diff options
| author | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2021-10-01 17:10:49 -0400 |
|---|---|---|
| committer | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2021-10-01 17:10:49 -0400 |
| commit | 2e65e4834a226c570866f2e8976ed7f252b45cd1 (patch) | |
| tree | 21d625bce8d03627680214df4a6622bf8eb79dc9 /gnu/packages/patches/busybox-CVE-2021-28831.patch | |
| parent | 9c68ecb24dd1660ce736cdcdea0422a73ec318a2 (diff) | |
| parent | f1a3c11407b52004e523ec5de20d326c5661681f (diff) | |
Merge remote-tracking branch 'origin/master' into staging
With resolved conflicts in:
gnu/packages/bittorrent.scm
gnu/packages/databases.scm
gnu/packages/geo.scm
gnu/packages/gnupg.scm
gnu/packages/gstreamer.scm
gnu/packages/gtk.scm
gnu/packages/linux.scm
gnu/packages/python-xyz.scm
gnu/packages/xorg.scm
guix/build/qt-utils.scm
Diffstat (limited to 'gnu/packages/patches/busybox-CVE-2021-28831.patch')
| -rw-r--r-- | gnu/packages/patches/busybox-CVE-2021-28831.patch | 57 |
1 files changed, 0 insertions, 57 deletions
diff --git a/gnu/packages/patches/busybox-CVE-2021-28831.patch b/gnu/packages/patches/busybox-CVE-2021-28831.patch deleted file mode 100644 index da3107fbb1..0000000000 --- a/gnu/packages/patches/busybox-CVE-2021-28831.patch +++ /dev/null @@ -1,57 +0,0 @@ -From f25d254dfd4243698c31a4f3153d4ac72aa9e9bd Mon Sep 17 00:00:00 2001 -From: Samuel Sapalski <samuel.sapalski@nokia.com> -Date: Wed, 3 Mar 2021 16:31:22 +0100 -Subject: decompress_gunzip: Fix DoS if gzip is corrupt - -On certain corrupt gzip files, huft_build will set the error bit on -the result pointer. If afterwards abort_unzip is called huft_free -might run into a segmentation fault or an invalid pointer to -free(p). - -In order to mitigate this, we check in huft_free if the error bit -is set and clear it before the linked list is freed. - -Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com> -Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com> -Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> ---- - archival/libarchive/decompress_gunzip.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c -index eb3b64930..e93cd5005 100644 ---- a/archival/libarchive/decompress_gunzip.c -+++ b/archival/libarchive/decompress_gunzip.c -@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = { - * each table. - * t: table to free - */ -+#define BAD_HUFT(p) ((uintptr_t)(p) & 1) -+#define ERR_RET ((huft_t*)(uintptr_t)1) - static void huft_free(huft_t *p) - { - huft_t *q; - -+ /* -+ * If 'p' has the error bit set we have to clear it, otherwise we might run -+ * into a segmentation fault or an invalid pointer to free(p) -+ */ -+ if (BAD_HUFT(p)) { -+ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET)); -+ } -+ - /* Go through linked list, freeing from the malloced (t[-1]) address. */ - while (p) { - q = (--p)->v.t; -@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current - * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table - * is given: "fixed inflate" decoder feeds us such data. - */ --#define BAD_HUFT(p) ((uintptr_t)(p) & 1) --#define ERR_RET ((huft_t*)(uintptr_t)1) - static huft_t* huft_build(const unsigned *b, const unsigned n, - const unsigned s, const struct cp_ext *cp_ext, - unsigned *m) --- -cgit v1.2.1 - |