On Thu, May 5, 2022 at 6:16 AM Steve Sakoman via lists.openembedded.org <[email protected]> wrote: > > Thanks for this CVE patch (and the one for libinput) > > However this is the wrong mailing list! In the future please tag with > [OE-core][dunfell] and send to > [email protected] - otherwise I might miss > seeing them. > > No need to resend this time, I've got them.
And one, hopefully final comment! Do these vulnerabilities also exist for the versions in master/kirkstone? If so, you'll need to submit a patch for master too before I can take them in dunfell and kirkstone. Steve > On Thu, May 5, 2022 at 2:03 AM Pawan via lists.yoctoproject.org > <[email protected]> wrote: > > > > From: Pawan Badganchi <[email protected]> > > > > Add below patches to fix CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310 > > > > CVE-2022-25308.patch > > Link: > > https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1 > > > > CVE-2022-25309.patch > > Link: > > https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3 > > > > CVE-2022-25310.patch > > Link:https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f > > > > Signed-off-by: pawan badganchi <[email protected]> > > --- > > .../fribidi/fribidi/CVE-2022-25308.patch | 50 +++++++++++++++++++ > > .../fribidi/fribidi/CVE-2022-25309.patch | 31 ++++++++++++ > > .../fribidi/fribidi/CVE-2022-25310.patch | 30 +++++++++++ > > meta/recipes-support/fribidi/fribidi_1.0.9.bb | 3 ++ > > 4 files changed, 114 insertions(+) > > create mode 100644 > > meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch > > create mode 100644 > > meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch > > create mode 100644 > > meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch > > > > diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch > > b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch > > new file mode 100644 > > index 0000000000..8f2c2ade0e > > --- /dev/null > > +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch > > @@ -0,0 +1,50 @@ > > +From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001 > > +From: Akira TAGOH <[email protected]> > > +Date: Thu, 17 Feb 2022 17:30:12 +0900 > > +Subject: [PATCH] Fix the stack buffer overflow issue > > + > > +strlen() could returns 0. Without a conditional check for len, > > +accessing S_ pointer with len - 1 may causes a stack buffer overflow. > > + > > +AddressSanitizer reports this like: > > +==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address > > 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0 > > +43b30 sp 0x7ffdce043b28 > > +READ of size 1 at 0x7ffdce043c1f thread T0 > > + #0 0x403546 in main ../bin/fribidi-main.c:393 > > + #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f) > > + #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648) > > + #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4) > > + > > +Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in > > frame > > + #0 0x4022bf in main ../bin/fribidi-main.c:193 > > + > > + This frame has 5 object(s): > > + [32, 36) 'option_index' (line 233) > > + [48, 52) 'base' (line 386) > > + [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows > > this variable > > + [65328, 130328) 'outstring' (line 385) > > + [130592, 390592) 'logical' (line 384) > > + > > +This fixes https://github.com/fribidi/fribidi/issues/181 > > + > > +CVE: CVE-2022-25308 > > +Upstream-Status: Backport > > [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1] > > +Signed-off-by: Pawan Badganchi <[email protected]> > > + > > +--- > > + bin/fribidi-main.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c > > +index 3cf9fe1..3ae4fb6 100644 > > +--- a/bin/fribidi-main.c > > ++++ b/bin/fribidi-main.c > > +@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS > > + S_[sizeof (S_) - 1] = 0; > > + len = strlen (S_); > > + /* chop */ > > +- if (S_[len - 1] == '\n') > > ++ if (len > 0 && S_[len - 1] == '\n') > > + { > > + len--; > > + S_[len] = '\0'; > > diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch > > b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch > > new file mode 100644 > > index 0000000000..0efba3d05c > > --- /dev/null > > +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch > > @@ -0,0 +1,31 @@ > > +From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001 > > +From: Dov Grobgeld <[email protected]> > > +Date: Fri, 25 Mar 2022 09:09:49 +0300 > > +Subject: [PATCH] Protected against garbage in the CapRTL encoder > > + > > +CVE: CVE-2022-25309 > > +Upstream-Status: Backport > > [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3] > > +Signed-off-by: Pawan Badganchi <[email protected]> > > + > > +--- > > + lib/fribidi-char-sets-cap-rtl.c | 7 ++++++- > > + 1 file changed, 6 insertions(+), 1 deletion(-) > > + > > +diff --git a/lib/fribidi-char-sets-cap-rtl.c > > b/lib/fribidi-char-sets-cap-rtl.c > > +index b0c0e4a..f74e010 100644 > > +--- a/lib/fribidi-char-sets-cap-rtl.c > > ++++ b/lib/fribidi-char-sets-cap-rtl.c > > +@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode ( > > + } > > + } > > + else > > +- us[j++] = caprtl_to_unicode[(int) s[i]]; > > ++ { > > ++ if ((int)s[i] < 0) > > ++ us[j++] = '?'; > > ++ else > > ++ us[j++] = caprtl_to_unicode[(int) s[i]]; > > ++ } > > + } > > + > > + return j; > > diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch > > b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch > > new file mode 100644 > > index 0000000000..d79a82d648 > > --- /dev/null > > +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch > > @@ -0,0 +1,30 @@ > > +From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001 > > +From: Akira TAGOH <[email protected]> > > +Date: Thu, 17 Feb 2022 19:06:10 +0900 > > +Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks > > + > > +Escape from fribidi_remove_bidi_marks() immediately if str is null. > > + > > +This fixes https://github.com/fribidi/fribidi/issues/183 > > + > > +CVE: CVE-2022-25310 > > +Upstream-Status: Backport > > [https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f] > > +Signed-off-by: Pawan Badganchi <[email protected]> > > + > > +--- > > + lib/fribidi.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/lib/fribidi.c b/lib/fribidi.c > > +index f5da0da..70bdab2 100644 > > +--- a/lib/fribidi.c > > ++++ b/lib/fribidi.c > > +@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks ( > > + fribidi_boolean status = false; > > + > > + if UNLIKELY > > +- (len == 0) > > ++ (len == 0 || str == NULL) > > + { > > + status = true; > > + goto out; > > diff --git a/meta/recipes-support/fribidi/fribidi_1.0.9.bb > > b/meta/recipes-support/fribidi/fribidi_1.0.9.bb > > index ac9ef88e27..62b7d72812 100644 > > --- a/meta/recipes-support/fribidi/fribidi_1.0.9.bb > > +++ b/meta/recipes-support/fribidi/fribidi_1.0.9.bb > > @@ -10,6 +10,9 @@ LICENSE = "LGPLv2.1+" > > LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7" > > > > SRC_URI = > > "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ > > + file://CVE-2022-25308.patch \ > > + file://CVE-2022-25309.patch \ > > + file://CVE-2022-25310.patch \ > > " > > SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc" > > SRC_URI[sha256sum] = > > "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7" > > -- > > 2.17.1 > > > > This message contains information that may be privileged or confidential > > and is the property of the KPIT Technologies Ltd. It is intended only for > > the person to whom it is addressed. If you are not the intended recipient, > > you are not authorized to read, print, retain copy, disseminate, > > distribute, or use this message or any part thereof. If you receive this > > message in error, please notify the sender immediately and delete all > > copies of this message. KPIT Technologies Ltd. does not accept any > > liability for virus infected mails. > > > > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#165306): https://lists.openembedded.org/g/openembedded-core/message/165306 Mute This Topic: https://lists.openembedded.org/mt/90914655/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
