[OE-core] [PATCH] icu: CVE-2020-10531

[OE-core] [PATCH] icu: CVE-2020-10531

[Wang Mingyu]

From: Wang Mingyu <wangmy@cn.fujitsu.com>

security Advisory

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
---
 .../icu/icu/CVE-2020-10531.patch              | 128 ++++++++++++++++++
 meta/recipes-support/icu/icu_66.1.bb          |   1 +
 2 files changed, 129 insertions(+)
 create mode 100644 meta/recipes-support/icu/icu/CVE-2020-10531.patch

diff --git a/meta/recipes-support/icu/icu/CVE-2020-10531.patch b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
new file mode 100644
index 0000000000..6697b27dc8
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
@@ -0,0 +1,128 @@
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+
+Upstream-Status: Accepted
+CVE: CVE-2020-10531
+
+Reference to upstream patch:
+https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
+
+---
+ common/unistr.cpp          |  6 ++-
+ test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++++++++
+ test/intltest/ustrtest.h   |  1 +
+ 3 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/common/unistr.cpp b/common/unistr.cpp
+index 901bb33..6ea0915 100644
+--- a/common/unistr.cpp
++++ b/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+   }
+ 
+   int32_t oldLength = length();
+-  int32_t newLength = oldLength + srcLength;
++  int32_t newLength; 
++  if (uprv_add32_overflow(oldLength, srcLength, &newLength)) { 
++     setToBogus(); 
++     return *this; 
++  }
+ 
+   // Check for append onto ourself
+   const UChar* oldArray = getArrayStart();
+diff --git a/test/intltest/ustrtest.cpp b/test/intltest/ustrtest.cpp
+index b6515ea..ad38bdf 100644
+--- a/test/intltest/ustrtest.cpp
++++ b/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+     TESTCASE_AUTO(TestWCharPointers);
+     TESTCASE_AUTO(TestNullPointers);
+     TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
++    TESTCASE_AUTO(TestLargeAppend);
+     TESTCASE_AUTO_END;
+ }
+ 
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+     str.insert(2, sub);
+     assertEquals("", u"abbcdcde", str);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++    if(quick) return;
++
++    IcuTestErrorCode status(*this, "TestLargeAppend");
++    // Make a large UnicodeString
++    int32_t len = 0xAFFFFFF;
++    UnicodeString str;
++    char16_t *buf = str.getBuffer(len);
++    // A fast way to set buffer to valid Unicode.
++    // 4E4E is a valid unicode character
++    uprv_memset(buf, 0x4e, len * 2);
++    str.releaseBuffer(len);
++    UnicodeString dest;
++    // Append it 16 times
++    // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++    // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++    int64_t total = 0;
++    for (int32_t i = 0; i < 16; i++) {
++        dest.append(str);
++        total += len;
++        if (total <= INT32_MAX) {
++            assertFalse("dest is not bogus", dest.isBogus());
++        } else {
++            assertTrue("dest should be bogus", dest.isBogus());
++        }
++    }
++    dest.remove();
++    total = 0;
++    for (int32_t i = 0; i < 16; i++) {
++        dest.append(str);
++        total += len;
++        if (total + len <= INT32_MAX) {
++            assertFalse("dest is not bogus", dest.isBogus());
++        } else if (total <= INT32_MAX) {
++            // Check that a string of exactly the maximum size works
++            UnicodeString str2;
++            int32_t remain = INT32_MAX - total;
++            char16_t *buf2 = str2.getBuffer(remain);
++            if (buf2 == nullptr) {
++                // if somehow memory allocation fail, return the test
++                return;
++            }
++            uprv_memset(buf2, 0x4e, remain * 2);
++            str2.releaseBuffer(remain);
++            dest.append(str2);
++            total += remain;
++            assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++            assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++            assertFalse("dest is not bogus", dest.isBogus());
++
++            // Check that a string size+1 goes bogus
++            str2.truncate(1);
++            dest.append(str2);
++            total++;
++            assertTrue("dest should be bogus", dest.isBogus());
++        } else {
++            assertTrue("dest should be bogus", dest.isBogus());
++        }
++    }
++}
+diff --git a/test/intltest/ustrtest.h b/test/intltest/ustrtest.h
+index 218befd..4a356a9 100644
+--- a/test/intltest/ustrtest.h
++++ b/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ public:
+     void TestWCharPointers();
+     void TestNullPointers();
+     void TestUnicodeStringInsertAppendToSelf();
++    void TestLargeAppend();
+ };
+ 
+ #endif
+-- 
+2.17.1
+
diff --git a/meta/recipes-support/icu/icu_66.1.bb b/meta/recipes-support/icu/icu_66.1.bb
index f2bb344e33..a8096c1840 100644
--- a/meta/recipes-support/icu/icu_66.1.bb
+++ b/meta/recipes-support/icu/icu_66.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "${BASE_SRC_URI};name=code \
            file://fix-install-manx.patch \
            file://0001-Fix-big-endian-build.patch;apply=no \
            file://0001-icu-Added-armeb-support.patch \
+           file://CVE-2020-10531.patch \
            "
 
 SRC_URI_append_class-target = "\
-- 
2.17.1

[OE-core] [PATCH v2] json-c: upgrade 0.13.1 -> 0.14

[Wang Mingyu]

From: Wang Mingyu <wangmy@cn.fujitsu.com>

add-disable-werror-option-to-configure.patch
removed since it is included in 0.14

Make mode changes from autotools to cmake.

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
---
 ...d-disable-werror-option-to-configure.patch | 45 -------------------
 .../{json-c_0.13.1.bb => json-c_0.14.bb}      |  9 ++--
 2 files changed, 3 insertions(+), 51 deletions(-)
 delete mode 100644 meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
 rename meta/recipes-devtools/json-c/{json-c_0.13.1.bb => json-c_0.14.bb} (70%)

diff --git a/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch b/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
deleted file mode 100644
index 0c20c8458a..0000000000
--- a/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-json-c: Backport --disable-werror patch to allow compilation under icecc
-
-icecc preprocesses source files locally before shipping them off to be compiled
-on remote hosts. This preprocessing removes comments, including /* fallthough */
-comments in switch statements that normally prevent an implicit-fallthrough
-warning, see https://github.com/icecc/icecream/issues/419
-
-Rather than turning off -Werror, the upstream project has implemented a
-configure option, --disable-werror, in response to Ross's
-https://github.com/json-c/json-c/issues/489
-
-This patch from
-https://github.com/json-c/json-c/commit/21c886534f8927fdc0fb5f8647394f3e0e0874b8
-
-Upstream-Status: Backport [Not yet released]
-Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
-
-From 21c886534f8927fdc0fb5f8647394f3e0e0874b8 Mon Sep 17 00:00:00 2001
-From: Pierce Lopez <pierce.lopez@gmail.com>
-Date: Sun, 9 Jun 2019 10:52:08 -0400
-Subject: [PATCH] build: add --disable-werror option to configure
-
-to omit -Werror compiler option
----
- configure.ac | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 272ea6af9c..798fd5b747 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -165,7 +165,12 @@ AS_IF([test "x$enable_Bsymbolic" = "xcheck"],
- AS_IF([test "x$enable_Bsymbolic" = "xyes"], [JSON_BSYMBOLIC_LDFLAGS=-Wl[,]-Bsymbolic-functions])
- AC_SUBST(JSON_BSYMBOLIC_LDFLAGS)
- 
--AX_APPEND_COMPILE_FLAGS([-Wall -Werror -Wcast-qual -Wno-error=deprecated-declarations])
-+AC_ARG_ENABLE([werror],
-+    AS_HELP_STRING([--disable-werror], [avoid treating compiler warnings as fatal errors]))
-+
-+AS_IF([test "x$enable_werror" != "xno"], [AX_APPEND_COMPILE_FLAGS([-Werror])])
-+
-+AX_APPEND_COMPILE_FLAGS([-Wall -Wcast-qual -Wno-error=deprecated-declarations])
- AX_APPEND_COMPILE_FLAGS([-Wextra -Wwrite-string -Wno-unused-parameter])
- AX_APPEND_COMPILE_FLAGS([-D_GNU_SOURCE])
- 
diff --git a/meta/recipes-devtools/json-c/json-c_0.13.1.bb b/meta/recipes-devtools/json-c/json-c_0.14.bb
similarity index 70%
rename from meta/recipes-devtools/json-c/json-c_0.13.1.bb
rename to meta/recipes-devtools/json-c/json-c_0.14.bb
index 522879f21f..15226d2a3f 100644
--- a/meta/recipes-devtools/json-c/json-c_0.13.1.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.14.bb
@@ -5,18 +5,15 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"
 
 SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
-           file://add-disable-werror-option-to-configure.patch \
            "
-SRC_URI[md5sum] = "04969ad59cc37bddd83741a08b98f350"
-SRC_URI[sha256sum] = "b87e608d4d3f7bfdd36ef78d56d53c74e66ab278d318b71e6002a369d36f4873"
+SRC_URI[md5sum] = "72cbb065b43376d825cd521d115ae1f6"
+SRC_URI[sha256sum] = "b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870"
 
 UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
 UPSTREAM_CHECK_REGEX = "json-c-(?P<pver>\d+(\.\d+)+)-\d+"
 
 RPROVIDES_${PN} = "libjson"
 
-inherit autotools
-
-EXTRA_OECONF = "--disable-werror"
+inherit cmake
 
 BBCLASSEXTEND = "native nativesdk"
-- 
2.17.1

Re: [OE-core] [PATCH v2] json-c: upgrade 0.13.1 -> 0.14

[Khem Raj]

This is causing a couple of packages to fail so please address them
before we accept this patch.

https://errors.yoctoproject.org/Errors/Build/102058/

On Tue, Apr 28, 2020 at 8:14 PM Wang Mingyu <wangmy@cn.fujitsu.com> wrote:
>
> From: Wang Mingyu <wangmy@cn.fujitsu.com>
>
> add-disable-werror-option-to-configure.patch
> removed since it is included in 0.14
>
> Make mode changes from autotools to cmake.
>
> Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
> ---
>  ...d-disable-werror-option-to-configure.patch | 45 -------------------
>  .../{json-c_0.13.1.bb => json-c_0.14.bb}      |  9 ++--
>  2 files changed, 3 insertions(+), 51 deletions(-)
>  delete mode 100644 meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
>  rename meta/recipes-devtools/json-c/{json-c_0.13.1.bb => json-c_0.14.bb} (70%)
>
> diff --git a/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch b/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
> deleted file mode 100644
> index 0c20c8458a..0000000000
> --- a/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -json-c: Backport --disable-werror patch to allow compilation under icecc
> -
> -icecc preprocesses source files locally before shipping them off to be compiled
> -on remote hosts. This preprocessing removes comments, including /* fallthough */
> -comments in switch statements that normally prevent an implicit-fallthrough
> -warning, see https://github.com/icecc/icecream/issues/419
> -
> -Rather than turning off -Werror, the upstream project has implemented a
> -configure option, --disable-werror, in response to Ross's
> -https://github.com/json-c/json-c/issues/489
> -
> -This patch from
> -https://github.com/json-c/json-c/commit/21c886534f8927fdc0fb5f8647394f3e0e0874b8
> -
> -Upstream-Status: Backport [Not yet released]
> -Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
> -
> -From 21c886534f8927fdc0fb5f8647394f3e0e0874b8 Mon Sep 17 00:00:00 2001
> -From: Pierce Lopez <pierce.lopez@gmail.com>
> -Date: Sun, 9 Jun 2019 10:52:08 -0400
> -Subject: [PATCH] build: add --disable-werror option to configure
> -
> -to omit -Werror compiler option
> ----
> - configure.ac | 7 ++++++-
> - 1 file changed, 6 insertions(+), 1 deletion(-)
> -
> -diff --git a/configure.ac b/configure.ac
> -index 272ea6af9c..798fd5b747 100644
> ---- a/configure.ac
> -+++ b/configure.ac
> -@@ -165,7 +165,12 @@ AS_IF([test "x$enable_Bsymbolic" = "xcheck"],
> - AS_IF([test "x$enable_Bsymbolic" = "xyes"], [JSON_BSYMBOLIC_LDFLAGS=-Wl[,]-Bsymbolic-functions])
> - AC_SUBST(JSON_BSYMBOLIC_LDFLAGS)
> -
> --AX_APPEND_COMPILE_FLAGS([-Wall -Werror -Wcast-qual -Wno-error=deprecated-declarations])
> -+AC_ARG_ENABLE([werror],
> -+    AS_HELP_STRING([--disable-werror], [avoid treating compiler warnings as fatal errors]))
> -+
> -+AS_IF([test "x$enable_werror" != "xno"], [AX_APPEND_COMPILE_FLAGS([-Werror])])
> -+
> -+AX_APPEND_COMPILE_FLAGS([-Wall -Wcast-qual -Wno-error=deprecated-declarations])
> - AX_APPEND_COMPILE_FLAGS([-Wextra -Wwrite-string -Wno-unused-parameter])
> - AX_APPEND_COMPILE_FLAGS([-D_GNU_SOURCE])
> -
> diff --git a/meta/recipes-devtools/json-c/json-c_0.13.1.bb b/meta/recipes-devtools/json-c/json-c_0.14.bb
> similarity index 70%
> rename from meta/recipes-devtools/json-c/json-c_0.13.1.bb
> rename to meta/recipes-devtools/json-c/json-c_0.14.bb
> index 522879f21f..15226d2a3f 100644
> --- a/meta/recipes-devtools/json-c/json-c_0.13.1.bb
> +++ b/meta/recipes-devtools/json-c/json-c_0.14.bb
> @@ -5,18 +5,15 @@ LICENSE = "MIT"
>  LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"
>
>  SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
> -           file://add-disable-werror-option-to-configure.patch \
>             "
> -SRC_URI[md5sum] = "04969ad59cc37bddd83741a08b98f350"
> -SRC_URI[sha256sum] = "b87e608d4d3f7bfdd36ef78d56d53c74e66ab278d318b71e6002a369d36f4873"
> +SRC_URI[md5sum] = "72cbb065b43376d825cd521d115ae1f6"
> +SRC_URI[sha256sum] = "b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870"
>
>  UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
>  UPSTREAM_CHECK_REGEX = "json-c-(?P<pver>\d+(\.\d+)+)-\d+"
>
>  RPROVIDES_${PN} = "libjson"
>
> -inherit autotools
> -
> -EXTRA_OECONF = "--disable-werror"
> +inherit cmake
>
>  BBCLASSEXTEND = "native nativesdk"
> --
> 2.17.1
>
>
>
>