From 9a4dd68239e7da0aa80a217968fd6ca7cc9efa89 Mon Sep 17 00:00:00 2001
From: Dongsu Park
Date: Mon, 11 Jan 2021 18:31:57 +0100
Subject: [PATCH] dev-util/bsdiff: fix heap overflow vulnerability CVE-2020-14315

Fix a heap overflow vulnerability in bspatch included in bsdiff. Originally the security issue was published as [FreeBSD-SA-16:29](https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc), which pointed to a FreeBSD [patch](https://security.freebsd.org/patches/SA-16:29/bspatch.patch). However, the patch was a set of huge changes including other unrelated changes. That's why it was not simple at all to apply the patch to bsdiff. Both Gentoo and Flatcar have not included the fix. Fortunately X41 D-SEC [examined](https://www.x41-dsec.de/security/news/working/research/2020/07/15/bspatch/) the issue again, and nailed down to a simple patch that can be easily applied to other trees. We simply take the patch with minimal changes. See also [CVE-2020-14315](https://nvd.nist.gov/vuln/detail/CVE-2020-14315).
---
 ...iff-4.3-r7.ebuild => bsdiff-4.3-r8.ebuild} | 4 +++-
 .../files/bsdiff-4.3-CVE-2020-14315.patch | 22 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 rename sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/{bsdiff-4.3-r7.ebuild => bsdiff-4.3-r8.ebuild} (87%)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/files/bsdiff-4.3-CVE-2020-14315.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/bsdiff-4.3-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/bsdiff-4.3-r8.ebuild
similarity index 87%
rename from sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/bsdiff-4.3-r7.ebuild
rename to sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/bsdiff-4.3-r8.ebuild
index 1c36fc7add..140635d62d 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/bsdiff-4.3-r7.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/bsdiff-4.3-r8.ebuild
@@ -18,8 +18,10 @@ RDEPEND="app-arch/bzip2"
 PATCHES=(
 "${FILESDIR}/${P}-CVE-2014-9862.patch"
 
- # Flatcar: Apply patch to change suffix sort to sais-lite
+ # Flatcar: Apply patch to change suffix sort to sais-lite, and
+ # to fix heap overflow vulnerability CVE-2020-14315.
 "${FILESDIR}/${PV}_bsdiff-convert-to-sais-lite-suffix-sort.patch"
+ "${FILESDIR}/${P}-CVE-2020-14315.patch"
 )
 
 src_compile() {
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/files/bsdiff-4.3-CVE-2020-14315.patch b/sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/files/bsdiff-4.3-CVE-2020-14315.patch
new file mode 100644
index 0000000000..1ee302dca2
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-util/bsdiff/files/bsdiff-4.3-CVE-2020-14315.patch
@@ -0,0 +1,22 @@
+--- a/bspatch.c 2021-01-11 15:53:32.642707355 +0100
++++ b/bspatch.c 2021-01-11 16:00:14.704637769 +0100
+@@ -35,6 +35,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ static off_t offtin(u_char *buf)
+ {
+@@ -152,8 +153,9 @@
+ };
+ 
+ /* Sanity-check */
+- if ((ctrl[0] < 0) || (ctrl[1] < 0))
+- errx(1,"Corrupt patch\n");
++ if (ctrl[0] < 0 || ctrl[0] > INT_MAX ||
++ ctrl[1] < 0 || ctrl[1] > INT_MAX)
++ errx(1, "Corrupt patch\n");
+ 
+ /* Sanity-check */
+ if(newpos+ctrl[0]>newsize)
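Review bot: The rewritten comment above the sais-lite patch entry now describes two unrelated patches, while the new `"${FILESDIR}/${P}-CVE-2020-14315.patch"` entry it also describes sits two lines below with no comment of its own. One comment per PATCHES entry keeps each rationale next to the file it applies to and leaves the existing sais-lite comment untouched: put `# Flatcar: fix heap overflow in bspatch (CVE-2020-14315)` directly above the new entry. Applying the CVE patch after the sais-lite patch is only safe if the latter does not touch bspatch.c, which cannot be confirmed from this hunk.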
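Review bot: The `#include` line added by the inner `@@ -35,6 +35,7 @@` hunk shows no header name in this rendering, yet the new check relies on `INT_MAX`, which only `<limits.h>` provides; the committed patch file should be verified to read `+#include <limits.h>`, otherwise bspatch.c will not compile after patching. The new bound also deserves a why-comment, because INT_MAX is not an obvious limit for off_t control values: presumably the lengths are later passed to an int parameter (the bzip2 read call) and would be truncated above that, so `/* ctrl[0]/ctrl[1] are later used as int lengths; larger values would be truncated */` above the `if` makes the fix self-explaining. The loop that consumes these values and the `oldpos` arithmetic lie outside the inner hunk, so whether the following `newpos+ctrl[0]>newsize` check is sufficient together with the new bound cannot be confirmed from this page.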