pkgconf: fix CVE-2023-24056

Backport from https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059

Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

diff --git a/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch b/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch
new file mode 100644 (file)
index 0000000..c6ec7c9
--- /dev/null
+++ b/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch
@@ -0,0 +1,75 @@
+From 9368831d360c0e47df55d1bb25c3517269320c5f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Wed, 15 Mar 2023 16:12:43 +0800
+Subject: [PATCH] tuple: test for, and stop string processing, on truncation
+
+otherwise a buffer overflow occurs.
+this has been a bug in pkgconf since the beginning, it seems.
+instead of disclosing the bug correctly, a "hotshot" developer
+decided to blog about it instead.  sigh.
+
+https://nullprogram.com/blog/2023/01/18/
+
+Upstream-Status: Backport [https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059]
+CVE: CVE-2023-24056
+Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com>
+---
+ libpkgconf/tuple.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c
+index 2d550d8..b831070 100644
+--- a/libpkgconf/tuple.c
++++ b/libpkgconf/tuple.c
+@@ -293,12 +293,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
+                               }
+                       }
+ 
++                      size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
+                       ptr += (pptr - ptr);
+                       kv = pkgconf_tuple_find_global(client, varname);
+                       if (kv != NULL)
+                       {
+-                              strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
+-                              bptr += strlen(kv);
++                              size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
++                              if (nlen > remain)
++                              {
++                                      pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
++
++                                      bptr = buf + (PKGCONF_BUFSIZE - 1);
++                                      break;
++                              }
++
++                              bptr += nlen;
+                       }
+                       else
+                       {
+@@ -306,12 +315,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
+ 
+                               if (kv != NULL)
+                               {
++                                      size_t nlen;
++
+                                       parsekv = pkgconf_tuple_parse(client, vars, kv);
++                                      nlen = pkgconf_strlcpy(bptr, parsekv, remain);
++                                      free(parsekv);
+ 
+-                                      strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
+-                                      bptr += strlen(parsekv);
++                                      if (nlen > remain)
++                                      {
++                                              pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+ 
+-                                      free(parsekv);
++                                              bptr = buf + (PKGCONF_BUFSIZE - 1);
++                                              break;
++                                      }
++
++                                      bptr += nlen;
+                               }
+                       }
+               }
+-- 
+2.27.0
+

diff --git a/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb b/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb
index 887e15e28ce8ef2aa0dbf045fceae58ebb5d04de..cad0a0fa4f3929ea2ee6f6949eaaf606e3d58122 100644 (file)
--- a/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb
+++ b/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2214222ec1a820bd6cc75167a56925e0"
 
 SRC_URI = "\
     https://distfiles.dereferenced.org/pkgconf/pkgconf-${PV}.tar.xz \
+    file://0001-tuple-test-for-and-stop-string-processing-on-truncat.patch \
     file://pkg-config-wrapper \
     file://pkg-config-native.in \
     file://pkg-config-esdk.in \