2 files changed, 62 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch b/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch
new file mode 100644
index 0000000000..99dc4e3046
--- /dev/null
+++ b/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch
@@ -0,0 +1,61 @@
+From bd68ae1271598e8fdc72f2adb457e6882604582d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 22 Feb 2018 16:39:43 +0100
+Subject: [PATCH] Fix a heap-buffer-overflow in find_archive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+rw_buffer has allocated rw_base_size bytes. But subsequend fgets() in
+find_archive() reads up-to BUFSIZ bytes.
+On my system, BUFSIZ is 8192. rw_base_size is usually equaled to
+a memory page size, 4096 on my system. Thus find_archive() can write
+beyonded allocated memmory for rw_buffer array:
+$ valgrind -- ./unshar /tmp/id\:000000\,sig\:06\,src\:000005+000030\,op\:splice\,rep\:4
+==30582== Memcheck, a memory error detector
+==30582== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+==30582== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
+==30582== Command: ./unshar /tmp/id:000000,sig:06,src:000005+000030,op:splice,rep:4
+==30582==
+==30582== Invalid write of size 1
+==30582==    at 0x4EAB480: _IO_getline_info (in /usr/lib64/libc-2.27.so)
+==30582==    by 0x4EB47C2: fgets_unlocked (in /usr/lib64/libc-2.27.so)
+==30582==    by 0x10BF60: fgets_unlocked (stdio2.h:320)
+==30582==    by 0x10BF60: find_archive (unshar.c:243)
+==30582==    by 0x10BF60: unshar_file (unshar.c:379)
+==30582==    by 0x10BCCC: validate_fname (unshar-opts.c:604)
+==30582==    by 0x10BCCC: main (unshar-opts.c:639)
+==30582==  Address 0x523a790 is 0 bytes after a block of size 4,096 alloc'd
+==30582==    at 0x4C2DBBB: malloc (vg_replace_malloc.c:299)
+==30582==    by 0x10C670: init_unshar (unshar.c:450)
+==30582==    by 0x10BC55: main (unshar-opts.c:630)
+This was reported in
+<http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html>.
+CVE: CVE-2018-1000097
+Upstream-Status: no upstream [http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html]
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ src/unshar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/unshar.c b/src/unshar.c
+index 80bc3a9..0fc3773 100644
+--- a/src/unshar.c
+++ b/src/unshar.c
+@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start)
+       off_t position = ftello (file);
+ 
+       /* Read next line, fail if no more and no previous process.  */
+-      if (!fgets (rw_buffer, BUFSIZ, file))
+      if (!fgets (rw_buffer, rw_base_size, file))
+        {
+          if (!start)
+            error (0, 0, _("Found no shell commands in %s"), name);
+-- 
+2.19.0
diff --git a/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb b/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb
index 812fee955b..c12289b5d0 100644
--- a/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb
+++ b/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb
@@ -8,6 +8,7 @@ inherit gettext autotools
 SRC_URI = "ftp://ftp.gnu.org/gnu/${BPN}/${BP}.tar.gz \
           file://0001-Fix-build-with-clang.patch \
+           file://CVE-2018-1000097.patch \
 "
 SRC_URI[md5sum] = "32a51b23e25ad5e6af4b89f228be1800"
 SRC_URI[sha256sum] = "ee336e68549664e7a19b117adf02edfdeac6307f22e5ba78baca457116914637"

diff --git a/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch b/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch new file mode 100644 index 0000000000..99dc4e3046 --- /dev/null +++ b/meta-oe/recipes-support/sharutils/sharutils/CVE-2018-1000097.patch
@@ -0,0 +1,61 @@
		1	From bd68ae1271598e8fdc72f2adb457e6882604582d Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
		3	Date: Thu, 22 Feb 2018 16:39:43 +0100
		4	Subject: [PATCH] Fix a heap-buffer-overflow in find_archive()
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	rw_buffer has allocated rw_base_size bytes. But subsequend fgets() in
		10	find_archive() reads up-to BUFSIZ bytes.
		11
		12	On my system, BUFSIZ is 8192. rw_base_size is usually equaled to
		13	a memory page size, 4096 on my system. Thus find_archive() can write
		14	beyonded allocated memmory for rw_buffer array:
		15
		16	$ valgrind -- ./unshar /tmp/id\:000000\,sig\:06\,src\:000005+000030\,op\:splice\,rep\:4
		17	==30582== Memcheck, a memory error detector
		18	==30582== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
		19	==30582== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
		20	==30582== Command: ./unshar /tmp/id:000000,sig:06,src:000005+000030,op:splice,rep:4
		21	==30582==
		22	==30582== Invalid write of size 1
		23	==30582== at 0x4EAB480: _IO_getline_info (in /usr/lib64/libc-2.27.so)
		24	==30582== by 0x4EB47C2: fgets_unlocked (in /usr/lib64/libc-2.27.so)
		25	==30582== by 0x10BF60: fgets_unlocked (stdio2.h:320)
		26	==30582== by 0x10BF60: find_archive (unshar.c:243)
		27	==30582== by 0x10BF60: unshar_file (unshar.c:379)
		28	==30582== by 0x10BCCC: validate_fname (unshar-opts.c:604)
		29	==30582== by 0x10BCCC: main (unshar-opts.c:639)
		30	==30582== Address 0x523a790 is 0 bytes after a block of size 4,096 alloc'd
		31	==30582== at 0x4C2DBBB: malloc (vg_replace_malloc.c:299)
		32	==30582== by 0x10C670: init_unshar (unshar.c:450)
		33	==30582== by 0x10BC55: main (unshar-opts.c:630)
		34
		35	This was reported in
		36	<http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html>.
		37
		38	CVE: CVE-2018-1000097
		39	Upstream-Status: no upstream [http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html]
		40	Signed-off-by: Petr Písař <ppisar@redhat.com>
		41	Signed-off-by: Sinan Kaya <okaya@kernel.org>
		42	---
		43	src/unshar.c \| 2 +-
		44	1 file changed, 1 insertion(+), 1 deletion(-)
		45
		46	diff --git a/src/unshar.c b/src/unshar.c
		47	index 80bc3a9..0fc3773 100644
		48	--- a/src/unshar.c
		49	+++ b/src/unshar.c
		50	@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start)
		51	off_t position = ftello (file);
		52
		53	/* Read next line, fail if no more and no previous process. */
		54	- if (!fgets (rw_buffer, BUFSIZ, file))
		55	+ if (!fgets (rw_buffer, rw_base_size, file))
		56	{
		57	if (!start)
		58	error (0, 0, _("Found no shell commands in %s"), name);
		59	--
		60	2.19.0
		61


diff --git a/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb b/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb index 812fee955b..c12289b5d0 100644 --- a/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb +++ b/meta-oe/recipes-support/sharutils/sharutils_4.15.2.bb
@@ -8,6 +8,7 @@ inherit gettext autotools
8		8
9	SRC_URI = "ftp://ftp.gnu.org/gnu/${BPN}/${BP}.tar.gz \	9	SRC_URI = "ftp://ftp.gnu.org/gnu/${BPN}/${BP}.tar.gz \
10	file://0001-Fix-build-with-clang.patch \	10	file://0001-Fix-build-with-clang.patch \
		11	file://CVE-2018-1000097.patch \
11	"	12	"
12	SRC_URI[md5sum] = "32a51b23e25ad5e6af4b89f228be1800"	13	SRC_URI[md5sum] = "32a51b23e25ad5e6af4b89f228be1800"
13	SRC_URI[sha256sum] = "ee336e68549664e7a19b117adf02edfdeac6307f22e5ba78baca457116914637"	14	SRC_URI[sha256sum] = "ee336e68549664e7a19b117adf02edfdeac6307f22e5ba78baca457116914637"