package/orc: add patch for CVE-2024-40897
This fixes the following vulnerabilities:
- CVE-2024-40897
Stack-based buffer overflow vulnerability exists in orcparse.c of ORC
versions prior to 0.4.39. If a developer is tricked to process a
specially crafted file with the affected ORC compiler, an arbitrary
code may be executed on the developer's build environment. This may
lead to compromise of developer machines or CI build environments.
https://www.cve.org/CVERecord?id=CVE-2024-40897
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-40897
- fb7db9ae3e
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit is contained in:
Thomas Perale
committed by
Julien Olivain
Julien Olivain
parent
279cb43814
commit
2f7afa54ce
@@ -0,0 +1,94 @@
|
||||
From fb7db9ae3e8ac271651d1884a3611d30bac04a98 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Tue, 9 Jul 2024 12:11:37 +0300
|
||||
Subject: [PATCH] Use vasprintf() if available for error messages and otherwise
|
||||
vsnprintf()
|
||||
|
||||
vasprintf() is a GNU/BSD extension and would allocate as much memory as required
|
||||
on the heap, similar to g_strdup_printf(). It's ridiculous that such a function
|
||||
is still not provided as part of standard C.
|
||||
|
||||
If it's not available, use vsnprintf() to at least avoid stack/heap buffer
|
||||
overflows, which can lead to arbitrary code execution.
|
||||
|
||||
Thanks to Noriko Totsuka for reporting.
|
||||
|
||||
Fixes JVN#02030803 / JPCERT#92912620 / CVE-2024-40897
|
||||
Fixes #69
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191>
|
||||
Upstream: https://gitlab.freedesktop.org/gstreamer/orc/-/commit/fb7db9ae3e8ac271651d1884a3611d30bac04a98
|
||||
CVE: CVE-2024-40897
|
||||
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
|
||||
---
|
||||
meson.build | 1 +
|
||||
orc/orccompiler.c | 6 +++++-
|
||||
orc/orcparse.c | 14 +++++++++++---
|
||||
3 files changed, 17 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/meson.build b/meson.build
|
||||
index c7ba5d7d..fe8c6016 100644
|
||||
--- a/meson.build
|
||||
+++ b/meson.build
|
||||
@@ -128,6 +128,7 @@ int main() {
|
||||
'''
|
||||
cdata.set('HAVE_MONOTONIC_CLOCK', cc.compiles(monotonic_test))
|
||||
cdata.set('HAVE_GETTIMEOFDAY', cc.has_function('gettimeofday'))
|
||||
+cdata.set('HAVE_VASPRINTF', cc.has_function('vasprintf'))
|
||||
cdata.set('HAVE_POSIX_MEMALIGN', cc.has_function('posix_memalign', prefix : '#include <stdlib.h>'))
|
||||
cdata.set('HAVE_MMAP', cc.has_function('mmap'))
|
||||
cdata.set('HAVE_SYS_TIME_H', cc.has_header('sys/time.h'))
|
||||
diff --git a/orc/orccompiler.c b/orc/orccompiler.c
|
||||
index 1e24b8a3..d3394612 100644
|
||||
--- a/orc/orccompiler.c
|
||||
+++ b/orc/orccompiler.c
|
||||
@@ -1332,8 +1332,12 @@ orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt,
|
||||
|
||||
if (compiler->error_msg) return;
|
||||
|
||||
+#ifdef HAVE_VASPRINTF
|
||||
+ vasprintf (&s, fmt, args);
|
||||
+#else
|
||||
s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
|
||||
- vsprintf (s, fmt, args);
|
||||
+ vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args);
|
||||
+#endif
|
||||
compiler->error_msg = s;
|
||||
compiler->error = TRUE;
|
||||
compiler->result = ORC_COMPILE_RESULT_UNKNOWN_COMPILE;
|
||||
diff --git a/orc/orcparse.c b/orc/orcparse.c
|
||||
index b0d67095..ae4f1b6b 100644
|
||||
--- a/orc/orcparse.c
|
||||
+++ b/orc/orcparse.c
|
||||
@@ -424,17 +424,25 @@ orc_parse_get_error_where (OrcParser *parser)
|
||||
static void
|
||||
orc_parse_add_error_valist (OrcParser *parser, const char *format, va_list args)
|
||||
{
|
||||
- char text[ORC_ERROR_LENGTH] = { '\0' };
|
||||
-
|
||||
if (parser->error_program != parser->program) {
|
||||
parser->error_program = parser->program;
|
||||
}
|
||||
|
||||
- vsprintf (text, format, args);
|
||||
+#ifdef HAVE_VASPRINTF
|
||||
+ char *text;
|
||||
+ vasprintf (&text, format, args);
|
||||
+#else
|
||||
+ char text[ORC_ERROR_LENGTH] = { '\0' };
|
||||
+ vsnprintf (text, sizeof (text), format, args);
|
||||
+#endif
|
||||
|
||||
orc_vector_append (&parser->errors,
|
||||
orc_parse_error_new (orc_parse_get_error_where (parser),
|
||||
parser->line_number, -1, text));
|
||||
+
|
||||
+#ifdef HAVE_VASPRINTF
|
||||
+ free (text);
|
||||
+#endif
|
||||
}
|
||||
|
||||
static void
|
||||
--
|
||||
GitLab
|
||||
|
||||
@@ -20,5 +20,8 @@ ORC_CONF_OPTS = \
|
||||
-Dtests=disabled \
|
||||
-Dtools=disabled
|
||||
|
||||
# 0001-use-vasprintf-if-available-for-error-messages-and-otherwise-vsnprintf.patch
|
||||
ORC_IGNORE_CVES += CVE-2024-40897
|
||||
|
||||
$(eval $(meson-package))
|
||||
$(eval $(host-meson-package))
|
||||
|
||||
Reference in New Issue
Block a user