From: millert Date: Wed, 25 Jan 2023 19:06:50 +0000 (+0000) Subject: Fix CVE-2023-24056, unbounded variable expansion in pkg-config. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=99a8c03ea500ea834cd0ac62431ef4196ce6a0f2;p=openbsd Fix CVE-2023-24056, unbounded variable expansion in pkg-config. We now die with an error when trying to expand a variable that is already longer than 64K. This was never a buffer overflow in our pkg-config, but rather an unbounded memory allocation that would eventually run up against resource limits. OK sthen@ jasper@ --- diff --git a/usr.bin/pkg-config/OpenBSD/PkgConfig.pm b/usr.bin/pkg-config/OpenBSD/PkgConfig.pm index 6df6d7bcbd4..757d1c8b49d 100644 --- a/usr.bin/pkg-config/OpenBSD/PkgConfig.pm +++ b/usr.bin/pkg-config/OpenBSD/PkgConfig.pm @@ -1,5 +1,5 @@ # ex:ts=8 sw=4: -# $OpenBSD: PkgConfig.pm,v 1.8 2019/12/08 14:22:14 espie Exp $ +# $OpenBSD: PkgConfig.pm,v 1.9 2023/01/25 19:06:50 millert Exp $ # # Copyright (c) 2006 Marc Espie # @@ -221,6 +221,10 @@ sub expanded # Expand all variables, unless the returned value is defined as an # as an unexpandable variable (such as with --defined-variable). while ($v =~ m/\$\{(.*?)\}/) { + # Limit the expanded variable size if 64K to prevent a + # malicious .pc file from consuming too much memory. + die "Variable expansion overflow" if length($v) > 64 * 1024; + unless (defined &$get_value($1)) { $v =~ s/\$\{(.*?)\}/$extra->{$1}/g; last;
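Review bot: the check runs before the substitution, so it bounds what goes into each pass rather than what comes out. The loop only dies at the top of the iteration after `$v` has already crossed 64K, and in the `unless (defined &$get_value($1))` branch the line `$v =~ s/\$\{(.*?)\}/$extra->{$1}/g; last;` replaces every `${...}` occurrence of an up-to-64K string in one pass and then leaves the loop with no check at all. Consider also testing `length($v)` after each substitution, or bounding `length($v) + length(replacement)` before substituting, so peak allocation is actually capped near 64K rather than 64K times the fan-out of a single pass. Two smaller points on the same hunk: the comment "Limit the expanded variable size if 64K" should read "to 64K", and the bare `die "Variable expansion overflow"` gives someone with a legitimately large .pc file no hint of which variable tripped the limit; including `$1` and `length($v)` in the message, and naming the `64 * 1024` constant, would make the failure easier to diagnose.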
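The following Python model of the expansion loop is an added illustration written for this page, not OpenBSD's PkgConfig.pm. It mirrors the structure the patch shows (re-scan while `${...}` remains, die once the string is over 64K before the next pass) and runs it over a constructed .pc file twice: once on an ordinary `prefix`/`libdir` chain, and once on a constructed fan-out chain whose value grows geometrically, which is the resource-exhaustion pattern the commit message describes. `parse_pc`, `expand`, `expansion_bomb` and `ExpansionOverflow` are names chosen here, and the .pc text is constructed sample input.

```python
"""Model of pkg-config ${var} expansion with a 64K guard (illustration only)."""
import re

LIMIT = 64 * 1024                      # same figure as the patch
VAR_RE = re.compile(r"\$\{(.*?)\}")    # same non-greedy pattern as the Perl loop


class ExpansionOverflow(Exception):
    """Raised where the patched Perl code would die; carries the offending size."""
    def __init__(self, size):
        super().__init__(f"Variable expansion overflow ({size} bytes)")
        self.size = size


def parse_pc(text):
    """Split a .pc file into variable lines (name=value) and keyword lines (Key: value)."""
    variables, keywords = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        eq, colon = line.find("="), line.find(":")
        if eq != -1 and (colon == -1 or eq < colon):
            name, value = line.split("=", 1)
            variables[name.strip()] = value.strip()
        elif colon != -1:
            key, value = line.split(":", 1)
            keywords[key.strip()] = value.strip()
    return variables, keywords


def expand(value, variables, limit=LIMIT):
    """Expand ${...} references by re-scanning until none remain.

    As in the patch, the size check sits at the top of the loop, so it bounds
    the input to each pass, not the output: the pass that crosses `limit`
    completes, and the overflow is only raised before the following pass.
    Unknown variables expand to the empty string. limit=None disables the guard.
    """
    v = value
    while VAR_RE.search(v):
        if limit is not None and len(v) > limit:
            raise ExpansionOverflow(len(v))
        v = VAR_RE.sub(lambda m: variables.get(m.group(1), ""), v)
    return v


def libs_of(pc_text, limit=LIMIT):
    """Expand the Libs: line of a .pc file, like `pkg-config --libs` would."""
    variables, keywords = parse_pc(pc_text)
    return expand(keywords["Libs"], variables, limit)


def expansion_bomb(levels=8, fanout=4, seed="x" * 16):
    """Construct variable lines where v<n> expands to fanout**n copies of seed."""
    lines = [f"v0={seed}"]
    for n in range(1, levels + 1):
        lines.append(f"v{n}=" + ("${v%d}" % (n - 1)) * fanout)
    return "\n".join(lines)


# Constructed sample modelled on a typical foo.pc (not a real package file).
BENIGN_PC = """\
prefix=/usr/local
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include

Name: foo
Description: constructed sample
Version: 1.0
Libs: -L${libdir} -lfoo
Cflags: -I${includedir}
"""


def overflow_size(levels=8, fanout=4):
    """Size of the string that trips the guard for the constructed bomb."""
    variables, _ = parse_pc(expansion_bomb(levels, fanout))
    try:
        expand("${v%d}" % levels, variables)
    except ExpansionOverflow as e:
        return e.size
    return None


if __name__ == "__main__":
    print(libs_of(BENIGN_PC))
    variables, _ = parse_pc(expansion_bomb())
    print("unguarded length:", len(expand("${v8}", variables, limit=None)))
    print("guard tripped at:", overflow_size())
```

With the constructed eight-level, four-way chain the unguarded expansion reaches 16 * 4**8 bytes (1 MiB) from a 5-byte input; the guard stops it, but only at 81920 bytes, because the pass that crossed 64K ran to completion first. Deeper chains or a larger fan-out per level raise that overshoot proportionally, which is the reason to check after the substitution as well as before it.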