[OE-core] [sumo][PATCH 6/8] systemd: Security fix CVE-2018-16866
George McCollister
george.mccollister at gmail.com
Mon Feb 25 16:37:11 UTC 2019
From: Marcus Cooper <marcus.cooper at axis.com>
Affects < v240
Signed-off-by: Marcus Cooper <marcusc at axis.com>
>From v2 patch on openembedded-core at lists.openembedded.org
Incresed file name number from 0026 to 0027.
Signed-off-by: George McCollister <george.mccollister at gmail.com>
---
...nal-fix-out-of-bounds-read-CVE-2018-16866.patch | 49 ++++++++++++++++++++++
meta/recipes-core/systemd/systemd_237.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
diff --git a/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
new file mode 100644
index 0000000000..3925a4abbb
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
@@ -0,0 +1,49 @@
+From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001
+From: Filipe Brandenburger <filbranden at google.com>
+Date: Thu, 10 Jan 2019 14:53:33 -0800
+Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866
+
+The original code didn't account for the fact that strchr() would match on the
+'\0' character, making it read past the end of the buffer if no non-whitespace
+character was present.
+
+This bug was introduced in commit ec5ff4445cca6a which was first released in
+systemd v221 and later fixed in commit 8595102d3ddde6 which was released in
+v240, so versions in the range [v221, v240) are affected.
+
+Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b
+also includes a change from systemd master which removes a heap buffer overflow
+a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
+
+CVE: CVE-2018-16866
+Upstream-Status: Backport
+Signed-off-by: Marcus Cooper <marcusc at axis.com>
+---
+ src/journal/journald-syslog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
+index 9dea116722..809b318c06 100644
+--- a/src/journal/journald-syslog.c
++++ b/src/journal/journald-syslog.c
+@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
+ e = l;
+ l--;
+
+- if (p[l-1] == ']') {
++ if (l > 0 && p[l-1] == ']') {
+ size_t k = l-1;
+
+ for (;;) {
+@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
+ if (t)
+ *identifier = t;
+
+- if (strchr(WHITESPACE, p[e]))
++ if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
+ e++;
+ *buf = p + e;
+ return e;
+--
+2.11.0
+
diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb
index e6ef385f52..b53221896f 100644
--- a/meta/recipes-core/systemd/systemd_237.bb
+++ b/meta/recipes-core/systemd/systemd_237.bb
@@ -60,6 +60,7 @@ SRC_URI += "file://touchscreen.rules \
file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \
file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \
+ file://0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
"
SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
--
2.11.0
More information about the Openembedded-core
mailing list