| Message ID | 20220630184804.345-1-flowergom@gmail.com |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [dunfell] epiphany: fix CVE-2022-29536 | expand |
I'm getting a do_patch error with this change: ERROR: epiphany-3.34.4-r0 do_patch: Applying patch 'CVE-2022-29536.patch' on target directory '/home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/epiphany/3.34.4-r0/epiphany-3.34.4' Command Error: 'quilt --quiltrc /home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/epiphany/3.34.4-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Applying patch CVE-2022-29536.patch patching file lib/ephy-string.c Hunk #1 FAILED at 115. 1 out of 1 hunk FAILED -- rejects in file lib/ephy-string.c Patch CVE-2022-29536.patch does not apply (enforce with -f) I took a quick look at failing file, and it is indeed slightly different than what the patch assumes. Steve On Thu, Jun 30, 2022 at 8:48 AM Minjae Kim <flowergom@gmail.com> wrote: > > Fix memory corruption in ephy_string_shorten() > > Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106] > CVE: CVE-2022-29536 > > Signed-off-by:Minjae Kim <flowergom@gmail.com> > --- > .../recipes-gnome/epiphany/epiphany_3.34.4.bb | 3 +- > .../epiphany/files/CVE-2022-29536.patch | 45 +++++++++++++++++++ > 2 files changed, 47 insertions(+), 1 deletion(-) > create mode 100644 meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch > > diff --git a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb > index e2afb29c12..6f04324d4e 100644 > --- a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb > +++ b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb > @@ -16,7 +16,8 @@ REQUIRED_DISTRO_FEATURES = "x11 opengl" > > SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \ > file://0002-help-meson.build-disable-the-use-of-yelp.patch \ > - " > + file://CVE-2022-29536.patch \ > + " > SRC_URI[archive.md5sum] = "a559f164bb7d6cbeceb348648076830b" > SRC_URI[archive.sha256sum] = "60e190fc07ec7e33472e60c7e633e04004f7e277a0ffc5e9cd413706881e598d" > > diff --git a/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch > new file mode 100644 > index 0000000000..c2160b471d > --- /dev/null > +++ b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch > @@ -0,0 +1,45 @@ > +From 79725738500917cf5e4d829c76753cfb4c68be7f Mon Sep 17 00:00:00 2001 > +From: Michael Catanzaro <mcatanzaro@redhat.com> > +Date: Fri, 15 Apr 2022 18:09:46 -0500 > +Subject: [PATCH] Fix memory corruption in ephy_string_shorten() > + > +This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228. > + > +I got my browser stuck in a crash loop today while visiting a website > +with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only > +condition in which ephy_string_shorten() is ever used. Turns out this > +commit is wrong: an ellipses is a multibyte character (three bytes in > +UTF-8) and so we're writing past the end of the buffer when calling > +strcat() here. Ooops. > + > +Shame it took nearly four years to notice and correct this. > + > +Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106> > + > +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106] > +Signed-off-by:Minjae Kim <flowergom@gmail.com> > +--- > + lib/ephy-string.c | 5 ++--- > + 1 file changed, 2 insertions(+), 3 deletions(-) > + > +diff --git a/lib/ephy-string.c b/lib/ephy-string.c > +index 509490c86..d678803ad 100644 > +--- a/lib/ephy-string.c > ++++ b/lib/ephy-string.c > +@@ -115,11 +115,10 @@ ephy_string_shorten (char *str, > + /* create string */ > + bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str); > + > +- /* +1 for ellipsis, +1 for trailing NUL */ > +- new_str = g_new (gchar, bytes + 1 + 1); > ++ new_str = g_new (gchar, bytes + strlen ("?~@?") + 1); > + > + strncpy (new_str, str, bytes); > +- strcat (new_str, "?~@?"); > ++ strncpy (new_str + bytes, "?~@?", strlen ("?~@?") + 1); > + > + g_free (str); > + > +-- > +2.25.1 > + > -- > 2.17.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#167433): https://lists.openembedded.org/g/openembedded-core/message/167433 > Mute This Topic: https://lists.openembedded.org/mt/92093509/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb index e2afb29c12..6f04324d4e 100644 --- a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb +++ b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb @@ -16,7 +16,8 @@ REQUIRED_DISTRO_FEATURES = "x11 opengl" SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \ file://0002-help-meson.build-disable-the-use-of-yelp.patch \ - " + file://CVE-2022-29536.patch \ + " SRC_URI[archive.md5sum] = "a559f164bb7d6cbeceb348648076830b" SRC_URI[archive.sha256sum] = "60e190fc07ec7e33472e60c7e633e04004f7e277a0ffc5e9cd413706881e598d" diff --git a/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch new file mode 100644 index 0000000000..c2160b471d --- /dev/null +++ b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch @@ -0,0 +1,45 @@ +From 79725738500917cf5e4d829c76753cfb4c68be7f Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro <mcatanzaro@redhat.com> +Date: Fri, 15 Apr 2022 18:09:46 -0500 +Subject: [PATCH] Fix memory corruption in ephy_string_shorten() + +This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228. + +I got my browser stuck in a crash loop today while visiting a website +with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only +condition in which ephy_string_shorten() is ever used. Turns out this +commit is wrong: an ellipses is a multibyte character (three bytes in +UTF-8) and so we're writing past the end of the buffer when calling +strcat() here. Ooops. + +Shame it took nearly four years to notice and correct this. + +Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106> + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106] +Signed-off-by:Minjae Kim <flowergom@gmail.com> +--- + lib/ephy-string.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/lib/ephy-string.c b/lib/ephy-string.c +index 509490c86..d678803ad 100644 +--- a/lib/ephy-string.c ++++ b/lib/ephy-string.c +@@ -115,11 +115,10 @@ ephy_string_shorten (char *str, + /* create string */ + bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str); + +- /* +1 for ellipsis, +1 for trailing NUL */ +- new_str = g_new (gchar, bytes + 1 + 1); ++ new_str = g_new (gchar, bytes + strlen ("?~@?") + 1); + + strncpy (new_str, str, bytes); +- strcat (new_str, "?~@?"); ++ strncpy (new_str + bytes, "?~@?", strlen ("?~@?") + 1); + + g_free (str); + +-- +2.25.1 +