[CVE-2022-23990] lib: Prevent integer overflow in function doProlog #551

Merged
merged 2 commits into from
Jan 26, 2022

Member

@hartwork hartwork commented Jan 26, 2022

The related code has been introduced by commit cb8a4c7 about 20 years ago.
A CVE has been requested from Mitre just now.

CC @rillig

@hartwork hartwork added this to the 2.4.4 milestone Jan 26, 2022
@hartwork hartwork changed the title Prevent integer overflow in function doProlog lib: Prevent integer overflow in function doProlog Jan 26, 2022
@hartwork hartwork force-pushed the prevent-doprolog-overflow branch from 75761d4 to 89c54a3 Compare January 26, 2022 02:19
@hartwork hartwork changed the title lib: Prevent integer overflow in function doProlog [CVE-2022-23990] lib: Prevent integer overflow in function doProlog Jan 26, 2022
@hartwork
Member Author

Got CVE-2022-23990 just now

The change from "int nameLen" to "size_t nameLen"
addresses the overflow on "nameLen++" in code
"for (; name[nameLen++];)" right above the second
change in the patch.
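
An added illustration of the pattern this comment describes, not code from the thread or from libexpat: the helper names `add_name_len` and `add_unchecked`, the `UINT_MAX` guard, and the sample values are assumptions, since the patch itself is not shown on this page.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not libexpat code): adds the length of `name`,
 * counted the way the quoted loop counts it (terminating NUL included),
 * to an unsigned running total. Returns 0 on success, -1 if the sum
 * would not fit in unsigned int; the total is left unchanged then. */
static int add_name_len(unsigned int *total, const char *name) {
  /* size_t counter: with "int nameLen", nameLen++ past INT_MAX would be
   * signed overflow, which is undefined behaviour in C. */
  size_t nameLen = 0;
  for (; name[nameLen++];)
    ;
  /* Check before adding, so the addition itself can never wrap. */
  if (nameLen > UINT_MAX - *total)
    return -1;
  *total += (unsigned int)nameLen;
  return 0;
}

/* Unchecked form for comparison: unsigned arithmetic wraps silently,
 * so the total can end up smaller than it was before the addition. */
static unsigned int add_unchecked(unsigned int total, size_t nameLen) {
  return total + (unsigned int)nameLen;
}

int main(void) {
  unsigned int total = UINT_MAX - 3;    /* constructed: counter near its limit */
  int rc = add_name_len(&total, "abc"); /* 3 chars + NUL = 4, one too many */
  printf("checked:   rc=%d total=%u\n", rc, total);
  printf("unchecked: total=%u\n", add_unchecked(UINT_MAX - 3, 4));
  return 0;
}
```

A wrapped length total is dangerous when it later sizes an allocation, because the buffer ends up smaller than the data copied into it.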
@hartwork hartwork force-pushed the prevent-doprolog-overflow branch from 89c54a3 to 6e34495 Compare January 26, 2022 18:33
@rillig
rillig commented Jan 26, 2022

Looks good to me, same pattern as everywhere else. The data types are consistently unsigned int in this case.

@hartwork hartwork merged commit 5c16827 into master Jan 26, 2022
@hartwork
Member Author

@rillig thanks for the review! 👍

@hartwork hartwork deleted the prevent-doprolog-overflow branch January 29, 2022 21:16
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this pull request Mar 9, 2022
Source: https://github.com/libexpat/libexpat
MR: 115289
Type: Security Fix
Disposition: Backport from libexpat/libexpat#551
ChangeID: d95b360ccd5b3cce4e8bcc4a279b660cefed197c
Description:

CVE-2022-23990 expat: integer overflow in the doProlog function

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this pull request Apr 6, 2022
Source: libexpat/libexpat#551
MR: 115285
Type: Security Fix
Disposition: Backport from libexpat/libexpat#551
ChangeID: 52032b80970b3a40e5c34198dabf8b72e46c3e26
Description:
           lib: Prevent integer overflow in doProlog (CVE-2022-23990)
           The change from "int nameLen" to "size_t nameLen"
           addresses the overflow on "nameLen++" in code
           "for (; name[nameLen++];)" right above the second
           change in the patch.

Signed-off-by: vivek kumbhar <vkumbhar@mvista.com>
Reviewed-by:  Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>