[Buildroot] [PATCH] package/file: add upstream security fix
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Sun Oct 27 08:45:14 UTC 2019
On Sun, 27 Oct 2019 08:45:59 +0100
Peter Korsgaard <peter at korsgaard.com> wrote:
> Fixes the following security vulnerability:
>
> - CVE-2019-18218: cdf_read_property_info in cdf.c in file through 5.37 does
> not restrict the number of CDF_VECTOR elements, which allows a heap-based
> buffer overflow (4-byte out-of-bounds write).
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ---
> ...ation-overflow-when-computing-sector.patch | 68 +++++++++++++++++++
> ...-of-elements-in-a-vector-found-by-os.patch | 62 +++++++++++++++++
> 2 files changed, 130 insertions(+)
> create mode 100644 package/file/0001-Detect-multiplication-overflow-when-computing-sector.patch
> create mode 100644 package/file/0002-Limit-the-number-of-elements-in-a-vector-found-by-os.patch
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com