
Accepting request 505726 from home:mgorse:branches:devel:libraries:c_c++

- Add fixes for various crashes:
  libical-boo986631-read-past-end.patch
  libical-boo986631-check-prev-char.patch
  libical-parser-sanity-check.patch
  libical-timezone-use-after-free.patch
  libical-boo1015964-use-after-free.patch
  Fixes boo#986631 (CVE-2016-5827), boo#986639 (CVE-2016-5824),
  boo#1015964 (CVE-2016-9584), and boo#1044995.

OBS-URL: https://build.opensuse.org/request/show/505726
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libical?expand=0&rev=43
Michal Vyskocil 2017-06-26 06:09:35 +00:00 committed by Git OBS Bridge
parent 1688dfea79
commit d2fbb3222f
7 changed files with 267 additions and 1 deletions


@ -0,0 +1,27 @@
From 6b9438d746cec6e4e632d78c5244f4be6314d1c9 Mon Sep 17 00:00:00 2001
From: Allen Winter <allen.winter@kdab.com>
Date: Sun, 28 May 2017 12:51:10 -0400
Subject: [PATCH] icaltypes.c - icalreqstattype_from_string(), copy the
reqstattype's debug string into its own memory in the ring buffer.
Issue#253
---
src/libical/icaltypes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libical/icaltypes.c b/src/libical/icaltypes.c
index 70c50d29..85c33545 100644
--- a/src/libical/icaltypes.c
+++ b/src/libical/icaltypes.c
@@ -140,7 +140,7 @@ struct icalreqstattype icalreqstattype_from_string(const char *str)
p2 = strchr(p1 + 1, ';');
if (p2 != 0 && *p2 != 0) {
- stat.debug = p2 + 1;
+ stat.debug = icalmemory_tmp_copy(p2 + 1);
}
return stat;
--
2.12.3
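Review bot: `stat.debug` now points into libical's temporary ring buffer, and nothing at the assignment tells callers that the pointer is only valid until that ring slot is recycled. A caller that keeps the returned `struct icalreqstattype` across further temporary allocations would hold a stale pointer again, so I would add a comment on the line such as `/* debug lives in the tmp ring buffer; copy it if it must outlive later icalmemory_tmp_* calls */`. The result of `icalmemory_tmp_copy()` is stored unchecked; whether it can be NULL on allocation failure is not visible here and should be confirmed. The body of icalreqstattype_from_string() starts above this hunk.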


@ -0,0 +1,26 @@
From 04d84749e53db08c71ed0ce8b6ba5c11082743cd Mon Sep 17 00:00:00 2001
From: Ken Murchison <murch@andrew.cmu.edu>
Date: Fri, 2 Dec 2016 14:14:03 -0500
Subject: [PATCH] icalparser.c: make sure we have a prev_char before checking
it
---
src/libical/icalparser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 9d332375..2735c9ac 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -148,7 +148,7 @@ static char *parser_get_next_char(char c, char *str, int qm)
char prev_char = 0;
while (next_char != 0) {
- if (prev_char != '\\') {
+ if (prev_char && prev_char != '\\') {
if (qm == 1 && next_char == '"') {
/* Encountered a quote, toggle quote mode */
quote_mode = !quote_mode;
--
2.12.3
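Review bot: With `prev_char` initialised to 0 two lines above, the added `prev_char &&` test is false on the first iteration, so the first character of `str` is never examined: a `"` at index 0 no longer toggles quote mode and a match for `c` at index 0 is no longer returned. As far as the hunk shows, the old condition was already safe on that first pass because 0 is not a backslash, so this looks like a behaviour change rather than a bounds fix. If skipping index 0 is intended, record it with a comment such as `/* the first character is never treated as a delimiter or opening quote */`; otherwise the original condition should stay. The function continues past the end of the hunk.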


@ -0,0 +1,26 @@
From 38757abb495ea6cb40faa5418052278bf75040f7 Mon Sep 17 00:00:00 2001
From: Ken Murchison <murch@andrew.cmu.edu>
Date: Fri, 2 Dec 2016 14:13:22 -0500
Subject: [PATCH] icaltime.c: don't read past end of string (can't check
str[19] if length is 16)
---
src/libical/icaltime.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libical/icaltime.c b/src/libical/icaltime.c
index ca647633..4077ce75 100644
--- a/src/libical/icaltime.c
+++ b/src/libical/icaltime.c
@@ -445,7 +445,7 @@ struct icaltimetype icaltime_from_string(const char *str)
tt.is_utc = 0;
tt.is_date = 0;
} else if ((size == 16) || (size == 20)) { /* UTC time, ends in 'Z' */
- if ((str[15] != 'Z') && (str[19] != 'Z'))
+ if ((str[size-1] != 'Z'))
goto FAIL;
tt.is_utc = 1;
--
2.12.3
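Review bot: The replacement condition keeps a leftover outer pair of parentheses and drops the spacing around the subtraction; `if (str[size - 1] != 'Z')` reads more cleanly. The index is safe only because the enclosing branch has already restricted `size` to 16 or 20, so a short comment such as `/* size is 16 or 20 here, so size - 1 is in bounds */` would keep a later edit of the length test from reintroducing the over-read. The rest of icaltime_from_string() is outside the hunk.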


@ -0,0 +1,100 @@
From 53e68ff6e2133c54ff44df53e8b75ef21125fb3d Mon Sep 17 00:00:00 2001
From: Ken Murchison <murch@andrew.cmu.edu>
Date: Tue, 13 Dec 2016 16:22:42 -0500
Subject: [PATCH] icalparser.c: sanity check VALUE parameter against what is
allowed
Backported by Mike Gorse <mgorse@suse.com>
---
src/libical/icalparser.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 67 insertions(+), 2 deletions(-)
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 998bc96d..62e3a401 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -1023,6 +1023,12 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
/* If it is a VALUE parameter, set the kind of value */
if (icalparameter_isa(param) == ICAL_VALUE_PARAMETER) {
+ const char unknown_type[] =
+ "Got a VALUE parameter with an unknown type";
+ const char illegal_type[] =
+ "Got a VALUE parameter with an illegal type for property";
+ const char *value_err = NULL;
+
value_kind =
(icalvalue_kind)icalparameter_value_to_value_kind(
icalparameter_get_value(param));
@@ -1033,8 +1039,66 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
parameter ( it was not one of the defined
values ), so reset the value_kind */
- insert_error(tail, str,
- "Got a VALUE parameter with an unknown type",
+ value_err = unknown_type;
+ }
+ else if (value_kind !=
+ icalproperty_kind_to_value_kind(icalproperty_isa(prop))) {
+ /* VALUE parameter type does not match default type
+ for this property (check for allowed alternate types) */
+
+ switch (prop_kind) {
+ case ICAL_ATTACH_PROPERTY:
+ /* Accept BINARY */
+ if (value_kind != ICAL_BINARY_VALUE)
+ value_err = illegal_type;
+ break;
+
+ case ICAL_DTEND_PROPERTY:
+ case ICAL_DUE_PROPERTY:
+ case ICAL_DTSTART_PROPERTY:
+ case ICAL_EXDATE_PROPERTY:
+ case ICAL_RECURRENCEID_PROPERTY:
+ /* Accept DATE */
+ if (value_kind != ICAL_DATE_VALUE)
+ value_err = illegal_type;
+ break;
+
+ case ICAL_GEO_PROPERTY:
+ /* Accept FLOAT (but change to GEO) */
+ if (value_kind != ICAL_FLOAT_VALUE)
+ value_err = illegal_type;
+ else value_kind = ICAL_GEO_VALUE;
+ break;
+
+ case ICAL_RDATE_PROPERTY:
+ /* Accept DATE or PERIOD */
+ if (value_kind != ICAL_DATE_VALUE &&
+ value_kind != ICAL_PERIOD_VALUE)
+ value_err = illegal_type;
+ break;
+
+ case ICAL_TRIGGER_PROPERTY:
+ /* Accept DATE-TIME */
+ if (value_kind != ICAL_DATETIME_VALUE)
+ value_err = illegal_type;
+ break;
+
+ case ICAL_X_PROPERTY:
+ /* Accept ANY value type */
+ break;
+
+ default:
+ /* ONLY default type is allowed */
+ value_err = illegal_type;
+ break;
+ }
+ }
+
+ if (value_err != NULL) {
+ /* Ooops, unknown/illegal VALUE parameter,
+ so reset the value_kind */
+
+ insert_error(tail, str, value_err,
ICAL_XLICERRORTYPE_PARAMETERVALUEPARSEERROR);
value_kind = icalproperty_kind_to_value_kind(icalproperty_isa(prop));
--
2.12.3
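Review bot: The added check names the property's kind in two different ways: the `else if` compares against `icalproperty_kind_to_value_kind(icalproperty_isa(prop))`, while the `switch` dispatches on `prop_kind`, which is assigned outside the hunk. If those two can ever disagree, the allow-list is applied to a different property than the one whose default type was compared. Using one expression throughout would remove the doubt, for example a local `default_kind = icalproperty_kind_to_value_kind(icalproperty_isa(prop));` reused in the comparison and in the reset after `insert_error`, which also avoids the repeated call. In the GEO case, `else value_kind = ICAL_GEO_VALUE;` should sit on its own line like the other branches. icalparser_add_line() starts and ends outside these hunks.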


@ -0,0 +1,60 @@
From 6bcc779a17a2d286e4c3cb958ddf369cc01cb42c Mon Sep 17 00:00:00 2001
From: Allen Winter <allen.winter@kdab.com>
Date: Thu, 15 Dec 2016 18:17:10 -0500
Subject: [PATCH] icaltimezone.c - fix heap-use-after-free caused by
fetch_lat_long_from_string() issue#262
Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libical-2.0.0.orig/src/libical/icaltimezone.c libical-2.0.0/src/libical/icaltimezone.c
--- libical-2.0.0.orig/src/libical/icaltimezone.c 2015-12-28 15:44:53.000000000 -0600
+++ libical-2.0.0/src/libical/icaltimezone.c 2017-06-19 15:48:27.789017341 -0500
@@ -1520,39 +1520,39 @@ static int fetch_lat_long_from_string(co
/* We need to parse the latitude/longitude co-ordinates and location fields */
sptr = (char *)str;
- while (*sptr != '\t') {
+ while ((*sptr != '\t') && (*sptr != '\0')) {
sptr++;
}
temp = ++sptr;
- while (*sptr != '\t') {
+ while (*sptr != '\t' && *sptr != '\0') {
sptr++;
}
len = (ptrdiff_t) (sptr - temp);
lat = (char *)malloc(len + 1);
lat = strncpy(lat, temp, len);
lat[len] = '\0';
- while (*sptr != '\t') {
+ while ((*sptr != '\t') && (*sptr != '\0')) {
sptr++;
}
loc = ++sptr;
- while (!isspace((int)(*sptr))) {
+ while (!isspace((int)(*sptr)) && (*sptr != '\0')) {
sptr++;
}
- len = (ptrdiff_t) (sptr - loc);
+ len = (ptrdiff_t)(sptr - loc);
location = strncpy(location, loc, len);
location[len] = '\0';
#if defined(sun) && defined(__SVR4)
/* Handle EET, MET and WET in zone_sun.tab. */
if (!strcmp(location, "Europe/")) {
- while (*sptr != '\t') {
+ while ((*sptr != '\t') && (*sptr != '\0')) {
sptr++;
}
loc = ++sptr;
- while (!isspace(*sptr)) {
+ while (!isspace(*sptr) && (*sptr != '\0')) {
sptr++;
}
- len = sptr - loc;
+ len = (ptrdiff_t)(sptr - loc);
location = strncpy(location, loc, len);
location[len] = '\0';
}
Only in libical-2.0.0/src/libical: icaltimezone.c.orig
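Review bot: Each scan loop now stops at the terminator, but the following `temp = ++sptr;` and `loc = ++sptr;` still step one past it, so on a line with fewer tab-separated fields than expected the next loop starts reading beyond the end of `str`. After each scan, test `*sptr == '\0'` before incrementing and take the function's failure path, freeing `lat` once it has been allocated. Two context lines also deserve attention while this code is open: the `malloc` result is passed to `strncpy` unchecked, and `len` comes from the input while nothing visible bounds it against the size of `location`. The `isspace(*sptr)` call under the Solaris `#if` should cast through `unsigned char`, since passing a negative `char` is undefined behaviour. The function begins and ends outside the hunk.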


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Mon Jun 19 19:54:50 UTC 2017 - mgorse@suse.com
- Add fixes for various crashes:
libical-boo986631-read-past-end.patch
libical-boo986631-check-prev-char.patch
libical-parser-sanity-check.patch
libical-timezone-use-after-free.patch
libical-boo1015964-use-after-free.patch
Fixes boo#986631 (CVE-2016-5827), boo#986639 (CVE-2016-5824),
boo#1015964 (CVE-2016-9584), and boo#1044995.
-------------------------------------------------------------------
Mon Oct 3 08:38:07 UTC 2016 - jengelh@inai.de


@ -1,7 +1,7 @@
#
# spec file for package libical
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -29,6 +29,16 @@ Url: http://sourceforge.net/projects/freeassociation/
Source: https://github.com/libical/libical/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source2: baselibs.conf
Patch1: 0001-build-ICU-must-appear-as-Requires-in-pkgconfig.patch
# PATCH-FIX-UPSTREAM libical-boo986631-read-past-end.patch boo#986631 mgorse@suse.com -- fix for reading passed end of string (CVE-2016-5827)
Patch2: libical-boo986631-read-past-end.patch
# PATCH-FIX-UPSTREAM libical-boo986631-check-prev-char.patch boo#986631 mgorse@suse.com -- make sure we have a prev_char before checking it
Patch3: libical-boo986631-check-prev-char.patch
# PATCH-FIX-UPSTREAM libical-parser-sanity-check.patch mgorse@suse.com -- sanity check value parameter against what is allowed.
Patch4: libical-parser-sanity-check.patch
# PATCH-FIX-UPSTREAM libical-timezone-use-after-free.patch mgorse@suse.com -- fix use after free in fetch_lat_long_from_string
Patch5: libical-timezone-use-after-free.patch
# PATCH-FIX-UPSTREAM libical-boo1015964-use-after-free.patch boo#986639 boo#1015984 mgorse@suse.com -- copy reqstattype's debug string into its own memory (CVE-2016-5824 CVE-2016-9584).
Patch6: libical-boo1015964-use-after-free.patch
BuildRequires: cmake >= 2.4
BuildRequires: gcc-c++
BuildRequires: pkg-config
@ -91,6 +101,11 @@ component properties, parameters, and subcomponents.
%prep
%setup -q
%patch -P 1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%build
%cmake
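Review bot: The comment above `Patch6` cites `boo#1015984`, while the patch file name and the changelog entry both use `boo#1015964`; if the file name is right, the comment should read `boo#986639 boo#1015964` so the CVE-2016-9584 fix can be traced to the correct bug. The `Patch2` comment says "reading passed end" where "past end" is meant. In `%prep`, the new lines use `%patchN -p1` next to the existing `%patch -P 1 -p1`; using one form throughout keeps the section consistent.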