summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authoryanjun.zhu <yanjun.zhu@windriver.com>2012-11-30 11:41:23 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2012-12-13 15:21:42 (GMT)
commitcde4273308ba38da164b96cfaa5efc4e3d0081ac (patch)
tree9b898869da157190031627488f298369e4a2a74f
parentbbd2e8e5178d52d7632df4e0fd94dfbe0cd4c9a2 (diff)
downloadpoky-cde4273308ba38da164b96cfaa5efc4e3d0081ac.tar.gz
squashfs: fix for CVE-2012-4024
Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p= squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123 Fix potential stack overflow in get_component() where an individual pathname component in an extract file (specified on the command line or in an extract file) could exceed the 1024 byte sized targname allocated on the stack. Fix by dynamically allocating targname rather than storing it as a fixed size on the stack. [YOCTO #3513] (From OE-Core rev: a45ec682748b0d6e5bb21af04d205edb5ef1360e) Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch72
-rw-r--r--meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb3
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
new file mode 100644
index 0000000..8b9904f
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -0,0 +1,72 @@
1Upstream-Status: Backport
2
3Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
4squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
5
6Fix potential stack overflow in get_component() where an individual
7pathname component in an extract file (specified on the command line
8or in an extract file) could exceed the 1024 byte sized targname
9allocated on the stack.
10
11Fix by dynamically allocating targname rather than storing it as
12a fixed size on the stack.
13
14Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
15diff -urpN a/unsquashfs.c b/unsquashfs.c
16--- a/unsquashfs.c 2012-11-29 17:04:08.000000000 +0800
17+++ b/unsquashfs.c 2012-11-29 17:04:25.000000000 +0800
18@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
19 }
20
21
22-char *get_component(char *target, char *targname)
23+char *get_component(char *target, char **targname)
24 {
25+ char *start;
26+
27 while(*target == '/')
28 target ++;
29
30+ start = target;
31 while(*target != '/' && *target!= '\0')
32- *targname ++ = *target ++;
33+ target ++;
34
35- *targname = '\0';
36+ *targname = strndup(start, target - start);
37
38 return target;
39 }
40@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
41
42 struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
43 {
44- char targname[1024];
45+ char *targname;
46 int i, error;
47
48 TRACE("add_path: adding \"%s\" extract file\n", target);
49
50- target = get_component(target, targname);
51+ target = get_component(target, &targname);
52
53 if(paths == NULL) {
54 paths = malloc(sizeof(struct pathname));
55@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
56 sizeof(struct path_entry));
57 if(paths->name == NULL)
58 EXIT_UNSQUASH("Out of memory in add_path\n");
59- paths->name[i].name = strdup(targname);
60+ paths->name[i].name = targname;
61 paths->name[i].paths = NULL;
62 if(use_regex) {
63 paths->name[i].preg = malloc(sizeof(regex_t));
64@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
65 /*
66 * existing matching entry
67 */
68+ free(targname);
69+
70 if(paths->name[i].paths == NULL) {
71 /*
72 * No sub-directory which means this is the leaf
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
index c54081b..9922f1e 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
@@ -3,6 +3,7 @@
3DESCRIPTION = "Tools to manipulate Squashfs filesystems." 3DESCRIPTION = "Tools to manipulate Squashfs filesystems."
4SECTION = "base" 4SECTION = "base"
5LICENSE = "GPL-2 & PD" 5LICENSE = "GPL-2 & PD"
6FILESEXTRAPATHS_prepend := "${THISDIR}/patches:"
6LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \ 7LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
7 file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \ 8 file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \
8 " 9 "
@@ -12,6 +13,8 @@ PR = "1"
12SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \ 13SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \
13 http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \ 14 http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \
14 " 15 "
16SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \
17 "
15SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852" 18SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"
16SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96" 19SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"
17SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759" 20SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"