diff --git a/backport-0001-CVE-2024-40897.patch b/backport-0001-CVE-2024-40897.patch
new file mode 100644
index 0000000..69f2f0f
--- /dev/null
+++ b/backport-0001-CVE-2024-40897.patch
@@ -0,0 +1,123 @@
+From fb7db9ae3e8ac271651d1884a3611d30bac04a98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Tue, 9 Jul 2024 12:11:37 +0300
+Subject: [PATCH] Use vasprintf() if available for error messages and otherwise
+ vsnprintf()
+
+vasprintf() is a GNU/BSD extension and would allocate as much memory as required
+on the heap, similar to g_strdup_printf(). It's ridiculous that such a function
+is still not provided as part of standard C.
+
+If it's not available, use vsnprintf() to at least avoid stack/heap buffer
+overflows, which can lead to arbitrary code execution.
+
+Thanks to Noriko Totsuka for reporting.
+
+Fixes JVN#02030803 / JPCERT#92912620 / CVE-2024-40897
+Fixes #69
+
+Part-of:
+---
+ meson.build | 1 +
+ orc/orccompiler.c | 6 +++++-
+ orc/orcparse.c | 28 +++++++++++++++++++++++++---
+ 3 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index 4054c1d..d22c5e7 100644
+--- a/meson.build
++++ b/meson.build
+@@ -120,6 +120,7 @@ int main() {
+ '''
+ cdata.set('HAVE_MONOTONIC_CLOCK', cc.compiles(monotonic_test))
+ cdata.set('HAVE_GETTIMEOFDAY', cc.has_function('gettimeofday'))
++cdata.set('HAVE_VASPRINTF', cc.has_function('vasprintf'))
+ cdata.set('HAVE_POSIX_MEMALIGN', cc.has_function('posix_memalign', prefix : '#include '))
+ cdata.set('HAVE_MMAP', cc.has_function('mmap'))
+
+diff --git a/orc/orccompiler.c b/orc/orccompiler.c
+index 7f7b4d4..a1c9699 100644
+--- a/orc/orccompiler.c
++++ b/orc/orccompiler.c
+@@ -1310,8 +1310,12 @@ orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt,
+
+ if (compiler->error_msg) return;
+
++#ifdef HAVE_VASPRINTF
++ vasprintf (&s, fmt, args);
++#else
+ s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
+- vsprintf (s, fmt, args);
++ vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args);
++#endif
+ compiler->error_msg = s;
+ compiler->error = TRUE;
+ compiler->result = ORC_COMPILE_RESULT_UNKNOWN_COMPILE;
+diff --git a/orc/orcparse.c b/orc/orcparse.c
+index f46b0be..f90b5ff 100644
+--- a/orc/orcparse.c
++++ b/orc/orcparse.c
+@@ -16,6 +16,7 @@
+ * @short_description: Parse Orc source code
+ */
+
++#define ORC_ERROR_LENGTH 256
+
+ typedef struct _OrcParser OrcParser;
+ struct _OrcParser {
+@@ -401,11 +402,19 @@ opcode_arg_size (OrcStaticOpcode *opcode, int arg)
+ static void
+ orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
+ {
+- char s[100];
+ int len;
+
+ if (parser->error_program != parser->program) {
+- sprintf(s, "In function %s:\n", parser->program->name);
++#ifdef HAVE_VASPRINTF
++ char *s = NULL;
++ asprintf (&s, "In function %s:\n", parser->program->name);
++#elif defined(_UCRT)
++ char s[100] = { '\0' };
++ snprintf_s (s, 100, _TRUNCATE, "In function %s:\n", parser->program->name);
++#else
++ char s[100] = { '\0' };
++ snprintf (s, sizeof (s), "In function %s:\n", parser->program->name);
++#endif
+ len = strlen(s);
+
+ if (parser->log_size + len + 1 >= parser->log_alloc) {
+@@ -416,9 +425,18 @@ orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
+ strcpy (parser->log + parser->log_size, s);
+ parser->log_size += len;
+ parser->error_program = parser->program;
++#ifdef HAVE_VASPRINTF
++ free (s);
++#endif
+ }
+
+- vsprintf(s, format, args);
++#ifdef HAVE_VASPRINTF
++ char *s;
++ vasprintf (&s, format, args);
++#else
++ char s[ORC_ERROR_LENGTH] = { '\0' };
++ vsnprintf (s, sizeof (s), format, args);
++#endif
+ len = strlen(s);
+
+ if (parser->log_size + len + 1 >= parser->log_alloc) {
+@@ -428,6 +446,10 @@ orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
+
+ strcpy (parser->log + parser->log_size, s);
+ parser->log_size += len;
+ +
++#ifdef HAVE_VASPRINTF
++ free (s);
++#endif
+ }
+
+ static void
+--
+2.43.0
+
diff --git a/backport-0002-CVE-2024-40897.patch b/backport-0002-CVE-2024-40897.patch
new file mode 100644
index 0000000..9e6ce4d
--- /dev/null
+++ b/backport-0002-CVE-2024-40897.patch
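Review bot: The `vasprintf (&s, fmt, args);` added in orccompiler.c and the `asprintf`/`vasprintf` calls added in orc_parse_log_valist discard their return value, and the second `char *s;` that receives the result is not initialised at all; glibc documents that on allocation failure these functions return -1 and leave the output pointer undefined, so the following `len = strlen(s);` and `compiler->error_msg = s;` then read or store an indeterminate pointer. In orc_parse_log_valist a check such as `if (vasprintf (&s, format, args) < 0) return;` (and the equivalent after the `asprintf` in the first `if` block, before `len = strlen(s);`) keeps the existing log intact on OOM, and orc_compiler_error_valist should likewise test the result before `compiler->error_msg = s;`. The fallback `s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);` in the same hunk is pre-existing but equally unchecked, and `vsnprintf` would then write through a NULL pointer. orc_parse_log_valist is spread over three hunks here and its body continues outside each of them; the same unchecked calls also appear in backport-0002-CVE-2024-40897.patch below.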
@@ -0,0 +1,55 @@
+From abd75edff9de9a06d0531b9db50963a0da42145c Mon Sep 17 00:00:00 2001
+From: "L. E. Segovia"
+Date: Tue, 9 Jul 2024 12:03:53 -0300
+Subject: [PATCH] orccompiler, orcparse: Use secure UCRT printing functions on
+ Windows
+
+See #69
+
+Part-of:
+---
+ orc/orccompiler.c | 5 ++++-
+ orc/orcparse.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/orc/orccompiler.c b/orc/orccompiler.c
+index a1c9699..8131b9c 100644
+--- a/orc/orccompiler.c
++++ b/orc/orccompiler.c
+@@ -1306,12 +1306,15 @@ static void
+ orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt,
+ va_list args)
+ {
+- char *s;
++ char *s = NULL;
+
+ if (compiler->error_msg) return;
+
+ #ifdef HAVE_VASPRINTF
+ vasprintf (&s, fmt, args);
++#elif defined(_UCRT)
++ s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
++ vsnprintf_s (s, ORC_COMPILER_ERROR_BUFFER_SIZE, _TRUNCATE, fmt, args);
+ #else
+ s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
+ vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args);
+diff --git a/orc/orcparse.c b/orc/orcparse.c
+index f90b5ff..e24f698 100644
+--- a/orc/orcparse.c
++++ b/orc/orcparse.c
+@@ -431,8 +431,11 @@ orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
+ }
+
+ #ifdef HAVE_VASPRINTF
+- char *s;
++ char *s = NULL;
+ vasprintf (&s, format, args);
++#elif defined(_UCRT)
++ char s[ORC_ERROR_LENGTH] = { '\0' };
++ vsnprintf_s (s, ORC_ERROR_LENGTH, _TRUNCATE, format, args);
+ #else
+ char s[ORC_ERROR_LENGTH] = { '\0' };
+ vsnprintf (s, sizeof (s), format, args);
+--
+2.43.0
+
diff --git a/orc.spec b/orc.spec
index bc6d3d7..5ab2596 100644
--- a/orc.spec
+++ b/orc.spec
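Review bot: The new `_UCRT` branch in orc_compiler_error_valist does `s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);` and hands `s` straight to `vsnprintf_s` without a NULL check; the UCRT responds to a NULL buffer by invoking the invalid-parameter handler, which terminates the process by default, so an allocation failure while formatting an error message turns into a crash rather than a lost message. Add `if (!s) return;` between the two lines (the pre-existing `#else` branch, where plain `vsnprintf` would write through the NULL pointer, would benefit from the same guard). Initialising `char *s = NULL;` in both files does not make the `vasprintf` branch safe on its own, because the pointer is undefined rather than NULL when that call fails, so its return value still needs to be tested. orc_compiler_error_valist continues outside the first hunk, and the `len = strlen(s);` that consumes `s` in orc_parse_log_valist lies outside the second.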
@@ -1,11 +1,14 @@ Name: orc Version: 0.4.32 -Release: 2 +Release: 3 Summary: The Oil Run-time Compiler License: BSD URL: http://cgit.freedesktop.org/gstreamer/orc/ Source0: http://gstreamer.freedesktop.org/src/orc/%{name}-%{version}.tar.xz +Patch6000: backport-0001-CVE-2024-40897.patch +Patch6001: backport-0002-CVE-2024-40897.patch + BuildRequires: gtk-doc libtool BuildRequires: meson >= 0.47.0 @@ -80,7 +83,10 @@ The Orc compiler. %doc %{_datadir}/gtk-doc/html/orc/ %changelog -* Tue Oct 25 2022 wangjiang 0.4.32-2 +* Thu Aug 01 2024 wangjiang - 0.4.32-3 +- fix CVE-2024-40897 + +* Tue Oct 25 2022 wangjiang - 0.4.32-2 - Rebuild for next release * Thu Jan 28 2021 yuanxin - 0.4.32-1