diff --git a/0001-Use-vasprintf-if-available-for-error-messages-and-ot.patch b/0001-Use-vasprintf-if-available-for-error-messages-and-ot.patch
new file mode 100644
index 0000000..0527e96
--- /dev/null
+++ b/0001-Use-vasprintf-if-available-for-error-messages-and-ot.patch
@@ -0,0 +1,115 @@
+From 4077146f8a49eeb0fc0c01ef45398aaca53bc958 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Wed, 31 Jul 2024 11:12:48 +0200
+Subject: [PATCH] Use vasprintf() if available for error messages and otherwise
+ vsnprintf()
+
+vasprintf() is a GNU/BSD extension and would allocate as much memory as required
+on the heap, similar to g_strdup_printf(). It's ridiculous that such a function
+is still not provided as part of standard C.
+
+If it's not available, use vsnprintf() to at least avoid stack/heap buffer
+overflows, which can lead to arbitrary code execution.
+
+Thanks to Noriko Totsuka for reporting.
+
+Fixes JVN#02030803 / JPCERT#92912620 / CVE-2024-40897
+Fixes #69
+
+Part-of:
+---
+ configure.ac | 1 +
+ meson.build | 1 +
+ orc/orccompiler.c | 6 +++++-
+ orc/orcparse.c | 18 +++++++++++++++---
+ 4 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index bdf89a6..0dd7d7a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -64,6 +64,7 @@ AC_CHECK_HEADERS([inttypes.h])
+ AC_CHECK_HEADERS([sys/time.h])
+ AC_CHECK_HEADERS([unistd.h])
+
++AC_CHECK_FUNCS([vasprintf])
+ AC_CHECK_FUNCS([gettimeofday])
+ AC_CHECK_FUNCS([sigaction])
+ AC_CHECK_FUNCS([sigsetjmp])
+diff --git a/meson.build b/meson.build
+index 32f6492..ec085f0 100644
+--- a/meson.build
++++ b/meson.build
+@@ -97,6 +97,7 @@ int main() {
+ '''
+ cdata.set('HAVE_MONOTONIC_CLOCK', cc.compiles(monotonic_test))
+ cdata.set('HAVE_GETTIMEOFDAY', cc.has_function('gettimeofday'))
++cdata.set('HAVE_VASPRINTF', cc.has_function('vasprintf'))
+ cdata.set('HAVE_POSIX_MEMALIGN', cc.has_function('posix_memalign'))
+ cdata.set('HAVE_MMAP', cc.has_function('mmap'))
+
+diff --git a/orc/orccompiler.c b/orc/orccompiler.c
+index 57c3ea4..6c16816 100644
+--- a/orc/orccompiler.c
++++ b/orc/orccompiler.c
+@@ -1207,8 +1207,12 @@ orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt,
+
+ if (compiler->error_msg) return;
+
++#ifdef HAVE_VASPRINTF
++ vasprintf (&s, fmt, args);
++#else
+ s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
+- vsprintf (s, fmt, args);
++ vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args);
++#endif
+ compiler->error_msg = s;
+ compiler->error = TRUE;
+ compiler->result = ORC_COMPILE_RESULT_UNKNOWN_COMPILE;
+diff --git a/orc/orcparse.c b/orc/orcparse.c
+index f46b0be..56a9c3a 100644
+--- a/orc/orcparse.c
++++ b/orc/orcparse.c
+@@ -401,9 +401,13 @@ opcode_arg_size (OrcStaticOpcode *opcode, int arg)
+ static void
+ orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
+ {
+- char s[100];
++#ifdef HAVE_VASPRINTF
++ char *s;
++#else
++ char s[100] = { '\0' };
++#endif
+ int len;
+-
+ +
+ if (parser->error_program != parser->program) {
+ sprintf(s, "In function %s:\n", parser->program->name);
+ len = strlen(s);
+@@ -418,7 +422,11 @@ orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
+ parser->error_program = parser->program;
+ }
+
+- vsprintf(s, format, args);
++#ifdef HAVE_VASPRINTF
++ vasprintf (&s, format, args);
++#else
++ vsnprintf (s, sizeof (s), format, args);
++#endif
+ len = strlen(s);
+
+ if (parser->log_size + len + 1 >= parser->log_alloc) {
+@@ -428,6 +436,10 @@ orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
+
+ strcpy (parser->log + parser->log_size, s);
+ parser->log_size += len;
+ +
++#ifdef HAVE_VASPRINTF
++ free (s);
++#endif
+ }
+
+ static void
+--
+2.45.2
+
diff --git a/orc.spec b/orc.spec
index bc7c6a6..aa5a565 100644
--- a/orc.spec
+++ b/orc.spec
@@ -1,6 +1,6 @@
 Name: orc
 Version: 0.4.28
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: The Oil Run-time Compiler
 Group: System Environment/Libraries
@@ -10,6 +10,7 @@ Source0: http://gstreamer.freedesktop.org/src/orc/%{name}-%{version}.tar.xz
 # upstream patches
 Patch0: 0001-x86-add-endbr32-and-endbr64-instructions.patch
+Patch1: 0001-Use-vasprintf-if-available-for-error-messages-and-ot.patch
 BuildRequires: gtk-doc, libtool
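Review bot: In the new `#ifdef HAVE_VASPRINTF` branch of orc_parse_log_valist, `s` becomes an uninitialized `char *s;`, yet the context line `sprintf(s, "In function %s:\n", parser->program->name);` a few lines below still writes through it before the new `vasprintf (&s, format, args);` ever assigns it, so the function-name prefix path writes through an indeterminate pointer; the same `sprintf` also stays unbounded in the `#else` branch, where a long program name can still overflow the 100-byte stack buffer this commit set out to protect. Both `vasprintf()` calls (here and in orc_compiler_error_valist, whose `s` declaration and body begin outside the hunk) also discard the return value; on allocation failure the contents of `s` are unspecified and the following `strlen(s)` / `compiler->error_msg = s` use it anyway, so each needs a guard such as `if (vasprintf (&s, format, args) < 0) return;`. The prefix block should be formatted by the same mechanism as the message and released once it has been copied into parser->log; the copy code between the two orcparse.c hunks is not visible here, so the sketch below marks it as unchanged.
```c
  if (parser->error_program != parser->program) {
#ifdef HAVE_VASPRINTF
    if (asprintf (&s, "In function %s:\n", parser->program->name) < 0)
      return;
#else
    snprintf (s, sizeof (s), "In function %s:\n", parser->program->name);
#endif
    len = strlen (s);
    /* … unchanged (between the two hunks): grow parser->log and copy the prefix … */
#ifdef HAVE_VASPRINTF
    free (s);
#endif
    parser->error_program = parser->program;
  }

#ifdef HAVE_VASPRINTF
  if (vasprintf (&s, format, args) < 0)
    return;
#else
  vsnprintf (s, sizeof (s), format, args);
#endif
  len = strlen (s);
```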
@@ -53,6 +54,7 @@ The Orc compiler, to produce optimized code.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 gtkdocize --copy
 NOCONFIGURE=1 autoreconf -vif
@@ -105,6 +107,10 @@ make check
 %changelog
+* Wed Jul 31 2024 Wim Taymans 0.4.28-4
+- Add patch for CVE-2024-40897
+- Resolves: RHEL-50710
+
 * Thu Sep 12 2019 Wim Taymans 0.4.28-3
 - x86: add endbr32 and endbr64 instructions
 - Resolves: rhbz#1693292