* [meta-oe][PATCH] dlt-daemon: add upstream patch to fix CVE-2020-29394
@ 2020-12-02 9:19 Gianfranco
0 siblings, 0 replies; 2+ messages in thread
From: Gianfranco @ 2020-12-02 9:19 UTC (permalink / raw)
To: openembedded-devel; +Cc: Gianfranco Costamagna, Gianfranco Costamagna
More information on: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976228
| A buffer overflow in the dlt_filter_load function in dlt_common.c in
| dlt-daemon 2.8.5 (GENIVI Diagnostic Log and Trace) allows arbitrary
| code execution because fscanf is misused (no limit on the number of
| characters to be read in a format argument).
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org>
---
.../dlt-daemon/dlt-daemon/275.patch | 38 +++++++++++++++++++
.../dlt-daemon/dlt-daemon_2.18.5.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
new file mode 100644
index 000000000..75065eb05
--- /dev/null
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
@@ -0,0 +1,38 @@
+Upstream-status: Backport
+CVE: CVE-2020-29394
+From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001
+From: GwanYeong Kim <gy741.kim@gmail.com>
+Date: Sat, 28 Nov 2020 12:24:46 +0900
+Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load
+
+A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument.
+
+Fixed: #274
+
+Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
+---
+ src/shared/dlt_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
+index 254f4ce4..d15b1cec 100644
+--- a/src/shared/dlt_common.c
++++ b/src/shared/dlt_common.c
+@@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
+ while (!feof(handle)) {
+ str1[0] = 0;
+
+- if (fscanf(handle, "%s", str1) != 1)
++ if (fscanf(handle, "%254s", str1) != 1)
+ break;
+
+ if (str1[0] == 0)
+@@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
+
+ str1[0] = 0;
+
+- if (fscanf(handle, "%s", str1) != 1)
++ if (fscanf(handle, "%254s", str1) != 1)
+ break;
+
+ if (str1[0] == 0)
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb
index f3fcee4d2..5066e76d3 100644
--- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \
file://0004-Modify-systemd-config-directory.patch \
file://241.patch \
file://245.patch \
+ file://275.patch \
"
SRCREV = "f1ac087c766827b1d0ed9c3a814b3cc052e948f2"
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [meta-oe][PATCH] dlt-daemon: add upstream patch to fix CVE-2020-29394
@ 2020-12-01 21:00 Gianfranco
0 siblings, 0 replies; 2+ messages in thread
From: Gianfranco @ 2020-12-01 21:00 UTC (permalink / raw)
To: openembedded-devel; +Cc: Gianfranco Costamagna, Gianfranco Costamagna
More information on: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976228
| A buffer overflow in the dlt_filter_load function in dlt_common.c in
| dlt-daemon 2.8.5 (GENIVI Diagnostic Log and Trace) allows arbitrary
| code execution because fscanf is misused (no limit on the number of
| characters to be read in a format argument).
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org>
---
.../dlt-daemon/dlt-daemon/275.patch | 36 +++++++++++++++++++
.../dlt-daemon/dlt-daemon_2.18.5.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
new file mode 100644
index 000000000..4edb62b30
--- /dev/null
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch
@@ -0,0 +1,36 @@
+From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001
+From: GwanYeong Kim <gy741.kim@gmail.com>
+Date: Sat, 28 Nov 2020 12:24:46 +0900
+Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load
+
+A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument.
+
+Fixed: #274
+
+Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
+---
+ src/shared/dlt_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
+index 254f4ce4..d15b1cec 100644
+--- a/src/shared/dlt_common.c
++++ b/src/shared/dlt_common.c
+@@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
+ while (!feof(handle)) {
+ str1[0] = 0;
+
+- if (fscanf(handle, "%s", str1) != 1)
++ if (fscanf(handle, "%254s", str1) != 1)
+ break;
+
+ if (str1[0] == 0)
+@@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
+
+ str1[0] = 0;
+
+- if (fscanf(handle, "%s", str1) != 1)
++ if (fscanf(handle, "%254s", str1) != 1)
+ break;
+
+ if (str1[0] == 0)
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb
index f3fcee4d2..5066e76d3 100644
--- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb
+++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.5.bb
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \
file://0004-Modify-systemd-config-directory.patch \
file://241.patch \
file://245.patch \
+ file://275.patch \
"
SRCREV = "f1ac087c766827b1d0ed9c3a814b3cc052e948f2"
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-12-02 9:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-02 9:19 [meta-oe][PATCH] dlt-daemon: add upstream patch to fix CVE-2020-29394 Gianfranco
-- strict thread matches above, loose matches on Subject: below --
2020-12-01 21:00 Gianfranco
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.