talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity
nixpkgs/pkgs/tools/misc/coreutils/CVE-2025-5278.patch
Vladimír Čunát 59918e44cf
coreutils: avoid autotools by not adding a new test 
Extra dependencies can be annoying by making stdenv bootstrapping
more complex.
2025-05-30 18:39:59 +02:00

70 lines
2.2 KiB
Diff
Raw Blame History

From 8c9602e3a145e9596dc1a63c6ed67865814b6633 Mon Sep 17 00:00:00 2001
From: Pádraig Brady <P@draigBrady.com>
Date: Tue, 20 May 2025 16:03:44 +0100
Subject: sort: fix buffer under-read (CWE-127)
* src/sort.c (begfield): Check pointer adjustment
to avoid Out-of-range pointer offset (CWE-823).
(limfield): Likewise.
* tests/sort/sort-field-limit.sh: Add a new test,
which triggers with ASAN or Valgrind.
* tests/local.mk: Reference the new test.
* NEWS: Mention bug fix introduced in v7.2 (2009).
Fixes https://bugs.gnu.org/78507
---
NEWS | 5 +++++
src/sort.c | 12 ++++++++++--
tests/local.mk | 1 +
tests/sort/sort-field-limit.sh | 35 +++++++++++++++++++++++++++++++++++
4 files changed, 51 insertions(+), 2 deletions(-)
create mode 100755 tests/sort/sort-field-limit.sh
The new tests is NOT added in NixOS.
diff --git a/NEWS b/NEWS
index 6ff403206..923aa72f8 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,11 @@ GNU coreutils NEWS -*- outline -*-
copying to non-NFS files from NFSv4 files with trivial ACLs.
[bug introduced in coreutils-9.6]
+ sort with key character offsets of SIZE_MAX, could induce
+ a read of 1 byte before an allocated heap buffer. For example:
+ 'sort +0.18446744073709551615R input' on 64 bit systems.
+ [bug introduced in coreutils-7.2]
+
* Noteworthy changes in release 9.7 (2025-04-09) [stable]
diff --git a/src/sort.c b/src/sort.c
index b10183b6f..7af1a2512 100644
--- a/src/sort.c
+++ b/src/sort.c
@@ -1644,7 +1644,11 @@ begfield (struct line const *line, struct keyfield const *key)
++ptr;
/* Advance PTR by SCHAR (if possible), but no further than LIM. */
- ptr = MIN (lim, ptr + schar);
+ size_t remaining_bytes = lim - ptr;
+ if (schar < remaining_bytes)
+ ptr += schar;
+ else
+ ptr = lim;
return ptr;
}
@@ -1746,7 +1750,11 @@ limfield (struct line const *line, struct keyfield const *key)
++ptr;
/* Advance PTR by ECHAR (if possible), but no further than LIM. */
- ptr = MIN (lim, ptr + echar);
+ size_t remaining_bytes = lim - ptr;
+ if (echar < remaining_bytes)
+ ptr += echar;
+ else
+ ptr = lim;
}
return ptr;
Reference in New Issue View Git Blame Copy Permalink