2 files changed, 59 insertions, 1 deletions
diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
new file mode 100644
index 0000000000..c728f58658
--- /dev/null
+++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Backport
+Backport patch to fix CVE-2014-3564.
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 30 Jul 2014 11:04:55 +0200
+Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
+ engines.
+After a realloc (realloc is also used for initial alloc) the allocated
+size if the buffer is not correctly recorded.  Thus an overflow can be
+introduced by receiving data with different line lengths in a specific
+order.  This is not easy exploitable because libassuan constructs the
+line.  However a crash has been reported and thus it might be possible
+to constructs an exploit.
+CVE-id: CVE-2014-3564
+Reported-by: TomÃ¡Å¡ Trnka
+---
+ src/engine-gpgsm.c    | 2 +-
+ src/engine-uiserver.c | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
+index 8ec1598..3a83757 100644
+--- a/src/engine-gpgsm.c
+++ b/src/engine-gpgsm.c
+@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
+              else
+                {
+                  *aline = newline;
+-                 gpgsm->colon.attic.linesize += linelen + 1;
+                 gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
+                }
+            }
+          if (!err)
+diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
+index 2738c36..a7184b7 100644
+--- a/src/engine-uiserver.c
+++ b/src/engine-uiserver.c
+@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
+              else
+                {
+                  *aline = newline;
+-                 uiserver->colon.attic.linesize += linelen + 1;
+                 uiserver->colon.attic.linesize = *alinelen + linelen + 1;
+                }
+            }
+          if (!err)
+-- 
+2.1.4
diff --git a/meta/recipes-support/gpgme/gpgme_1.4.3.bb b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
index cba358984c..f80457842b 100644
--- a/meta/recipes-support/gpgme/gpgme_1.4.3.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
@@ -11,7 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
 SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
           file://gpgme.pc \
-           file://pkgconfig.patch"
+           file://pkgconfig.patch \
+           file://gpgme-fix-CVE-2014-3564.patch \
+          "
 SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
 SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"

diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch new file mode 100644 index 0000000000..c728f58658 --- /dev/null +++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
		1	Upstream-Status: Backport
		2
		3	Backport patch to fix CVE-2014-3564.
		4
		5	http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
		6
		7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		8	---
		9	From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
		10	From: Werner Koch <wk@gnupg.org>
		11	Date: Wed, 30 Jul 2014 11:04:55 +0200
		12	Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
		13	engines.
		14
		15	After a realloc (realloc is also used for initial alloc) the allocated
		16	size if the buffer is not correctly recorded. Thus an overflow can be
		17	introduced by receiving data with different line lengths in a specific
		18	order. This is not easy exploitable because libassuan constructs the
		19	line. However a crash has been reported and thus it might be possible
		20	to constructs an exploit.
		21
		22	CVE-id: CVE-2014-3564
		23	Reported-by: TomÃ¡Å¡ Trnka
		24	---
		25	src/engine-gpgsm.c \| 2 +-
		26	src/engine-uiserver.c \| 2 +-
		27	3 files changed, 5 insertions(+), 2 deletions(-)
		28
		29	diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
		30	index 8ec1598..3a83757 100644
		31	--- a/src/engine-gpgsm.c
		32	+++ b/src/engine-gpgsm.c
		33	@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
		34	else
		35	{
		36	*aline = newline;
		37	- gpgsm->colon.attic.linesize += linelen + 1;
		38	+ gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
		39	}
		40	}
		41	if (!err)
		42	diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
		43	index 2738c36..a7184b7 100644
		44	--- a/src/engine-uiserver.c
		45	+++ b/src/engine-uiserver.c
		46	@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
		47	else
		48	{
		49	*aline = newline;
		50	- uiserver->colon.attic.linesize += linelen + 1;
		51	+ uiserver->colon.attic.linesize = *alinelen + linelen + 1;
		52	}
		53	}
		54	if (!err)
		55	--
		56	2.1.4


diff --git a/meta/recipes-support/gpgme/gpgme_1.4.3.bb b/meta/recipes-support/gpgme/gpgme_1.4.3.bb index cba358984c..f80457842b 100644 --- a/meta/recipes-support/gpgme/gpgme_1.4.3.bb +++ b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
@@ -11,7 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
11		11
12	SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \	12	SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
13	file://gpgme.pc \	13	file://gpgme.pc \
14	file://pkgconfig.patch"	14	file://pkgconfig.patch \
		15	file://gpgme-fix-CVE-2014-3564.patch \
		16	"
15		17
16	SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"	18	SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
17	SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"	19	SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"