diff --git a/0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch b/0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch new file mode 100644 index 0000000000000000000000000000000000000000..4cf1c9844657586db6c5cb6b3ade1f7b9eea9eca --- /dev/null +++ b/0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch @@ -0,0 +1,68 @@ +From a948ac01744f3490fa5af4b38039f7dade68bb3e Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 15 Apr 2020 15:45:02 -0400 +Subject: [PATCH EMBARGOED CVE-2020-10713] yylex: Make lexer fatal errors + actually be fatal + +When presented with a command that can't be tokenized to anything +smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg), +expecting that will stop further processing, as such: + + #define YY_DO_BEFORE_ACTION \ + yyg->yytext_ptr = yy_bp; \ + yyleng = (int) (yy_cp - yy_bp); \ + yyg->yy_hold_char = *yy_cp; \ + *yy_cp = '\0'; \ + if ( yyleng >= YYLMAX ) \ + YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \ + yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \ + yyg->yy_c_buf_p = yy_cp; + +The code flex generates expects that YY_FATAL_ERROR() will either return +for it or do some form of longjmp(), or handle the error in some way at +least, and so the strncpy() call isn't in an "else" clause, and thus if +YY_FATAL_ERROR() is *not* actually fatal, it does the call with the +questionable limit, and predictable results ensue. + +Unfortunately, our implementation of YY_FATAL_ERROR() is: + + #define YY_FATAL_ERROR(msg) \ + do { \ + grub_printf (_("fatal error: %s\n"), _(msg)); \ + } while (0) + +The same pattern exists in yyless(), and similar problems exist in users +of YY_INPUT(), several places in the main parsing loop, +yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack, +yy_scan_buffer(), etc. + +All of these callers expect YY_FATAL_ERROR() to actually be fatal, and +the things they do if it returns after calling it are wildly unsafe. + +Signed-off-by: Peter Jones +Reviewed-by: Daniel Kiper +--- + grub-core/script/yylex.l | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l +index 7b44c37b7..b7203c823 100644 +--- a/grub-core/script/yylex.l ++++ b/grub-core/script/yylex.l +@@ -37,11 +37,11 @@ + + /* + * As we don't have access to yyscanner, we cannot do much except to +- * print the fatal error. ++ * print the fatal error and exit. + */ + #define YY_FATAL_ERROR(msg) \ + do { \ +- grub_printf (_("fatal error: %s\n"), _(msg)); \ ++ grub_fatal (_("fatal error: %s\n"), _(msg));\ + } while (0) + + #define COPY(str, hint) \ +-- +2.11.0 + diff --git a/grub.patches b/grub.patches index cc3619086cf9ef502e29db4a655cfc75f8447c91..1b7623675e3f64c60e5d62f47334425e271ed4ae 100644 --- a/grub.patches +++ b/grub.patches @@ -251,6 +251,7 @@ Patch6008: normal-menu-Do-not-treat-error-values-as-key-presses.patch Patch6009: osdep-freebsd-Fix-partition-calculation-for-EBR-entr.patch Patch6010: 0001-CVE-2019-14865.patch Patch6011: 0002-CVE-2019-14865.patch +Patch6012: 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch Patch9000: 0001-fix-grub-search-configfile-failed-in-net.patch Patch9001: Workaround-for-EFI-Bug-Plan3.patch Patch9002: revert-0067-Be-more-aggro.patch diff --git a/grub2.spec b/grub2.spec index 03c89364853337ae0dcaaa34f7e8e94e7a75cdb6..398d0a1dc9069a3900496efae6665cdc9795b2d2 100644 --- a/grub2.spec +++ b/grub2.spec @@ -7,7 +7,7 @@ Name: grub2 Epoch: 1 Version: 2.02 -Release: 75 +Release: 76 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -361,6 +361,12 @@ fi %{_datadir}/man/man* %changelog +* Fri Jul 31 2020 openEuler Buildteam - 2.02-76 +- Type:cves +- Id:CVE-2020-10713 +- SUG:NA +- DESC:fix CVE-2020-10713 + * Fri Jun 5 2020 fengtao - 2.02-75 - remove sign for grub efi