new file mode 100644
@@ -0,0 +1,70 @@
+From 5e8b9d0c9cef6194b3588b12f04afd617de3587d Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 28 Apr 2021 05:16:34 +0200
+Subject: [PATCH] cpio: Fix possible integer overflow on 32-bit systems
+
+The maximum name and file sizes in the "new" header format are 32-bit
+unsigned values. However, the I/O functions mostly use long for sizes
+and offsets, so that sizes >= 2^31 are handled wrongly on 32-bit
+systems.
+
+The current GNU cpio code doesn't seem to have this problem, but the
+divergence between this version and that is large enough that I can't
+simply cherry-pick a fix for it.
+
+As a short-term fix, in read_in_new_ascii(), fail if c_namesize or
+c_filesize is > LONG_MAX.
+
+CVE-2021-31872
+
+CVE: CVE-2021-31872
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=9b1c91577aef7f2e72c3aa11a27749160bd278ff]
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/utils/cpio.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/usr/utils/cpio.c b/usr/utils/cpio.c
+index a13c876..9b0b6ae 100644
+--- a/usr/utils/cpio.c
++++ b/usr/utils/cpio.c
+@@ -17,6 +17,7 @@
+
+ #include <errno.h>
+ #include <fcntl.h>
++#include <limits.h>
+ #include <malloc.h>
+ #include <stdbool.h>
+ #include <stdio.h>
+@@ -904,6 +905,15 @@ static void read_in_new_ascii(struct new_cpio_header *file_hdr, int in_des)
+ file_hdr->c_hdr[i] = strtoul(hexbuf, NULL, 16);
+ ah += 8;
+ }
++
++ /* Sizes > LONG_MAX can currently result in integer overflow
++ in various places. Fail if name is too large. */
++ if (file_hdr->c_namesize > LONG_MAX) {
++ fprintf(stderr, "%s: name size out of range\n",
++ progname);
++ exit(1);
++ }
++
+ /* Read file name from input. */
+ free(file_hdr->c_name);
+ file_hdr->c_name = (char *)xmalloc(file_hdr->c_namesize);
+@@ -914,6 +924,14 @@ static void read_in_new_ascii(struct new_cpio_header *file_hdr, int in_des)
+ is rounded up to the next long-word, so we might need to drop
+ 1-3 bytes. */
+ tape_skip_padding(in_des, file_hdr->c_namesize + 110);
++
++ /* Fail if file is too large. We could check this earlier
++ but it's helpful to report the name. */
++ if (file_hdr->c_filesize > LONG_MAX) {
++ fprintf(stderr, "%s: %s: file size out of range\n",
++ progname, file_hdr->c_name);
++ exit(1);
++ }
+ }
+
+ /* Return 16-bit integer I with the bytes swapped. */
@@ -23,6 +23,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/klibc/2.0/klibc-${PV}.tar.xz \
file://0001-workaround-for-overlapping-sections-in-binary.patch \
file://CVE-2021-31870.patch \
file://CVE-2021-31871.patch \
+ file://CVE-2021-31872.patch \
"
ARMPATCHES ?= ""
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-31872 Pick the patch mentioned by the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../klibc/files/CVE-2021-31872.patch | 70 +++++++++++++++++++ .../recipes-devtools/klibc/klibc.inc | 1 + 2 files changed, 71 insertions(+) create mode 100644 meta-initramfs/recipes-devtools/klibc/files/CVE-2021-31872.patch