summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2019-08-21 09:44:45 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-08-22 22:48:26 +0100
commitf326d31c4e16aa9b7f9dc0ca139f52594352cb85 (patch)
treeea76be812ecba90f48e6f8c2694c5736623469e3
parent0f0c56c40c801df8cc21d946b82a1a90b8d617b4 (diff)
downloadpoky-f326d31c4e16aa9b7f9dc0ca139f52594352cb85.tar.gz
patch: backport fixes
The original fix for CVE-2018-1000156 was incomplete. Backport more fixes done later for a complete fix. Also see: https://savannah.gnu.org/bugs/index.php?53820 (From OE-Core rev: 9ea833b7d1655e042a513ea2225468c84f1c8bfb) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch93
-rw-r--r--meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch80
-rw-r--r--meta/recipes-devtools/patch/patch_2.7.6.bb2
3 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
new file mode 100644
index 0000000000..9891526e4e
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
@@ -0,0 +1,93 @@
1From 7f770b9c20da1a192dad8cb572a6391f2773285a Mon Sep 17 00:00:00 2001
2From: Jean Delvare <jdelvare@suse.de>
3Date: Thu, 3 May 2018 14:31:55 +0200
4Subject: [PATCH 1/2] Don't leak temporary file on failed ed-style patch
5
6Now that we write ed-style patches to a temporary file before we
7apply them, we need to ensure that the temporary file is removed
8before we leave, even on fatal error.
9
10* src/pch.c (do_ed_script): Use global TMPEDNAME instead of local
11 tmpname. Don't unlink the file directly, instead tag it for removal
12 at exit time.
13* src/patch.c (cleanup): Unlink TMPEDNAME at exit.
14
15This closes bug #53820:
16https://savannah.gnu.org/bugs/index.php?53820
17
18Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
19
20Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee]
21Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
22---
23 src/common.h | 2 ++
24 src/pch.c | 12 +++++-------
25 2 files changed, 7 insertions(+), 7 deletions(-)
26
27diff --git a/src/common.h b/src/common.h
28index ec50b40..22238b5 100644
29--- a/src/common.h
30+++ b/src/common.h
31@@ -94,10 +94,12 @@ XTERN char const *origsuff;
32 XTERN char const * TMPINNAME;
33 XTERN char const * TMPOUTNAME;
34 XTERN char const * TMPPATNAME;
35+XTERN char const * TMPEDNAME;
36
37 XTERN bool TMPINNAME_needs_removal;
38 XTERN bool TMPOUTNAME_needs_removal;
39 XTERN bool TMPPATNAME_needs_removal;
40+XTERN bool TMPEDNAME_needs_removal;
41
42 #ifdef DEBUGGING
43 XTERN int debug;
44diff --git a/src/pch.c b/src/pch.c
45index 16e001a..c1a62cf 100644
46--- a/src/pch.c
47+++ b/src/pch.c
48@@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char const *outname,
49 file_offset beginning_of_this_line;
50 size_t chars_read;
51 FILE *tmpfp = 0;
52- char const *tmpname;
53 int tmpfd;
54 pid_t pid;
55
56@@ -2404,12 +2403,13 @@ do_ed_script (char const *inname, char const *outname,
57 invalid commands and treats the next line as a new command, which
58 can lead to arbitrary command execution. */
59
60- tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
61+ tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0);
62 if (tmpfd == -1)
63- pfatal ("Can't create temporary file %s", quotearg (tmpname));
64+ pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME));
65+ TMPEDNAME_needs_removal = true;
66 tmpfp = fdopen (tmpfd, "w+b");
67 if (! tmpfp)
68- pfatal ("Can't open stream for file %s", quotearg (tmpname));
69+ pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME));
70 }
71
72 for (;;) {
73@@ -2449,8 +2449,7 @@ do_ed_script (char const *inname, char const *outname,
74 write_fatal ();
75
76 if (lseek (tmpfd, 0, SEEK_SET) == -1)
77- pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
78-
79+ pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME));
80 if (! dry_run && ! skip_rest_of_patch) {
81 int exclusive = *outname_needs_removal ? 0 : O_EXCL;
82 *outname_needs_removal = true;
83@@ -2482,7 +2481,6 @@ do_ed_script (char const *inname, char const *outname,
84 }
85
86 fclose (tmpfp);
87- safe_unlink (tmpname);
88
89 if (ofp)
90 {
91--
922.17.0
93
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
new file mode 100644
index 0000000000..d6a219a1b1
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
@@ -0,0 +1,80 @@
1From 369dcccdfa6336e5a873d6d63705cfbe04c55727 Mon Sep 17 00:00:00 2001
2From: Jean Delvare <jdelvare@suse.de>
3Date: Mon, 7 May 2018 15:14:45 +0200
4Subject: Don't leak temporary file on failed multi-file ed-style patch
5
6The previous fix worked fine with single-file ed-style patches, but
7would still leak temporary files in the case of multi-file ed-style
8patch. Fix that case as well, and extend the test case to check for
9it.
10
11* src/patch.c (main): Unlink TMPEDNAME if needed before moving to
12 the next file in a patch.
13
14This closes bug #53820:
15https://savannah.gnu.org/bugs/index.php?53820
16
17Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
18Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch")
19
20Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=369dcccdfa6336e5a873d6d63705cfbe04c55727]
21Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
22---
23 src/patch.c | 1 +
24 tests/ed-style | 31 +++++++++++++++++++++++++++++++
25 2 files changed, 32 insertions(+)
26
27diff --git a/src/patch.c b/src/patch.c
28index 9146597..81c7a02 100644
29--- a/src/patch.c
30+++ b/src/patch.c
31@@ -236,6 +236,7 @@ main (int argc, char **argv)
32 }
33 remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal);
34 }
35+ remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal);
36
37 if (! skip_rest_of_patch && ! file_type)
38 {
39diff --git a/tests/ed-style b/tests/ed-style
40index 6b6ef9d..504e6e5 100644
41--- a/tests/ed-style
42+++ b/tests/ed-style
43@@ -38,3 +38,34 @@ EOF
44 check 'cat foo' <<EOF
45 foo
46 EOF
47+
48+# Test the case where one ed-style patch modifies several files
49+
50+cat > ed3.diff <<EOF
51+--- foo
52++++ foo
53+1c
54+bar
55+.
56+--- baz
57++++ baz
58+0a
59+baz
60+.
61+EOF
62+
63+# Apparently we can't create a file with such a patch, while it works fine
64+# when the file name is provided on the command line
65+cat > baz <<EOF
66+EOF
67+
68+check 'patch -e -i ed3.diff' <<EOF
69+EOF
70+
71+check 'cat foo' <<EOF
72+bar
73+EOF
74+
75+check 'cat baz' <<EOF
76+baz
77+EOF
78--
79cgit v1.0-41-gc330
80
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 8908910f74..5d7f55f8dc 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -8,6 +8,8 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
8 file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \ 8 file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
9 file://CVE-2019-13636.patch \ 9 file://CVE-2019-13636.patch \
10 file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \ 10 file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
11 file://0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch \
12 file://0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch \
11" 13"
12 14
13SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600" 15SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"