diff options
author | Yue Tao <Yue.Tao@windriver.com> | 2014-04-14 12:41:17 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-05-21 09:08:59 +0100 |
commit | 27aba0a8d91a67e85f6c8ab44e41ff4205224505 (patch) | |
tree | cc3c14b547abd7216b168f6ce1303ae9c7b09c11 | |
parent | 901a28b66176a63b1b3bb2a1f65fa0bc12f712c9 (diff) | |
download | poky-27aba0a8d91a67e85f6c8ab44e41ff4205224505.tar.gz |
Screen: fix for Security Advisory CVE-2009-1214
GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with
world-readable permissions, which might allow local users to obtain
sensitive session information.
(From OE-Core rev: 25a212d0154906e7a05075d015dbc1cfdfabb73a)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch | 86 | ||||
-rw-r--r-- | meta/recipes-extended/screen/screen_4.0.3.bb | 1 |
2 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch new file mode 100644 index 0000000000..104fa82dd6 --- /dev/null +++ b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch | |||
@@ -0,0 +1,86 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | The patch to fix CVE-2009-1214 | ||
4 | A security flaw was found in the screen utility in the way it used to create | ||
5 | one particular temporary file. An attacker could use this flaw to perform | ||
6 | a symlink attack. | ||
7 | Fix race condition creating temporary file | ||
8 | |||
9 | Reference: | ||
10 | https://bugzilla.redhat.com/show_bug.cgi?id=492104 | ||
11 | |||
12 | Signed-off-by: Chenyang Guo <chenyang.guo@windriver.com> | ||
13 | --- | ||
14 | fileio.c | 48 ++++++++++++++++++++++++++++++++---------------- | ||
15 | 1 file changed, 32 insertions(+), 16 deletions(-) | ||
16 | |||
17 | --- a/fileio.c | ||
18 | +++ b/fileio.c | ||
19 | @@ -414,6 +414,14 @@ int dump; | ||
20 | } | ||
21 | public = !strcmp(fn, DEFAULT_BUFFERFILE); | ||
22 | # ifdef HAVE_LSTAT | ||
23 | + /* | ||
24 | + * Note: In the time between lstat() and open()/remove() below are | ||
25 | + * called, the file can be created/removed/modified. Therefore the | ||
26 | + * information lstat() returns is taken into consideration, but not | ||
27 | + * relied upon. In particular, the open()/remove() calls can fail, and | ||
28 | + * the code must account for that. Symlink attack could be mounted if | ||
29 | + * the code is changed carelessly. --rdancer 2009-01-11 | ||
30 | + */ | ||
31 | exists = !lstat(fn, &stb); | ||
32 | if (public && exists && (S_ISLNK(stb.st_mode) || stb.st_nlink > 1)) | ||
33 | { | ||
34 | @@ -432,28 +440,36 @@ int dump; | ||
35 | #ifdef COPY_PASTE | ||
36 | if (dump == DUMP_EXCHANGE && public) | ||
37 | { | ||
38 | + /* | ||
39 | + * Setting umask to zero is a bad idea -- the user surely doesn't | ||
40 | + * expect a publicly readable file in a publicly readable directory | ||
41 | + * --rdancer 2009-01-11 | ||
42 | + */ | ||
43 | + /* | ||
44 | old_umask = umask(0); | ||
45 | + */ | ||
46 | # ifdef HAVE_LSTAT | ||
47 | if (exists) | ||
48 | - { | ||
49 | - if ((fd = open(fn, O_WRONLY, 0666)) >= 0) | ||
50 | - { | ||
51 | - if (fstat(fd, &stb2) == 0 && stb.st_dev == stb2.st_dev && stb.st_ino == stb2.st_ino) | ||
52 | - ftruncate(fd, 0); | ||
53 | - else | ||
54 | - { | ||
55 | - close(fd); | ||
56 | - fd = -1; | ||
57 | - } | ||
58 | - } | ||
59 | - } | ||
60 | - else | ||
61 | - fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0666); | ||
62 | - f = fd >= 0 ? fdopen(fd, mode) : 0; | ||
63 | + if (remove(fn) == -1) | ||
64 | + { | ||
65 | + /* Error */ | ||
66 | + debug2("WriteFile: File exists and remove(%s) failed: %s\n", | ||
67 | + fn, strerror(errno)); | ||
68 | + UserReturn(0); | ||
69 | + } | ||
70 | # else | ||
71 | - f = fopen(fn, mode); | ||
72 | + (void) remove(fn); | ||
73 | # endif | ||
74 | + /* | ||
75 | + * No r/w permissions for anybody but the user, as the file may be in | ||
76 | + * a public directory -- if the user chooses, they can chmod the file | ||
77 | + * afterwards. --rdancer 2008-01-11 | ||
78 | + */ | ||
79 | + fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0600); | ||
80 | + f = fd >= 0 ? fdopen(fd, mode) : 0; | ||
81 | + /* | ||
82 | umask(old_umask); | ||
83 | + */ | ||
84 | } | ||
85 | else | ||
86 | #endif /* COPY_PASTE */ | ||
diff --git a/meta/recipes-extended/screen/screen_4.0.3.bb b/meta/recipes-extended/screen/screen_4.0.3.bb index 5850560fe4..a0aa15c0d3 100644 --- a/meta/recipes-extended/screen/screen_4.0.3.bb +++ b/meta/recipes-extended/screen/screen_4.0.3.bb | |||
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz;name=tarball \ | |||
20 | ${DEBIAN_MIRROR}/main/s/screen/screen_4.0.3-14.diff.gz;name=patch \ | 20 | ${DEBIAN_MIRROR}/main/s/screen/screen_4.0.3-14.diff.gz;name=patch \ |
21 | file://configure.patch \ | 21 | file://configure.patch \ |
22 | file://fix-parallel-make.patch \ | 22 | file://fix-parallel-make.patch \ |
23 | file://screen-4.0.3-CVE-2009-1214.patch \ | ||
23 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" | 24 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" |
24 | 25 | ||
25 | PAM_SRC_URI = "file://screen.pam" | 26 | PAM_SRC_URI = "file://screen.pam" |