summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorChee Yang Lee <chee.yang.lee@intel.com>2020-03-23 15:20:35 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-03-24 16:39:40 +0000
commite4b609e5c161d4a11fef35dd490e5f9a5fb2f42c (patch)
tree5754bc3186d90395c436fd19df20acbd288d1dea /meta/recipes-devtools
parent60f199d4a23d888b1aecd62f70f11e8b5844d5c8 (diff)
downloadpoky-e4b609e5c161d4a11fef35dd490e5f9a5fb2f42c.tar.gz
qemu/slirp: fix CVE-2020-7211
fix CVE-2020-7211 for qemu slirp submodule see : https://www.openwall.com/lists/oss-security/2020/01/17/2 https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 (From OE-Core rev: 31362d739834377ac4ab880029c3e3dda0cd7698) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch46
2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 7cf436783d..f62220a51d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
34 file://CVE-2020-7039-2.patch \ 34 file://CVE-2020-7039-2.patch \
35 file://CVE-2020-7039-3.patch \ 35 file://CVE-2020-7039-3.patch \
36 file://0001-Add-enable-disable-udev.patch \ 36 file://0001-Add-enable-disable-udev.patch \
37 file://CVE-2020-7211.patch \
37 " 38 "
38UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 39UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
39 40
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
new file mode 100644
index 0000000000..11be4c92e7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
@@ -0,0 +1,46 @@
1From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Mon, 13 Jan 2020 17:44:31 +0530
4Subject: [PATCH] slirp: tftp: restrict relative path access
5
6tftp restricts relative or directory path access on Linux systems.
7Apply same restrictions on Windows systems too. It helps to avoid
8directory traversal issue.
9
10Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
11Reported-by: Peter Maydell <peter.maydell@linaro.org>
12Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
13Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
14Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
15
16Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4.patch]
17CVE: CVE-2020-7211
18Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
19
20---
21 slirp/src/tftp.c | 9 +++++++--
22 1 file changed, 7 insertions(+), 2 deletions(-)
23
24diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
25index 093c2e0..e52e71b 100644
26--- a/slirp/src/tftp.c
27+++ b/slirp/src/tftp.c
28@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
29 k += 6; /* skipping octet */
30
31 /* do sanity checks on the filename */
32- if (!strncmp(req_fname, "../", 3) ||
33- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
34+ if (
35+#ifdef G_OS_WIN32
36+ strstr(req_fname, "..\\") ||
37+ req_fname[strlen(req_fname) - 1] == '\\' ||
38+#endif
39+ strstr(req_fname, "../") ||
40+ req_fname[strlen(req_fname) - 1] == '/') {
41 tftp_send_error(spt, 2, "Access violation", tp);
42 return;
43 }
44--
452.24.1
46