diff options
author | ToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp> | 2020-03-30 09:24:26 +0900 |
---|---|---|
committer | ToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp> | 2020-03-30 09:24:26 +0900 |
commit | 5b80bfd7bffd4c20d80b7c70a7130529e9a755dd (patch) | |
tree | b4bb18dcd1487dbf1ea8127e5671b7bb2eded033 /external/poky/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch | |
parent | 706ad73eb02caf8532deaf5d38995bd258725cb8 (diff) |
agl-basesystem
Diffstat (limited to 'external/poky/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch')
-rw-r--r-- | external/poky/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/external/poky/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/external/poky/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch new file mode 100644 index 00000000..3925a4ab --- /dev/null +++ b/external/poky/meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch @@ -0,0 +1,49 @@ +From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001 +From: Filipe Brandenburger <filbranden@google.com> +Date: Thu, 10 Jan 2019 14:53:33 -0800 +Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866 + +The original code didn't account for the fact that strchr() would match on the +'\0' character, making it read past the end of the buffer if no non-whitespace +character was present. + +This bug was introduced in commit ec5ff4445cca6a which was first released in +systemd v221 and later fixed in commit 8595102d3ddde6 which was released in +v240, so versions in the range [v221, v240) are affected. + +Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b +also includes a change from systemd master which removes a heap buffer overflow +a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. + +CVE: CVE-2018-16866 +Upstream-Status: Backport +Signed-off-by: Marcus Cooper <marcusc@axis.com> +--- + src/journal/journald-syslog.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c +index 9dea116722..809b318c06 100644 +--- a/src/journal/journald-syslog.c ++++ b/src/journal/journald-syslog.c +@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) + e = l; + l--; + +- if (p[l-1] == ']') { ++ if (l > 0 && p[l-1] == ']') { + size_t k = l-1; + + for (;;) { +@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) + if (t) + *identifier = t; + +- if (strchr(WHITESPACE, p[e])) ++ if (p[e] != '\0' && strchr(WHITESPACE, p[e])) + e++; + *buf = p + e; + return e; +-- +2.11.0 + |