (depth * sizeof (char)); >> ++ globs[*n] = malloc ((depth + 1) * sizeof (char)); >> + for (i = 0; i < depth; i++) >> + globs[*n][depth - i - 1] = prefix[i]; >> + globs[*n][depth] = '\0'; >> +-- >> +2.17.0 >> + >> diff --git a/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb b/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb >> index a528c5d891..be8d88fca8 100644 >> --- a/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb >> +++ b/meta/recipes-sato/webkit/webkitgtk_2.20.3.bb >> @@ -22,6 +22,8 @@ SRC_URI = "http://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \ >> file://detect-gstreamer-gl.patch \ >> file://0012-soup-Forward-declare-URL-class.patch \ >> file://0001-Fix-PaintingData-has-no-member-named-lightVector-on-.patch \ >> + file://0001-Fix-CVE-2017-17821.patch \ >> + file://0002-Fix-CVE-2018-12911.patch \ >> " >> >> SRC_URI[md5sum] = "efb69a0cc3cc67ef2647efec22e44c69" >> -- >> 2.18.0 >> >> -- >> _______________________________________________ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-core -- Regards, Neil | Kai Kang ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-08-31 1:44 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-08-30 2:46 [PATCH 0/1] webkitgtk: fix CVEs kai.kang 2018-08-30 2:46 ` [PATCH 1/1] " kai.kang 2018-08-30 9:29 ` Alexander Kanavin 2018-08-31 1:43 ` Kang Kai
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox