Fix CVE-2023-26769 (#2181149)

Resolves: #2181149
2023-04-03 12:23:23 +01:00 · 2023-04-03 12:23:23 +01:00 · 48bf07a9dd
commit 48bf07a9dd
parent 9cc7c4421c
2 changed files with 165 additions and 0 deletions
--- a/liblouis-3.16.1-fix-CVE-2023-26769.patch
+++ b/liblouis-3.16.1-fix-CVE-2023-26769.patch
@ -0,0 +1,162 @@
+From d45430431f8c75941f863328eb3f7fc09f902b2e Mon Sep 17 00:00:00 2001
+From: Marsman1996 <lqliuyuwei@outlook.com>
+Date: Wed, 8 Feb 2023 22:10:01 +0800
+Subject: [PATCH 1/3] Check the path length before coping into tableFile
+
+---
+ liblouis/compileTranslationTable.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index 3c74929bcb..2da766e169 100644
+--- a/liblouis/compileTranslationTable.c
+++ b/liblouis/compileTranslationTable.c
+@@ -4539,7 +4539,9 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ 	char *tableFile;
+ 	static struct stat info;
+ 
+-	if (table == NULL || table[0] == '\0') return NULL;
+	if (table == NULL || table[0] == '\0' ||
+			strlen(table) >= MAXSTRING * sizeof(char) * 2)
+		return NULL;
+ 	tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2);
+ 
+ 	//
+@@ -4547,10 +4549,13 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ 	//
+ 	if (base) {
+ 		int k;
+		if (strlen(base) >= MAXSTRING * sizeof(char) * 2) goto failure;
+ 		strcpy(tableFile, base);
+ 		k = (int)strlen(tableFile);
+ 		while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--;
+ 		tableFile[++k] = '\0';
+		if (strlen(tableFile) + strlen(table) >= MAXSTRING * sizeof(char) * 2)
+			goto failure;
+ 		strcat(tableFile, table);
+ 		if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ 			_lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile);
+@@ -4582,6 +4587,10 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ 			last = (*cp == '\0');
+ 			*cp = '\0';
+ 			if (dir == cp) dir = ".";
+			if (strlen(dir) + strlen(table) + 1 >= MAXSTRING * sizeof(char) * 2) {
+				free(searchPath_copy);
+				goto failure;
+			}
+ 			sprintf(tableFile, "%s%c%s", dir, DIR_SEP, table);
+ 			if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ 				_lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile);
+@@ -4589,6 +4598,10 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ 				return tableFile;
+ 			}
+ 			if (last) break;
+			if (strlen(dir) + strlen(table) + 16 >= MAXSTRING * sizeof(char) * 2) {
+				free(searchPath_copy);
+				goto failure;
+			}
+ 			sprintf(tableFile, "%s%c%s%c%s%c%s", dir, DIR_SEP, "liblouis", DIR_SEP,
+ 					"tables", DIR_SEP, table);
+ 			if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+@@ -4600,6 +4613,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ 		}
+ 		free(searchPath_copy);
+ 	}
+failure:
+ 	free(tableFile);
+ 	return NULL;
+ }
+
+From 6f39e88745e8ec602ccc46042c305a6188f28b0a Mon Sep 17 00:00:00 2001
+From: Marsman1996 <lqliuyuwei@outlook.com>
+Date: Wed, 8 Feb 2023 22:40:52 +0800
+Subject: [PATCH 2/3] fix format: 1. define MAX_TABLEFILE_SIZE 2. parse the
+ magic number
+
+---
+ liblouis/compileTranslationTable.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index 2da766e169..f334a38371 100644
+--- a/liblouis/compileTranslationTable.c
+++ b/liblouis/compileTranslationTable.c
+@@ -4539,23 +4539,21 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ 	char *tableFile;
+ 	static struct stat info;
+ 
+-	if (table == NULL || table[0] == '\0' ||
+-			strlen(table) >= MAXSTRING * sizeof(char) * 2)
+-		return NULL;
+-	tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2);
+#define MAX_TABLEFILE_SIZE MAXSTRING * sizeof(char) * 2
+	if (table == NULL || table[0] == '\0') return NULL;
+	tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);
+ 
+ 	//
+ 	// First try to resolve against base
+ 	//
+ 	if (base) {
+ 		int k;
+-		if (strlen(base) >= MAXSTRING * sizeof(char) * 2) goto failure;
+		if (strlen(base) >= MAX_TABLEFILE_SIZE) goto failure;
+ 		strcpy(tableFile, base);
+ 		k = (int)strlen(tableFile);
+ 		while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--;
+ 		tableFile[++k] = '\0';
+-		if (strlen(tableFile) + strlen(table) >= MAXSTRING * sizeof(char) * 2)
+-			goto failure;
+		if (strlen(tableFile) + strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
+ 		strcat(tableFile, table);
+ 		if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ 			_lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile);
+@@ -4567,6 +4565,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ 	// It could be an absolute path, or a path relative to the current working
+ 	// directory
+ 	//
+	if (strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
+ 	strcpy(tableFile, table);
+ 	if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ 		_lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile);
+@@ -4587,7 +4586,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ 			last = (*cp == '\0');
+ 			*cp = '\0';
+ 			if (dir == cp) dir = ".";
+-			if (strlen(dir) + strlen(table) + 1 >= MAXSTRING * sizeof(char) * 2) {
+			if (strlen(dir) + strlen(table) + 1 >= MAX_TABLEFILE_SIZE) {
+ 				free(searchPath_copy);
+ 				goto failure;
+ 			}
+@@ -4598,7 +4597,8 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ 				return tableFile;
+ 			}
+ 			if (last) break;
+-			if (strlen(dir) + strlen(table) + 16 >= MAXSTRING * sizeof(char) * 2) {
+			if (strlen(dir) + strlen("liblouis") + strlen("tables") + strlen(table) + 3 >=
+					MAX_TABLEFILE_SIZE) {
+ 				free(searchPath_copy);
+ 				goto failure;
+ 			}
+
+From 9f6cec9b63c1d9396fcc32fed77267a2815b648f Mon Sep 17 00:00:00 2001
+From: Marsman1996 <lqliuyuwei@outlook.com>
+Date: Wed, 8 Feb 2023 23:01:56 +0800
+Subject: [PATCH 3/3] add parentheses for define expression
+
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index f334a38371..3575792796 100644
+--- a/liblouis/compileTranslationTable.c
+++ b/liblouis/compileTranslationTable.c
+@@ -4539,7 +4539,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ 	char *tableFile;
+ 	static struct stat info;
+ 
+-#define MAX_TABLEFILE_SIZE MAXSTRING * sizeof(char) * 2
+#define MAX_TABLEFILE_SIZE (MAXSTRING * sizeof(char) * 2)
+ 	if (table == NULL || table[0] == '\0') return NULL;
+ 	tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);
+ 
--- a/liblouis.spec
+++ b/liblouis.spec
@ -13,6 +13,8 @@ Source0:        https://github.com/%{name}/%{name}/releases/download/v%{version}
 Patch0:         liblouis-3.16.1-fix-CVE-2023-26767.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2181151
 Patch1:         liblouis-3.16.1-fix-CVE-2023-26768.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2181149
+Patch2:         liblouis-3.16.1-fix-CVE-2023-26769.patch

 BuildRequires:  chrpath
 BuildRequires:  gcc
@ -150,6 +152,7 @@ done
 * Mon Apr 03 2023 David King <amigadave@amigadave.com> - 3.16.1-5
 - Fix CVE-2023-26767 (#2181147)
 - Fix CVE-2023-26768 (#2181151)
+- Fix CVE-2023-26769 (#2181149)

 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.1-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags