From: Omkar Patil <[email protected]> CVE: CVE-2022-30786
Signed-off-by: Omkar Patil <[email protected]> Signed-off-by: Ranjitsinh Rathod <[email protected]> --- .../ntfs-3g-ntfsprogs/CVE-2022-30786-1.patch | 36 +++++++++++++++ .../ntfs-3g-ntfsprogs/CVE-2022-30786-2.patch | 45 +++++++++++++++++++ .../ntfs-3g-ntfsprogs_2021.8.22.bb | 2 + 3 files changed, 83 insertions(+) create mode 100644 meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-1.patch create mode 100644 meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-2.patch diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-1.patch b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-1.patch new file mode 100644 index 000000000..9d485fed8 --- /dev/null +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-1.patch @@ -0,0 +1,36 @@ +From 838b6e35b43062353998853eab50cd0675201ed7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <[email protected]> +Date: Tue, 21 Sep 2021 10:54:50 +0200 +Subject: [PATCH] Made sure there is no null character in an attribute name + +When copying an attribute name which contains a null, it is truncated +and this may lead to accessing non-allocated bytes when relying on the +expected name length. Such names must therefore be rejected. + +CVE: CVE-2022-30786 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/n/ntfs-3g/ntfs-3g_2021.8.22-3ubuntu1.1.debian.tar.xz] +Comment: No change in any hunk +Signed-off-by: Omkar Patil <[email protected]> + +--- + libntfs-3g/attrib.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/libntfs-3g/attrib.c ++++ b/libntfs-3g/attrib.c +@@ -426,7 +426,15 @@ ntfs_attr *ntfs_attr_open(ntfs_inode *ni + na = ntfs_calloc(sizeof(ntfs_attr)); + if (!na) + goto out; ++ if (!name_len) ++ name = (ntfschar*)NULL; + if (name && name != AT_UNNAMED && name != NTFS_INDEX_I30) { ++ /* A null char leads to a short name and unallocated bytes */ ++ if (ntfs_ucsnlen(name, name_len) != name_len) { ++ ntfs_log_error("Null character in attribute name" ++ " of inode %lld\n",(long long)ni->mft_no); ++ goto err_out; ++ } + name = ntfs_ucsndup(name, name_len); + if (!name) + goto err_out; diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-2.patch b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-2.patch new file mode 100644 index 000000000..85a2971b4 --- /dev/null +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-2.patch @@ -0,0 +1,45 @@ +From 5ce8941bf47291cd6ffe7cdb1797253f1cc3a86f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <[email protected]> +Date: Fri, 5 Nov 2021 08:41:20 +0100 +Subject: [PATCH] Made sure there is no null character in an attribute name + (bis) + +When copying an attribute name which contains a null, it is truncated +and this may lead to accessing non-allocated bytes when relying on the +expected name length. Such (illegal) names must therefore be rejected. + +CVE: CVE-2022-30786 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/n/ntfs-3g/ntfs-3g_2021.8.22-3ubuntu1.1.debian.tar.xz] +Comment: No change in any hunk +Signed-off-by: Omkar Patil <[email protected]> + +--- + libntfs-3g/attrib.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/libntfs-3g/attrib.c b/libntfs-3g/attrib.c +index 51c8536f..efb91943 100644 +--- a/libntfs-3g/attrib.c ++++ b/libntfs-3g/attrib.c +@@ -452,8 +452,19 @@ ntfs_attr *ntfs_attr_open(ntfs_inode *ni, const ATTR_TYPES type, + + if (!name) { + if (a->name_length) { +- name = ntfs_ucsndup((ntfschar*)((u8*)a + le16_to_cpu( +- a->name_offset)), a->name_length); ++ ntfschar *attr_name; ++ ++ attr_name = (ntfschar*)((u8*)a ++ + le16_to_cpu(a->name_offset)); ++ /* A null character leads to illegal memory access */ ++ if (ntfs_ucsnlen(attr_name, a->name_length) ++ != a->name_length) { ++ ntfs_log_error("Null character in attribute" ++ " name in inode %lld\n", ++ (long long)ni->mft_no); ++ goto put_err_out; ++ } ++ name = ntfs_ucsndup(attr_name, a->name_length); + if (!name) + goto put_err_out; + newname = name; diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb index ea8607e6d..f74e91c93 100644 --- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb @@ -12,6 +12,8 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \ file://CVE-2022-30783.patch \ file://CVE-2022-30784.patch \ file://CVE-2022-30785_30787.patch \ + file://CVE-2022-30786-1.patch \ + file://CVE-2022-30786-2.patch \ " S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}" -- 2.17.1 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#97659): https://lists.openembedded.org/g/openembedded-devel/message/97659 Mute This Topic: https://lists.openembedded.org/mt/92104306/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
