author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-09-23 13:34:58 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-09-23 13:35:48 +0000 |
commit | 7a08dd0335631987f7d96c246bc226dc514ab5ab (patch) | |
tree | 0e8b09fb27eb9a97271c7a108f2cce8afcf34fc4 | |
parent | 3e8e66af8eb57c1dc45545c6ad7ad09d2ad1bc8c (diff) | |
main/libbsd: security fix (CVE-2016-2090). Fixes #6096
(cherry picked from commit 5a6e2e3bcdc5dabbe395f3177a90544dd2ee04a3)
-rw-r--r-- | main/libbsd/APKBUILD | 16 | ||||
-rw-r--r-- | main/libbsd/CVE-2016-2090.patch | 40 |
2 files changed, 52 insertions, 4 deletions
diff --git a/main/libbsd/APKBUILD b/main/libbsd/APKBUILD
index 7d069b59b4..85c20392c9 100644
--- a/main/libbsd/APKBUILD
+++ b/main/libbsd/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=libbsd
 pkgver=0.6.0
-pkgrel=1
+pkgrel=2
 pkgdesc="commonly-used BSD functions not implemented by all libcs"
 url="http://libbsd.freedesktop.org/"
 arch="x86 x86_64"
@@ -15,8 +15,13 @@ subpackages="$pkgname-dev $pkgname-doc"
 source="http://libbsd.freedesktop.org/releases/libbsd-$pkgver.tar.xz
 Revert_Force_setproctitle_into_.init_array_section.patch
 musl-fix-headers.patch
+ CVE-2016-2090.patch
 "
 
+# secfixes:
+# libbsd-0.6.0-r2:
+# - CVE-2016-2090
+
 _builddir="$srcdir"/libbsd-$pkgver
 prepare() {
 cd "$_builddir"
@@ -50,10 +55,13 @@ package() {
 
 md5sums="f6c75f0a9818e323a589bcbd560a0eb4 libbsd-0.6.0.tar.xz
 628a86066f8a1222c7ffee5aa3d488ef Revert_Force_setproctitle_into_.init_array_section.patch
-712fca9c718f8b0f4d664c214072d6b3 musl-fix-headers.patch"
+712fca9c718f8b0f4d664c214072d6b3 musl-fix-headers.patch
+f679905334815cf2984f166e123d5d2a CVE-2016-2090.patch"
 sha256sums="9e8f34ffa9c8579c87965a55a82d8ac37a1dc64858f717b7c49452ade277cc62 libbsd-0.6.0.tar.xz
 a4497defcc14d04e407130931ed89c6b9e5e79c684884291cc080c6e90c82777 Revert_Force_setproctitle_into_.init_array_section.patch
-3082d5f47c6d895dc3546d517ba7d541602872f00d5b39852a0b28b3d74ce954 musl-fix-headers.patch"
+3082d5f47c6d895dc3546d517ba7d541602872f00d5b39852a0b28b3d74ce954 musl-fix-headers.patch
+6edb119ba87b81f4a8b0676588fc578b1c659d6a401d07ff512bb6000c15b4ef CVE-2016-2090.patch"
 sha512sums="d750ead28e76938ab8d9c5575c1c87bcf275754f9f82b19d647f522bfaf07e5a85dc47ed5faae093994e5456be806fdebb55eeeed74efff3c950dfb6142e2b5c libbsd-0.6.0.tar.xz
 52d3e69a2589dc299bcc5ca99bcf595d054be4c8b6b2ce4101d7657a54fecc4bc843b4439f0c9b582266559288220b342f926e700e7ae7e91bf29f0ae30d707f Revert_Force_setproctitle_into_.init_array_section.patch
-87a4337108776cf8ff05be5938b3c8a548a4dd5625ae8e4afbab54c4c06af287188a81213633540a82c07e90b028b616f30934b02e8ab7485efa0ae0afdf20ee musl-fix-headers.patch"
+87a4337108776cf8ff05be5938b3c8a548a4dd5625ae8e4afbab54c4c06af287188a81213633540a82c07e90b028b616f30934b02e8ab7485efa0ae0afdf20ee musl-fix-headers.patch
+f8478bbb58d8d25de181988dbe538bb4c79ce052b7f8829a671ad3fe55cdf1d858d5f52b5652559908bf7e0882447cbe62904d704a55a49a4afe0a3a528397d7 CVE-2016-2090.patch"
diff --git a/main/libbsd/CVE-2016-2090.patch b/main/libbsd/CVE-2016-2090.patch
new file mode 100644
index 0000000000..346787e231
--- /dev/null
+++ b/main/libbsd/CVE-2016-2090.patch
@@ -0,0 +1,40 @@
+From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001
+From: Hanno Boeck <hanno@hboeck.de>
+Date: Wed, 27 Jan 2016 15:10:11 +0100
+Subject: Fix heap buffer overflow in fgetwln()
+
+In the function fgetwln() there's a 4 byte heap overflow.
+
+There is a while loop that has this check to see whether there's still
+enough space in the buffer:
+
+ if (!fb->len || wused > fb->len) {
+
+If this is true more memory gets allocated. However this test won't be
+true if wused == fb->len, but at that point wused already points out
+of the buffer. Some lines later there's a write to the buffer:
+
+ fb->wbuf[wused++] = wc;
+
+This bug was found with the help of address sanitizer.
+
+Warned-by: ASAN
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
+Signed-off-by: Guillem Jover <guillem@hadrons.org>
+
+diff --git a/src/fgetwln.c b/src/fgetwln.c
+index 9ee0776..aa3f927 100644
+--- a/src/fgetwln.c
++++ b/src/fgetwln.c
+@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
+ fb->fp = stream;
+
+ while ((wc = fgetwc(stream)) != WEOF) {
+- if (!fb->len || wused > fb->len) {
++ if (!fb->len || wused >= fb->len) {
+ wchar_t *wp;
+
+ if (fb->len)
+--
+cgit v0.10.2
+
|
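Review bot: The corrected condition `if (!fb->len || wused >= fb->len)` in the embedded src/fgetwln.c hunk has no comment recording the invariant it restores, and the `!fb->len ||` half now looks redundant. If `wused` is an unsigned count (its declaration is outside the hunk), `wused >= fb->len` is already true when `fb->len` is 0. I would add `/* wused is the next write index: grow before it reaches fb->len */` above the test, so the off-by-one is not reintroduced by a later "simplification". fgetwln() starts before and continues after this hunk; the growth branch and the `fb->wbuf[wused++] = wc` store are not shown, so the size computation for the reallocation should be checked separately when applying the patch.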