* [OE-core] [PATCH] icu: CVE-2020-10531
@ 2020-04-29 11:13 Wang Mingyu
2020-04-29 11:13 ` [OE-core] [PATCH v2] json-c: upgrade 0.13.1 -> 0.14 Wang Mingyu
0 siblings, 1 reply; 3+ messages in thread
From: Wang Mingyu @ 2020-04-29 11:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Wang Mingyu
From: Wang Mingyu <wangmy@cn.fujitsu.com>
security Advisory
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
---
.../icu/icu/CVE-2020-10531.patch | 128 ++++++++++++++++++
meta/recipes-support/icu/icu_66.1.bb | 1 +
2 files changed, 129 insertions(+)
create mode 100644 meta/recipes-support/icu/icu/CVE-2020-10531.patch
diff --git a/meta/recipes-support/icu/icu/CVE-2020-10531.patch b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
new file mode 100644
index 0000000000..6697b27dc8
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
@@ -0,0 +1,128 @@
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+
+Upstream-Status: Accepted
+CVE: CVE-2020-10531
+
+Reference to upstream patch:
+https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
+
+---
+ common/unistr.cpp | 6 ++-
+ test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++++++++
+ test/intltest/ustrtest.h | 1 +
+ 3 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/common/unistr.cpp b/common/unistr.cpp
+index 901bb33..6ea0915 100644
+--- a/common/unistr.cpp
++++ b/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+ }
+
+ int32_t oldLength = length();
+- int32_t newLength = oldLength + srcLength;
++ int32_t newLength;
++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++ setToBogus();
++ return *this;
++ }
+
+ // Check for append onto ourself
+ const UChar* oldArray = getArrayStart();
+diff --git a/test/intltest/ustrtest.cpp b/test/intltest/ustrtest.cpp
+index b6515ea..ad38bdf 100644
+--- a/test/intltest/ustrtest.cpp
++++ b/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+ TESTCASE_AUTO(TestWCharPointers);
+ TESTCASE_AUTO(TestNullPointers);
+ TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
++ TESTCASE_AUTO(TestLargeAppend);
+ TESTCASE_AUTO_END;
+ }
+
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+ str.insert(2, sub);
+ assertEquals("", u"abbcdcde", str);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++ if(quick) return;
++
++ IcuTestErrorCode status(*this, "TestLargeAppend");
++ // Make a large UnicodeString
++ int32_t len = 0xAFFFFFF;
++ UnicodeString str;
++ char16_t *buf = str.getBuffer(len);
++ // A fast way to set buffer to valid Unicode.
++ // 4E4E is a valid unicode character
++ uprv_memset(buf, 0x4e, len * 2);
++ str.releaseBuffer(len);
++ UnicodeString dest;
++ // Append it 16 times
++ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++ int64_t total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++ dest.remove();
++ total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total + len <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else if (total <= INT32_MAX) {
++ // Check that a string of exactly the maximum size works
++ UnicodeString str2;
++ int32_t remain = INT32_MAX - total;
++ char16_t *buf2 = str2.getBuffer(remain);
++ if (buf2 == nullptr) {
++ // if somehow memory allocation fail, return the test
++ return;
++ }
++ uprv_memset(buf2, 0x4e, remain * 2);
++ str2.releaseBuffer(remain);
++ dest.append(str2);
++ total += remain;
++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++ assertFalse("dest is not bogus", dest.isBogus());
++
++ // Check that a string size+1 goes bogus
++ str2.truncate(1);
++ dest.append(str2);
++ total++;
++ assertTrue("dest should be bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++}
+diff --git a/test/intltest/ustrtest.h b/test/intltest/ustrtest.h
+index 218befd..4a356a9 100644
+--- a/test/intltest/ustrtest.h
++++ b/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ public:
+ void TestWCharPointers();
+ void TestNullPointers();
+ void TestUnicodeStringInsertAppendToSelf();
++ void TestLargeAppend();
+ };
+
+ #endif
+--
+2.17.1
+
diff --git a/meta/recipes-support/icu/icu_66.1.bb b/meta/recipes-support/icu/icu_66.1.bb
index f2bb344e33..a8096c1840 100644
--- a/meta/recipes-support/icu/icu_66.1.bb
+++ b/meta/recipes-support/icu/icu_66.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "${BASE_SRC_URI};name=code \
file://fix-install-manx.patch \
file://0001-Fix-big-endian-build.patch;apply=no \
file://0001-icu-Added-armeb-support.patch \
+ file://CVE-2020-10531.patch \
"
SRC_URI_append_class-target = "\
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [OE-core] [PATCH v2] json-c: upgrade 0.13.1 -> 0.14
2020-04-29 11:13 [OE-core] [PATCH] icu: CVE-2020-10531 Wang Mingyu
@ 2020-04-29 11:13 ` Wang Mingyu
2020-04-30 19:07 ` Khem Raj
0 siblings, 1 reply; 3+ messages in thread
From: Wang Mingyu @ 2020-04-29 11:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Wang Mingyu
From: Wang Mingyu <wangmy@cn.fujitsu.com>
add-disable-werror-option-to-configure.patch
removed since it is included in 0.14
Make mode changes from autotools to cmake.
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
---
...d-disable-werror-option-to-configure.patch | 45 -------------------
.../{json-c_0.13.1.bb => json-c_0.14.bb} | 9 ++--
2 files changed, 3 insertions(+), 51 deletions(-)
delete mode 100644 meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
rename meta/recipes-devtools/json-c/{json-c_0.13.1.bb => json-c_0.14.bb} (70%)
diff --git a/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch b/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
deleted file mode 100644
index 0c20c8458a..0000000000
--- a/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-json-c: Backport --disable-werror patch to allow compilation under icecc
-
-icecc preprocesses source files locally before shipping them off to be compiled
-on remote hosts. This preprocessing removes comments, including /* fallthough */
-comments in switch statements that normally prevent an implicit-fallthrough
-warning, see https://github.com/icecc/icecream/issues/419
-
-Rather than turning off -Werror, the upstream project has implemented a
-configure option, --disable-werror, in response to Ross's
-https://github.com/json-c/json-c/issues/489
-
-This patch from
-https://github.com/json-c/json-c/commit/21c886534f8927fdc0fb5f8647394f3e0e0874b8
-
-Upstream-Status: Backport [Not yet released]
-Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
-
-From 21c886534f8927fdc0fb5f8647394f3e0e0874b8 Mon Sep 17 00:00:00 2001
-From: Pierce Lopez <pierce.lopez@gmail.com>
-Date: Sun, 9 Jun 2019 10:52:08 -0400
-Subject: [PATCH] build: add --disable-werror option to configure
-
-to omit -Werror compiler option
----
- configure.ac | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 272ea6af9c..798fd5b747 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -165,7 +165,12 @@ AS_IF([test "x$enable_Bsymbolic" = "xcheck"],
- AS_IF([test "x$enable_Bsymbolic" = "xyes"], [JSON_BSYMBOLIC_LDFLAGS=-Wl[,]-Bsymbolic-functions])
- AC_SUBST(JSON_BSYMBOLIC_LDFLAGS)
-
--AX_APPEND_COMPILE_FLAGS([-Wall -Werror -Wcast-qual -Wno-error=deprecated-declarations])
-+AC_ARG_ENABLE([werror],
-+ AS_HELP_STRING([--disable-werror], [avoid treating compiler warnings as fatal errors]))
-+
-+AS_IF([test "x$enable_werror" != "xno"], [AX_APPEND_COMPILE_FLAGS([-Werror])])
-+
-+AX_APPEND_COMPILE_FLAGS([-Wall -Wcast-qual -Wno-error=deprecated-declarations])
- AX_APPEND_COMPILE_FLAGS([-Wextra -Wwrite-string -Wno-unused-parameter])
- AX_APPEND_COMPILE_FLAGS([-D_GNU_SOURCE])
-
diff --git a/meta/recipes-devtools/json-c/json-c_0.13.1.bb b/meta/recipes-devtools/json-c/json-c_0.14.bb
similarity index 70%
rename from meta/recipes-devtools/json-c/json-c_0.13.1.bb
rename to meta/recipes-devtools/json-c/json-c_0.14.bb
index 522879f21f..15226d2a3f 100644
--- a/meta/recipes-devtools/json-c/json-c_0.13.1.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.14.bb
@@ -5,18 +5,15 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"
SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
- file://add-disable-werror-option-to-configure.patch \
"
-SRC_URI[md5sum] = "04969ad59cc37bddd83741a08b98f350"
-SRC_URI[sha256sum] = "b87e608d4d3f7bfdd36ef78d56d53c74e66ab278d318b71e6002a369d36f4873"
+SRC_URI[md5sum] = "72cbb065b43376d825cd521d115ae1f6"
+SRC_URI[sha256sum] = "b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870"
UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
UPSTREAM_CHECK_REGEX = "json-c-(?P<pver>\d+(\.\d+)+)-\d+"
RPROVIDES_${PN} = "libjson"
-inherit autotools
-
-EXTRA_OECONF = "--disable-werror"
+inherit cmake
BBCLASSEXTEND = "native nativesdk"
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core] [PATCH v2] json-c: upgrade 0.13.1 -> 0.14
2020-04-29 11:13 ` [OE-core] [PATCH v2] json-c: upgrade 0.13.1 -> 0.14 Wang Mingyu
@ 2020-04-30 19:07 ` Khem Raj
0 siblings, 0 replies; 3+ messages in thread
From: Khem Raj @ 2020-04-30 19:07 UTC (permalink / raw)
To: Patches and discussions about the oe-core layer; +Cc: Wang Mingyu
This is causing a couple of packages to fail so please address them
before we accept this patch.
https://errors.yoctoproject.org/Errors/Build/102058/
On Tue, Apr 28, 2020 at 8:14 PM Wang Mingyu <wangmy@cn.fujitsu.com> wrote:
>
> From: Wang Mingyu <wangmy@cn.fujitsu.com>
>
> add-disable-werror-option-to-configure.patch
> removed since it is included in 0.14
>
> Make mode changes from autotools to cmake.
>
> Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
> ---
> ...d-disable-werror-option-to-configure.patch | 45 -------------------
> .../{json-c_0.13.1.bb => json-c_0.14.bb} | 9 ++--
> 2 files changed, 3 insertions(+), 51 deletions(-)
> delete mode 100644 meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
> rename meta/recipes-devtools/json-c/{json-c_0.13.1.bb => json-c_0.14.bb} (70%)
>
> diff --git a/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch b/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
> deleted file mode 100644
> index 0c20c8458a..0000000000
> --- a/meta/recipes-devtools/json-c/json-c/add-disable-werror-option-to-configure.patch
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -json-c: Backport --disable-werror patch to allow compilation under icecc
> -
> -icecc preprocesses source files locally before shipping them off to be compiled
> -on remote hosts. This preprocessing removes comments, including /* fallthough */
> -comments in switch statements that normally prevent an implicit-fallthrough
> -warning, see https://github.com/icecc/icecream/issues/419
> -
> -Rather than turning off -Werror, the upstream project has implemented a
> -configure option, --disable-werror, in response to Ross's
> -https://github.com/json-c/json-c/issues/489
> -
> -This patch from
> -https://github.com/json-c/json-c/commit/21c886534f8927fdc0fb5f8647394f3e0e0874b8
> -
> -Upstream-Status: Backport [Not yet released]
> -Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
> -
> -From 21c886534f8927fdc0fb5f8647394f3e0e0874b8 Mon Sep 17 00:00:00 2001
> -From: Pierce Lopez <pierce.lopez@gmail.com>
> -Date: Sun, 9 Jun 2019 10:52:08 -0400
> -Subject: [PATCH] build: add --disable-werror option to configure
> -
> -to omit -Werror compiler option
> ----
> - configure.ac | 7 ++++++-
> - 1 file changed, 6 insertions(+), 1 deletion(-)
> -
> -diff --git a/configure.ac b/configure.ac
> -index 272ea6af9c..798fd5b747 100644
> ---- a/configure.ac
> -+++ b/configure.ac
> -@@ -165,7 +165,12 @@ AS_IF([test "x$enable_Bsymbolic" = "xcheck"],
> - AS_IF([test "x$enable_Bsymbolic" = "xyes"], [JSON_BSYMBOLIC_LDFLAGS=-Wl[,]-Bsymbolic-functions])
> - AC_SUBST(JSON_BSYMBOLIC_LDFLAGS)
> -
> --AX_APPEND_COMPILE_FLAGS([-Wall -Werror -Wcast-qual -Wno-error=deprecated-declarations])
> -+AC_ARG_ENABLE([werror],
> -+ AS_HELP_STRING([--disable-werror], [avoid treating compiler warnings as fatal errors]))
> -+
> -+AS_IF([test "x$enable_werror" != "xno"], [AX_APPEND_COMPILE_FLAGS([-Werror])])
> -+
> -+AX_APPEND_COMPILE_FLAGS([-Wall -Wcast-qual -Wno-error=deprecated-declarations])
> - AX_APPEND_COMPILE_FLAGS([-Wextra -Wwrite-string -Wno-unused-parameter])
> - AX_APPEND_COMPILE_FLAGS([-D_GNU_SOURCE])
> -
> diff --git a/meta/recipes-devtools/json-c/json-c_0.13.1.bb b/meta/recipes-devtools/json-c/json-c_0.14.bb
> similarity index 70%
> rename from meta/recipes-devtools/json-c/json-c_0.13.1.bb
> rename to meta/recipes-devtools/json-c/json-c_0.14.bb
> index 522879f21f..15226d2a3f 100644
> --- a/meta/recipes-devtools/json-c/json-c_0.13.1.bb
> +++ b/meta/recipes-devtools/json-c/json-c_0.14.bb
> @@ -5,18 +5,15 @@ LICENSE = "MIT"
> LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2"
>
> SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
> - file://add-disable-werror-option-to-configure.patch \
> "
> -SRC_URI[md5sum] = "04969ad59cc37bddd83741a08b98f350"
> -SRC_URI[sha256sum] = "b87e608d4d3f7bfdd36ef78d56d53c74e66ab278d318b71e6002a369d36f4873"
> +SRC_URI[md5sum] = "72cbb065b43376d825cd521d115ae1f6"
> +SRC_URI[sha256sum] = "b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870"
>
> UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
> UPSTREAM_CHECK_REGEX = "json-c-(?P<pver>\d+(\.\d+)+)-\d+"
>
> RPROVIDES_${PN} = "libjson"
>
> -inherit autotools
> -
> -EXTRA_OECONF = "--disable-werror"
> +inherit cmake
>
> BBCLASSEXTEND = "native nativesdk"
> --
> 2.17.1
>
>
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-04-30 19:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-29 11:13 [OE-core] [PATCH] icu: CVE-2020-10531 Wang Mingyu
2020-04-29 11:13 ` [OE-core] [PATCH v2] json-c: upgrade 0.13.1 -> 0.14 Wang Mingyu
2020-04-30 19:07 ` Khem Raj
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.