* [PATCH][dizzy 1/6] glibc/wscanf: CVE-2015-1472
@ 2015-12-14 12:24 Sona Sarmadi
From: Sona Sarmadi @ 2015-12-14 12:24 UTC (permalink / raw)
  To: openembedded-core

Fixes a heap buffer overflow in glibc wscanf.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
http://openwall.com/lists/oss-security/2015/02/04/1

Reference to upstream fix:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
 ...5-1472-wscanf-allocates-too-little-memory.patch | 108 +++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.20.bb              |   1 +
 2 files changed, 109 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
new file mode 100644
index 0000000..ab513aa
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
@@ -0,0 +1,108 @@
+CVE-2015-1472: wscanf allocates too little memory
+
+BZ #16618
+
+Under certain conditions wscanf can allocate too little memory for the
+to-be-scanned arguments and overflow the allocated buffer.  The
+implementation now correctly computes the required buffer size when
+using malloc.
+
+A regression test was added to tst-sscanf.
+
+Upstream-Status: Backport
+
+The patch is from (Paul Pluzhnikov <ppluzhnikov@google.com>):
+[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
+
+diff -ruN a/ChangeLog b/ChangeLog
+--- a/ChangeLog	2015-09-22 10:20:14.399408389 +0200
++++ b/ChangeLog	2015-09-22 10:33:07.374388595 +0200
+@@ -1,3 +1,12 @@
++2015-02-05  Paul Pluzhnikov  <ppluzhnikov@google.com>
++
++       [BZ #16618] CVE-2015-1472
++       * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
++       * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
++       size in bytes. Store needed elements in wpmax. Use needed size
++       in bytes for extend_alloca.
++
++
+ 2014-12-16  Florian Weimer  <fweimer@redhat.com>
+ 
+        [BZ #17630]
+diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
+--- a/stdio-common/tst-sscanf.c	2015-09-22 10:20:09.995596201 +0200
++++ b/stdio-common/tst-sscanf.c	2015-09-22 10:21:39.211791399 +0200
+@@ -233,5 +233,38 @@
+ 	}
+     }
+ 
++  /* BZ #16618
++     The test will segfault during SSCANF if the buffer overflow
++     is not fixed.  The size of `s` is such that it forces the use
++     of malloc internally and this triggers the incorrect computation.
++     Thus the value for SIZE is arbitrariy high enough that malloc
++     is used.  */
++  {
++#define SIZE 131072
++    CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
++    if (s == NULL)
++      abort ();
++    for (size_t i = 0; i < SIZE; i++)
++      s[i] = L('0');
++    s[SIZE] = L('\0');
++    int i = 42;
++    /* Scan multi-digit zero into `i`.  */
++    if (SSCANF (s, L("%d"), &i) != 1)
++      {
++	printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
++	result = 1;
++      }
++    if (i != 0)
++      {
++	printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
++	result = 1;
++      }
++    free (s);
++    if (result != 1)
++      printf ("PASS: bug16618: Did not crash.\n");
++#undef SIZE
++  }
++
++
+   return result;
+ }
+diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
+--- a/stdio-common/vfscanf.c	2015-09-22 10:20:14.051423230 +0200
++++ b/stdio-common/vfscanf.c	2015-09-22 10:21:39.215791228 +0200
+@@ -279,9 +279,10 @@
+       if (__glibc_unlikely (wpsize == wpmax))				      \
+ 	{								    \
+ 	  CHAR_T *old = wp;						    \
+-	  size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax			    \
+-			    ? UCHAR_MAX + 1 : 2 * wpmax);		    \
+-	  if (use_malloc || !__libc_use_alloca (newsize))		    \
++	  bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
++	  size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax);		    \
++	  size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX;	    \
++	  if (!__libc_use_alloca (newsize))				    \
+ 	    {								    \
+ 	      wp = realloc (use_malloc ? wp : NULL, newsize);		    \
+ 	      if (wp == NULL)						    \
+@@ -293,14 +294,13 @@
+ 		}							    \
+ 	      if (! use_malloc)						    \
+ 		MEMCPY (wp, old, wpsize);				    \
+-	      wpmax = newsize;						    \
++	      wpmax = wpneed;						    \
+ 	      use_malloc = true;					    \
+ 	    }								    \
+ 	  else								    \
+ 	    {								    \
+ 	      size_t s = wpmax * sizeof (CHAR_T);			    \
+-	      wp = (CHAR_T *) extend_alloca (wp, s,			    \
+-					     newsize * sizeof (CHAR_T));    \
++	      wp = (CHAR_T *) extend_alloca (wp, s, newsize);		    \
+ 	      wpmax = s / sizeof (CHAR_T);				    \
+ 	      if (old != NULL)						    \
+ 		MEMCPY (wp, old, wpsize);				    \
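Review bot: The rewritten condition `if (!__libc_use_alloca (newsize))` drops the old `use_malloc ||` guard, so a buffer that is already heap-allocated would be handed to `extend_alloca` if `__libc_use_alloca` ever returned true for it; this appears safe only because `newsize` never shrinks across iterations, but that invariant is implicit. A comment such as `/* newsize only grows, so once use_malloc is set __libc_use_alloca stays false */` above that line would make the reliance explicit. Passing `newsize` in bytes rather than element count to `__libc_use_alloca`, `realloc` and `extend_alloca` is the core of the fix, while `wpmax` is now kept in elements (`wpmax = wpneed`); both units live in the same macro, so the distinction deserves a comment too. In the new regression test, `if (result != 1)` controls the PASS message, yet `result` accumulates failures from earlier tests in the same main(), so a pass of this case may print nothing; a local flag would report it independently. The macro body continues beyond the hunk on both sides.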
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index a0736cd..cfbc1c2 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -48,6 +48,7 @@ CVEPATCHES = "\
         file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
         file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
         file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
+        file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
     "
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
       file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-- 
1.9.1




* [PATCH][dizzy 2/6] libxml2: CVE-2015-7942
@ 2015-12-14 12:24 ` Sona Sarmadi
From: Sona Sarmadi @ 2015-12-14 12:24 UTC (permalink / raw)
  To: openembedded-core

Fixes a heap-based buffer overflow in xmlParseConditionalSections().

Upstream patch:
https://git.gnome.org/browse/libxml2/commit/
?id=9b8512337d14c8ddf662fcb98b0135f225a1c489

Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=756456

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
 meta/recipes-core/libxml/libxml2.inc               |  1 +
 .../libxml/libxml2/CVE-2015-7942.patch             | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 840a8eb..15a2421 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -23,6 +23,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml-m4-use-pkgconfig.patch \
            file://libxml2-CVE-2014-3660.patch \
            file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
+           file://CVE-2015-7942.patch \
           "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
new file mode 100644
index 0000000..738ae94
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
@@ -0,0 +1,58 @@
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Fixes CVE-2015-7942.
+Upstream-Status: Backport
+
+Upstream patch:
+https://git.gnome.org/browse/libxml2/commit/
+?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+     } else {
+ 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++	xmlStopParser(ctxt);
++	return;
+     }
+ 
+     if (RAW == 0)
+-- 
+cgit v0.11.2
+
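Review bot: The three new `xmlStopParser(ctxt); return;` sites move responsibility to the callers of xmlParseConditionalSections, which must now check `ctxt->instate == XML_PARSER_EOF` before consuming further input; the hunks do not show those callers, so that should be confirmed against the dizzy libxml2 sources rather than assumed from the upstream tree. Note also that the `else` following each added `return` is now redundant; since this is a verbatim backport, leaving it as upstream has it is the right call, but it is worth knowing when reading the function. The function body starts and ends outside the hunks.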
-- 
1.9.1




* [PATCH][dizzy 3/6] unzip: CVE-2015-7696, CVE-2015-7697
@ 2015-12-14 12:24 ` Sona Sarmadi
From: Sona Sarmadi @ 2015-12-14 12:24 UTC (permalink / raw)
  To: openembedded-core

From: Tudor Florea <tudor.florea@enea.com>

CVE-2015-7696: Fixes a heap overflow triggered by unzipping a file with a password
CVE-2015-7697: Fixes a denial of service with a file that never finishes unzipping

References:
http://www.openwall.com/lists/oss-security/2015/10/11/5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7697

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 .../unzip/unzip/CVE-2015-7696.patch                | 38 ++++++++++++++++++++++
 .../unzip/unzip/CVE-2015-7697.patch                | 31 ++++++++++++++++++
 meta/recipes-extended/unzip/unzip_6.0.bb           |  2 ++
 3 files changed, 71 insertions(+)
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch

diff --git a/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch b/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
new file mode 100644
index 0000000..ea93823
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
@@ -0,0 +1,38 @@
+Upstream-Status: Backport
+Signed-off-by: Tudor Florea <tudor.flore@enea.com>
+
+From 68efed87fabddd450c08f3112f62a73f61d493c9 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Mon, 14 Sep 2015 18:23:17 +0200
+Subject: [PATCH 1/2] upstream fix for heap overflow
+
+https://bugzilla.redhat.com/attachment.cgi?id=1073002
+---
+ crypt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/crypt.c b/crypt.c
+index 784e411..a8975f2 100644
+--- a/crypt.c
++++ b/crypt.c
+@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
+     GLOBAL(pInfo->encrypted) = FALSE;
+     defer_leftover_input(__G);
+     for (n = 0; n < RAND_HEAD_LEN; n++) {
+-        b = NEXTBYTE;
++        /* 2012-11-23 SMS.  (OUSPG report.)
++         * Quit early if compressed size < HEAD_LEN.  The resulting
++         * error message ("unable to get password") could be improved,
++         * but it's better than trying to read nonexistent data, and
++         * then continuing with a negative G.csize.  (See
++         * fileio.c:readbyte()).
++         */
++        if ((b = NEXTBYTE) == (ush)EOF)
++        {
++            return PK_ERR;
++        }
+         h[n] = (uch)b;
+         Trace((stdout, " (%02x)", h[n]));
+     }
+-- 
+2.4.6
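Review bot: The new `return PK_ERR;` inside the RAND_HEAD_LEN loop exits after `defer_leftover_input(__G)` has been called on the line above the loop, so if decrypt() normally balances that with an undefer call later in the function (outside the hunk), that balance is skipped on this path; worth confirming, and if so a comment at the return stating that the caller is expected to restore input state. The comparison `(b = NEXTBYTE) == (ush)EOF` is only correct if `b` is declared as `ush`, so that the EOF value wraps to the same 16-bit pattern on both sides; `b`'s declaration is outside the hunk, so please check it, or compare the NEXTBYTE result before the narrowing assignment. The enclosing function continues past the hunk.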
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch b/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
new file mode 100644
index 0000000..da68988
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
@@ -0,0 +1,31 @@
+Upstream-Status: Backport
+Signed-off-by: Tudor Florea <tudor.flore@enea.com>
+
+From bd8a743ee0a77e65ad07ef4196c4cd366add3f26 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 14 Sep 2015 18:24:56 +0200
+Subject: [PATCH 2/2] fix infinite loop when extracting empty bzip2 data
+
+---
+ extract.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/extract.c b/extract.c
+index 7134bfe..29db027 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2733,6 +2733,12 @@ __GDEF
+     int repeated_buf_err;
+     bz_stream bstrm;
+ 
++    if (G.incnt <= 0 && G.csize <= 0L) {
++        /* avoid an infinite loop */
++        Trace((stderr, "UZbunzip2() got empty input\n"));
++        return 2;
++    }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+     if (G.redirect_slide)
+         wsize = G.redirect_size, redirSlide = G.redirect_buffer;
+-- 
+2.4.6
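Review bot: The early `return 2;` uses a bare integer where the sibling patch in this series (CVE-2015-7696.patch) returns the named `PK_ERR`; 2 matches PK_ERR in unzip's headers as far as I recall, so `return PK_ERR;` would document the meaning instead of leaving the reader to look it up. The guard `G.incnt <= 0 && G.csize <= 0L` refuses to enter the decompression loop with nothing buffered and nothing left to read, which is what the infinite loop needed; the `Trace` call only emits in debug builds, so a release build returns silently, consistent with the surrounding code. The function (UZbunzip2) begins and ends outside the hunk.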
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index e590f81..acbc837 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -14,6 +14,8 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
 	file://09-cve-2014-8139-crc-overflow.patch \
 	file://10-cve-2014-8140-test-compr-eb.patch \
 	file://11-cve-2014-8141-getzip64data.patch \
+	file://CVE-2015-7696.patch \
+	file://CVE-2015-7697.patch \
 "
 
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
-- 
1.9.1




* [PATCH][dizzy 4/6] grep2.19: CVE-2015-1345
@ 2015-12-14 12:24 ` Sona Sarmadi
From: Sona Sarmadi @ 2015-12-14 12:24 UTC (permalink / raw)
  To: openembedded-core

Fixes a heap-based buffer overflow flaw in grep.
Affected versions: grep 2.19 through 2.21.

Upstream fix:
http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 .../grep/grep-2.19/grep2.19-CVE-2015-1345.patch    | 129 +++++++++++++++++++++
 meta/recipes-extended/grep/grep_2.19.bb            |   4 +-
 2 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch

diff --git a/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
new file mode 100644
index 0000000..32846f5
--- /dev/null
+++ b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
@@ -0,0 +1,129 @@
+From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
+From: Yuliy Pisetsky <ypisetsky@fb.com>
+Date: Thu, 01 Jan 2015 23:36:55 +0000
+Subject: grep -F: fix a heap buffer (read) overrun
+
+grep's read buffer is often filled to its full size, except when
+reading the final buffer of a file.  In that case, the number of
+bytes read may be far less than the size of the buffer.  However, for
+certain unusual pattern/text combinations, grep -F would mistakenly
+examine bytes in that uninitialized region of memory when searching
+for a match.  With carefully chosen inputs, one can cause grep -F to
+read beyond the end of that buffer altogether.  This problem arose via
+commit v2.18-90-g73893ff with the introduction of a more efficient
+heuristic using what is now the memchr_kwset function. The use of
+that function in bmexec_trans could leave TP much larger than EP,
+and the subsequent call to bm_delta2_search would mistakenly access
+beyond end of the main input read buffer.
+
+* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
+do not call bm_delta2_search.
+* tests/kwset-abuse: New file.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS (Bug fixes): Mention it.
+
+Prior to this patch, this command would trigger a UMR:
+
+  printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
+
+  Use of uninitialised value of size 8
+     at 0x4142BE: bmexec_trans (kwset.c:657)
+     by 0x4143CA: bmexec (kwset.c:678)
+     by 0x414973: kwsexec (kwset.c:848)
+     by 0x414DC4: Fexecute (kwsearch.c:128)
+     by 0x404E2E: grepbuf (grep.c:1238)
+     by 0x4054BF: grep (grep.c:1417)
+     by 0x405CEB: grepdesc (grep.c:1645)
+     by 0x405EC1: grep_command_line_arg (grep.c:1692)
+     by 0x4077D4: main (grep.c:2570)
+
+See the accompanying test for how to trigger the heap buffer overrun.
+
+Thanks to Nima Aghdaii for testing and finding numerous
+ways to break early iterations of this patch.
+
+Fixes CVE-2015-1345.
+Upstream-Status: Backport
+
+---
+diff --git a/NEWS b/NEWS
+index 975440d..3835d8d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -2,6 +2,11 @@ GNU grep NEWS                                    -*- outline -*-
+ 
+ * Noteworthy changes in release ?.? (????-??-??) [?]
+ 
++** Bug fixes
++
++  grep no longer reads from uninitialized memory or from beyond the end
++  of the heap-allocated input buffer.
++
+ 
+ * Noteworthy changes in release 2.21 (2014-11-23) [stable]
+ 
+diff --git a/src/kwset.c b/src/kwset.c
+index 4003c8d..376f7c3 100644
+--- a/src/kwset.c
++++ b/src/kwset.c
+@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
+                     if (! tp)
+                       return -1;
+                     tp++;
++                    if (ep <= tp)
++                      break;
+                   }
+               }
+           }
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 2cba2cd..0508cd2 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -75,6 +75,7 @@ TESTS =						\
+   inconsistent-range				\
+   invalid-multibyte-infloop			\
+   khadafy					\
++  kwset-abuse					\
+   long-line-vs-2GiB-read			\
+   match-lines					\
+   max-count-overread				\
+diff --git a/tests/kwset-abuse b/tests/kwset-abuse
+new file mode 100755
+index 0000000..6d8ec0c
+--- a/dev/null
++++ b/tests/kwset-abuse
+@@ -0,0 +1,32 @@
++#! /bin/sh
++# Evoke a segfault in a hard-to-reach code path of kwset.c.
++# This bug affected grep versions 2.19 through 2.21.
++#
++# Copyright (C) 2015 Free Software Foundation, Inc.
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++. "${srcdir=.}/init.sh"; path_prepend_ ../src
++
++fail=0
++
++# This test case chooses a haystack of size 260,000, since prodding
++# with gdb showed a reallocation slightly larger than that in fillbuf.
++# To reach the buggy code, the needle must have length < 1/11 that of
++# the haystack, and 10,000 is a nice round number that fits the bill.
++printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0)
++
++test $? = 1 || fail=1
++
++Exit $fail
+--
+cgit v0.9.0.2
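Review bot: The file header for the new test, `--- a/dev/null`, is malformed — git writes `--- /dev/null` for created files — so tooling that keys on the literal `/dev/null` path rather than the `-0,0` range or `new file mode` may not recognise the creation; normalising that line before committing the patch avoids depending on tool behaviour. The kwset.c change itself, `if (ep <= tp) break;` after `tp++`, stops the inner loop once the text pointer reaches the end so the subsequent delta2 search is not fed a pointer at or past `ep`; the outer loop's handling after the `break` is outside the hunk, so whether it rechecks `tp` against `ep` cannot be confirmed here. The test file is also created with mode 100755 but only its content is in the diff; if the patch is applied with `patch`/quilt rather than `git apply`, the executable bit may be lost, which matters only if the test suite runs during the build.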
diff --git a/meta/recipes-extended/grep/grep_2.19.bb b/meta/recipes-extended/grep/grep_2.19.bb
index 9c162cc..d60ce5e 100644
--- a/meta/recipes-extended/grep/grep_2.19.bb
+++ b/meta/recipes-extended/grep/grep_2.19.bb
@@ -5,7 +5,9 @@ SECTION = "console/utils"
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=8006d9c814277c1bfc4ca22af94b59ee"
 
-SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz"
+SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz \
+           file://grep2.19-CVE-2015-1345.patch \
+           "
 
 SRC_URI[md5sum] = "ac732142227d9fe9567d71301e127979"
 SRC_URI[sha256sum] = "6388295be48cfcaf7665d9cd3914e6625ea000e9414132bfefd45cf1d8eec34d"
-- 
1.9.1




* [PATCH][dizzy 5/6] libxml2: CVE-2015-8035
@ 2015-12-14 12:24 ` Sona Sarmadi
From: Sona Sarmadi @ 2015-12-14 12:24 UTC (permalink / raw)
  To: openembedded-core

Fixes a DoS when parsing a specially crafted XML document
if XZ support is enabled.

References:
https://bugzilla.gnome.org/show_bug.cgi?id=757466

Upstream correction:
https://git.gnome.org/browse/libxml2/commit/?id=
f0709e3ca8f8947f2d91ed34e92e38a4c23eae63

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 meta/recipes-core/libxml/libxml2.inc               |  1 +
 .../libxml/libxml2/CVE-2015-8035.patch             | 35 ++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 15a2421..d5e263b 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -24,6 +24,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml2-CVE-2014-3660.patch \
            file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
            file://CVE-2015-7942.patch \
+           file://CVE-2015-8035.patch \
           "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
new file mode 100644
index 0000000..d08693f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
@@ -0,0 +1,35 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+             return -1;
+         }
++        if (ret == LZMA_PROG_ERROR) {
++            xz_error(state, LZMA_PROG_ERROR, "compression error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+cgit v0.11.2
+
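Review bot: The new branch only adds `LZMA_PROG_ERROR` to the codes that terminate the `do { … } while (strm->avail_out && ret != LZMA_STREAM_END)` loop; the hunk does not show how other non-success codes that make no progress on `avail_out` are handled, so it is worth confirming against the dizzy xzlib.c that each of them has an exit, otherwise a similar hang remains reachable. The upstream header above also states that XZ support was not compiled in for 2.9.2 and was re-enabled in a follow-up commit; if the dizzy libxml2 recipe does not build xzlib.c this patch is inert, and the recipe's xz configuration should be checked so that the CVE status it records matches what is actually built. The string `"compression error"` is emitted from the decompression path; it is upstream wording and should stay, but do not rely on it when searching logs for decompression failures.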
-- 
1.9.1




* [PATCH][dizzy 6/6] libxml2: CVE-2015-8241
@ 2015-12-14 12:24 ` Sona Sarmadi
From: Sona Sarmadi @ 2015-12-14 12:24 UTC (permalink / raw)
  To: openembedded-core

Upstream bug (contains reproducer):
https://bugzilla.gnome.org/show_bug.cgi?id=756263

Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=
ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 meta/recipes-core/libxml/libxml2.inc               |  1 +
 .../libxml/libxml2/CVE-2015-8241.patch             | 41 ++++++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index d5e263b..2dafeb4 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -25,6 +25,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
            file://CVE-2015-7942.patch \
            file://CVE-2015-8035.patch \
+           file://CVE-2015-8241.patch \
           "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
new file mode 100644
index 0000000..98b30f0
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
@@ -0,0 +1,41 @@
+From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Tue, 3 Nov 2015 20:40:49 +0800
+Subject: Avoid extra processing of MarkupDecl when EOF
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756263
+
+One place where ctxt->instate == XML_PARSER_EOF whic was set up
+by entity detection issues doesn't get noticed, and even overrided
+
+Fixes CVE-2015-8241.
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index d67b300..134afe7 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6972,6 +6972,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt) {
+ 	    xmlParsePI(ctxt);
+ 	}
+     }
++
++    /*
++     * detect requirement to exit there and act accordingly
++     * and avoid having instate overriden later on
++     */
++    if (ctxt->instate == XML_PARSER_EOF)
++        return;
++
+     /*
+      * This is only for internal subset. On external entities,
+      * the replacement is done before parsing stage
+-- 
+cgit v0.11.2
+
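Review bot: The commit message for this patch (the mail body) gives only the upstream bug and patch links, while the other five patches in the series open with a one-line description of the flaw; a single sentence taken from the upstream bug report, placed above `Upstream bug (contains reproducer):`, would make the series self-describing for anyone auditing CVE coverage later. In the code, the new `if (ctxt->instate == XML_PARSER_EOF) return;` guards only the statements that follow it, so the xmlParsePI and sibling branches earlier in the function (outside the hunk) have already run by the time it is evaluated; that is the upstream placement and fine, but the hunk alone does not show whether the later code is the only place that overrides the state. xmlParseMarkupDecl begins and ends outside the hunk.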
-- 
1.9.1




* Re: [PATCH][dizzy 1/6] glibc/wscanf: CVE-2015-1472
@ 2015-12-15  0:52 ` Khem Raj
From: Khem Raj @ 2015-12-15  0:52 UTC (permalink / raw)
  To: Sona Sarmadi; +Cc: openembedded-core



> On Dec 14, 2015, at 4:24 AM, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
> 
> Fixes a heap buffer overflow in glibc wscanf.
> 
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
> https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
> http://openwall.com/lists/oss-security/2015/02/04/1
> 
> Reference to upstream fix:
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06

this is ok.

> 
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
> ---
> ...5-1472-wscanf-allocates-too-little-memory.patch | 108 +++++++++++++++++++++
> meta/recipes-core/glibc/glibc_2.20.bb              |   1 +
> 2 files changed, 109 insertions(+)
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> 
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> new file mode 100644
> index 0000000..ab513aa
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> @@ -0,0 +1,108 @@
> +CVE-2015-1472: wscanf allocates too little memory
> +
> +BZ #16618
> +
> +Under certain conditions wscanf can allocate too little memory for the
> +to-be-scanned arguments and overflow the allocated buffer.  The
> +implementation now correctly computes the required buffer size when
> +using malloc.
> +
> +A regression test was added to tst-sscanf.
> +
> +Upstream-Status: Backport
> +
> +The patch is from (Paul Pluzhnikov <ppluzhnikov@google.com>):
> +[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
> +
> +diff -ruN a/ChangeLog b/ChangeLog
> +--- a/ChangeLog	2015-09-22 10:20:14.399408389 +0200
> ++++ b/ChangeLog	2015-09-22 10:33:07.374388595 +0200
> +@@ -1,3 +1,12 @@
> ++2015-02-05  Paul Pluzhnikov  <ppluzhnikov@google.com>
> ++
> ++       [BZ #16618] CVE-2015-1472
> ++       * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
> ++       * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
> ++       size in bytes. Store needed elements in wpmax. Use needed size
> ++       in bytes for extend_alloca.
> ++
> ++
> + 2014-12-16  Florian Weimer  <fweimer@redhat.com>
> +
> +        [BZ #17630]
> +diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
> +--- a/stdio-common/tst-sscanf.c	2015-09-22 10:20:09.995596201 +0200
> ++++ b/stdio-common/tst-sscanf.c	2015-09-22 10:21:39.211791399 +0200
> +@@ -233,5 +233,38 @@
> + 	}
> +     }
> +
> ++  /* BZ #16618
> ++     The test will segfault during SSCANF if the buffer overflow
> ++     is not fixed.  The size of `s` is such that it forces the use
> ++     of malloc internally and this triggers the incorrect computation.
> ++     Thus the value for SIZE is arbitrariy high enough that malloc
> ++     is used.  */
> ++  {
> ++#define SIZE 131072
> ++    CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
> ++    if (s == NULL)
> ++      abort ();
> ++    for (size_t i = 0; i < SIZE; i++)
> ++      s[i] = L('0');
> ++    s[SIZE] = L('\0');
> ++    int i = 42;
> ++    /* Scan multi-digit zero into `i`.  */
> ++    if (SSCANF (s, L("%d"), &i) != 1)
> ++      {
> ++	printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
> ++	result = 1;
> ++      }
> ++    if (i != 0)
> ++      {
> ++	printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
> ++	result = 1;
> ++      }
> ++    free (s);
> ++    if (result != 1)
> ++      printf ("PASS: bug16618: Did not crash.\n");
> ++#undef SIZE
> ++  }
> ++
> ++
> +   return result;
> + }
> +diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
> +--- a/stdio-common/vfscanf.c	2015-09-22 10:20:14.051423230 +0200
> ++++ b/stdio-common/vfscanf.c	2015-09-22 10:21:39.215791228 +0200
> +@@ -279,9 +279,10 @@
> +       if (__glibc_unlikely (wpsize == wpmax))				      \
> + 	{								    \
> + 	  CHAR_T *old = wp;						    \
> +-	  size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax			    \
> +-			    ? UCHAR_MAX + 1 : 2 * wpmax);		    \
> +-	  if (use_malloc || !__libc_use_alloca (newsize))		    \
> ++	  bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
> ++	  size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax);		    \
> ++	  size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX;	    \
> ++	  if (!__libc_use_alloca (newsize))				    \
> + 	    {								    \
> + 	      wp = realloc (use_malloc ? wp : NULL, newsize);		    \
> + 	      if (wp == NULL)						    \
> +@@ -293,14 +294,13 @@
> + 		}							    \
> + 	      if (! use_malloc)						    \
> + 		MEMCPY (wp, old, wpsize);				    \
> +-	      wpmax = newsize;						    \
> ++	      wpmax = wpneed;						    \
> + 	      use_malloc = true;					    \
> + 	    }								    \
> + 	  else								    \
> + 	    {								    \
> + 	      size_t s = wpmax * sizeof (CHAR_T);			    \
> +-	      wp = (CHAR_T *) extend_alloca (wp, s,			    \
> +-					     newsize * sizeof (CHAR_T));    \
> ++	      wp = (CHAR_T *) extend_alloca (wp, s, newsize);		    \
> + 	      wpmax = s / sizeof (CHAR_T);				    \
> + 	      if (old != NULL)						    \
> + 		MEMCPY (wp, old, wpsize);				    \
> diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
> index a0736cd..cfbc1c2 100644
> --- a/meta/recipes-core/glibc/glibc_2.20.bb
> +++ b/meta/recipes-core/glibc/glibc_2.20.bb
> @@ -48,6 +48,7 @@ CVEPATCHES = "\
>         file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
>         file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
>         file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
> +        file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
>     "
> LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
>       file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
> --
> 1.9.1
> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core




* Re: [PATCH][dizzy 1/6] glibc/wscanf: CVE-2015-1472
@ 2015-12-17 16:35 ` akuster808
  6 siblings, 0 replies; 8+ messages in thread
From: akuster808 @ 2015-12-17 16:35 UTC (permalink / raw)
  To: Sona Sarmadi, openembedded-core

All patches in the series merged to staging.

git@git.yoctoproject.org/poky-contrib.git akuster/dizzy-next

thanks,
Armin

On 12/14/2015 04:24 AM, Sona Sarmadi wrote:
> Fixes a heap buffer overflow in glibc wscanf.
> 
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
> https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
> http://openwall.com/lists/oss-security/2015/02/04/1
> 
> Reference to upstream fix:
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
> 
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
> ---
>  ...5-1472-wscanf-allocates-too-little-memory.patch | 108 +++++++++++++++++++++
>  meta/recipes-core/glibc/glibc_2.20.bb              |   1 +
>  2 files changed, 109 insertions(+)
>  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> 
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> new file mode 100644
> index 0000000..ab513aa
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> @@ -0,0 +1,108 @@
> +CVE-2015-1472: wscanf allocates too little memory
> +
> +BZ #16618
> +
> +Under certain conditions wscanf can allocate too little memory for the
> +to-be-scanned arguments and overflow the allocated buffer.  The
> +implementation now correctly computes the required buffer size when
> +using malloc.
> +
> +A regression test was added to tst-sscanf.
> +
> +Upstream-Status: Backport
> +
> +The patch is from (Paul Pluzhnikov <ppluzhnikov@google.com>):
> +[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
> +
> +diff -ruN a/ChangeLog b/ChangeLog
> +--- a/ChangeLog	2015-09-22 10:20:14.399408389 +0200
> ++++ b/ChangeLog	2015-09-22 10:33:07.374388595 +0200
> +@@ -1,3 +1,12 @@
> ++2015-02-05  Paul Pluzhnikov  <ppluzhnikov@google.com>
> ++
> ++       [BZ #16618] CVE-2015-1472
> ++       * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
> ++       * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
> ++       size in bytes. Store needed elements in wpmax. Use needed size
> ++       in bytes for extend_alloca.
> ++
> ++
> + 2014-12-16  Florian Weimer  <fweimer@redhat.com>
> + 
> +        [BZ #17630]
> +diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
> +--- a/stdio-common/tst-sscanf.c	2015-09-22 10:20:09.995596201 +0200
> ++++ b/stdio-common/tst-sscanf.c	2015-09-22 10:21:39.211791399 +0200
> +@@ -233,5 +233,38 @@
> + 	}
> +     }
> + 
> ++  /* BZ #16618
> ++     The test will segfault during SSCANF if the buffer overflow
> ++     is not fixed.  The size of `s` is such that it forces the use
> ++     of malloc internally and this triggers the incorrect computation.
> ++     Thus the value for SIZE is arbitrariy high enough that malloc
> ++     is used.  */
> ++  {
> ++#define SIZE 131072
> ++    CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
> ++    if (s == NULL)
> ++      abort ();
> ++    for (size_t i = 0; i < SIZE; i++)
> ++      s[i] = L('0');
> ++    s[SIZE] = L('\0');
> ++    int i = 42;
> ++    /* Scan multi-digit zero into `i`.  */
> ++    if (SSCANF (s, L("%d"), &i) != 1)
> ++      {
> ++	printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
> ++	result = 1;
> ++      }
> ++    if (i != 0)
> ++      {
> ++	printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
> ++	result = 1;
> ++      }
> ++    free (s);
> ++    if (result != 1)
> ++      printf ("PASS: bug16618: Did not crash.\n");
> ++#undef SIZE
> ++  }
> ++
> ++
> +   return result;
> + }
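Review bot: The `PASS: bug16618` line at the end of the new block is gated on the function-wide `result`, which earlier tests in `main` may already have set to 1 (the block is appended after them and `return result` follows), so a failure elsewhere suppresses this test's PASS and the message does not actually reflect this case. Track the outcome locally: `int ok = 1;` beside `int i = 42;`, `ok = 0;` in both failure branches next to `result = 1;`, and `if (ok) printf ("PASS: bug16618: Did not crash.\n");`. The comment should also say that with `sizeof (CHAR_T) == 1` the old byte-versus-element confusion could not overflow, so the narrow build is only a smoke check and the crash the comment promises is expected from the wide-character build that the `CHAR`/`L()`/`SSCANF` macros suggest exists. Minor: `arbitrariy` in the comment is a typo, and reusing `i` for the loop index and then the scanned value reads poorly. `main` starts outside the hunk.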
> +diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
> +--- a/stdio-common/vfscanf.c	2015-09-22 10:20:14.051423230 +0200
> ++++ b/stdio-common/vfscanf.c	2015-09-22 10:21:39.215791228 +0200
> +@@ -279,9 +279,10 @@
> +       if (__glibc_unlikely (wpsize == wpmax))				      \
> + 	{								    \
> + 	  CHAR_T *old = wp;						    \
> +-	  size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax			    \
> +-			    ? UCHAR_MAX + 1 : 2 * wpmax);		    \
> +-	  if (use_malloc || !__libc_use_alloca (newsize))		    \
> ++	  bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
> ++	  size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax);		    \
> ++	  size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX;	    \
> ++	  if (!__libc_use_alloca (newsize))				    \
> + 	    {								    \
> + 	      wp = realloc (use_malloc ? wp : NULL, newsize);		    \
> + 	      if (wp == NULL)						    \
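Review bot: The new condition `if (!__libc_use_alloca (newsize))` drops the old `use_malloc ||`, so a buffer already on the heap stays on the heap only because `__libc_use_alloca` is assumed monotone in its argument and `newsize` only grows from one expansion to the next; if that ever stopped holding, the else branch (past this hunk) would pass a heap pointer to `extend_alloca` and leak it while `use_malloc` remains true. Either keep `if (use_malloc || !__libc_use_alloca (newsize))`, which costs nothing, or document the dependence above the condition with `/* newsize only grows, so once alloca was refused it stays refused.  */`. Note also that `realloc` overwrites `wp` directly, which is safe only because `old` still holds the previous pointer for the failure path that continues beyond the hunk; a comment on `CHAR_T *old = wp;` saying it is kept for that path would help. The enclosing macro body starts and ends outside the hunk.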
> +@@ -293,14 +294,13 @@
> + 		}							    \
> + 	      if (! use_malloc)						    \
> + 		MEMCPY (wp, old, wpsize);				    \
> +-	      wpmax = newsize;						    \
> ++	      wpmax = wpneed;						    \
> + 	      use_malloc = true;					    \
> + 	    }								    \
> + 	  else								    \
> + 	    {								    \
> + 	      size_t s = wpmax * sizeof (CHAR_T);			    \
> +-	      wp = (CHAR_T *) extend_alloca (wp, s,			    \
> +-					     newsize * sizeof (CHAR_T));    \
> ++	      wp = (CHAR_T *) extend_alloca (wp, s, newsize);		    \
> + 	      wpmax = s / sizeof (CHAR_T);				    \
> + 	      if (old != NULL)						    \
> + 		MEMCPY (wp, old, wpsize);				    \
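Review bot: The fix is a units fix, yet no line in this branch records which unit each variable carries: `wpmax` and `wpneed` are element counts, `newsize` and `s` are byte counts, which is why `wpmax = wpneed` replaces `wpmax = newsize` and `extend_alloca` now receives `newsize` bare. A comment at the top of the else branch, e.g. `/* wpmax/wpneed are element counts; newsize and s are bytes.  */`, would keep the next edit from reintroducing the overflow. It is also only implicit that this alloca path is reached solely when `fits` held, because otherwise `newsize` is `SIZE_MAX` and `__libc_use_alloca` refuses it, so `newsize` here is never the sentinel; that is worth stating in the same comment. The rest of the macro body lies outside this hunk.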
> diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
> index a0736cd..cfbc1c2 100644
> --- a/meta/recipes-core/glibc/glibc_2.20.bb
> +++ b/meta/recipes-core/glibc/glibc_2.20.bb
> @@ -48,6 +48,7 @@ CVEPATCHES = "\
>          file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
>          file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
>          file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
> +        file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
>      "
>  LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
>        file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
> 


