diff options
| author | Yue Tao <Yue.Tao@windriver.com> | 2014-04-14 12:41:17 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-05-29 13:43:28 +0100 |
| commit | cd7e7addd7a7b94257d834e705a7ff810932e16b (patch) | |
| tree | c48126d421e2f8604095b2950f155d6c09ec8cbe /meta/recipes-extended | |
| parent | ac9725acc58ddfbf0f612a59614198af5c79b060 (diff) | |
| download | poky-cd7e7addd7a7b94257d834e705a7ff810932e16b.tar.gz | |
Screen: fix for Security Advisory CVE-2009-1214
GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with
world-readable permissions, which might allow local users to obtain
sensitive session information.
(From OE-Core rev: 25a212d0154906e7a05075d015dbc1cfdfabb73a)
(From OE-Core rev: f61238b9431e6470d7e76f8c37c51cebe069514a)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-extended/screen/screen_4.0.3.bb
Diffstat (limited to 'meta/recipes-extended')
| -rw-r--r-- | meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch | 86 | ||||
| -rw-r--r-- | meta/recipes-extended/screen/screen_4.0.3.bb | 1 |
2 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch new file mode 100644 index 0000000000..104fa82dd6 --- /dev/null +++ b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch | |||
| @@ -0,0 +1,86 @@ | |||
| 1 | Upstream-Status: Backport | ||
| 2 | |||
| 3 | The patch to fix CVE-2009-1214 | ||
| 4 | A security flaw was found in the screen utility in the way it used to create | ||
| 5 | one particular temporary file. An attacker could use this flaw to perform | ||
| 6 | a symlink attack. | ||
| 7 | Fix race condition creating temporary file | ||
| 8 | |||
| 9 | Reference: | ||
| 10 | https://bugzilla.redhat.com/show_bug.cgi?id=492104 | ||
| 11 | |||
| 12 | Signed-off-by: Chenyang Guo <chenyang.guo@windriver.com> | ||
| 13 | --- | ||
| 14 | fileio.c | 48 ++++++++++++++++++++++++++++++++---------------- | ||
| 15 | 1 file changed, 32 insertions(+), 16 deletions(-) | ||
| 16 | |||
| 17 | --- a/fileio.c | ||
| 18 | +++ b/fileio.c | ||
| 19 | @@ -414,6 +414,14 @@ int dump; | ||
| 20 | } | ||
| 21 | public = !strcmp(fn, DEFAULT_BUFFERFILE); | ||
| 22 | # ifdef HAVE_LSTAT | ||
| 23 | + /* | ||
| 24 | + * Note: In the time between lstat() and open()/remove() below are | ||
| 25 | + * called, the file can be created/removed/modified. Therefore the | ||
| 26 | + * information lstat() returns is taken into consideration, but not | ||
| 27 | + * relied upon. In particular, the open()/remove() calls can fail, and | ||
| 28 | + * the code must account for that. Symlink attack could be mounted if | ||
| 29 | + * the code is changed carelessly. --rdancer 2009-01-11 | ||
| 30 | + */ | ||
| 31 | exists = !lstat(fn, &stb); | ||
| 32 | if (public && exists && (S_ISLNK(stb.st_mode) || stb.st_nlink > 1)) | ||
| 33 | { | ||
| 34 | @@ -432,28 +440,36 @@ int dump; | ||
| 35 | #ifdef COPY_PASTE | ||
| 36 | if (dump == DUMP_EXCHANGE && public) | ||
| 37 | { | ||
| 38 | + /* | ||
| 39 | + * Setting umask to zero is a bad idea -- the user surely doesn't | ||
| 40 | + * expect a publicly readable file in a publicly readable directory | ||
| 41 | + * --rdancer 2009-01-11 | ||
| 42 | + */ | ||
| 43 | + /* | ||
| 44 | old_umask = umask(0); | ||
| 45 | + */ | ||
| 46 | # ifdef HAVE_LSTAT | ||
| 47 | if (exists) | ||
| 48 | - { | ||
| 49 | - if ((fd = open(fn, O_WRONLY, 0666)) >= 0) | ||
| 50 | - { | ||
| 51 | - if (fstat(fd, &stb2) == 0 && stb.st_dev == stb2.st_dev && stb.st_ino == stb2.st_ino) | ||
| 52 | - ftruncate(fd, 0); | ||
| 53 | - else | ||
| 54 | - { | ||
| 55 | - close(fd); | ||
| 56 | - fd = -1; | ||
| 57 | - } | ||
| 58 | - } | ||
| 59 | - } | ||
| 60 | - else | ||
| 61 | - fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0666); | ||
| 62 | - f = fd >= 0 ? fdopen(fd, mode) : 0; | ||
| 63 | + if (remove(fn) == -1) | ||
| 64 | + { | ||
| 65 | + /* Error */ | ||
| 66 | + debug2("WriteFile: File exists and remove(%s) failed: %s\n", | ||
| 67 | + fn, strerror(errno)); | ||
| 68 | + UserReturn(0); | ||
| 69 | + } | ||
| 70 | # else | ||
| 71 | - f = fopen(fn, mode); | ||
| 72 | + (void) remove(fn); | ||
| 73 | # endif | ||
| 74 | + /* | ||
| 75 | + * No r/w permissions for anybody but the user, as the file may be in | ||
| 76 | + * a public directory -- if the user chooses, they can chmod the file | ||
| 77 | + * afterwards. --rdancer 2008-01-11 | ||
| 78 | + */ | ||
| 79 | + fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0600); | ||
| 80 | + f = fd >= 0 ? fdopen(fd, mode) : 0; | ||
| 81 | + /* | ||
| 82 | umask(old_umask); | ||
| 83 | + */ | ||
| 84 | } | ||
| 85 | else | ||
| 86 | #endif /* COPY_PASTE */ | ||
diff --git a/meta/recipes-extended/screen/screen_4.0.3.bb b/meta/recipes-extended/screen/screen_4.0.3.bb index d83dda03c2..81790987fa 100644 --- a/meta/recipes-extended/screen/screen_4.0.3.bb +++ b/meta/recipes-extended/screen/screen_4.0.3.bb | |||
| @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz;name=tarball \ | |||
| 20 | ${DEBIAN_MIRROR}/main/s/screen/screen_4.0.3-14.diff.gz;name=patch \ | 20 | ${DEBIAN_MIRROR}/main/s/screen/screen_4.0.3-14.diff.gz;name=patch \ |
| 21 | file://configure.patch \ | 21 | file://configure.patch \ |
| 22 | file://fix-parallel-make.patch \ | 22 | file://fix-parallel-make.patch \ |
| 23 | file://screen-4.0.3-CVE-2009-1214.patch \ | ||
| 23 | ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" | 24 | ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" |
| 24 | 25 | ||
| 25 | PAM_SRC_URI = "file://screen.pam" | 26 | PAM_SRC_URI = "file://screen.pam" |