[Buildroot] [PATCH 2/2] package/zlog: fix CVE-2021-43521
Fabrice Fontaine
fontaine.fabrice at gmail.com
Thu Apr 21 21:54:44 UTC 2022
A Buffer Overflow vulnerability exists in zlog 1.2.15 via
zlog_conf_build_with_file in src/zlog/src/conf.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
---
...verflow-at-zlog_conf_build_with_file.patch | 25 +++++++++++++++++++
package/zlog/zlog.mk | 3 +++
2 files changed, 28 insertions(+)
create mode 100644 package/zlog/0001-Fix-stack-buffer-overflow-at-zlog_conf_build_with_file.patch
diff --git a/package/zlog/0001-Fix-stack-buffer-overflow-at-zlog_conf_build_with_file.patch b/package/zlog/0001-Fix-stack-buffer-overflow-at-zlog_conf_build_with_file.patch
new file mode 100644
index 0000000000..d5f23e1b26
--- /dev/null
+++ b/package/zlog/0001-Fix-stack-buffer-overflow-at-zlog_conf_build_with_file.patch
@@ -0,0 +1,25 @@
+From a5be8b3a8ddc498de4ad041757285136a55d97e3 Mon Sep 17 00:00:00 2001
+From: XiangfeiCH <chenthrone at 163.com>
+Date: Tue, 12 Apr 2022 00:13:35 +0800
+Subject: [PATCH] Fix stack-buffer-overflow at zlog_conf_build_with_file
+
+[Retrieved from:
+https://github.com/HardySimpson/zlog/commit/a5be8b3a8ddc498de4ad041757285136a55d97e3]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
+---
+ src/conf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conf.c b/src/conf.c
+index 0f862fa..9a4cb75 100644
+--- a/src/conf.c
++++ b/src/conf.c
+@@ -305,7 +305,7 @@ static int zlog_conf_build_with_file(zlog_conf_t * a_conf)
+ /* Oops the buffer is full - what now? */
+ pline = line;
+ } else {
+- for (p--; isspace((int)*p); --p)
++ for (p--; p >= line && isspace((int)*p); --p)
+ /*EMPTY*/;
+ p++;
+ *p = 0;
diff --git a/package/zlog/zlog.mk b/package/zlog/zlog.mk
index c7b7035c1f..1929a45a3e 100644
--- a/package/zlog/zlog.mk
+++ b/package/zlog/zlog.mk
@@ -11,6 +11,9 @@ ZLOG_LICENSE_FILES = COPYING
ZLOG_CPE_ID_VENDOR = zlog_project
ZLOG_INSTALL_STAGING = YES
+# 0001-Fix-stack-buffer-overflow-at-zlog_conf_build_with_file.patch
+ZLOG_IGNORE_CVES += CVE-2021-43521
+
define ZLOG_BUILD_CMDS
$(TARGET_MAKE_ENV) $(MAKE1) CC="$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_LDFLAGS)" \
-C $(@D) all
--
2.35.1
More information about the buildroot
mailing list