[OE-core] [PATCH] glibc: fix CVE-2019-9169

Thu Mar 21 13:40:53 UTC 2019

LGTM

On Thu, Mar 21, 2019 at 5:31 AM Ross Burton <ross.burton at intel.com> wrote:
>
> Signed-off-by: Ross Burton <ross.burton at intel.com>
> ---
>  meta/recipes-core/glibc/glibc/CVE-2019-9169.patch | 36 +++++++++++++++++++++++
>  meta/recipes-core/glibc/glibc_2.29.bb             |  1 +
>  2 files changed, 37 insertions(+)
>  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
> new file mode 100644
> index 00000000000..bc40361c5d7
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
> @@ -0,0 +1,36 @@
> +CVE: CVE-2019-9169
> +Upstream-Status: Backport
> +Signed-off-by: Ross Burton <ross.burton at intel.com>
> +
> +From 583dd860d5b833037175247230a328f0050dbfe9 Mon Sep 17 00:00:00 2001
> +From: Paul Eggert <eggert at cs.ucla.edu>
> +Date: Mon, 21 Jan 2019 11:08:13 -0800
> +Subject: [PATCH] regex: fix read overrun [BZ #24114]
> +
> +Problem found by AddressSanitizer, reported by Hongxu Chen in:
> +https://debbugs.gnu.org/34140
> +* posix/regexec.c (proceed_next_node):
> +Do not read past end of input buffer.
> +---
> + posix/regexec.c |  6 ++++--
> + 2 files changed, 13 insertions(+), 3 deletions(-)
> +
> +diff --git a/posix/regexec.c b/posix/regexec.c
> +index 91d5a79..084b122 100644
> +--- a/posix/regexec.c
> ++++ b/posix/regexec.c
> +@@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
> +             else if (naccepted)
> +               {
> +                 char *buf = (char *) re_string_get_buffer (&mctx->input);
> +-                if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
> +-                            naccepted) != 0)
> ++                if (mctx->input.valid_len - *pidx < naccepted
> ++                    || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
> ++                                naccepted)
> ++                        != 0))
> +                   return -1;
> +               }
> +           }
> +--
> +2.9.3
> diff --git a/meta/recipes-core/glibc/glibc_2.29.bb b/meta/recipes-core/glibc/glibc_2.29.bb
> index db856c70adb..9184c5932cc 100644
> --- a/meta/recipes-core/glibc/glibc_2.29.bb
> +++ b/meta/recipes-core/glibc/glibc_2.29.bb
> @@ -55,6 +55,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
>             file://0029-inject-file-assembly-directives.patch \
>             file://0030-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
>             file://0001-x86-64-memcmp-Use-unsigned-Jcc-instructions-on-size-.patch \
> +           file://CVE-2019-9169.patch \
>  "
>
>  S = "${WORKDIR}/git"
> --
> 2.11.0
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core