[oe-commits] Junling Zheng : less: fix CVE-2014-9488

git at git.openembedded.org git at git.openembedded.org
Fri May 15 17:14:24 UTC 2015 

Module: openembedded-core.git
Branch: fido
Commit: 7195d219f7af2b94dffb87a94077ec98dacdcdb0
URL:    http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=7195d219f7af2b94dffb87a94077ec98dacdcdb0

Author: Junling Zheng <zhengjunling at huawei.com>
Date:   Fri Apr 24 13:58:59 2015 +0800

less: fix CVE-2014-9488

An out of bounds read access in the UTF-8 decoding can be triggered with
a malformed file in the tool less. The access happens in the function
is_utf8_well_formed due to a truncated multibyte character in the sample
file.

The bug does not crash less, it can only be made visible by running less
with valgrind or compiling it with Address Sanitizer.

Version 475 of less contains a fix for this issue. The file version.c
contains some entry mentioning this issue (without any credit):

 - v475 3/2/15 Fix possible buffer overrun with invalid UTF-8

The fix is in the file line.c. We derive this patch from:

https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html

Thank Claire Robinson for validating it on Mageia 4 i586. Refer to:

https://bugs.mageia.org/show_bug.cgi?id=15567

(From OE-Core master rev: 68994284f3c059b737bfc5afc2600ebd09bdf47f)

Signed-off-by: Junling Zheng <zhengjunling at huawei.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

---

 ...ossible-buffer-overrun-with-invalid-UTF-8.patch | 49 ++++++++++++++++++++++
 meta/recipes-extended/less/less_471.bb             |  4 +-
 2 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch b/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch
new file mode 100644
index 0000000..455eafc
--- /dev/null
+++ b/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch
@@ -0,0 +1,49 @@
+From e0a1add063a657b98611c94debb3631b8ffa36fe Mon Sep 17 00:00:00 2001
+From: Junling Zheng <zhengjunling at huawei.com>
+Date: Fri, 24 Apr 2015 11:24:04 +0800
+Subject: [PATCH] Fix possible buffer overrun with invalid UTF-8
+
+An out of bounds read access in the UTF-8 decoding can be triggered with
+a malformed file in the tool less. The access happens in the function
+is_utf8_well_formed due to a truncated multibyte character in the sample
+file.
+
+The bug does not crash less, it can only be made visible by running less
+with valgrind or compiling it with Address Sanitizer.
+
+Version 475 of less contains a fix for this issue. The file version.c
+contains some entry mentioning this issue (without any credit):
+
+ - v475 3/2/15 Fix possible buffer overrun with invalid UTF-8
+
+The fix is in the file line.c. We derive this patch from:
+
+https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html
+
+Thank Claire Robinson for validating it on Mageia 4 i586. Refer to:
+
+https://bugs.mageia.org/show_bug.cgi?id=15567
+
+Upstream Status: Backported
+
+Signed-off-by: Junling Zheng <zhengjunling at huawei.com>
+---
+ line.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/line.c b/line.c
+index 89495a3..474be2c 100644
+--- a/line.c
++++ b/line.c
+@@ -807,7 +807,7 @@ pappend(c, pos)
+ 			mbc_buf[mbc_buf_index++] = c;
+ 			if (mbc_buf_index < mbc_buf_len)
+ 				return (0);
+-			if (is_utf8_well_formed(mbc_buf))
++			if (is_utf8_well_formed(mbc_buf, mbc_buf_index))
+ 				r = do_append(get_wchar(mbc_buf), mbc_buf, mbc_pos);
+ 			else
+ 				/* Complete, but not shortest form, sequence. */
+-- 
+1.9.1
+
diff --git a/meta/recipes-extended/less/less_471.bb b/meta/recipes-extended/less/less_471.bb
index 81d354c..72d2562 100644
--- a/meta/recipes-extended/less/less_471.bb
+++ b/meta/recipes-extended/less/less_471.bb
@@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
                     file://LICENSE;md5=866cc220f330b04ae4661fc3cdfedea7"
 DEPENDS = "ncurses"
 
-SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz"
+SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
+	   file://0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch \
+	  "
 
 SRC_URI[md5sum] = "9a40d29a2d84b41f9f36d7dd90b4f950"
 SRC_URI[sha256sum] = "37f613fa9a526378788d790a92217d59b523574cf7159f6538da8564b3fb27f8"

More information about the Openembedded-commits mailing list