* [Jethro][PATCH 1/2] uclibc: Security fix CVE-2016-2224
@ 2016-02-11 2:59 Armin Kuster
From: Armin Kuster @ 2016-02-11 2:59 UTC
To: akuster, openembedded-core
From: Armin Kuster <akuster@mvista.com>
CVE-2016-2224 Do not follow compressed items forever.
This change is being provided to comply with Yocto compatibility.
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/uclibc/uclibc-git.inc | 1 +
.../uclibc/uclibc-git/CVE-2016-2224.patch | 49 ++++++++++++++++++++++
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch
diff --git a/meta/recipes-core/uclibc/uclibc-git.inc b/meta/recipes-core/uclibc/uclibc-git.inc
index dcb616d..d3fb2a8 100644
--- a/meta/recipes-core/uclibc/uclibc-git.inc
+++ b/meta/recipes-core/uclibc/uclibc-git.inc
@@ -19,5 +19,6 @@ SRC_URI = "git://uclibc.org/uClibc.git;branch=master \
file://0001-gcc5-optimizes-away-the-write-only-static-functions-.patch \
file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \
file://0001-wire-in-syncfs.patch \
+ file://CVE-2016-2224.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch
new file mode 100644
index 0000000..218b60a
--- /dev/null
+++ b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch
@@ -0,0 +1,49 @@
+From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
+From: Waldemar Brodkorb <wbx@openadk.org>
+Date: Sun, 17 Jan 2016 15:47:22 +0100
+Subject: [PATCH] Do not follow compressed items forever.
+
+It is possible to get stuck in an infinite loop when receiving a
+specially crafted DNS reply. Exit the loop after a number of iteration
+and consider the packet invalid.
+
+Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
+Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
+
+Upstream-status: Backport
+http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515
+
+CVE: CVE-2016-2224
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libc/inet/resolv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: git/libc/inet/resolv.c
+===================================================================
+--- git.orig/libc/inet/resolv.c
++++ git/libc/inet/resolv.c
+@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
+ bool measure = 1;
+ unsigned total = 0;
+ unsigned used = 0;
++ unsigned maxiter = 256;
+
+ if (!packet)
+ return -1;
+
+- while (1) {
++ while (--maxiter) {
+ if (offset >= packet_len)
+ return -1;
+ b = packet[offset++];
+@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
+ else
+ dest[used++] = '\0';
+ }
++ if (!maxiter)
++ return -1;
+
+ /* The null byte must be counted too */
+ if (measure)
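Review bot: In the embedded resolv.c change, `unsigned maxiter = 256;` is an unexplained constant, and because the loop condition is `while (--maxiter)` the body runs at most 255 times, not 256. Each pass of the loop decrements the counter whatever it decodes, so the limit applies to the whole decode rather than only to followed compression pointers. Suggest a named constant with a comment saying what it bounds and why that value cannot reject a valid name. Separately, the header tag here is spelled `Upstream-status:` while 2/2 uses `Upstream-Status:`; the two should be made consistent.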
--
2.3.5
* [Jethro][PATCH 2/2] uclibc: Security fix CVE-2016-2225
@ 2016-02-11 2:59 ` Armin Kuster
From: Armin Kuster @ 2016-02-11 2:59 UTC
To: akuster, openembedded-core
From: Armin Kuster <akuster@mvista.com>
CVE-2016-2225 Make sure to always terminate decoded string
This change is being provided to comply with Yocto compatibility.
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/uclibc/uclibc-git.inc | 1 +
.../uclibc/uclibc-git/CVE-2016-2225.patch | 32 ++++++++++++++++++++++
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-core/uclibc/uclibc-git/CVE-2016-2225.patch
diff --git a/meta/recipes-core/uclibc/uclibc-git.inc b/meta/recipes-core/uclibc/uclibc-git.inc
index d3fb2a8..b718479 100644
--- a/meta/recipes-core/uclibc/uclibc-git.inc
+++ b/meta/recipes-core/uclibc/uclibc-git.inc
@@ -20,5 +20,6 @@ SRC_URI = "git://uclibc.org/uClibc.git;branch=master \
file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \
file://0001-wire-in-syncfs.patch \
file://CVE-2016-2224.patch \
+ file://CVE-2016-2225.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2225.patch b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2225.patch
new file mode 100644
index 0000000..0217e4b
--- /dev/null
+++ b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2225.patch
@@ -0,0 +1,32 @@
+From bb01edff0377f2585ce304ecbadcb7b6cde372ac Mon Sep 17 00:00:00 2001
+From: Waldemar Brodkorb <wbx@openadk.org>
+Date: Mon, 25 Jan 2016 21:11:34 +0100
+Subject: [PATCH] Make sure to always terminate decoded string
+
+Write a terminating '\0' to dest when the first byte of the encoded data
+is 0. This corner case was previously missed.
+
+Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
+Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
+
+Upstream-Status: Backport
+http://repo.or.cz/uclibc-ng.git/commit/bb01edff0377f2585ce304ecbadcb7b6cde372ac
+CVE: CVE-2016-2225
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libc/inet/resolv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: git/libc/inet/resolv.c
+===================================================================
+--- git.orig/libc/inet/resolv.c
++++ git/libc/inet/resolv.c
+@@ -671,6 +671,7 @@ int __decode_dotted(const unsigned char
+ if (!packet)
+ return -1;
+
++ dest[0] = '\0';
+ while (--maxiter) {
+ if (offset >= packet_len)
+ return -1;
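Review bot: `dest[0] = '\0';` in the embedded resolv.c hunk is written before the loop with only `packet` checked for NULL; nothing in the visible lines guards against a NULL `dest` or a zero-length destination buffer. Please confirm that every caller of `__decode_dotted` passes a writable buffer of at least one byte, or add the guard next to `if (!packet)`. The context line `while (--maxiter)` also means this patch only applies on top of CVE-2016-2224.patch, which the SRC_URI ordering in this series satisfies.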
--
2.3.5