1 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch
new file mode 100644
index 0000000000..e59c6661ea
--- /dev/null
+++ b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch
@@ -0,0 +1,68 @@
+dpkg: Security Advisory - CVE-2014-3127
+commit a12eb58959d0a10584a428f4a3103a49204c410f upstream
+dpkg 1.15.9 on Debian squeeze introduces support for the "C-style
+encoded filenames" feature without recognizing that the squeeze patch
+program lacks this feature, which triggers an interaction error that
+allows remote attackers to conduct directory traversal attacks and
+modify files outside of the intended directories via a crafted source
+package.
+NOTE: this can be considered a release engineering problem in the
+effort to fix CVE-2014-0471.
+Upstream-Status: Backport
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+=====================================================
+diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm
+--- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm        2014-06-05 16:32:41.765446564 +0800
+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm    2014-06-05 16:37:21.461446359 +0800
+@@ -324,31 +324,6 @@
+     return $line;
+ }
+ 
+-my %ESCAPE = ((
+-    'a' => "\a",
+-    'b' => "\b",
+-    'f' => "\f",
+-    'n' => "\n",
+-    'r' => "\r",
+-    't' => "\t",
+-    'v' => "\cK",
+-    '\\' => '\\',
+-    '"' => '"',
+-), (
+-    map { sprintf('%03o', $_) => chr($_) } (0..255)
+-));
+-
+-sub _unescape {
+-    my ($diff, $str) = @_;
+-
+-    if (exists $ESCAPE{$str}) {
+-        return $ESCAPE{$str};
+-    } else {
+-        error(_g('diff %s patches file with unknown escape sequence \\%s'),
+-              $diff, $str);
+-    }
+-}
+-
+ # Fetch the header filename ignoring the optional timestamp
+ sub _fetch_filename {
+     my ($diff, $header) = @_;
+@@ -358,12 +333,7 @@
+ 
+     # Is it a C-style string?
+     if ($header =~ m/^"/) {
+-        $header =~ m/^"((?:[^\\"]|\\.)*)"/;
+-        error(_g('diff %s patches file with unbalanced quote'), $diff)
+-            unless defined $1;
+-
+-        $header = $1;
+-        $header =~ s/\\([0-3][0-7]{2}|.)/_unescape($diff, $1)/eg;
+       error(_g('diff %s patches file with C-style encoded filename'), $diff);
+     } else {
+         # Tab is the official separator, it's always used when
+         # filename contain spaces. Try it first, otherwise strip on space

diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch new file mode 100644 index 0000000000..e59c6661ea --- /dev/null +++ b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch
@@ -0,0 +1,68 @@
	1	dpkg: Security Advisory - CVE-2014-3127
	2
	3	commit a12eb58959d0a10584a428f4a3103a49204c410f upstream
	4
	5	dpkg 1.15.9 on Debian squeeze introduces support for the "C-style
	6	encoded filenames" feature without recognizing that the squeeze patch
	7	program lacks this feature, which triggers an interaction error that
	8	allows remote attackers to conduct directory traversal attacks and
	9	modify files outside of the intended directories via a crafted source
	10	package.
	11
	12	NOTE: this can be considered a release engineering problem in the
	13	effort to fix CVE-2014-0471.
	14
	15	Upstream-Status: Backport
	16
	17	Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
	18	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
	19	=====================================================
	20	diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm
	21	--- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm 2014-06-05 16:32:41.765446564 +0800
	22	+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm 2014-06-05 16:37:21.461446359 +0800
	23	@@ -324,31 +324,6 @@
	24	return $line;
	25	}
	26
	27	-my %ESCAPE = ((
	28	- 'a' => "\a",
	29	- 'b' => "\b",
	30	- 'f' => "\f",
	31	- 'n' => "\n",
	32	- 'r' => "\r",
	33	- 't' => "\t",
	34	- 'v' => "\cK",
	35	- '\\' => '\\',
	36	- '"' => '"',
	37	-), (
	38	- map { sprintf('%03o', $_) => chr($_) } (0..255)
	39	-));
	40	-
	41	-sub _unescape {
	42	- my ($diff, $str) = @_;
	43	-
	44	- if (exists $ESCAPE{$str}) {
	45	- return $ESCAPE{$str};
	46	- } else {
	47	- error(_g('diff %s patches file with unknown escape sequence \\%s'),
	48	- $diff, $str);
	49	- }
	50	-}
	51	-
	52	# Fetch the header filename ignoring the optional timestamp
	53	sub _fetch_filename {
	54	my ($diff, $header) = @_;
	55	@@ -358,12 +333,7 @@
	56
	57	# Is it a C-style string?
	58	if ($header =~ m/^"/) {
	59	- $header =~ m/^"((?:[^\\"]\|\\.)*)"/;
	60	- error(_g('diff %s patches file with unbalanced quote'), $diff)
	61	- unless defined $1;
	62	-
	63	- $header = $1;
	64	- $header =~ s/\\([0-3][0-7]{2}\|.)/_unescape($diff, $1)/eg;
	65	+ error(_g('diff %s patches file with C-style encoded filename'), $diff);
	66	} else {
	67	# Tab is the official separator, it's always used when
	68	# filename contain spaces. Try it first, otherwise strip on space