author: Hauke Mehrtens <hauke@hauke-m.de> 2023-10-07 21:07:20 +0200
committer: Hauke Mehrtens <hauke@hauke-m.de> 2023-10-09 23:45:35 +0200
commit: 6637af95aa9085c8367ce8184b0fe6917365c3d3 (patch)
tree: 047e2fcf549f70e2cdd777e540d2308a8bfa3e8c /package/utils/bsdiff/patches/020-CVE-2014-9862.patch
parent: fadbec8857efddf5d1b55b77af56afac8428a943 (diff)
bsdiff: Add patches for CVEs
Add two patches from Debian fixing CVEs in the bsdiff application.

CVE-2014-9862: Heap vulnerability in bspatch
CVE-2020-14315: Memory Corruption Vulnerability in bspatch

Copied the patches from this location:
https://salsa.debian.org/debian/bsdiff/-/blob/debian/latest/debian/patches/20-CVE-2014-9862.patch
https://salsa.debian.org/debian/bsdiff/-/blob/debian/latest/debian/patches/33-CVE-2020-14315.patch

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit cac723e8b8748938b8d80603578c60189fc32b24)
Diffstat (limited to 'package/utils/bsdiff/patches/020-CVE-2014-9862.patch')
-rw-r--r-- package/utils/bsdiff/patches/020-CVE-2014-9862.patch | 37
1 files changed, 37 insertions, 0 deletions
diff --git a/package/utils/bsdiff/patches/020-CVE-2014-9862.patch b/package/utils/bsdiff/patches/020-CVE-2014-9862.patch
new file mode 100644
index 0000000000..98a49312f3
--- /dev/null
+++ b/package/utils/bsdiff/patches/020-CVE-2014-9862.patch
@@ -0,0 +1,37 @@
+From: The FreeBSD Project
+Bug: https://security-tracker.debian.org/tracker/CVE-2014-9862
+Subject: CVE-2014-9862 - check for a negative value on numbers of bytes
+ The implementation of bspatch does not check for a negative value on numbers
+ of bytes read from the diff and extra streams, allowing an attacker who
+ can control the patch file to write at arbitrary locations in the heap.
+ .
+ bspatch's main loop reads three numbers from the "control" stream in
+ the patch: X, Y and Z. The first two are the number of bytes to read
+ from "diff" and "extra" (and thus only non-negative), while the
+ third one could be positive or negative and moves the oldpos pointer
+ on the source image. These 3 values are 64bits signed ints (encoded
+ somehow on the file) that are later passed the function that reads
+ from the streams, but those values are not verified to be
+ non-negative.
+ .
+ Official report https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
+ The patch was downloaded from a link pointed by
+ https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp
+
+---
+ bspatch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/bspatch.c
++++ b/bspatch.c
+@@ -152,6 +152,10 @@ int main(int argc,char * argv[])
+ };
+
+ /* Sanity-check */
++ if ((ctrl[0] < 0) || (ctrl[1] < 0))
++ errx(1,"Corrupt patch\n");
++
++ /* Sanity-check */
+ if(newpos+ctrl[0]>newsize)
+ errx(1,"Corrupt patch\n");
+
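Review bot: the added check rejects negative ctrl[0] and ctrl[1] but leaves the existing `if(newpos+ctrl[0]>newsize)` test as the only upper bound, and that comparison is made after a signed 64-bit addition; a very large positive ctrl[0] that passes the new sign check can still wrap newpos+ctrl[0] below newsize. The commit message says the separate CVE-2020-14315 patch addresses that, so a one-line pointer in this patch's description would save the next reader from re-deriving it. The third control value (ctrl[2], which the header says adjusts oldpos and may legitimately be negative) gets no range check in this hunk, so the safety of the oldpos arithmetic rests entirely on code outside the visible context; worth confirming that the diff-apply loop bounds oldpos against oldsize before relying on this patch alone. Minor: the hunk now leaves two consecutive `/* Sanity-check */` comments; fold the new test under the existing comment instead of duplicating it.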