summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJunling Zheng <zhengjunling@huawei.com>2015-04-24 13:58:59 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-04-28 07:56:00 +0100
commit68994284f3c059b737bfc5afc2600ebd09bdf47f (patch)
tree152652114b9897ec3b75044ae3ae501fcbc67852
parentf280b4f28231ea5a416266ae022d6e4c4ea91117 (diff)
downloadopenembedded-core-68994284f3c059b737bfc5afc2600ebd09bdf47f.tar.gz
openembedded-core-68994284f3c059b737bfc5afc2600ebd09bdf47f.tar.bz2
openembedded-core-68994284f3c059b737bfc5afc2600ebd09bdf47f.zip
less: fix CVE-2014-9488
An out of bounds read access in the UTF-8 decoding can be triggered with a malformed file in the tool less. The access happens in the function is_utf8_well_formed due to a truncated multibyte character in the sample file. The bug does not crash less, it can only be made visible by running less with valgrind or compiling it with Address Sanitizer. Version 475 of less contains a fix for this issue. The file version.c contains some entry mentioning this issue (without any credit): - v475 3/2/15 Fix possible buffer overrun with invalid UTF-8 The fix is in the file line.c. We derive this patch from: https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html Thank Claire Robinson for validating it on Mageia 4 i586. Refer to: https://bugs.mageia.org/show_bug.cgi?id=15567 Signed-off-by: Junling Zheng <zhengjunling@huawei.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch49
-rw-r--r--meta/recipes-extended/less/less_471.bb4
2 files changed, 52 insertions, 1 deletions
diff --git a/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch b/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch
new file mode 100644
index 0000000000..455eafc492
--- /dev/null
+++ b/meta/recipes-extended/less/less/0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch
@@ -0,0 +1,49 @@
+From e0a1add063a657b98611c94debb3631b8ffa36fe Mon Sep 17 00:00:00 2001
+From: Junling Zheng <zhengjunling@huawei.com>
+Date: Fri, 24 Apr 2015 11:24:04 +0800
+Subject: [PATCH] Fix possible buffer overrun with invalid UTF-8
+
+An out of bounds read access in the UTF-8 decoding can be triggered with
+a malformed file in the tool less. The access happens in the function
+is_utf8_well_formed due to a truncated multibyte character in the sample
+file.
+
+The bug does not crash less, it can only be made visible by running less
+with valgrind or compiling it with Address Sanitizer.
+
+Version 475 of less contains a fix for this issue. The file version.c
+contains some entry mentioning this issue (without any credit):
+
+ - v475 3/2/15 Fix possible buffer overrun with invalid UTF-8
+
+The fix is in the file line.c. We derive this patch from:
+
+https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html
+
+Thank Claire Robinson for validating it on Mageia 4 i586. Refer to:
+
+https://bugs.mageia.org/show_bug.cgi?id=15567
+
+Upstream Status: Backported
+
+Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
+---
+ line.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/line.c b/line.c
+index 89495a3..474be2c 100644
+--- a/line.c
++++ b/line.c
+@@ -807,7 +807,7 @@ pappend(c, pos)
+ mbc_buf[mbc_buf_index++] = c;
+ if (mbc_buf_index < mbc_buf_len)
+ return (0);
+- if (is_utf8_well_formed(mbc_buf))
++ if (is_utf8_well_formed(mbc_buf, mbc_buf_index))
+ r = do_append(get_wchar(mbc_buf), mbc_buf, mbc_pos);
+ else
+ /* Complete, but not shortest form, sequence. */
+--
+1.9.1
+
diff --git a/meta/recipes-extended/less/less_471.bb b/meta/recipes-extended/less/less_471.bb
index 81d354ccf0..72d256276b 100644
--- a/meta/recipes-extended/less/less_471.bb
+++ b/meta/recipes-extended/less/less_471.bb
@@ -24,7 +24,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
file://LICENSE;md5=866cc220f330b04ae4661fc3cdfedea7"
DEPENDS = "ncurses"
-SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz"
+SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
+ file://0001-Fix-possible-buffer-overrun-with-invalid-UTF-8.patch \
+ "
SRC_URI[md5sum] = "9a40d29a2d84b41f9f36d7dd90b4f950"
SRC_URI[sha256sum] = "37f613fa9a526378788d790a92217d59b523574cf7159f6538da8564b3fb27f8"