main/pkgconf: add mitigation for CVE-2023-24056

2026-05-05 20:36:40 +02:00 · 2023-01-22 10:13:53 +00:00 · 2023-01-22 10:13:53 +00:00 · a757b1e70c
commit a757b1e70c
parent 9c97299217
2 changed files with 81 additions and 3 deletions
--- a/main/pkgconf/APKBUILD
+++ b/main/pkgconf/APKBUILD
@ -1,7 +1,7 @@
 # Maintainer: Ariadne Conill <ariadne@dereferenced.org>
 pkgname=pkgconf
 pkgver=1.7.4
-pkgrel=0
+pkgrel=1
 pkgdesc="development framework configuration tools"
 url="https://git.sr.ht/~kaniini/pkgconf"
 arch="all"
@ -9,9 +9,14 @@ license="ISC"
 replaces="pkgconfig"
 provides="pkgconfig=1"
 subpackages="$pkgname-doc $pkgname-dev"
-source="https://distfiles.dereferenced.org/pkgconf/pkgconf-$pkgver.tar.xz"
+source="https://distfiles.dereferenced.org/pkgconf/pkgconf-$pkgver.tar.xz
+	CVE-2023-24056.patch"
 checkdepends="kyua atf"

+# secfixes:
+#   1.7.4-r1:
+#     - CVE-2023-24056
+
 prepare() {
 	default_prepare
 	update_config_sub
@ -50,4 +55,7 @@ dev() {
 	mv "$subpkgdir"/usr/share/aclocal/pkg.m4 "$pkgdir"/usr/share/aclocal/
 }

-sha512sums="92c080684898b42824a1f1a7e3ce8a600896fc9c20fcf263f032b856fa4c7139607f87ba44d18ed358b8c5f4f04477708800d20a4e10f96e4268a55682f7f0c1  pkgconf-1.7.4.tar.xz"
+sha512sums="
+92c080684898b42824a1f1a7e3ce8a600896fc9c20fcf263f032b856fa4c7139607f87ba44d18ed358b8c5f4f04477708800d20a4e10f96e4268a55682f7f0c1  pkgconf-1.7.4.tar.xz
+fad38c14b0e91ccc4c82e1a1f688262e81f7cc63cf9372dd603d6bdacdd5288a2452aa19a2e0ac2a0f2ba4ab0262814d3ed5ef864f26ab1961ae9a01e80a98bc  CVE-2023-24056.patch
+"
--- a/main/pkgconf/CVE-2023-24056.patch
+++ b/main/pkgconf/CVE-2023-24056.patch
@ -0,0 +1,70 @@
+From 81cc9b3e6dafcdd02579bcccec6ac47d91e5d023 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Fri, 20 Jan 2023 22:07:03 +0000
+Subject: [PATCH] tuple: test for, and stop string processing, on truncation
+
+otherwise a buffer overflow occurs.
+this has been a bug in pkgconf since the beginning, it seems.
+instead of disclosing the bug correctly, a "hotshot" developer
+decided to blog about it instead.  sigh.
+
+https://nullprogram.com/blog/2023/01/18/
+---
+ libpkgconf/tuple.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c
+index 2d550d8..707fdf8 100644
+--- a/libpkgconf/tuple.c
+++ b/libpkgconf/tuple.c
+@@ -293,12 +293,23 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
+ 				}
+ 			}
+ 
+			PKGCONF_TRACE(client, "lookup tuple %s", varname);
+
+			size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
+ 			ptr += (pptr - ptr);
+ 			kv = pkgconf_tuple_find_global(client, varname);
+ 			if (kv != NULL)
+ 			{
+-				strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
+-				bptr += strlen(kv);
+				size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
+				if (nlen > remain)
+				{
+					pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+
+					bptr = buf + (PKGCONF_BUFSIZE - 1);
+					break;
+				}
+
+				bptr += nlen;
+ 			}
+ 			else
+ 			{
+@@ -306,12 +317,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
+ 
+ 				if (kv != NULL)
+ 				{
+					size_t nlen;
+
+ 					parsekv = pkgconf_tuple_parse(client, vars, kv);
+					nlen = pkgconf_strlcpy(bptr, parsekv, remain);
+					free(parsekv);
+ 
+-					strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
+-					bptr += strlen(parsekv);
+					if (nlen > remain)
+					{
+						pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+ 
+-					free(parsekv);
+						bptr = buf + (PKGCONF_BUFSIZE - 1);
+						break;
+					}
+
+					bptr += nlen;
+ 				}
+ 			}
+ 		}