-rw-r--r-- | system/bison/APKBUILD | 14 | ||||
-rw-r--r-- | system/bison/uaf.patch | 160 |
2 files changed, 170 insertions, 4 deletions
diff --git a/system/bison/APKBUILD b/system/bison/APKBUILD index c0a5ed0c2..c8e2b9710 100644 --- a/system/bison/APKBUILD +++ b/system/bison/APKBUILD @@ -1,11 +1,14 @@ # Contributor: Łukasz Jendrysik <scadu@yandex.com> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=bison -pkgver=3.5.4 +pkgver=3.7 pkgrel=0 pkgdesc="The GNU general-purpose parser generator" arch="all" -[ -n "$BOOTSTRAP" ] && options="!check" +# iconv issue: +# https://lists.gnu.org/archive/html/bug-bison/2020-07/msg00001.html +# https://www.openwall.com/lists/musl/2020/07/29/2 +options="!check" # see above license="GPL-3.0+" url="https://www.gnu.org/software/bison/bison.html" depends="m4" @@ -13,7 +16,9 @@ checkdepends="bison flex musl-locales" makedepends="perl" provider_priority=1 subpackages="$pkgname-doc $pkgname-lang" -source="https://ftp.gnu.org/gnu/bison/${pkgname}-${pkgver}.tar.xz" +source="https://ftp.gnu.org/gnu/bison/${pkgname}-${pkgver}.tar.xz + uaf.patch + " # secfixes: # 3.5.4-r0: @@ -44,4 +49,5 @@ package() { rmdir -p "$pkgdir"/usr/lib 2>/dev/null || true } -sha512sums="92f59122dc4d5cae1debdd5567253f269ef001c98582a5763a2051424fecb78e8710c80a09fc488f6784705e679a8bc82874bc11cc03e4eb83445cb9f418b331 bison-3.5.4.tar.xz" +sha512sums="f6c8f1522849b65046844bd51953b4f1e2c32818d8bca0b8e4a1035e72d6731d8a66bc307d4b20d1a576cac6cbe10aa1c66829112327f37938ace165e154ba6a bison-3.7.tar.xz +4a4e22589cd02fb301fdff98078a551f97967dd7add935341f47d0df3acd95827661633ff6489d1ae36730eed8ddec1c2a8ded054628abb839feda79feae4be0 uaf.patch" diff --git a/system/bison/uaf.patch b/system/bison/uaf.patch new file mode 100644 index 000000000..19ab59c56 --- /dev/null +++ b/system/bison/uaf.patch 
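Review bot: `options="!check"` in the first APKBUILD hunk is now unconditional, where the removed line skipped the suite only when `$BOOTSTRAP` was set. As a result the `Invalid inputs` case that uaf.patch adds to `tests/input.at` never runs in this package build, so nothing in the build confirms that the NUL-byte fix is present in the shipped binary. The linked iconv threads explain why the suite is off, but `# see above` does not say when it can come back; I would add `# TODO: restore [ -n "$BOOTSTRAP" ] && options="!check" once the iconv issue linked above is resolved`.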
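Review bot: The `source=` hunk adds `uaf.patch`, which edits `src/scan-gram.l`, but `flex` appears only in `checkdepends` (visible in this hunk's header line) and the suite is disabled in the same commit, so flex may not be installed when the package builds. If the release tarball ships a pregenerated `src/scan-gram.c`, which is worth confirming, the `STRING_FINISH ()` fix could fail to regenerate or be silently left out of the built scanner; `makedepends="flex perl"` removes the doubt. Separately, the `# secfixes:` context still ends at `3.5.4-r0:` and the rest of that block is outside the hunk; if an advisory identifier exists for the NUL-byte crash, it should be recorded there for the new version.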
@@ -0,0 +1,160 @@ +From be95a4fe2951374676efc9454ffee8638faaf68d Mon Sep 17 00:00:00 2001 +From: Akim Demaille <akim.demaille@gmail.com> +Date: Tue, 28 Jul 2020 18:51:30 +0200 +Subject: scanner: don't crash on strings containing a NUL byte + +We crash if the input contains a string containing a NUL byte. +Reported by Suhwan Song. +https://lists.gnu.org/r/bug-bison/2020-07/msg00051.html + +* src/flex-scanner.h (STRING_FREE): Avoid accidental use of +last_string. +* src/scan-gram.l: Don't call STRING_FREE without calling +STRING_FINISH first. +* tests/input.at (Invalid inputs): Check that case. +--- + THANKS | 1 + + src/flex-scanner.h | 10 +++++++++- + src/scan-gram.l | 3 ++- + tests/input.at | 48 ++++++++++++++++++++++++++++++++++++++---------- + 4 files changed, 50 insertions(+), 12 deletions(-) + +diff --git a/THANKS b/THANKS +index ac073ea6..5c64da3c 100644 +--- a/THANKS ++++ b/THANKS +@@ -185,6 +185,7 @@ Simon Sobisch simonsobisch@web.de + Stefano Lattarini stefano.lattarini@gmail.com + Stephen Cameron stephenmcameron@gmail.com + Steve Murphy murf@parsetree.com ++Suhwan Song prada960808@gmail.com + Sum Wu sum@geekhouse.org + Théophile Ranquet theophile.ranquet@gmail.com + Thiru Ramakrishnan thiru.ramakrishnan@gmail.com +diff --git a/src/flex-scanner.h b/src/flex-scanner.h +index 56ca7ce3..028847fd 100644 +--- a/src/flex-scanner.h ++++ b/src/flex-scanner.h +@@ -112,7 +112,15 @@ static struct obstack obstack_for_string; + # define STRING_1GROW(Char) \ + obstack_1grow (&obstack_for_string, Char) + +-# define STRING_FREE() \ ++# ifdef NDEBUG ++# define STRING_FREE() \ + obstack_free (&obstack_for_string, last_string) ++# else ++# define STRING_FREE() \ ++ do { \ ++ obstack_free (&obstack_for_string, last_string); \ ++ last_string = NULL; \ ++ } while (0) ++#endif + + #endif +diff --git a/src/scan-gram.l b/src/scan-gram.l +index f8d85f23..ad2904ce 100644 +--- a/src/scan-gram.l ++++ b/src/scan-gram.l +@@ -403,6 +403,7 @@ eqopt ({sp}=)? 
+ { + \0 { + complain (loc, complaint, _("invalid null character")); ++ STRING_FINISH (); + STRING_FREE (); + return GRAM_error; + } +@@ -599,7 +600,6 @@ eqopt ({sp}=)? + STRING_FINISH (); + BEGIN INITIAL; + loc->start = token_start; +- val->CHAR = last_string[0]; + + if (last_string[0] == '\0') + { +@@ -615,6 +615,7 @@ eqopt ({sp}=)? + } + else + { ++ val->CHAR = last_string[0]; + STRING_FREE (); + return CHAR; + } +diff --git a/tests/input.at b/tests/input.at +index 4da63795..effcd1cc 100644 +--- a/tests/input.at ++++ b/tests/input.at +@@ -1,4 +1,4 @@ +-# Checking the Bison scanner. -*- Autotest -*- ++# Checking the Bison reader. -*- Autotest -*- + + # Copyright (C) 2002-2015, 2018-2020 Free Software Foundation, Inc. + +@@ -78,10 +78,13 @@ AT_CLEANUP + ## Invalid inputs. ## + ## ---------------- ## + ++# The truly bad guys no human would write, but easily uncovered by ++# fuzzers. + AT_SETUP([Invalid inputs]) + + AT_DATA([input.y], + [[\000\001\002\377? ++"\000" + %% + ? + default: 'a' } +@@ -92,16 +95,41 @@ default: 'a' } + ]]) + AT_PERL_REQUIRE([[-pi -e 's/\\(\d{3})/chr(oct($1))/ge' input.y]]) + +-AT_BISON_CHECK([input.y], [1], [], ++AT_BISON_CHECK([-fcaret input.y], [1], [], [stderr]) ++ ++# Autotest's diffing, when there are NUL bytes, just reports "binary ++# files differ". So don't leave NUL bytes. ++AT_PERL_CHECK([[-p -e 's{([\0\377])}{sprintf "\\x%02x", ord($1)}ge' stderr]], [], + [[input.y:1.1-2: error: invalid characters: '\0\001\002\377?' +-input.y:3.1: error: invalid character: '?' +-input.y:4.14: error: invalid character: '}' +-input.y:5.1: error: invalid character: '%' +-input.y:5.2: error: invalid character: '&' +-input.y:6.1-17: error: invalid directive: '%a-does-not-exist' +-input.y:7.1: error: invalid character: '%' +-input.y:7.2: error: invalid character: '-' +-input.y:8.1-9.0: error: missing '%}' at end of file ++ 1 | \x00\xff? 
++ | ^~ ++input.y:2.2: error: invalid null character ++ 2 | "\x00" ++ | ^ ++input.y:4.1: error: invalid character: '?' ++ 4 | ? ++ | ^ ++input.y:5.14: error: invalid character: '}' ++ 5 | default: 'a' } ++ | ^ ++input.y:6.1: error: invalid character: '%' ++ 6 | %& ++ | ^ ++input.y:6.2: error: invalid character: '&' ++ 6 | %& ++ | ^ ++input.y:7.1-17: error: invalid directive: '%a-does-not-exist' ++ 7 | %a-does-not-exist ++ | ^~~~~~~~~~~~~~~~~ ++input.y:8.1: error: invalid character: '%' ++ 8 | %- ++ | ^ ++input.y:8.2: error: invalid character: '-' ++ 8 | %- ++ | ^ ++input.y:9.1-10.0: error: missing '%}' at end of file ++ 9 | %{ ++ | ^~ + ]]) + + AT_CLEANUP +-- +cgit v1.2.1 + |
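Review bot: In the `src/flex-scanner.h` part of this patch, `last_string = NULL;` is compiled only when `NDEBUG` is not defined, so a build that defines `NDEBUG` leaves the pointer dangling after `obstack_free` and a later stale use would go unnoticed instead of faulting on NULL. The effective fix is the added `STRING_FINISH ();` and the moved `val->CHAR = last_string[0];` in `src/scan-gram.l`; the macro change is a debugging aid only. The file is a verbatim upstream commit, so I would leave its contents alone, but it is worth checking which way the package build sets `NDEBUG`. I would also document provenance above `source=` in the APKBUILD with `# uaf.patch: upstream be95a4fe (scanner NUL-byte crash); drop once a release includes it`.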