diff --git a/srcpkgs/yara/patches/CVE-2018-1997{4-6}.patch b/srcpkgs/yara/patches/CVE-2018-1997{4-6}.patch
new file mode 100644
index 00000000000..0de7ef9d5c9
--- /dev/null
+++ b/srcpkgs/yara/patches/CVE-2018-1997{4-6}.patch
@@ -0,0 +1,108 @@
+From 0a3ede0125c8b88a020fa4c98df78f6eea7eb9ab Mon Sep 17 00:00:00 2001
+From: "Victor M. Alvarez"
+Date: Thu, 13 Dec 2018 12:23:09 +0100
+Subject: [PATCH] Fix issue #999 (#1001)
+
+* Add additional check in OP_COUNT for making sure that the string pointer is not a fake one.
+
+* Initialize scratch memory in order to avoid maliciously crafted YARA rules from reading values left in the stack.
+---
+ libyararena.c | 10 +++++-----
+ libyarexec.c | 11 +++++++++++
+ libyarinclude/yara/arena.h | 5 +++++
+ 3 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git libyara/arena.c libyara/arena.c
+index 34a374ef..805f6d70 100644
+--- libyara/arena.c
++++ libyararena.c
+@@ -109,7 +109,7 @@ static YR_ARENA_PAGE* _yr_arena_new_page(
+ 
+ 
+ //
+-// _yr_arena_page_for_address
++// yr_arena_page_for_address
+ //
+ // Returns the page within the arena where an address reside.
+ //
+@@ -122,7 +122,7 @@ static YR_ARENA_PAGE* _yr_arena_new_page(
+ // resides.
+ //
+ 
+-static YR_ARENA_PAGE* _yr_arena_page_for_address(
++YR_ARENA_PAGE* yr_arena_page_for_address(
+ YR_ARENA* arena,
+ void* address)
+ {
+@@ -184,7 +184,7 @@ static int _yr_arena_make_ptr_relocatable(
+ // If the arena must be relocatable.
+ assert(arena->flags & ARENA_FLAGS_RELOCATABLE);
+ 
+- page = _yr_arena_page_for_address(arena, base);
++ page = yr_arena_page_for_address(arena, base);
+ 
+ assert(page != NULL);
+ 
+@@ -361,7 +361,7 @@ void* yr_arena_next_address(
+ {
+ YR_ARENA_PAGE* page;
+ 
+- page = _yr_arena_page_for_address(arena, address);
++ page = yr_arena_page_for_address(arena, address);
+ 
+ assert(page != NULL);
+ 
+@@ -482,7 +482,7 @@ int yr_arena_coalesce(
+ 
+ if (reloc_target != NULL)
+ {
+- page = _yr_arena_page_for_address(arena, reloc_target);
++ page = yr_arena_page_for_address(arena, reloc_target);
+ assert(page != NULL);
+ *reloc_address = page->new_address + (reloc_target - page->address);
+ }
+diff --git libyara/exec.c libyara/exec.c
+index a0cf138d..9f0ba8fa 100644
+--- libyara/exec.c
++++ libyarexec.c
+@@ -246,6 +246,10 @@ int yr_execute_code(
+ start_time = yr_stopwatch_elapsed_us(&context->stopwatch);
+ #endif
+ 
++ #if PARANOID_EXEC
++ memset(mem, 0, MEM_SIZE * sizeof(mem[0]));
++ #endif
++
+ while(!stop)
+ {
+ opcode = *ip;
+@@ -779,6 +783,13 @@ int yr_execute_code(
+ 
+ case OP_COUNT:
+ pop(r1);
++
++ #if PARANOID_EXEC
++ // Make sure that the string pointer is within the rules arena.
++ if (yr_arena_page_for_address(context->rules->arena, r1.p) == NULL)
++ return ERROR_INTERNAL_FATAL_ERROR;
++ #endif
++
+ r1.i = r1.s->matches[tidx].count;
+ push(r1);
+ break;
+diff --git libyara/include/yara/arena.h libyara/include/yara/arena.h
+index 51f2d8cf..a42e594b 100644
+--- libyara/include/yara/arena.h
++++ libyarinclude/yara/arena.h
+@@ -101,6 +101,11 @@ void* yr_arena_base_address(
+ YR_ARENA* arena);
+ 
+ 
++YR_ARENA_PAGE* yr_arena_page_for_address(
++ YR_ARENA* arena,
++ void* address);
++
++
+ void* yr_arena_next_address(
+ YR_ARENA* arena,
+ void* address,
diff --git a/srcpkgs/yara/template b/srcpkgs/yara/template
index 39cca9408ac..8882886efda 100644
--- a/srcpkgs/yara/template
+++ b/srcpkgs/yara/template
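Review bot: Both new guards in the embedded exec.c hunks — the `memset(mem, 0, MEM_SIZE * sizeof(mem[0]))` at the top of yr_execute_code and the `yr_arena_page_for_address(context->rules->arena, r1.p) == NULL` check in OP_COUNT — are wrapped in `#if PARANOID_EXEC`, so the backport is a no-op unless that macro evaluates non-zero in the 3.8.1 build; the template hunk only bumps revision and adds nothing to configure_args, so it is worth confirming libyara/exec.c defines PARANOID_EXEC itself before shipping this as a security fix. The OP_COUNT check establishes only that `r1.p` lies inside some page of the rules arena, not that it addresses a YR_STRING, which matches the upstream message calling it an additional check rather than full validation. As rendered here the `+++` and diffstat paths read `libyararena.c`, `libyarexec.c` and `libyarinclude/yara/arena.h`, apparently with `a/` dropped relative to the `---` lines; if the on-disk patch really reads that way, confirm that the xbps-src patch step still resolves the three files. yr_execute_code starts and ends outside both exec.c hunks.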
@@ -1,7 +1,7 @@
 # Template file for 'yara'
 pkgname=yara
 version=3.8.1
-revision=3
+revision=4
 build_style=gnu-configure
 configure_args="--enable-magic --enable-cuckoo"
 hostmakedepends="automake libtool"