[oe] [meta-oe][kirkstone][PATCH 8/8] dbus-broker: patch CVE-2022-31212

[Gyorgy Sarvari via lists.openembedded.org]

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-31212

A detailed writeup[1] is referenced by the nvd report, which
describes that the vulnerability itself is not in the application,
rather in a dependency of it, in c-shutil, which is pulled in as
a submodule.

Pick the patch from this submodule that fixes a stack overflow, and
adds a test explictly verifying the described vulnerability.

[1]: 
https://sec-consult.com/vulnerability-lab/advisory/memory-corruption-vulnerabilities-dbus-broker/

Signed-off-by: Gyorgy Sarvari <skandigr...@gmail.com>
---
 .../dbus/dbus-broker/CVE-2022-31212.patch     | 70 +++++++++++++++++++
 meta-oe/recipes-core/dbus/dbus-broker_29.bb   |  4 +-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-core/dbus/dbus-broker/CVE-2022-31212.patch

diff --git a/meta-oe/recipes-core/dbus/dbus-broker/CVE-2022-31212.patch 
b/meta-oe/recipes-core/dbus/dbus-broker/CVE-2022-31212.patch
new file mode 100644
index 0000000000..a173e88d34
--- /dev/null
+++ b/meta-oe/recipes-core/dbus/dbus-broker/CVE-2022-31212.patch
@@ -0,0 +1,70 @@
+From 2dfb73805571bd48e92b2d09962bc99f3bc4f86b Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsb...@gmail.com>
+Date: Tue, 19 Apr 2022 13:11:02 +0200
+Subject: [PATCH] strnspn: fix buffer overflow
+
+Fix the strnspn and strncspn functions to use a properly sized buffer.
+It used to be 1 byte too short. Checking for `0xff` in a string will
+thus write `0xff` once byte beyond the stack space of the local buffer.
+
+Note that the public API does not allow to pass `0xff` to those
+functions. Therefore, this is a read-only buffer overrun, possibly
+causing bogus reports from the parser, but still well-defined.
+
+Reported-by: Steffen Robertz
+Signed-off-by: David Rheinsberg <david.rheinsb...@gmail.com>
+
+CVE: CVE-2022-31212
+Upstream-Status: Backport 
[https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1]
+Signed-off-by: Gyorgy Sarvari <skandigr...@gmail.com>
+---
+ subprojects/c-shquote/src/c-shquote.c    | 4 ++--
+ subprojects/c-shquote/src/test-private.c | 6 ++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/subprojects/c-shquote/src/c-shquote.c 
b/subprojects/c-shquote/src/c-shquote.c
+index b268906..abb55d6 100644
+--- a/subprojects/c-shquote/src/c-shquote.c
++++ b/subprojects/c-shquote/src/c-shquote.c
+@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp,
+ size_t c_shquote_strnspn(const char *string,
+                         size_t n_string,
+                         const char *accept) {
+-        bool buffer[UCHAR_MAX] = {};
++        bool buffer[UCHAR_MAX + 1] = {};
+ 
+         for ( ; *accept; ++accept)
+                 buffer[(unsigned char)*accept] = true;
+@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string,
+ size_t c_shquote_strncspn(const char *string,
+                           size_t n_string,
+                           const char *reject) {
+-        bool buffer[UCHAR_MAX] = {};
++        bool buffer[UCHAR_MAX + 1] = {};
+ 
+         if (strlen(reject) == 1) {
+                 const char *p;
+diff --git a/subprojects/c-shquote/src/test-private.c 
b/subprojects/c-shquote/src/test-private.c
+index 57a7250..c6afe40 100644
+--- a/subprojects/c-shquote/src/test-private.c
++++ b/subprojects/c-shquote/src/test-private.c
+@@ -148,6 +148,9 @@ static void test_strnspn(void) {
+ 
+         len = c_shquote_strnspn("ab", 2, "bc");
+         c_assert(len == 0);
++
++        len = c_shquote_strnspn("ab", 2, "\xff");
++        c_assert(len == 0);
+ }
+ 
+ static void test_strncspn(void) {
+@@ -167,6 +170,9 @@ static void test_strncspn(void) {
+ 
+         len = c_shquote_strncspn("ab", 2, "cd");
+         c_assert(len == 2);
++
++        len = c_shquote_strncspn("ab", 2, "\xff");
++        c_assert(len == 2);
+ }
+ 
+ static void test_discard_comment(void) {
diff --git a/meta-oe/recipes-core/dbus/dbus-broker_29.bb 
b/meta-oe/recipes-core/dbus/dbus-broker_29.bb
index 525db345b0..aafeda206e 100644
--- a/meta-oe/recipes-core/dbus/dbus-broker_29.bb
+++ b/meta-oe/recipes-core/dbus/dbus-broker_29.bb
@@ -6,7 +6,9 @@ SECTION = "base"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=7b486c2338d225a1405d979ed2c15ce8"
 
-SRC_URI = 
"https://github.com/bus1/dbus-broker/releases/download/v${PV}/dbus-broker-${PV}.tar.xz";
+SRC_URI = 
"https://github.com/bus1/dbus-broker/releases/download/v${PV}/dbus-broker-${PV}.tar.xz
 \
+           file://CVE-2022-31212.patch \
+           "
 SRC_URI[sha256sum] = 
"4eca425db52b7ab1027153e93fea9b3f11759db9e93ffbf88759b73ddfb8026a"
 
 UPSTREAM_CHECK_URI = "https://github.com/bus1/${BPN}/releases";

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#122920): 
https://lists.openembedded.org/g/openembedded-devel/message/122920
Mute This Topic: https://lists.openembedded.org/mt/116939932/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-