dlt-daemon: add upstream patch to fix CVE-2020-29394

More information on: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976228 | A buffer overflow in the dlt_filter_load function in dlt_common.c in | dlt-daemon 2.8.5 (GENIVI Diagnostic Log and Trace) allows arbitrary | code execution because fscanf is misused (no limit on the number of | characters to be read in a format argument). Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> [Fix up for Dunfell context - AK] Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Gianfranco <costamagna.gianfranco@gmail.com> 2020-12-02 10:19:37 +0100
committer: Armin Kuster <akuster808@gmail.com> 2020-12-10 08:17:01 -0800
commit: 0c158538eda581450dbdb5762d668721ba7fe4f0 (patch)
tree: 76e0d494a6cbda743fb01314a1e3ad15051fc26a
parent: 27832ef6c02bf71694f5539d42046f148453a49b (diff)
download: meta-openembedded-0c158538eda581450dbdb5762d668721ba7fe4f0.tar.gz
2 files changed, 39 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
new file mode 100644
index 0000000000..75065eb054
--- /dev/null
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
@@ -0,0 +1,38 @@
+Upstream-status: Backport
+CVE: CVE-2020-29394
+From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001
+From: GwanYeong Kim <gy741.kim@gmail.com>
+Date: Sat, 28 Nov 2020 12:24:46 +0900
+Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load
+A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument.
+Fixed: #274
+Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
+---
+ src/shared/dlt_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
+index 254f4ce4..d15b1cec 100644
+--- a/src/shared/dlt_common.c
+++ b/src/shared/dlt_common.c
+@@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
+     while (!feof(handle)) {
+         str1[0] = 0;
+ 
+-        if (fscanf(handle, "%s", str1) != 1)
+        if (fscanf(handle, "%254s", str1) != 1)
+             break;
+ 
+         if (str1[0] == 0)
+@@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
+ 
+         str1[0] = 0;
+ 
+-        if (fscanf(handle, "%s", str1) != 1)
+        if (fscanf(handle, "%254s", str1) != 1)
+             break;
+ 
+         if (str1[0] == 0)
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb
index 35c638bc78..45724e98ac 100644
--- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \
    file://0002-Don-t-execute-processes-as-a-specific-user.patch \
    file://0004-Modify-systemd-config-directory.patch \
    file://204.patch \
+    file://275.patch \
 "
 SRCREV = "14ea971be7e808b9c5099c7f404ed3cf341873c4"
author	Gianfranco <costamagna.gianfranco@gmail.com>	2020-12-02 10:19:37 +0100
committer	Armin Kuster <akuster808@gmail.com>	2020-12-10 08:17:01 -0800
commit	0c158538eda581450dbdb5762d668721ba7fe4f0 (patch)
tree	76e0d494a6cbda743fb01314a1e3ad15051fc26a
parent	27832ef6c02bf71694f5539d42046f148453a49b (diff)
download	meta-openembedded-0c158538eda581450dbdb5762d668721ba7fe4f0.tar.gz

diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch new file mode 100644 index 0000000000..75065eb054 --- /dev/null +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
@@ -0,0 +1,38 @@
		1	Upstream-status: Backport
		2	CVE: CVE-2020-29394
		3	From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001
		4	From: GwanYeong Kim <gy741.kim@gmail.com>
		5	Date: Sat, 28 Nov 2020 12:24:46 +0900
		6	Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load
		7
		8	A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument.
		9
		10	Fixed: #274
		11
		12	Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
		13	---
		14	src/shared/dlt_common.c \| 4 ++--
		15	1 file changed, 2 insertions(+), 2 deletions(-)
		16
		17	diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
		18	index 254f4ce4..d15b1cec 100644
		19	--- a/src/shared/dlt_common.c
		20	+++ b/src/shared/dlt_common.c
		21	@@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter filter, const char filename, int verb
		22	while (!feof(handle)) {
		23	str1[0] = 0;
		24
		25	- if (fscanf(handle, "%s", str1) != 1)
		26	+ if (fscanf(handle, "%254s", str1) != 1)
		27	break;
		28
		29	if (str1[0] == 0)
		30	@@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter filter, const char filename, int verb
		31
		32	str1[0] = 0;
		33
		34	- if (fscanf(handle, "%s", str1) != 1)
		35	+ if (fscanf(handle, "%254s", str1) != 1)
		36	break;
		37
		38	if (str1[0] == 0)


diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb index 35c638bc78..45724e98ac 100644 --- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \
18	file://0002-Don-t-execute-processes-as-a-specific-user.patch \	18	file://0002-Don-t-execute-processes-as-a-specific-user.patch \
19	file://0004-Modify-systemd-config-directory.patch \	19	file://0004-Modify-systemd-config-directory.patch \
20	file://204.patch \	20	file://204.patch \
		21	file://275.patch \
21	"	22	"
22	SRCREV = "14ea971be7e808b9c5099c7f404ed3cf341873c4"	23	SRCREV = "14ea971be7e808b9c5099c7f404ed3cf341873c4"
23		24