mirror of
https://github.com/motioneye-project/motioneyeos.git
synced 2025-07-27 21:26:36 +00:00
libyaml: add security patches for CVE-2013-6393
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
parent
26cdb3568c
commit
83209f9f6c
176
package/libyaml/libyaml-0001-indent-column-overflow-v2.patch
Normal file
176
package/libyaml/libyaml-0001-indent-column-overflow-v2.patch
Normal file
@ -0,0 +1,176 @@
|
|||||||
|
Description: CVE-2013-6393: yaml_parser-{un,}roll-indent: fix int overflow in column argument
|
||||||
|
This expands upon the original indent column overflow patch from
|
||||||
|
comment #12.
|
||||||
|
.
|
||||||
|
The default parser indention is represented as an indention of -1.
|
||||||
|
The original patch only modified the type of the column parameter to
|
||||||
|
the roll/unroll functions, changing it from int to size_t to guard
|
||||||
|
against integer overflow. However, there are code paths that call
|
||||||
|
yaml_parser_unroll_indent with a column of -1 in order to reset the
|
||||||
|
parser back to the initial indention. Since the column is now of
|
||||||
|
type size_t and thus unsigned, passing a column value of -1 caused
|
||||||
|
the column to underflow in this case.
|
||||||
|
.
|
||||||
|
This new patch modifies the roll/unroll functions to handle the -1
|
||||||
|
indent as a special case. In addition, it adds a new function,
|
||||||
|
yaml_parser_reset_indent. It is nearly an exact copy of
|
||||||
|
yaml_parser_unroll_indent, except it does not take a column
|
||||||
|
parameter. Instead it unrolls to a literal -1 indention, which does
|
||||||
|
not suffer from the underflow.
|
||||||
|
.
|
||||||
|
Code paths that previously called yaml_parser_unroll_indent with a
|
||||||
|
column of -1 are updated to call the new yaml_parser_reset_indent
|
||||||
|
function instead.
|
||||||
|
.
|
||||||
|
With this patch instead of the original:
|
||||||
|
.
|
||||||
|
- `make check` still passes
|
||||||
|
.
|
||||||
|
- The reproducer script completes successfully with exit code 0
|
||||||
|
.
|
||||||
|
- The issue raised by John Haxby has been corrected and exits with SUCCESS
|
||||||
|
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
||||||
|
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
||||||
|
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
|
||||||
|
Last-Update: 2014-01-29
|
||||||
|
---
|
||||||
|
# HG changeset patch
|
||||||
|
# User John Eckersberg <jeckersb@redhat.com>
|
||||||
|
# Date 1390870108 18000
|
||||||
|
# Mon Jan 27 19:48:28 2014 -0500
|
||||||
|
# Node ID 7179aa474f31e73834adda26b77bfc25bfe5143d
|
||||||
|
# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
|
||||||
|
yaml_parser-{un,}roll-indent: fix int overflow in column argument
|
||||||
|
|
||||||
|
diff -r 3e6507fa0c26 -r 7179aa474f31 src/scanner.c
|
||||||
|
--- a/src/scanner.c Mon Dec 24 03:51:32 2012 +0000
|
||||||
|
+++ b/src/scanner.c Mon Jan 27 19:48:28 2014 -0500
|
||||||
|
@@ -615,11 +615,14 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
static int
|
||||||
|
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
|
||||||
|
+yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
|
||||||
|
int number, yaml_token_type_t type, yaml_mark_t mark);
|
||||||
|
|
||||||
|
static int
|
||||||
|
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
|
||||||
|
+yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column);
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+yaml_parser_reset_indent(yaml_parser_t *parser);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Token fetchers.
|
||||||
|
@@ -1206,7 +1209,7 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
static int
|
||||||
|
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
|
||||||
|
+yaml_parser_roll_indent(yaml_parser_t *parser, size_t column,
|
||||||
|
int number, yaml_token_type_t type, yaml_mark_t mark)
|
||||||
|
{
|
||||||
|
yaml_token_t token;
|
||||||
|
@@ -1216,7 +1219,7 @@
|
||||||
|
if (parser->flow_level)
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
- if (parser->indent < column)
|
||||||
|
+ if (parser->indent == -1 || parser->indent < column)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Push the current indentation level to the stack and set the new
|
||||||
|
@@ -1254,7 +1257,7 @@
|
||||||
|
|
||||||
|
|
||||||
|
static int
|
||||||
|
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
|
||||||
|
+yaml_parser_unroll_indent(yaml_parser_t *parser, size_t column)
|
||||||
|
{
|
||||||
|
yaml_token_t token;
|
||||||
|
|
||||||
|
@@ -1263,6 +1266,15 @@
|
||||||
|
if (parser->flow_level)
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * column is unsigned and parser->indent is signed, so if
|
||||||
|
+ * parser->indent is less than zero the conditional in the while
|
||||||
|
+ * loop below is incorrect. Guard against that.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ if (parser->indent < 0)
|
||||||
|
+ return 1;
|
||||||
|
+
|
||||||
|
/* Loop through the intendation levels in the stack. */
|
||||||
|
|
||||||
|
while (parser->indent > column)
|
||||||
|
@@ -1283,6 +1295,41 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
+ * Pop indentation levels from the indents stack until the current
|
||||||
|
+ * level resets to -1. For each intendation level, append the
|
||||||
|
+ * BLOCK-END token.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+yaml_parser_reset_indent(yaml_parser_t *parser)
|
||||||
|
+{
|
||||||
|
+ yaml_token_t token;
|
||||||
|
+
|
||||||
|
+ /* In the flow context, do nothing. */
|
||||||
|
+
|
||||||
|
+ if (parser->flow_level)
|
||||||
|
+ return 1;
|
||||||
|
+
|
||||||
|
+ /* Loop through the intendation levels in the stack. */
|
||||||
|
+
|
||||||
|
+ while (parser->indent > -1)
|
||||||
|
+ {
|
||||||
|
+ /* Create a token and append it to the queue. */
|
||||||
|
+
|
||||||
|
+ TOKEN_INIT(token, YAML_BLOCK_END_TOKEN, parser->mark, parser->mark);
|
||||||
|
+
|
||||||
|
+ if (!ENQUEUE(parser, parser->tokens, token))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ /* Pop the indentation level. */
|
||||||
|
+
|
||||||
|
+ parser->indent = POP(parser, parser->indents);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
* Initialize the scanner and produce the STREAM-START token.
|
||||||
|
*/
|
||||||
|
|
||||||
|
@@ -1338,7 +1385,7 @@
|
||||||
|
|
||||||
|
/* Reset the indentation level. */
|
||||||
|
|
||||||
|
- if (!yaml_parser_unroll_indent(parser, -1))
|
||||||
|
+ if (!yaml_parser_reset_indent(parser))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
/* Reset simple keys. */
|
||||||
|
@@ -1369,7 +1416,7 @@
|
||||||
|
|
||||||
|
/* Reset the indentation level. */
|
||||||
|
|
||||||
|
- if (!yaml_parser_unroll_indent(parser, -1))
|
||||||
|
+ if (!yaml_parser_reset_indent(parser))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
/* Reset simple keys. */
|
||||||
|
@@ -1407,7 +1454,7 @@
|
||||||
|
|
||||||
|
/* Reset the indentation level. */
|
||||||
|
|
||||||
|
- if (!yaml_parser_unroll_indent(parser, -1))
|
||||||
|
+ if (!yaml_parser_reset_indent(parser))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
/* Reset simple keys. */
|
35
package/libyaml/libyaml-0002-node-id-hardening.patch
Normal file
35
package/libyaml/libyaml-0002-node-id-hardening.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow
|
||||||
|
This is a hardening patch also from Florian Weimer
|
||||||
|
<fweimer@redhat.com>. It is not required to fix this CVE however it
|
||||||
|
improves the robustness of the code against future issues by avoiding
|
||||||
|
large node ID's in a central place.
|
||||||
|
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
||||||
|
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
||||||
|
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
|
||||||
|
Last-Update: 2014-01-29
|
||||||
|
---
|
||||||
|
# HG changeset patch
|
||||||
|
# User Florian Weimer <fweimer@redhat.com>
|
||||||
|
# Date 1389274355 -3600
|
||||||
|
# Thu Jan 09 14:32:35 2014 +0100
|
||||||
|
# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2
|
||||||
|
# Parent a54d7af707f25dc298a7be60fd152001d2b3035b
|
||||||
|
yaml_stack_extend: guard against integer overflow
|
||||||
|
|
||||||
|
diff --git a/src/api.c b/src/api.c
|
||||||
|
--- a/src/api.c
|
||||||
|
+++ b/src/api.c
|
||||||
|
@@ -117,7 +117,12 @@
|
||||||
|
YAML_DECLARE(int)
|
||||||
|
yaml_stack_extend(void **start, void **top, void **end)
|
||||||
|
{
|
||||||
|
- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
|
||||||
|
+ void *new_start;
|
||||||
|
+
|
||||||
|
+ if ((char *)*end - (char *)*start >= INT_MAX / 2)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
|
||||||
|
|
||||||
|
if (!new_start) return 0;
|
||||||
|
|
28
package/libyaml/libyaml-0003-string-overflow.patch
Normal file
28
package/libyaml/libyaml-0003-string-overflow.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
|
||||||
|
This is a proposed patch from Florian Weimer <fweimer@redhat.com> for
|
||||||
|
the string overflow issue. It has been ack'd by upstream.
|
||||||
|
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
||||||
|
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
|
||||||
|
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
|
||||||
|
Last-Update: 2014-01-29
|
||||||
|
---
|
||||||
|
# HG changeset patch
|
||||||
|
# User Florian Weimer <fweimer@redhat.com>
|
||||||
|
# Date 1389273500 -3600
|
||||||
|
# Thu Jan 09 14:18:20 2014 +0100
|
||||||
|
# Node ID a54d7af707f25dc298a7be60fd152001d2b3035b
|
||||||
|
# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
|
||||||
|
yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
|
||||||
|
|
||||||
|
diff --git a/src/scanner.c b/src/scanner.c
|
||||||
|
--- a/src/scanner.c
|
||||||
|
+++ b/src/scanner.c
|
||||||
|
@@ -2574,7 +2574,7 @@
|
||||||
|
|
||||||
|
/* Resize the string to include the head. */
|
||||||
|
|
||||||
|
- while (string.end - string.start <= (int)length) {
|
||||||
|
+ while ((size_t)(string.end - string.start) <= length) {
|
||||||
|
if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
|
||||||
|
parser->error = YAML_MEMORY_ERROR;
|
||||||
|
goto error;
|
Loading…
x
Reference in New Issue
Block a user