Screen: fix for Security Advisory CVE-2009-1214

GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with world-readable permissions, which might allow local users to obtain sensitive session information. (From OE-Core rev: 25a212d0154906e7a05075d015dbc1cfdfabb73a) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yue Tao <Yue.Tao@windriver.com> 2014-04-14 12:41:17 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-05-21 09:08:59 +0100
commit: 27aba0a8d91a67e85f6c8ab44e41ff4205224505 (patch)
tree: cc3c14b547abd7216b168f6ce1303ae9c7b09c11 /meta/recipes-extended/screen
parent: 901a28b66176a63b1b3bb2a1f65fa0bc12f712c9 (diff)
download: poky-27aba0a8d91a67e85f6c8ab44e41ff4205224505.tar.gz
2 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch
new file mode 100644
index 0000000000..104fa82dd6
--- /dev/null
+++ b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch
@@ -0,0 +1,86 @@
+Upstream-Status: Backport
+The patch to fix CVE-2009-1214
+A security flaw was found in the screen utility in the way it used to create
+one particular temporary file. An attacker could use this flaw to perform
+a symlink attack. 
+Fix race condition creating temporary file
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=492104
+Signed-off-by: Chenyang Guo <chenyang.guo@windriver.com>
+---
+ fileio.c |   48 ++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 32 insertions(+), 16 deletions(-)
+--- a/fileio.c
+++ b/fileio.c
+@@ -414,6 +414,14 @@ int dump;
+        }
+       public = !strcmp(fn, DEFAULT_BUFFERFILE);
+ # ifdef HAVE_LSTAT
+      /*
+       * Note: In the time between lstat() and open()/remove() below are
+       * called, the file can be created/removed/modified.  Therefore the
+       * information lstat() returns is taken into consideration, but not
+       * relied upon.  In particular, the open()/remove() calls can fail, and
+       * the code must account for that.  Symlink attack could be mounted if
+       * the code is changed carelessly.  --rdancer 2009-01-11
+       */
+       exists = !lstat(fn, &stb);
+       if (public && exists && (S_ISLNK(stb.st_mode) || stb.st_nlink > 1))
+        {
+@@ -432,28 +440,36 @@ int dump;
+ #ifdef COPY_PASTE
+       if (dump == DUMP_EXCHANGE && public)
+        {
+         /*
+          * Setting umask to zero is a bad idea -- the user surely doesn't
+          * expect a publicly readable file in a publicly readable directory 
+          * --rdancer 2009-01-11
+          */
+         /*
+           old_umask = umask(0);
+          */
+ # ifdef HAVE_LSTAT
+          if (exists)
+-           {
+-             if ((fd = open(fn, O_WRONLY, 0666)) >= 0)
+-               {
+-                 if (fstat(fd, &stb2) == 0 && stb.st_dev == stb2.st_dev && stb.st_ino == stb2.st_ino)
+-                   ftruncate(fd, 0);
+-                 else
+-                   {
+-                     close(fd);
+-                     fd = -1;
+-                   }
+-               }
+-           }
+-         else
+-           fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0666);
+-         f = fd >= 0 ? fdopen(fd, mode) : 0;
+             if (remove(fn) == -1)
+               {
+                 /* Error */
+                 debug2("WriteFile: File exists and remove(%s) failed: %s\n",
+                         fn, strerror(errno));
+                 UserReturn(0);
+               }
+ # else
+-          f = fopen(fn, mode);
+         (void) remove(fn);
+ # endif
+         /*
+          * No r/w permissions for anybody but the user, as the file may be in
+          * a public directory -- if the user chooses, they can chmod the file
+          * afterwards. --rdancer 2008-01-11
+          */
+         fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0600);
+         f = fd >= 0 ? fdopen(fd, mode) : 0;
+         /*
+           umask(old_umask);
+          */
+        }
+       else
+ #endif /* COPY_PASTE */
diff --git a/meta/recipes-extended/screen/screen_4.0.3.bb b/meta/recipes-extended/screen/screen_4.0.3.bb
index 5850560fe4..a0aa15c0d3 100644
--- a/meta/recipes-extended/screen/screen_4.0.3.bb
+++ b/meta/recipes-extended/screen/screen_4.0.3.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz;name=tarball \
           ${DEBIAN_MIRROR}/main/s/screen/screen_4.0.3-14.diff.gz;name=patch \
           file://configure.patch \
           file://fix-parallel-make.patch \
+           file://screen-4.0.3-CVE-2009-1214.patch \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
 PAM_SRC_URI = "file://screen.pam"
author	Yue Tao <Yue.Tao@windriver.com>	2014-04-14 12:41:17 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-05-21 09:08:59 +0100
commit	27aba0a8d91a67e85f6c8ab44e41ff4205224505 (patch)
tree	cc3c14b547abd7216b168f6ce1303ae9c7b09c11 /meta/recipes-extended/screen
parent	901a28b66176a63b1b3bb2a1f65fa0bc12f712c9 (diff)
download	poky-27aba0a8d91a67e85f6c8ab44e41ff4205224505.tar.gz

diff --git a/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch new file mode 100644 index 0000000000..104fa82dd6 --- /dev/null +++ b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch
@@ -0,0 +1,86 @@
		1	Upstream-Status: Backport
		2
		3	The patch to fix CVE-2009-1214
		4	A security flaw was found in the screen utility in the way it used to create
		5	one particular temporary file. An attacker could use this flaw to perform
		6	a symlink attack.
		7	Fix race condition creating temporary file
		8
		9	Reference:
		10	https://bugzilla.redhat.com/show_bug.cgi?id=492104
		11
		12	Signed-off-by: Chenyang Guo <chenyang.guo@windriver.com>
		13	---
		14	fileio.c \| 48 ++++++++++++++++++++++++++++++++----------------
		15	1 file changed, 32 insertions(+), 16 deletions(-)
		16
		17	--- a/fileio.c
		18	+++ b/fileio.c
		19	@@ -414,6 +414,14 @@ int dump;
		20	}
		21	public = !strcmp(fn, DEFAULT_BUFFERFILE);
		22	# ifdef HAVE_LSTAT
		23	+ /*
		24	+ * Note: In the time between lstat() and open()/remove() below are
		25	+ * called, the file can be created/removed/modified. Therefore the
		26	+ * information lstat() returns is taken into consideration, but not
		27	+ * relied upon. In particular, the open()/remove() calls can fail, and
		28	+ * the code must account for that. Symlink attack could be mounted if
		29	+ * the code is changed carelessly. --rdancer 2009-01-11
		30	+ */
		31	exists = !lstat(fn, &stb);
		32	if (public && exists && (S_ISLNK(stb.st_mode) \|\| stb.st_nlink > 1))
		33	{
		34	@@ -432,28 +440,36 @@ int dump;
		35	#ifdef COPY_PASTE
		36	if (dump == DUMP_EXCHANGE && public)
		37	{
		38	+ /*
		39	+ * Setting umask to zero is a bad idea -- the user surely doesn't
		40	+ * expect a publicly readable file in a publicly readable directory
		41	+ * --rdancer 2009-01-11
		42	+ */
		43	+ /*
		44	old_umask = umask(0);
		45	+ */
		46	# ifdef HAVE_LSTAT
		47	if (exists)
		48	- {
		49	- if ((fd = open(fn, O_WRONLY, 0666)) >= 0)
		50	- {
		51	- if (fstat(fd, &stb2) == 0 && stb.st_dev == stb2.st_dev && stb.st_ino == stb2.st_ino)
		52	- ftruncate(fd, 0);
		53	- else
		54	- {
		55	- close(fd);
		56	- fd = -1;
		57	- }
		58	- }
		59	- }
		60	- else
		61	- fd = open(fn, O_WRONLY\|O_CREAT\|O_EXCL, 0666);
		62	- f = fd >= 0 ? fdopen(fd, mode) : 0;
		63	+ if (remove(fn) == -1)
		64	+ {
		65	+ /* Error */
		66	+ debug2("WriteFile: File exists and remove(%s) failed: %s\n",
		67	+ fn, strerror(errno));
		68	+ UserReturn(0);
		69	+ }
		70	# else
		71	- f = fopen(fn, mode);
		72	+ (void) remove(fn);
		73	# endif
		74	+ /*
		75	+ * No r/w permissions for anybody but the user, as the file may be in
		76	+ * a public directory -- if the user chooses, they can chmod the file
		77	+ * afterwards. --rdancer 2008-01-11
		78	+ */
		79	+ fd = open(fn, O_WRONLY\|O_CREAT\|O_EXCL, 0600);
		80	+ f = fd >= 0 ? fdopen(fd, mode) : 0;
		81	+ /*
		82	umask(old_umask);
		83	+ */
		84	}
		85	else
		86	#endif /* COPY_PASTE */


diff --git a/meta/recipes-extended/screen/screen_4.0.3.bb b/meta/recipes-extended/screen/screen_4.0.3.bb index 5850560fe4..a0aa15c0d3 100644 --- a/meta/recipes-extended/screen/screen_4.0.3.bb +++ b/meta/recipes-extended/screen/screen_4.0.3.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz;name=tarball \
20	${DEBIAN_MIRROR}/main/s/screen/screen_4.0.3-14.diff.gz;name=patch \	20	${DEBIAN_MIRROR}/main/s/screen/screen_4.0.3-14.diff.gz;name=patch \
21	file://configure.patch \	21	file://configure.patch \
22	file://fix-parallel-make.patch \	22	file://fix-parallel-make.patch \
		23	file://screen-4.0.3-CVE-2009-1214.patch \
23	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"	24	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
24		25
25	PAM_SRC_URI = "file://screen.pam"	26	PAM_SRC_URI = "file://screen.pam"