[OE-core] [meta][dunfell][PATCH] fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
From: Pawan Badganchi Add below patches to fix CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310 CVE-2022-25308.patch Link: https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1 CVE-2022-25309.patch Link: https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3 CVE-2022-25310.patch Link:https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f Signed-off-by: Pawan Badganchi --- .../fribidi/fribidi/CVE-2022-25308.patch | 50 +++ .../fribidi/fribidi/CVE-2022-25309.patch | 31 .../fribidi/fribidi/CVE-2022-25310.patch | 30 +++ meta/recipes-support/fribidi/fribidi_1.0.9.bb | 3 ++ 4 files changed, 114 insertions(+) create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch new file mode 100644 index 00..8f2c2ade0e --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch @@ -0,0 +1,50 @@ +From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001 +From: Akira TAGOH +Date: Thu, 17 Feb 2022 17:30:12 +0900 +Subject: [PATCH] Fix the stack buffer overflow issue + +strlen() could returns 0. Without a conditional check for len, +accessing S_ pointer with len - 1 may causes a stack buffer overflow. + +AddressSanitizer reports this like: +==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x00403547 bp 0x7ffdce0 +43b30 sp 0x7ffdce043b28 +READ of size 1 at 0x7ffdce043c1f thread T0 +#0 0x403546 in main ../bin/fribidi-main.c:393 +#1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f) +#2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648) +#3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4) + +Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame +#0 0x4022bf in main ../bin/fribidi-main.c:193 + + This frame has 5 object(s): +[32, 36) 'option_index' (line 233) +[48, 52) 'base' (line 386) +[64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable +[65328, 130328) 'outstring' (line 385) +[130592, 390592) 'logical' (line 384) + +This fixes https://github.com/fribidi/fribidi/issues/181 + +CVE: CVE-2022-25308 +Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1] +Signed-off-by: Pawan Badganchi + +--- + bin/fribidi-main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c +index 3cf9fe1..3ae4fb6 100644 +--- a/bin/fribidi-main.c b/bin/fribidi-main.c +@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS + S_[sizeof (S_) - 1] = 0; + len = strlen (S_); + /* chop */ +- if (S_[len - 1] == '\n') ++ if (len > 0 && S_[len - 1] == '\n') + { + len--; + S_[len] = '\0'; diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch new file mode 100644 index 00..0efba3d05c --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch @@ -0,0 +1,31 @@ +From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001 +From: Dov Grobgeld +Date: Fri, 25 Mar 2022 09:09:49 +0300 +Subject: [PATCH] Protected against garbage in the CapRTL encoder + +CVE: CVE-2022-25309 +Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3] +Signed-off-by: Pawan Badganchi + +--- + lib/fribidi-char-sets-cap-rtl.c | 7 ++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c +index b0c0e4a..f74e010 100644 +--- a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c +@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode ( + } + } + else +- us[j++] = caprtl_to_unicode[(int) s[i]]; ++ { ++if ((int)s[i] < 0) ++ us[j++] = '?'; ++else ++ us[j++] = caprtl_to_unicode[(int) s[i]]; ++ } + } + + return j; diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch new file mode 100644 index 00..d79a82d648 --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch @@ -0,0 +1,30 @@ +From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001 +From: Akira TAGOH +Date: Thu, 17 Feb 2022 19:06:10 +0900 +Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks + +Escape from
Re: [OE-core] [meta][dunfell][PATCH] fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
You can simplify your subject to: [OE-core][dunfell] fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310 Sadly the patch in the recipe does not apply. Have you done a test build? ERROR: fribidi-1.0.9-r0 do_patch: Applying patch 'CVE-2022-25308.patch' on target directory '/home/steve/builds/poky-contrib-dunfell/build/tmp/work/core2-64-poky-linux/fribidi/1.0.9-r0/fribidi-1.0.9' Command Error: 'quilt --quiltrc /home/steve/builds/poky-contrib-dunfell/build/tmp/work/core2-64-poky-linux/fribidi/1.0.9-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Applying patch CVE-2022-25308.patch patching file bin/fribidi-main.c Hunk #1 FAILED at 390. 1 out of 1 hunk FAILED -- rejects in file bin/fribidi-main.c Patch CVE-2022-25308.patch does not apply (enforce with -f) Steve On Thu, May 5, 2022 at 10:08 PM Pawan via lists.openembedded.org wrote: > > From: Pawan Badganchi > > Add below patches to fix CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310 > > CVE-2022-25308.patch > Link: > https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1 > > CVE-2022-25309.patch > Link: > https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3 > > CVE-2022-25310.patch > Link:https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f > > Signed-off-by: pawan badganchi > --- > .../fribidi/fribidi/CVE-2022-25308.patch | 50 +++ > .../fribidi/fribidi/CVE-2022-25309.patch | 31 > .../fribidi/fribidi/CVE-2022-25310.patch | 30 +++ > meta/recipes-support/fribidi/fribidi_1.0.9.bb | 3 ++ > 4 files changed, 114 insertions(+) > create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch > create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch > create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch > > diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch > b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch > new file mode 100644 > index 00..8f2c2ade0e > --- /dev/null > +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch > @@ -0,0 +1,50 @@ > +From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001 > +From: Akira TAGOH > +Date: Thu, 17 Feb 2022 17:30:12 +0900 > +Subject: [PATCH] Fix the stack buffer overflow issue > + > +strlen() could returns 0. Without a conditional check for len, > +accessing S_ pointer with len - 1 may causes a stack buffer overflow. > + > +AddressSanitizer reports this like: > +==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address > 0x7ffdce043c1f at pc 0x00403547 bp 0x7ffdce0 > +43b30 sp 0x7ffdce043b28 > +READ of size 1 at 0x7ffdce043c1f thread T0 > +#0 0x403546 in main ../bin/fribidi-main.c:393 > +#1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f) > +#2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648) > +#3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4) > + > +Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame > +#0 0x4022bf in main ../bin/fribidi-main.c:193 > + > + This frame has 5 object(s): > +[32, 36) 'option_index' (line 233) > +[48, 52) 'base' (line 386) > +[64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows > this variable > +[65328, 130328) 'outstring' (line 385) > +[130592, 390592) 'logical' (line 384) > + > +This fixes https://github.com/fribidi/fribidi/issues/181 > + > +CVE: CVE-2022-25308 > +Upstream-Status: Backport > [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1] > +Signed-off-by: Pawan Badganchi > + > +--- > + bin/fribidi-main.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c > +index 3cf9fe1..3ae4fb6 100644 > +--- a/bin/fribidi-main.c > b/bin/fribidi-main.c > +@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS > + S_[sizeof (S_) - 1] = 0; > + len = strlen (S_); > + /* chop */ > +- if (S_[len - 1] == '\n') > ++ if (len > 0 && S_[len - 1] == '\n') > + { > + len--; > + S_[len] = '\0'; > diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch > b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch > new file mode 100644 > index 00..0efba3d05c > --- /dev/null > +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch > @@ -0,0 +1,31 @@ > +From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001 > +From: Dov Grobgeld > +Date: Fri, 25 Mar 2022 09:09:49 +0300 > +Subject: [PATCH] Protected against garbage in the CapRTL encoder > + > +CVE: CVE-2022-25309 > +Upstream-Status: Backport > [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3] > +Signed-off-by: Pawan Badganchi > + > +---
[OE-core] [meta][dunfell][PATCH] fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
From: Pawan Badganchi Add below patches to fix CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310 CVE-2022-25308.patch Link: https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1 CVE-2022-25309.patch Link: https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3 CVE-2022-25310.patch Link:https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f Signed-off-by: pawan badganchi --- .../fribidi/fribidi/CVE-2022-25308.patch | 50 +++ .../fribidi/fribidi/CVE-2022-25309.patch | 31 .../fribidi/fribidi/CVE-2022-25310.patch | 30 +++ meta/recipes-support/fribidi/fribidi_1.0.9.bb | 3 ++ 4 files changed, 114 insertions(+) create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch new file mode 100644 index 00..8f2c2ade0e --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch @@ -0,0 +1,50 @@ +From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001 +From: Akira TAGOH +Date: Thu, 17 Feb 2022 17:30:12 +0900 +Subject: [PATCH] Fix the stack buffer overflow issue + +strlen() could returns 0. Without a conditional check for len, +accessing S_ pointer with len - 1 may causes a stack buffer overflow. + +AddressSanitizer reports this like: +==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x00403547 bp 0x7ffdce0 +43b30 sp 0x7ffdce043b28 +READ of size 1 at 0x7ffdce043c1f thread T0 +#0 0x403546 in main ../bin/fribidi-main.c:393 +#1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f) +#2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648) +#3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4) + +Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame +#0 0x4022bf in main ../bin/fribidi-main.c:193 + + This frame has 5 object(s): +[32, 36) 'option_index' (line 233) +[48, 52) 'base' (line 386) +[64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable +[65328, 130328) 'outstring' (line 385) +[130592, 390592) 'logical' (line 384) + +This fixes https://github.com/fribidi/fribidi/issues/181 + +CVE: CVE-2022-25308 +Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1] +Signed-off-by: Pawan Badganchi + +--- + bin/fribidi-main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c +index 3cf9fe1..3ae4fb6 100644 +--- a/bin/fribidi-main.c b/bin/fribidi-main.c +@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS + S_[sizeof (S_) - 1] = 0; + len = strlen (S_); + /* chop */ +- if (S_[len - 1] == '\n') ++ if (len > 0 && S_[len - 1] == '\n') + { + len--; + S_[len] = '\0'; diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch new file mode 100644 index 00..0efba3d05c --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch @@ -0,0 +1,31 @@ +From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001 +From: Dov Grobgeld +Date: Fri, 25 Mar 2022 09:09:49 +0300 +Subject: [PATCH] Protected against garbage in the CapRTL encoder + +CVE: CVE-2022-25309 +Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3] +Signed-off-by: Pawan Badganchi + +--- + lib/fribidi-char-sets-cap-rtl.c | 7 ++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c +index b0c0e4a..f74e010 100644 +--- a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c +@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode ( + } + } + else +- us[j++] = caprtl_to_unicode[(int) s[i]]; ++ { ++if ((int)s[i] < 0) ++ us[j++] = '?'; ++else ++ us[j++] = caprtl_to_unicode[(int) s[i]]; ++ } + } + + return j; diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch new file mode 100644 index 00..d79a82d648 --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch @@ -0,0 +1,30 @@ +From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001 +From: Akira TAGOH +Date: Thu, 17 Feb 2022 19:06:10 +0900 +Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks + +Escape from