diff options
| author | Xufeng Zhang <xufeng.zhang@windriver.com> | 2014-07-23 23:27:47 -0400 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-07-25 15:33:34 +0100 |
| commit | 191cab2f679491c2b6ddba49c5cf4886dcd22f57 (patch) | |
| tree | 3e62a3357d3f46d8ffc9b7c87ac4f85c095679e7 /meta/recipes-support | |
| parent | 86c2483f0fe05fb763d280ae22d70e54cb4bb0bc (diff) | |
| download | openembedded-core-191cab2f679491c2b6ddba49c5cf4886dcd22f57.tar.gz openembedded-core-191cab2f679491c2b6ddba49c5cf4886dcd22f57.tar.bz2 openembedded-core-191cab2f679491c2b6ddba49c5cf4886dcd22f57.zip | |
nspr: Fix for CVE-2014-1545
Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote
attackers to execute arbitrary code or cause a denial of service
(out-of-bounds write) via vectors involving the sprintf and console
functions.Per: http://cwe.mitre.org/data/definitions/787.html
Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
| -rw-r--r-- | meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch | 67 | ||||
| -rw-r--r-- | meta/recipes-support/nspr/nspr_4.10.3.bb | 1 |
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch b/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch new file mode 100644 index 0000000000..565ff168e0 --- /dev/null +++ b/meta/recipes-support/nspr/nspr/nspr-CVE-2014-1545.patch @@ -0,0 +1,67 @@ +Fix for CVE-2014-1545 + +Upstream-Status: Backport + +Backported from nspr-4.10.6.tar.gz. +--- +--- a/pr/src/io/prprf.c ++++ b/pr/src/io/prprf.c +@@ -50,6 +50,10 @@ + #include "prlog.h" + #include "prmem.h" + ++#ifdef _MSC_VER ++#define snprintf _snprintf ++#endif ++ + /* + ** WARNING: This code may *NOT* call PR_LOG (because PR_LOG calls it) + */ +@@ -330,7 +334,7 @@ + ** Convert a double precision floating point number into its printable + ** form. + ** +-** XXX stop using sprintf to convert floating point ++** XXX stop using snprintf to convert floating point + */ + static int cvt_f(SprintfState *ss, double d, const char *fmt0, const char *fmt1) + { +@@ -338,15 +342,14 @@ + char fout[300]; + int amount = fmt1 - fmt0; + +- PR_ASSERT((amount > 0) && (amount < sizeof(fin))); +- if (amount >= sizeof(fin)) { +- /* Totally bogus % command to sprintf. Just ignore it */ ++ if (amount <= 0 || amount >= sizeof(fin)) { ++ /* Totally bogus % command to snprintf. Just ignore it */ + return 0; + } + memcpy(fin, fmt0, amount); + fin[amount] = 0; + +- /* Convert floating point using the native sprintf code */ ++ /* Convert floating point using the native snprintf code */ + #ifdef DEBUG + { + const char *p = fin; +@@ -356,14 +359,11 @@ + } + } + #endif +- sprintf(fout, fin, d); +- +- /* +- ** This assert will catch overflow's of fout, when building with +- ** debugging on. At least this way we can track down the evil piece +- ** of calling code and fix it! +- */ +- PR_ASSERT(strlen(fout) < sizeof(fout)); ++ memset(fout, 0, sizeof(fout)); ++ snprintf(fout, sizeof(fout), fin, d); ++ /* Explicitly null-terminate fout because on Windows snprintf doesn't ++ * append a null-terminator if the buffer is too small. */ ++ fout[sizeof(fout) - 1] = '\0'; + + return (*ss->stuff)(ss, fout, strlen(fout)); + } diff --git a/meta/recipes-support/nspr/nspr_4.10.3.bb b/meta/recipes-support/nspr/nspr_4.10.3.bb index 0adfe3b3a3..60e1bfa7b1 100644 --- a/meta/recipes-support/nspr/nspr_4.10.3.bb +++ b/meta/recipes-support/nspr/nspr_4.10.3.bb @@ -9,6 +9,7 @@ SRC_URI = "ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v${PV}/src/nspr-$ file://remove-rpath-from-tests.patch \ file://fix-build-on-x86_64.patch \ file://trickly-fix-build-on-x86_64.patch \ + file://nspr-CVE-2014-1545.patch \ " SRC_URI += "file://nspr.pc.in" |