diff options
author | Anuj Mittal <anuj.mittal@intel.com> | 2019-08-21 09:44:45 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-08-22 22:48:26 +0100 |
commit | f326d31c4e16aa9b7f9dc0ca139f52594352cb85 (patch) | |
tree | ea76be812ecba90f48e6f8c2694c5736623469e3 | |
parent | 0f0c56c40c801df8cc21d946b82a1a90b8d617b4 (diff) | |
download | poky-f326d31c4e16aa9b7f9dc0ca139f52594352cb85.tar.gz |
patch: backport fixes
The original fix for CVE-2018-1000156 was incomplete. Backport more
fixes done later for a complete fix.
Also see:
https://savannah.gnu.org/bugs/index.php?53820
(From OE-Core rev: 9ea833b7d1655e042a513ea2225468c84f1c8bfb)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
3 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch new file mode 100644 index 0000000000..9891526e4e --- /dev/null +++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch | |||
@@ -0,0 +1,93 @@ | |||
1 | From 7f770b9c20da1a192dad8cb572a6391f2773285a Mon Sep 17 00:00:00 2001 | ||
2 | From: Jean Delvare <jdelvare@suse.de> | ||
3 | Date: Thu, 3 May 2018 14:31:55 +0200 | ||
4 | Subject: [PATCH 1/2] Don't leak temporary file on failed ed-style patch | ||
5 | |||
6 | Now that we write ed-style patches to a temporary file before we | ||
7 | apply them, we need to ensure that the temporary file is removed | ||
8 | before we leave, even on fatal error. | ||
9 | |||
10 | * src/pch.c (do_ed_script): Use global TMPEDNAME instead of local | ||
11 | tmpname. Don't unlink the file directly, instead tag it for removal | ||
12 | at exit time. | ||
13 | * src/patch.c (cleanup): Unlink TMPEDNAME at exit. | ||
14 | |||
15 | This closes bug #53820: | ||
16 | https://savannah.gnu.org/bugs/index.php?53820 | ||
17 | |||
18 | Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)") | ||
19 | |||
20 | Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee] | ||
21 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
22 | --- | ||
23 | src/common.h | 2 ++ | ||
24 | src/pch.c | 12 +++++------- | ||
25 | 2 files changed, 7 insertions(+), 7 deletions(-) | ||
26 | |||
27 | diff --git a/src/common.h b/src/common.h | ||
28 | index ec50b40..22238b5 100644 | ||
29 | --- a/src/common.h | ||
30 | +++ b/src/common.h | ||
31 | @@ -94,10 +94,12 @@ XTERN char const *origsuff; | ||
32 | XTERN char const * TMPINNAME; | ||
33 | XTERN char const * TMPOUTNAME; | ||
34 | XTERN char const * TMPPATNAME; | ||
35 | +XTERN char const * TMPEDNAME; | ||
36 | |||
37 | XTERN bool TMPINNAME_needs_removal; | ||
38 | XTERN bool TMPOUTNAME_needs_removal; | ||
39 | XTERN bool TMPPATNAME_needs_removal; | ||
40 | +XTERN bool TMPEDNAME_needs_removal; | ||
41 | |||
42 | #ifdef DEBUGGING | ||
43 | XTERN int debug; | ||
44 | diff --git a/src/pch.c b/src/pch.c | ||
45 | index 16e001a..c1a62cf 100644 | ||
46 | --- a/src/pch.c | ||
47 | +++ b/src/pch.c | ||
48 | @@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char const *outname, | ||
49 | file_offset beginning_of_this_line; | ||
50 | size_t chars_read; | ||
51 | FILE *tmpfp = 0; | ||
52 | - char const *tmpname; | ||
53 | int tmpfd; | ||
54 | pid_t pid; | ||
55 | |||
56 | @@ -2404,12 +2403,13 @@ do_ed_script (char const *inname, char const *outname, | ||
57 | invalid commands and treats the next line as a new command, which | ||
58 | can lead to arbitrary command execution. */ | ||
59 | |||
60 | - tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0); | ||
61 | + tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0); | ||
62 | if (tmpfd == -1) | ||
63 | - pfatal ("Can't create temporary file %s", quotearg (tmpname)); | ||
64 | + pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME)); | ||
65 | + TMPEDNAME_needs_removal = true; | ||
66 | tmpfp = fdopen (tmpfd, "w+b"); | ||
67 | if (! tmpfp) | ||
68 | - pfatal ("Can't open stream for file %s", quotearg (tmpname)); | ||
69 | + pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME)); | ||
70 | } | ||
71 | |||
72 | for (;;) { | ||
73 | @@ -2449,8 +2449,7 @@ do_ed_script (char const *inname, char const *outname, | ||
74 | write_fatal (); | ||
75 | |||
76 | if (lseek (tmpfd, 0, SEEK_SET) == -1) | ||
77 | - pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname)); | ||
78 | - | ||
79 | + pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME)); | ||
80 | if (! dry_run && ! skip_rest_of_patch) { | ||
81 | int exclusive = *outname_needs_removal ? 0 : O_EXCL; | ||
82 | *outname_needs_removal = true; | ||
83 | @@ -2482,7 +2481,6 @@ do_ed_script (char const *inname, char const *outname, | ||
84 | } | ||
85 | |||
86 | fclose (tmpfp); | ||
87 | - safe_unlink (tmpname); | ||
88 | |||
89 | if (ofp) | ||
90 | { | ||
91 | -- | ||
92 | 2.17.0 | ||
93 | |||
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch new file mode 100644 index 0000000000..d6a219a1b1 --- /dev/null +++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch | |||
@@ -0,0 +1,80 @@ | |||
1 | From 369dcccdfa6336e5a873d6d63705cfbe04c55727 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jean Delvare <jdelvare@suse.de> | ||
3 | Date: Mon, 7 May 2018 15:14:45 +0200 | ||
4 | Subject: Don't leak temporary file on failed multi-file ed-style patch | ||
5 | |||
6 | The previous fix worked fine with single-file ed-style patches, but | ||
7 | would still leak temporary files in the case of multi-file ed-style | ||
8 | patch. Fix that case as well, and extend the test case to check for | ||
9 | it. | ||
10 | |||
11 | * src/patch.c (main): Unlink TMPEDNAME if needed before moving to | ||
12 | the next file in a patch. | ||
13 | |||
14 | This closes bug #53820: | ||
15 | https://savannah.gnu.org/bugs/index.php?53820 | ||
16 | |||
17 | Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)") | ||
18 | Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch") | ||
19 | |||
20 | Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=369dcccdfa6336e5a873d6d63705cfbe04c55727] | ||
21 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
22 | --- | ||
23 | src/patch.c | 1 + | ||
24 | tests/ed-style | 31 +++++++++++++++++++++++++++++++ | ||
25 | 2 files changed, 32 insertions(+) | ||
26 | |||
27 | diff --git a/src/patch.c b/src/patch.c | ||
28 | index 9146597..81c7a02 100644 | ||
29 | --- a/src/patch.c | ||
30 | +++ b/src/patch.c | ||
31 | @@ -236,6 +236,7 @@ main (int argc, char **argv) | ||
32 | } | ||
33 | remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal); | ||
34 | } | ||
35 | + remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal); | ||
36 | |||
37 | if (! skip_rest_of_patch && ! file_type) | ||
38 | { | ||
39 | diff --git a/tests/ed-style b/tests/ed-style | ||
40 | index 6b6ef9d..504e6e5 100644 | ||
41 | --- a/tests/ed-style | ||
42 | +++ b/tests/ed-style | ||
43 | @@ -38,3 +38,34 @@ EOF | ||
44 | check 'cat foo' <<EOF | ||
45 | foo | ||
46 | EOF | ||
47 | + | ||
48 | +# Test the case where one ed-style patch modifies several files | ||
49 | + | ||
50 | +cat > ed3.diff <<EOF | ||
51 | +--- foo | ||
52 | ++++ foo | ||
53 | +1c | ||
54 | +bar | ||
55 | +. | ||
56 | +--- baz | ||
57 | ++++ baz | ||
58 | +0a | ||
59 | +baz | ||
60 | +. | ||
61 | +EOF | ||
62 | + | ||
63 | +# Apparently we can't create a file with such a patch, while it works fine | ||
64 | +# when the file name is provided on the command line | ||
65 | +cat > baz <<EOF | ||
66 | +EOF | ||
67 | + | ||
68 | +check 'patch -e -i ed3.diff' <<EOF | ||
69 | +EOF | ||
70 | + | ||
71 | +check 'cat foo' <<EOF | ||
72 | +bar | ||
73 | +EOF | ||
74 | + | ||
75 | +check 'cat baz' <<EOF | ||
76 | +baz | ||
77 | +EOF | ||
78 | -- | ||
79 | cgit v1.0-41-gc330 | ||
80 | |||
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb index 8908910f74..5d7f55f8dc 100644 --- a/meta/recipes-devtools/patch/patch_2.7.6.bb +++ b/meta/recipes-devtools/patch/patch_2.7.6.bb | |||
@@ -8,6 +8,8 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ | |||
8 | file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \ | 8 | file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \ |
9 | file://CVE-2019-13636.patch \ | 9 | file://CVE-2019-13636.patch \ |
10 | file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \ | 10 | file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \ |
11 | file://0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch \ | ||
12 | file://0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch \ | ||
11 | " | 13 | " |
12 | 14 | ||
13 | SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600" | 15 | SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600" |