1 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
new file mode 100644
index 0000000000..8b9904fd56
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -0,0 +1,72 @@
+Upstream-Status: Backport
+Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
+squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
+Fix potential stack overflow in get_component() where an individual
+pathname component in an extract file (specified on the command line
+or in an extract file) could exceed the 1024 byte sized targname
+allocated on the stack.
+Fix by dynamically allocating targname rather than storing it as
+a fixed size on the stack.
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+diff -urpN a/unsquashfs.c b/unsquashfs.c
+--- a/unsquashfs.c      2012-11-29 17:04:08.000000000 +0800
+++ b/unsquashfs.c      2012-11-29 17:04:25.000000000 +0800
+@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
+ }
+ 
+ 
+-char *get_component(char *target, char *targname)
+char *get_component(char *target, char **targname)
+ {
+       char *start;
+
+        while(*target == '/')
+                target ++;
+ 
+       start = target;
+        while(*target != '/' && *target!= '\0')
+-               *targname ++ = *target ++;
+               target ++;
+ 
+-       *targname = '\0';
+       *targname = strndup(start, target - start);
+ 
+        return target;
+ }
+@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
+ 
+ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+ {
+-       char targname[1024];
+       char *targname;
+        int i, error;
+ 
+        TRACE("add_path: adding \"%s\" extract file\n", target);
+ 
+-       target = get_component(target, targname);
+       target = get_component(target, &targname);
+ 
+        if(paths == NULL) {
+                paths = malloc(sizeof(struct pathname));
+@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
+                        sizeof(struct path_entry));
+                if(paths->name == NULL)
+                        EXIT_UNSQUASH("Out of memory in add_path\n");   
+-               paths->name[i].name = strdup(targname);
+               paths->name[i].name = targname;
+                paths->name[i].paths = NULL;
+                if(use_regex) {
+                        paths->name[i].preg = malloc(sizeof(regex_t));
+@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
+                /*
+                 * existing matching entry
+                 */
+               free(targname);
+
+                if(paths->name[i].paths == NULL) {
+                        /*
+                         * No sub-directory which means this is the leaf

diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch new file mode 100644 index 0000000000..8b9904fd56 --- /dev/null +++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -0,0 +1,72 @@
	1	Upstream-Status: Backport
	2
	3	Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
	4	squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
	5
	6	Fix potential stack overflow in get_component() where an individual
	7	pathname component in an extract file (specified on the command line
	8	or in an extract file) could exceed the 1024 byte sized targname
	9	allocated on the stack.
	10
	11	Fix by dynamically allocating targname rather than storing it as
	12	a fixed size on the stack.
	13
	14	Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
	15	diff -urpN a/unsquashfs.c b/unsquashfs.c
	16	--- a/unsquashfs.c 2012-11-29 17:04:08.000000000 +0800
	17	+++ b/unsquashfs.c 2012-11-29 17:04:25.000000000 +0800
	18	@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
	19	}
	20
	21
	22	-char get_component(char target, char *targname)
	23	+char get_component(char target, char **targname)
	24	{
	25	+ char *start;
	26	+
	27	while(*target == '/')
	28	target ++;
	29
	30	+ start = target;
	31	while(target != '/' && target!= '\0')
	32	- targname ++ = target ++;
	33	+ target ++;
	34
	35	- *targname = '\0';
	36	+ *targname = strndup(start, target - start);
	37
	38	return target;
	39	}
	40	@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
	41
	42	struct pathname add_path(struct pathname paths, char target, char alltarget)
	43	{
	44	- char targname[1024];
	45	+ char *targname;
	46	int i, error;
	47
	48	TRACE("add_path: adding \"%s\" extract file\n", target);
	49
	50	- target = get_component(target, targname);
	51	+ target = get_component(target, &targname);
	52
	53	if(paths == NULL) {
	54	paths = malloc(sizeof(struct pathname));
	55	@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
	56	sizeof(struct path_entry));
	57	if(paths->name == NULL)
	58	EXIT_UNSQUASH("Out of memory in add_path\n");
	59	- paths->name[i].name = strdup(targname);
	60	+ paths->name[i].name = targname;
	61	paths->name[i].paths = NULL;
	62	if(use_regex) {
	63	paths->name[i].preg = malloc(sizeof(regex_t));
	64	@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
	65	/*
	66	* existing matching entry
	67	*/
	68	+ free(targname);
	69	+
	70	if(paths->name[i].paths == NULL) {
	71	/*
	72	* No sub-directory which means this is the leaf