patch: backport fixes

The original fix for CVE-2018-1000156 was incomplete. Backport more fixes done later for a complete fix. Also see: https://savannah.gnu.org/bugs/index.php?53820 (From OE-Core rev: 1a3527231d3c0fa42d16c5b1980c07d68105fea2) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2019-08-21 09:58:18 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-09-30 16:44:42 +0100
commit: a110e1f58653fac65da234e63ca91584bf178b5e (patch)
tree: 453e9fa31280145a89039f3e8de928c6ce32612e
parent: 729064626e21f959659632279adbeff28decc679 (diff)
download: poky-a110e1f58653fac65da234e63ca91584bf178b5e.tar.gz
3 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
new file mode 100644
index 0000000000..9891526e4e
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
@@ -0,0 +1,93 @@
+From 7f770b9c20da1a192dad8cb572a6391f2773285a Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Thu, 3 May 2018 14:31:55 +0200
+Subject: [PATCH 1/2] Don't leak temporary file on failed ed-style patch
+Now that we write ed-style patches to a temporary file before we
+apply them, we need to ensure that the temporary file is removed
+before we leave, even on fatal error.
+* src/pch.c (do_ed_script): Use global TMPEDNAME instead of local
+  tmpname. Don't unlink the file directly, instead tag it for removal
+  at exit time.
+* src/patch.c (cleanup): Unlink TMPEDNAME at exit.
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ src/common.h |  2 ++
+ src/pch.c    | 12 +++++-------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+diff --git a/src/common.h b/src/common.h
+index ec50b40..22238b5 100644
+--- a/src/common.h
+++ b/src/common.h
+@@ -94,10 +94,12 @@ XTERN char const *origsuff;
+ XTERN char const * TMPINNAME;
+ XTERN char const * TMPOUTNAME;
+ XTERN char const * TMPPATNAME;
+XTERN char const * TMPEDNAME;
+ 
+ XTERN bool TMPINNAME_needs_removal;
+ XTERN bool TMPOUTNAME_needs_removal;
+ XTERN bool TMPPATNAME_needs_removal;
+XTERN bool TMPEDNAME_needs_removal;
+ 
+ #ifdef DEBUGGING
+ XTERN int debug;
+diff --git a/src/pch.c b/src/pch.c
+index 16e001a..c1a62cf 100644
+--- a/src/pch.c
+++ b/src/pch.c
+@@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char const *outname,
+     file_offset beginning_of_this_line;
+     size_t chars_read;
+     FILE *tmpfp = 0;
+-    char const *tmpname;
+     int tmpfd;
+     pid_t pid;
+ 
+@@ -2404,12 +2403,13 @@ do_ed_script (char const *inname, char const *outname,
+           invalid commands and treats the next line as a new command, which
+           can lead to arbitrary command execution.  */
+ 
+-       tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
+       tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0);
+        if (tmpfd == -1)
+-         pfatal ("Can't create temporary file %s", quotearg (tmpname));
+        pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME));
+        TMPEDNAME_needs_removal = true;
+        tmpfp = fdopen (tmpfd, "w+b");
+        if (! tmpfp)
+-         pfatal ("Can't open stream for file %s", quotearg (tmpname));
+        pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME));
+       }
+ 
+     for (;;) {
+@@ -2449,8 +2449,7 @@ do_ed_script (char const *inname, char const *outname,
+       write_fatal ();
+ 
+     if (lseek (tmpfd, 0, SEEK_SET) == -1)
+-      pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
+-
+        pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME));
+     if (! dry_run && ! skip_rest_of_patch) {
+        int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+        *outname_needs_removal = true;
+@@ -2482,7 +2481,6 @@ do_ed_script (char const *inname, char const *outname,
+     }
+ 
+     fclose (tmpfp);
+-    safe_unlink (tmpname);
+ 
+     if (ofp)
+       {
+-- 
+2.17.0
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
new file mode 100644
index 0000000000..d6a219a1b1
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
@@ -0,0 +1,80 @@
+From 369dcccdfa6336e5a873d6d63705cfbe04c55727 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 7 May 2018 15:14:45 +0200
+Subject: Don't leak temporary file on failed multi-file ed-style patch
+The previous fix worked fine with single-file ed-style patches, but
+would still leak temporary files in the case of multi-file ed-style
+patch. Fix that case as well, and extend the test case to check for
+it.
+* src/patch.c (main): Unlink TMPEDNAME if needed before moving to
+  the next file in a patch.
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch")
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=369dcccdfa6336e5a873d6d63705cfbe04c55727]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ src/patch.c    |  1 +
+ tests/ed-style | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+diff --git a/src/patch.c b/src/patch.c
+index 9146597..81c7a02 100644
+--- a/src/patch.c
+++ b/src/patch.c
+@@ -236,6 +236,7 @@ main (int argc, char **argv)
+            }
+          remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal);
+        }
+      remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal);
+ 
+       if (! skip_rest_of_patch && ! file_type)
+        {
+diff --git a/tests/ed-style b/tests/ed-style
+index 6b6ef9d..504e6e5 100644
+--- a/tests/ed-style
+++ b/tests/ed-style
+@@ -38,3 +38,34 @@ EOF
+ check 'cat foo' <<EOF
+ foo
+ EOF
+
+# Test the case where one ed-style patch modifies several files
+
+cat > ed3.diff <<EOF
+--- foo
++++ foo
+1c
+bar
+.
+--- baz
++++ baz
+0a
+baz
+.
+EOF
+
+# Apparently we can't create a file with such a patch, while it works fine
+# when the file name is provided on the command line
+cat > baz <<EOF
+EOF
+
+check 'patch -e -i ed3.diff' <<EOF
+EOF
+
+check 'cat foo' <<EOF
+bar
+EOF
+
+check 'cat baz' <<EOF
+baz
+EOF
+-- 
+cgit v1.0-41-gc330
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 8908910f74..5d7f55f8dc 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -8,6 +8,8 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
            file://CVE-2019-13636.patch \
            file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
+            file://0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch \
+            file://0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch \
 "
 SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
author	Anuj Mittal <anuj.mittal@intel.com>	2019-08-21 09:58:18 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-09-30 16:44:42 +0100
commit	a110e1f58653fac65da234e63ca91584bf178b5e (patch)
tree	453e9fa31280145a89039f3e8de928c6ce32612e
parent	729064626e21f959659632279adbeff28decc679 (diff)
download	poky-a110e1f58653fac65da234e63ca91584bf178b5e.tar.gz

diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch new file mode 100644 index 0000000000..9891526e4e --- /dev/null +++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
@@ -0,0 +1,93 @@
		1	From 7f770b9c20da1a192dad8cb572a6391f2773285a Mon Sep 17 00:00:00 2001
		2	From: Jean Delvare <jdelvare@suse.de>
		3	Date: Thu, 3 May 2018 14:31:55 +0200
		4	Subject: [PATCH 1/2] Don't leak temporary file on failed ed-style patch
		5
		6	Now that we write ed-style patches to a temporary file before we
		7	apply them, we need to ensure that the temporary file is removed
		8	before we leave, even on fatal error.
		9
		10	* src/pch.c (do_ed_script): Use global TMPEDNAME instead of local
		11	tmpname. Don't unlink the file directly, instead tag it for removal
		12	at exit time.
		13	* src/patch.c (cleanup): Unlink TMPEDNAME at exit.
		14
		15	This closes bug #53820:
		16	https://savannah.gnu.org/bugs/index.php?53820
		17
		18	Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
		19
		20	Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee]
		21	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		22	---
		23	src/common.h \| 2 ++
		24	src/pch.c \| 12 +++++-------
		25	2 files changed, 7 insertions(+), 7 deletions(-)
		26
		27	diff --git a/src/common.h b/src/common.h
		28	index ec50b40..22238b5 100644
		29	--- a/src/common.h
		30	+++ b/src/common.h
		31	@@ -94,10 +94,12 @@ XTERN char const *origsuff;
		32	XTERN char const * TMPINNAME;
		33	XTERN char const * TMPOUTNAME;
		34	XTERN char const * TMPPATNAME;
		35	+XTERN char const * TMPEDNAME;
		36
		37	XTERN bool TMPINNAME_needs_removal;
		38	XTERN bool TMPOUTNAME_needs_removal;
		39	XTERN bool TMPPATNAME_needs_removal;
		40	+XTERN bool TMPEDNAME_needs_removal;
		41
		42	#ifdef DEBUGGING
		43	XTERN int debug;
		44	diff --git a/src/pch.c b/src/pch.c
		45	index 16e001a..c1a62cf 100644
		46	--- a/src/pch.c
		47	+++ b/src/pch.c
		48	@@ -2392,7 +2392,6 @@ do_ed_script (char const inname, char const outname,
		49	file_offset beginning_of_this_line;
		50	size_t chars_read;
		51	FILE *tmpfp = 0;
		52	- char const *tmpname;
		53	int tmpfd;
		54	pid_t pid;
		55
		56	@@ -2404,12 +2403,13 @@ do_ed_script (char const inname, char const outname,
		57	invalid commands and treats the next line as a new command, which
		58	can lead to arbitrary command execution. */
		59
		60	- tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR \| O_BINARY, 0);
		61	+ tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR \| O_BINARY, 0);
		62	if (tmpfd == -1)
		63	- pfatal ("Can't create temporary file %s", quotearg (tmpname));
		64	+ pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME));
		65	+ TMPEDNAME_needs_removal = true;
		66	tmpfp = fdopen (tmpfd, "w+b");
		67	if (! tmpfp)
		68	- pfatal ("Can't open stream for file %s", quotearg (tmpname));
		69	+ pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME));
		70	}
		71
		72	for (;;) {
		73	@@ -2449,8 +2449,7 @@ do_ed_script (char const inname, char const outname,
		74	write_fatal ();
		75
		76	if (lseek (tmpfd, 0, SEEK_SET) == -1)
		77	- pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
		78	-
		79	+ pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME));
		80	if (! dry_run && ! skip_rest_of_patch) {
		81	int exclusive = *outname_needs_removal ? 0 : O_EXCL;
		82	*outname_needs_removal = true;
		83	@@ -2482,7 +2481,6 @@ do_ed_script (char const inname, char const outname,
		84	}
		85
		86	fclose (tmpfp);
		87	- safe_unlink (tmpname);
		88
		89	if (ofp)
		90	{
		91	--
		92	2.17.0
		93


diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch new file mode 100644 index 0000000000..d6a219a1b1 --- /dev/null +++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
@@ -0,0 +1,80 @@
		1	From 369dcccdfa6336e5a873d6d63705cfbe04c55727 Mon Sep 17 00:00:00 2001
		2	From: Jean Delvare <jdelvare@suse.de>
		3	Date: Mon, 7 May 2018 15:14:45 +0200
		4	Subject: Don't leak temporary file on failed multi-file ed-style patch
		5
		6	The previous fix worked fine with single-file ed-style patches, but
		7	would still leak temporary files in the case of multi-file ed-style
		8	patch. Fix that case as well, and extend the test case to check for
		9	it.
		10
		11	* src/patch.c (main): Unlink TMPEDNAME if needed before moving to
		12	the next file in a patch.
		13
		14	This closes bug #53820:
		15	https://savannah.gnu.org/bugs/index.php?53820
		16
		17	Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
		18	Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch")
		19
		20	Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=369dcccdfa6336e5a873d6d63705cfbe04c55727]
		21	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		22	---
		23	src/patch.c \| 1 +
		24	tests/ed-style \| 31 +++++++++++++++++++++++++++++++
		25	2 files changed, 32 insertions(+)
		26
		27	diff --git a/src/patch.c b/src/patch.c
		28	index 9146597..81c7a02 100644
		29	--- a/src/patch.c
		30	+++ b/src/patch.c
		31	@@ -236,6 +236,7 @@ main (int argc, char **argv)
		32	}
		33	remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal);
		34	}
		35	+ remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal);
		36
		37	if (! skip_rest_of_patch && ! file_type)
		38	{
		39	diff --git a/tests/ed-style b/tests/ed-style
		40	index 6b6ef9d..504e6e5 100644
		41	--- a/tests/ed-style
		42	+++ b/tests/ed-style
		43	@@ -38,3 +38,34 @@ EOF
		44	check 'cat foo' <<EOF
		45	foo
		46	EOF
		47	+
		48	+# Test the case where one ed-style patch modifies several files
		49	+
		50	+cat > ed3.diff <<EOF
		51	+--- foo
		52	++++ foo
		53	+1c
		54	+bar
		55	+.
		56	+--- baz
		57	++++ baz
		58	+0a
		59	+baz
		60	+.
		61	+EOF
		62	+
		63	+# Apparently we can't create a file with such a patch, while it works fine
		64	+# when the file name is provided on the command line
		65	+cat > baz <<EOF
		66	+EOF
		67	+
		68	+check 'patch -e -i ed3.diff' <<EOF
		69	+EOF
		70	+
		71	+check 'cat foo' <<EOF
		72	+bar
		73	+EOF
		74	+
		75	+check 'cat baz' <<EOF
		76	+baz
		77	+EOF
		78	--
		79	cgit v1.0-41-gc330
		80


diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb index 8908910f74..5d7f55f8dc 100644 --- a/meta/recipes-devtools/patch/patch_2.7.6.bb +++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -8,6 +8,8 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
8	file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \	8	file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
9	file://CVE-2019-13636.patch \	9	file://CVE-2019-13636.patch \
10	file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \	10	file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
		11	file://0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch \
		12	file://0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch \
11	"	13	"
12		14
13	SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"	15	SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"