summaryrefslogtreecommitdiffstats
path: root/patches
diff options
context:
space:
mode:
authorPatrick McDermott <patrick.mcdermott@libiquity.com>2019-04-06 22:29:32 (EDT)
committer Patrick McDermott <patrick.mcdermott@libiquity.com>2019-04-06 22:29:32 (EDT)
commit18e25107a68466fce17790e9c8d7d7e667651f55 (patch)
treeda92603d745f6da5500b8c216b86829f6fa829c1 /patches
parent6a0cf2652ca34bbf6dcc83d1d9d1dfdb32ebbd20 (diff)
patches: Fix security vulnerabilities
Diffstat (limited to 'patches')
-rw-r--r--patches/02_bzip2recover-race-open-output.patch46
-rw-r--r--patches/03_bzip2recover-CVE-2016-3189.patch15
2 files changed, 61 insertions, 0 deletions
diff --git a/patches/02_bzip2recover-race-open-output.patch b/patches/02_bzip2recover-race-open-output.patch
new file mode 100644
index 0000000..3a91e97
--- /dev/null
+++ b/patches/02_bzip2recover-race-open-output.patch
@@ -0,0 +1,46 @@
+Description: fix unsafe race condition in opening output files.
+Author: Colin Phipps <crp22@cam.ac.uk>
+Origin: Debian:
+ https://salsa.debian.org/debian/bzip2/blob/6baf99d2eb446f50f7986868b7d57e6f4fd9b459/debian/patches/bzip2recover-race-open-output.diff
+ https://sources.debian.org/src/bzip2/1.0.6-9/debian/patches/bzip2recover-race-open-output.diff/
+
+--- a/bzip2recover.c
++++ b/bzip2recover.c
+@@ -24,6 +24,8 @@
+ #include <errno.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <fcntl.h>
++#include <unistd.h>
+
+
+ /* This program records bit locations in the file to be recovered.
+@@ -269,6 +271,19 @@
+ name[n-1] == '2');
+ }
+
++/*---------------------------------------------*/
++/* Open an output file safely with O_EXCL and good permissions */
++FILE* fopen_output( Char* name, const char* mode )
++{
++ FILE *fp;
++ int fh;
++
++ fh = open(name, O_WRONLY|O_CREAT|O_EXCL, 0600);
++ if (fh == -1) return NULL;
++ fp = fdopen(fh, mode);
++ if (fp == NULL) close(fh);
++ return fp;
++}
+
+ /*---------------------------------------------------*/
+ /*--- ---*/
+@@ -486,7 +501,7 @@
+ fprintf ( stderr, " writing block %d to `%s' ...\n",
+ wrBlock+1, outFileName );
+
+- outFile = fopen ( outFileName, "wb" );
++ outFile = fopen_output ( outFileName, "wb" );
+ if (outFile == NULL) {
+ fprintf ( stderr, "%s: can't write `%s'\n",
+ progName, outFileName );
diff --git a/patches/03_bzip2recover-CVE-2016-3189.patch b/patches/03_bzip2recover-CVE-2016-3189.patch
new file mode 100644
index 0000000..d4d413c
--- /dev/null
+++ b/patches/03_bzip2recover-CVE-2016-3189.patch
@@ -0,0 +1,15 @@
+Author: Jakub Martisko <jamartis@redhat.com>
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1319648
+Description: CVE-2016-3189 bzip2: heap use after free in bzip2recover
+
+diff -up ./bzip2recover.c.old ./bzip2recover.c
+--- ./bzip2recover.c.old 2016-03-22 08:49:38.855620000 +0100
++++ ./bzip2recover.c 2016-03-30 10:22:27.341430099 +0200
+@@ -458,6 +458,7 @@ Int32 main ( Int32 argc, Char** argv )
+ bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+ bsPutUInt32 ( bsWr, blockCRC );
+ bsClose ( bsWr );
++ outFile = NULL;
+ }
+ if (wrBlock >= rbCtr) break;
+ wrBlock++;