mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-22 15:02:32 +00:00
cac723e8b8
Add two patches from Debian fixing CVEs in the bsdiff application. CVE-2014-9862: Heap vulnerability in bspatch CVE-2020-14315: Memory Corruption Vulnerability in bspatch Copied the patches from this location: https://salsa.debian.org/debian/bsdiff/-/blob/debian/latest/debian/patches/20-CVE-2014-9862.patch https://salsa.debian.org/debian/bsdiff/-/blob/debian/latest/debian/patches/33-CVE-2020-14315.patch Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
38 lines
1.4 KiB
Diff
38 lines
1.4 KiB
Diff
From: The FreeBSD Project
|
|
Bug: https://security-tracker.debian.org/tracker/CVE-2014-9862
|
|
Subject: CVE-2014-9862 - check for a negative value on numbers of bytes
|
|
The implementation of bspatch does not check for a negative value on numbers
|
|
of bytes read from the diff and extra streams, allowing an attacker who
|
|
can control the patch file to write at arbitrary locations in the heap.
|
|
.
|
|
bspatch's main loop reads three numbers from the "control" stream in
|
|
the patch: X, Y and Z. The first two are the number of bytes to read
|
|
from "diff" and "extra" (and thus only non-negative), while the
|
|
third one could be positive or negative and moves the oldpos pointer
|
|
on the source image. These 3 values are 64bits signed ints (encoded
|
|
somehow on the file) that are later passed the function that reads
|
|
from the streams, but those values are not verified to be
|
|
non-negative.
|
|
.
|
|
Official report https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
|
|
The patch was downloaded from a link pointed by
|
|
https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp
|
|
|
|
---
|
|
bspatch.c | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
--- a/bspatch.c
|
|
+++ b/bspatch.c
|
|
@@ -152,6 +152,10 @@ int main(int argc,char * argv[])
|
|
};
|
|
|
|
/* Sanity-check */
|
|
+ if ((ctrl[0] < 0) || (ctrl[1] < 0))
|
|
+ errx(1,"Corrupt patch\n");
|
|
+
|
|
+ /* Sanity-check */
|
|
if(newpos+ctrl[0]>newsize)
|
|
errx(1,"Corrupt patch\n");
|
|
|