squashfs: fix for CVE-2012-4024

Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p= squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123 Fix potential stack overflow in get_component() where an individual pathname component in an extract file (specified on the command line or in an extract file) could exceed the 1024 byte sized targname allocated on the stack. Fix by dynamically allocating targname rather than storing it as a fixed size on the stack. [YOCTO #3513] Fixes denzil [YOCTO #3520] (From OE-Core rev: d35560f33f257bd12a07c7c0be770319086d6ad9) Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: yanjun.zhu <yanjun.zhu@windriver.com> 2012-11-30 19:41:23 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2012-12-07 15:58:20 +0000
commit: a6f0dcbe7d8149865896d8917d4962da95f491ba (patch)
tree: ff5f02d572d0c1c7eea4f93bf78dc0476bbcb4b3 /meta/recipes-devtools
parent: cf796f8908985b9eb7adb35f4a93850130c781bc (diff)
download: poky-a6f0dcbe7d8149865896d8917d4962da95f491ba.tar.gz
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
new file mode 100644
index 0000000000..8b9904fd56
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -0,0 +1,72 @@
+Upstream-Status: Backport
+Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
+squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
+Fix potential stack overflow in get_component() where an individual
+pathname component in an extract file (specified on the command line
+or in an extract file) could exceed the 1024 byte sized targname
+allocated on the stack.
+Fix by dynamically allocating targname rather than storing it as
+a fixed size on the stack.
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+diff -urpN a/unsquashfs.c b/unsquashfs.c
+--- a/unsquashfs.c      2012-11-29 17:04:08.000000000 +0800
+++ b/unsquashfs.c      2012-11-29 17:04:25.000000000 +0800
+@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
+ }
+ 
+ 
+-char *get_component(char *target, char *targname)
+char *get_component(char *target, char **targname)
+ {
+       char *start;
+
+        while(*target == '/')
+                target ++;
+ 
+       start = target;
+        while(*target != '/' && *target!= '\0')
+-               *targname ++ = *target ++;
+               target ++;
+ 
+-       *targname = '\0';
+       *targname = strndup(start, target - start);
+ 
+        return target;
+ }
+@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
+ 
+ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+ {
+-       char targname[1024];
+       char *targname;
+        int i, error;
+ 
+        TRACE("add_path: adding \"%s\" extract file\n", target);
+ 
+-       target = get_component(target, targname);
+       target = get_component(target, &targname);
+ 
+        if(paths == NULL) {
+                paths = malloc(sizeof(struct pathname));
+@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
+                        sizeof(struct path_entry));
+                if(paths->name == NULL)
+                        EXIT_UNSQUASH("Out of memory in add_path\n");   
+-               paths->name[i].name = strdup(targname);
+               paths->name[i].name = targname;
+                paths->name[i].paths = NULL;
+                if(use_regex) {
+                        paths->name[i].preg = malloc(sizeof(regex_t));
+@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
+                /*
+                 * existing matching entry
+                 */
+               free(targname);
+
+                if(paths->name[i].paths == NULL) {
+                        /*
+                         * No sub-directory which means this is the leaf
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
index c54081be9f..9922f1ef51 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
@@ -3,6 +3,7 @@
 DESCRIPTION = "Tools to manipulate Squashfs filesystems."
 SECTION = "base"
 LICENSE = "GPL-2 & PD"
+FILESEXTRAPATHS_prepend := "${THISDIR}/patches:"
 LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
                    file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \
                   "
@@ -12,6 +13,8 @@ PR = "1"
 SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \
           http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \
          "
+SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \
+           " 
 SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"
 SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"
 SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"
author	yanjun.zhu <yanjun.zhu@windriver.com>	2012-11-30 19:41:23 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2012-12-07 15:58:20 +0000
commit	a6f0dcbe7d8149865896d8917d4962da95f491ba (patch)
tree	ff5f02d572d0c1c7eea4f93bf78dc0476bbcb4b3 /meta/recipes-devtools
parent	cf796f8908985b9eb7adb35f4a93850130c781bc (diff)
download	poky-a6f0dcbe7d8149865896d8917d4962da95f491ba.tar.gz

diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch new file mode 100644 index 0000000000..8b9904fd56 --- /dev/null +++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -0,0 +1,72 @@
		1	Upstream-Status: Backport
		2
		3	Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
		4	squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
		5
		6	Fix potential stack overflow in get_component() where an individual
		7	pathname component in an extract file (specified on the command line
		8	or in an extract file) could exceed the 1024 byte sized targname
		9	allocated on the stack.
		10
		11	Fix by dynamically allocating targname rather than storing it as
		12	a fixed size on the stack.
		13
		14	Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
		15	diff -urpN a/unsquashfs.c b/unsquashfs.c
		16	--- a/unsquashfs.c 2012-11-29 17:04:08.000000000 +0800
		17	+++ b/unsquashfs.c 2012-11-29 17:04:25.000000000 +0800
		18	@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
		19	}
		20
		21
		22	-char get_component(char target, char *targname)
		23	+char get_component(char target, char **targname)
		24	{
		25	+ char *start;
		26	+
		27	while(*target == '/')
		28	target ++;
		29
		30	+ start = target;
		31	while(target != '/' && target!= '\0')
		32	- targname ++ = target ++;
		33	+ target ++;
		34
		35	- *targname = '\0';
		36	+ *targname = strndup(start, target - start);
		37
		38	return target;
		39	}
		40	@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
		41
		42	struct pathname add_path(struct pathname paths, char target, char alltarget)
		43	{
		44	- char targname[1024];
		45	+ char *targname;
		46	int i, error;
		47
		48	TRACE("add_path: adding \"%s\" extract file\n", target);
		49
		50	- target = get_component(target, targname);
		51	+ target = get_component(target, &targname);
		52
		53	if(paths == NULL) {
		54	paths = malloc(sizeof(struct pathname));
		55	@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
		56	sizeof(struct path_entry));
		57	if(paths->name == NULL)
		58	EXIT_UNSQUASH("Out of memory in add_path\n");
		59	- paths->name[i].name = strdup(targname);
		60	+ paths->name[i].name = targname;
		61	paths->name[i].paths = NULL;
		62	if(use_regex) {
		63	paths->name[i].preg = malloc(sizeof(regex_t));
		64	@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
		65	/*
		66	* existing matching entry
		67	*/
		68	+ free(targname);
		69	+
		70	if(paths->name[i].paths == NULL) {
		71	/*
		72	* No sub-directory which means this is the leaf


diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb index c54081be9f..9922f1ef51 100644 --- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb +++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
@@ -3,6 +3,7 @@
3	DESCRIPTION = "Tools to manipulate Squashfs filesystems."	3	DESCRIPTION = "Tools to manipulate Squashfs filesystems."
4	SECTION = "base"	4	SECTION = "base"
5	LICENSE = "GPL-2 & PD"	5	LICENSE = "GPL-2 & PD"
		6	FILESEXTRAPATHS_prepend := "${THISDIR}/patches:"
6	LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \	7	LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
7	file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \	8	file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \
8	"	9	"
@@ -12,6 +13,8 @@ PR = "1"
12	SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \	13	SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \
13	http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \	14	http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \
14	"	15	"
		16	SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \
		17	"
15	SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"	18	SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"
16	SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"	19	SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"
17	SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"	20	SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"