rpms/libyang
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libyang-0.16.105-3.el8_1.2

Browse Source
This commit is contained in:
CentOS Sources 2019-12-22 22:33:27 -05:00 committed by Andrew Lukoshko
parent 019a04169f
commit 4c66e0867f
3 changed files with 270 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

242
SOURCES/0001-libyang-0.16.105-CVE-2019-19333.patch Normal file
View File

@ -0,0 +1,242 @@
diff --git a/src/parser.c b/src/parser.c
index 38fd137b..e5d7ebbd 100644
--- a/src/parser.c
+++ b/src/parser.c
@@ -979,7 +979,7 @@ lyp_precompile_pattern(struct ly_ctx *ctx, const char *pattern, pcre** pcre_cmp,
* @param[in] data2 If \p type is #LY_TYPE_BITS: (int *) type bit field length,
* #LY_TYPE_DEC64: (uint8_t *) number of fraction digits (position of the floating point),
* otherwise ignored.
- * @return 1 if a conversion took place, 0 if the value was kept the same.
+ * @return 1 if a conversion took place, 0 if the value was kept the same, -1 on error.
*/
static int
make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, void *data2)
@@ -994,6 +994,8 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo
uint64_t unum;
uint8_t c;
+#define LOGBUF(str) LOGERR(ctx, LY_EINVAL, "Value \"%s\" is too long.", str)
+
switch (type) {
case LY_TYPE_BITS:
bits = (struct lys_type_bit **)data1;
@@ -1006,8 +1008,10 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo
continue;
}
if (buf[0]) {
+ LY_CHECK_ERR_RETURN(strlen(buf) + 1 + strlen(bits[i]->name) > buf_len, LOGBUF(bits[i]->name), -1);
sprintf(buf + strlen(buf), " %s", bits[i]->name);
} else {
+ LY_CHECK_ERR_RETURN(strlen(bits[i]->name) > buf_len, LOGBUF(bits[i]->name), -1);
strcpy(buf, bits[i]->name);
}
}
@@ -1025,7 +1029,7 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo
case LY_TYPE_INST:
exp = lyxp_parse_expr(ctx, *value);
- LY_CHECK_ERR_RETURN(!exp, LOGINT(ctx), 0);
+ LY_CHECK_ERR_RETURN(!exp, LOGINT(ctx), -1);
module_name = NULL;
count = 0;
@@ -1035,9 +1039,9 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo
/* copy WS */
if (i && ((end = exp->expr + exp->expr_pos[i - 1] + exp->tok_len[i - 1]) != cur_expr)) {
if (count + (cur_expr - end) > buf_len) {
- LOGINT(ctx);
lyxp_expr_free(exp);
- return 0;
+ LOGBUF(end);
+ return -1;
}
strncpy(&buf[count], end, cur_expr - end);
count += cur_expr - end;
@@ -1051,9 +1055,9 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo
if (!module_name || strncmp(cur_expr, module_name, j)) {
/* print module name with colon, it does not equal to the parent one */
if (count + j > buf_len) {
- LOGINT(ctx);
lyxp_expr_free(exp);
- return 0;
+ LOGBUF(cur_expr);
+ return -1;
}
strncpy(&buf[count], cur_expr, j);
count += j;
@@ -1062,17 +1066,17 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo
/* copy the rest */
if (count + (exp->tok_len[i] - j) > buf_len) {
- LOGINT(ctx);
lyxp_expr_free(exp);
- return 0;
+ LOGBUF(end);
+ return -1;
}
strncpy(&buf[count], end, exp->tok_len[i] - j);
count += exp->tok_len[i] - j;
} else {
if (count + exp->tok_len[i] > buf_len) {
- LOGINT(ctx);
+ LOGBUF(&exp->expr[exp->expr_pos[i]]);
lyxp_expr_free(exp);
- return 0;
+ return -1;
}
strncpy(&buf[count], &exp->expr[exp->expr_pos[i]], exp->tok_len[i]);
count += exp->tok_len[i];
@@ -1081,7 +1085,7 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo
if (count > buf_len) {
LOGINT(ctx);
lyxp_expr_free(exp);
- return 0;
+ return -1;
}
buf[count] = '\0';
@@ -1146,6 +1150,8 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo
}
return 0;
+
+#undef LOGBUF
}
static const char *
@@ -1412,7 +1418,10 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
c = c + len;
}
- make_canonical(ctx, LY_TYPE_BITS, value_, bits, &type->info.bits.count);
+ if (make_canonical(ctx, LY_TYPE_BITS, value_, bits, &type->info.bits.count) == -1) {
+ free(bits);
+ goto error;
+ }
if (store) {
/* store the result */
@@ -1470,7 +1479,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
goto error;
}
- make_canonical(ctx, LY_TYPE_DEC64, value_, &num, &type->info.dec64.dig);
+ if (make_canonical(ctx, LY_TYPE_DEC64, value_, &num, &type->info.dec64.dig) == -1) {
+ goto error;
+ }
if (store) {
/* store the result */
@@ -1598,7 +1609,10 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
type->parent->flags |= LYS_DFLTJSON;
}
- make_canonical(ctx, LY_TYPE_IDENT, &value, (void*)lys_main_module(local_mod)->name, NULL);
+ if (make_canonical(ctx, LY_TYPE_IDENT, &value, (void*)lys_main_module(local_mod)->name, NULL) == -1) {
+ lydict_remove(ctx, value);
+ goto error;
+ }
/* replace the old value with the new one (even if they may be the same) */
lydict_remove(ctx, *value_);
@@ -1651,7 +1665,11 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
/* turn logging back on */
ly_ilo_restore(NULL, prev_ilo, NULL, 0);
} else {
- if (make_canonical(ctx, LY_TYPE_INST, &value, NULL, NULL)) {
+ if ((c = make_canonical(ctx, LY_TYPE_INST, &value, NULL, NULL))) {
+ if (c == -1) {
+ goto error;
+ }
+
/* if a change occured, value was removed from the dicionary so fix the pointers */
*value_ = value;
}
@@ -1749,7 +1767,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
goto error;
}
- make_canonical(ctx, LY_TYPE_INT8, value_, &num, NULL);
+ if (make_canonical(ctx, LY_TYPE_INT8, value_, &num, NULL) == -1) {
+ goto error;
+ }
if (store) {
/* store the result */
@@ -1764,7 +1784,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
goto error;
}
- make_canonical(ctx, LY_TYPE_INT16, value_, &num, NULL);
+ if (make_canonical(ctx, LY_TYPE_INT16, value_, &num, NULL) == -1) {
+ goto error;
+ }
if (store) {
/* store the result */
@@ -1779,7 +1801,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
goto error;
}
- make_canonical(ctx, LY_TYPE_INT32, value_, &num, NULL);
+ if (make_canonical(ctx, LY_TYPE_INT32, value_, &num, NULL) == -1) {
+ goto error;
+ }
if (store) {
/* store the result */
@@ -1795,7 +1819,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
goto error;
}
- make_canonical(ctx, LY_TYPE_INT64, value_, &num, NULL);
+ if (make_canonical(ctx, LY_TYPE_INT64, value_, &num, NULL) == -1) {
+ goto error;
+ }
if (store) {
/* store the result */
@@ -1810,7 +1836,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
goto error;
}
- make_canonical(ctx, LY_TYPE_UINT8, value_, &unum, NULL);
+ if (make_canonical(ctx, LY_TYPE_UINT8, value_, &unum, NULL) == -1) {
+ goto error;
+ }
if (store) {
/* store the result */
@@ -1825,7 +1853,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
goto error;
}
- make_canonical(ctx, LY_TYPE_UINT16, value_, &unum, NULL);
+ if (make_canonical(ctx, LY_TYPE_UINT16, value_, &unum, NULL) == -1) {
+ goto error;
+ }
if (store) {
/* store the result */
@@ -1840,7 +1870,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
goto error;
}
- make_canonical(ctx, LY_TYPE_UINT32, value_, &unum, NULL);
+ if (make_canonical(ctx, LY_TYPE_UINT32, value_, &unum, NULL) == -1) {
+ goto error;
+ }
if (store) {
/* store the result */
@@ -1855,7 +1887,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x
goto error;
}
- make_canonical(ctx, LY_TYPE_UINT64, value_, &unum, NULL);
+ if (make_canonical(ctx, LY_TYPE_UINT64, value_, &unum, NULL) == -1) {
+ goto error;
+ }
if (store) {
/* store the result */

15
SOURCES/0002-libyang-0.16.105-CVE-2019-19334.patch Normal file
View File

@ -0,0 +1,15 @@
diff --git a/src/parser.c b/src/parser.c
index e5d7ebbd..4828c7c0 100644
--- a/src/parser.c
+++ b/src/parser.c
@@ -1021,8 +1021,10 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo
module_name = (const char *)data1;
/* identity must always have a prefix */
if (!strchr(*value, ':')) {
+ LY_CHECK_ERR_RETURN(strlen(module_name) + 1 + strlen(*value) > buf_len, LOGBUF(*value), -1);
sprintf(buf, "%s:%s", module_name, *value);
} else {
+ LY_CHECK_ERR_RETURN(strlen(*value) > buf_len, LOGBUF(*value), -1);
strcpy(buf, *value);
}
break;

15
SPECS/libyang.spec
View File

@ -8,7 +8,7 @@
Name: libyang
Version: 0.16.105
Release: 3%{?dist}
Release: 3%{?dist}.2
Summary: YANG data modeling language library
Url: https://github.com/CESNET/libyang
Source: %{url}/archive/debian/libyang-%{version}-1.tar.gz
@ -27,6 +27,10 @@ BuildRequires: python3-devel
BuildRequires: flex
BuildRequires: bison
BuildRequires: graphviz
BuildRequires: git-core
Patch0001: 0001-libyang-0.16.105-CVE-2019-19333.patch
Patch0002: 0002-libyang-0.16.105-CVE-2019-19334.patch
%package devel
Summary: Development files for libyang
@ -72,7 +76,7 @@ Libyang is YANG data modeling language parser and toolkit
written (and providing API) in C.
%prep
%setup -q -n libyang-debian-libyang-%{version}-1
%autosetup -S git -n libyang-debian-libyang-%{version}-1
mkdir build
%build
@ -134,6 +138,13 @@ cp -r doc/html %{buildroot}/%{_docdir}/libyang/html
%{python3_sitearch}/__pycache__/yang*
%changelog
* Mon Dec 16 2019 Michal Ruprich <mruprich@redhat.com> - 0.16.105-3.2
- Related: #1779573 - Fixing a few covscan issues
* Tue Dec 10 2019 Michal Ruprich <mruprich@redhat.com> - 0.16.105-3.1
- Resolves: #1779573 - CVE-2019-19333 libyang: stack-based buffer overflow in make_canonical when bits leaf type is used
- Resolves: #1779576 - CVE-2019-19334 libyang: stack-based buffer overflow in make_canonical when identityref leaf type is used
* Mon May 27 2019 Michal Ruprich <mruprich@redhat.com> - 0.16.105-3
- Related: #1698076 - Adding gating file