[Buildroot] [PATCH] package/file: add upstream security fix

Thomas Petazzoni thomas.petazzoni at bootlin.com
Sun Oct 27 08:45:14 UTC 2019


On Sun, 27 Oct 2019 08:45:59 +0100
Peter Korsgaard <peter at korsgaard.com> wrote:

> Fixes the following security vulnerability:
> 
> - CVE-2019-18218: cdf_read_property_info in cdf.c in file through 5.37 does
>   not restrict the number of CDF_VECTOR elements, which allows a heap-based
>   buffer overflow (4-byte out-of-bounds write).
> 
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ---
>  ...ation-overflow-when-computing-sector.patch | 68 +++++++++++++++++++
>  ...-of-elements-in-a-vector-found-by-os.patch | 62 +++++++++++++++++
>  2 files changed, 130 insertions(+)
>  create mode 100644 package/file/0001-Detect-multiplication-overflow-when-computing-sector.patch
>  create mode 100644 package/file/0002-Limit-the-number-of-elements-in-a-vector-found-by-os.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

