2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
new file mode 100644
index 0000000000..8b9904fd56
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -0,0 +1,72 @@
+Upstream-Status: Backport
+Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
+squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
+Fix potential stack overflow in get_component() where an individual
+pathname component in an extract file (specified on the command line
+or in an extract file) could exceed the 1024 byte sized targname
+allocated on the stack.
+Fix by dynamically allocating targname rather than storing it as
+a fixed size on the stack.
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+diff -urpN a/unsquashfs.c b/unsquashfs.c
+--- a/unsquashfs.c      2012-11-29 17:04:08.000000000 +0800
+++ b/unsquashfs.c      2012-11-29 17:04:25.000000000 +0800
+@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
+ }
+ 
+ 
+-char *get_component(char *target, char *targname)
+char *get_component(char *target, char **targname)
+ {
+       char *start;
+
+        while(*target == '/')
+                target ++;
+ 
+       start = target;
+        while(*target != '/' && *target!= '\0')
+-               *targname ++ = *target ++;
+               target ++;
+ 
+-       *targname = '\0';
+       *targname = strndup(start, target - start);
+ 
+        return target;
+ }
+@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
+ 
+ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+ {
+-       char targname[1024];
+       char *targname;
+        int i, error;
+ 
+        TRACE("add_path: adding \"%s\" extract file\n", target);
+ 
+-       target = get_component(target, targname);
+       target = get_component(target, &targname);
+ 
+        if(paths == NULL) {
+                paths = malloc(sizeof(struct pathname));
+@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
+                        sizeof(struct path_entry));
+                if(paths->name == NULL)
+                        EXIT_UNSQUASH("Out of memory in add_path\n");   
+-               paths->name[i].name = strdup(targname);
+               paths->name[i].name = targname;
+                paths->name[i].paths = NULL;
+                if(use_regex) {
+                        paths->name[i].preg = malloc(sizeof(regex_t));
+@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
+                /*
+                 * existing matching entry
+                 */
+               free(targname);
+
+                if(paths->name[i].paths == NULL) {
+                        /*
+                         * No sub-directory which means this is the leaf
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
index c54081be9f..9922f1ef51 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
@@ -3,6 +3,7 @@
 DESCRIPTION = "Tools to manipulate Squashfs filesystems."
 SECTION = "base"
 LICENSE = "GPL-2 & PD"
+FILESEXTRAPATHS_prepend := "${THISDIR}/patches:"
 LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
                    file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \
                   "
@@ -12,6 +13,8 @@ PR = "1"
 SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \
           http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \
          "
+SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \
+           " 
 SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"
 SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"
 SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"

diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch new file mode 100644 index 0000000000..8b9904fd56 --- /dev/null +++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -0,0 +1,72 @@
		1	Upstream-Status: Backport
		2
		3	Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
		4	squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
		5
		6	Fix potential stack overflow in get_component() where an individual
		7	pathname component in an extract file (specified on the command line
		8	or in an extract file) could exceed the 1024 byte sized targname
		9	allocated on the stack.
		10
		11	Fix by dynamically allocating targname rather than storing it as
		12	a fixed size on the stack.
		13
		14	Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
		15	diff -urpN a/unsquashfs.c b/unsquashfs.c
		16	--- a/unsquashfs.c 2012-11-29 17:04:08.000000000 +0800
		17	+++ b/unsquashfs.c 2012-11-29 17:04:25.000000000 +0800
		18	@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
		19	}
		20
		21
		22	-char get_component(char target, char *targname)
		23	+char get_component(char target, char **targname)
		24	{
		25	+ char *start;
		26	+
		27	while(*target == '/')
		28	target ++;
		29
		30	+ start = target;
		31	while(target != '/' && target!= '\0')
		32	- targname ++ = target ++;
		33	+ target ++;
		34
		35	- *targname = '\0';
		36	+ *targname = strndup(start, target - start);
		37
		38	return target;
		39	}
		40	@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
		41
		42	struct pathname add_path(struct pathname paths, char target, char alltarget)
		43	{
		44	- char targname[1024];
		45	+ char *targname;
		46	int i, error;
		47
		48	TRACE("add_path: adding \"%s\" extract file\n", target);
		49
		50	- target = get_component(target, targname);
		51	+ target = get_component(target, &targname);
		52
		53	if(paths == NULL) {
		54	paths = malloc(sizeof(struct pathname));
		55	@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
		56	sizeof(struct path_entry));
		57	if(paths->name == NULL)
		58	EXIT_UNSQUASH("Out of memory in add_path\n");
		59	- paths->name[i].name = strdup(targname);
		60	+ paths->name[i].name = targname;
		61	paths->name[i].paths = NULL;
		62	if(use_regex) {
		63	paths->name[i].preg = malloc(sizeof(regex_t));
		64	@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
		65	/*
		66	* existing matching entry
		67	*/
		68	+ free(targname);
		69	+
		70	if(paths->name[i].paths == NULL) {
		71	/*
		72	* No sub-directory which means this is the leaf


diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb index c54081be9f..9922f1ef51 100644 --- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb +++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
@@ -3,6 +3,7 @@
3	DESCRIPTION = "Tools to manipulate Squashfs filesystems."	3	DESCRIPTION = "Tools to manipulate Squashfs filesystems."
4	SECTION = "base"	4	SECTION = "base"
5	LICENSE = "GPL-2 & PD"	5	LICENSE = "GPL-2 & PD"
		6	FILESEXTRAPATHS_prepend := "${THISDIR}/patches:"
6	LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \	7	LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
7	file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \	8	file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \
8	"	9	"
@@ -12,6 +13,8 @@ PR = "1"
12	SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \	13	SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \
13	http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \	14	http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \
14	"	15	"
		16	SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \
		17	"
15	SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"	18	SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"
16	SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"	19	SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"
17	SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"	20	SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"