author | Minjae Kim <flowergom@gmail.com> | 2021-03-03 20:53:07 +0900 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-03-10 00:22:50 +0000 |
commit | 2e58b9e3960948695eb5e9556e1da10d47442f6a (patch) | |
tree | bc50bae1582f78a929646578c12470ff813e55f3 /meta | |
parent | f7e5b0002559b093fc2299faf86f4b2d6144cce8 (diff) | |
download | poky-2e58b9e3960948695eb5e9556e1da10d47442f6a.tar.gz |
librepo: fix CVE-2020-14352
librepo: missing path validation in repomd.xml may lead to directory traversal
Upstream-Status: Accepted [https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600]
CVE: CVE-2020-14352
(From OE-Core rev: f0df1ff1de6ca9a239d7eafd335b753d6a6e6471)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch | 55 | ||||
-rw-r--r-- | meta/recipes-devtools/librepo/librepo_1.11.2.bb | 1 |
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch b/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch new file mode 100644 index 0000000000..8f4c5b73bc --- /dev/null +++ b/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 6027d68337b537bf9a68cf810cf9b8e40dac22f8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jaroslav Rohel <jrohel@redhat.com> | ||
3 | Date: Wed, 12 Aug 2020 08:35:28 +0200 | ||
4 | Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639) | ||
5 | |||
6 | = changelog = | ||
7 | msg: Validate path read from repomd.xml | ||
8 | type: security | ||
9 | resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639 | ||
10 | |||
11 | Upstream-Status: Acepted [https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600] | ||
12 | CVE: CVE-2020-14352 | ||
13 | Signed-off-by: Minjae Kim <flowergom@gmail.com> | ||
14 | --- | ||
15 | librepo/yum.c | 17 +++++++++++++++++ | ||
16 | 1 file changed, 17 insertions(+) | ||
17 | |||
18 | diff --git a/librepo/yum.c b/librepo/yum.c | ||
19 | index 3059188..529257b 100644 | ||
20 | --- a/librepo/yum.c | ||
21 | +++ b/librepo/yum.c | ||
22 | @@ -23,6 +23,7 @@ | ||
23 | #define BITS_IN_BYTE 8 | ||
24 | |||
25 | #include <stdio.h> | ||
26 | +#include <libgen.h> | ||
27 | #include <assert.h> | ||
28 | #include <stdlib.h> | ||
29 | #include <errno.h> | ||
30 | @@ -770,6 +771,22 @@ prepare_repo_download_targets(LrHandle *handle, | ||
31 | continue; | ||
32 | |||
33 | char *location_href = record->location_href; | ||
34 | + | ||
35 | + char *dest_dir = realpath(handle->destdir, NULL); | ||
36 | + path = lr_pathconcat(handle->destdir, record->location_href, NULL); | ||
37 | + char *requested_dir = realpath(dirname(path), NULL); | ||
38 | + lr_free(path); | ||
39 | + if (!g_str_has_prefix(requested_dir, dest_dir)) { | ||
40 | + g_debug("%s: Invalid path: %s", __func__, location_href); | ||
41 | + g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href); | ||
42 | + g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free); | ||
43 | + free(requested_dir); | ||
44 | + free(dest_dir); | ||
45 | + return FALSE; | ||
46 | + } | ||
47 | + free(requested_dir); | ||
48 | + free(dest_dir); | ||
49 | + | ||
50 | gboolean is_zchunk = FALSE; | ||
51 | #ifdef WITH_ZCHUNK | ||
52 | if (handle->cachedir && record->header_checksum) | ||
53 | -- | ||
54 | 2.17.1 | ||
55 | |||
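Review bot: The containment check at the new `if (!g_str_has_prefix(requested_dir, dest_dir))` line is a plain string-prefix test, so a resolved directory that merely shares dest_dir as a name prefix (a sibling such as `<destdir>-other`) is accepted as if it were inside dest_dir; the check should also require that the character following the prefix is `/` or the end of the string. Both `realpath()` calls can return NULL (for instance when the directory does not yet exist), and as far as I can tell that NULL then reaches `g_str_has_prefix()`, which GLib turns into a FALSE return plus a critical warning, so a missing directory is reported as "Invalid path" rather than as the realpath failure it is; an explicit NULL check with its own error text would keep the two cases apart. A rewrite of the condition is sketched below; a destdir of `/` would still need special-casing, since the boundary-character test does not apply to it. The enclosing prepare_repo_download_targets begins and ends outside the hunk, so I cannot see whether `*targets` is reset after `g_slist_free_full` on the error return, and the caller may otherwise hold a freed list. Separately, the patch header spells the trailer `Upstream-Status: Acepted`, where the recognized form is `Accepted`.
```c
    char *dest_dir = realpath(handle->destdir, NULL);
    path = lr_pathconcat(handle->destdir, record->location_href, NULL);
    char *requested_dir = realpath(dirname(path), NULL);
    lr_free(path);
    /* Accept only dest_dir itself or a path below it; a sibling directory
     * whose name merely starts with dest_dir must not pass, and an
     * unresolvable path (realpath returned NULL) is rejected explicitly. */
    gboolean inside = FALSE;
    if (dest_dir && requested_dir && g_str_has_prefix(requested_dir, dest_dir)) {
        char next = requested_dir[strlen(dest_dir)];
        inside = (next == '/' || next == '\0');
    }
    if (!inside) {
        // … unchanged: g_debug / g_set_error / g_slist_free_full / free / return FALSE …
    }
    // … unchanged: free(requested_dir); free(dest_dir); …
```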
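--- a/meta/recipes-devtools/librepo/librepo_1.11.2.bb
+++ b/meta/recipes-devtools/librepo/librepo_1.11.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
 SRC_URI = "git://github.com/rpm-software-management/librepo.git \
 file://0002-Do-not-try-to-obtain-PYTHON_INSTALL_DIR-by-running-p.patch \
 file://0004-Set-gpgme-variables-with-pkg-config-not-with-cmake-m.patch \
+file://CVE-2020-14352.patch \
 "
 
 SRCREV = "67c2d1f83f1bf87be3f26ba730fce7fbdf0c9fba"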