diff options
Diffstat (limited to 'poky/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch')
| -rw-r--r-- | poky/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/poky/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch b/poky/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch new file mode 100644 index 0000000000..c6ec7c94e1 --- /dev/null +++ b/poky/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch @@ -0,0 +1,75 @@ +From 9368831d360c0e47df55d1bb25c3517269320c5f Mon Sep 17 00:00:00 2001 +From: Ariadne Conill <ariadne@dereferenced.org> +Date: Wed, 15 Mar 2023 16:12:43 +0800 +Subject: [PATCH] tuple: test for, and stop string processing, on truncation + +otherwise a buffer overflow occurs. +this has been a bug in pkgconf since the beginning, it seems. +instead of disclosing the bug correctly, a "hotshot" developer +decided to blog about it instead. sigh. + +https://nullprogram.com/blog/2023/01/18/ + +Upstream-Status: Backport [https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059] +CVE: CVE-2023-24056 +Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com> +--- + libpkgconf/tuple.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c +index 2d550d8..b831070 100644 +--- a/libpkgconf/tuple.c ++++ b/libpkgconf/tuple.c +@@ -293,12 +293,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const + } + } + ++ size_t remain = PKGCONF_BUFSIZE - (bptr - buf); + ptr += (pptr - ptr); + kv = pkgconf_tuple_find_global(client, varname); + if (kv != NULL) + { +- strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf)); +- bptr += strlen(kv); ++ size_t nlen = pkgconf_strlcpy(bptr, kv, remain); ++ if (nlen > remain) ++ { ++ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n"); ++ ++ bptr = buf + (PKGCONF_BUFSIZE - 1); ++ break; ++ } ++ ++ bptr += nlen; + } + else + { +@@ -306,12 +315,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const + + if (kv != NULL) + { ++ size_t nlen; ++ + parsekv = pkgconf_tuple_parse(client, vars, kv); ++ nlen = pkgconf_strlcpy(bptr, parsekv, remain); ++ free(parsekv); + +- strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf)); +- bptr += strlen(parsekv); ++ if (nlen > remain) ++ { ++ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n"); + +- free(parsekv); ++ bptr = buf + (PKGCONF_BUFSIZE - 1); ++ break; ++ } ++ ++ bptr += nlen; + } + } + } +-- +2.27.0 + |