[OE-core] [thud][PATCH v2] bzip2: Fix CVE-2019-12900

Burton, Ross ross.burton at intel.com
Mon Jul 1 09:48:17 UTC 2019 

*All* security issues are fixed in master first and then bubble down
the stable branches.  Otherwise, if you just fix thud we may end up
with the next release not having the fix.

So, ideally, we upgrade master to 1.07 and then apply the backport to
the stable branches.

Ross

On Sat, 29 Jun 2019 at 22:50, <anatol.oe at belski.net> wrote:
>
> Hi,
>
>
> > -----Original Message-----
> > From: Burton, Ross <ross.burton at intel.com>
> > Sent: Saturday, June 29, 2019 9:30 PM
> > To: anatol.oe at belski.net
> > Cc: OE-core <openembedded-core at lists.openembedded.org>
> > Subject: Re: [OE-core] [thud][PATCH v2] bzip2: Fix CVE-2019-12900
> >
> > For master, lets upgrade to 1.0.7 instead.
> >
> Thanks for checking. Probably makes sense, yep. Whereby it's released just two days ago, after all the years :) Probably have time to expect some newer version.
>
> In general, should I have posted this patch against master? As seems I've targeted thud only, according to the policies below
>
> https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance
>
> Or it's going to be merged up, if accepted?
>
> Thanks
>
> Anatol
>
> > Ross
> >
> > On Sat, 29 Jun 2019 at 20:28, <anatol.oe at belski.net> wrote:
> > >
> > > From: Anatol Belski <anatol.belski at microsoft.com>
> > >
> > > Affects bzip2 <= 1.0.6
> > >
> > > Signed-off-by: Anatol Belski <anatol.belski at microsoft.com>
> > > ---
> > >  .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    | 37
> > +++++++++++++++++++
> > >  meta/recipes-extended/bzip2/bzip2_1.0.6.bb    |  3 +-
> > >  2 files changed, 39 insertions(+), 1 deletion(-)  create mode 100644
> > > meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > >
> > > diff --git
> > > a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > new file mode 100644
> > > index 0000000000..8313fdcfcc
> > > --- /dev/null
> > > +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > @@ -0,0 +1,37 @@
> > > +bzip2: Fix CVE-2019-12900
> > > +Upstream-Status: Accepted
> > >
> > +[https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d5
> > > +1ef9824db71a8ffee5962cdbc]
> > > +CVE: CVE-2019-12900
> > > +Signed-off-by: Albert Astals Cid <aacid at kde.org>
> > > +
> > > +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17
> > 00:00:00
> > > +2001
> > > +From: Albert Astals Cid <aacid at kde.org>
> > > +Date: Tue, 28 May 2019 19:35:18 +0200
> > > +Subject: [PATCH] Make sure nSelectors is not out of range
> > > +
> > > +nSelectors is used in a loop from 0 to nSelectors to access
> > > +selectorMtf which is
> > > +       UChar    selectorMtf[BZ_MAX_SELECTORS];
> > > +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid
> > > +memory access
> > > +
> > > +Fixes out of bounds access discovered while fuzzying karchive
> > > +---
> > > + decompress.c | 2 +-
> > > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > > +
> > > +diff --git a/decompress.c b/decompress.c index ab6a624..f3db91d
> > > +100644
> > > +--- a/decompress.c
> > > ++++ b/decompress.c
> > > +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> > > +       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> > > +       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> > > +       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> > > +-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> > > ++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS)
> > > ++ RETURN(BZ_DATA_ERROR);
> > > +       for (i = 0; i < nSelectors; i++) {
> > > +          j = 0;
> > > +          while (True) {
> > > +--
> > > +2.21.0
> > > +
> > > diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > index 025f45c472..6791020d05 100644
> > > --- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > +++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > @@ -6,7 +6,7 @@ HOMEPAGE = "https://sourceware.org/bzip2/"
> > >  SECTION = "console/utils"
> > >  LICENSE = "bzip2"
> > >  LIC_FILES_CHKSUM =
> > "file://LICENSE;beginline=4;endline=37;md5=39406315f540c69bd05b1531da
> > edd2ae"
> > > -PR = "r5"
> > > +PR = "r6"
> > >
> > >  SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz
> > \
> > >             file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch
> > > \ @@ -14,6 +14,7 @@ SRC_URI =
> > "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
> > >             file://Makefile.am;subdir=${BP} \
> > >             file://run-ptest \
> > >             file://CVE-2016-3189.patch \
> > > +           file://CVE-2019-12900.patch \
> > >             "
> > >
> > >  SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"
> > > --
> > > 2.17.1
> > >
> > > --
> > > _______________________________________________
> > > Openembedded-core mailing list
> > > Openembedded-core at lists.openembedded.org
> > > http://lists.openembedded.org/mailman/listinfo/openembedded-core
>

More information about the Openembedded-core mailing list