From a0745dce6bf173eb72bbaa174d0bf3e172ebb7f5 Mon Sep 17 00:00:00 2001
From: Kai Kang <kai.kang@windriver.com>
Date: Thu, 18 Nov 2021 09:53:36 +0800
Subject: squashfs-tools: fix CVE-2021-41072

Backport patches to fix CVE-2021-41072. And update context for verison
4.4 at same time.

CVE: CVE-2021-41072

Ref:
* https://nvd.nist.gov/vuln/detail/CVE-2021-41072

(From OE-Core rev: e95ccf6f7fe5a42fffcfa5e43087ff964622e26c)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../files/CVE-2021-41072-requisite-2.patch         | 109 +++++++++++++++++++++
 1 file changed, 109 insertions(+)
 create mode 100644 meta/recipes-devtools/squashfs-tools/files/CVE-2021-41072-requisite-2.patch

(limited to 'meta/recipes-devtools/squashfs-tools/files/CVE-2021-41072-requisite-2.patch')

diff --git a/meta/recipes-devtools/squashfs-tools/files/CVE-2021-41072-requisite-2.patch b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-41072-requisite-2.patch
new file mode 100644
index 0000000000..0b80d07b3b
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-41072-requisite-2.patch
@@ -0,0 +1,109 @@
+The commit is required by the fix for CVE-2021-41072. Update context for
+version 4.4.
+
+Upstream-Status: Backport [https://github.com/plougher/squashfs-tools/commit/1993a4e]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 1993a4e7aeda04962bf26e84c15fba8b58837e10 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Sun, 12 Sep 2021 20:09:13 +0100
+Subject: [PATCH] unsquashfs: dynamically allocate name
+
+Dynamically allocate name rather than store it
+directly in structure.
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/unsquash-1.c    | 2 +-
+ squashfs-tools/unsquash-1234.c | 5 +++++
+ squashfs-tools/unsquash-2.c    | 2 +-
+ squashfs-tools/unsquash-3.c    | 2 +-
+ squashfs-tools/unsquash-4.c    | 2 +-
+ squashfs-tools/unsquashfs.h    | 2 +-
+ 6 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
+index 7598499..d0121c6 100644
+--- a/squashfs-tools/unsquash-1.c
++++ b/squashfs-tools/unsquash-1.c
+@@ -303,7 +303,7 @@ static struct dir *squashfs_opendir(unsi
+ 						"realloc failed!\n");
+ 				dir->dirs = new_dir;
+ 			}
+-			strcpy(dir->dirs[dir->dir_count].name, dire->name);
++			dir->dirs[dir->dir_count].name = strdup(dire->name);
+ 			dir->dirs[dir->dir_count].start_block =
+ 				dirh.start_block;
+ 			dir->dirs[dir->dir_count].offset = dire->offset;
+diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
+index 0c8dfbb..ac46d9d 100644
+--- a/squashfs-tools/unsquash-1234.c
++++ b/squashfs-tools/unsquash-1234.c
+@@ -60,6 +60,11 @@ int check_name(char *name, int size)
+ 
+ void squashfs_closedir(struct dir *dir)
+ {
++	int i;
++
++	for(i = 0; i < dir->dir_count; i++)
++		free(dir->dirs[i].name);
++
+ 	free(dir->dirs);
+ 	free(dir);
+ }
+diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
+index 86f62ba..e847980 100644
+--- a/squashfs-tools/unsquash-2.c
++++ b/squashfs-tools/unsquash-2.c
+@@ -404,7 +404,7 @@ static struct dir *squashfs_opendir(unsi
+ 						"realloc failed!\n");
+ 				dir->dirs = new_dir;
+ 			}
+-			strcpy(dir->dirs[dir->dir_count].name, dire->name);
++			dir->dirs[dir->dir_count].name = strdup(dire->name);
+ 			dir->dirs[dir->dir_count].start_block =
+ 				dirh.start_block;
+ 			dir->dirs[dir->dir_count].offset = dire->offset;
+diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
+index c04aa9e..8223f27 100644
+--- a/squashfs-tools/unsquash-3.c
++++ b/squashfs-tools/unsquash-3.c
+@@ -431,7 +431,7 @@ static struct dir *squashfs_opendir(unsi
+ 						"realloc failed!\n");
+ 				dir->dirs = new_dir;
+ 			}
+-			strcpy(dir->dirs[dir->dir_count].name, dire->name);
++			dir->dirs[dir->dir_count].name = strdup(dire->name);
+ 			dir->dirs[dir->dir_count].start_block =
+ 				dirh.start_block;
+ 			dir->dirs[dir->dir_count].offset = dire->offset;
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index ff62dcc..1e199a7 100644
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -367,7 +367,7 @@ static struct dir *squashfs_opendir(unsi
+ 						"realloc failed!\n");
+ 				dir->dirs = new_dir;
+ 			}
+-			strcpy(dir->dirs[dir->dir_count].name, dire->name);
++			dir->dirs[dir->dir_count].name = strdup(dire->name);
+ 			dir->dirs[dir->dir_count].start_block =
+ 				dirh.start_block;
+ 			dir->dirs[dir->dir_count].offset = dire->offset;
+diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
+index 5ecb2ab..583fbe4 100644
+--- a/squashfs-tools/unsquashfs.h
++++ b/squashfs-tools/unsquashfs.h
+@@ -165,7 +165,7 @@ struct queue {
+ #define DIR_ENT_SIZE	16
+ 
+ struct dir_ent	{
+-	char		name[SQUASHFS_NAME_LEN + 1];
++	char		*name;
+ 	unsigned int	start_block;
+ 	unsigned int	offset;
+ 	unsigned int	type;
+-- 
+2.17.1
+
-- 
cgit v1.2.3-54-g00ecf