Re: [OE-core] [meta][dunfell][PATCH] fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310

Steve Sakoman Fri, 06 May 2022 08:32:59 -0700

You can simplify your subject to: [OE-core][dunfell] fribidi: Add fix
for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310


Sadly the patch in the recipe does not apply.  Have you done a test build?

ERROR: fribidi-1.0.9-r0 do_patch: Applying patch
'CVE-2022-25308.patch' on target directory
'/home/steve/builds/poky-contrib-dunfell/build/tmp/work/core2-64-poky-linux/fribidi/1.0.9-r0/fribidi-1.0.9'
Command Error: 'quilt --quiltrc
/home/steve/builds/poky-contrib-dunfell/build/tmp/work/core2-64-poky-linux/fribidi/1.0.9-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0  Output:
Applying patch CVE-2022-25308.patch
patching file bin/fribidi-main.c
Hunk #1 FAILED at 390.
1 out of 1 hunk FAILED -- rejects in file bin/fribidi-main.c
Patch CVE-2022-25308.patch does not apply (enforce with -f)

Steve

On Thu, May 5, 2022 at 10:08 PM Pawan via lists.openembedded.org
<[email protected]> wrote:
>
> From: Pawan Badganchi <[email protected]>
>
> Add below patches to fix CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
>
> CVE-2022-25308.patch
> Link: 
> https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1
>
> CVE-2022-25309.patch
> Link: 
> https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3
>
> CVE-2022-25310.patch
> Link:https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f
>
> Signed-off-by: pawan badganchi <[email protected]>
> ---
>  .../fribidi/fribidi/CVE-2022-25308.patch      | 50 +++++++++++++++++++
>  .../fribidi/fribidi/CVE-2022-25309.patch      | 31 ++++++++++++
>  .../fribidi/fribidi/CVE-2022-25310.patch      | 30 +++++++++++
>  meta/recipes-support/fribidi/fribidi_1.0.9.bb |  3 ++
>  4 files changed, 114 insertions(+)
>  create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
>  create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
>  create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
>
> diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch 
> b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
> new file mode 100644
> index 0000000000..8f2c2ade0e
> --- /dev/null
> +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
> @@ -0,0 +1,50 @@
> +From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
> +From: Akira TAGOH <[email protected]>
> +Date: Thu, 17 Feb 2022 17:30:12 +0900
> +Subject: [PATCH] Fix the stack buffer overflow issue
> +
> +strlen() could returns 0. Without a conditional check for len,
> +accessing S_ pointer with len - 1 may causes a stack buffer overflow.
> +
> +AddressSanitizer reports this like:
> +==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 
> 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
> +43b30 sp 0x7ffdce043b28
> +READ of size 1 at 0x7ffdce043c1f thread T0
> +    #0 0x403546 in main ../bin/fribidi-main.c:393
> +    #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
> +    #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
> +    #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
> +
> +Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
> +    #0 0x4022bf in main ../bin/fribidi-main.c:193
> +
> +  This frame has 5 object(s):
> +    [32, 36) 'option_index' (line 233)
> +    [48, 52) 'base' (line 386)
> +    [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows 
> this variable
> +    [65328, 130328) 'outstring' (line 385)
> +    [130592, 390592) 'logical' (line 384)
> +
> +This fixes https://github.com/fribidi/fribidi/issues/181
> +
> +CVE: CVE-2022-25308
> +Upstream-Status: Backport 
> [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
> +Signed-off-by: Pawan Badganchi <[email protected]>
> +
> +---
> + bin/fribidi-main.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
> +index 3cf9fe1..3ae4fb6 100644
> +--- a/bin/fribidi-main.c
> ++++ b/bin/fribidi-main.c
> +@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
> +           S_[sizeof (S_) - 1] = 0;
> +           len = strlen (S_);
> +           /* chop */
> +-          if (S_[len - 1] == '\n')
> ++          if (len > 0 && S_[len - 1] == '\n')
> +             {
> +               len--;
> +               S_[len] = '\0';
> diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch 
> b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
> new file mode 100644
> index 0000000000..0efba3d05c
> --- /dev/null
> +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
> @@ -0,0 +1,31 @@
> +From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001
> +From: Dov Grobgeld <[email protected]>
> +Date: Fri, 25 Mar 2022 09:09:49 +0300
> +Subject: [PATCH] Protected against garbage in the CapRTL encoder
> +
> +CVE: CVE-2022-25309
> +Upstream-Status: Backport 
> [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3]
> +Signed-off-by: Pawan Badganchi <[email protected]>
> +
> +---
> + lib/fribidi-char-sets-cap-rtl.c | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/lib/fribidi-char-sets-cap-rtl.c 
> b/lib/fribidi-char-sets-cap-rtl.c
> +index b0c0e4a..f74e010 100644
> +--- a/lib/fribidi-char-sets-cap-rtl.c
> ++++ b/lib/fribidi-char-sets-cap-rtl.c
> +@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
> +           }
> +       }
> +       else
> +-      us[j++] = caprtl_to_unicode[(int) s[i]];
> ++      {
> ++        if ((int)s[i] < 0)
> ++          us[j++] = '?';
> ++        else
> ++          us[j++] = caprtl_to_unicode[(int) s[i]];
> ++      }
> +     }
> +
> +   return j;
> diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch 
> b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
> new file mode 100644
> index 0000000000..d79a82d648
> --- /dev/null
> +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
> @@ -0,0 +1,30 @@
> +From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001
> +From: Akira TAGOH <[email protected]>
> +Date: Thu, 17 Feb 2022 19:06:10 +0900
> +Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks
> +
> +Escape from fribidi_remove_bidi_marks() immediately if str is null.
> +
> +This fixes https://github.com/fribidi/fribidi/issues/183
> +
> +CVE: CVE-2022-25310
> +Upstream-Status: Backport 
> [https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f]
> +Signed-off-by: Pawan Badganchi <[email protected]>
> +
> +---
> + lib/fribidi.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/lib/fribidi.c b/lib/fribidi.c
> +index f5da0da..70bdab2 100644
> +--- a/lib/fribidi.c
> ++++ b/lib/fribidi.c
> +@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks (
> +   fribidi_boolean status = false;
> +
> +   if UNLIKELY
> +-    (len == 0)
> ++    (len == 0 || str == NULL)
> +     {
> +       status = true;
> +       goto out;
> diff --git a/meta/recipes-support/fribidi/fribidi_1.0.9.bb 
> b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
> index ac9ef88e27..62b7d72812 100644
> --- a/meta/recipes-support/fribidi/fribidi_1.0.9.bb
> +++ b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
> @@ -10,6 +10,9 @@ LICENSE = "LGPLv2.1+"
>  LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7"
>
>  SRC_URI = 
> "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
> +           file://CVE-2022-25308.patch \
> +           file://CVE-2022-25309.patch \
> +           file://CVE-2022-25310.patch \
>             "
>  SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc"
>  SRC_URI[sha256sum] = 
> "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and 
> is the property of the KPIT Technologies Ltd. It is intended only for the 
> person to whom it is addressed. If you are not the intended recipient, you 
> are not authorized to read, print, retain copy, disseminate, distribute, or 
> use this message or any part thereof. If you receive this message in error, 
> please notify the sender immediately and delete all copies of this message. 
> KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#165342): 
https://lists.openembedded.org/g/openembedded-core/message/165342
Mute This Topic: https://lists.openembedded.org/mt/90929213/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [meta][dunfell][PATCH] fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310

Reply via email to