[oe-commits] [openembedded-core] 05/17: cpio: fix crash

git at git.openembedded.org git at git.openembedded.org
Wed Nov 28 17:39:07 UTC 2018


This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch master-next
in repository openembedded-core.

commit e7b0e5f41d799aaeef8f92bdf58c8ff85857443c
Author: Ross Burton <ross.burton at intel.com>
AuthorDate: Wed Nov 28 17:27:17 2018 +0000

    cpio: fix crash
---
 .../cpio/cpio-2.12/cpio-segfault.patch             | 33 ++++++++++++++++++++++
 meta/recipes-extended/cpio/cpio_2.12.bb            |  1 +
 2 files changed, 34 insertions(+)

diff --git a/meta/recipes-extended/cpio/cpio-2.12/cpio-segfault.patch b/meta/recipes-extended/cpio/cpio-2.12/cpio-segfault.patch
new file mode 100644
index 0000000..3fffe1a
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.12/cpio-segfault.patch
@@ -0,0 +1,33 @@
+The fix in CVE-2016-2037 means that if a cpio archive is extended (as we do when generating cpio images) then cpio will segfault after attempting to use uninitialised data on the stack.
+
+This isn't a pretty fix, but it works.  I've mailed upstream about this.
+
+Upstream-Status: Pending [In discussion on bug-cpio]
+Signed-off-by: Ross Burton <ross.burton at intel.com>
+
+diff --git a/src/copyout.c b/src/copyout.c
+index 7532dac..d3de5e9 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -587,7 +587,7 @@ process_copy_out ()
+ {
+   dynamic_string input_name;	/* Name of file read from stdin.  */
+   struct stat file_stat;	/* Stat record for file.  */
+-  struct cpio_file_stat file_hdr; /* Output header information.  */
++  struct cpio_file_stat file_hdr = { 0, }; /* Output header information.  */
+   int in_file_des;		/* Source file descriptor.  */
+   int out_file_des;		/* Output file descriptor.  */
+   char *orig_file_name = NULL;
+diff --git a/src/util.c b/src/util.c
+index 10486dc..bee1e9f 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1416,7 +1416,7 @@ cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
+   static size_t buflen = 0;
+   size_t len = strlen (name) + 1;
+ 
+-  if (buflen == 0)
++  if (buflen == 0 || !file_hdr->c_name)
+     {
+       buflen = len;
+       if (buflen < 32)
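Review bot: In the src/util.c hunk, the new `|| !file_hdr->c_name` test re-enters the first-call branch, which overwrites the function-static `buflen` with `len`. `buflen` is shared by every header passed to cpio_set_c_name, while `c_name` belongs to a single header, so a later call with a zeroed header resets the recorded size to that one name's length even if another header was sized differently earlier. Storing the buffer size next to `c_name` in struct cpio_file_stat would avoid that coupling. The check also only helps when `c_name` really is NULL on first use, and the src/copyout.c hunk adds the `= { 0, }` initialiser to process_copy_out alone, so any other function that declares a struct cpio_file_stat on the stack and reaches cpio_set_c_name needs the same initialisation (plain `{ 0 }` is sufficient).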
diff --git a/meta/recipes-extended/cpio/cpio_2.12.bb b/meta/recipes-extended/cpio/cpio_2.12.bb
index 69d3698..e29624f 100644
--- a/meta/recipes-extended/cpio/cpio_2.12.bb
+++ b/meta/recipes-extended/cpio/cpio_2.12.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
            file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0001-Fix-CVE-2015-1197.patch \
            file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \
+           file://cpio-segfault.patch \
            "
 
 SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"
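Review bot: The new SRC_URI entry `file://cpio-segfault.patch` only makes sense on top of the CVE-2016-2037 patch listed directly above it, but neither the file name nor the one-line commit message "cpio: fix crash" records that dependency. A file name that refers to the CVE-2016-2037 fix, in the `0001-...` style of the neighbouring entries, and a commit body that repeats the explanation from the patch header would keep the two patches together when either one is later dropped or rebased.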

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.