summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-08-12 13:00:03 (GMT)
committerSona Sarmadi <sona.sarmadi@enea.com>2015-08-12 13:00:03 (GMT)
commit07b699ab37025d33af04fb20236ec5eca02f6018 (patch)
tree1c62ed2efaa2b54feaa7cb2227cd53ee84226812
parent03a7b1cc92344992b6048b6a0a5f0682de7ecc2a (diff)
downloadpoky-07b699ab37025d33af04fb20236ec5eca02f6018.tar.gz
cpio: fix CVE-2015-1197
Fixes directory traversal vulnerability via symlinks Initial report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669 Upstream report: https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch154
-rw-r--r--meta/recipes-extended/cpio/cpio_2.11.bb1
2 files changed, 155 insertions, 0 deletions
diff --git a/meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch b/meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch
new file mode 100644
index 0000000..b54afb8
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.11/cpio-CVE-2015-1197.patch
@@ -0,0 +1,154 @@
1Description: CVE-2015-1197
2 Apply patch by Vitezslav Cizek of SuSE to fix CVE-2015-1197.
3 Upstream is dormant or no longer existing. To restore the old
4 behaviour use --extract-over-symlinks (Closes: #774669)
5 This issue has been discovered by Alexander Cherepanov.
6Author: Vitezslav Cizek <vcizek@suse.cz>
7Bug-Debian: https://bugs.debian.org/774669
8
9Upstream-Status: Backport
10
11Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
12
13--- cpio-2.11+dfsg.orig/doc/cpio.1
14+++ cpio-2.11+dfsg/doc/cpio.1
15@@ -22,6 +22,7 @@ cpio \- copy files to and from archives
16 [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message]
17 [\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse]
18 [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] [\-\-rsh-command=command]
19+[\-\-extract\-over\-symlinks]
20 [\-\-help] [\-\-version] [pattern...] [< archive]
21
22 .B cpio
23--- cpio-2.11+dfsg.orig/src/copyin.c
24+++ cpio-2.11+dfsg/src/copyin.c
25@@ -700,6 +700,51 @@ copyin_link (struct cpio_file_stat *file
26 free (link_name);
27 }
28
29+
30+static int
31+path_contains_symlink(char *path)
32+{
33+ struct stat st;
34+ char *slash;
35+ char *nextslash;
36+
37+ /* we got NULL pointer or empty string */
38+ if (!path || !*path) {
39+ return false;
40+ }
41+
42+ slash = path;
43+
44+ while ((nextslash = strchr(slash + 1, '/')) != NULL) {
45+ slash = nextslash;
46+ *slash = '\0';
47+
48+ if (lstat(path, &st) != 0) {
49+ if (errno == ELOOP) {
50+ /* ELOOP - too many symlinks */
51+ *slash = '/';
52+ return true;
53+ } else if (errno == ENOMEM) {
54+ /* No memory for lstat - terminate */
55+ xalloc_die();
56+ } else {
57+ /* cannot lstat path - give up */
58+ *slash = '/';
59+ return false;
60+ }
61+ }
62+
63+ if (S_ISLNK(st.st_mode)) {
64+ *slash = '/';
65+ return true;
66+ }
67+
68+ *slash = '/';
69+ }
70+
71+ return false;
72+}
73+
74 static void
75 copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)
76 {
77@@ -1471,6 +1516,23 @@ process_copy_in ()
78 {
79 /* Copy the input file into the directory structure. */
80
81+ /* Can we write files over symlinks? */
82+ if (!extract_over_symlinks)
83+ {
84+ if (path_contains_symlink(file_hdr.c_name))
85+ {
86+ /* skip the file */
87+ /*
88+ fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name);
89+ tape_toss_input (in_file_des, file_hdr.c_filesize);
90+ tape_skip_padding (in_file_des, file_hdr.c_filesize);
91+ continue;
92+ */
93+ /* terminate */
94+ error (1, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name);
95+ }
96+ }
97+
98 /* Do we need to rename the file? */
99 if (rename_flag || rename_batch_file)
100 {
101--- cpio-2.11+dfsg.orig/src/extern.h
102+++ cpio-2.11+dfsg/src/extern.h
103@@ -95,6 +95,7 @@ extern char input_is_special;
104 extern char output_is_special;
105 extern char input_is_seekable;
106 extern char output_is_seekable;
107+extern bool extract_over_symlinks;
108 extern int (*xstat) ();
109 extern void (*copy_function) ();
110
111--- cpio-2.11+dfsg.orig/src/global.c
112+++ cpio-2.11+dfsg/src/global.c
113@@ -187,6 +187,9 @@ bool to_stdout_option = false;
114 /* The name this program was run with. */
115 char *program_name;
116
117+/* Extract files over symbolic links */
118+bool extract_over_symlinks;
119+
120 /* A pointer to either lstat or stat, depending on whether
121 dereferencing of symlinks is done for input files. */
122 int (*xstat) ();
123--- cpio-2.11+dfsg.orig/src/main.c
124+++ cpio-2.11+dfsg/src/main.c
125@@ -57,7 +57,8 @@ enum cpio_options {
126 FORCE_LOCAL_OPTION,
127 DEBUG_OPTION,
128 BLOCK_SIZE_OPTION,
129- TO_STDOUT_OPTION
130+ TO_STDOUT_OPTION,
131+ EXTRACT_OVER_SYMLINKS
132 };
133
134 const char *program_authors[] =
135@@ -222,6 +223,8 @@ static struct argp_option options[] = {
136 N_("Create leading directories where needed"), GRID+1 },
137 {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0,
138 N_("Do not change the ownership of the files"), GRID+1 },
139+ {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0,
140+ N_("Force writing over symbolic links"), GRID+1 },
141 {"unconditional", 'u', NULL, 0,
142 N_("Replace all files unconditionally"), GRID+1 },
143 {"sparse", SPARSE_OPTION, NULL, 0,
144@@ -412,6 +415,10 @@ crc newc odc bin ustar tar (all-caps als
145 no_chown_flag = true;
146 break;
147
148+ case EXTRACT_OVER_SYMLINKS: /* --extract-over-symlinks */
149+ extract_over_symlinks = true;
150+ break;
151+
152 case 'o': /* Copy-out mode. */
153 if (copy_function != 0)
154 error (PAXEXIT_FAILURE, 0, _("Mode already defined"));
diff --git a/meta/recipes-extended/cpio/cpio_2.11.bb b/meta/recipes-extended/cpio/cpio_2.11.bb
index 0220e8c..b248bb7 100644
--- a/meta/recipes-extended/cpio/cpio_2.11.bb
+++ b/meta/recipes-extended/cpio/cpio_2.11.bb
@@ -7,6 +7,7 @@ PR = "r4"
7 7
8SRC_URI += "file://remove-gets.patch \ 8SRC_URI += "file://remove-gets.patch \
9 file://fix-memory-overrun.patch \ 9 file://fix-memory-overrun.patch \
10 file://cpio-CVE-2015-1197.patch \
10 " 11 "
11 12
12SRC_URI[md5sum] = "1112bb6c45863468b5496ba128792f6c" 13SRC_URI[md5sum] = "1112bb6c45863468b5496ba128792f6c"