summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'sys-apps/pacman/files/pacman-5.0.2-CVE-2016-5434.patch')
-rw-r--r--sys-apps/pacman/files/pacman-5.0.2-CVE-2016-5434.patch136
1 files changed, 0 insertions, 136 deletions
diff --git a/sys-apps/pacman/files/pacman-5.0.2-CVE-2016-5434.patch b/sys-apps/pacman/files/pacman-5.0.2-CVE-2016-5434.patch
deleted file mode 100644
index c245cb78dcb..00000000000
--- a/sys-apps/pacman/files/pacman-5.0.2-CVE-2016-5434.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From bf84fd00d3ac1ae2a43dac57f7ef689ef2e8b8aa Mon Sep 17 00:00:00 2001
-From: Nils Freydank <holgersson@posteo.de>
-Date: Fri, 20 Oct 2017 22:30:33 +0200
-Subject: [PATCH] Fix CVE-2016-5434 (DoS/loop and out of boundary read)
-
-This is a rewrite of Tobias Stoeckmann’s patch from June 2016[1] using
-functions instead of macros. (Thanks to Tobias for explanations of his patch.)
-A short question on Freenode IRC showed that macros are generally discouraged
-and functions should be used.
-
-The patch introduces a static size_t length_check() in libalpm/signing.c.
-
-[1] Original patch:
-https://lists.archlinux.org/pipermail/pacman-dev/2016-June/021148.html
-CVE request (and assignment):
-http://seclists.org/oss-sec/2016/q2/526
----
- This patch is provided to upstream, but not merged (2017-10-25).
-
- lib/libalpm/signing.c | 48 ++++++++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 44 insertions(+), 4 deletions(-)
-
-diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
-index 95cb3280..51b11df6 100644
---- a/lib/libalpm/signing.c
-+++ b/lib/libalpm/signing.c
-@@ -986,6 +986,19 @@ int SYMEXPORT alpm_siglist_cleanup(alpm_siglist_t *siglist)
- return 0;
- }
-
-+/* Check to avoid out of boundary reads */
-+static size_t length_check(size_t length, size_t position, size_t a,
-+ alpm_handle_t *handle, const char *identifier)
-+{
-+ if( a == 0 || length - position <= a) {
-+ _alpm_log(handle, ALPM_LOG_ERROR,
-+ _("%s: signature format error"), identifier);
-+ return -1;
-+ } else {
-+ return 0;
-+ }
-+}
-+
- /**
- * Extract the Issuer Key ID from a signature
- * @param sig PGP signature
-@@ -1022,16 +1035,25 @@ int SYMEXPORT alpm_extract_keyid(alpm_handle_t *handle, const char *identifier,
-
- switch(sig[pos] & 0x03) {
- case 0:
-+ if(length_check(len, pos, 2, handle, identifier) != 0) {
-+ return -1;
-+ }
- blen = sig[pos + 1];
- pos = pos + 2;
- break;
-
- case 1:
-+ if(length_check(len, pos, 3, handle, identifier)) {
-+ return -1;
-+ }
- blen = (sig[pos + 1] << 8) | sig[pos + 2];
- pos = pos + 3;
- break;
-
- case 2:
-+ if(length_check(len, pos, 5, handle, identifier)) {
-+ return -1;
-+ }
- blen = (sig[pos + 1] << 24) | (sig[pos + 2] << 16) | (sig[pos + 3] << 8) | sig[pos + 4];
- pos = pos + 5;
- break;
-@@ -1059,7 +1081,16 @@ int SYMEXPORT alpm_extract_keyid(alpm_handle_t *handle, const char *identifier,
-
- pos = pos + 4;
-
-+ /* pos got changed above, so an explicit check is necessary
-+ * check for 2 as that catches another some lines down */
-+ if(length_check(len, pos, 2, handle, identifier)) {
-+ return -1;
-+ }
- hlen = (sig[pos] << 8) | sig[pos + 1];
-+
-+ if(length_check(len, pos, hlen + 2, handle, identifier)) {
-+ return -1;
-+ }
- pos = pos + hlen + 2;
-
- ulen = (sig[pos] << 8) | sig[pos + 1];
-@@ -1072,30 +1103,39 @@ int SYMEXPORT alpm_extract_keyid(alpm_handle_t *handle, const char *identifier,
- slen = sig[spos];
- spos = spos + 1;
- } else if(sig[spos] < 255) {
-+ if(length_check(pos + ulen, spos, 2, handle, identifier)){
-+ return -1;
-+ }
- slen = (sig[spos] << 8) | sig[spos + 1];
- spos = spos + 2;
- } else {
-+ /* check for pos and spos, as spos is still pos */
-+ if(length_check(len, pos, 5, handle, identifier)) {
-+ return -1;
-+ }
- slen = (sig[spos + 1] << 24) | (sig[spos + 2] << 16) | (sig[spos + 3] << 8) | sig[spos + 4];
- spos = spos + 5;
- }
--
- if(sig[spos] == 16) {
- /* issuer key ID */
- char key[17];
- size_t i;
-+ if(length_check(pos + ulen, spos, 8, handle, identifier)) {
-+ return -1;
-+ }
- for (i = 0; i < 8; i++) {
- sprintf(&key[i * 2], "%02X", sig[spos + i + 1]);
- }
- *keys = alpm_list_add(*keys, strdup(key));
- break;
- }
--
-+ if(length_check(pos + ulen + 1, spos, slen, handle, identifier)) {
-+ return -1;
-+ }
- spos = spos + slen;
- }
--
- pos = pos + (blen - hlen - 8);
- }
--
- return 0;
- }
-
---
-2.14.2
-