
[meta-oe,kirkstone,1/1] graphviz: fix CVE-2023-46045

Message ID 20240325071546.640286-1-meenali.gupta@windriver.com
State New

Commit Message

mgupta1 March 25, 2024, 7:15 a.m. UTC
From: Meenali Gupta <meenali.gupta@windriver.com>

Graphviz 2.36 before 10.0.0 has an out-of-bounds read via a crafted config6a file.
NOTE: exploitability may be uncommon because this file is typically owned by root.

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
---
 .../graphviz/graphviz/CVE-2023-46045-1.patch  | 38 ++++++++++++++++++
 .../graphviz/graphviz/CVE-2023-46045-2.patch  | 39 +++++++++++++++++++
 .../graphviz/graphviz/CVE-2023-46045-3.patch  | 31 +++++++++++++++
 .../graphviz/graphviz_2.50.0.bb               |  3 ++
 4 files changed, 111 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch
 create mode 100644 meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch
 create mode 100644 meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch

Patch

diff --git a/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch
new file mode 100644
index 000000000..a48f8aa06
--- /dev/null
+++ b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch
@@ -0,0 +1,38 @@ 
+From 361f274ca901c3c476697a6404662d95f4dd43cb Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Fri, 12 Jan 2024 17:06:17 +1100
+Subject: [PATCH] gvc gvconfig_plugin_install_from_config: more tightly scope 
+ 'gv_api'
+
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/361f274ca901c3c476697a6404662d95f4dd43cb]
+CVE: CVE-2023-46045
+ 
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/gvc/gvconfig.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index 2d86321..f9d1dcc 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -173,7 +173,6 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ {
+     char *package_path, *name, *api;
+     const char *type;
+-    api_t gv_api;
+     int quality, rc;
+     int nest = 0;
+     gvplugin_package_t *package;
+@@ -188,7 +187,7 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+         package = gvplugin_package_record(gvc, package_path, name);
+ 	do {
+ 	    api = token(&nest, &s);
+-	    gv_api = gvplugin_api(api);
++	    const api_t gv_api = gvplugin_api(api);
+ 	    do {
+ 		if (nest == 2) {
+ 		    type = token(&nest, &s);
+-- 
+2.40.0
+
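Review bot: CVE-2023-46045-1.patch carries the `CVE: CVE-2023-46045` tag, but its two hunks only move the `gv_api` declaration into the loop and make it `const`, and nothing in the header says it is a prerequisite with no behaviour change. The same holds for CVE-2023-46045-2.patch, which does the equivalent for `api`. A one-line remark in each header, for example `Prerequisite refactor for CVE-2023-46045-3.patch; no functional change.`, would tell anyone auditing the fix that the actual check lives in the third patch. The blank line after the `CVE:` tag in this patch (`+ `) also carries a trailing space that the other two patches do not have.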
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch
new file mode 100644
index 000000000..4c70b1a87
--- /dev/null
+++ b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch
@@ -0,0 +1,39 @@ 
+From 3f31704cafd7da3e86bb2861accf5e90c973e62a Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Fri, 12 Jan 2024 17:06:17 +1100
+Subject: [PATCH] gvc gvconfig_plugin_install_from_config: more tightly scope 
+ 'api'
+
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/3f31704cafd7da3e86bb2861accf5e90c973e62a]
+CVE: CVE-2023-46045
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/gvc/gvconfig.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index f9d1dcc..95e8c6c 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -171,7 +171,7 @@ static char *token(int *nest, char **tokens)
+ 
+ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ {
+-    char *package_path, *name, *api;
++    char *package_path, *name;
+     const char *type;
+     int quality, rc;
+     int nest = 0;
+@@ -186,7 +186,7 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ 	    name = "x";
+         package = gvplugin_package_record(gvc, package_path, name);
+ 	do {
+-	    api = token(&nest, &s);
++	    const char *api = token(&nest, &s);
+ 	    const api_t gv_api = gvplugin_api(api);
+ 	    do {
+ 		if (nest == 2) {
+-- 
+2.40.0
+
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch
new file mode 100644
index 000000000..4746265ee
--- /dev/null
+++ b/meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch
@@ -0,0 +1,31 @@ 
+From a95f977f5d809915ec4b14836d2b5b7f5e74881e Mon Sep 17 00:00:00 2001
+From: Matthew Fernandez <matthew.fernandez@gmail.com>
+Date: Fri, 12 Jan 2024 17:06:17 +1100
+Subject: [PATCH] gvc: detect plugin installation failure and display an error
+
+Upstream-Status: Backport [https://gitlab.com/graphviz/graphviz/-/commit/a95f977f5d809915ec4b14836d2b5b7f5e74881e]
+CVE: CVE-2023-46045
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/gvc/gvconfig.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/gvc/gvconfig.c b/lib/gvc/gvconfig.c
+index 95e8c6c..77d0865 100644
+--- a/lib/gvc/gvconfig.c
++++ b/lib/gvc/gvconfig.c
+@@ -188,6 +188,10 @@ static int gvconfig_plugin_install_from_config(GVC_t * gvc, char *s)
+ 	do {
+ 	    const char *api = token(&nest, &s);
+ 	    const api_t gv_api = gvplugin_api(api);
++	    if (gv_api == (api_t)-1) {
++		agerr(AGERR, "config error: %s %s not found\n", package_path, api);
++		return 0;
++	    }
+ 	    do {
+ 		if (nest == 2) {
+ 		    type = token(&nest, &s);
+-- 
+2.40.0
+
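Review bot: The added guard compares `gv_api` against the bare sentinel `(api_t)-1`, and neither the hunk nor the patch header explains that this is presumably what `gvplugin_api()` returns for an API name it does not recognise (inferred from the error text; that function is outside the hunk). Because the code is a verbatim backport, the explanation belongs in the patch header rather than the C source, for example `Reject API names from the config file that gvplugin_api() cannot map, instead of carrying the invalid value forward.` Separately, `api` is passed to `%s` in `agerr` without a NULL check. Whether `token()` can return NULL at this point is not visible here, so it is worth confirming against the full function, which starts and ends outside the hunk.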
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb
index 4c51af669..f06e2adb0 100644
--- a/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb
+++ b/meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb
@@ -20,6 +20,9 @@  DEPENDS:append:class-nativesdk = " ${BPN}-native"
 inherit autotools-brokensep pkgconfig gettext qemu
 
 SRC_URI = "https://gitlab.com/api/v4/projects/4207231/packages/generic/${BPN}-releases/${PV}/${BP}.tar.xz \
+	   file://CVE-2023-46045-1.patch \
+           file://CVE-2023-46045-2.patch \
+           file://CVE-2023-46045-3.patch \
            "
 # Use native mkdefs
 SRC_URI:append:class-target = "\
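Review bot: The first added `SRC_URI` entry is indented with a tab followed by three spaces, while the next two entries and the closing quote use spaces only; it should read `           file://CVE-2023-46045-1.patch \` to match. The order of the three entries is significant and should stay as it is. Each patch's `index` line starts from the blob the previous one produces (`2d86321..f9d1dcc`, `f9d1dcc..95e8c6c`, `95e8c6c..77d0865`), so a later reorder would stop them applying cleanly.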