summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorGuillem Jover <guillem@debian.org>2014-06-17 04:25:51 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-06-17 10:23:53 +0100
commit4eea29a54a0d632f41b62568681777588a449d09 (patch)
treea29157f1a16f5ed3542467db6ee2b0d4dc61b989 /meta
parentc44d7b5cdedf5cd32f3223da50909351465a8afe (diff)
downloadpoky-4eea29a54a0d632f41b62568681777588a449d09.tar.gz
dpkg: Security Advisory - CVE-2014-0471
v2 changes: * update format for commit log * add Upstream-Status for patch commit a82651188476841d190c58693f95827d61959b51 upstream Dkpkg::Source::Patch: Correctly parse C-style diff filenames We need to strip the surrounding quotes, and unescape any escape sequence, so that we check the same files that the patch program will be using, otherwise a malicious package could overpass those checks, and perform directory traversal attacks on source package unpacking. Fixes: CVE-2014-0471 Reported-by: Jakub Wilk <jwilk@debian.org> [drop the text for debian/changelog,because it's not suitable for the veriosn] (From OE-Core rev: 81880b34a8261e824c5acafaa4cb321908e554a0) Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch97
-rw-r--r--meta/recipes-devtools/dpkg/dpkg_1.17.4.bb1
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch
new file mode 100644
index 0000000000..195d309506
--- /dev/null
+++ b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch
@@ -0,0 +1,97 @@
1dpkg: Security Advisory - CVE-2014-0471
2
3commit a82651188476841d190c58693f95827d61959b51 upstream
4
5Directory traversal vulnerability in the unpacking functionality in
6dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8
7allows remote attackers to write arbitrary files via a crafted source
8package, related to "C-style filename quoting."
9
10Upstream-Status: Backport
11
12Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
13Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
14===================================================
15diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm
16--- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm 2014-06-05 15:24:07.422446284 +0800
17+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm 2014-06-05 15:41:37.746446314 +0800
18@@ -324,14 +324,53 @@
19 return $line;
20 }
21
22-# Strip timestamp
23-sub _strip_ts {
24- my $header = shift;
25-
26- # Tab is the official separator, it's always used when
27- # filename contain spaces. Try it first, otherwise strip on space
28- # if there's no tab
29- $header =~ s/\s.*// unless ($header =~ s/\t.*//);
30+my %ESCAPE = ((
31+ 'a' => "\a",
32+ 'b' => "\b",
33+ 'f' => "\f",
34+ 'n' => "\n",
35+ 'r' => "\r",
36+ 't' => "\t",
37+ 'v' => "\cK",
38+ '\\' => '\\',
39+ '"' => '"',
40+), (
41+ map { sprintf('%03o', $_) => chr($_) } (0..255)
42+));
43+
44+sub _unescape {
45+ my ($diff, $str) = @_;
46+
47+ if (exists $ESCAPE{$str}) {
48+ return $ESCAPE{$str};
49+ } else {
50+ error(_g('diff %s patches file with unknown escape sequence \\%s'),
51+ $diff, $str);
52+ }
53+}
54+
55+# Fetch the header filename ignoring the optional timestamp
56+sub _fetch_filename {
57+ my ($diff, $header) = @_;
58+
59+ # Strip any leading spaces.
60+ $header =~ s/^\s+//;
61+
62+ # Is it a C-style string?
63+ if ($header =~ m/^"/) {
64+ $header =~ m/^"((?:[^\\"]|\\.)*)"/;
65+ error(_g('diff %s patches file with unbalanced quote'), $diff)
66+ unless defined $1;
67+
68+ $header = $1;
69+ $header =~ s/\\([0-3][0-7]{2}|.)/_unescape($diff, $1)/eg;
70+ } else {
71+ # Tab is the official separator, it's always used when
72+ # filename contain spaces. Try it first, otherwise strip on space
73+ # if there's no tab
74+ $header =~ s/\s.*// unless $header =~ s/\t.*//;
75+ }
76+
77 return $header;
78 }
79
80@@ -400,7 +439,7 @@
81 unless(s/^--- //) {
82 error(_g("expected ^--- in line %d of diff `%s'"), $., $diff);
83 }
84- $path{old} = $_ = _strip_ts($_);
85+ $path{old} = $_ = _fetch_filename($diff, $_);
86 $fn{old} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/};
87 if (/\.dpkg-orig$/) {
88 error(_g("diff `%s' patches file with name ending .dpkg-orig"), $diff);
89@@ -412,7 +451,7 @@
90 unless (s/^\+\+\+ //) {
91 error(_g("line after --- isn't as expected in diff `%s' (line %d)"), $diff, $.);
92 }
93- $path{new} = $_ = _strip_ts($_);
94+ $path{new} = $_ = _fetch_filename($diff, $_);
95 $fn{new} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/};
96
97 unless (defined $fn{old} or defined $fn{new}) {
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
index 5507352a27..48e13948f0 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://noman.patch \
12 file://dpkg-configure.service \ 12 file://dpkg-configure.service \
13 file://glibc2.5-sync_file_range.patch \ 13 file://glibc2.5-sync_file_range.patch \
14 file://no-vla-warning.patch \ 14 file://no-vla-warning.patch \
15 file://dpkg-1.17.4-CVE-2014-0471.patch \
15 " 16 "
16 17
17SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1" 18SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1"