diff options
Diffstat (limited to 'poky/meta/recipes-support')
15 files changed, 449 insertions, 2 deletions
diff --git a/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch new file mode 100644 index 000000000..57e745331 --- /dev/null +++ b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch @@ -0,0 +1,135 @@ +From 6b638fa9afbeb54dfa19378e391465a5284ce1ad Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Wed, 12 Sep 2018 17:16:36 +0800 +Subject: [PATCH] Fix error handling in gdbm + +Only check for gdbm_errno if the return value of the called gdbm_* +function says so. This fixes apr-util with gdbm 1.14, which does not +seem to always reset gdbm_errno. + +Also make the gdbm driver return error codes starting with +APR_OS_START_USEERR instead of always returning APR_EGENERAL. This is +what the berkleydb driver already does. + +Also ensure that dsize is 0 if dptr == NULL. + +Upstream-Status: Backport[https://svn.apache.org/viewvc? +view=revision&revision=1825311] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + dbm/apr_dbm_gdbm.c | 47 +++++++++++++++++++++++++++++------------------ + 1 file changed, 29 insertions(+), 18 deletions(-) + +diff --git a/dbm/apr_dbm_gdbm.c b/dbm/apr_dbm_gdbm.c +index 749447a..1c86327 100644 +--- a/dbm/apr_dbm_gdbm.c ++++ b/dbm/apr_dbm_gdbm.c +@@ -36,13 +36,25 @@ + static apr_status_t g2s(int gerr) + { + if (gerr == -1) { +- /* ### need to fix this */ +- return APR_EGENERAL; ++ if (gdbm_errno == GDBM_NO_ERROR) ++ return APR_SUCCESS; ++ return APR_OS_START_USEERR + gdbm_errno; + } + + return APR_SUCCESS; + } + ++static apr_status_t gdat2s(datum d) ++{ ++ if (d.dptr == NULL) { ++ if (gdbm_errno == GDBM_NO_ERROR || gdbm_errno == GDBM_ITEM_NOT_FOUND) ++ return APR_SUCCESS; ++ return APR_OS_START_USEERR + gdbm_errno; ++ } ++ ++ return APR_SUCCESS; ++} ++ + static apr_status_t datum_cleanup(void *dptr) + { + if (dptr) +@@ -53,22 +65,15 @@ static apr_status_t datum_cleanup(void *dptr) + + static apr_status_t set_error(apr_dbm_t *dbm, apr_status_t dbm_said) + { +- apr_status_t rv = APR_SUCCESS; + +- /* ### ignore whatever the DBM said (dbm_said); ask it explicitly */ ++ dbm->errcode = dbm_said; + +- if ((dbm->errcode = gdbm_errno) == GDBM_NO_ERROR) { ++ if (dbm_said == APR_SUCCESS) + dbm->errmsg = NULL; +- } +- else { +- dbm->errmsg = gdbm_strerror(gdbm_errno); +- rv = APR_EGENERAL; /* ### need something better */ +- } +- +- /* captured it. clear it now. */ +- gdbm_errno = GDBM_NO_ERROR; ++ else ++ dbm->errmsg = gdbm_strerror(dbm_said - APR_OS_START_USEERR); + +- return rv; ++ return dbm_said; + } + + /* -------------------------------------------------------------------------- +@@ -107,7 +112,7 @@ static apr_status_t vt_gdbm_open(apr_dbm_t **pdb, const char *pathname, + NULL); + + if (file == NULL) +- return APR_EGENERAL; /* ### need a better error */ ++ return APR_OS_START_USEERR + gdbm_errno; /* ### need a better error */ + + /* we have an open database... return it */ + *pdb = apr_pcalloc(pool, sizeof(**pdb)); +@@ -141,10 +146,12 @@ static apr_status_t vt_gdbm_fetch(apr_dbm_t *dbm, apr_datum_t key, + if (pvalue->dptr) + apr_pool_cleanup_register(dbm->pool, pvalue->dptr, datum_cleanup, + apr_pool_cleanup_null); ++ else ++ pvalue->dsize = 0; + + /* store the error info into DBM, and return a status code. Also, note + that *pvalue should have been cleared on error. */ +- return set_error(dbm, APR_SUCCESS); ++ return set_error(dbm, gdat2s(rd)); + } + + static apr_status_t vt_gdbm_store(apr_dbm_t *dbm, apr_datum_t key, +@@ -201,9 +208,11 @@ static apr_status_t vt_gdbm_firstkey(apr_dbm_t *dbm, apr_datum_t *pkey) + if (pkey->dptr) + apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup, + apr_pool_cleanup_null); ++ else ++ pkey->dsize = 0; + + /* store any error info into DBM, and return a status code. */ +- return set_error(dbm, APR_SUCCESS); ++ return set_error(dbm, gdat2s(rd)); + } + + static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey) +@@ -221,9 +230,11 @@ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey) + if (pkey->dptr) + apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup, + apr_pool_cleanup_null); ++ else ++ pkey->dsize = 0; + + /* store any error info into DBM, and return a status code. */ +- return set_error(dbm, APR_SUCCESS); ++ return set_error(dbm, gdat2s(rd)); + } + + static void vt_gdbm_freedatum(apr_dbm_t *dbm, apr_datum_t data) +-- +2.7.4 + diff --git a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb index 88b4300f9..12d71cbb6 100644 --- a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb +++ b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb @@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \ file://configfix.patch \ file://configure_fixes.patch \ file://run-ptest \ + file://0001-Fix-error-handling-in-gdbm.patch \ " SRC_URI[md5sum] = "bd502b9a8670a8012c4d90c31a84955f" diff --git a/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch b/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch new file mode 100644 index 000000000..f6f43c3d2 --- /dev/null +++ b/poky/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch @@ -0,0 +1,56 @@ +input: check end of input before reading a byte + +When reading bytes we weren't check that the index wasn't +out of bound and this could produce an invalid read which +could deal to a security bug. + +Upstream-Status: Backport[https://gitlab.gnome.org/GNOME/libcroco/ + commit/898e3a8c8c0314d2e6b106809a8e3e93cf9d4394] + +CVE: CVE-2017-7960 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> + +diff --git a/src/cr-input.c b/src/cr-input.c +index 49000b1f5f07fe057135f1b8fc69bdcf9613e300..3b63a88ee3b1c56778e58172d147d958951bf099 100644 +--- a/src/cr-input.c ++++ b/src/cr-input.c +@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc) + *we should free buf here because it's own by CRInput. + *(see the last parameter of cr_input_new_from_buf(). + */ +- buf = NULL ; ++ buf = NULL; + } + + cleanup: +@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this) + enum CRStatus + cr_input_read_byte (CRInput * a_this, guchar * a_byte) + { ++ gulong nb_bytes_left = 0; ++ + g_return_val_if_fail (a_this && PRIVATE (a_this) + && a_byte, CR_BAD_PARAM_ERROR); + +@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte) + if (PRIVATE (a_this)->end_of_input == TRUE) + return CR_END_OF_INPUT_ERROR; + ++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this); ++ ++ if (nb_bytes_left < 1) { ++ return CR_END_OF_INPUT_ERROR; ++ } ++ + *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index]; + + if (PRIVATE (a_this)->nb_bytes - +@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char) + if (*a_char == '\n') { + PRIVATE (a_this)->end_of_line = TRUE; + } +- + } + + return status; diff --git a/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb b/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb index d86ddd646..5b962ee73 100644 --- a/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb +++ b/poky/meta/recipes-support/libcroco/libcroco_0.6.12.bb @@ -16,5 +16,7 @@ BINCONFIG = "${bindir}/croco-0.6-config" inherit gnomebase gtk-doc binconfig-disabled +SRC_URI += "file://CVE-2017-7960.patch" + SRC_URI[archive.md5sum] = "bc0984fce078ba2ce29f9500c6b9ddce" SRC_URI[archive.sha256sum] = "ddc4b5546c9fb4280a5017e2707fbd4839034ed1aba5b7d4372212f34f84f860" diff --git a/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch b/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch new file mode 100644 index 000000000..e49481ff8 --- /dev/null +++ b/poky/meta/recipes-support/libexif/libexif/CVE-2017-7544.patch @@ -0,0 +1,40 @@ +From 8a92f964a66d476ca8907234359e92a70fc1325b Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Tue, 28 Aug 2018 15:12:10 +0800 +Subject: [PATCH] On saving makernotes, make sure the makernote container tags + has a type with 1 byte components. + +Fixes (at least): + https://sourceforge.net/p/libexif/bugs/130 + https://sourceforge.net/p/libexif/bugs/129 + +Upstream-Status: Backport[https://github.com/libexif/libexif/commit/ +c39acd1692023b26290778a02a9232c873f9d71a#diff-830e348923810f00726700b083ec00cd] + +CVE: CVE-2017-7544 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + libexif/exif-data.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index 67df4db..6bf89eb 100644 +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e, + exif_mnote_data_set_offset (data->priv->md, *ds - 6); + exif_mnote_data_save (data->priv->md, &e->data, &e->size); + e->components = e->size; ++ if (exif_format_get_size (e->format) != 1) { ++ /* e->format is taken from input code, ++ * but we need to make sure it is a 1 byte ++ * entity due to the multiplication below. */ ++ e->format = EXIF_FORMAT_UNDEFINED; ++ } + } + } + +-- +2.7.4 + diff --git a/poky/meta/recipes-support/libexif/libexif_0.6.21.bb b/poky/meta/recipes-support/libexif/libexif_0.6.21.bb index cff4caede..b550a1125 100644 --- a/poky/meta/recipes-support/libexif/libexif_0.6.21.bb +++ b/poky/meta/recipes-support/libexif/libexif_0.6.21.bb @@ -4,7 +4,8 @@ SECTION = "libs" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad" -SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2" +SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ + file://CVE-2017-7544.patch" SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27" SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a" diff --git a/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch new file mode 100644 index 000000000..4a5832ac1 --- /dev/null +++ b/poky/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch @@ -0,0 +1,29 @@ +From 99f6e1b0d68281b63218d6adfe68cd9e331ac5be Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 3 Sep 2018 10:50:08 -0700 +Subject: [PATCH] Fix syntax of a print() in the scons file to unbreak building + with most recent scons version. + +* SConstruct Use Python 3.0 valid syntax to make Scons 3.0.0 happy on both python + 3.0 and 2.7. + +Upstream-Status: Backport +[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1809132&r2=1811083&diff_format=h] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + SConstruct | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/SConstruct b/SConstruct +index 1670459..18a45fa 100644 +--- a/SConstruct ++++ b/SConstruct +@@ -184,7 +184,7 @@ CALLOUT_OKAY = not (env.GetOption('clean') or env.GetOption('help')) + + unknown = opts.UnknownVariables() + if unknown: +- print 'Warning: Used unknown variables:', ', '.join(unknown.keys()) ++ print('Warning: Used unknown variables:', ', '.join(unknown.keys())) + + apr = str(env['APR']) + apu = str(env['APU']) diff --git a/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch b/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch new file mode 100644 index 000000000..cec881ee1 --- /dev/null +++ b/poky/meta/recipes-support/serf/serf/0002-SConstruct-Fix-path-quoting-for-.def-generator.patch @@ -0,0 +1,27 @@ +From e51b4b37916dd20b13133cb7af16601b6bf3ace9 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 3 Sep 2018 10:54:54 -0700 +Subject: [PATCH] SConstruct: Fix path quoting for .def generator + +Patch by: Martin Keller <m.keller{_AT_}codesys.com> +Upstream-Status: Backport +[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1807594&r2=1809132] + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + SConstruct | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/SConstruct b/SConstruct +index 18a45fa..571bdce 100644 +--- a/SConstruct ++++ b/SConstruct +@@ -160,7 +160,7 @@ env = Environment(variables=opts, + + env.Append(BUILDERS = { + 'GenDef' : +- Builder(action = sys.executable + ' build/gen_def.py $SOURCES > $TARGET', ++ Builder(action = '"%s" "%s" $SOURCES > $TARGET' % (sys.executable, gen_def_script,), + suffix='.def', src_suffix='.h') + }) + diff --git a/poky/meta/recipes-support/serf/serf/0003-gen_def.patch b/poky/meta/recipes-support/serf/serf/0003-gen_def.patch new file mode 100644 index 000000000..e37e9034b --- /dev/null +++ b/poky/meta/recipes-support/serf/serf/0003-gen_def.patch @@ -0,0 +1,22 @@ +From 98e793d9f2250e7c1f9f1eb5dfd616a6a8829e9a Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 3 Sep 2018 11:12:27 -0700 +Subject: [PATCH] gen_def + +--- + SConstruct | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/SConstruct b/SConstruct +index 571bdce..877731e 100644 +--- a/SConstruct ++++ b/SConstruct +@@ -158,6 +158,8 @@ env = Environment(variables=opts, + ENV = os.environ, + ) + ++gen_def_script = env.File('build/gen_def.py').rstr() ++ + env.Append(BUILDERS = { + 'GenDef' : + Builder(action = '"%s" "%s" $SOURCES > $TARGET' % (sys.executable, gen_def_script,), diff --git a/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch new file mode 100644 index 000000000..02fa9e3a0 --- /dev/null +++ b/poky/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch @@ -0,0 +1,29 @@ +From 565211fd082ef653ca9c44a345350fc1451f5a0f Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 3 Sep 2018 11:12:38 -0700 +Subject: [PATCH] Follow-up to r1811083 fix building with scons 3.0.0 and + Python3 + +* SConstruct: Append decode('utf-8) to FILE.get_contents() to avoid + TypeError: cannot use a string pattern on a bytes-like object + +Upstream-Status: Backport +[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1811088&r2=1814604] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + SConstruct | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/SConstruct b/SConstruct +index 877731e..7678bb1 100644 +--- a/SConstruct ++++ b/SConstruct +@@ -169,7 +169,7 @@ env.Append(BUILDERS = { + match = re.search('SERF_MAJOR_VERSION ([0-9]+).*' + 'SERF_MINOR_VERSION ([0-9]+).*' + 'SERF_PATCH_VERSION ([0-9]+)', +- env.File('serf.h').get_contents(), ++ env.File('serf.h').get_contents().decode('utf-8'), + re.DOTALL) + MAJOR, MINOR, PATCH = [int(x) for x in match.groups()] + env.Append(MAJOR=str(MAJOR)) diff --git a/poky/meta/recipes-support/serf/serf_1.3.9.bb b/poky/meta/recipes-support/serf/serf_1.3.9.bb index 2be5a069c..65a8114bb 100644 --- a/poky/meta/recipes-support/serf/serf_1.3.9.bb +++ b/poky/meta/recipes-support/serf/serf_1.3.9.bb @@ -1,7 +1,12 @@ SUMMARY = "High-Performance Asynchronous HTTP Client Library" SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://norpath.patch \ - file://env.patch" + file://env.patch \ + file://0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch \ + file://0002-SConstruct-Fix-path-quoting-for-.def-generator.patch \ + file://0003-gen_def.patch \ + file://0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch \ + " SRC_URI[md5sum] = "370a6340ff20366ab088012cd13f2b57" SRC_URI[sha256sum] = "549c2d21c577a8a9c0450facb5cca809f26591f048e466552240947bdf7a87cc" diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch b/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch new file mode 100644 index 000000000..5d95e37af --- /dev/null +++ b/poky/meta/recipes-support/sqlite/files/CVE-2018-8740.patch @@ -0,0 +1,47 @@ +From 19aed4d2be46c4516caf2bee31f79044bbd1d57d Mon Sep 17 00:00:00 2001 +From: Sinan Kaya <okaya@kernel.org> +Date: Fri, 21 Sep 2018 16:22:01 +0000 +Subject: [PATCH] Detect databases whose schema is corrupted using a CREATE TABLE AS statement and issue an appropriate error message + +Upstream-Status: Backport [ https://www.sqlite.org/cgi/src/vdiff?from=1774f1c3baf0bc3d&to=d75e67654aa9620b&diff=1&w] +Signed-off-by: Sinan Kaya <okaya@kernel.org> +--- + sqlite3.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 73c69ef..6863bc6 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -103474,8 +103474,6 @@ SQLITE_PRIVATE void sqlite3EndTable( + p = pParse->pNewTable; + if( p==0 ) return; + +- assert( !db->init.busy || !pSelect ); +- + /* If the db->init.busy is 1 it means we are reading the SQL off the + ** "sqlite_master" or "sqlite_temp_master" table on the disk. + ** So do not write to the disk again. Extract the root page number +@@ -103486,6 +103484,10 @@ SQLITE_PRIVATE void sqlite3EndTable( + ** table itself. So mark it read-only. + */ + if( db->init.busy ){ ++ if( pSelect ){ ++ sqlite3ErrorMsg(pParse, ""); ++ return; ++ } + p->tnum = db->init.newTnum; + if( p->tnum==1 ) p->tabFlags |= TF_Readonly; + } +@@ -117813,7 +117815,7 @@ static void corruptSchema( + char *z; + if( zObj==0 ) zObj = "?"; + z = sqlite3MPrintf(db, "malformed database schema (%s)", zObj); +- if( zExtra ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra); ++ if( zExtra && zExtra[0] ) z = sqlite3MPrintf(db, "%z - %s", z, zExtra); + sqlite3DbFree(db, *pData->pzErrMsg); + *pData->pzErrMsg = z; + } +-- +2.19.0 + diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb index ef88659e9..b90f89886 100644 --- a/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb +++ b/poky/meta/recipes-support/sqlite/sqlite3_3.22.0.bb @@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0 SRC_URI = "\ http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \ + file://CVE-2018-8740.patch \ " SRC_URI[md5sum] = "96b5648d542e8afa6ab7ffb8db8ddc3d" SRC_URI[sha256sum] = "2824ab1238b706bc66127320afbdffb096361130e23291f26928a027b885c612" diff --git a/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch b/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch new file mode 100644 index 000000000..cdd66e67f --- /dev/null +++ b/poky/meta/recipes-support/taglib/taglib/CVE-2018-11439.patch @@ -0,0 +1,51 @@ +From 272648ccfcccae30e002ccf34a22e075dd477278 Mon Sep 17 00:00:00 2001 +From: Scott Gayou <github.scott@gmail.com> +Date: Mon, 4 Jun 2018 11:34:36 -0400 +Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868) + +This CVE is caused by a failure to check the minimum length +of a ogg flac header. This header is detailed in full at: +https://xiph.org/flac/ogg_mapping.html. Added more strict checking +for entire header. + +Upstream-Status: Backport +[https://github.com/taglib/taglib/pull/869/commits/272648ccfcccae30e002ccf34a22e075dd477278] + +CVE: CVE-2018-11439 + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp +index 53d0450..07ea9dc 100644 +--- a/taglib/ogg/flac/oggflacfile.cpp ++++ b/taglib/ogg/flac/oggflacfile.cpp +@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan() + + if(!metadataHeader.startsWith("fLaC")) { + // FLAC 1.1.2+ ++ // See https://xiph.org/flac/ogg_mapping.html for the header specification. ++ if(metadataHeader.size() < 13) ++ return; ++ ++ if(metadataHeader[0] != 0x7f) ++ return; ++ + if(metadataHeader.mid(1, 4) != "FLAC") + return; + +- if(metadataHeader[5] != 1) +- return; // not version 1 ++ if(metadataHeader[5] != 1 && metadataHeader[6] != 0) ++ return; // not version 1.0 ++ ++ if(metadataHeader.mid(9, 4) != "fLaC") ++ return; + + metadataHeader = metadataHeader.mid(13); + } +-- +2.7.4 + diff --git a/poky/meta/recipes-support/taglib/taglib_1.11.1.bb b/poky/meta/recipes-support/taglib/taglib_1.11.1.bb index 50439bc14..01dcf66d1 100644 --- a/poky/meta/recipes-support/taglib/taglib_1.11.1.bb +++ b/poky/meta/recipes-support/taglib/taglib_1.11.1.bb @@ -10,6 +10,7 @@ DEPENDS = "zlib" SRC_URI = "http://taglib.github.io/releases/${BP}.tar.gz \ file://CVE-2017-12678.patch \ + file://CVE-2018-11439.patch \ " SRC_URI[md5sum] = "cee7be0ccfc892fa433d6c837df9522a" |
