author | Guillem Jover <guillem@debian.org> | 2014-06-17 04:25:51 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-06-17 10:23:53 +0100 |
commit | 4eea29a54a0d632f41b62568681777588a449d09 (patch) | |
tree | a29157f1a16f5ed3542467db6ee2b0d4dc61b989 /meta/recipes-devtools/dpkg/dpkg_1.17.4.bb | |
parent | c44d7b5cdedf5cd32f3223da50909351465a8afe (diff) | |
download | poky-4eea29a54a0d632f41b62568681777588a449d09.tar.gz |
dpkg: Security Advisory - CVE-2014-0471
v2 changes:
* update format for commit log
* add Upstream-Status for patch
commit a82651188476841d190c58693f95827d61959b51 upstream
Dpkg::Source::Patch: Correctly parse C-style diff filenames
We need to strip the surrounding quotes, and unescape any escape
sequence, so that we check the same files that the patch program will
be using, otherwise a malicious package could overpass those checks,
and perform directory traversal attacks on source package unpacking.
Fixes: CVE-2014-0471
Reported-by: Jakub Wilk <jwilk@debian.org>
[drop the text for debian/changelog, because it's not suitable
for the version]
(From OE-Core rev: 81880b34a8261e824c5acafaa4cb321908e554a0)
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
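The parsing step the commit message describes, as an added example in Python (not dpkg's own Perl code from Dpkg::Source::Patch): the filename on a `---`/`+++` header is unquoted and unescaped first, and the traversal check then runs on the decoded name, so that the check and patch(1) agree on which file is meant. The escape set, the helper names and the constructed header line are assumptions.

```python
# Added example, not dpkg code: decode a C-quoted diff filename before checking it.
import posixpath
import re

# Escape set assumed for quoted names: C simple escapes plus octal \NNN.
_SIMPLE = {'\\': '\\', '"': '"', 'n': '\n', 't': '\t', 'r': '\r',
           'a': '\a', 'b': '\b', 'f': '\f', 'v': '\v'}
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"', re.S)   # a quoted name, escapes honoured
_ESCAPE = re.compile(r'\\([0-7]{1,3}|.)', re.S)    # one escape sequence

def unquote_c_string(text):
    """Strip surrounding double quotes and decode C-style escapes."""
    if not (len(text) >= 2 and text[0] == '"' and text[-1] == '"'):
        return text                      # unquoted name: taken literally
    def repl(m):
        esc = m.group(1)
        if esc[0] in '01234567':
            return chr(int(esc, 8))
        if esc in _SIMPLE:
            return _SIMPLE[esc]
        raise ValueError('unknown escape \\%s' % esc)
    return _ESCAPE.sub(repl, text[1:-1])

def parse_header_filename(line):
    """Decoded filename from a '--- name[TAB timestamp]' or '+++' line."""
    if not line.startswith(('--- ', '+++ ')):
        raise ValueError('not a diff file header')
    field = line[4:]
    m = _QUOTED.match(field)             # quoted name ends at its closing quote
    raw = m.group(0) if m else field.split('\t', 1)[0]
    return unquote_c_string(raw)

def naive_is_safe(raw_field):
    """Inadequate check: inspects the raw, still-quoted header text."""
    return '..' not in raw_field.split('\t', 1)[0].split('/')

def is_safe_relative_path(name):
    """Check on the decoded name: relative, and no '..' after normalisation."""
    return not name.startswith('/') and '..' not in posixpath.normpath(name).split('/')

# Constructed header line: the quoted name slips past the naive check because
# its first '/'-separated component is '"..' (quote included) rather than '..'.
HEADER = '+++ "../outside.txt"\t2014-06-17 04:25:51'

if __name__ == '__main__':
    print(naive_is_safe(HEADER[4:]))                             # True (wrongly)
    print(is_safe_relative_path(parse_header_filename(HEADER)))  # False
```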
Diffstat (limited to 'meta/recipes-devtools/dpkg/dpkg_1.17.4.bb')
-rw-r--r-- | meta/recipes-devtools/dpkg/dpkg_1.17.4.bb | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb index 5507352a27..48e13948f0 100644 --- a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb +++ b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb | |||
@@ -12,6 +12,7 @@ SRC_URI += "file://noman.patch \ | |||
12 | file://dpkg-configure.service \ | 12 | file://dpkg-configure.service \ |
13 | file://glibc2.5-sync_file_range.patch \ | 13 | file://glibc2.5-sync_file_range.patch \ |
14 | file://no-vla-warning.patch \ | 14 | file://no-vla-warning.patch \ |
15 | file://dpkg-1.17.4-CVE-2014-0471.patch \ | ||
15 | " | 16 | " |
16 | 17 | ||
17 | SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1" | 18 | SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1" |
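Review bot: the hunk only registers `file://dpkg-1.17.4-CVE-2014-0471.patch` in SRC_URI; the patch file itself is outside this diff (the diffstat is limited to the .bb recipe), so the `Upstream-Status` header and the reference to upstream commit a82651188476841d190c58693f95827d61959b51 that the v2 change log promises cannot be confirmed from these lines and should be checked in the patch header before merging. The placement of the new entry (before the closing `"`, with the same trailing `\` continuation as the surrounding `file://` lines) is consistent with the recipe's style.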