diff options
author | Robert Yang <liezhi.yang@windriver.com> | 2015-03-26 02:18:09 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-03-29 23:07:14 +0100 |
commit | af18ce070bd1c73f3619d6370928fe7e2e06ff5e (patch) | |
tree | 8c57514834a01deff418d953c431be66a1ca6e4e /meta | |
parent | 4c389880dc9c6221344f7aed221fe8356e8c2056 (diff) | |
download | openembedded-core-af18ce070bd1c73f3619d6370928fe7e2e06ff5e.tar.gz openembedded-core-af18ce070bd1c73f3619d6370928fe7e2e06ff5e.tar.bz2 openembedded-core-af18ce070bd1c73f3619d6370928fe7e2e06ff5e.zip |
cpio: fix CVE-2015-1197
Additional directory traversal vulnerability via symlinks
cpio CVE-2015-1197
Initial report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669
Upstream report:
https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html
And fix the indent in SRC_URI.
[YOCTO #7182]
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch | 154 | ||||
-rw-r--r-- | meta/recipes-extended/cpio/cpio_2.11.bb | 3 |
2 files changed, 156 insertions, 1 deletions
diff --git a/meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch b/meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch new file mode 100644 index 0000000000..b54afb867f --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch @@ -0,0 +1,154 @@ +Description: CVE-2015-1197 + Apply patch by Vitezslav Cizek of SuSE to fix CVE-2015-1197. + Upstream is dormant or no longer existing. To restore the old + behaviour use --extract-over-symlinks (Closes: #774669) + This issue has been discovered by Alexander Cherepanov. +Author: Vitezslav Cizek <vcizek@suse.cz> +Bug-Debian: https://bugs.debian.org/774669 + +Upstream-Status: Backport + +Signed-off-by: Robert Yang <liezhi.yang@windriver.com> + +--- cpio-2.11+dfsg.orig/doc/cpio.1 ++++ cpio-2.11+dfsg/doc/cpio.1 +@@ -22,6 +22,7 @@ cpio \- copy files to and from archives + [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message] + [\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse] + [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] [\-\-rsh-command=command] ++[\-\-extract\-over\-symlinks] + [\-\-help] [\-\-version] [pattern...] [< archive] + + .B cpio +--- cpio-2.11+dfsg.orig/src/copyin.c ++++ cpio-2.11+dfsg/src/copyin.c +@@ -700,6 +700,51 @@ copyin_link (struct cpio_file_stat *file + free (link_name); + } + ++ ++static int ++path_contains_symlink(char *path) ++{ ++ struct stat st; ++ char *slash; ++ char *nextslash; ++ ++ /* we got NULL pointer or empty string */ ++ if (!path || !*path) { ++ return false; ++ } ++ ++ slash = path; ++ ++ while ((nextslash = strchr(slash + 1, '/')) != NULL) { ++ slash = nextslash; ++ *slash = '\0'; ++ ++ if (lstat(path, &st) != 0) { ++ if (errno == ELOOP) { ++ /* ELOOP - too many symlinks */ ++ *slash = '/'; ++ return true; ++ } else if (errno == ENOMEM) { ++ /* No memory for lstat - terminate */ ++ xalloc_die(); ++ } else { ++ /* cannot lstat path - give up */ ++ *slash = '/'; ++ return false; ++ } ++ } ++ ++ if (S_ISLNK(st.st_mode)) { ++ *slash = '/'; ++ return true; ++ } ++ ++ *slash = '/'; ++ } ++ ++ return false; ++} ++ + static void + copyin_file (struct cpio_file_stat *file_hdr, int in_file_des) + { +@@ -1471,6 +1516,23 @@ process_copy_in () + { + /* Copy the input file into the directory structure. */ + ++ /* Can we write files over symlinks? */ ++ if (!extract_over_symlinks) ++ { ++ if (path_contains_symlink(file_hdr.c_name)) ++ { ++ /* skip the file */ ++ /* ++ fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name); ++ tape_toss_input (in_file_des, file_hdr.c_filesize); ++ tape_skip_padding (in_file_des, file_hdr.c_filesize); ++ continue; ++ */ ++ /* terminate */ ++ error (1, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name); ++ } ++ } ++ + /* Do we need to rename the file? */ + if (rename_flag || rename_batch_file) + { +--- cpio-2.11+dfsg.orig/src/extern.h ++++ cpio-2.11+dfsg/src/extern.h +@@ -95,6 +95,7 @@ extern char input_is_special; + extern char output_is_special; + extern char input_is_seekable; + extern char output_is_seekable; ++extern bool extract_over_symlinks; + extern int (*xstat) (); + extern void (*copy_function) (); + +--- cpio-2.11+dfsg.orig/src/global.c ++++ cpio-2.11+dfsg/src/global.c +@@ -187,6 +187,9 @@ bool to_stdout_option = false; + /* The name this program was run with. */ + char *program_name; + ++/* Extract files over symbolic links */ ++bool extract_over_symlinks; ++ + /* A pointer to either lstat or stat, depending on whether + dereferencing of symlinks is done for input files. */ + int (*xstat) (); +--- cpio-2.11+dfsg.orig/src/main.c ++++ cpio-2.11+dfsg/src/main.c +@@ -57,7 +57,8 @@ enum cpio_options { + FORCE_LOCAL_OPTION, + DEBUG_OPTION, + BLOCK_SIZE_OPTION, +- TO_STDOUT_OPTION ++ TO_STDOUT_OPTION, ++ EXTRACT_OVER_SYMLINKS + }; + + const char *program_authors[] = +@@ -222,6 +223,8 @@ static struct argp_option options[] = { + N_("Create leading directories where needed"), GRID+1 }, + {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0, + N_("Do not change the ownership of the files"), GRID+1 }, ++ {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0, ++ N_("Force writing over symbolic links"), GRID+1 }, + {"unconditional", 'u', NULL, 0, + N_("Replace all files unconditionally"), GRID+1 }, + {"sparse", SPARSE_OPTION, NULL, 0, +@@ -412,6 +415,10 @@ crc newc odc bin ustar tar (all-caps als + no_chown_flag = true; + break; + ++ case EXTRACT_OVER_SYMLINKS: /* --extract-over-symlinks */ ++ extract_over_symlinks = true; ++ break; ++ + case 'o': /* Copy-out mode. */ + if (copy_function != 0) + error (PAXEXIT_FAILURE, 0, _("Mode already defined")); diff --git a/meta/recipes-extended/cpio/cpio_2.11.bb b/meta/recipes-extended/cpio/cpio_2.11.bb index c42db6f352..053888f1c0 100644 --- a/meta/recipes-extended/cpio/cpio_2.11.bb +++ b/meta/recipes-extended/cpio/cpio_2.11.bb @@ -6,7 +6,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949" PR = "r5" SRC_URI += "file://remove-gets.patch \ - file://fix-memory-overrun.patch \ + file://fix-memory-overrun.patch \ + file://cpio-CVE-2015-1197.patch \ " SRC_URI[md5sum] = "1112bb6c45863468b5496ba128792f6c" |