[OE-core] [zeus 5/8] bzip2: Fix CVE-2019-12900

Mittal, Anuj anuj.mittal at intel.com
Wed Feb 5 00:44:36 UTC 2020 

I think this should be reverted. Sorry, I had given comments at the time patch was sent but missed this in zeus review.

http://lists.openembedded.org/pipermail/openembedded-core/2020-January/291826.html

This CVE is not applicable to 1.0.7. This is not failing because the CVE patch file is not included in SRC_URI in recipe.

Thanks,

Anuj 

> -----Original Message-----
> From: openembedded-core-bounces at lists.openembedded.org <openembedded-core-
> bounces at lists.openembedded.org> On Behalf Of Armin Kuster
> Sent: Tuesday, February 4, 2020 11:06 PM
> To: openembedded-core at openembedded.org
> Subject: [OE-core] [zeus 5/8] bzip2: Fix CVE-2019-12900
> 
> From: Sana Kazi <Sana.Kazi at kpit.com>
> 
> Added patch for CVE-2019-12900 as backport from upstream.
> Fixes out of bound access discovered while fuzzying karchive.
> 
> Tested by: Sana.Kazi at kpit.com
> 
> Signed-off-by: Saloni Jain <Saloni.Jain at kpit.com>
> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
> ---
>  .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    | 36 +++++++++++++++++++
>  1 file changed, 36 insertions(+)
>  create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-
> 12900.patch
> 
> diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> new file mode 100644
> index 0000000000..9859d9d1a2
> --- /dev/null
> +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> @@ -0,0 +1,36 @@
> +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
> +From: Albert Astals Cid <aacid at kde.org>
> +Date: Tue, 28 May 2019 19:35:18 +0200
> +Subject: [PATCH] Make sure nSelectors is not out of range
> +
> +nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
> +which is
> +UChar    selectorMtf[BZ_MAX_SELECTORS];
> +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid
> +memory access Fixes out of bounds access discovered while fuzzying
> +karchive
> +
> +Link:
> +https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef
> +9824db71a8ffee5962cdbc.patch
> +
> +Upstream-Status: Backport
> +CVE: CVE-2019-12900.patch
> +Signed-off-by: Saloni Jain <Saloni.Jain at kpit.com>
> +---
> + decompress.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/decompress.c b/decompress.c index ab6a624..f3db91d 100644
> +--- a/decompress.c
> ++++ b/decompress.c
> +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> +       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> +       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> +       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> +-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> ++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS)
> ++ RETURN(BZ_DATA_ERROR);
> +       for (i = 0; i < nSelectors; i++) {
> +          j = 0;
> +          while (True) {
> +--
> +2.22.0
> --
> 2.17.1
> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

More information about the Openembedded-core mailing list