From: "Anuj Mittal" <anuj.mittal@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [hardknott][PATCH 10/28] libconvert-asn1-perl: fix CVE-2013-7488
Date: Fri, 16 Jul 2021 10:42:08 +0800
Message-ID: <9010ccd086c5895902308f6cf185c930ce63e5eb.1626403078.git.anuj.mittal@intel.com>
In-Reply-To: <cover.1626403078.git.anuj.mittal@intel.com>

From: Changqing Li <changqing.li@windriver.com>

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../libconvert-asn1-perl/CVE-2013-7488.patch  | 35 +++++++++++++++++++
 .../perl/libconvert-asn1-perl_0.27.bb         |  3 +-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/perl/libconvert-asn1-perl/CVE-2013-7488.patch

diff --git a/meta/recipes-extended/perl/libconvert-asn1-perl/CVE-2013-7488.patch b/meta/recipes-extended/perl/libconvert-asn1-perl/CVE-2013-7488.patch
new file mode 100644
index 0000000000..d0aca65393
--- /dev/null
+++ b/meta/recipes-extended/perl/libconvert-asn1-perl/CVE-2013-7488.patch
@@ -0,0 +1,35 @@
+From 8070c6a4931801b6550c79c5766dfd3a99976036 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 8 Jul 2021 14:48:36 +0800
+Subject: [PATCH] Merge pull request #15 from danaj/danaj/unsafe-decoding
+
+Upstream-Status: Backport[https://github.com/gbarr/perl-Convert-ASN1/commit/108e784417db7893f348c381c837537c3bd39373]
+CVE: CVE-2013-7488
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ lib/Convert/ASN1/_decode.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/Convert/ASN1/_decode.pm b/lib/Convert/ASN1/_decode.pm
+index cd173f9..495e1bf 100644
+--- a/lib/Convert/ASN1/_decode.pm
++++ b/lib/Convert/ASN1/_decode.pm
+@@ -683,12 +683,14 @@ sub _scan_indef {
+       $pos += 2;
+       next;
+     }
++    return if $pos >= $end;
+ 
+     my $tag = substr($_[0], $pos++, 1);
+ 
+     if((unpack("C",$tag) & 0x1f) == 0x1f) {
+       my $b;
+       do {
++        return if $pos >= $end;
+ 	$tag .= substr($_[0],$pos++,1);
+ 	$b = ord substr($tag,-1);
+       } while($b & 0x80);
+-- 
+2.17.1
+
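Review bot: The header line `Upstream-Status: Backport[https://github.com/gbarr/perl-Convert-ASN1/commit/108e...]` has no space between `Backport` and the bracketed URL; the usual form is `Upstream-Status: Backport [<url>]`, and it is worth normalising so the tag is picked up consistently. The embedded patch also keeps only the upstream merge subject and has no description: one sentence saying that `_scan_indef` now returns instead of reading a tag byte at or beyond `$end` (once before the first `substr($_[0], $pos++, 1)` and once per iteration of the long-form tag loop) would tell a later reader what the two `return if $pos >= $end;` lines are for. In the `do` loop the added line is indented with spaces while the following `$tag .= substr(...)` line uses a tab; that is fine if it matches the upstream commit verbatim, but please confirm it does.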
diff --git a/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb b/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
index 409a8f3896..8ec96860ad 100644
--- a/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
+++ b/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
@@ -5,7 +5,8 @@ DESCRIPTION = "Convert::ASN1 is a perl library for encoding/decoding data using
 LICENSE = "Artistic-1.0 | GPL-1.0+"
 LIC_FILES_CHKSUM = "file://README.md;beginline=91;endline=97;md5=ceff7fd286eb6d8e8e0d3d23e096a63f"
 
-SRC_URI = "http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/Convert-ASN1-${PV}.tar.gz"
+SRC_URI = "http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/Convert-ASN1-${PV}.tar.gz \
+           file://CVE-2013-7488.patch"
 
 SRC_URI[md5sum] = "68723e96be0b258a9e20480276e8a62c"
 SRC_URI[sha256sum] = "74a4a78ae0c5e973100ac0a8f203a110f76fb047b79dae4fc1fd7d6814d3d58a"
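Review bot: The commit that adds `file://CVE-2013-7488.patch` to `SRC_URI` has an empty message body (only the two Signed-off-by lines); a short line stating that it backports the upstream bounds checks in `_scan_indef` of `lib/Convert/ASN1/_decode.pm` would make the stable-branch log self-explanatory without opening the patch file. The recipe change itself is minimal and the continuation line is aligned with the first URL. The tarball URL stays on plain `http://`, with the `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` entries below pinning its content, so nothing further is needed in this hunk for the backport.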
-- 
2.31.1

