From 1a5b8447292acca23cff88a80dbc41c2c770cd2b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Dec 23 2019 03:33:27 +0000 Subject: import libyang-0.16.105-3.el8_1.2 --- diff --git a/SOURCES/0001-libyang-0.16.105-CVE-2019-19333.patch b/SOURCES/0001-libyang-0.16.105-CVE-2019-19333.patch new file mode 100644 index 0000000..7802a52 --- /dev/null +++ b/SOURCES/0001-libyang-0.16.105-CVE-2019-19333.patch @@ -0,0 +1,242 @@ +diff --git a/src/parser.c b/src/parser.c +index 38fd137b..e5d7ebbd 100644 +--- a/src/parser.c ++++ b/src/parser.c +@@ -979,7 +979,7 @@ lyp_precompile_pattern(struct ly_ctx *ctx, const char *pattern, pcre** pcre_cmp, + * @param[in] data2 If \p type is #LY_TYPE_BITS: (int *) type bit field length, + * #LY_TYPE_DEC64: (uint8_t *) number of fraction digits (position of the floating point), + * otherwise ignored. +- * @return 1 if a conversion took place, 0 if the value was kept the same. ++ * @return 1 if a conversion took place, 0 if the value was kept the same, -1 on error. + */ + static int + make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, void *data2) +@@ -994,6 +994,8 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo + uint64_t unum; + uint8_t c; + ++#define LOGBUF(str) LOGERR(ctx, LY_EINVAL, "Value \"%s\" is too long.", str) ++ + switch (type) { + case LY_TYPE_BITS: + bits = (struct lys_type_bit **)data1; +@@ -1006,8 +1008,10 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo + continue; + } + if (buf[0]) { ++ LY_CHECK_ERR_RETURN(strlen(buf) + 1 + strlen(bits[i]->name) > buf_len, LOGBUF(bits[i]->name), -1); + sprintf(buf + strlen(buf), " %s", bits[i]->name); + } else { ++ LY_CHECK_ERR_RETURN(strlen(bits[i]->name) > buf_len, LOGBUF(bits[i]->name), -1); + strcpy(buf, bits[i]->name); + } + } +@@ -1025,7 +1029,7 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo + + case LY_TYPE_INST: + exp = lyxp_parse_expr(ctx, *value); +- LY_CHECK_ERR_RETURN(!exp, LOGINT(ctx), 0); ++ LY_CHECK_ERR_RETURN(!exp, LOGINT(ctx), -1); + + module_name = NULL; + count = 0; +@@ -1035,9 +1039,9 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo + /* copy WS */ + if (i && ((end = exp->expr + exp->expr_pos[i - 1] + exp->tok_len[i - 1]) != cur_expr)) { + if (count + (cur_expr - end) > buf_len) { +- LOGINT(ctx); + lyxp_expr_free(exp); +- return 0; ++ LOGBUF(end); ++ return -1; + } + strncpy(&buf[count], end, cur_expr - end); + count += cur_expr - end; +@@ -1051,9 +1055,9 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo + if (!module_name || strncmp(cur_expr, module_name, j)) { + /* print module name with colon, it does not equal to the parent one */ + if (count + j > buf_len) { +- LOGINT(ctx); + lyxp_expr_free(exp); +- return 0; ++ LOGBUF(cur_expr); ++ return -1; + } + strncpy(&buf[count], cur_expr, j); + count += j; +@@ -1062,17 +1066,17 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo + + /* copy the rest */ + if (count + (exp->tok_len[i] - j) > buf_len) { +- LOGINT(ctx); + lyxp_expr_free(exp); +- return 0; ++ LOGBUF(end); ++ return -1; + } + strncpy(&buf[count], end, exp->tok_len[i] - j); + count += exp->tok_len[i] - j; + } else { + if (count + exp->tok_len[i] > buf_len) { +- LOGINT(ctx); ++ LOGBUF(&exp->expr[exp->expr_pos[i]]); + lyxp_expr_free(exp); +- return 0; ++ return -1; + } + strncpy(&buf[count], &exp->expr[exp->expr_pos[i]], exp->tok_len[i]); + count += exp->tok_len[i]; +@@ -1081,7 +1085,7 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo + if (count > buf_len) { + LOGINT(ctx); + lyxp_expr_free(exp); +- return 0; ++ return -1; + } + buf[count] = '\0'; + +@@ -1146,6 +1150,8 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo + } + + return 0; ++ ++#undef LOGBUF + } + + static const char * +@@ -1412,7 +1418,10 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + c = c + len; + } + +- make_canonical(ctx, LY_TYPE_BITS, value_, bits, &type->info.bits.count); ++ if (make_canonical(ctx, LY_TYPE_BITS, value_, bits, &type->info.bits.count) == -1) { ++ free(bits); ++ goto error; ++ } + + if (store) { + /* store the result */ +@@ -1470,7 +1479,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + goto error; + } + +- make_canonical(ctx, LY_TYPE_DEC64, value_, &num, &type->info.dec64.dig); ++ if (make_canonical(ctx, LY_TYPE_DEC64, value_, &num, &type->info.dec64.dig) == -1) { ++ goto error; ++ } + + if (store) { + /* store the result */ +@@ -1598,7 +1609,10 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + type->parent->flags |= LYS_DFLTJSON; + } + +- make_canonical(ctx, LY_TYPE_IDENT, &value, (void*)lys_main_module(local_mod)->name, NULL); ++ if (make_canonical(ctx, LY_TYPE_IDENT, &value, (void*)lys_main_module(local_mod)->name, NULL) == -1) { ++ lydict_remove(ctx, value); ++ goto error; ++ } + + /* replace the old value with the new one (even if they may be the same) */ + lydict_remove(ctx, *value_); +@@ -1651,7 +1665,11 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + /* turn logging back on */ + ly_ilo_restore(NULL, prev_ilo, NULL, 0); + } else { +- if (make_canonical(ctx, LY_TYPE_INST, &value, NULL, NULL)) { ++ if ((c = make_canonical(ctx, LY_TYPE_INST, &value, NULL, NULL))) { ++ if (c == -1) { ++ goto error; ++ } ++ + /* if a change occured, value was removed from the dicionary so fix the pointers */ + *value_ = value; + } +@@ -1749,7 +1767,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + goto error; + } + +- make_canonical(ctx, LY_TYPE_INT8, value_, &num, NULL); ++ if (make_canonical(ctx, LY_TYPE_INT8, value_, &num, NULL) == -1) { ++ goto error; ++ } + + if (store) { + /* store the result */ +@@ -1764,7 +1784,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + goto error; + } + +- make_canonical(ctx, LY_TYPE_INT16, value_, &num, NULL); ++ if (make_canonical(ctx, LY_TYPE_INT16, value_, &num, NULL) == -1) { ++ goto error; ++ } + + if (store) { + /* store the result */ +@@ -1779,7 +1801,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + goto error; + } + +- make_canonical(ctx, LY_TYPE_INT32, value_, &num, NULL); ++ if (make_canonical(ctx, LY_TYPE_INT32, value_, &num, NULL) == -1) { ++ goto error; ++ } + + if (store) { + /* store the result */ +@@ -1795,7 +1819,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + goto error; + } + +- make_canonical(ctx, LY_TYPE_INT64, value_, &num, NULL); ++ if (make_canonical(ctx, LY_TYPE_INT64, value_, &num, NULL) == -1) { ++ goto error; ++ } + + if (store) { + /* store the result */ +@@ -1810,7 +1836,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + goto error; + } + +- make_canonical(ctx, LY_TYPE_UINT8, value_, &unum, NULL); ++ if (make_canonical(ctx, LY_TYPE_UINT8, value_, &unum, NULL) == -1) { ++ goto error; ++ } + + if (store) { + /* store the result */ +@@ -1825,7 +1853,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + goto error; + } + +- make_canonical(ctx, LY_TYPE_UINT16, value_, &unum, NULL); ++ if (make_canonical(ctx, LY_TYPE_UINT16, value_, &unum, NULL) == -1) { ++ goto error; ++ } + + if (store) { + /* store the result */ +@@ -1840,7 +1870,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + goto error; + } + +- make_canonical(ctx, LY_TYPE_UINT32, value_, &unum, NULL); ++ if (make_canonical(ctx, LY_TYPE_UINT32, value_, &unum, NULL) == -1) { ++ goto error; ++ } + + if (store) { + /* store the result */ +@@ -1855,7 +1887,9 @@ lyp_parse_value(struct lys_type *type, const char **value_, struct lyxml_elem *x + goto error; + } + +- make_canonical(ctx, LY_TYPE_UINT64, value_, &unum, NULL); ++ if (make_canonical(ctx, LY_TYPE_UINT64, value_, &unum, NULL) == -1) { ++ goto error; ++ } + + if (store) { + /* store the result */ diff --git a/SOURCES/0002-libyang-0.16.105-CVE-2019-19334.patch b/SOURCES/0002-libyang-0.16.105-CVE-2019-19334.patch new file mode 100644 index 0000000..3c6fcc7 --- /dev/null +++ b/SOURCES/0002-libyang-0.16.105-CVE-2019-19334.patch @@ -0,0 +1,15 @@ +diff --git a/src/parser.c b/src/parser.c +index e5d7ebbd..4828c7c0 100644 +--- a/src/parser.c ++++ b/src/parser.c +@@ -1021,8 +1021,10 @@ make_canonical(struct ly_ctx *ctx, int type, const char **value, void *data1, vo + module_name = (const char *)data1; + /* identity must always have a prefix */ + if (!strchr(*value, ':')) { ++ LY_CHECK_ERR_RETURN(strlen(module_name) + 1 + strlen(*value) > buf_len, LOGBUF(*value), -1); + sprintf(buf, "%s:%s", module_name, *value); + } else { ++ LY_CHECK_ERR_RETURN(strlen(*value) > buf_len, LOGBUF(*value), -1); + strcpy(buf, *value); + } + break; diff --git a/SPECS/libyang.spec b/SPECS/libyang.spec index 24947b9..b2ed4cb 100644 --- a/SPECS/libyang.spec +++ b/SPECS/libyang.spec @@ -8,7 +8,7 @@ Name: libyang Version: 0.16.105 -Release: 3%{?dist} +Release: 3%{?dist}.2 Summary: YANG data modeling language library Url: https://github.com/CESNET/libyang Source: %{url}/archive/debian/libyang-%{version}-1.tar.gz @@ -27,6 +27,10 @@ BuildRequires: python3-devel BuildRequires: flex BuildRequires: bison BuildRequires: graphviz +BuildRequires: git-core + +Patch0001: 0001-libyang-0.16.105-CVE-2019-19333.patch +Patch0002: 0002-libyang-0.16.105-CVE-2019-19334.patch %package devel Summary: Development files for libyang @@ -72,7 +76,7 @@ Libyang is YANG data modeling language parser and toolkit written (and providing API) in C. %prep -%setup -q -n libyang-debian-libyang-%{version}-1 +%autosetup -S git -n libyang-debian-libyang-%{version}-1 mkdir build %build @@ -134,6 +138,13 @@ cp -r doc/html %{buildroot}/%{_docdir}/libyang/html %{python3_sitearch}/__pycache__/yang* %changelog +* Mon Dec 16 2019 Michal Ruprich - 0.16.105-3.2 +- Related: #1779573 - Fixing a few covscan issues + +* Tue Dec 10 2019 Michal Ruprich - 0.16.105-3.1 +- Resolves: #1779573 - CVE-2019-19333 libyang: stack-based buffer overflow in make_canonical when bits leaf type is used +- Resolves: #1779576 - CVE-2019-19334 libyang: stack-based buffer overflow in make_canonical when identityref leaf type is used + * Mon May 27 2019 Michal Ruprich - 0.16.105-3 - Related: #1698076 - Adding gating file