uclibc: Security fix CVE-2016-2224

author Armin Kuster <akuster@mvista.com>

Wed, 10 Feb 2016 23:42:34 +0000 (15:42 -0800)

committer Richard Purdie <richard.purdie@linuxfoundation.org>

Sun, 21 Feb 2016 09:37:19 +0000 (09:37 +0000)
author Armin Kuster <akuster@mvista.com>
Wed, 10 Feb 2016 23:42:34 +0000 (15:42 -0800)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Sun, 21 Feb 2016 09:37:19 +0000 (09:37 +0000)
diff --git a/meta/recipes-core/uclibc/uclibc-git.inc b/meta/recipes-core/uclibc/uclibc-git.inc

index dcb616d0d2bcfa7a7f79f376742d997019eb998b..d3fb2a8a8ecdfd4ebf6ef51dad2622595f97a10f 100644 (file)
--- a/meta/recipes-core/uclibc/uclibc-git.inc
+++ b/meta/recipes-core/uclibc/uclibc-git.inc
@@ -19,5 +19,6 @@ SRC_URI = "git://uclibc.org/uClibc.git;branch=master \
          file://0001-gcc5-optimizes-away-the-write-only-static-functions-.patch \
          file://0001-fcntl-Add-AT_EMPTY_PATH-for-all-and-O_PATH-for-arm.patch \
          file://0001-wire-in-syncfs.patch \
+        file://CVE-2016-2224.patch \
  "
  S = "${WORKDIR}/git"
diff --git a/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch

new file mode 100644 (file)

index 0000000..218b60a
--- /dev/null
+++ b/meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch
@@ -0,0 +1,49 @@
+From 16719c1a7078421928e6d31dd1dec574825ef515 Mon Sep 17 00:00:00 2001
+From: Waldemar Brodkorb <wbx@openadk.org>
+Date: Sun, 17 Jan 2016 15:47:22 +0100
+Subject: [PATCH] Do not follow compressed items forever.
+
+It is possible to get stuck in an infinite loop when receiving a
+specially crafted DNS reply. Exit the loop after a number of iteration
+and consider the packet invalid.
+
+Signed-off-by: Daniel Fahlgren <daniel@fahlgren.se>
+Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
+
+Upstream-status: Backport
+http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515
+
+CVE: CVE-2016-2224
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libc/inet/resolv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: git/libc/inet/resolv.c
+===================================================================
+--- git.orig/libc/inet/resolv.c
++++ git/libc/inet/resolv.c
+@@ -666,11 +666,12 @@ int __decode_dotted(const unsigned char
+       bool measure = 1;
+       unsigned total = 0;
+       unsigned used = 0;
++      unsigned maxiter = 256;
+ 
+       if (!packet)
+               return -1;
+ 
+-      while (1) {
++      while (--maxiter) {
+               if (offset >= packet_len)
+                       return -1;
+               b = packet[offset++];
+@@ -707,6 +708,8 @@ int __decode_dotted(const unsigned char
+               else
+                       dest[used++] = '\0';
+       }
++      if (!maxiter)
++              return -1;
+ 
+       /* The null byte must be counted too */
+       if (measure)
author	Armin Kuster <akuster@mvista.com>
	Wed, 10 Feb 2016 23:42:34 +0000 (15:42 -0800)
committer	Richard Purdie <richard.purdie@linuxfoundation.org>
	Sun, 21 Feb 2016 09:37:19 +0000 (09:37 +0000)
meta/recipes-core/uclibc/uclibc-git.inc		patch \| blob \| history
meta/recipes-core/uclibc/uclibc-git/CVE-2016-2224.patch	[new file with mode: 0644]	patch \| blob