[meta-oe,warrior] gpsd: Fix CVE-2018-17937
Submitted by Adrian Bunk on Oct. 31, 2019, 4:54 p.m.
|
Patch ID: 166453
Details
Commit Message
new file mode 100644
@@ -0,0 +1,46 @@
+From a6e718c0dd32501c8961b6ac0493b148b6489f14 Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Fri, 15 Jun 2018 13:26:28 -0400
+Subject: Add bounds check in in_escape state of JSON parser.
+
+CVE: CVE-2018-17937
+Upstream-Status: Backport
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+
+---
+ json.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/json.c b/json.c
+index f5b59fba2..e7cac81fd 100644
+--- a/json.c
++++ b/json.c
+@@ -374,6 +374,12 @@ static int json_internal_read_object(const char *cp,
+ if (pval == NULL)
+ /* don't update end here, leave at value start */
+ return JSON_ERR_NULLPTR;
++ else if (pval > valbuf + JSON_VAL_MAX - 1
++ || pval > valbuf + maxlen) {
++ json_debug_trace((1, "String value too long.\n"));
++ /* don't update end here, leave at value start */
++ return JSON_ERR_STRLONG; /* */
++ }
+ switch (*cp) {
+ case 'b':
+ *pval++ = '\b';
+@@ -394,8 +400,10 @@ static int json_internal_read_object(const char *cp,
+ for (n = 0; n < 4 && cp[n] != '\0'; n++)
+ uescape[n] = *cp++;
+ --cp;
+- (void)sscanf(uescape, "%04x", &u);
+- *pval++ = (char)u; /* will truncate values above 0xff */
++ if (1 != sscanf(uescape, "%4x", &u)) {
++ return JSON_ERR_BADSTRING;
++ }
++ *pval++ = (unsigned char)u; /* will truncate values above 0xff */
+ break;
+ default: /* handles double quote and solidus */
+ *pval++ = *cp;
+--
+2.20.1
+
@@ -11,6 +11,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.gz \
file://0001-SConstruct-prefix-includepy-with-sysroot-and-drop-sy.patch \
file://0004-SConstruct-disable-html-and-man-docs-building-becaus.patch \
file://0001-include-sys-ttydefaults.h.patch \
+ file://0001-Add-bounds-check-in-in_escape-state-of-JSON-parser.patch \
"
SRC_URI[md5sum] = "e0cfadcf4a65dfbdd2afb11c58f4e4a1"
SRC_URI[sha256sum] = "68e0dbecfb5831997f8b3d6ba48aed812eb465d8c0089420ab68f9ce4d85e77a"
Signed-off-by: Adrian Bunk <bunk@stusta.de> --- Already fixed in gpsd 3.19 in zeus and master. --- ...ck-in-in_escape-state-of-JSON-parser.patch | 46 +++++++++++++++++++ meta-oe/recipes-navigation/gpsd/gpsd_3.17.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta-oe/recipes-navigation/gpsd/gpsd-3.17/0001-Add-bounds-check-in-in_escape-state-of-JSON-parser.patch