Commit Graph

1168 Commits (5eb9cae0091e94c7a807360ef13019e5e9fef805)

Author SHA1 Message Date
Tobias Stoeckmann 5eb9cae009 libpkgconf: tuple: fix out of boundary write
This is the same issue which has been fixed in dependency code.

If a line contains a variable which is longer than PKGCONF_ITEM_SIZE,
then the varname buffer overflows.

The code itself still does not check if a closing } exists and
truncates variable names which are too long. Since these would
be functional changes and this commit is about a protection against
undefined behaviour on a language level, these changes are not
included.

Proof of concept:
$ echo "Description: poc" > poc.pc
$ echo "Version: 1" >> poc.pc
$ echo -n 'Name: ${'
$ dd if=/dev/zero bs=1 count=66535 | tr '\0' 'x' >> poc.pc
$ echo >> poc.pc
$ pkgconf poc.pc

On my Linux system, when compiled with gcc, the varname buffer overflows
directly into buf, which means that no crash can be notified.

It's easiest to figure out when adding strlen() and sizeof() output
as debug lines.
2020-05-30 19:09:24 -06:00
Tobias Stoeckmann 100bc605de libpkgconf: fragment: fix out of boundary write
fragment_quote adds quotation to fragments if needed. It allocates a
buffer and grows it as needed.

Unfortunately the dst pointer is not updated after a realloc, which
means that dst still points into the old memory area. Further writing
characters into that area leads to out of boundy writes.

Proof of concept:

$ cat > poc.pc << EOF
Name: poc
Description: poc
Version: 1
CFlags: -Ia
CFlags: -I%%%%%%%%%%%%%%%%%%%%b
CFlags: -I%%%%%%%%%%%%%%%%%%%%c
CFlags: -Id
EOF
$ pkgconf --cflags poc.pc

Most reliable attempt is to compile pkgconf with address sanitizer,
but this file should lead to an abort on a glibc system due to modified
chunk pointers (tested with Linux on amd64).

But since this is undefined behaviour, it depends on system details.
2020-05-30 19:05:53 -06:00
Ariadne Conill 7bd08a51bf update NEWS 2020-05-30 12:43:08 -06:00
Tobias Stoeckmann dc04193c48 libpkgconf: fragment: fix out of boundary read
Parsing a fragment which consists only of a single dash leads to
an out of boundary read. It duplicates the following entry which
is not expected behaviour if another fragment follows.

Proof of concept:

$ cat > poc.pc << "EOF"
Name: poc
Description: poc
Version: 1
Cflags: - -I/somewhere
EOF
$ PKG_CONFIG_PATH=. pkgconf --cflags poc
-I/somewhere -I/somewhere

If - is the last entry, it leads to an out of boundary read, which is
easy to see if pkgconf is compiled with address sanitizer.
2020-05-30 12:43:08 -06:00
Vincent Torri 42b355310f fix missing backslashes in paths on Windows
According to

https://docs.microsoft.com/fr-fr/windows/win32/fileio/naming-a-file

backslashes (with slashes) are a path separator, hence must no be
considered as an escape code.

The first fix, in argvsplit.c, disables this. But because of fragment_quote(),
the backslashes are doubled. Hence the second fix in fragment.c

With this pc file :

prefix=C:/Documents/msys2/opt/efl_64
libdir=${prefix}/lib
includedir=${prefix}/include

Name: eina
Description: efl: eina
Version: 1.24.99
Requires.private: iconv
Libs: -L${libdir} -leina -pthread -levil
Libs.private: -lpsapi -lole32 -lws2_32 -lsecur32 -luuid -lregex -lm
Cflags:-I${includedir}/eina-1 -I${includedir}/efl-1
-I${includedir}/eina-1/eina -pthread

pkgconf.exe --cflags eina

returns :

-IC:\Documents\msys2\opt\efl_64/include/eina-1
-IC:\Documents\msys2\opt\efl_64/include/efl-1
-IC:\Documents\msys2\opt\efl_64/include/eina-1/eina -pthread
-DWINICONV_CONST= -IC:\Documents\msys2\opt\ewpi_64/include
2020-05-30 12:39:43 -06:00
Ariadne Conill e3e89926b5 start NEWS for 1.7.3 2020-05-26 14:04:34 -06:00
Tobias Stoeckmann fb9acedcad libpkgconf: dependency: fix out of boundary write
It is possible to trigger an out of boundary write in function
pkgconf_dependency_parse_str if a dependency line contains a very
long comparator. The comparator is stored in a temporary buffer which
has a size of PKGCONF_ITEM_SIZE.

The line which is parsed can be up to PKGCONF_BUFSIZE characters long,
which is larger than PKGCONF_ITEM_SIZE (although it depends on PATH_MAX).

Having a comparator which is longer than PKGCONF_ITEM_SIZE therefore
leads to an out of boundary write. Although it is undefined behaviour,
this can lead to an overridden compare variable, which in turn can lead
to an invalid instruction pointer, i.e. most likely a crash or code
execution (very unlikely).

Proof of concept:

$ echo "Requires: x " > poc.pc
$ dd if=/dev/zero bs=1 count=65535 | tr '\0' '<' >> poc.pc
$ pkgconf poc.pc

Eiter compile pkgconf with address sanitizer or run pkgconf multiple
times, eventually it might crash (assuming that ASLR is in place).

In order to fix this, I decided to use an end pointer to avoid OOB write.
Alternative would be to increase the buffer size, but I try to avoid that
since this would be additional ~60 KB stack space for a very unlikely
situation.
2020-05-26 14:03:55 -06:00
Ariadne Conill c6b93941a0 pkgconf 1.7.2. 2020-05-26 13:46:20 -06:00
Ariadne Conill c613eb5cce libpkgconf: pkg: use a second pointer for demunging windows paths 2020-05-26 13:42:39 -06:00
Ariadne Conill 92b09aef9a pkgconf 1.7.1. 2020-05-26 11:06:35 -06:00
Ariadne Conill e70b536ea3 libpkgconf: pkg: when generating a search path, use the correct path separator
Before, this could result in generated paths like C:\foo\pkgconfig/bar.pc on Windows.
2020-05-26 11:01:46 -06:00
Ariadne Conill 47466470d2 main: extend copyright statement to 2020 in --about 2020-05-26 10:57:51 -06:00
Ariadne Conill ee1fe1a70a update NEWS for 1.7.1 changes so far 2020-05-26 07:49:15 -06:00
Ariadne Conill 0253fddc1d libpkgconf: pkg: fix computation of pkgconf_pkg_t.id on Windows.
Windows allows both \ and / as valid path characters.  A computed path
such as C:\development\libfoo\pkgconfig/foo.pc will result in a computed
pkgconf_pkg_t.id of "pkgconfig/foo".

Accordingly, correct the path normalization for checking for / after
the \ path has been dealt with in all cases.
2020-05-26 07:41:16 -06:00
Neal Gompa be6b382dde Makefile.am: Add remaining Meson files to be included in dist tarballs
The tarballs produced by 'make distcheck' did not include all files
required for using Meson because they were not all enumerated in
EXTRA_DIST.

This change adds the remaining Meson files to the tarball.
2020-05-25 05:59:35 -06:00
Tobias Stoeckmann 9e16d2709c libpkgconf: personality: fix out of boundary access
It is possible to set the instruction pointer to undefined values by
using an operator larger than ':' in ASCII.

Since the personality function array does not have 256 entries, an
invalid operator can overflow the array.

Proof of concept:

$ echo "a _ b" > poc
$ ln -s $(which pkgconf) poc-pkgconf
$ ./poc-pkgconf
2020-05-25 05:55:39 -06:00
Ariadne Conill dd57abfe9f pkgconf 1.7.0. 2020-05-24 14:55:02 -06:00
Ariadne Conill 82d57184e7 meson: fix detection of strndup() on windows 2020-05-24 14:54:58 -06:00
Ariadne Conill 4fb7683c3e add support for the PKGCONF_PKG_PKGF_DONT_MERGE_SPECIAL_FRAGMENTS flag used in build2. 2020-05-24 14:40:47 -06:00
Ariadne Conill fb9c2258d1 update NEWS for previous patch 2020-05-24 14:37:13 -06:00
Ben 011db1bb88 Do not complain about malformed whitespace from \n on Version line
Every version line has a newline at the end; the malformed whitespace checker
should just check for trailing spaces and tabs.

Resolves https://todo.sr.ht/~kaniini/pkgconf/15
2020-05-24 14:36:46 -06:00
Ariadne Conill fce1199b53 cli: add support for PKG_CONFIG_MSVC_SYNTAX env variable
Patch from Dan Kegel.
2020-05-24 14:34:17 -06:00
Olaf Hering cdc2bf887e use correct autoconf macro name
AC_CONFIG_MACRO_DIR without trailing S is known by autoconf since 2.58.
AC_CONFIG_MACRO_DIR with trailing S is known by autoconf newer than 2.69.

This fixes libtool after 'autoreconf -fi'.

Fixes commit a8a65c7f6c
Related to issue #145

Signed-off-by: Olaf Hering <olaf@aepfle.de>
2020-05-24 14:29:19 -06:00
Ariadne Conill 80508f7138 NEWS: start NEWS for 1.7.0
was hoping to go straight into 2.0 but we need a new maintenance
branch :(
2020-05-24 14:27:52 -06:00
Ariadne Conill 382a89c173 pkg: pkgconf_compare_version(): do not return levenshtein distance in strcmp() case 2020-05-24 14:18:16 -06:00
Tobias Stoeckmann 92745ad9cb libpkgconf: parser: fix out of boundary access
It is possible to trigger an out of boundary access with specially
crafted files. If a line consist of only a key and spaces, then
op will point to '\0'-ending of the buffer. Since p is iterated by
one byte right past this ending '\0', the next read access to p is
effectively out of bounds.

Theoretically this can also lead to out of boundary writes if spaces
are encountered.

Proof of concept (I recommend to compile with address sanitizer):

$ echo -n a > poc.pc
$ dd if=/dev/zero bs=1 count=65533 | tr '\0' ' ' >> poc.pc
$ pkgconf poc.pc
2020-05-24 14:10:18 -06:00
Tobias Stoeckmann bd4ed1ca02 libpkgconf: fileio: prevent buffer overflow.
pkgconf_fgetline is called with a user-defined buffer, its size, and
a FILE stream to read input from.

If the buffer is almost completely filled and the file stream contains
an escaped character, then it is possible to trigger an off-by-one
buffer overflow with a '\0' character.

Easiest example to trigger this:

char buf[2];
pkgconf_fgetline(buf, sizeof(buf), stdin);

Enter "\\" (two backslashes) and press enter. If the library and the
program are compiled with address sanitizer, you will see the program
crashing. Otherwise it depends on your architecture what happens.

Since nobody should be using a buffer of only size 1 or 2, keep enough
space for a possibly escaped character in while loop by subtracting one
more byte for this situation, not just for '\0'.
2020-05-24 14:09:44 -06:00
Ariadne Conill 62bbd3b664 cli: remove --version to --modversion remapping
This has been a source of frequent complaints, so we drop it.
Resolves: https://todo.sr.ht/~kaniini/pkgconf/6
2020-01-21 10:32:36 -06:00
Ariadne Conill 48dc665ae3 personality: add support for WantDefaultStatic setting 2019-10-19 00:56:17 -05:00
Ariadne Conill 40fe48355b cli: main: add --shared option 2019-10-19 00:46:32 -05:00
Ariadne Conill f1ce393632 fix pkgconf-personality man page 2019-09-30 05:22:21 -05:00
Ariadne Conill 2adafc2729 libpkgconf: personality: return the default personality if loading a personality file failed 2019-08-23 12:48:11 -05:00
Ariadne Conill 19aa93e371 prepare for pkgconf 2.0 development 2019-08-04 15:54:24 -05:00
Nicolas Braud-Santoni 1d8c6b71d6 Fix troff markup in pkgconf-personality(5)
A list was started with .Bl but not ended (with .El)
2019-07-12 09:54:02 -05:00
Nicolas Braud-Santoni db3ba0ef86 Fix spelling in pkg.m4(7) 2019-07-12 09:54:02 -05:00
Ariadne Conill af1fbf9820 builds: add fedora meson build 2019-07-12 08:57:25 -05:00
Ariadne Conill 3f178f71d7 builds: add fedora rawhide build 2019-07-12 08:50:23 -05:00
Ariadne Conill f3e1073f96 build: include meson build files in generated tarballs 2019-07-12 08:31:21 -05:00
Ariadne Conill d351e6ae59 Revert "tests: remove some no longer relevant bitrot in the test environment file"
This reverts commit 107ad34f8f.

Breaks autoconf.
2019-07-12 08:23:36 -05:00
Ariadne Conill 061627f091 meson: bump required version to 0.47 for copy directive 2019-07-12 08:20:05 -05:00
Ariadne Conill 107ad34f8f tests: remove some no longer relevant bitrot in the test environment file 2019-07-12 08:19:19 -05:00
Ariadne Conill c862e030cf pkgconf 1.6.3. 2019-07-12 06:53:37 -05:00
Ariadne Conill 5f3aa3a8d2 cli: bump copyright notice to 2019 2019-07-12 06:53:25 -05:00
Ariadne Conill 286e354785 update NEWS for 1.6.3. 2019-07-12 06:46:29 -05:00
Ariadne Conill 3740bfb6d7 tests: add test for malformed versions generating a diagnostic with --validate 2019-07-12 06:42:08 -05:00
Ariadne Conill a91e0bf215 tests: explicitly test --print-provides with malformed versions 2019-07-12 06:37:46 -05:00
Ariadne Conill c10f69994b libpkgconf: pkg: generate diagnostic for and trim malformed versions 2019-07-12 06:35:48 -05:00
Ariadne Conill 312b4e51a9 tests: add test for malformed version handling 2019-07-12 06:22:41 -05:00
Ariadne Conill 3783d65784 tests: add malformed-version fixture 2019-07-12 06:15:35 -05:00
Ariadne Conill 6c3356a094 update README [ci skip] 2019-07-12 05:56:35 -05:00