[meta-filesystems][dunfell][PATCH 5/8] ntfs-3g-ntfsprogs: Add Patch For Multiple CVE


Ranjitsinh Rathod
 

From: Omkar Patil <omkar.patil@...>

Fixed CVE's:
CVE-2022-30785
CVE-2022-30787

Signed-off-by: Omkar Patil <omkar.patil@...>
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@...>
---
.../CVE-2022-30785_30787.patch | 32 +++++++++++++++++++
.../ntfs-3g-ntfsprogs_2021.8.22.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30785_30787.patch

diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30785_30787.patch b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30785_30787.patch
new file mode 100644
index 000000000..ae71e8ccf
--- /dev/null
+++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30785_30787.patch
@@ -0,0 +1,32 @@
+From fb28eef6f1c26170566187c1ab7dc913a13ea43c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <jean-pierre.andre@...>
+Date: Tue, 10 May 2022 10:48:18 +0200
+Subject: [PATCH] Hardened the checking of directory offset requested by a
+ readdir
+
+When asked for the next directory entries, make sure the chunk offset
+is within valid values, otherwise return no more entries in chunk.
+
+CVE: CVE-2022-30785
+CVE: CVE-2022-30787
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/n/ntfs-3g/ntfs-3g_2021.8.22-3ubuntu1.1.debian.tar.xz]
+Comment: No change in any hunk
+Signed-off-by: Omkar Patil <Omkar.Patil@...>
+
+---
+ libfuse-lite/fuse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libfuse-lite/fuse.c b/libfuse-lite/fuse.c
+index 6f9242b7..3d653e63 100644
+--- a/libfuse-lite/fuse.c
++++ b/libfuse-lite/fuse.c
+@@ -2223,7 +2223,7 @@ static void fuse_lib_readdir(fuse_req_t req, fuse_ino_t ino, size_t size,
+ }
+ }
+ if (dh->filled) {
+- if (off < dh->len) {
++ if ((off >= 0) && (off < dh->len)) {
+ if (off + size > dh->len)
+ size = dh->len - off;
+ } else
diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
index 9e233e127..ea8607e6d 100644
--- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
+++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \
file://CVE-2021-46790.patch \
file://CVE-2022-30783.patch \
file://CVE-2022-30784.patch \
+ file://CVE-2022-30785_30787.patch \
"

S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}"
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

Join openembedded-devel@lists.openembedded.org to automatically receive all group messages.