gpgme: fix CVE-2014-3564
Backport patch to fix CVE-2014-3564. http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f (From OE-Core rev: 421e21b08a6a32db88aaf46033ca503a99e49b74) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
1c5e37acb9
commit
fb0da9e6f3
|
@ -0,0 +1,56 @@
|
|||
Upstream-Status: Backport
|
||||
|
||||
Backport patch to fix CVE-2014-3564.
|
||||
|
||||
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
|
||||
|
||||
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
||||
---
|
||||
From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
|
||||
From: Werner Koch <wk@gnupg.org>
|
||||
Date: Wed, 30 Jul 2014 11:04:55 +0200
|
||||
Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
|
||||
engines.
|
||||
|
||||
After a realloc (realloc is also used for initial alloc) the allocated
|
||||
size if the buffer is not correctly recorded. Thus an overflow can be
|
||||
introduced by receiving data with different line lengths in a specific
|
||||
order. This is not easy exploitable because libassuan constructs the
|
||||
line. However a crash has been reported and thus it might be possible
|
||||
to constructs an exploit.
|
||||
|
||||
CVE-id: CVE-2014-3564
|
||||
Reported-by: Tomáš Trnka
|
||||
---
|
||||
src/engine-gpgsm.c | 2 +-
|
||||
src/engine-uiserver.c | 2 +-
|
||||
3 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
|
||||
index 8ec1598..3a83757 100644
|
||||
--- a/src/engine-gpgsm.c
|
||||
+++ b/src/engine-gpgsm.c
|
||||
@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
|
||||
else
|
||||
{
|
||||
*aline = newline;
|
||||
- gpgsm->colon.attic.linesize += linelen + 1;
|
||||
+ gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
|
||||
}
|
||||
}
|
||||
if (!err)
|
||||
diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
|
||||
index 2738c36..a7184b7 100644
|
||||
--- a/src/engine-uiserver.c
|
||||
+++ b/src/engine-uiserver.c
|
||||
@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
|
||||
else
|
||||
{
|
||||
*aline = newline;
|
||||
- uiserver->colon.attic.linesize += linelen + 1;
|
||||
+ uiserver->colon.attic.linesize = *alinelen + linelen + 1;
|
||||
}
|
||||
}
|
||||
if (!err)
|
||||
--
|
||||
2.1.4
|
|
@ -11,7 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
|
|||
|
||||
SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
|
||||
file://gpgme.pc \
|
||||
file://pkgconfig.patch"
|
||||
file://pkgconfig.patch \
|
||||
file://gpgme-fix-CVE-2014-3564.patch \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
|
||||
SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"
|
||||
|
|
Loading…
Reference in New Issue