diff options
Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/busybox.scm | 5 | ||||
-rw-r--r-- | gnu/packages/patches/busybox-CVE-2021-28831.patch | 57 |
2 files changed, 2 insertions, 60 deletions
diff --git a/gnu/packages/busybox.scm b/gnu/packages/busybox.scm index 7ede3ee330..5b038870de 100644 --- a/gnu/packages/busybox.scm +++ b/gnu/packages/busybox.scm @@ -33,7 +33,7 @@ (define-public busybox (package (name "busybox") - (version "1.33.0") + (version "1.33.1") (source (origin (method url-fetch) (uri (string-append @@ -41,8 +41,7 @@ version ".tar.bz2")) (sha256 (base32 - "1gcg7ggg79apdlp5qnrh9pbjl10fx30yn33p21kxqpm8j4f6hs6m")) - (patches (search-patches "busybox-CVE-2021-28831.patch")))) + "0a0dcvsh7nxnhxc5y73fky0z30i9p7r30qfidm2akn0n5fywdkhj")))) (build-system gnu-build-system) (arguments '(#:phases diff --git a/gnu/packages/patches/busybox-CVE-2021-28831.patch b/gnu/packages/patches/busybox-CVE-2021-28831.patch deleted file mode 100644 index da3107fbb1..0000000000 --- a/gnu/packages/patches/busybox-CVE-2021-28831.patch +++ /dev/null @@ -1,57 +0,0 @@ -From f25d254dfd4243698c31a4f3153d4ac72aa9e9bd Mon Sep 17 00:00:00 2001 -From: Samuel Sapalski <samuel.sapalski@nokia.com> -Date: Wed, 3 Mar 2021 16:31:22 +0100 -Subject: decompress_gunzip: Fix DoS if gzip is corrupt - -On certain corrupt gzip files, huft_build will set the error bit on -the result pointer. If afterwards abort_unzip is called huft_free -might run into a segmentation fault or an invalid pointer to -free(p). - -In order to mitigate this, we check in huft_free if the error bit -is set and clear it before the linked list is freed. - -Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com> -Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com> -Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> ---- - archival/libarchive/decompress_gunzip.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c -index eb3b64930..e93cd5005 100644 ---- a/archival/libarchive/decompress_gunzip.c -+++ b/archival/libarchive/decompress_gunzip.c -@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = { - * each table. - * t: table to free - */ -+#define BAD_HUFT(p) ((uintptr_t)(p) & 1) -+#define ERR_RET ((huft_t*)(uintptr_t)1) - static void huft_free(huft_t *p) - { - huft_t *q; - -+ /* -+ * If 'p' has the error bit set we have to clear it, otherwise we might run -+ * into a segmentation fault or an invalid pointer to free(p) -+ */ -+ if (BAD_HUFT(p)) { -+ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET)); -+ } -+ - /* Go through linked list, freeing from the malloced (t[-1]) address. */ - while (p) { - q = (--p)->v.t; -@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current - * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table - * is given: "fixed inflate" decoder feeds us such data. - */ --#define BAD_HUFT(p) ((uintptr_t)(p) & 1) --#define ERR_RET ((huft_t*)(uintptr_t)1) - static huft_t* huft_build(const unsigned *b, const unsigned n, - const unsigned s, const struct cp_ext *cp_ext, - unsigned *m) --- -cgit v1.2.1 - |