[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/03: gnu: aspell: Patch CVE-2019-25051.
|
From: |
guix-commits |
|
Subject: |
01/03: gnu: aspell: Patch CVE-2019-25051. |
|
Date: |
Tue, 9 Aug 2022 15:43:14 -0400 (EDT) |
efraim pushed a commit to branch master
in repository guix.
commit 468c95e9415bc303cfa36c9b67bbd2ce0abe904b
Author: Efraim Flashner <efraim@flashner.co.il>
AuthorDate: Tue Aug 9 22:05:28 2022 +0300
gnu: aspell: Patch CVE-2019-25051.
* gnu/packages/aspell.scm (aspell)[source]: Add patch.
* gnu/packages/patches/aspell-CVE-2019-25051.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
gnu/local.mk | 1 +
gnu/packages/aspell.scm | 3 +-
gnu/packages/patches/aspell-CVE-2019-25051.patch | 99 ++++++++++++++++++++++++
3 files changed, 102 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index ac40640658..f907c8b635 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -861,6 +861,7 @@ dist_patch_DATA =
\
%D%/packages/patches/aoflagger-use-system-provided-pybind11.patch \
%D%/packages/patches/apr-skip-getservbyname-test.patch \
%D%/packages/patches/ark-skip-xar-test.patch \
+ %D%/packages/patches/aspell-CVE-2019-25051.patch \
%D%/packages/patches/aspell-default-dict-dir.patch \
%D%/packages/patches/ath9k-htc-firmware-binutils.patch \
%D%/packages/patches/ath9k-htc-firmware-gcc.patch \
diff --git a/gnu/packages/aspell.scm b/gnu/packages/aspell.scm
index ef225ac64d..d2737ee79a 100644
--- a/gnu/packages/aspell.scm
+++ b/gnu/packages/aspell.scm
@@ -55,7 +55,8 @@
(sha256
(base32
"1wi60ankalmh8ds7nplz434jd7j94gdvbahdwsr539rlad8pxdzr"))
- (patches (search-patches "aspell-default-dict-dir.patch"))))
+ (patches (search-patches "aspell-default-dict-dir.patch"
+ "aspell-CVE-2019-25051.patch"))))
(build-system gnu-build-system)
(arguments
`(#:phases
diff --git a/gnu/packages/patches/aspell-CVE-2019-25051.patch
b/gnu/packages/patches/aspell-CVE-2019-25051.patch
new file mode 100644
index 0000000000..a7471dacd4
--- /dev/null
+++ b/gnu/packages/patches/aspell-CVE-2019-25051.patch
@@ -0,0 +1,99 @@
+https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a
+https://nvd.nist.gov/vuln/detail/CVE-2019-25051
+
+From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
++++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
++#include <stddef.h>
+
+ namespace acommon {
+
+@@ -26,6 +27,12 @@ class ObjStack
+ byte * temp_end;
+ void setup_chunk();
+ void new_chunk();
++ bool will_overflow(size_t sz) const {
++ return offsetof(Node,data) + sz > chunk_size;
++ }
++ void check_size(size_t sz) {
++ assert(!will_overflow(sz));
++ }
+
+ ObjStack(const ObjStack &);
+ void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ class ObjStack
+ void * alloc_bottom(size_t size) {
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom +=
size;}
+ return tmp;
+ }
+ // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ class ObjStack
+ align_bottom(align);
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); goto loop;}
++ if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+ return tmp;
+ }
+ char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ class ObjStack
+ // always be aligned as such.
+ void * alloc_top(size_t size) {
+ top -= size;
+- if (top < bottom) {new_chunk(); top -= size;}
++ if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+ return top;
+ }
+ // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ class ObjStack
+ {loop:
+ top -= size;
+ align_top(align);
+- if (top < bottom) {new_chunk(); goto loop;}
++ if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+ return top;
+ }
+ char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ class ObjStack
+ void * alloc_temp(size_t size) {
+ temp_end = bottom + size;
+ if (temp_end > top) {
++ check_size(size);
+ new_chunk();
+ temp_end = bottom + size;
+ }
+@@ -131,6 +139,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
+@@ -150,6 +159,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;