Drop CVE patches that have been fixed in upstream poky/rocko

Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Martin Borg <martin.borg@enea.com> 2018-02-28 09:33:50 +0100
committer: Martin Borg <martin.borg@enea.com> 2018-02-28 09:33:50 +0100
commit: 495b231e8e0da5046b6b1803d372fe33d0b14be9 (patch)
tree: 63a15b7f1e71be9c3ab4f2ee829e9b59e2f0515f /recipes-devtools
parent: 75578eccbe6c1de6b437e1599fe674e6b7ee2db1 (diff)
download: meta-el-common-495b231e8e0da5046b6b1803d372fe33d0b14be9.tar.gz
3 files changed, 0 insertions, 279 deletions
diff --git a/recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch b/recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch
deleted file mode 100644
index b4c8df1..0000000
--- a/recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch
+++ /dev/null
@@ -1,190 +0,0 @@
-From 67f2bc55ec79926f3334eb2956a62719f824e85b Mon Sep 17 00:00:00 2001
-From: Sona Sarmadi <sona.sarmadi@enea.com>
-Date: Thu, 14 Dec 2017 10:21:01 +0100
-Subject: [PATCH]  build: Detect the required GNU patch
-This makes sure the perl module is using a directory traversal resistant
-patch implementation, currently that's only GNU patch.
-CVE: CVE-2017-8283
-Upstream-Status: Backport [remotes/origin/1.18.x: 8ba04d41c839318b5a024f6c5298848d3b54c723]
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- configure.ac                 |  1 +
- debian/changelog             |  5 +++++
- m4/dpkg-progs.m4             | 15 +++++++++++++++
- scripts/Dpkg.pm              | 13 ++++++++++++-
- scripts/Dpkg/Source/Patch.pm |  9 +++++----
- scripts/Makefile.am          |  4 +++-
- 6 files changed, 41 insertions(+), 6 deletions(-)
-diff --git a/configure.ac b/configure.ac
-index 3123d0c..0112d4d 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -61,6 +61,7 @@ AC_PROG_CC
- DPKG_C_C99
- AC_PROG_CXX
- DPKG_CXX_CXX11
-+DPKG_PROG_PATCH
- AC_CHECK_PROGS([DOXYGEN], [doxygen])
- AC_CHECK_PROG([HAVE_DOT], [dot], [YES], [NO])
- DPKG_PROG_PO4A
-diff --git a/debian/changelog b/debian/changelog
-index 695c55d..4b5b36b 100644
--- a/debian/changelog
-+++ b/debian/changelog
-@@ -1,3 +1,8 @@
-+    - Check that the detected patch is a GNU patch, so that we get a directory
-+      traversal resistant patch implementation. This fixes CVE-2017-8283 by
-+      delegating those checks to patch(1), so that we trap blank-indented
-+      diff hunks trying to escape from the source tree.
-+
- dpkg (1.18.10) unstable; urgency=medium
- 
-   [ Guillem Jover ]
-diff --git a/m4/dpkg-progs.m4 b/m4/dpkg-progs.m4
-index c59f595..577d50d 100644
--- a/m4/dpkg-progs.m4
-+++ b/m4/dpkg-progs.m4
-@@ -49,3 +49,18 @@ AC_ARG_VAR([TAR], [GNU tar program])
- AC_CHECK_PROGS([TAR], [gnutar gtar tar], [tar])
- AC_DEFINE_UNQUOTED([TAR], ["$TAR"], [GNU tar program])
- ])# DPKG_DEB_PROG_TAR
-+
-+# DPKG_PROG_PATCH
-+# ---------------
-+# Specify GNU patch program name to use by dpkg-source. On GNU systems this
-+# is usually simply patch, on BSD systems this is usually gpatch.
-+# Even though most invocations would work with other patch implementations,
-+# currently only GNU patch is directory traversal resistant.
-+AC_DEFUN([DPKG_PROG_PATCH], [
-+  AC_ARG_VAR([PATCH], [GNU patch program])
-+  AC_CHECK_PROGS([PATCH], [gpatch patch], [patch])
-+  AS_IF([! $PATCH --version 2>/dev/null | grep -q '^GNU patch'], [
-+    AC_MSG_ERROR([cannot find a GNU patch program])
-+  ])
-+  AC_DEFINE_UNQUOTED([PATCH], ["$PATCH"], [GNU patch program])
-+])# DPKG_PROG_PATCH
-diff --git a/scripts/Dpkg.pm b/scripts/Dpkg.pm
-index deecfb3..4905ab8 100644
--- a/scripts/Dpkg.pm
-+++ b/scripts/Dpkg.pm
-@@ -29,10 +29,11 @@ this system installation.
- use strict;
- use warnings;
- 
-our $VERSION = '1.01';
-+our $VERSION = '1.03';
- our @EXPORT_OK = qw(
-     $PROGNAME
-     $PROGVERSION
-+    $PROGPATCH
-     $CONFDIR
-     $ADMINDIR
-     $LIBDIR
-@@ -60,6 +61,11 @@ Contains the name of the current program.
- 
- Contains the version of the dpkg suite.
- 
-+=item $Dpkg::PROGPATCH
-+
-+Contains the name of the system GNU patch program (or another implementation
-+that is directory traversal resistant).
-+
- =item $Dpkg::CONFDIR
- 
- Contains the path to the dpkg system configuration directory.
-@@ -84,6 +90,7 @@ our ($PROGNAME) = $0 =~ m{(?:.*/)?([^/]*)};
- 
- # The following lines are automatically fixed at install time
- our $PROGVERSION = '1.18.x';
-+our $PROGPATCH = $ENV{DPKG_PROGPATCH} // 'patch';
- our $CONFDIR = '/etc/dpkg';
- our $ADMINDIR = '/var/lib/dpkg';
- our $LIBDIR = '.';
-@@ -100,6 +107,10 @@ our $pkgdatadir = $DATADIR;
- 
- =head1 CHANGES
- 
-+=head2 Version 1.03 (dpkg 1.18.10)
-+
-+New variable: $PROGPATCH.
-+
- =head2 Version 1.01 (dpkg 1.17.0)
- 
- New variables: $PROGNAME, $PROGVERSION, $CONFDIR, $ADMINDIR, $LIBDIR and
-diff --git a/scripts/Dpkg/Source/Patch.pm b/scripts/Dpkg/Source/Patch.pm
-index ee5e114..22e9d21 100644
--- a/scripts/Dpkg/Source/Patch.pm
-+++ b/scripts/Dpkg/Source/Patch.pm
-@@ -30,6 +30,7 @@ use File::Compare;
- use Fcntl ':mode';
- use Time::HiRes qw(stat);
- 
-+use Dpkg;
- use Dpkg::Gettext;
- use Dpkg::ErrorHandling;
- use Dpkg::IPC;
-@@ -582,7 +583,7 @@ sub apply {
-     $self->ensure_open('r');
-     my ($stdout, $stderr) = ('', '');
-     spawn(
-       exec => [ 'patch', @{$opts{options}} ],
-+       exec => [ $Dpkg::PROGPATCH, @{$opts{options}} ],
-        chdir => $destdir,
-        env => { LC_ALL => 'C', LANG => 'C', PATCH_GET => '0' },
-        delete_env => [ 'POSIXLY_CORRECT' ], # ensure expected patch behaviour
-@@ -595,7 +596,7 @@ sub apply {
-     if ($?) {
-        print { *STDOUT } $stdout;
-        print { *STDERR } $stderr;
-       subprocerr('LC_ALL=C patch ' . join(' ', @{$opts{options}}) .
-+       subprocerr("LC_ALL=C $Dpkg::PROGPATCH " . join(' ', @{$opts{options}}) .
-                   ' < ' . $self->get_filename());
-     }
-     $self->close();
-@@ -632,7 +633,7 @@ sub check_apply {
-     # Apply the patch
-     $self->ensure_open('r');
-     my $patch_pid = spawn(
-       exec => [ 'patch', @{$opts{options}} ],
-+       exec => [ $Dpkg::PROGPATCH, @{$opts{options}} ],
-        chdir => $destdir,
-        env => { LC_ALL => 'C', LANG => 'C', PATCH_GET => '0' },
-        delete_env => [ 'POSIXLY_CORRECT' ], # ensure expected patch behaviour
-@@ -642,7 +643,7 @@ sub check_apply {
-     );
-     wait_child($patch_pid, nocheck => 1);
-     my $exit = WEXITSTATUS($?);
-    subprocerr('patch --dry-run') unless WIFEXITED($?);
-+    subprocerr("$Dpkg::PROGPATCH --dry-run") unless WIFEXITED($?);
-     $self->close();
-     return ($exit == 0);
- }
-diff --git a/scripts/Makefile.am b/scripts/Makefile.am
-index 7b1ac36..84059c1 100644
--- a/scripts/Makefile.am
-+++ b/scripts/Makefile.am
-@@ -127,6 +127,7 @@ do_perl_subst = $(AM_V_GEN) \
-                    -e "s:\$$ADMINDIR[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]:\$$ADMINDIR='$(admindir)':" \
-                    -e "s:\$$LIBDIR[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]:\$$LIBDIR='$(pkglibdir)':" \
-                    -e "s:\$$DATADIR[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]:\$$DATADIR='$(pkgdatadir)':" \
-+                    -e "s:our \$$PROGPATCH = .*;:our \$$PROGPATCH = '$(PATCH)';:" \
-                    -e "s:\$$PROGVERSION[[:space:]]*=[[:space:]]*['\"][^'\"]*[\"']:\$$PROGVERSION='$(PACKAGE_VERSION)':"
- 
- do_shell_subst = $(AM_V_GEN) \
-@@ -187,7 +188,8 @@ coverage-clean:
-        rm -rf cover_db
- 
- TEST_ENV_VARS = \
-       DPKG_DATADIR=$(srcdir)/.. \
-+       DPKG_PROGPATCH=$(PATCH) \
-+        DPKG_DATADIR=$(srcdir)/.. \
-        DPKG_ORIGINS_DIR=$(srcdir)/t/origins
- TEST_COVERAGE = $(PERL_COVERAGE)
- 
-- 
-1.9.1
diff --git a/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch b/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch
deleted file mode 100644
index 5632d8f..0000000
--- a/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 57a3daba4d3dee1c33571e84f160aa1c67aece4c Mon Sep 17 00:00:00 2001
-From: Sona Sarmadi <sona.sarmadi@enea.com>
-Date: Thu, 14 Dec 2017 10:40:42 +0100
-Subject: [PATCH] Dpkg::Source::Patch: Indented patch test-case
-POSIX specifies that a diff hunk can be indented by spaces or tabs
-(while the original patch(1) by Larry Wall also accepts 'X'), as long
-as the amount of spaces is consistent for all subsequent lines. And as
-we are not checking for this condition at all, any such indented hunk
-can avoid the sanity checks performed by Dpkg::Source::Patch.
-On systems using GNU patch >= 2.7.5, this should, in principle, not be
-a problem anymore, as that implementation protects against directory
-traversal issue. But on other systems where the patch implementation
-does not perform such checks (such as the BSDs) this is an issue, so
-check for this in the test-suite.
-Those are arguably all security issues in these various patch
-implementations, but given that we are performing sanity checks and that
-those implementations are currently very lax, it seems prudent to do the
-heavy lifting ourselves and also take the possible blame too.
-Ref: test-case for CVE-2017-8283
-Upstream-Status: Backport
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- debian/changelog              | 3 +++
- scripts/Makefile.am           | 1 +
- scripts/t/Dpkg_Source_Patch.t | 6 +++++-
- 3 files changed, 9 insertions(+), 1 deletion(-)
-diff --git a/debian/changelog b/debian/changelog
-index 4b5b36b..596a59e 100644
--- a/debian/changelog
-+++ b/debian/changelog
-@@ -2,6 +2,9 @@
-       traversal resistant patch implementation. This fixes CVE-2017-8283 by
-       delegating those checks to patch(1), so that we trap blank-indented
-       diff hunks trying to escape from the source tree.
-+  * Test suite:
-+    - Add a test case for blank-indented patches which were the cause for
-+      CVE-2017-8283.
- 
- dpkg (1.18.10) unstable; urgency=medium
- 
-diff --git a/scripts/Makefile.am b/scripts/Makefile.am
-index 84059c1..6ce0ad6 100644
--- a/scripts/Makefile.am
-+++ b/scripts/Makefile.am
-@@ -275,6 +275,7 @@ test_data = \
-        t/Dpkg_Shlibs/spacesyms-o-map.pl \
-        t/Dpkg_Source_Patch/c-style.patch \
-        t/Dpkg_Source_Patch/ghost-hunk.patch \
-+       t/Dpkg_Source_Patch/indent-header.patch \
-        t/Dpkg_Source_Patch/index-+++.patch \
-        t/Dpkg_Source_Patch/index-alone.patch \
-        t/Dpkg_Source_Patch/index-inert.patch \
-diff --git a/scripts/t/Dpkg_Source_Patch.t b/scripts/t/Dpkg_Source_Patch.t
-index 258a9aa..30be77a 100644
--- a/scripts/t/Dpkg_Source_Patch.t
-+++ b/scripts/t/Dpkg_Source_Patch.t
-@@ -16,7 +16,7 @@
- use strict;
- use warnings;
- 
-use Test::More tests => 9;
-+use Test::More tests => 10;
- 
- use File::Path qw(make_path);
- 
-@@ -67,4 +67,8 @@ test_patch_escape('partial', 'symlink', 'partial.patch',
- test_patch_escape('ghost-hunk', 'symlink', 'ghost-hunk.patch',
-                   'Patch cannot escape using a disabling hunk');
- 
-+# This is CVE-2017-8283
-+test_patch_escape('indent-header', 'symlink', 'indent-header.patch',
-+                  'Patch cannot escape indented hunks');
-+
- 1;
-- 
-1.9.1
diff --git a/recipes-devtools/dpkg/dpkg_%.bbappend b/recipes-devtools/dpkg/dpkg_%.bbappend
deleted file mode 100644
index 65d380e..0000000
--- a/recipes-devtools/dpkg/dpkg_%.bbappend
+++ /dev/null
@@ -1,6 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-SRC_URI += "file://CVE-2017-8283.patch \
-            file://test-case-for-CVE-2017-8283.patch \
-           "
author	Martin Borg <martin.borg@enea.com>	2018-02-28 09:33:50 +0100
committer	Martin Borg <martin.borg@enea.com>	2018-02-28 09:33:50 +0100
commit	495b231e8e0da5046b6b1803d372fe33d0b14be9 (patch)
tree	63a15b7f1e71be9c3ab4f2ee829e9b59e2f0515f /recipes-devtools
parent	75578eccbe6c1de6b437e1599fe674e6b7ee2db1 (diff)
download	meta-el-common-495b231e8e0da5046b6b1803d372fe33d0b14be9.tar.gz

diff --git a/recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch b/recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch deleted file mode 100644 index b4c8df1..0000000 --- a/recipes-devtools/dpkg/dpkg/CVE-2017-8283.patch +++ /dev/null
@@ -1,190 +0,0 @@
1	From 67f2bc55ec79926f3334eb2956a62719f824e85b Mon Sep 17 00:00:00 2001
2	From: Sona Sarmadi <sona.sarmadi@enea.com>
3	Date: Thu, 14 Dec 2017 10:21:01 +0100
4	Subject: [PATCH] build: Detect the required GNU patch
5
6	This makes sure the perl module is using a directory traversal resistant
7	patch implementation, currently that's only GNU patch.
8
9	CVE: CVE-2017-8283
10	Upstream-Status: Backport [remotes/origin/1.18.x: 8ba04d41c839318b5a024f6c5298848d3b54c723]
11
12	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
13	---
14	configure.ac \| 1 +
15	debian/changelog \| 5 +++++
16	m4/dpkg-progs.m4 \| 15 +++++++++++++++
17	scripts/Dpkg.pm \| 13 ++++++++++++-
18	scripts/Dpkg/Source/Patch.pm \| 9 +++++----
19	scripts/Makefile.am \| 4 +++-
20	6 files changed, 41 insertions(+), 6 deletions(-)
21
22	diff --git a/configure.ac b/configure.ac
23	index 3123d0c..0112d4d 100644
24	--- a/configure.ac
25	+++ b/configure.ac
26	@@ -61,6 +61,7 @@ AC_PROG_CC
27	DPKG_C_C99
28	AC_PROG_CXX
29	DPKG_CXX_CXX11
30	+DPKG_PROG_PATCH
31	AC_CHECK_PROGS([DOXYGEN], [doxygen])
32	AC_CHECK_PROG([HAVE_DOT], [dot], [YES], [NO])
33	DPKG_PROG_PO4A
34	diff --git a/debian/changelog b/debian/changelog
35	index 695c55d..4b5b36b 100644
36	--- a/debian/changelog
37	+++ b/debian/changelog
38	@@ -1,3 +1,8 @@
39	+ - Check that the detected patch is a GNU patch, so that we get a directory
40	+ traversal resistant patch implementation. This fixes CVE-2017-8283 by
41	+ delegating those checks to patch(1), so that we trap blank-indented
42	+ diff hunks trying to escape from the source tree.
43	+
44	dpkg (1.18.10) unstable; urgency=medium
45
46	[ Guillem Jover ]
47	diff --git a/m4/dpkg-progs.m4 b/m4/dpkg-progs.m4
48	index c59f595..577d50d 100644
49	--- a/m4/dpkg-progs.m4
50	+++ b/m4/dpkg-progs.m4
51	@@ -49,3 +49,18 @@ AC_ARG_VAR([TAR], [GNU tar program])
52	AC_CHECK_PROGS([TAR], [gnutar gtar tar], [tar])
53	AC_DEFINE_UNQUOTED([TAR], ["$TAR"], [GNU tar program])
54	])# DPKG_DEB_PROG_TAR
55	+
56	+# DPKG_PROG_PATCH
57	+# ---------------
58	+# Specify GNU patch program name to use by dpkg-source. On GNU systems this
59	+# is usually simply patch, on BSD systems this is usually gpatch.
60	+# Even though most invocations would work with other patch implementations,
61	+# currently only GNU patch is directory traversal resistant.
62	+AC_DEFUN([DPKG_PROG_PATCH], [
63	+ AC_ARG_VAR([PATCH], [GNU patch program])
64	+ AC_CHECK_PROGS([PATCH], [gpatch patch], [patch])
65	+ AS_IF([! $PATCH --version 2>/dev/null \| grep -q '^GNU patch'], [
66	+ AC_MSG_ERROR([cannot find a GNU patch program])
67	+ ])
68	+ AC_DEFINE_UNQUOTED([PATCH], ["$PATCH"], [GNU patch program])
69	+])# DPKG_PROG_PATCH
70	diff --git a/scripts/Dpkg.pm b/scripts/Dpkg.pm
71	index deecfb3..4905ab8 100644
72	--- a/scripts/Dpkg.pm
73	+++ b/scripts/Dpkg.pm
74	@@ -29,10 +29,11 @@ this system installation.
75	use strict;
76	use warnings;
77
78	-our $VERSION = '1.01';
79	+our $VERSION = '1.03';
80	our @EXPORT_OK = qw(
81	$PROGNAME
82	$PROGVERSION
83	+ $PROGPATCH
84	$CONFDIR
85	$ADMINDIR
86	$LIBDIR
87	@@ -60,6 +61,11 @@ Contains the name of the current program.
88
89	Contains the version of the dpkg suite.
90
91	+=item $Dpkg::PROGPATCH
92	+
93	+Contains the name of the system GNU patch program (or another implementation
94	+that is directory traversal resistant).
95	+
96	=item $Dpkg::CONFDIR
97
98	Contains the path to the dpkg system configuration directory.
99	@@ -84,6 +90,7 @@ our ($PROGNAME) = $0 =~ m{(?:./)?([^/])};
100
101	# The following lines are automatically fixed at install time
102	our $PROGVERSION = '1.18.x';
103	+our $PROGPATCH = $ENV{DPKG_PROGPATCH} // 'patch';
104	our $CONFDIR = '/etc/dpkg';
105	our $ADMINDIR = '/var/lib/dpkg';
106	our $LIBDIR = '.';
107	@@ -100,6 +107,10 @@ our $pkgdatadir = $DATADIR;
108
109	=head1 CHANGES
110
111	+=head2 Version 1.03 (dpkg 1.18.10)
112	+
113	+New variable: $PROGPATCH.
114	+
115	=head2 Version 1.01 (dpkg 1.17.0)
116
117	New variables: $PROGNAME, $PROGVERSION, $CONFDIR, $ADMINDIR, $LIBDIR and
118	diff --git a/scripts/Dpkg/Source/Patch.pm b/scripts/Dpkg/Source/Patch.pm
119	index ee5e114..22e9d21 100644
120	--- a/scripts/Dpkg/Source/Patch.pm
121	+++ b/scripts/Dpkg/Source/Patch.pm
122	@@ -30,6 +30,7 @@ use File::Compare;
123	use Fcntl ':mode';
124	use Time::HiRes qw(stat);
125
126	+use Dpkg;
127	use Dpkg::Gettext;
128	use Dpkg::ErrorHandling;
129	use Dpkg::IPC;
130	@@ -582,7 +583,7 @@ sub apply {
131	$self->ensure_open('r');
132	my ($stdout, $stderr) = ('', '');
133	spawn(
134	- exec => [ 'patch', @{$opts{options}} ],
135	+ exec => [ $Dpkg::PROGPATCH, @{$opts{options}} ],
136	chdir => $destdir,
137	env => { LC_ALL => 'C', LANG => 'C', PATCH_GET => '0' },
138	delete_env => [ 'POSIXLY_CORRECT' ], # ensure expected patch behaviour
139	@@ -595,7 +596,7 @@ sub apply {
140	if ($?) {
141	print { *STDOUT } $stdout;
142	print { *STDERR } $stderr;
143	- subprocerr('LC_ALL=C patch ' . join(' ', @{$opts{options}}) .
144	+ subprocerr("LC_ALL=C $Dpkg::PROGPATCH " . join(' ', @{$opts{options}}) .
145	' < ' . $self->get_filename());
146	}
147	$self->close();
148	@@ -632,7 +633,7 @@ sub check_apply {
149	# Apply the patch
150	$self->ensure_open('r');
151	my $patch_pid = spawn(
152	- exec => [ 'patch', @{$opts{options}} ],
153	+ exec => [ $Dpkg::PROGPATCH, @{$opts{options}} ],
154	chdir => $destdir,
155	env => { LC_ALL => 'C', LANG => 'C', PATCH_GET => '0' },
156	delete_env => [ 'POSIXLY_CORRECT' ], # ensure expected patch behaviour
157	@@ -642,7 +643,7 @@ sub check_apply {
158	);
159	wait_child($patch_pid, nocheck => 1);
160	my $exit = WEXITSTATUS($?);
161	- subprocerr('patch --dry-run') unless WIFEXITED($?);
162	+ subprocerr("$Dpkg::PROGPATCH --dry-run") unless WIFEXITED($?);
163	$self->close();
164	return ($exit == 0);
165	}
166	diff --git a/scripts/Makefile.am b/scripts/Makefile.am
167	index 7b1ac36..84059c1 100644
168	--- a/scripts/Makefile.am
169	+++ b/scripts/Makefile.am
170	@@ -127,6 +127,7 @@ do_perl_subst = $(AM_V_GEN) \
171	-e "s:\$$ADMINDIR[[:space:]]=[[:space:]]['\"][^'\"]*['\"]:\$$ADMINDIR='$(admindir)':" \
172	-e "s:\$$LIBDIR[[:space:]]=[[:space:]]['\"][^'\"]*['\"]:\$$LIBDIR='$(pkglibdir)':" \
173	-e "s:\$$DATADIR[[:space:]]=[[:space:]]['\"][^'\"]*['\"]:\$$DATADIR='$(pkgdatadir)':" \
174	+ -e "s:our \$$PROGPATCH = .*;:our \$$PROGPATCH = '$(PATCH)';:" \
175	-e "s:\$$PROGVERSION[[:space:]]=[[:space:]]['\"][^'\"]*[\"']:\$$PROGVERSION='$(PACKAGE_VERSION)':"
176
177	do_shell_subst = $(AM_V_GEN) \
178	@@ -187,7 +188,8 @@ coverage-clean:
179	rm -rf cover_db
180
181	TEST_ENV_VARS = \
182	- DPKG_DATADIR=$(srcdir)/.. \
183	+ DPKG_PROGPATCH=$(PATCH) \
184	+ DPKG_DATADIR=$(srcdir)/.. \
185	DPKG_ORIGINS_DIR=$(srcdir)/t/origins
186	TEST_COVERAGE = $(PERL_COVERAGE)
187
188	--
189	1.9.1
190


diff --git a/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch b/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch deleted file mode 100644 index 5632d8f..0000000 --- a/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch +++ /dev/null
@@ -1,83 +0,0 @@
1	From 57a3daba4d3dee1c33571e84f160aa1c67aece4c Mon Sep 17 00:00:00 2001
2	From: Sona Sarmadi <sona.sarmadi@enea.com>
3	Date: Thu, 14 Dec 2017 10:40:42 +0100
4	Subject: [PATCH] Dpkg::Source::Patch: Indented patch test-case
5
6	POSIX specifies that a diff hunk can be indented by spaces or tabs
7	(while the original patch(1) by Larry Wall also accepts 'X'), as long
8	as the amount of spaces is consistent for all subsequent lines. And as
9	we are not checking for this condition at all, any such indented hunk
10	can avoid the sanity checks performed by Dpkg::Source::Patch.
11
12	On systems using GNU patch >= 2.7.5, this should, in principle, not be
13	a problem anymore, as that implementation protects against directory
14	traversal issue. But on other systems where the patch implementation
15	does not perform such checks (such as the BSDs) this is an issue, so
16	check for this in the test-suite.
17
18	Those are arguably all security issues in these various patch
19	implementations, but given that we are performing sanity checks and that
20	those implementations are currently very lax, it seems prudent to do the
21	heavy lifting ourselves and also take the possible blame too.
22
23	Ref: test-case for CVE-2017-8283
24	Upstream-Status: Backport
25
26	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
27	---
28	debian/changelog \| 3 +++
29	scripts/Makefile.am \| 1 +
30	scripts/t/Dpkg_Source_Patch.t \| 6 +++++-
31	3 files changed, 9 insertions(+), 1 deletion(-)
32
33	diff --git a/debian/changelog b/debian/changelog
34	index 4b5b36b..596a59e 100644
35	--- a/debian/changelog
36	+++ b/debian/changelog
37	@@ -2,6 +2,9 @@
38	traversal resistant patch implementation. This fixes CVE-2017-8283 by
39	delegating those checks to patch(1), so that we trap blank-indented
40	diff hunks trying to escape from the source tree.
41	+ * Test suite:
42	+ - Add a test case for blank-indented patches which were the cause for
43	+ CVE-2017-8283.
44
45	dpkg (1.18.10) unstable; urgency=medium
46
47	diff --git a/scripts/Makefile.am b/scripts/Makefile.am
48	index 84059c1..6ce0ad6 100644
49	--- a/scripts/Makefile.am
50	+++ b/scripts/Makefile.am
51	@@ -275,6 +275,7 @@ test_data = \
52	t/Dpkg_Shlibs/spacesyms-o-map.pl \
53	t/Dpkg_Source_Patch/c-style.patch \
54	t/Dpkg_Source_Patch/ghost-hunk.patch \
55	+ t/Dpkg_Source_Patch/indent-header.patch \
56	t/Dpkg_Source_Patch/index-+++.patch \
57	t/Dpkg_Source_Patch/index-alone.patch \
58	t/Dpkg_Source_Patch/index-inert.patch \
59	diff --git a/scripts/t/Dpkg_Source_Patch.t b/scripts/t/Dpkg_Source_Patch.t
60	index 258a9aa..30be77a 100644
61	--- a/scripts/t/Dpkg_Source_Patch.t
62	+++ b/scripts/t/Dpkg_Source_Patch.t
63	@@ -16,7 +16,7 @@
64	use strict;
65	use warnings;
66
67	-use Test::More tests => 9;
68	+use Test::More tests => 10;
69
70	use File::Path qw(make_path);
71
72	@@ -67,4 +67,8 @@ test_patch_escape('partial', 'symlink', 'partial.patch',
73	test_patch_escape('ghost-hunk', 'symlink', 'ghost-hunk.patch',
74	'Patch cannot escape using a disabling hunk');
75
76	+# This is CVE-2017-8283
77	+test_patch_escape('indent-header', 'symlink', 'indent-header.patch',
78	+ 'Patch cannot escape indented hunks');
79	+
80	1;
81	--
82	1.9.1
83


diff --git a/recipes-devtools/dpkg/dpkg_%.bbappend b/recipes-devtools/dpkg/dpkg_%.bbappend deleted file mode 100644 index 65d380e..0000000 --- a/recipes-devtools/dpkg/dpkg_%.bbappend +++ /dev/null
@@ -1,6 +0,0 @@
1	# look for files in the layer first
2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3
4	SRC_URI += "file://CVE-2017-8283.patch \
5	file://test-case-for-CVE-2017-8283.patch \
6	"