[oe-commits] [meta-openembedded] 03/13: sharutils: CVE-2018-1000097

git at git.openembedded.org git at git.openembedded.org
Wed Oct 17 16:20:15 UTC 2018


This is an automated email from the git hooks/post-receive script.

khem pushed a commit to branch master-next
in repository meta-openembedded.

commit bc14dcccfd7d048fbd826e571949a521d45fd86c
Author: Sinan Kaya <okaya at kernel.org>
AuthorDate: Tue Oct 16 22:18:45 2018 +0000

    sharutils: CVE-2018-1000097
    
    *CVE
    Sharutils (unshar command) version 4.15.2 contains a buffer overflow
    vulnerability in the file unshar.c at line 75, function
    looks_like_c_code: failure to perform checking of the buffer
    containing the input line, which could lead to code execution.
    This attack appears to be exploitable if the victim runs the unshar
    command on a specially crafted file.
    
    Affects = 4.15.2
    
    CVE: CVE-2018-1000097
    Ref: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000097.html?_ga=2.104716162.363845622.1539703460-954328166.1533363715
    Signed-off-by: Sinan Kaya <okaya at kernel.org>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
---
 .../sharutils/sharutils/CVE-2018-1000097.patch     | 61 ++++++++++++++++++++++
 .../recipes-support/sharutils/sharutils_4.15.2.bb  |  1 +
 2 files changed, 62 insertions(+)

diff --git a/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch b/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch
new file mode 100644
index 0000000..99dc4e3
--- /dev/null
+++ b/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch
@@ -0,0 +1,61 @@
+From bd68ae1271598e8fdc72f2adb457e6882604582d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Thu, 22 Feb 2018 16:39:43 +0100
+Subject: [PATCH] Fix a heap-buffer-overflow in find_archive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+rw_buffer has allocated rw_base_size bytes. But subsequend fgets() in
+find_archive() reads up-to BUFSIZ bytes.
+
+On my system, BUFSIZ is 8192. rw_base_size is usually equaled to
+a memory page size, 4096 on my system. Thus find_archive() can write
+beyonded allocated memmory for rw_buffer array:
+
+$ valgrind -- ./unshar /tmp/id\:000000\,sig\:06\,src\:000005+000030\,op\:splice\,rep\:4
+==30582== Memcheck, a memory error detector
+==30582== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==30582== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
+==30582== Command: ./unshar /tmp/id:000000,sig:06,src:000005+000030,op:splice,rep:4
+==30582==
+==30582== Invalid write of size 1
+==30582==    at 0x4EAB480: _IO_getline_info (in /usr/lib64/libc-2.27.so)
+==30582==    by 0x4EB47C2: fgets_unlocked (in /usr/lib64/libc-2.27.so)
+==30582==    by 0x10BF60: fgets_unlocked (stdio2.h:320)
+==30582==    by 0x10BF60: find_archive (unshar.c:243)
+==30582==    by 0x10BF60: unshar_file (unshar.c:379)
+==30582==    by 0x10BCCC: validate_fname (unshar-opts.c:604)
+==30582==    by 0x10BCCC: main (unshar-opts.c:639)
+==30582==  Address 0x523a790 is 0 bytes after a block of size 4,096 alloc'd
+==30582==    at 0x4C2DBBB: malloc (vg_replace_malloc.c:299)
+==30582==    by 0x10C670: init_unshar (unshar.c:450)
+==30582==    by 0x10BC55: main (unshar-opts.c:630)
+
+This was reported in
+<http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html>.
+
+CVE: CVE-2018-1000097
+Upstream-Status: no upstream [http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html]
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+Signed-off-by: Sinan Kaya <okaya at kernel.org>
+---
+ src/unshar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/unshar.c b/src/unshar.c
+index 80bc3a9..0fc3773 100644
+--- a/src/unshar.c
++++ b/src/unshar.c
+@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start)
+       off_t position = ftello (file);
+ 
+       /* Read next line, fail if no more and no previous process.  */
+-      if (!fgets (rw_buffer, BUFSIZ, file))
++      if (!fgets (rw_buffer, rw_base_size, file))
+ 	{
+ 	  if (!start)
+ 	    error (0, 0, _("Found no shell commands in %s"), name);
+-- 
+2.19.0
+
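Review bot: The `Upstream-Status: no upstream [...]` line in the added patch header does not use one of the status values the OE patch guidelines define (Pending, Submitted, Accepted, Backport, Denied, Inappropriate); since the bracketed link is the bug-gnu-utils report, `Pending` or `Submitted [<link>]` would be the matching value. Separately, the commit message places the overflow in looks_like_c_code at unshar.c line 75, while the one-line change and the valgrind trace are both in find_archive (unshar.c:243). A sentence in the patch header stating that looks_like_c_code operates on the same rw_buffer filled by this fgets() call, if that is the case, would let a reader confirm that bounding the read to rw_base_size closes the CVE as described and not only the find_archive write shown in the trace.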
diff --git a/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb b/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb
index 812fee9..c12289b 100644
--- a/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb
+++ b/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb
@@ -8,6 +8,7 @@ inherit gettext autotools
 
 SRC_URI = "ftp://ftp.gnu.org/gnu/${BPN}/${BP}.tar.gz \
            file://0001-Fix-build-with-clang.patch \
+           file://CVE-2018-1000097.patch \
 "
 SRC_URI[md5sum] = "32a51b23e25ad5e6af4b89f228be1800"
 SRC_URI[sha256sum] = "ee336e68549664e7a19b117adf02edfdeac6307f22e5ba78baca457116914637"
