* [OE-core] [PATCH] libcroco: CVE-2020-12825 Security Advisory
@ 2021-01-21 6:59 Wang Mingyu
2021-01-21 10:50 ` Richard Purdie
0 siblings, 1 reply; 5+ messages in thread
From: Wang Mingyu @ 2021-01-21 6:59 UTC (permalink / raw)
To: openembedded-core; +Cc: Wang Mingyu
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12825
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
---
.../libcroco/libcroco/CVE-2020-12825.patch | 170 ++++++++++++++++++
.../libcroco/libcroco_0.6.13.bb | 2 +
2 files changed, 172 insertions(+)
create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
new file mode 100644
index 0000000000..cde0abd676
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
@@ -0,0 +1,170 @@
+Subject: [PATCH] libcroco: Limit recursion in block and any productions
+
+Signed-off-by:Michael Catanzaro @mcatanzaro
+---
+ src/cr-parser.c | 42 +++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index 18c9a01..4e5b424 100644
+--- a/src/cr-parser.c
++++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+
+ #define CHARS_TAB_SIZE 12
+
++#define RECURSIVE_CALLERS_LIMIT 100
++
+ /**
+ * IS_NUM:
+ *@a_char: the char to test.
+@@ -344,9 +346,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
+
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls);
+
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls);
+
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+
+@@ -784,7 +788,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_parser_try_to_skip_spaces_and_comments (a_this);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ } while (status == CR_OK);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -795,7 +799,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status,
+ FALSE);
+ goto done;
+@@ -930,11 +934,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+
+ } while (status == CR_OK);
+
+@@ -959,7 +963,8 @@ cr_parser_parse_selector_core (CRParser * a_this)
+ *FIXME: code this function.
+ */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
++cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token = NULL;
+ CRInputPos init_pos;
+@@ -967,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -996,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+ } else if (token->type == CBO_TK) {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ } else {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ }
+@@ -1109,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+ ref++;
+ goto continue_parsing;
+@@ -1123,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ if (status == CR_OK) {
+ ref++;
+ goto continue_parsing;
+@@ -1165,7 +1173,8 @@ cr_parser_parse_value_core (CRParser * a_this)
+ *@return CR_OK upon successfull completion, an error code otherwise.
+ */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
++cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token1 = NULL,
+ *token2 = NULL;
+@@ -1174,6 +1183,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1212,7 +1224,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ *We consider parameter as being an "any*" production.
+ */
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1237,7 +1249,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1265,7 +1277,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+--
+2.25.1
+
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
index 9171a9de5c..dbeec03c0b 100644
--- a/meta/recipes-support/libcroco/libcroco_0.6.13.bb
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \
file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \
file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e"
+SRC_URI += "file://CVE-2020-12825.patch"
+
SECTION = "x11/utils"
DEPENDS = "glib-2.0 libxml2 zlib"
BBCLASSEXTEND = "native nativesdk"
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [OE-core] [PATCH] libcroco: CVE-2020-12825 Security Advisory
2021-01-21 6:59 [OE-core] [PATCH] libcroco: CVE-2020-12825 Security Advisory Wang Mingyu
@ 2021-01-21 10:50 ` Richard Purdie
2021-01-21 11:53 ` Ross Burton
0 siblings, 1 reply; 5+ messages in thread
From: Richard Purdie @ 2021-01-21 10:50 UTC (permalink / raw)
To: Wang Mingyu, openembedded-core
On Thu, 2021-01-21 at 14:59 +0800, Wang Mingyu wrote:
> References
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12825
>
> Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
> ---
> .../libcroco/libcroco/CVE-2020-12825.patch | 170 ++++++++++++++++++
> .../libcroco/libcroco_0.6.13.bb | 2 +
> 2 files changed, 172 insertions(+)
> create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
>
> diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> new file mode 100644
> index 0000000000..cde0abd676
> --- /dev/null
> +++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> @@ -0,0 +1,170 @@
> +Subject: [PATCH] libcroco: Limit recursion in block and any productions
> +
> +Signed-off-by:Michael Catanzaro @mcatanzaro
Thanks for this, the patch has no Upstream-Status set though? Could you
resend with one please?
Cheers,
Richard
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [OE-core] [PATCH] libcroco: CVE-2020-12825 Security Advisory
2021-01-21 10:50 ` Richard Purdie
@ 2021-01-21 11:53 ` Ross Burton
2021-02-06 6:44 ` Khem Raj
0 siblings, 1 reply; 5+ messages in thread
From: Ross Burton @ 2021-01-21 11:53 UTC (permalink / raw)
To: Richard Purdie; +Cc: Wang Mingyu, OE-core
And a CVE: CVE-2020-12825 tag alongside that too would be good.
Ross
On Thu, 21 Jan 2021 at 10:50, Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Thu, 2021-01-21 at 14:59 +0800, Wang Mingyu wrote:
> > References
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12825
> >
> > Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
> > ---
> > .../libcroco/libcroco/CVE-2020-12825.patch | 170 ++++++++++++++++++
> > .../libcroco/libcroco_0.6.13.bb | 2 +
> > 2 files changed, 172 insertions(+)
> > create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> >
> > diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> > new file mode 100644
> > index 0000000000..cde0abd676
> > --- /dev/null
> > +++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> > @@ -0,0 +1,170 @@
> > +Subject: [PATCH] libcroco: Limit recursion in block and any productions
> > +
> > +Signed-off-by:Michael Catanzaro @mcatanzaro
>
> Thanks for this, the patch has no Upstream-Status set though? Could you
> resend with one please?
>
> Cheers,
>
> Richard
>
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [OE-core] [PATCH] libcroco: CVE-2020-12825 Security Advisory
2021-01-21 11:53 ` Ross Burton
@ 2021-02-06 6:44 ` Khem Raj
2021-02-06 9:00 ` Richard Purdie
0 siblings, 1 reply; 5+ messages in thread
From: Khem Raj @ 2021-02-06 6:44 UTC (permalink / raw)
To: Ross Burton; +Cc: Richard Purdie, Wang Mingyu, OE-core
I am also seeing
ERROR: libcroco-native-0.6.13-r0 do_patch: Fuzz detected:
Applying patch CVE-2020-12825.patch
patching file src/cr-parser.c
Hunk #4 succeeded at 799 with fuzz 1.
The context lines in the patches can be updated with devtool:
devtool modify libcroco-native
devtool finish --force-patch-refresh libcroco-native <layer_path>
On Thu, Jan 21, 2021 at 3:53 AM Ross Burton <ross@burtonini.com> wrote:
>
> And a CVE: CVE-2020-12825 tag alongside that too would be good.
>
> Ross
>
> On Thu, 21 Jan 2021 at 10:50, Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> >
> > On Thu, 2021-01-21 at 14:59 +0800, Wang Mingyu wrote:
> > > References
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12825
> > >
> > > Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
> > > ---
> > > .../libcroco/libcroco/CVE-2020-12825.patch | 170 ++++++++++++++++++
> > > .../libcroco/libcroco_0.6.13.bb | 2 +
> > > 2 files changed, 172 insertions(+)
> > > create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> > >
> > > diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> > > new file mode 100644
> > > index 0000000000..cde0abd676
> > > --- /dev/null
> > > +++ b/meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch
> > > @@ -0,0 +1,170 @@
> > > +Subject: [PATCH] libcroco: Limit recursion in block and any productions
> > > +
> > > +Signed-off-by:Michael Catanzaro @mcatanzaro
> >
> > Thanks for this, the patch has no Upstream-Status set though? Could you
> > resend with one please?
> >
> > Cheers,
> >
> > Richard
> >
> >
> >
> >
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [OE-core] [PATCH] libcroco: CVE-2020-12825 Security Advisory
2021-02-06 6:44 ` Khem Raj
@ 2021-02-06 9:00 ` Richard Purdie
0 siblings, 0 replies; 5+ messages in thread
From: Richard Purdie @ 2021-02-06 9:00 UTC (permalink / raw)
To: Khem Raj, Ross Burton; +Cc: Wang Mingyu, OE-core
On Fri, 2021-02-05 at 22:44 -0800, Khem Raj wrote:
> I am also seeing
>
> ERROR: libcroco-native-0.6.13-r0 do_patch: Fuzz detected:
>
> Applying patch CVE-2020-12825.patch
> patching file src/cr-parser.c
> Hunk #4 succeeded at 799 with fuzz 1.
>
>
> The context lines in the patches can be updated with devtool:
>
> devtool modify libcroco-native
> devtool finish --force-patch-refresh libcroco-native <layer_path>
There was a more recently submitted version of this. I've refreshed it,
in master-next it looks like it was whitespace damaged somehow.
Cheers,
Richard
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-02-06 9:00 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-21 6:59 [OE-core] [PATCH] libcroco: CVE-2020-12825 Security Advisory Wang Mingyu
2021-01-21 10:50 ` Richard Purdie
2021-01-21 11:53 ` Ross Burton
2021-02-06 6:44 ` Khem Raj
2021-02-06 9:00 ` Richard Purdie
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.