diff options
author | Michael Mair-Keimberger <mmk@levelnine.at> | 2021-05-02 14:00:16 +0200 |
---|---|---|
committer | Jory Pratt <anarchy@gentoo.org> | 2021-05-02 09:36:12 -0500 |
commit | 1e3c5b806bde5ac553054d63b07029d3c16efeb9 (patch) | |
tree | 9eb274f2bb0b45639fefb0bdee04a4a8bf6de5da /sys-libs | |
parent | dev-perl/Class-C3: Version bump 0.35 (diff) | |
download | gentoo-1e3c5b806bde5ac553054d63b07029d3c16efeb9.tar.gz gentoo-1e3c5b806bde5ac553054d63b07029d3c16efeb9.tar.bz2 gentoo-1e3c5b806bde5ac553054d63b07029d3c16efeb9.zip |
sys-libs/musl: remove unused patch
Closes: https://github.com/gentoo/gentoo/pull/20651
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Michael Mair-Keimberger <mmk@levelnine.at>
Signed-off-by: Jory Pratt <anarchy@gentoo.org>
Diffstat (limited to 'sys-libs')
-rw-r--r-- | sys-libs/musl/files/musl-1.2.1-CVE-2020-28928.patch | 114 |
1 files changed, 0 insertions, 114 deletions
diff --git a/sys-libs/musl/files/musl-1.2.1-CVE-2020-28928.patch b/sys-libs/musl/files/musl-1.2.1-CVE-2020-28928.patch deleted file mode 100644 index 9797e92ec423..000000000000 --- a/sys-libs/musl/files/musl-1.2.1-CVE-2020-28928.patch +++ /dev/null @@ -1,114 +0,0 @@ -https://bugs.gentoo.org/755695 -https://git.musl-libc.org/cgit/musl/patch/?id=3ab2a4e02682df1382955071919d8aa3c3ec40d4 -From 3ab2a4e02682df1382955071919d8aa3c3ec40d4 Mon Sep 17 00:00:00 2001 -From: Rich Felker <dalias@aerifal.cx> -Date: Thu, 19 Nov 2020 17:12:43 -0500 -Subject: rewrite wcsnrtombs to fix buffer overflow and other bugs - -the original wcsnrtombs implementation, which has been largely -untouched since 0.5.0, attempted to build input-length-limiting -conversion on top of wcsrtombs, which only limits output length. as -best I recall, this choice was made out of a mix of disdain over -having yet another variant function to implement (added in POSIX 2008; -not standard C) and preference not to switch things around and -implement the wcsrtombs in terms of the more general new function, -probably over namespace issues. the strategy employed was to impose -output limits that would ensure the input limit wasn't exceeded, then -finish up the tail character-at-a-time. unfortunately, none of that -worked correctly. - -first, the logic in the wcsrtombs loop was wrong in that it could -easily get stuck making no forward progress, by imposing an output -limit too small to convert even one character. - -the character-at-a-time loop that followed was even worse. it made no -effort to ensure that the converted multibyte character would fit in -the remaining output space, only that there was a nonzero amount of -output space remaining. it also employed an incorrect interpretation -of wcrtomb's interface contract for converting the null character, -thereby failing to act on end of input, and remaining space accounting -was subject to unsigned wrap-around. together these errors allow -unbounded overflow of the destination buffer, controlled by input -length limit and input wchar_t string contents. - -given the extent to which this function was broken, it's plausible -that most applications that would have been rendered exploitable were -sufficiently broken not to be usable in the first place. however, it's -also plausible that common (especially ASCII-only) inputs succeeded in -the wcsrtombs loop, which mostly worked, while leaving the wildly -erroneous code in the second loop exposed to particular non-ASCII -inputs. - -CVE-2020-28928 has been assigned for this issue. ---- - src/multibyte/wcsnrtombs.c | 46 +++++++++++++++++++--------------------------- - 1 file changed, 19 insertions(+), 27 deletions(-) - -diff --git a/src/multibyte/wcsnrtombs.c b/src/multibyte/wcsnrtombs.c -index 676932b5..95e25e70 100644 ---- a/src/multibyte/wcsnrtombs.c -+++ b/src/multibyte/wcsnrtombs.c -@@ -1,41 +1,33 @@ - #include <wchar.h> -+#include <limits.h> -+#include <string.h> - - size_t wcsnrtombs(char *restrict dst, const wchar_t **restrict wcs, size_t wn, size_t n, mbstate_t *restrict st) - { -- size_t l, cnt=0, n2; -- char *s, buf[256]; - const wchar_t *ws = *wcs; -- const wchar_t *tmp_ws; -- -- if (!dst) s = buf, n = sizeof buf; -- else s = dst; -- -- while ( ws && n && ( (n2=wn)>=n || n2>32 ) ) { -- if (n2>=n) n2=n; -- tmp_ws = ws; -- l = wcsrtombs(s, &ws, n2, 0); -- if (!(l+1)) { -- cnt = l; -- n = 0; -+ size_t cnt = 0; -+ if (!dst) n=0; -+ while (ws && wn) { -+ char tmp[MB_LEN_MAX]; -+ size_t l = wcrtomb(n<MB_LEN_MAX ? tmp : dst, *ws, 0); -+ if (l==-1) { -+ cnt = -1; - break; - } -- if (s != buf) { -- s += l; -+ if (dst) { -+ if (n<MB_LEN_MAX) { -+ if (l>n) break; -+ memcpy(dst, tmp, l); -+ } -+ dst += l; - n -= l; - } -- wn = ws ? wn - (ws - tmp_ws) : 0; -- cnt += l; -- } -- if (ws) while (n && wn) { -- l = wcrtomb(s, *ws, 0); -- if ((l+1)<=1) { -- if (!l) ws = 0; -- else cnt = l; -+ if (!*ws) { -+ ws = 0; - break; - } -- ws++; wn--; -- /* safe - this loop runs fewer than sizeof(buf) times */ -- s+=l; n-=l; -+ ws++; -+ wn--; - cnt += l; - } - if (dst) *wcs = ws; --- -cgit v1.2.1 - |