2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch
new file mode 100644
index 0000000000..e59c6661ea
--- /dev/null
+++ b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch
@@ -0,0 +1,68 @@
+dpkg: Security Advisory - CVE-2014-3127
+commit a12eb58959d0a10584a428f4a3103a49204c410f upstream
+dpkg 1.15.9 on Debian squeeze introduces support for the "C-style
+encoded filenames" feature without recognizing that the squeeze patch
+program lacks this feature, which triggers an interaction error that
+allows remote attackers to conduct directory traversal attacks and
+modify files outside of the intended directories via a crafted source
+package.
+NOTE: this can be considered a release engineering problem in the
+effort to fix CVE-2014-0471.
+Upstream-Status: Backport
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+=====================================================
+diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm
+--- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm        2014-06-05 16:32:41.765446564 +0800
+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm    2014-06-05 16:37:21.461446359 +0800
+@@ -324,31 +324,6 @@
+     return $line;
+ }
+ 
+-my %ESCAPE = ((
+-    'a' => "\a",
+-    'b' => "\b",
+-    'f' => "\f",
+-    'n' => "\n",
+-    'r' => "\r",
+-    't' => "\t",
+-    'v' => "\cK",
+-    '\\' => '\\',
+-    '"' => '"',
+-), (
+-    map { sprintf('%03o', $_) => chr($_) } (0..255)
+-));
+-
+-sub _unescape {
+-    my ($diff, $str) = @_;
+-
+-    if (exists $ESCAPE{$str}) {
+-        return $ESCAPE{$str};
+-    } else {
+-        error(_g('diff %s patches file with unknown escape sequence \\%s'),
+-              $diff, $str);
+-    }
+-}
+-
+ # Fetch the header filename ignoring the optional timestamp
+ sub _fetch_filename {
+     my ($diff, $header) = @_;
+@@ -358,12 +333,7 @@
+ 
+     # Is it a C-style string?
+     if ($header =~ m/^"/) {
+-        $header =~ m/^"((?:[^\\"]|\\.)*)"/;
+-        error(_g('diff %s patches file with unbalanced quote'), $diff)
+-            unless defined $1;
+-
+-        $header = $1;
+-        $header =~ s/\\([0-3][0-7]{2}|.)/_unescape($diff, $1)/eg;
+       error(_g('diff %s patches file with C-style encoded filename'), $diff);
+     } else {
+         # Tab is the official separator, it's always used when
+         # filename contain spaces. Try it first, otherwise strip on space
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
index 48e13948f0..83526f3c96 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
@@ -13,6 +13,7 @@ SRC_URI += "file://noman.patch \
            file://glibc2.5-sync_file_range.patch \
            file://no-vla-warning.patch \
            file://dpkg-1.17.4-CVE-2014-0471.patch \
+            file://dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch \
           "
 SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1"

diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch new file mode 100644 index 0000000000..e59c6661ea --- /dev/null +++ b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch
@@ -0,0 +1,68 @@
		1	dpkg: Security Advisory - CVE-2014-3127
		2
		3	commit a12eb58959d0a10584a428f4a3103a49204c410f upstream
		4
		5	dpkg 1.15.9 on Debian squeeze introduces support for the "C-style
		6	encoded filenames" feature without recognizing that the squeeze patch
		7	program lacks this feature, which triggers an interaction error that
		8	allows remote attackers to conduct directory traversal attacks and
		9	modify files outside of the intended directories via a crafted source
		10	package.
		11
		12	NOTE: this can be considered a release engineering problem in the
		13	effort to fix CVE-2014-0471.
		14
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
		18	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
		19	=====================================================
		20	diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm
		21	--- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm 2014-06-05 16:32:41.765446564 +0800
		22	+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm 2014-06-05 16:37:21.461446359 +0800
		23	@@ -324,31 +324,6 @@
		24	return $line;
		25	}
		26
		27	-my %ESCAPE = ((
		28	- 'a' => "\a",
		29	- 'b' => "\b",
		30	- 'f' => "\f",
		31	- 'n' => "\n",
		32	- 'r' => "\r",
		33	- 't' => "\t",
		34	- 'v' => "\cK",
		35	- '\\' => '\\',
		36	- '"' => '"',
		37	-), (
		38	- map { sprintf('%03o', $_) => chr($_) } (0..255)
		39	-));
		40	-
		41	-sub _unescape {
		42	- my ($diff, $str) = @_;
		43	-
		44	- if (exists $ESCAPE{$str}) {
		45	- return $ESCAPE{$str};
		46	- } else {
		47	- error(_g('diff %s patches file with unknown escape sequence \\%s'),
		48	- $diff, $str);
		49	- }
		50	-}
		51	-
		52	# Fetch the header filename ignoring the optional timestamp
		53	sub _fetch_filename {
		54	my ($diff, $header) = @_;
		55	@@ -358,12 +333,7 @@
		56
		57	# Is it a C-style string?
		58	if ($header =~ m/^"/) {
		59	- $header =~ m/^"((?:[^\\"]\|\\.)*)"/;
		60	- error(_g('diff %s patches file with unbalanced quote'), $diff)
		61	- unless defined $1;
		62	-
		63	- $header = $1;
		64	- $header =~ s/\\([0-3][0-7]{2}\|.)/_unescape($diff, $1)/eg;
		65	+ error(_g('diff %s patches file with C-style encoded filename'), $diff);
		66	} else {
		67	# Tab is the official separator, it's always used when
		68	# filename contain spaces. Try it first, otherwise strip on space


diff --git a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb index 48e13948f0..83526f3c96 100644 --- a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb +++ b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
@@ -13,6 +13,7 @@ SRC_URI += "file://noman.patch \
13	file://glibc2.5-sync_file_range.patch \	13	file://glibc2.5-sync_file_range.patch \
14	file://no-vla-warning.patch \	14	file://no-vla-warning.patch \
15	file://dpkg-1.17.4-CVE-2014-0471.patch \	15	file://dpkg-1.17.4-CVE-2014-0471.patch \
		16	file://dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch \
16	"	17	"
17		18
18	SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1"	19	SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1"