From abb96a79c37818ea55dafcc5ad3065f34a0cf3dd Mon Sep 17 00:00:00 2001
From: DongHun Kwak
Date: Tue, 6 Sep 2022 09:47:52 +0900
Subject: [PATCH] fix: Security patch 0001-CVE-2018-17942 0002-CVE-2009-5155
Change-Id: I0e6a8680b66c0d0b9e592e5037d49d3b7ad141eb
---
 ...942-vasnprintf-Fix-heap-memory-overrun-bu.patch | 35 ++++++++++++++
 packaging/0002-CVE-2009-5155-Diagnose-ERE-1.patch | 54 ++++++++++++++++++++++
 packaging/wdiff.spec | 4 ++
 3 files changed, 93 insertions(+)
 create mode 100644 packaging/0001-CVE-2018-17942-vasnprintf-Fix-heap-memory-overrun-bu.patch
 create mode 100644 packaging/0002-CVE-2009-5155-Diagnose-ERE-1.patch
diff --git a/packaging/0001-CVE-2018-17942-vasnprintf-Fix-heap-memory-overrun-bu.patch b/packaging/0001-CVE-2018-17942-vasnprintf-Fix-heap-memory-overrun-bu.patch
new file mode 100644
index 0000000..191bac9
--- /dev/null
+++ b/packaging/0001-CVE-2018-17942-vasnprintf-Fix-heap-memory-overrun-bu.patch
@@ -0,0 +1,35 @@
+From 09eae9d970b7d200afa9b50d428f039dbd8dc07c Mon Sep 17 00:00:00 2001
+From: Bruno Haible
+Date: Sun, 23 Sep 2018 14:13:52 +0200
+Subject: [PATCH 1/2] [CVE-2018-17942] vasnprintf: Fix heap memory overrun bug.
+
+Reported by Ben Pfaff in
+.
+
+* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
+memory.
+
+Change-Id: Id0c55f547fef88da6848754e84568c09e800203f
+Signed-off-by: DongHun Kwak
+---
+ lib/vasnprintf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
+index 71f8d80..dfe7bdc 100644
+--- a/lib/vasnprintf.c
++++ b/lib/vasnprintf.c
+@@ -850,7 +850,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
+ size_t a_len = a.nlimbs;
+ /* 0.03345 is slightly larger than log(2)/(9*log(10)). */
+ size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
+- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
++ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
++ digits of a, followed by 1 byte for the terminating NUL. */
++ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
+ if (c_ptr != NULL)
+ {
+ char *d_ptr = c_ptr;
+--
+2.25.1
+
diff --git a/packaging/0002-CVE-2009-5155-Diagnose-ERE-1.patch b/packaging/0002-CVE-2009-5155-Diagnose-ERE-1.patch
new file mode 100644
index 0000000..f7ec923
--- /dev/null
+++ b/packaging/0002-CVE-2009-5155-Diagnose-ERE-1.patch
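Review bot: The new allocation in convert_to_decimal matches the shape of the upstream gnulib fix (one extra byte for the NUL terminator, both additions routed through xsum so that, assuming gnulib's usual saturating xsum, an overflow turns into a failed malloc rather than a short buffer), but the patch header only carries a local commit id and the "Reported by Ben Pfaff in" line has lost its reference, so a reviewer cannot tell which gnulib revision this backport was taken from. Add a provenance line to the patch description, e.g. `Backport of the upstream gnulib commit "vasnprintf: Fix heap memory overrun bug." (Bruno Haible, 2018-09-23) applied to the lib/vasnprintf.c bundled in this wdiff tarball.` The context lines (`xsum (c_len, extra_zeroes)`, the `0.03345f` estimate) must match the copy of lib/vasnprintf.c actually shipped in the tarball for the hunk to land where intended, which this diff does not let me verify. convert_to_decimal's body continues outside the hunk.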
@@ -0,0 +1,54 @@
+From fad4795ead98f151bcf3134305ea7d1ede1bba1f Mon Sep 17 00:00:00 2001
+From: Paul Eggert
+Date: Sat, 19 Sep 2015 13:53:34 -0700
+Subject: [PATCH 2/2] [CVE-2009-5155] Diagnose ERE '()|\1'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem reported by Hanno Böck in: http://bugs.gnu.org/21513
+* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep
+track of the set of previously-completed subexpressions available
+before the first alternative, and restore this set just before
+parsing each subsequent alternative. This lets us diagnose the
+invalid back-reference in the ERE '()|\1'.
+
+Change-Id: I33d1ba3c5c4e3460b81cda46eac2a4eac625b8c3
+Signed-off-by: DongHun Kwak
+---
+ lib/regcomp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/regcomp.c b/lib/regcomp.c
+index 747fa40..10770d3 100644
+--- a/lib/regcomp.c
++++ b/lib/regcomp.c
+@@ -2142,6 +2142,7 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
+ {
+ re_dfa_t *dfa = (re_dfa_t *) preg->buffer;
+ bin_tree_t *tree, *branch = NULL;
++ bitset_word_t initial_bkref_map = dfa->completed_bkref_map;
+ tree = parse_branch (regexp, preg, token, syntax, nest, err);
+ if (BE (*err != REG_NOERROR && tree == NULL, 0))
+ return NULL;
+@@ -2152,9 +2153,16 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
+ if (token->type != OP_ALT && token->type != END_OF_RE
+ && (nest == 0 || token->type != OP_CLOSE_SUBEXP))
+ {
++ bitset_word_t accumulated_bkref_map = dfa->completed_bkref_map;
++ dfa->completed_bkref_map = initial_bkref_map;
+ branch = parse_branch (regexp, preg, token, syntax, nest, err);
+ if (BE (*err != REG_NOERROR && branch == NULL, 0))
+- return NULL;
++ {
++ if (tree != NULL)
++ postorder (tree, free_tree, NULL);
++ return NULL;
++ }
++ dfa->completed_bkref_map |= accumulated_bkref_map;
+ }
+ else
+ branch = NULL;
+--
+2.25.1
+
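Review bot: Whether this patch changes the shipped binary at all depends on something this diff does not show: gnulib's regex module only compiles lib/regcomp.c when configure judges the system regex unusable, and on a glibc-based target it normally selects the libc implementation, in which case CVE-2009-5155 has to be fixed in the glibc package and this file is dead code in the build. Before counting the CVE as mitigated here, confirm after %build that a regcomp.o is produced (or that config.log records the included regex being chosen) rather than relying on the patch having applied. The restore of `dfa->completed_bkref_map` before each further parse_branch call and the added `postorder (tree, free_tree, NULL)` on the error path look consistent with the upstream change; a cheap regression check is compiling the ERE `()|\1` with REG_EXTENDED and asserting regcomp returns an error (REG_ESUBREG is what the back-reference check in parse_expression should yield) instead of succeeding or crashing. parse_reg_exp's body continues outside the hunk.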
diff --git a/packaging/wdiff.spec b/packaging/wdiff.spec
index 1dc9cb9..9f6dcc4 100644
--- a/packaging/wdiff.spec
+++ b/packaging/wdiff.spec
@@ -6,6 +6,8 @@ Summary: Display Word Differences Between Text Files
 Url: https://ftp.gnu.org/gnu/wdiff/
 Group: Productivity/Text/Utilities
 Source: %{name}-%{version}.tar.bz2
+Source2: 0001-CVE-2018-17942-vasnprintf-Fix-heap-memory-overrun-bu.patch
+Source3: 0002-CVE-2009-5155-Diagnose-ERE-1.patch
 Source1001: wdiff.manifest
 BuildRequires: ncurses-devel
@@ -30,6 +32,8 @@ Contains language specific files for of wdiff.
 %prep
 %setup -q
 cp %{SOURCE1001} .
+%{__patch} -p1 < %{SOURCE2}
+%{__patch} -p1 < %{SOURCE3}
 %build
 LIBS=-lncurses \
-- 
2.7.4
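Review bot: The two backports are declared as `Source2`/`Source3` and applied with a bare `%{__patch} -p1 < …` in %prep, which sidesteps rpm's patch handling: GNU patch's default fuzz factor of 2 lets a hunk land on shifted context without failing the build, and tooling that enumerates a package's patches (`rpm -qp --patches`, `rpmspec`) will not list them, so the CVE fixes are invisible to anyone auditing the spec. If the patches were cut against a different gnulib revision than the one bundled in the wdiff tarball, a silent fuzzy apply into the wrong lines is the realistic failure mode, and it would leave the CVEs open while the build still succeeds. Declare them as `Patch0`/`Patch1` and apply them with the `%patch` macro as below (or, at minimum, add `--fuzz=0` to the two `%{__patch}` lines); whether this build environment sets `%_default_patch_fuzz` to 0 is not visible here, so if it does not, pass `--fuzz=0` explicitly.
```rpmspec
Source1001: wdiff.manifest
Patch0:     0001-CVE-2018-17942-vasnprintf-Fix-heap-memory-overrun-bu.patch
Patch1:     0002-CVE-2009-5155-Diagnose-ERE-1.patch
# … unchanged: BuildRequires, %description, %setup -q, cp of the manifest …
%patch0 -p1
%patch1 -p1
```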