diff options
| author | Armin Kuster <akuster@mvista.com> | 2019-05-29 11:14:38 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-27 18:05:18 +0100 |
| commit | f2961d88af7fa7345f40b1dc3b0edc926c5a2304 (patch) | |
| tree | 60f354217ea7bdffa7cc9678ab64f65561408908 /meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch | |
| parent | cd7f7bf38584be1df287e77e78bbdf659a07c385 (diff) | |
| download | poky-f2961d88af7fa7345f40b1dc3b0edc926c5a2304.tar.gz | |
qemu: Several CVE fixes
Source: qemu.org
MR: 97258, 97342, 97438, 97443
Type: Security Fix
Disposition: Backport from git.qemu.org/qemu.git
ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5
Description:
These issues affect qemu < 3.1.0
Fixes:
CVE-2018-16867
CVE-2018-16872
CVE-2018-18849
CVE-2018-19364
(From OE-Core rev: e3dfe53a334cd952cc2194fd3baad6d082659b7e)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch new file mode 100644 index 0000000000..644459e5af --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | From 61f87388af0af72ad61dee00ddd267b8047049f2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
| 3 | Date: Mon, 3 Dec 2018 11:10:45 +0100 | ||
| 4 | Subject: [PATCH] usb-mtp: outlaw slashes in filenames | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | Slash is unix directory separator, so they are not allowed in filenames. | ||
| 10 | Note this also stops the classic escape via "../". | ||
| 11 | |||
| 12 | Fixes: CVE-2018-16867 | ||
| 13 | Reported-by: Michael Hanselmann <public@hansmi.ch> | ||
| 14 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
| 15 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
| 16 | Message-id: 20181203101045.27976-3-kraxel@redhat.com | ||
| 17 | (cherry picked from commit c52d46e041b42bb1ee6f692e00a0abe37a9659f6) | ||
| 18 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
| 19 | |||
| 20 | Upstream-Status: Backport | ||
| 21 | CVE: CVE-2018-16867 | ||
| 22 | Affects: < 3.1.0 | ||
| 23 | |||
| 24 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 25 | |||
| 26 | --- | ||
| 27 | hw/usb/dev-mtp.c | 6 ++++++ | ||
| 28 | 1 file changed, 6 insertions(+) | ||
| 29 | |||
| 30 | diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c | ||
| 31 | index 1ded7ac..899c8a3 100644 | ||
| 32 | --- a/hw/usb/dev-mtp.c | ||
| 33 | +++ b/hw/usb/dev-mtp.c | ||
| 34 | @@ -1667,6 +1667,12 @@ static void usb_mtp_write_metadata(MTPState *s) | ||
| 35 | |||
| 36 | utf16_to_str(dataset->length, dataset->filename, filename); | ||
| 37 | |||
| 38 | + if (strchr(filename, '/')) { | ||
| 39 | + usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, | ||
| 40 | + 0, 0, 0, 0); | ||
| 41 | + return; | ||
| 42 | + } | ||
| 43 | + | ||
| 44 | o = usb_mtp_object_lookup_name(p, filename, dataset->length); | ||
| 45 | if (o != NULL) { | ||
| 46 | next_handle = o->handle; | ||
| 47 | -- | ||
| 48 | 2.7.4 | ||
| 49 | |||