summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/cpio/cpio-2.12
Commit message (Collapse)AuthorAgeFilesLines
* cpio: fix crash when appending to archivesRoss Burton2019-01-081-0/+87
| | | | | | | | | | | | | | | The upstream fix for CVE-2016-2037 introduced a read from uninitialized memory bug when appending to an existing archive, which is an operation we perform when building an image. (From OE-Core rev: 046e3e1fca925febf47b3fdd5d4e9ee2e1fad868) (From OE-Core rev: 2ff6ab2e2944c6a53523b4b1611e1d22f6393500) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cpio: fix CVE-2016-2037Andre McCurdy2018-06-151-0/+346
| | | | | | | | | | | | | | | | | | | | | | | | "The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file." https://nvd.nist.gov/vuln/detail/CVE-2016-2037 Note that there appear to be two versions of this fix. The original patch posted to the bug-cpio mailing list [1] is used by Debian [2], but apparently causes regression [3]. The patch accepted to the upstream git repo [4] seems to be the most complete fix. [1] https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html [2] https://security-tracker.debian.org/tracker/CVE-2016-2037 [3] https://www.mail-archive.com/bug-cpio@gnu.org/msg00584.html [4] http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b (From OE-Core rev: f170288ac706126e69a504a14d564b2e5c3513e4) Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Add "CVE:" tag to current patches in OE-coreMariano Lopez2016-01-111-0/+1
| | | | | | | | | | | | | | The currnet patches in OE-core doesn't have the "CVE:" tag, now part of the policy of the patches. This is patch add this tag to several patches. There might be patches that I miss; the tag can be added in the future. (From OE-Core rev: 065ebeb3e15311d0d45385e15bf557b1c95b1669) Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cpio: update to 2.12Alexander Kanavin2015-12-162-0/+207
Drop backported patches: Fix-symlink-bad-length-test-for-64-bit-architectures.patch fix-memory-overrun.patch fix-testcase-symlink-bad-lengths.patch 0001-fix-testcase-of-symlink-bad-length.patch statdef.patch is fixing code that doesn't exist anymore. The problem handled by remove-gets.patch has been fixed differently. The CVE-2015-1197 has been ignored by upstream and had to be rebased: http://lists.gnu.org/archive/html/bug-cpio/2015-09/msg00007.html (From OE-Core rev: feeaa86eb8b1071d56eb6d7ad7120aa389c736a0) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-06-19 12:05:38 +0000