NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/zlog: fix CVE-2021-43521

Browse Source 
A Buffer Overflow vulnerability exists in zlog 1.2.15 via
zlog_conf_build_with_file in src/zlog/src/conf.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This commit is contained in:
Fabrice Fontaine 2022-04-21 23:54:44 +02:00 committed by Arnout Vandecappelle (Essensium/Mind)
parent 01427de27d
commit 6eefe2f8f4
2 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
package/zlog/0001-Fix-stack-buffer-overflow-at-zlog_conf_build_with_file.patch Normal file
View File

@ -0,0 +1,25 @@
From a5be8b3a8ddc498de4ad041757285136a55d97e3 Mon Sep 17 00:00:00 2001
From: XiangfeiCH <chenthrone@163.com>
Date: Tue, 12 Apr 2022 00:13:35 +0800
Subject: [PATCH] Fix stack-buffer-overflow at zlog_conf_build_with_file
[Retrieved from:
https://github.com/HardySimpson/zlog/commit/a5be8b3a8ddc498de4ad041757285136a55d97e3]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf.c b/src/conf.c
index 0f862fa..9a4cb75 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -305,7 +305,7 @@ static int zlog_conf_build_with_file(zlog_conf_t * a_conf)
/* Oops the buffer is full - what now? */
pline = line;
} else {
- for (p--; isspace((int)*p); --p)
+ for (p--; p >= line && isspace((int)*p); --p)
/*EMPTY*/;
p++;
*p = 0;

3
package/zlog/zlog.mk
View File

@ -11,6 +11,9 @@ ZLOG_LICENSE_FILES = COPYING
ZLOG_CPE_ID_VENDOR = zlog_project
ZLOG_INSTALL_STAGING = YES
# 0001-Fix-stack-buffer-overflow-at-zlog_conf_build_with_file.patch
ZLOG_IGNORE_CVES += CVE-2021-43521
define ZLOG_BUILD_CMDS
$(TARGET_MAKE_ENV) $(MAKE1) CC="$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_LDFLAGS)" \
-C $(@D) all