diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2017-10-03 17:38:53 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-05 22:33:21 +0000 |
commit | e79e852db0d7a234d63e7b4d6475ea2a558846de (patch) | |
tree | a6bf355505558963e119da114dff9b855add7ec4 | |
parent | 3bbc1577d92d2e56354a34a774e702418c82c2aa (diff) | |
download | poky-e79e852db0d7a234d63e7b4d6475ea2a558846de.tar.gz |
busybox: Fix CVE-2011-5325
(From OE-Core rev: b1c25a68bfcf8309557867eb533b50ce489bc06e)
Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com>
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rwxr-xr-x | meta/recipes-core/busybox/busybox/CVE-2011-5325.patch | 481 | ||||
-rw-r--r-- | meta/recipes-core/busybox/busybox_1.27.2.bb | 1 |
2 files changed, 482 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/CVE-2011-5325.patch b/meta/recipes-core/busybox/busybox/CVE-2011-5325.patch new file mode 100755 index 0000000000..0926107bea --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2011-5325.patch | |||
@@ -0,0 +1,481 @@ | |||
1 | busybox-1.27.2: Fix CVE-2011-5325 | ||
2 | |||
3 | [No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=8411 | ||
4 | |||
5 | libarchive: do not extract unsafe symlinks | ||
6 | |||
7 | Prevent unsafe links extracting unless env variable $EXTRACT_UNSAFE_SYMLINKS=1 | ||
8 | is not set. Untarring file with -C DESTDIR parameter could be extracted with | ||
9 | unwanted symlinks. This doesn't feel right, and IIRC GNU tar doesn't do that. | ||
10 | Include necessary changes from previous commits. | ||
11 | |||
12 | Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7] | ||
13 | CVE: CVE-2011-5325 | ||
14 | bug: 8411 | ||
15 | Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com> | ||
16 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> | ||
17 | |||
18 | diff --git a/archival/libarchive/Kbuild.src b/archival/libarchive/Kbuild.src | ||
19 | index 942e755..e1a8a75 100644 | ||
20 | --- a/archival/libarchive/Kbuild.src | ||
21 | +++ b/archival/libarchive/Kbuild.src | ||
22 | @@ -12,6 +12,8 @@ COMMON_FILES:= \ | ||
23 | data_extract_all.o \ | ||
24 | data_extract_to_stdout.o \ | ||
25 | \ | ||
26 | + unsafe_symlink_target.o \ | ||
27 | +\ | ||
28 | filter_accept_all.o \ | ||
29 | filter_accept_list.o \ | ||
30 | filter_accept_reject_list.o \ | ||
31 | diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c | ||
32 | index 1830ffb..b828b65 100644 | ||
33 | --- a/archival/libarchive/data_extract_all.c | ||
34 | +++ b/archival/libarchive/data_extract_all.c | ||
35 | @@ -128,10 +128,9 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle) | ||
36 | res = link(hard_link, dst_name); | ||
37 | if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) { | ||
38 | /* shared message */ | ||
39 | - bb_perror_msg("can't create %slink " | ||
40 | - "%s to %s", "hard", | ||
41 | - dst_name, | ||
42 | - hard_link); | ||
43 | + bb_perror_msg("can't create %slink '%s' to '%s'", | ||
44 | + "hard", dst_name, hard_link | ||
45 | + ); | ||
46 | } | ||
47 | /* Hardlinks have no separate mode/ownership, skip chown/chmod */ | ||
48 | goto ret; | ||
49 | @@ -178,15 +177,17 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle) | ||
50 | case S_IFLNK: | ||
51 | /* Symlink */ | ||
52 | //TODO: what if file_header->link_target == NULL (say, corrupted tarball?) | ||
53 | - res = symlink(file_header->link_target, dst_name); | ||
54 | - if (res != 0 | ||
55 | - && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET) | ||
56 | - ) { | ||
57 | - /* shared message */ | ||
58 | - bb_perror_msg("can't create %slink " | ||
59 | - "%s to %s", "sym", | ||
60 | - dst_name, | ||
61 | - file_header->link_target); | ||
62 | + if (!unsafe_symlink_target(file_header->link_target)) { | ||
63 | + res = symlink(file_header->link_target, dst_name); | ||
64 | + if (res != 0 | ||
65 | + && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET) | ||
66 | + ) { | ||
67 | + /* shared message */ | ||
68 | + bb_perror_msg("can't create %slink '%s' to '%s'", | ||
69 | + "sym", | ||
70 | + dst_name, file_header->link_target | ||
71 | + ); | ||
72 | + } | ||
73 | } | ||
74 | break; | ||
75 | case S_IFSOCK: | ||
76 | diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c | ||
77 | new file mode 100644 | ||
78 | index 0000000..ee46e28 | ||
79 | --- /dev/null | ||
80 | +++ b/archival/libarchive/unsafe_symlink_target.c | ||
81 | @@ -0,0 +1,48 @@ | ||
82 | +/* vi: set sw=4 ts=4: */ | ||
83 | +/* | ||
84 | + * Licensed under GPLv2 or later, see file LICENSE in this source tree. | ||
85 | + */ | ||
86 | +#include "libbb.h" | ||
87 | +#include "bb_archive.h" | ||
88 | + | ||
89 | +int FAST_FUNC unsafe_symlink_target(const char *target) | ||
90 | +{ | ||
91 | + const char *dot; | ||
92 | + | ||
93 | + if (target[0] == '/') { | ||
94 | + const char *var; | ||
95 | +unsafe: | ||
96 | + var = getenv("EXTRACT_UNSAFE_SYMLINKS"); | ||
97 | + if (var) { | ||
98 | + if (LONE_CHAR(var, '1')) | ||
99 | + return 0; /* pretend it's safe */ | ||
100 | + return 1; /* "UNSAFE!" */ | ||
101 | + } | ||
102 | + bb_error_msg("skipping unsafe symlink to '%s' in archive," | ||
103 | + " set %s=1 to extract", | ||
104 | + target, | ||
105 | + "EXTRACT_UNSAFE_SYMLINKS" | ||
106 | + ); | ||
107 | + /* Prevent further messages */ | ||
108 | + setenv("EXTRACT_UNSAFE_SYMLINKS", "0", 0); | ||
109 | + return 1; /* "UNSAFE!" */ | ||
110 | + } | ||
111 | + | ||
112 | + dot = target; | ||
113 | + for (;;) { | ||
114 | + dot = strchr(dot, '.'); | ||
115 | + if (!dot) | ||
116 | + return 0; /* safe target */ | ||
117 | + | ||
118 | + /* Is it a path component starting with ".."? */ | ||
119 | + if ((dot[1] == '.') | ||
120 | + && (dot == target || dot[-1] == '/') | ||
121 | + /* Is it exactly ".."? */ | ||
122 | + && (dot[2] == '/' || dot[2] == '\0') | ||
123 | + ) { | ||
124 | + goto unsafe; | ||
125 | + } | ||
126 | + /* NB: it can even be trailing ".", should only add 1 */ | ||
127 | + dot += 1; | ||
128 | + } | ||
129 | +} | ||
130 | \ No newline at end of file | ||
131 | diff --git a/archival/unzip.c b/archival/unzip.c | ||
132 | index 9037262..270e261 100644 | ||
133 | --- a/archival/unzip.c | ||
134 | +++ b/archival/unzip.c | ||
135 | @@ -335,6 +335,44 @@ static void unzip_create_leading_dirs(const char *fn) | ||
136 | free(name); | ||
137 | } | ||
138 | |||
139 | +static void unzip_extract_symlink(zip_header_t *zip, const char *dst_fn) | ||
140 | +{ | ||
141 | + char *target; | ||
142 | + | ||
143 | + if (zip->fmt.ucmpsize > 0xfff) /* no funny business please */ | ||
144 | + bb_error_msg_and_die("bad archive"); | ||
145 | + | ||
146 | + if (zip->fmt.method == 0) { | ||
147 | + /* Method 0 - stored (not compressed) */ | ||
148 | + target = xzalloc(zip->fmt.ucmpsize + 1); | ||
149 | + xread(zip_fd, target, zip->fmt.ucmpsize); | ||
150 | + } else { | ||
151 | +#if 1 | ||
152 | + bb_error_msg_and_die("compressed symlink is not supported"); | ||
153 | +#else | ||
154 | + transformer_state_t xstate; | ||
155 | + init_transformer_state(&xstate); | ||
156 | + xstate.mem_output_size_max = zip->fmt.ucmpsize; | ||
157 | + /* ...unpack... */ | ||
158 | + if (!xstate.mem_output_buf) | ||
159 | + WTF(); | ||
160 | + target = xstate.mem_output_buf; | ||
161 | + target = xrealloc(target, xstate.mem_output_size + 1); | ||
162 | + target[xstate.mem_output_size] = '\0'; | ||
163 | +#endif | ||
164 | + } | ||
165 | + if (!unsafe_symlink_target(target)) { | ||
166 | +//TODO: libbb candidate | ||
167 | + if (symlink(target, dst_fn)) { | ||
168 | + /* shared message */ | ||
169 | + bb_perror_msg_and_die("can't create %slink '%s' to '%s'", | ||
170 | + "sym", dst_fn, target | ||
171 | + ); | ||
172 | + } | ||
173 | + } | ||
174 | + free(target); | ||
175 | +} | ||
176 | + | ||
177 | static void unzip_extract(zip_header_t *zip, int dst_fd) | ||
178 | { | ||
179 | transformer_state_t xstate; | ||
180 | @@ -813,7 +851,7 @@ int unzip_main(int argc, char **argv) | ||
181 | } | ||
182 | check_file: | ||
183 | /* Extract file */ | ||
184 | - if (stat(dst_fn, &stat_buf) == -1) { | ||
185 | + if (lstat(dst_fn, &stat_buf) == -1) { | ||
186 | /* File does not exist */ | ||
187 | if (errno != ENOENT) { | ||
188 | bb_perror_msg_and_die("can't stat '%s'", dst_fn); | ||
189 | @@ -834,6 +872,7 @@ int unzip_main(int argc, char **argv) | ||
190 | goto do_open_and_extract; | ||
191 | printf("replace %s? [y]es, [n]o, [A]ll, [N]one, [r]ename: ", dst_fn); | ||
192 | my_fgets80(key_buf); | ||
193 | +//TODO: redo lstat + ISREG check! user input could have taken a long time! | ||
194 | |||
195 | switch (key_buf[0]) { | ||
196 | case 'A': | ||
197 | @@ -842,7 +881,8 @@ int unzip_main(int argc, char **argv) | ||
198 | do_open_and_extract: | ||
199 | unzip_create_leading_dirs(dst_fn); | ||
200 | #if ENABLE_FEATURE_UNZIP_CDF | ||
201 | - dst_fd = xopen3(dst_fn, O_WRONLY | O_CREAT | O_TRUNC, file_mode); | ||
202 | + if (!S_ISLNK(file_mode)) | ||
203 | + dst_fd = xopen3(dst_fn, O_WRONLY | O_CREAT | O_TRUNC, file_mode); | ||
204 | #else | ||
205 | dst_fd = xopen(dst_fn, O_WRONLY | O_CREAT | O_TRUNC); | ||
206 | #endif | ||
207 | @@ -852,10 +892,18 @@ int unzip_main(int argc, char **argv) | ||
208 | ? " extracting: %s\n" | ||
209 | : */ " inflating: %s\n", dst_fn); | ||
210 | } | ||
211 | - unzip_extract(&zip, dst_fd); | ||
212 | - if (dst_fd != STDOUT_FILENO) { | ||
213 | - /* closing STDOUT is potentially bad for future business */ | ||
214 | - close(dst_fd); | ||
215 | +#if ENABLE_FEATURE_UNZIP_CDF | ||
216 | + if (S_ISLNK(file_mode)) { | ||
217 | + if (dst_fd != STDOUT_FILENO) /* no -p */ | ||
218 | + unzip_extract_symlink(&zip, dst_fn); | ||
219 | + } else | ||
220 | +#endif | ||
221 | + { | ||
222 | + unzip_extract(&zip, dst_fd); | ||
223 | + if (dst_fd != STDOUT_FILENO) { | ||
224 | + /* closing STDOUT is potentially bad for future business */ | ||
225 | + close(dst_fd); | ||
226 | + }; | ||
227 | } | ||
228 | break; | ||
229 | |||
230 | diff --git a/coreutils/link.c b/coreutils/link.c | ||
231 | index ac3ef85..aab249d 100644 | ||
232 | --- a/coreutils/link.c | ||
233 | +++ b/coreutils/link.c | ||
234 | @@ -32,9 +32,8 @@ int link_main(int argc UNUSED_PARAM, char **argv) | ||
235 | argv += optind; | ||
236 | if (link(argv[0], argv[1]) != 0) { | ||
237 | /* shared message */ | ||
238 | - bb_perror_msg_and_die("can't create %slink " | ||
239 | - "%s to %s", "hard", | ||
240 | - argv[1], argv[0] | ||
241 | + bb_perror_msg_and_die("can't create %slink '%s' to '%s'", | ||
242 | + "hard", argv[1], argv[0] | ||
243 | ); | ||
244 | } | ||
245 | return EXIT_SUCCESS; | ||
246 | diff --git a/include/bb_archive.h b/include/bb_archive.h | ||
247 | index 2b9c5f0..1e4da3c 100644 | ||
248 | --- a/include/bb_archive.h | ||
249 | +++ b/include/bb_archive.h | ||
250 | @@ -196,6 +196,7 @@ void seek_by_jump(int fd, off_t amount) FAST_FUNC; | ||
251 | void seek_by_read(int fd, off_t amount) FAST_FUNC; | ||
252 | |||
253 | const char *strip_unsafe_prefix(const char *str) FAST_FUNC; | ||
254 | +int unsafe_symlink_target(const char *target) FAST_FUNC; | ||
255 | |||
256 | void data_align(archive_handle_t *archive_handle, unsigned boundary) FAST_FUNC; | ||
257 | const llist_t *find_list_entry(const llist_t *list, const char *filename) FAST_FUNC; | ||
258 | diff --git a/libbb/copy_file.c b/libbb/copy_file.c | ||
259 | index 23c0f83..be90066 100644 | ||
260 | --- a/libbb/copy_file.c | ||
261 | +++ b/libbb/copy_file.c | ||
262 | @@ -371,7 +371,10 @@ int FAST_FUNC copy_file(const char *source, const char *dest, int flags) | ||
263 | int r = symlink(lpath, dest); | ||
264 | free(lpath); | ||
265 | if (r < 0) { | ||
266 | - bb_perror_msg("can't create symlink '%s'", dest); | ||
267 | + /* shared message */ | ||
268 | + bb_perror_msg("can't create %slink '%s' to '%s'", | ||
269 | + "sym", dest, lpath | ||
270 | + ); | ||
271 | return -1; | ||
272 | } | ||
273 | if (flags & FILEUTILS_PRESERVE_STATUS) | ||
274 | diff --git a/testsuite/tar.tests b/testsuite/tar.tests | ||
275 | index 9f7ce15..b7cd74c 100755 | ||
276 | --- a/testsuite/tar.tests | ||
277 | +++ b/testsuite/tar.tests | ||
278 | @@ -10,9 +10,6 @@ unset LC_COLLATE | ||
279 | unset LC_ALL | ||
280 | umask 022 | ||
281 | |||
282 | -rm -rf tar.tempdir 2>/dev/null | ||
283 | -mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
284 | - | ||
285 | # testing "test name" "script" "expected result" "file input" "stdin" | ||
286 | |||
287 | testing "Empty file is not a tarball" '\ | ||
288 | @@ -53,6 +50,7 @@ dd if=/dev/zero bs=512 count=20 2>/dev/null | tar xvf - 2>&1; echo $? | ||
289 | "" "" | ||
290 | SKIP= | ||
291 | |||
292 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
293 | # "tar cf test.tar input input_dir/ input_hard1 input_hard2 input_hard1 input_dir/ input": | ||
294 | # GNU tar 1.26 records as hardlinks: | ||
295 | # input_hard2 -> input_hard1 | ||
296 | @@ -64,7 +62,6 @@ SKIP= | ||
297 | # We also don't use "hrw-r--r--" notation for hardlinks in "tar tv" listing. | ||
298 | optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES | ||
299 | testing "tar hardlinks and repeated files" '\ | ||
300 | -rm -rf input_* test.tar 2>/dev/null | ||
301 | >input_hard1 | ||
302 | ln input_hard1 input_hard2 | ||
303 | mkdir input_dir | ||
304 | @@ -95,10 +92,11 @@ drwxr-xr-x input_dir | ||
305 | " \ | ||
306 | "" "" | ||
307 | SKIP= | ||
308 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
309 | |||
310 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
311 | optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES | ||
312 | testing "tar hardlinks mode" '\ | ||
313 | -rm -rf input_* test.tar 2>/dev/null | ||
314 | >input_hard1 | ||
315 | chmod 741 input_hard1 | ||
316 | ln input_hard1 input_hard2 | ||
317 | @@ -128,10 +126,11 @@ Ok: 0 | ||
318 | " \ | ||
319 | "" "" | ||
320 | SKIP= | ||
321 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
322 | |||
323 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
324 | optional FEATURE_TAR_CREATE FEATURE_LS_SORTFILES | ||
325 | testing "tar symlinks mode" '\ | ||
326 | -rm -rf input_* test.tar 2>/dev/null | ||
327 | >input_file | ||
328 | chmod 741 input_file | ||
329 | ln -s input_file input_soft | ||
330 | @@ -159,10 +158,11 @@ lrwxrwxrwx input_file | ||
331 | " \ | ||
332 | "" "" | ||
333 | SKIP= | ||
334 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
335 | |||
336 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
337 | optional FEATURE_TAR_CREATE FEATURE_TAR_LONG_OPTIONS | ||
338 | testing "tar --overwrite" "\ | ||
339 | -rm -rf input_* test.tar 2>/dev/null | ||
340 | ln input input_hard | ||
341 | tar cf test.tar input_hard | ||
342 | echo WRONG >input | ||
343 | @@ -174,12 +174,13 @@ Ok | ||
344 | " \ | ||
345 | "Ok\n" "" | ||
346 | SKIP= | ||
347 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
348 | |||
349 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
350 | test x"$SKIP_KNOWN_BUGS" = x"" && { | ||
351 | # Needs to be run under non-root for meaningful test | ||
352 | optional FEATURE_TAR_CREATE | ||
353 | testing "tar writing into read-only dir" '\ | ||
354 | -rm -rf input_* test.tar 2>/dev/null | ||
355 | mkdir input_dir | ||
356 | >input_dir/input_file | ||
357 | chmod 550 input_dir | ||
358 | @@ -201,7 +202,9 @@ dr-xr-x--- input_dir | ||
359 | "" "" | ||
360 | SKIP= | ||
361 | } | ||
362 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
363 | |||
364 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
365 | # Had a bug where on extract autodetect first "switched off" -z | ||
366 | # and then failed to recognize .tgz extension | ||
367 | optional FEATURE_TAR_CREATE FEATURE_SEAMLESS_GZ GUNZIP | ||
368 | @@ -217,7 +220,9 @@ Ok | ||
369 | " \ | ||
370 | "" "" | ||
371 | SKIP= | ||
372 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
373 | |||
374 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
375 | # Do we detect XZ-compressed data (even w/o .tar.xz or txz extension)? | ||
376 | # (the uuencoded hello_world.txz contains one empty file named "hello_world") | ||
377 | optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_XZ | ||
378 | @@ -236,7 +241,9 @@ AAAEWVo= | ||
379 | ==== | ||
380 | " | ||
381 | SKIP= | ||
382 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
383 | |||
384 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
385 | # On extract, everything up to and including last ".." component is stripped | ||
386 | optional FEATURE_TAR_CREATE | ||
387 | testing "tar strips /../ on extract" "\ | ||
388 | @@ -255,7 +262,9 @@ Ok | ||
389 | " \ | ||
390 | "" "" | ||
391 | SKIP= | ||
392 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
393 | |||
394 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
395 | # attack.tar.bz2 has symlink pointing to a system file | ||
396 | # followed by a regular file with the same name | ||
397 | # containing "root::0:0::/root:/bin/sh": | ||
398 | @@ -270,6 +279,7 @@ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2 | ||
399 | testing "tar does not extract into symlinks" "\ | ||
400 | >>/tmp/passwd && uudecode -o input && tar xf input 2>&1 && rm passwd; cat /tmp/passwd; echo \$? | ||
401 | " "\ | ||
402 | +tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract | ||
403 | 0 | ||
404 | " \ | ||
405 | "" "\ | ||
406 | @@ -281,12 +291,15 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI= | ||
407 | ==== | ||
408 | " | ||
409 | SKIP= | ||
410 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
411 | + | ||
412 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
413 | # And same with -k | ||
414 | optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2 | ||
415 | testing "tar -k does not extract into symlinks" "\ | ||
416 | >>/tmp/passwd && uudecode -o input && tar xf input -k 2>&1 && rm passwd; cat /tmp/passwd; echo \$? | ||
417 | " "\ | ||
418 | -tar: can't open 'passwd': File exists | ||
419 | +tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract | ||
420 | 0 | ||
421 | " \ | ||
422 | "" "\ | ||
423 | @@ -298,7 +311,9 @@ l4/V8LDoe90yiWJhOJvIypgEfxdyRThQkBVn/bI= | ||
424 | ==== | ||
425 | " | ||
426 | SKIP= | ||
427 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
428 | |||
429 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
430 | optional UNICODE_SUPPORT FEATURE_TAR_GNU_EXTENSIONS FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT | ||
431 | testing "Pax-encoded UTF8 names and symlinks" '\ | ||
432 | tar xvf ../tar.utf8.tar.bz2 2>&1; echo $? | ||
433 | @@ -309,17 +324,45 @@ rm -rf etc usr | ||
434 | ' "\ | ||
435 | etc/ssl/certs/3b2716e5.0 | ||
436 | etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem | ||
437 | +tar: skipping unsafe symlink to '/usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract | ||
438 | etc/ssl/certs/f80cc7f6.0 | ||
439 | usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt | ||
440 | 0 | ||
441 | etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem | ||
442 | -etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt | ||
443 | etc/ssl/certs/f80cc7f6.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem | ||
444 | " \ | ||
445 | "" "" | ||
446 | SKIP= | ||
447 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
448 | |||
449 | - | ||
450 | -cd .. && rm -rf tar.tempdir || exit 1 | ||
451 | +mkdir tar.tempdir && cd tar.tempdir || exit 1 | ||
452 | +optional UUDECODE FEATURE_SEAMLESS_BZ2 FEATURE_TAR_AUTODETECT | ||
453 | +testing "Symlink attack: create symlink and then write through it" '\ | ||
454 | +exec 2>&1 | ||
455 | +uudecode -o input && tar xvf input; echo $? | ||
456 | +ls /tmp/bb_test_evilfile | ||
457 | +ls bb_test_evilfile | ||
458 | +ls symlink/bb_test_evilfile | ||
459 | +' "\ | ||
460 | +anything.txt | ||
461 | +symlink | ||
462 | +tar: skipping unsafe symlink to '/tmp' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract | ||
463 | +symlink/bb_test_evilfile | ||
464 | +0 | ||
465 | +ls: /tmp/bb_test_evilfile: No such file or directory | ||
466 | +ls: bb_test_evilfile: No such file or directory | ||
467 | +symlink/bb_test_evilfile | ||
468 | +" \ | ||
469 | +"" "\ | ||
470 | +begin-base64 644 tar_symlink_attack.tar.bz2 | ||
471 | +QlpoOTFBWSZTWZgs7bQAALT/hMmQAFBAAf+AEMAGJPPv32AAAIAIMAC5thlR | ||
472 | +omAjAmCMADQT1BqNE0AEwAAjAEwElTKeo9NTR6h6gaeoA0DQNLVdwZZ5iNTk | ||
473 | +AQwCAV6S00QFJYhrlfFkVCEDEGtgNVqYrI0uK3ggnt30gqk4e1TTQm5QIAKa | ||
474 | +SJqzRGSFLMmOloHSAcvLiFxxRiQtQZF+qPxbo173ZDISOAoNoPN4PQPhBhKS | ||
475 | +n8fYaKlioCTzL2oXYczyUUIP4u5IpwoSEwWdtoA= | ||
476 | +==== | ||
477 | +" | ||
478 | +SKIP= | ||
479 | +cd .. || exit 1; rm -rf tar.tempdir 2>/dev/null | ||
480 | |||
481 | exit $FAILCOUNT | ||
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb index 47b4f48761..575127ec42 100644 --- a/meta/recipes-core/busybox/busybox_1.27.2.bb +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb | |||
@@ -42,6 +42,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ | |||
42 | file://rcK \ | 42 | file://rcK \ |
43 | file://runlevel \ | 43 | file://runlevel \ |
44 | file://makefile-libbb-race.patch \ | 44 | file://makefile-libbb-race.patch \ |
45 | file://CVE-2011-5325.patch \ | ||
45 | " | 46 | " |
46 | SRC_URI_append_libc-musl = " file://musl.cfg " | 47 | SRC_URI_append_libc-musl = " file://musl.cfg " |
47 | 48 | ||