From patchwork Tue Oct 31 22:05:17 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 33221
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 1/3] libxml2: Patch CVE-2023-45322
Date: Tue, 31 Oct 2023 12:05:17 -1000
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189871
From: Peter Marko

Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583

Backport also one of 14 patches for older issue with similar errors to have clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344

The CVE is disputed because the maintainer does not think that errors after memory allocation failures are critical enough to warrant a CVE ID.
This patch will formally fix the reported error case; trying to backport another 13 patches and resolve conflicts would probably be overkill due to the disputed state.

This CVE was ignored on master branch (as disputed).

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 .../libxml/libxml2/CVE-2023-45322-1.patch | 49 ++++++++++++
 .../libxml/libxml2/CVE-2023-45322-2.patch | 79 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.14.bb | 2 +
 3 files changed, 130 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 0000000000..5f1cb72534
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,49 @@ +From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 15:44:42 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList + +Found with libFuzzer, see #344. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce] + +Signed-off-by: Peter Marko +--- + tree.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tree.c b/tree.c +index 507869efe..647288ce3 100644 +--- a/tree.c ++++ b/tree.c +@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + } + if (doc->intSubset == NULL) { + q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); +- if (q == NULL) return(NULL); ++ if (q == NULL) goto error; + q->doc = doc; + q->parent = parent; + doc->intSubset = (xmlDtdPtr) q; +@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + } else + #endif /* LIBXML_TREE_ENABLED */ + q = xmlStaticCopyNode(node, doc, parent, 1); +- if (q == NULL) return(NULL); ++ if (q == NULL) goto error; + if (ret == NULL) { + q->prev = NULL; + ret = p = q; +@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + node = node->next; + } + return(ret); ++error: ++ xmlFreeNodeList(ret); ++ return(NULL); + } + + /** +-- +GitLab + diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch new file mode 100644 index 0000000000..845fd70c66 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch 
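Review bot: taken on its own, this patch leaves `doc->intSubset` pointing at a DTD node that is also a member of the list the new `error:` label hands to `xmlFreeNodeList(ret)`: in the DTD branch `doc->intSubset = (xmlDtdPtr) q;` is executed before the loop moves on, so a later `xmlStaticCopyNode(node, doc, parent, 1)` returning NULL tears down a list in which that DTD node is linked while the document still references it. Whether that pointer is then stale depends on how `xmlFreeNodeList` treats DTD nodes, and `-2.patch` ("Fix UAF if malloc fails") resolves it by assigning `doc->intSubset` only after the whole list has been copied, so the two patches must land together and never be cherry-picked apart; a sentence to that effect belongs in this patch's header. Minor: the header has no `CVE:` tag while `-2.patch` carries `CVE: CVE-2023-45322`; cve-check also takes the ID from the file name, but a tag (or a line saying this is a prerequisite for -2) keeps the pair consistent.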
@@ -0,0 +1,79 @@ +From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 23 Aug 2023 20:24:24 +0200 +Subject: [PATCH] tree: Fix copying of DTDs + +- Don't create multiple DTD nodes. +- Fix UAF if malloc fails. +- Skip DTD nodes if tree module is disabled. + +Fixes #583. + +CVE: CVE-2023-45322 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9] + +Signed-off-by: Peter Marko +--- + tree.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/tree.c b/tree.c +index 6c8a875b9..02c1b5791 100644 +--- a/tree.c ++++ b/tree.c +@@ -4471,29 +4471,28 @@ xmlNodePtr + xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + xmlNodePtr ret = NULL; + xmlNodePtr p = NULL,q; ++ xmlDtdPtr newSubset = NULL; + + while (node != NULL) { +-#ifdef LIBXML_TREE_ENABLED + if (node->type == XML_DTD_NODE ) { +- if (doc == NULL) { ++#ifdef LIBXML_TREE_ENABLED ++ if ((doc == NULL) || (doc->intSubset != NULL)) { + node = node->next; + continue; + } +- if (doc->intSubset == NULL) { +- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); +- if (q == NULL) goto error; +- q->doc = doc; +- q->parent = parent; +- doc->intSubset = (xmlDtdPtr) q; +- xmlAddChild(parent, q); +- } else { +- q = (xmlNodePtr) doc->intSubset; +- xmlAddChild(parent, q); +- } +- } else ++ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); ++ if (q == NULL) goto error; ++ q->doc = doc; ++ q->parent = parent; ++ newSubset = (xmlDtdPtr) q; ++#else ++ node = node->next; ++ continue; + #endif /* LIBXML_TREE_ENABLED */ ++ } else { + q = xmlStaticCopyNode(node, doc, parent, 1); +- if (q == NULL) goto error; ++ if (q == NULL) goto error; ++ } + if (ret == NULL) { + q->prev = NULL; + ret = p = q; +@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + } + node = node->next; + } ++ if (newSubset != NULL) ++ 
doc->intSubset = newSubset; + return(ret); + error: + xmlFreeNodeList(ret); +-- +GitLab + diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 437bccf4ed..533a6dae01 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb 
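Review bot: the `(doc == NULL) || (doc->intSubset != NULL)` test changes behaviour beyond error handling and the commit message should say so: previously an existing `doc->intSubset` was re-linked under `parent` via `xmlAddChild(parent, q)` and chained into the returned list, whereas now a DTD node is skipped entirely when the target document already has a subset, so the copied list contains no XML_DTD_NODE in that case. That matches "Don't create multiple DTD nodes", but any caller in the 2.9.14 tree that walked the result looking for the DTD should be checked against the new shape. The error path is correct: `newSubset` is published into `doc` only after the loop, so on `goto error` the DTD copy is still just a member of `ret`, `xmlFreeNodeList(ret)` is the only owner, and `doc` holds no reference to it.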
@@ -29,6 +29,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2023-29469.patch \ file://CVE-2023-39615-0001.patch \ file://CVE-2023-39615-0002.patch \ + file://CVE-2023-45322-1.patch \ + file://CVE-2023-45322-2.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
From patchwork Tue Oct 31 22:05:18 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 33222
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/3] tiff: CVE patch correction for CVE-2023-3576
Date: Tue, 31 Oct 2023 12:05:18 -1000
Message-Id: <63daa00279c0c3a8650d6e08a68cc32a2b98d843.1698789786.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189872

From: Vijay Anusuri

- The commit [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37] fixes CVE-2023-3576
- Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch
- Reference:
  https://security-tracker.debian.org/tracker/CVE-2023-3576
  https://security-tracker.debian.org/tracker/CVE-2023-3618

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
 .../tiff/{CVE-2023-3618-1.patch => CVE-2023-3576.patch} | 3 ++-
 .../tiff/{CVE-2023-3618-2.patch => CVE-2023-3618.patch} | 0
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-1.patch => CVE-2023-3576.patch} (93%)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-2.patch => CVE-2023-3618.patch} (100%)

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
similarity index 93%
rename from meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
rename to meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
index 8f55d2b496..b17dd72170 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
@@ -4,8 +4,9 @@ Date: Tue, 7 Mar 2023 15:02:08 +0800 Subject: [PATCH] Fix memory leak in tiffcrop.c Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37] -CVE: CVE-2023-3618 +CVE: CVE-2023-3576 Signed-off-by: Hitendra Prajapati +Signed-off-by: Vijay Anusuri --- tools/tiffcrop.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch similarity index 100% rename from meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch rename to meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 8dcd73273e..e925b7d652 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
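Review bot: the hunk swaps `-CVE: CVE-2023-3618` for `+CVE: CVE-2023-3576` and nothing else, so within the patch file the only thing tying commit 881a070194783561fd209b7c789a4e75566f7f37 to CVE-2023-3576 is the new tag; the evidence for the re-attribution is the pair of Debian tracker links quoted in the commit message. Put those two URLs into the patch header next to `Upstream-Status` so the mapping can be audited from the patch alone, and since the earlier -1/-2 split was itself the mislabel being corrected, confirm that the file keeping the 3618 ID (renamed from -2 at 100% similarity) is the commit the tracker lists for CVE-2023-3618 before this is merged; cve-check will report both IDs as patched on the strength of these tags.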
@@ -40,8 +40,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-26965.patch \ file://CVE-2023-2908.patch \ file://CVE-2023-3316.patch \ - file://CVE-2023-3618-1.patch \ - file://CVE-2023-3618-2.patch \ + file://CVE-2023-3576.patch \ + file://CVE-2023-3618.patch \ file://CVE-2023-26966.patch \ file://CVE-2022-40090.patch \ file://CVE-2023-1916.patch \
From patchwork Tue Oct 31 22:05:19 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 33223
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
Date: Tue, 31 Oct 2023 12:05:19 -1000
Message-Id: <4dcd5e0a0bb43c23850e3a711fc7e2230575d245.1698789786.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189873

From: Soumya Sambu

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu
Signed-off-by: Steve Sakoman
---
 .../webp/files/CVE-2023-4863.patch | 53 +++++++++++++++++++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
index 0000000000..2b1817822c
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,53 @@ +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001 +From: Vincent Rabaud +Date: Mon, 11 Sep 2023 16:06:08 +0200 +Subject: [PATCH] Fix invalid incremental decoding check. + +The first condition is only necessary if we have not read enough +(enough being defined by src_last, not src_end which is the end +of the image). +The second condition now fits the comment below: "if not +incremental, and we are past the end of buffer". + +BUG=oss-fuzz:62136 + +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f + +CVE: CVE-2023-4863 + +Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520] + +Signed-off-by: Soumya Sambu +--- + src/dec/vp8l_dec.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c +index 186b0b2..59a9e64 100644 +--- a/src/dec/vp8l_dec.c ++++ b/src/dec/vp8l_dec.c +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data, + } + + br->eos_ = VP8LIsEndOfStream(br); +- if (dec->incremental_ && br->eos_ && src < src_end) { ++ // In incremental decoding: ++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and ++ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to ++ // be reset until there is more data. ++ // !br->eos_ && src < src_last: this cannot happen as either the buffer is ++ // fully read, either enough has been read to reach 'src_last'. ++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go ++ // beyond 'src_last' in case the image is cropped and an LZ77 goes further. ++ // The buffer might have been enough or there is some left. 'br->eos_' does ++ // not matter. 
++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last); ++ if (dec->incremental_ && br->eos_ && src < src_last) { + RestoreState(dec); +- } else if (!br->eos_) { ++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) { + // Process the remaining rows corresponding to last row-block. + if (process_func != NULL) { + process_func(dec, row > last_row ? last_row : row); +-- +2.40.0 diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb index 4defdd5e42..0728ca60f5 100644 --- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb +++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \ SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \ file://CVE-2023-1999.patch \ file://CVE-2023-5129.patch \ + file://CVE-2023-4863.patch \ " SRC_URI[sha256sum] = "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
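Review bot: the vp8l_dec.c hunk introduces `assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);` but the diff shows no `#include <assert.h>`; if the 1.2.4 copy of vp8l_dec.c does not already include it, the backport will not compile, so this needs a build test rather than trust in the upstream tree it was lifted from. Also note that the assert is compiled out under NDEBUG, so in release builds the behaviour rests entirely on the two `if` conditions (`dec->incremental_ && br->eos_ && src < src_last` and `(dec->incremental_ && src >= src_last) || !br->eos_`); those do cover the three cases the new comment enumerates, so the change is sound with or without the assert, but the commit message should not give the impression that the assert is the guard.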
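Review bot: the commit message describes a heap buffer overflow, but the patch this hunk adds to SRC_URI (commit 95ea5226, "Fix invalid incremental decoding check") only tightens an end-of-stream condition, and the recipe already lists `file://CVE-2023-5129.patch`, which MITRE rejected as a duplicate of CVE-2023-4863. The message should state which of the two patches carries the actual out-of-bounds write fix and that this one is the follow-up, otherwise a reader of the recipe cannot tell whether CVE-2023-4863 is marked patched because of the real fix or because of the `CVE: CVE-2023-4863` tag on a follow-up alone.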
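Two of the three patches above turn on CVE bookkeeping rather than on code: 2/3 exists because a patch file carried the wrong CVE ID in its name and `CVE:` tag, and the `-1.patch` in 1/3 has no `CVE:` tag at all. OE-core's cve-check derives the set of "patched" CVEs from exactly those two places, a `CVE-YYYY-NNNN` pattern in the patch file name and `CVE:` tag lines inside the patch. The script below is an added example, not code from OE-core or from this thread: a stand-alone, simplified model of that mapping plus the sanity rules a reviewer applies by eye (missing tag, tag disagreeing with the file name, `Upstream-Status: Backport` without a commit reference, patch missing from `SRC_URI` or vice versa, one CVE claimed by several patches). The recipe fragment and patch headers it runs on are constructed sample data with made-up IDs.

```python
"""Consistency check for CVE patch bookkeeping in an OE recipe.

Added example, not code from OE-core or the mailing-list thread.  It models
the two sources cve-check uses to decide a CVE is patched (the patch file
name and 'CVE:' tag lines in the patch) and adds review rules on top.  The
SRC_URI fragment and patch texts at the bottom are constructed sample data.
"""
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# A 'CVE:' line naming one or more IDs, the same shape cve-check looks for.
CVE_TAG_RE = re.compile(r"^CVE:((?: CVE-\d{4}-\d{4,})+)\s*$", re.M)
UPSTREAM_RE = re.compile(r"^Upstream-Status:\s*(\w+)(?:\s*\[([^\]]*)\])?", re.M)
FILE_URI_RE = re.compile(r"file://(\S+?\.patch)")


@dataclass
class Finding:
    patch: str
    level: str      # "error" (fix before merge) or "note" (needs a human look)
    message: str


def ids_from_name(filename):
    """CVE IDs claimed by the file name, e.g. CVE-2023-45322-1.patch -> {CVE-2023-45322}."""
    return set(CVE_RE.findall(filename))


def ids_from_tag(text):
    """CVE IDs claimed by 'CVE:' tag lines inside the patch text."""
    ids = set()
    for m in CVE_TAG_RE.finditer(text):
        ids.update(CVE_RE.findall(m.group(1)))
    return ids


def check_patch(filename, text):
    """Return (findings, all CVE IDs claimed, upstream commit reference or None)."""
    findings = []
    name_ids, tag_ids = ids_from_name(filename), ids_from_tag(text)
    if name_ids and not tag_ids:
        findings.append(Finding(filename, "note",
                                f"no 'CVE:' tag; only the file name claims {sorted(name_ids)}"))
    elif name_ids and tag_ids and name_ids != tag_ids:
        findings.append(Finding(filename, "error",
                                f"file name claims {sorted(name_ids)} but 'CVE:' tag says {sorted(tag_ids)}"))
    m = UPSTREAM_RE.search(text)
    if m is None:
        findings.append(Finding(filename, "error", "missing Upstream-Status line"))
    elif m.group(1) == "Backport" and not m.group(2):
        findings.append(Finding(filename, "error", "Upstream-Status: Backport without a commit reference"))
    return findings, name_ids | tag_ids, (m.group(2) if m else None)


def check_recipe(src_uri, patches):
    """patches maps patch file name -> patch text.  Returns a list of Finding."""
    findings = []
    listed = set(FILE_URI_RE.findall(src_uri))
    claims = {}                       # CVE ID -> [(patch name, upstream ref)]
    for name, text in patches.items():
        if name not in listed:
            findings.append(Finding(name, "error", "patch file present but not in SRC_URI"))
        f, ids, ref = check_patch(name, text)
        findings.extend(f)
        for cve in ids:
            claims.setdefault(cve, []).append((name, ref))
    for name in sorted(listed - set(patches)):
        findings.append(Finding(name, "error", "listed in SRC_URI but no such patch file"))
    # Several patches for one CVE is legitimate (multi-commit fixes) but is
    # exactly the situation in which a wrong ID goes unnoticed, so surface it.
    for cve, who in claims.items():
        if len(who) > 1:
            refs = {r for _, r in who}
            findings.append(Finding(", ".join(n for n, _ in who), "note",
                                    f"{cve} claimed by {len(who)} patches citing {len(refs)} upstream commit(s); confirm each maps to that ID"))
    return findings


# Constructed sample recipe fragment and patch headers (made-up CVE IDs, not real files).
SAMPLE_SRC_URI = '''SRC_URI = "http://example.invalid/foo-${PV}.tar.gz \\
           file://CVE-2023-0001-1.patch \\
           file://CVE-2023-0001-2.patch \\
           file://CVE-2023-0002.patch \\
           file://CVE-2023-0003.patch \\
           "
'''
SAMPLE_PATCHES = {
    "CVE-2023-0001-1.patch": "Subject: [PATCH] part 1\n\nCVE: CVE-2023-0001\nUpstream-Status: Backport [https://example.invalid/commit/aaa]\n",
    "CVE-2023-0001-2.patch": "Subject: [PATCH] part 2\n\nCVE: CVE-2023-0001\nUpstream-Status: Backport [https://example.invalid/commit/bbb]\n",
    "CVE-2023-0002.patch":   "Subject: [PATCH] no tag\n\nUpstream-Status: Backport [https://example.invalid/commit/ccc]\n",
    "CVE-2023-0003.patch":   "Subject: [PATCH] mislabelled\n\nCVE: CVE-2023-0004\nUpstream-Status: Backport [https://example.invalid/commit/ddd]\n",
    "CVE-2023-0005.patch":   "Subject: [PATCH] orphan\n\nCVE: CVE-2023-0005\nUpstream-Status: Backport\n",
}

if __name__ == "__main__":
    for f in check_recipe(SAMPLE_SRC_URI, SAMPLE_PATCHES):
        print(f"{f.level:5} {f.patch}: {f.message}")
```

The check deliberately cannot catch the defect 2/3 corrects, a patch whose name and tag agree with each other but name the wrong CVE; that needs the `Upstream-Status` commit reference compared against the CVE record by a person, which is why the script treats a `Backport` without a commit URL as an error rather than a note.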