[meta,dunfell] fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310

Message ID 20220506080738.18888-1-pawan.badganchi@kpit.com
State New, archived

Commit Message

Pawan May 6, 2022, 8:07 a.m. UTC
From: Pawan Badganchi <pawan.badganchi@kpit.com>

Add the patches below to fix CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310

CVE-2022-25308.patch
Link: https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1

CVE-2022-25309.patch
Link: https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3

CVE-2022-25310.patch
Link: https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f

Signed-off-by: pawan badganchi <pawan.badganchi@kpit.com>
---
 .../fribidi/fribidi/CVE-2022-25308.patch      | 50 +++++++++++++++++++
 .../fribidi/fribidi/CVE-2022-25309.patch      | 31 ++++++++++++
 .../fribidi/fribidi/CVE-2022-25310.patch      | 30 +++++++++++
 meta/recipes-support/fribidi/fribidi_1.0.9.bb |  3 ++
 4 files changed, 114 insertions(+)
 create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
 create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
 create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch

--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

Comments

Steve Sakoman May 6, 2022, 3:32 p.m. UTC | #1
You can simplify your subject to: [OE-core][dunfell] fribidi: Add fix
for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310

Sadly the patch in the recipe does not apply.  Have you done a test build?

ERROR: fribidi-1.0.9-r0 do_patch: Applying patch
'CVE-2022-25308.patch' on target directory
'/home/steve/builds/poky-contrib-dunfell/build/tmp/work/core2-64-poky-linux/fribidi/1.0.9-r0/fribidi-1.0.9'
Command Error: 'quilt --quiltrc
/home/steve/builds/poky-contrib-dunfell/build/tmp/work/core2-64-poky-linux/fribidi/1.0.9-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0  Output:
Applying patch CVE-2022-25308.patch
patching file bin/fribidi-main.c
Hunk #1 FAILED at 390.
1 out of 1 hunk FAILED -- rejects in file bin/fribidi-main.c
Patch CVE-2022-25308.patch does not apply (enforce with -f)

Steve


Patch

diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
new file mode 100644
index 0000000000..8f2c2ade0e
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
@@ -0,0 +1,50 @@ 
+From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <akira@tagoh.org>
+Date: Thu, 17 Feb 2022 17:30:12 +0900
+Subject: [PATCH] Fix the stack buffer overflow issue
+
+strlen() could returns 0. Without a conditional check for len,
+accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+
+AddressSanitizer reports this like:
+==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
+43b30 sp 0x7ffdce043b28
+READ of size 1 at 0x7ffdce043c1f thread T0
+    #0 0x403546 in main ../bin/fribidi-main.c:393
+    #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+    #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+    #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+
+Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
+    #0 0x4022bf in main ../bin/fribidi-main.c:193
+
+  This frame has 5 object(s):
+    [32, 36) 'option_index' (line 233)
+    [48, 52) 'base' (line 386)
+    [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable
+    [65328, 130328) 'outstring' (line 385)
+    [130592, 390592) 'logical' (line 384)
+
+This fixes https://github.com/fribidi/fribidi/issues/181
+
+CVE: CVE-2022-25308
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ bin/fribidi-main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
++++ b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+           S_[sizeof (S_) - 1] = 0;
+           len = strlen (S_);
+           /* chop */
+-          if (S_[len - 1] == '\n')
++          if (len > 0 && S_[len - 1] == '\n')
+             {
+               len--;
+               S_[len] = '\0';
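Review bot: this patch file does not apply to the dunfell fribidi 1.0.9 tree: the test build reported in the review comment fails with `Hunk #1 FAILED at 390` for bin/fribidi-main.c, so the context of the inner hunk `@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS` was taken from a newer upstream checkout than the 1.0.9 release. Regenerate the patch against the 1.0.9 sources (for instance `devtool modify fribidi`, apply the upstream commit, `devtool finish`), keep the `CVE:` and `Upstream-Status: Backport [...]` tags in the header, and confirm with a test build before resending. The one-line change itself, `len > 0 &&` guarding `S_[len - 1]`, is the correct fix for the read one byte before `S_` when `strlen()` returns 0.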
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
new file mode 100644
index 0000000000..0efba3d05c
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
@@ -0,0 +1,31 @@ 
+From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001
+From: Dov Grobgeld <dov.grobgeld@gmail.com>
+Date: Fri, 25 Mar 2022 09:09:49 +0300
+Subject: [PATCH] Protected against garbage in the CapRTL encoder
+
+CVE: CVE-2022-25309
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ lib/fribidi-char-sets-cap-rtl.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
++++ b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+           }
+       }
+       else
+-      us[j++] = caprtl_to_unicode[(int) s[i]];
++      {
++        if ((int)s[i] < 0)
++          us[j++] = '?';
++        else
++          us[j++] = caprtl_to_unicode[(int) s[i]];
++      }
+     }
+
+   return j;
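Review bot: the guard `if ((int)s[i] < 0)` only catches bytes 0x80..0xff when `char` is a signed type; on targets where GCC defaults to unsigned `char` (aarch64 and 32-bit arm, both common OE machines), `(int)s[i]` is never negative, the new branch is dead, and those bytes still index `caprtl_to_unicode`. The size of that table is not visible in this hunk, so please confirm the index stays in bounds on unsigned-char targets; a signedness-independent form would be `if ((unsigned char)s[i] > 0x7f)`, which is equivalent to the upstream check on signed-char targets and actually rejects high bytes elsewhere. Keeping the backport identical to upstream is fine for the CVE fix, but that follow-up belongs upstream.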
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
new file mode 100644
index 0000000000..d79a82d648
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
@@ -0,0 +1,30 @@ 
+From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <akira@tagoh.org>
+Date: Thu, 17 Feb 2022 19:06:10 +0900
+Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks
+
+Escape from fribidi_remove_bidi_marks() immediately if str is null.
+
+This fixes https://github.com/fribidi/fribidi/issues/183
+
+CVE: CVE-2022-25310
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ lib/fribidi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/fribidi.c b/lib/fribidi.c
+index f5da0da..70bdab2 100644
+--- a/lib/fribidi.c
++++ b/lib/fribidi.c
+@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks (
+   fribidi_boolean status = false;
+
+   if UNLIKELY
+-    (len == 0)
++    (len == 0 || str == NULL)
+     {
+       status = true;
+       goto out;
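Review bot: `str == NULL` is evaluated after `len == 0` and takes the same `status = true; goto out;` exit, so a NULL `str` is reported to the caller as success rather than as an invalid argument; that is exactly the upstream change and the backport is faithful to it, just be aware the fix stops the SEGV without surfacing the bad input to callers. Nothing else to change in this hunk: the `UNLIKELY` macro placed before the parenthesised condition is fribidi's own style, and the three context lines on each side match the usual format-patch output.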
diff --git a/meta/recipes-support/fribidi/fribidi_1.0.9.bb b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
index ac9ef88e27..62b7d72812 100644
--- a/meta/recipes-support/fribidi/fribidi_1.0.9.bb
+++ b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
@@ -10,6 +10,9 @@  LICENSE = "LGPLv2.1+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7"

 SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
+           file://CVE-2022-25308.patch \
+           file://CVE-2022-25309.patch \
+           file://CVE-2022-25310.patch \
            "
 SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc"
 SRC_URI[sha256sum] = "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7"
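Review bot: the three `file://` entries are added in the right place and the file names match the patches created above. Because each patch carries a `CVE:` tag in its header, cve-check.bbclass will mark these CVEs as patched from the patch files alone, so no `CVE_CHECK_WHITELIST` entry is needed in the recipe. The series as a whole is blocked until CVE-2022-25308.patch applies cleanly to 1.0.9 (see the do_patch failure in the review comment); once that patch is regenerated, this hunk can stay as it is provided the file name is unchanged.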