Skip to content
Snippets Groups Projects
Commit 089e41c4 authored by Ariadne Conill's avatar Ariadne Conill
Browse files

main/aspell: add mitigation for CVE-2019-25051 / OSV-2020-521

parent 136e0f8c
No related branches found
No related tags found
No related merge requests found
......@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=aspell
pkgver=0.60.8
pkgrel=0
pkgrel=1
pkgdesc="A spell checker designed to eventually replace Ispell"
url="http://aspell.net/"
arch="all"
......@@ -11,9 +11,12 @@ subpackages="$pkgname-compat::noarch $pkgname-utils $pkgname-dev $pkgname-doc
$pkgname-lang $pkgname-libs"
depends_dev="$pkgname-utils"
makedepends="ncurses-dev perl gettext-dev"
source="https://ftp.gnu.org/gnu/aspell/aspell-$pkgver.tar.gz"
source="https://ftp.gnu.org/gnu/aspell/aspell-$pkgver.tar.gz
CVE-2019-25051.patch"
# secfixes:
# 0.60.8-r1:
# - CVE-2019-25051
# 0.60.8-r0:
# - CVE-2019-17544
......@@ -63,4 +66,7 @@ libs() {
rm -fr "$pkgdir"/usr/lib
}
sha512sums="8ef4952c553b6234dfe777240d2d97beb13ef9201e18d56bee3b5068d13525db3625b7130d9f5122f7c529da0ccb0c70eb852a81472a7d15fb7c4ee5ba21cd29 aspell-0.60.8.tar.gz"
sha512sums="
8ef4952c553b6234dfe777240d2d97beb13ef9201e18d56bee3b5068d13525db3625b7130d9f5122f7c529da0ccb0c70eb852a81472a7d15fb7c4ee5ba21cd29 aspell-0.60.8.tar.gz
529f3f4737d2e19f7571f4c8666b1cd089cc4e9dfdaa52dc468919f01ce9f8f8112d8fe8afda295b3dfb92f5e0c2bbd79bf1ec69f06c163c32eb28f0168ab263 CVE-2019-25051.patch
"
From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
From: Kevin Atkinson <kevina@gnu.org>
Date: Sat, 21 Dec 2019 20:32:47 +0000
Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
to prevent a buffer overflow
Bug found using OSS-Fuze.
---
common/objstack.hpp | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/common/objstack.hpp b/common/objstack.hpp
index 3997bf7..bd97ccd 100644
--- a/common/objstack.hpp
+++ b/common/objstack.hpp
@@ -5,6 +5,7 @@
#include "parm_string.hpp"
#include <stdlib.h>
#include <assert.h>
+#include <stddef.h>
namespace acommon {
@@ -26,6 +27,12 @@ class ObjStack
byte * temp_end;
void setup_chunk();
void new_chunk();
+ bool will_overflow(size_t sz) const {
+ return offsetof(Node,data) + sz > chunk_size;
+ }
+ void check_size(size_t sz) {
+ assert(!will_overflow(sz));
+ }
ObjStack(const ObjStack &);
void operator=(const ObjStack &);
@@ -56,7 +63,7 @@ class ObjStack
void * alloc_bottom(size_t size) {
byte * tmp = bottom;
bottom += size;
- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
+ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
return tmp;
}
// This alloc_bottom will insure that the object is aligned based on the
@@ -66,7 +73,7 @@ class ObjStack
align_bottom(align);
byte * tmp = bottom;
bottom += size;
- if (bottom > top) {new_chunk(); goto loop;}
+ if (bottom > top) {check_size(size); new_chunk(); goto loop;}
return tmp;
}
char * dup_bottom(ParmString str) {
@@ -79,7 +86,7 @@ class ObjStack
// always be aligned as such.
void * alloc_top(size_t size) {
top -= size;
- if (top < bottom) {new_chunk(); top -= size;}
+ if (top < bottom) {check_size(size); new_chunk(); top -= size;}
return top;
}
// This alloc_top will insure that the object is aligned based on
@@ -88,7 +95,7 @@ class ObjStack
{loop:
top -= size;
align_top(align);
- if (top < bottom) {new_chunk(); goto loop;}
+ if (top < bottom) {check_size(size); new_chunk(); goto loop;}
return top;
}
char * dup_top(ParmString str) {
@@ -117,6 +124,7 @@ class ObjStack
void * alloc_temp(size_t size) {
temp_end = bottom + size;
if (temp_end > top) {
+ check_size(size);
new_chunk();
temp_end = bottom + size;
}
@@ -131,6 +139,7 @@ class ObjStack
} else {
size_t s = temp_end - bottom;
byte * p = bottom;
+ check_size(size);
new_chunk();
memcpy(bottom, p, s);
temp_end = bottom + size;
@@ -150,6 +159,7 @@ class ObjStack
} else {
size_t s = temp_end - bottom;
byte * p = bottom;
+ check_size(size);
new_chunk();
memcpy(bottom, p, s);
temp_end = bottom + size;
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment