1 files changed, 176 insertions, 0 deletions
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch b/meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch
new file mode 100644
index 0000000000..46c5e8ecb7
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch
@@ -0,0 +1,176 @@
+Upstream-Status: Backport
+This patch is for CVE-2014-9114.
+This patch should be removed once util-linux is upgraded to 2.26.
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+From 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 27 Nov 2014 13:39:35 +0100
+Subject: [PATCH] libblkid: care about unsafe chars in cache
+The high-level libblkid API uses /run/blkid/blkid.tab cache to
+store probing results. The cache format is
+   <device NAME="value" ...>devname</device>
+and unfortunately the cache code does not escape quotation marks:
+   # mkfs.ext4 -L 'AAA"BBB'
+   # cat /run/blkid/blkid.tab
+   ...
+   <device ... LABEL="AAA"BBB" ...>/dev/sdb1</device>
+such string is later incorrectly parsed and blkid(8) returns
+nonsenses. And for use-cases like
+   # eval $(blkid -o export /dev/sdb1)
+it's also insecure.
+Note that mount, udevd and blkid -p are based on low-level libblkid
+API, it bypass the cache and directly read data from the devices.
+The current udevd upstream does not depend on blkid(8) output at all,
+it's directly linked with the library and all unsafe chars are encoded by
+\x<hex> notation.
+   # mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1
+   # udevadm info --export-db | grep LABEL
+   ...
+   E: ID_FS_LABEL=X__/tmp/foo___
+   E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libblkid/src/read.c | 21 ++++++++++++++++++---
+ libblkid/src/save.c | 22 +++++++++++++++++++++-
+ misc-utils/blkid.8  |  5 ++++-
+ misc-utils/blkid.c  |  4 ++--
+ 4 files changed, 45 insertions(+), 7 deletions(-)
+Index: util-linux-2.24.2/libblkid/src/save.c
+===================================================================
+--- util-linux-2.24.2.orig/libblkid/src/save.c
+++ util-linux-2.24.2/libblkid/src/save.c
+@@ -26,6 +26,21 @@
+ 
+ #include "blkidP.h"
+ 
+
+static void save_quoted(const char *data, FILE *file)
+{
+       const char *p;
+
+       fputc('"', file);
+       for (p = data; p && *p; p++) {
+               if ((unsigned char) *p == 0x22 ||               /* " */
+                   (unsigned char) *p == 0x5c)                 /* \ */
+                       fputc('\\', file);
+
+               fputc(*p, file);
+       }
+       fputc('"', file);
+}
+ static int save_dev(blkid_dev dev, FILE *file)
+ {
+        struct list_head *p;
+@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE
+ 
+        if (dev->bid_pri)
+                fprintf(file, " PRI=\"%d\"", dev->bid_pri);
+
+        list_for_each(p, &dev->bid_tags) {
+                blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
+-               fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
+
+               fputc(' ', file);                       /* space between tags */
+               fputs(tag->bit_name, file);             /* tag NAME */
+               fputc('=', file);                       /* separator between NAME and VALUE */
+               save_quoted(tag->bit_val, file);        /* tag "VALUE" */
+        }
+        fprintf(file, ">%s</device>\n", dev->bid_name);
+ 
+Index: util-linux-2.24.2/misc-utils/blkid.8
+===================================================================
+--- util-linux-2.24.2.orig/misc-utils/blkid.8
+++ util-linux-2.24.2/misc-utils/blkid.8
+@@ -193,7 +193,10 @@ partitions.  This output format is \fBDE
+ .TP
+ .B export
+ print key=value pairs for easy import into the environment; this output format
+-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
+is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
+
+The non-printing characters are encoded by ^ and M- notation and all
+potentially unsafe characters are escaped.
+ .RE
+ .TP
+ .BI \-O " offset"
+Index: util-linux-2.24.2/misc-utils/blkid.c
+===================================================================
+--- util-linux-2.24.2.orig/misc-utils/blkid.c
+++ util-linux-2.24.2/misc-utils/blkid.c
+@@ -306,7 +306,7 @@ static void print_value(int output, int
+                        printf("DEVNAME=%s\n", devname);
+                fputs(name, stdout);
+                fputs("=", stdout);
+-               safe_print(value, valsz, NULL);
+               safe_print(value, valsz, " \\\"'$`<>");
+                fputs("\n", stdout);
+ 
+        } else {
+@@ -314,7 +314,7 @@ static void print_value(int output, int
+                        printf("%s: ", devname);
+                fputs(name, stdout);
+                fputs("=\"", stdout);
+-               safe_print(value, valsz, "\"");
+               safe_print(value, valsz, "\"\\");
+                fputs("\" ", stdout);
+        }
+ }
+Index: util-linux-2.24.2/libblkid/src/read.c
+===================================================================
+--- util-linux-2.24.2.orig/libblkid/src/read.c
+++ util-linux-2.24.2/libblkid/src/read.c
+@@ -252,8 +252,23 @@ static int parse_token(char **name, char
+        *value = skip_over_blank(*value + 1);
+ 
+        if (**value == '"') {
+-               end = strchr(*value + 1, '"');
+-               if (!end) {
+      char *p = end = *value + 1;
+
+      /* convert 'foo\"bar'  to 'foo"bar' */
+      while (*p) {
+          if (*p == '\\') {
+              p++;
+              *end = *p;
+          } else {
+              *end = *p;
+              if (*p == '"')
+                  break;
+          }
+          p++;
+          end = ++p;
+      }
+
+      if (*end != '"') {
+                        DBG(READ, blkid_debug("unbalanced quotes at: %s", *value));
+                        *cp = *value;
+                        return -BLKID_ERR_CACHE;
+@@ -261,11 +276,11 @@ static int parse_token(char **name, char
+                (*value)++;
+                *end = '\0';
+                end++;
+               end = ++p;
+        } else {
+                end = skip_over_word(*value);
+                if (*end) {
+                        *end = '\0';
+-                       end++;
+                }
+        }
+        *cp = end;

diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch b/meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch new file mode 100644 index 0000000000..46c5e8ecb7 --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch
@@ -0,0 +1,176 @@
	1	Upstream-Status: Backport
	2
	3	This patch is for CVE-2014-9114.
	4	This patch should be removed once util-linux is upgraded to 2.26.
	5
	6	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
	7
	8	From 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Mon Sep 17 00:00:00 2001
	9	From: Karel Zak <kzak@redhat.com>
	10	Date: Thu, 27 Nov 2014 13:39:35 +0100
	11	Subject: [PATCH] libblkid: care about unsafe chars in cache
	12
	13	The high-level libblkid API uses /run/blkid/blkid.tab cache to
	14	store probing results. The cache format is
	15
	16	<device NAME="value" ...>devname</device>
	17
	18	and unfortunately the cache code does not escape quotation marks:
	19
	20	# mkfs.ext4 -L 'AAA"BBB'
	21
	22	# cat /run/blkid/blkid.tab
	23	...
	24	<device ... LABEL="AAA"BBB" ...>/dev/sdb1</device>
	25
	26	such string is later incorrectly parsed and blkid(8) returns
	27	nonsenses. And for use-cases like
	28
	29	# eval $(blkid -o export /dev/sdb1)
	30
	31	it's also insecure.
	32
	33	Note that mount, udevd and blkid -p are based on low-level libblkid
	34	API, it bypass the cache and directly read data from the devices.
	35
	36	The current udevd upstream does not depend on blkid(8) output at all,
	37	it's directly linked with the library and all unsafe chars are encoded by
	38	\x<hex> notation.
	39
	40	# mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1
	41	# udevadm info --export-db \| grep LABEL
	42	...
	43	E: ID_FS_LABEL=X__/tmp/foo___
	44	E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22
	45
	46	Signed-off-by: Karel Zak <kzak@redhat.com>
	47	---
	48	libblkid/src/read.c \| 21 ++++++++++++++++++---
	49	libblkid/src/save.c \| 22 +++++++++++++++++++++-
	50	misc-utils/blkid.8 \| 5 ++++-
	51	misc-utils/blkid.c \| 4 ++--
	52	4 files changed, 45 insertions(+), 7 deletions(-)
	53
	54	Index: util-linux-2.24.2/libblkid/src/save.c
	55	===================================================================
	56	--- util-linux-2.24.2.orig/libblkid/src/save.c
	57	+++ util-linux-2.24.2/libblkid/src/save.c
	58	@@ -26,6 +26,21 @@
	59
	60	#include "blkidP.h"
	61
	62	+
	63	+static void save_quoted(const char data, FILE file)
	64	+{
	65	+ const char *p;
	66	+
	67	+ fputc('"', file);
	68	+ for (p = data; p && *p; p++) {
	69	+ if ((unsigned char) p == 0x22 \|\| / " */
	70	+ (unsigned char) p == 0x5c) / \ */
	71	+ fputc('\\', file);
	72	+
	73	+ fputc(*p, file);
	74	+ }
	75	+ fputc('"', file);
	76	+}
	77	static int save_dev(blkid_dev dev, FILE *file)
	78	{
	79	struct list_head *p;
	80	@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE
	81
	82	if (dev->bid_pri)
	83	fprintf(file, " PRI=\"%d\"", dev->bid_pri);
	84	+
	85	list_for_each(p, &dev->bid_tags) {
	86	blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
	87	- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
	88	+
	89	+ fputc(' ', file); /* space between tags */
	90	+ fputs(tag->bit_name, file); /* tag NAME */
	91	+ fputc('=', file); /* separator between NAME and VALUE */
	92	+ save_quoted(tag->bit_val, file); /* tag "VALUE" */
	93	}
	94	fprintf(file, ">%s</device>\n", dev->bid_name);
	95
	96	Index: util-linux-2.24.2/misc-utils/blkid.8
	97	===================================================================
	98	--- util-linux-2.24.2.orig/misc-utils/blkid.8
	99	+++ util-linux-2.24.2/misc-utils/blkid.8
	100	@@ -193,7 +193,10 @@ partitions. This output format is \fBDE
	101	.TP
	102	.B export
	103	print key=value pairs for easy import into the environment; this output format
	104	-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
	105	+is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
	106	+
	107	+The non-printing characters are encoded by ^ and M- notation and all
	108	+potentially unsafe characters are escaped.
	109	.RE
	110	.TP
	111	.BI \-O " offset"
	112	Index: util-linux-2.24.2/misc-utils/blkid.c
	113	===================================================================
	114	--- util-linux-2.24.2.orig/misc-utils/blkid.c
	115	+++ util-linux-2.24.2/misc-utils/blkid.c
	116	@@ -306,7 +306,7 @@ static void print_value(int output, int
	117	printf("DEVNAME=%s\n", devname);
	118	fputs(name, stdout);
	119	fputs("=", stdout);
	120	- safe_print(value, valsz, NULL);
	121	+ safe_print(value, valsz, " \\\"'$`<>");
	122	fputs("\n", stdout);
	123
	124	} else {
	125	@@ -314,7 +314,7 @@ static void print_value(int output, int
	126	printf("%s: ", devname);
	127	fputs(name, stdout);
	128	fputs("=\"", stdout);
	129	- safe_print(value, valsz, "\"");
	130	+ safe_print(value, valsz, "\"\\");
	131	fputs("\" ", stdout);
	132	}
	133	}
	134	Index: util-linux-2.24.2/libblkid/src/read.c
	135	===================================================================
	136	--- util-linux-2.24.2.orig/libblkid/src/read.c
	137	+++ util-linux-2.24.2/libblkid/src/read.c
	138	@@ -252,8 +252,23 @@ static int parse_token(char **name, char
	139	value = skip_over_blank(value + 1);
	140
	141	if (**value == '"') {
	142	- end = strchr(*value + 1, '"');
	143	- if (!end) {
	144	+ char p = end = value + 1;
	145	+
	146	+ /* convert 'foo\"bar' to 'foo"bar' */
	147	+ while (*p) {
	148	+ if (*p == '\\') {
	149	+ p++;
	150	+ end = p;
	151	+ } else {
	152	+ end = p;
	153	+ if (*p == '"')
	154	+ break;
	155	+ }
	156	+ p++;
	157	+ end = ++p;
	158	+ }
	159	+
	160	+ if (*end != '"') {
	161	DBG(READ, blkid_debug("unbalanced quotes at: %s", *value));
	162	cp = value;
	163	return -BLKID_ERR_CACHE;
	164	@@ -261,11 +276,11 @@ static int parse_token(char **name, char
	165	(*value)++;
	166	*end = '\0';
	167	end++;
	168	+ end = ++p;
	169	} else {
	170	end = skip_over_word(*value);
	171	if (*end) {
	172	*end = '\0';
	173	- end++;
	174	}
	175	}
	176	*cp = end;