diff options
| author |   Gianfranco <costamagna.gianfranco@gmail.com> | 2020-12-02 10:19:37 +0100 |
|---|---|---|
| committer |   Armin Kuster <akuster808@gmail.com> | 2020-12-10 08:17:01 -0800 |
| commit | 0c158538eda581450dbdb5762d668721ba7fe4f0 (patch) | |
| tree | 76e0d494a6cbda743fb01314a1e3ad15051fc26a /meta-oe | |
| parent | 27832ef6c02bf71694f5539d42046f148453a49b (diff) | |
| download | meta-openembedded-0c158538eda581450dbdb5762d668721ba7fe4f0.tar.gz | |
dlt-daemon: add upstream patch to fix CVE-2020-29394
More information on: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976228
| A buffer overflow in the dlt_filter_load function in dlt_common.c in
| dlt-daemon 2.8.5 (GENIVI Diagnostic Log and Trace) allows arbitrary
| code execution because fscanf is misused (no limit on the number of
| characters to be read in a format argument).
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[Fix up for Dunfell context - AK]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch | 38 | ||||
| -rw-r--r-- | meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb | 1 |
2 files changed, 39 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch new file mode 100644 index 0000000000..75065eb054 --- /dev/null +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch @@ -0,0 +1,38 @@ +Upstream-status: Backport +CVE: CVE-2020-29394 +From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001 +From: GwanYeong Kim <gy741.kim@gmail.com> +Date: Sat, 28 Nov 2020 12:24:46 +0900 +Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load + +A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument. + +Fixed: #274 + +Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> +--- + src/shared/dlt_common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c +index 254f4ce4..d15b1cec 100644 +--- a/src/shared/dlt_common.c ++++ b/src/shared/dlt_common.c +@@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb + while (!feof(handle)) { + str1[0] = 0; + +- if (fscanf(handle, "%s", str1) != 1) ++ if (fscanf(handle, "%254s", str1) != 1) + break; + + if (str1[0] == 0) +@@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb + + str1[0] = 0; + +- if (fscanf(handle, "%s", str1) != 1) ++ if (fscanf(handle, "%254s", str1) != 1) + break; + + if (str1[0] == 0) diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb index 35c638bc78..45724e98ac 100644 --- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \ file://0002-Don-t-execute-processes-as-a-specific-user.patch \ file://0004-Modify-systemd-config-directory.patch \ file://204.patch \ + file://275.patch \ " SRCREV = "14ea971be7e808b9c5099c7f404ed3cf341873c4" |