author Guillem Jover <guillem@debian.org> 2014-06-17 04:25:51 -0400
committer Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-10 15:05:51 +0100
commit c75316fc256d229cfad45cd57328920993d93d8d
tree 9b37211442b68552c102947107b0575655466adb /meta/lib/oe/manifest.py
parent 9b3a2d0716540dae72376a8c2e418b244a85c0cb
dpkg: Security Advisory - CVE-2014-0471
v2 changes:
* update format for commit log
* add Upstream-Status for patch

commit a82651188476841d190c58693f95827d61959b51 upstream

Dpkg::Source::Patch: Correctly parse C-style diff filenames

We need to strip the surrounding quotes, and unescape any escape sequence, so that we check the same files that the patch program will be using, otherwise a malicious package could overpass those checks, and perform directory traversal attacks on source package unpacking.

Fixes: CVE-2014-0471

Reported-by: Jakub Wilk <jwilk@debian.org>

[drop the text for debian/changelog, because it's not suitable for the version]

(From OE-Core rev: 81880b34a8261e824c5acafaa4cb321908e554a0)

Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib/oe/manifest.py')
0 files changed, 0 insertions, 0 deletions
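
The check the commit message describes, sketched in Python as an added example (not dpkg's Perl code and not part of this commit): a path validator has to strip the quotes and decode the escapes of a C-style quoted diff filename before testing it, or it inspects a different string than the patch program will open. The function names, the escape set, the simplified traversal test and the sample headers are assumptions constructed for illustration.

```python
import re

# Constructed header lines; the second spells ".." with octal escapes.
SAMPLE_HEADERS = [
    '+++ b/src/main.c\t2014-04-01 00:00:00 +0000',
    '+++ "b/\\56\\56/\\56\\56/outside.txt"\t2014-04-01 00:00:00 +0000',
    '+++ "b/docs/read\\tme.txt"',
]
# Single-letter C escapes accepted here (assumed set); octal is handled below.
_SIMPLE = {"a": "\a", "b": "\b", "f": "\f", "n": "\n", "r": "\r",
           "t": "\t", "v": "\v", "\\": "\\", '"': '"'}
_ESCAPE = re.compile(r'\\([0-7]{1,3}|.)', re.S)
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)


def raw_name(header):
    """Filename field of a '+++ ' or '--- ' line, still quoted if it was."""
    field = header[4:]
    m = _QUOTED.match(field)
    return m.group(0) if m else field.split("\t", 1)[0].rstrip("\n")


def unquote_c_style(name):
    """Strip surrounding quotes and decode escapes; other names pass through."""
    m = _QUOTED.fullmatch(name)
    if not m:
        return name

    def decode(esc):
        code = esc.group(1)
        if code[0] in "01234567":
            return chr(int(code, 8) & 0xFF)  # bytes mapped to Latin-1 code points
        if code in _SIMPLE:
            return _SIMPLE[code]
        raise ValueError("unsupported escape: \\" + code)

    return _ESCAPE.sub(decode, m.group(1))


def escapes_tree(path):
    """Simplified test: absolute path or any '..' component."""
    return path.startswith("/") or ".." in path.split("/")


def check(header):
    """Return (verdict on the raw field, verdict on the decoded name)."""
    raw = raw_name(header)
    return escapes_tree(raw), escapes_tree(unquote_c_style(raw))
```

A validator should act on the second element of the tuple; a rejected `ValueError` from an unknown escape is also a reason to refuse the patch.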