[thud,v2] bzip2: Fix CVE-2019-12900

Submitted by anatol.oe@belski.net on June 29, 2019, 7:27 p.m. | Patch ID: 162647

Details

Message ID 20190629192754.101979-1-anatol.oe@belski.net
State New

Commit Message

anatol.oe@belski.net June 29, 2019, 7:27 p.m.
From: Anatol Belski <anatol.belski@microsoft.com>

Affects bzip2 <= 1.0.6

Signed-off-by: Anatol Belski <anatol.belski@microsoft.com>
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    | 37 +++++++++++++++++++
 meta/recipes-extended/bzip2/bzip2_1.0.6.bb    |  3 +-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch


diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 0000000000..8313fdcfcc
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,37 @@ 
+bzip2: Fix CVE-2019-12900
+Upstream-Status: Accepted [https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc]
+CVE: CVE-2019-12900
+Signed-off-by: Albert Astals Cid <aacid@kde.org>
+
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+	UChar    selectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+
+Fixes out of bounds access discovered while fuzzying karchive
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
++++ b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
+       for (i = 0; i < nSelectors; i++) {
+          j = 0;
+          while (True) {
+-- 
+2.21.0
+
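Review bot: The new bound in the embedded decompress.c hunk, `if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);`, stops the out-of-range index into selectorMtf, but it also turns every stream that declares more selectors than the array holds into a hard BZ_DATA_ERROR. The count is read as a 15-bit field, so larger values are representable, and some third-party encoders are reported to emit surplus selectors; before this lands on a stable branch it is worth confirming whether such archives still have to decompress. If they do, the extra selectors would need to be read and discarded rather than rejected. The patch header carries only the upstream author's Signed-off-by; adding the backporter's own below it would record who imported the fix. The body of BZ2_decompress continues outside the hunk, so the later uses of nSelectors cannot be checked from here.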
diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
index 025f45c472..6791020d05 100644
--- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
+++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
@@ -6,7 +6,7 @@  HOMEPAGE = "https://sourceware.org/bzip2/"
 SECTION = "console/utils"
 LICENSE = "bzip2"
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=4;endline=37;md5=39406315f540c69bd05b1531daedd2ae"
-PR = "r5"
+PR = "r6"
 
 SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
            file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch \
@@ -14,6 +14,7 @@  SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
            file://Makefile.am;subdir=${BP} \
            file://run-ptest \
            file://CVE-2016-3189.patch \
+           file://CVE-2019-12900.patch \
            "
 
 SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"

Comments

Ross Burton June 29, 2019, 7:30 p.m.
For master, let's upgrade to 1.0.7 instead.

Ross

On Sat, 29 Jun 2019 at 20:28, <anatol.oe@belski.net> wrote:
>
> From: Anatol Belski <anatol.belski@microsoft.com>
>
> Affects bzip2 <= 1.0.6
>
> Signed-off-by: Anatol Belski <anatol.belski@microsoft.com>
> ---
>  .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    | 37 +++++++++++++++++++
>  meta/recipes-extended/bzip2/bzip2_1.0.6.bb    |  3 +-
>  2 files changed, 39 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
>
> diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> new file mode 100644
> index 0000000000..8313fdcfcc
> --- /dev/null
> +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> @@ -0,0 +1,37 @@
> +bzip2: Fix CVE-2019-12900
> +Upstream-Status: Accepted [https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc]
> +CVE: CVE-2019-12900
> +Signed-off-by: Albert Astals Cid <aacid@kde.org>
> +
> +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
> +From: Albert Astals Cid <aacid@kde.org>
> +Date: Tue, 28 May 2019 19:35:18 +0200
> +Subject: [PATCH] Make sure nSelectors is not out of range
> +
> +nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
> +which is
> +       UChar    selectorMtf[BZ_MAX_SELECTORS];
> +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
> +access
> +
> +Fixes out of bounds access discovered while fuzzying karchive
> +---
> + decompress.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/decompress.c b/decompress.c
> +index ab6a624..f3db91d 100644
> +--- a/decompress.c
> ++++ b/decompress.c
> +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> +       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> +       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> +       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> +-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> ++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
> +       for (i = 0; i < nSelectors; i++) {
> +          j = 0;
> +          while (True) {
> +--
> +2.21.0
> +
> diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> index 025f45c472..6791020d05 100644
> --- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> +++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> @@ -6,7 +6,7 @@ HOMEPAGE = "https://sourceware.org/bzip2/"
>  SECTION = "console/utils"
>  LICENSE = "bzip2"
>  LIC_FILES_CHKSUM = "file://LICENSE;beginline=4;endline=37;md5=39406315f540c69bd05b1531daedd2ae"
> -PR = "r5"
> +PR = "r6"
>
>  SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
>             file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch \
> @@ -14,6 +14,7 @@ SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
>             file://Makefile.am;subdir=${BP} \
>             file://run-ptest \
>             file://CVE-2016-3189.patch \
> +           file://CVE-2019-12900.patch \
>             "
>
>  SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"
> --
> 2.17.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
anatol.oe@belski.net June 29, 2019, 9:50 p.m.
Hi,


> -----Original Message-----
> From: Burton, Ross <ross.burton@intel.com>
> Sent: Saturday, June 29, 2019 9:30 PM
> To: anatol.oe@belski.net
> Cc: OE-core <openembedded-core@lists.openembedded.org>
> Subject: Re: [OE-core] [thud][PATCH v2] bzip2: Fix CVE-2019-12900
> 
> For master, lets upgrade to 1.0.7 instead.
> 
Thanks for checking. Probably makes sense, yep. Whereby it's released just two days ago, after all the years :) Probably have time to expect some newer version.

In general, should I have posted this patch against master? It seems I've targeted thud only, according to the policies below

https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance

Or it's going to be merged up, if accepted?

Thanks

Anatol

> Ross
> 
> On Sat, 29 Jun 2019 at 20:28, <anatol.oe@belski.net> wrote:
> >
> > From: Anatol Belski <anatol.belski@microsoft.com>
> >
> > Affects bzip2 <= 1.0.6
> >
> > Signed-off-by: Anatol Belski <anatol.belski@microsoft.com>
> > ---
> >  .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    | 37
> +++++++++++++++++++
> >  meta/recipes-extended/bzip2/bzip2_1.0.6.bb    |  3 +-
> >  2 files changed, 39 insertions(+), 1 deletion(-)  create mode 100644
> > meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> >
> > diff --git
> > a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > new file mode 100644
> > index 0000000000..8313fdcfcc
> > --- /dev/null
> > +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > @@ -0,0 +1,37 @@
> > +bzip2: Fix CVE-2019-12900
> > +Upstream-Status: Accepted
> >
> +[https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d5
> > +1ef9824db71a8ffee5962cdbc]
> > +CVE: CVE-2019-12900
> > +Signed-off-by: Albert Astals Cid <aacid@kde.org>
> > +
> > +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17
> 00:00:00
> > +2001
> > +From: Albert Astals Cid <aacid@kde.org>
> > +Date: Tue, 28 May 2019 19:35:18 +0200
> > +Subject: [PATCH] Make sure nSelectors is not out of range
> > +
> > +nSelectors is used in a loop from 0 to nSelectors to access
> > +selectorMtf which is
> > +       UChar    selectorMtf[BZ_MAX_SELECTORS];
> > +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid
> > +memory access
> > +
> > +Fixes out of bounds access discovered while fuzzying karchive
> > +---
> > + decompress.c | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/decompress.c b/decompress.c index ab6a624..f3db91d
> > +100644
> > +--- a/decompress.c
> > ++++ b/decompress.c
> > +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> > +       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> > +       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> > +       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> > +-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> > ++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS)
> > ++ RETURN(BZ_DATA_ERROR);
> > +       for (i = 0; i < nSelectors; i++) {
> > +          j = 0;
> > +          while (True) {
> > +--
> > +2.21.0
> > +
> > diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > index 025f45c472..6791020d05 100644
> > --- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > +++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > @@ -6,7 +6,7 @@ HOMEPAGE = "https://sourceware.org/bzip2/"
> >  SECTION = "console/utils"
> >  LICENSE = "bzip2"
> >  LIC_FILES_CHKSUM =
> "file://LICENSE;beginline=4;endline=37;md5=39406315f540c69bd05b1531da
> edd2ae"
> > -PR = "r5"
> > +PR = "r6"
> >
> >  SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz
> \
> >             file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch
> > \ @@ -14,6 +14,7 @@ SRC_URI =
> "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
> >             file://Makefile.am;subdir=${BP} \
> >             file://run-ptest \
> >             file://CVE-2016-3189.patch \
> > +           file://CVE-2019-12900.patch \
> >             "
> >
> >  SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"
> > --
> > 2.17.1
> >
> > --
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core
Ross Burton July 1, 2019, 9:48 a.m.
*All* security issues are fixed in master first and then bubble down
the stable branches.  Otherwise, if you just fix thud we may end up
with the next release not having the fix.

So, ideally, we upgrade master to 1.07 and then apply the backport to
the stable branches.

Ross

On Sat, 29 Jun 2019 at 22:50, <anatol.oe@belski.net> wrote:
>
> Hi,
>
>
> > -----Original Message-----
> > From: Burton, Ross <ross.burton@intel.com>
> > Sent: Saturday, June 29, 2019 9:30 PM
> > To: anatol.oe@belski.net
> > Cc: OE-core <openembedded-core@lists.openembedded.org>
> > Subject: Re: [OE-core] [thud][PATCH v2] bzip2: Fix CVE-2019-12900
> >
> > For master, lets upgrade to 1.0.7 instead.
> >
> Thanks for checking. Probably makes sense, yep. Whereby it's released just two days ago, after all the years :) Probably have time to expect some newer version.
>
> In general, should I have posted this patch against master? As seems I've targeted thud only, according to the policies below
>
> https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance
>
> Or it's going to be merged up, if accepted?
>
> Thanks
>
> Anatol
>
> > Ross
> >
> > On Sat, 29 Jun 2019 at 20:28, <anatol.oe@belski.net> wrote:
> > >
> > > From: Anatol Belski <anatol.belski@microsoft.com>
> > >
> > > Affects bzip2 <= 1.0.6
> > >
> > > Signed-off-by: Anatol Belski <anatol.belski@microsoft.com>
> > > ---
> > >  .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    | 37
> > +++++++++++++++++++
> > >  meta/recipes-extended/bzip2/bzip2_1.0.6.bb    |  3 +-
> > >  2 files changed, 39 insertions(+), 1 deletion(-)  create mode 100644
> > > meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > >
> > > diff --git
> > > a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > new file mode 100644
> > > index 0000000000..8313fdcfcc
> > > --- /dev/null
> > > +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > @@ -0,0 +1,37 @@
> > > +bzip2: Fix CVE-2019-12900
> > > +Upstream-Status: Accepted
> > >
> > +[https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d5
> > > +1ef9824db71a8ffee5962cdbc]
> > > +CVE: CVE-2019-12900
> > > +Signed-off-by: Albert Astals Cid <aacid@kde.org>
> > > +
> > > +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17
> > 00:00:00
> > > +2001
> > > +From: Albert Astals Cid <aacid@kde.org>
> > > +Date: Tue, 28 May 2019 19:35:18 +0200
> > > +Subject: [PATCH] Make sure nSelectors is not out of range
> > > +
> > > +nSelectors is used in a loop from 0 to nSelectors to access
> > > +selectorMtf which is
> > > +       UChar    selectorMtf[BZ_MAX_SELECTORS];
> > > +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid
> > > +memory access
> > > +
> > > +Fixes out of bounds access discovered while fuzzying karchive
> > > +---
> > > + decompress.c | 2 +-
> > > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > > +
> > > +diff --git a/decompress.c b/decompress.c index ab6a624..f3db91d
> > > +100644
> > > +--- a/decompress.c
> > > ++++ b/decompress.c
> > > +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> > > +       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> > > +       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> > > +       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> > > +-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> > > ++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS)
> > > ++ RETURN(BZ_DATA_ERROR);
> > > +       for (i = 0; i < nSelectors; i++) {
> > > +          j = 0;
> > > +          while (True) {
> > > +--
> > > +2.21.0
> > > +
> > > diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > index 025f45c472..6791020d05 100644
> > > --- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > +++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > @@ -6,7 +6,7 @@ HOMEPAGE = "https://sourceware.org/bzip2/"
> > >  SECTION = "console/utils"
> > >  LICENSE = "bzip2"
> > >  LIC_FILES_CHKSUM =
> > "file://LICENSE;beginline=4;endline=37;md5=39406315f540c69bd05b1531da
> > edd2ae"
> > > -PR = "r5"
> > > +PR = "r6"
> > >
> > >  SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz
> > \
> > >             file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch
> > > \ @@ -14,6 +14,7 @@ SRC_URI =
> > "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
> > >             file://Makefile.am;subdir=${BP} \
> > >             file://run-ptest \
> > >             file://CVE-2016-3189.patch \
> > > +           file://CVE-2019-12900.patch \
> > >             "
> > >
> > >  SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"
> > > --
> > > 2.17.1
> > >
> > > --
> > > _______________________________________________
> > > Openembedded-core mailing list
> > > Openembedded-core@lists.openembedded.org
> > > http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
Ross Burton July 1, 2019, 9:50 a.m.
I just noticed that Oleksandr sent the 1.0.7 upgrade, so the backport
patch is good for all other stable branches.

Ross

On Mon, 1 Jul 2019 at 10:48, Burton, Ross <ross.burton@intel.com> wrote:
>
> *All* security issues are fixed in master first and then bubble down
> the stable branches.  Otherwise, if you just fix thud we may end up
> with the next release not having the fix.
>
> So, ideally, we upgrade master to 1.07 and then apply the backport to
> the stable branches.
>
> Ross
>
> On Sat, 29 Jun 2019 at 22:50, <anatol.oe@belski.net> wrote:
> >
> > Hi,
> >
> >
> > > -----Original Message-----
> > > From: Burton, Ross <ross.burton@intel.com>
> > > Sent: Saturday, June 29, 2019 9:30 PM
> > > To: anatol.oe@belski.net
> > > Cc: OE-core <openembedded-core@lists.openembedded.org>
> > > Subject: Re: [OE-core] [thud][PATCH v2] bzip2: Fix CVE-2019-12900
> > >
> > > For master, lets upgrade to 1.0.7 instead.
> > >
> > Thanks for checking. Probably makes sense, yep. Whereby it's released just two days ago, after all the years :) Probably have time to expect some newer version.
> >
> > In general, should I have posted this patch against master? As seems I've targeted thud only, according to the policies below
> >
> > https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance
> >
> > Or it's going to be merged up, if accepted?
> >
> > Thanks
> >
> > Anatol
> >
> > > Ross
> > >
> > > On Sat, 29 Jun 2019 at 20:28, <anatol.oe@belski.net> wrote:
> > > >
> > > > From: Anatol Belski <anatol.belski@microsoft.com>
> > > >
> > > > Affects bzip2 <= 1.0.6
> > > >
> > > > Signed-off-by: Anatol Belski <anatol.belski@microsoft.com>
> > > > ---
> > > >  .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    | 37
> > > +++++++++++++++++++
> > > >  meta/recipes-extended/bzip2/bzip2_1.0.6.bb    |  3 +-
> > > >  2 files changed, 39 insertions(+), 1 deletion(-)  create mode 100644
> > > > meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > >
> > > > diff --git
> > > > a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > > b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > > new file mode 100644
> > > > index 0000000000..8313fdcfcc
> > > > --- /dev/null
> > > > +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > > @@ -0,0 +1,37 @@
> > > > +bzip2: Fix CVE-2019-12900
> > > > +Upstream-Status: Accepted
> > > >
> > > +[https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d5
> > > > +1ef9824db71a8ffee5962cdbc]
> > > > +CVE: CVE-2019-12900
> > > > +Signed-off-by: Albert Astals Cid <aacid@kde.org>
> > > > +
> > > > +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17
> > > 00:00:00
> > > > +2001
> > > > +From: Albert Astals Cid <aacid@kde.org>
> > > > +Date: Tue, 28 May 2019 19:35:18 +0200
> > > > +Subject: [PATCH] Make sure nSelectors is not out of range
> > > > +
> > > > +nSelectors is used in a loop from 0 to nSelectors to access
> > > > +selectorMtf which is
> > > > +       UChar    selectorMtf[BZ_MAX_SELECTORS];
> > > > +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid
> > > > +memory access
> > > > +
> > > > +Fixes out of bounds access discovered while fuzzying karchive
> > > > +---
> > > > + decompress.c | 2 +-
> > > > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > > > +
> > > > +diff --git a/decompress.c b/decompress.c index ab6a624..f3db91d
> > > > +100644
> > > > +--- a/decompress.c
> > > > ++++ b/decompress.c
> > > > +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> > > > +       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> > > > +       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> > > > +       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> > > > +-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> > > > ++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS)
> > > > ++ RETURN(BZ_DATA_ERROR);
> > > > +       for (i = 0; i < nSelectors; i++) {
> > > > +          j = 0;
> > > > +          while (True) {
> > > > +--
> > > > +2.21.0
> > > > +
> > > > diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > > b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > > index 025f45c472..6791020d05 100644
> > > > --- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > > +++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > > @@ -6,7 +6,7 @@ HOMEPAGE = "https://sourceware.org/bzip2/"
> > > >  SECTION = "console/utils"
> > > >  LICENSE = "bzip2"
> > > >  LIC_FILES_CHKSUM =
> > > "file://LICENSE;beginline=4;endline=37;md5=39406315f540c69bd05b1531da
> > > edd2ae"
> > > > -PR = "r5"
> > > > +PR = "r6"
> > > >
> > > >  SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz
> > > \
> > > >             file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch
> > > > \ @@ -14,6 +14,7 @@ SRC_URI =
> > > "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
> > > >             file://Makefile.am;subdir=${BP} \
> > > >             file://run-ptest \
> > > >             file://CVE-2016-3189.patch \
> > > > +           file://CVE-2019-12900.patch \
> > > >             "
> > > >
> > > >  SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"
> > > > --
> > > > 2.17.1
> > > >
> > > > --
> > > > _______________________________________________
> > > > Openembedded-core mailing list
> > > > Openembedded-core@lists.openembedded.org
> > > > http://lists.openembedded.org/mailman/listinfo/openembedded-core
> >
anatol.oe@belski.net July 1, 2019, 11:50 a.m.
Hi Ross,

Ack, thanks for the tips. I'll keep this in mind for my next contributions.

For now seems either way, a backport or a full upgrade would work, depends probably on whether the new bzip2 version is compatible enough.

Regards

Anatol

> -----Original Message-----
> From: Burton, Ross <ross.burton@intel.com>
> Sent: Monday, July 1, 2019 11:51 AM
> To: anatol.oe@belski.net
> Cc: OE-core <openembedded-core@lists.openembedded.org>
> Subject: Re: [OE-core] [thud][PATCH v2] bzip2: Fix CVE-2019-12900
> 
> I just noticed that Oleksandr sent the 1.0.7 upgrade, so the backport patch is
> good for all other stable branches.
> 
> Ross
> 
> On Mon, 1 Jul 2019 at 10:48, Burton, Ross <ross.burton@intel.com> wrote:
> >
> > *All* security issues are fixed in master first and then bubble down
> > the stable branches.  Otherwise, if you just fix thud we may end up
> > with the next release not having the fix.
> >
> > So, ideally, we upgrade master to 1.07 and then apply the backport to
> > the stable branches.
> >
> > Ross
> >
> > On Sat, 29 Jun 2019 at 22:50, <anatol.oe@belski.net> wrote:
> > >
> > > Hi,
> > >
> > >
> > > > -----Original Message-----
> > > > From: Burton, Ross <ross.burton@intel.com>
> > > > Sent: Saturday, June 29, 2019 9:30 PM
> > > > To: anatol.oe@belski.net
> > > > Cc: OE-core <openembedded-core@lists.openembedded.org>
> > > > Subject: Re: [OE-core] [thud][PATCH v2] bzip2: Fix CVE-2019-12900
> > > >
> > > > For master, lets upgrade to 1.0.7 instead.
> > > >
> > > Thanks for checking. Probably makes sense, yep. Whereby it's released
> just two days ago, after all the years :) Probably have time to expect some
> newer version.
> > >
> > > In general, should I have posted this patch against master? As seems
> > > I've targeted thud only, according to the policies below
> > >
> > > https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance
> > >
> > > Or it's going to be merged up, if accepted?
> > >
> > > Thanks
> > >
> > > Anatol
> > >
> > > > Ross
> > > >
> > > > On Sat, 29 Jun 2019 at 20:28, <anatol.oe@belski.net> wrote:
> > > > >
> > > > > From: Anatol Belski <anatol.belski@microsoft.com>
> > > > >
> > > > > Affects bzip2 <= 1.0.6
> > > > >
> > > > > Signed-off-by: Anatol Belski <anatol.belski@microsoft.com>
> > > > > ---
> > > > >  .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    | 37
> > > > +++++++++++++++++++
> > > > >  meta/recipes-extended/bzip2/bzip2_1.0.6.bb    |  3 +-
> > > > >  2 files changed, 39 insertions(+), 1 deletion(-)  create mode
> > > > > 100644
> > > > > meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > > >
> > > > > diff --git
> > > > > a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > > > b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > > > new file mode 100644
> > > > > index 0000000000..8313fdcfcc
> > > > > --- /dev/null
> > > > > +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.pat
> > > > > +++ ch
> > > > > @@ -0,0 +1,37 @@
> > > > > +bzip2: Fix CVE-2019-12900
> > > > > +Upstream-Status: Accepted
> > > > >
> > > >
> +[https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ff
> > > > +c9d5
> > > > > +1ef9824db71a8ffee5962cdbc]
> > > > > +CVE: CVE-2019-12900
> > > > > +Signed-off-by: Albert Astals Cid <aacid@kde.org>
> > > > > +
> > > > > +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17
> > > > 00:00:00
> > > > > +2001
> > > > > +From: Albert Astals Cid <aacid@kde.org>
> > > > > +Date: Tue, 28 May 2019 19:35:18 +0200
> > > > > +Subject: [PATCH] Make sure nSelectors is not out of range
> > > > > +
> > > > > +nSelectors is used in a loop from 0 to nSelectors to access
> > > > > +selectorMtf which is
> > > > > +       UChar    selectorMtf[BZ_MAX_SELECTORS];
> > > > > +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an
> > > > > +invalid memory access
> > > > > +
> > > > > +Fixes out of bounds access discovered while fuzzying karchive
> > > > > +---
> > > > > + decompress.c | 2 +-
> > > > > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > +
> > > > > +diff --git a/decompress.c b/decompress.c index ab6a624..f3db91d
> > > > > +100644
> > > > > +--- a/decompress.c
> > > > > ++++ b/decompress.c
> > > > > +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> > > > > +       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> > > > > +       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> > > > > +       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> > > > > +-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> > > > > ++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS)
> > > > > ++ RETURN(BZ_DATA_ERROR);
> > > > > +       for (i = 0; i < nSelectors; i++) {
> > > > > +          j = 0;
> > > > > +          while (True) {
> > > > > +--
> > > > > +2.21.0
> > > > > +
> > > > > diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > > > b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > > > index 025f45c472..6791020d05 100644
> > > > > --- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > > > +++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb
> > > > > @@ -6,7 +6,7 @@ HOMEPAGE = "https://sourceware.org/bzip2/"
> > > > >  SECTION = "console/utils"
> > > > >  LICENSE = "bzip2"
> > > > >  LIC_FILES_CHKSUM =
> > > >
> "file://LICENSE;beginline=4;endline=37;md5=39406315f540c69bd05b153
> > > > 1da
> > > > edd2ae"
> > > > > -PR = "r5"
> > > > > +PR = "r6"
> > > > >
> > > > >  SRC_URI =
> > > > > "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz
> > > > \
> > > > >
> > > > > file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch
> > > > > \ @@ -14,6 +14,7 @@ SRC_URI =
> > > > "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \
> > > > >             file://Makefile.am;subdir=${BP} \
> > > > >             file://run-ptest \
> > > > >             file://CVE-2016-3189.patch \
> > > > > +           file://CVE-2019-12900.patch \
> > > > >             "
> > > > >
> > > > >  SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b"
> > > > > --
> > > > > 2.17.1
> > > > >
> > > > > --
> > > > > _______________________________________________
> > > > > Openembedded-core mailing list
> > > > > Openembedded-core@lists.openembedded.org
> > > > > http://lists.openembedded.org/mailman/listinfo/openembedded-core
> > >