SHA256
1
0
forked from pool/pkgconf

Accepting request 1062028 from home:qzhao:branches:devel:tools

Add pkgconf-CVE-2023-24056.patch: Backport commit 628b2b2baf from upstream, test for, and stop string processing, on truncation (bsc#1207394 CVE-2023-24056).

OBS-URL: https://build.opensuse.org/request/show/1062028
OBS-URL: https://build.opensuse.org/package/show/devel:tools/pkgconf?expand=0&rev=26
This commit is contained in:
Neal Gompa 2023-01-30 12:44:21 +00:00 committed by Git OBS Bridge
parent 517f858857
commit 10f0d517c1
3 changed files with 63 additions and 1 deletions

View File

@ -0,0 +1,53 @@
diff -Nura pkgconf-1.8.0/libpkgconf/tuple.c pkgconf-1.8.0_new/libpkgconf/tuple.c
--- pkgconf-1.8.0/libpkgconf/tuple.c 2021-03-18 20:15:16.000000000 +0800
+++ pkgconf-1.8.0_new/libpkgconf/tuple.c 2023-01-30 16:07:40.750297141 +0800
@@ -293,12 +293,23 @@
}
}
+ PKGCONF_TRACE(client, "lookup tuple %s", varname);
+
+ size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
ptr += (pptr - ptr);
kv = pkgconf_tuple_find_global(client, varname);
if (kv != NULL)
{
- strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
- bptr += strlen(kv);
+ size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
+ if (nlen > remain)
+ {
+ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+
+ bptr = buf + (PKGCONF_BUFSIZE - 1);
+ break;
+ }
+
+ bptr += nlen;
}
else
{
@@ -306,12 +317,20 @@
if (kv != NULL)
{
+ size_t nlen;
+
parsekv = pkgconf_tuple_parse(client, vars, kv);
+ nlen = pkgconf_strlcpy(bptr, parsekv, remain);
+ free(parsekv);
- strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
- bptr += strlen(parsekv);
+ if (nlen > remain)
+ {
+ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+ bptr = buf + (PKGCONF_BUFSIZE - 1);
+ break;
+ }
- free(parsekv);
+ bptr += nlen;
}
}
}

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Sun Jan 29 09:26:47 UTC 2023 - Cliff Zhao <qzhao@suse.com>
- Add pkgconf-CVE-2023-24056.patch: Backport commit 628b2b2baf from
upstream, test for, and stop string processing, on truncation
(bsc#1207394 CVE-2023-24056).
-------------------------------------------------------------------
Mon Aug 23 09:18:29 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

View File

@ -1,7 +1,7 @@
#
# spec file for package pkgconf
#
# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2020 Neal Gompa <ngompa13@gmail.com>.
#
# All modifications and additions to the file contributed by third parties
@ -54,6 +54,8 @@ URL: http://pkgconf.org/
Source0: https://distfiles.dereferenced.org/%{name}/%{name}-%{version}.tar.xz
# Simple wrapper script to offer platform versions of pkgconfig from Fedora
Source1: platform-pkg-config.in
# PATCH-FIX-UPSTREAM pkgconf-CVE-2023-24056.patch bsc#1207394 CVE-2023-24056 qzhao@suse.com -- Backport commit 628b2b2baf from upstream, test for, and stop string processing, on truncation.
Patch0: pkgconf-CVE-2023-24056.patch
# For regenerating autotools scripts
BuildRequires: autoconf
BuildRequires: automake