Hi Khem Raj, FYI, the patch is committed in hardknott branch, https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=hardknott&id=9df882ce6835692774c649405fcb474ea0eacda4
Regards, Vinay On Mon, Aug 16, 2021 at 8:45 PM Khem Raj <[email protected]> wrote: > > On Mon, Aug 16, 2021 at 1:59 AM Vinay Kumar <[email protected]> wrote: > > > > Hi Khen Raj, > > > > The patch for hardknott branch was also submitted. > > https://lists.openembedded.org/g/openembedded-core/message/154810 > > OK, now we have glibc 2.34 in master so the master version is not > needed anymore but we still should pursue the hardknott version. > Please bring it to hardknott maintainer's attention if need be. > > > > > Regards, > > Vinay > > > > On Sun, Aug 15, 2021 at 11:01 PM Khem Raj <[email protected]> wrote: > > > > > > On Sun, Aug 15, 2021 at 2:19 AM Alexandre Belloni > > > <[email protected]> wrote: > > > > > > > > Hello, > > > > > > > > On 15/08/2021 13:19:33+0530, Vinay Kumar wrote: > > > > > Hi Richard, > > > > > > > > > > Any update on the above patch. > > > > > Please let me know if anything is pending from my side. > > > > > > > > > > > > > I didn't test because the plan is to switch to glibc2.34 which IIRC has > > > > the fix. > > > > > > We perhaps still need it for hardknott. > > > > > > > > > > > > Regards, > > > > > Vinay > > > > > > > > > > On Wed, Jul 28, 2021 at 1:22 PM Vinay Kumar <[email protected]> > > > > > wrote: > > > > > > > > > > > > Source: https://sourceware.org/git/glibc.git > > > > > > Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=28011 > > > > > > > > > > > > Backported upstream commit 5adda61f62b77384718b4c0d8336ade8f2b4b35c > > > > > > to > > > > > > glibc-2.33 source. > > > > > > > > > > > > Upstream-Status: Backport > > > > > > [https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c] > > > > > > > > > > > > Signed-off-by: Vinay Kumar <[email protected]> > > > > > > --- > > > > > > .../glibc/glibc/CVE-2021-35942.patch | 44 > > > > > > +++++++++++++++++++ > > > > > > meta/recipes-core/glibc/glibc_2.33.bb | 1 + > > > > > > 2 files changed, 45 insertions(+) > > > > > > create mode 100644 > > > > > > meta/recipes-core/glibc/glibc/CVE-2021-35942.patch > > > > > > > > > > > > diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch > > > > > > b/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch > > > > > > new file mode 100644 > > > > > > index 0000000000..5cae1bc91c > > > > > > --- /dev/null > > > > > > +++ b/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch > > > > > > @@ -0,0 +1,44 @@ > > > > > > +From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 > > > > > > 2001 > > > > > > +From: Andreas Schwab <[email protected]> > > > > > > +Date: Fri, 25 Jun 2021 15:02:47 +0200 > > > > > > +Subject: [PATCH] wordexp: handle overflow in positional parameter > > > > > > number (bug > > > > > > + 28011) > > > > > > + > > > > > > +Use strtoul instead of atoi so that overflow can be detected. > > > > > > + > > > > > > +Upstream-Status: Backport > > > > > > [https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c] > > > > > > +CVE: CVE-2021-35942 > > > > > > +Signed-off-by: Vinay Kumar <[email protected]> > > > > > > +--- > > > > > > + posix/wordexp-test.c | 1 + > > > > > > + posix/wordexp.c | 2 +- > > > > > > + 2 files changed, 2 insertions(+), 1 deletion(-) > > > > > > + > > > > > > +diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c > > > > > > +index f93a546d7e..9df02dbbb3 100644 > > > > > > +--- a/posix/wordexp-test.c > > > > > > ++++ b/posix/wordexp-test.c > > > > > > +@@ -183,6 +183,7 @@ struct test_case_struct > > > > > > + { 0, NULL, "$var", 0, 0, { NULL, }, IFS }, > > > > > > + { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS }, > > > > > > + { 0, NULL, "", 0, 0, { NULL, }, IFS }, > > > > > > ++ { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS > > > > > > }, > > > > > > + > > > > > > + /* Flags not already covered (testit() has special handling > > > > > > for these) */ > > > > > > + { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS > > > > > > }, > > > > > > +diff --git a/posix/wordexp.c b/posix/wordexp.c > > > > > > +index bcbe96e48d..1f3b09f721 100644 > > > > > > +--- a/posix/wordexp.c > > > > > > ++++ b/posix/wordexp.c > > > > > > +@@ -1399,7 +1399,7 @@ envsubst: > > > > > > + /* Is it a numeric parameter? */ > > > > > > + else if (isdigit (env[0])) > > > > > > + { > > > > > > +- int n = atoi (env); > > > > > > ++ unsigned long n = strtoul (env, NULL, 10); > > > > > > + > > > > > > + if (n >= __libc_argc) > > > > > > + /* Substitute NULL. */ > > > > > > +-- > > > > > > +2.17.1 > > > > > > + > > > > > > diff --git a/meta/recipes-core/glibc/glibc_2.33.bb > > > > > > b/meta/recipes-core/glibc/glibc_2.33.bb > > > > > > index e9f01a14c5..abb01f8468 100644 > > > > > > --- a/meta/recipes-core/glibc/glibc_2.33.bb > > > > > > +++ b/meta/recipes-core/glibc/glibc_2.33.bb > > > > > > @@ -58,6 +58,7 @@ SRC_URI = > > > > > > "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ > > > > > > > > > > > > file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \ > > > > > > file://mte-backports.patch \ > > > > > > file://CVE-2021-33574.patch \ > > > > > > + file://CVE-2021-35942.patch \ > > > > > > " > > > > > > S = "${WORKDIR}/git" > > > > > > B = "${WORKDIR}/build-${TARGET_SYS}" > > > > > > -- > > > > > > 2.31.1 > > > > > > > > > > > > > > -- > > > > Alexandre Belloni, co-owner and COO, Bootlin > > > > Embedded Linux and Kernel engineering > > > > https://bootlin.com > > > > > > > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#154957): https://lists.openembedded.org/g/openembedded-core/message/154957 Mute This Topic: https://lists.openembedded.org/mt/84500620/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
