ez-ipupdate: patch CVE-2003-0887

Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887 The vulnerability is about the default (example) configurations, which place cache files into the /tmp folder, that is world-writeable. The recommendation would be to place them to a more secure folder. The recipe however does not install these example configurations, and as such it is not vulnerable either. Just to make sure, patch these folders to a non-tmp folder (and also install that folder, empty). Some more discussion about the vulnerability: https://bugzilla.suse.com/show_bug.cgi?id=48161 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-02-02 21:22:32 +0100
committer: Khem Raj <raj.khem@gmail.com> 2026-02-02 19:54:39 -0800
commit: dd81ffdb685bd9c2ce1b27d0e5ff3f8e5551e3ad (patch)
tree: 3200775a374f11ea083c9ea5e4691af3d5a02a64 /meta-networking/recipes-connectivity
parent: e39458314e804c28cd87b6ca47adad8337e4ac43 (diff)
download: meta-openembedded-dd81ffdb685bd9c2ce1b27d0e5ff3f8e5551e3ad.tar.gz
2 files changed, 165 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb b/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb
index 42ecf9bac4..7a392b2c23 100644
--- a/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb
+++ b/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb
@@ -10,8 +10,15 @@ SRC_URI = "http://sourceforge.net/projects/ez-ipupdate/files/${BPN}/${PV}/${BPN}
           file://conf_file.c.patch \
           file://wformat.patch \
           file://0001-ez-ipupdate-Include-time.h-for-time-API-prototype.patch \
+           file://CVE-2003-0887.patch \
           "
 SRC_URI[md5sum] = "525be4550b4461fdf105aed8e753b020"
 SRC_URI[sha256sum] = "a15ec0dc0b78ec7578360987c68e43a67bc8d3591cbf528a323588830ae22c20"
 inherit autotools pkgconfig
+do_install:append(){
+    install -m 0744 -d ${D}${localstatedir}/lib/ez-ipupdate
+}
+FILES:${PN} += "${localstatedir}/lib/ez-ipupdate"
diff --git a/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch b/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch
new file mode 100644
index 0000000000..53aa355008
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch
@@ -0,0 +1,158 @@
+From cd8fa738b0ed3b5fb89ac00068fdc2e20c1b6169 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Mon, 2 Feb 2026 14:03:01 +0100
+Subject: [PATCH] CVE-2003-0887
+The vulnerability is about exmaple config files placing cache files
+into a world-writable directory (/tmp) instead of something more
+secure.
+This patch changes this path to /var/lib/ez-ipupdate, which is
+not world-writable by default.
+CVE: CVE-2003-0887
+Upstream-Status: Inactive-Upstream [lastcommit: 2002]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ example-dhs.conf       | 2 +-
+ example-dyndns.conf    | 2 +-
+ example-dyns.conf      | 2 +-
+ example-easydns.conf   | 2 +-
+ example-gnudip.conf    | 2 +-
+ example-heipv6tb.conf  | 2 +-
+ example-justlinux.conf | 2 +-
+ example-ods.conf       | 2 +-
+ example-pgpow.conf     | 2 +-
+ example-tzo.conf       | 2 +-
+ 10 files changed, 10 insertions(+), 10 deletions(-)
+diff --git a/example-dhs.conf b/example-dhs.conf
+index 3fe9a04..f976ae5 100755
+--- a/example-dhs.conf
+++ b/example-dhs.conf
+@@ -11,7 +11,7 @@ host=mydomain.whatever.com
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-dyndns.conf b/example-dyndns.conf
+index f539dec..84b4807 100755
+--- a/example-dyndns.conf
+++ b/example-dyndns.conf
+@@ -19,7 +19,7 @@ max-interval=2073600
+ #cache-file=/etc/ez-ipupdate.cache.eth1
+ 
+ # for the mean time we'll just use a cache file in the temp directory
+-cache-file=/tmp/ez-ipupdate.cache
+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-dyns.conf b/example-dyns.conf
+index 868768d..856a4d7 100644
+--- a/example-dyns.conf
+++ b/example-dyns.conf
+@@ -11,7 +11,7 @@ host=myhost
+ #interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-#cache-file=/tmp/ez-ipupdate.cache
+#cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-easydns.conf b/example-easydns.conf
+index 0ff20da..15d9b78 100755
+--- a/example-easydns.conf
+++ b/example-easydns.conf
+@@ -11,7 +11,7 @@ host=mydomain.whatever.com
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-gnudip.conf b/example-gnudip.conf
+index 3b2fb63..d09df1f 100755
+--- a/example-gnudip.conf
+++ b/example-gnudip.conf
+@@ -15,7 +15,7 @@ max-interval=2073600
+ #address=0.0.0.0
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-heipv6tb.conf b/example-heipv6tb.conf
+index e31aa9c..3ebc822 100644
+--- a/example-heipv6tb.conf
+++ b/example-heipv6tb.conf
+@@ -18,7 +18,7 @@ max-interval=2073600
+ #cache-file=/etc/ez-ipupdate.cache.eth1
+ 
+ # for the mean time we'll just use a cache file in the temp directory
+-cache-file=/tmp/ez-ipupdate.cache
+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-justlinux.conf b/example-justlinux.conf
+index 0afeb2c..28b3327 100755
+--- a/example-justlinux.conf
+++ b/example-justlinux.conf
+@@ -11,7 +11,7 @@ host=mydomain.penguinpowered.com
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-ods.conf b/example-ods.conf
+index d0ff889..7b16f2c 100755
+--- a/example-ods.conf
+++ b/example-ods.conf
+@@ -11,7 +11,7 @@ host=mydomain.ods.org
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-pgpow.conf b/example-pgpow.conf
+index 29a92d6..81e351b 100755
+--- a/example-pgpow.conf
+++ b/example-pgpow.conf
+@@ -11,7 +11,7 @@ host=mydomain.penguinpowered.com
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-tzo.conf b/example-tzo.conf
+index 2a71db3..10b8dc4 100755
+--- a/example-tzo.conf
+++ b/example-tzo.conf
+@@ -15,7 +15,7 @@ max-interval=2073600
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-02-02 21:22:32 +0100
committer	Khem Raj <raj.khem@gmail.com>	2026-02-02 19:54:39 -0800
commit	dd81ffdb685bd9c2ce1b27d0e5ff3f8e5551e3ad (patch)
tree	3200775a374f11ea083c9ea5e4691af3d5a02a64 /meta-networking/recipes-connectivity
parent	e39458314e804c28cd87b6ca47adad8337e4ac43 (diff)
download	meta-openembedded-dd81ffdb685bd9c2ce1b27d0e5ff3f8e5551e3ad.tar.gz

diff --git a/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb b/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb index 42ecf9bac4..7a392b2c23 100644 --- a/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb +++ b/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb
@@ -10,8 +10,15 @@ SRC_URI = "http://sourceforge.net/projects/ez-ipupdate/files/${BPN}/${PV}/${BPN}
10	file://conf_file.c.patch \	10	file://conf_file.c.patch \
11	file://wformat.patch \	11	file://wformat.patch \
12	file://0001-ez-ipupdate-Include-time.h-for-time-API-prototype.patch \	12	file://0001-ez-ipupdate-Include-time.h-for-time-API-prototype.patch \
		13	file://CVE-2003-0887.patch \
13	"	14	"
14	SRC_URI[md5sum] = "525be4550b4461fdf105aed8e753b020"	15	SRC_URI[md5sum] = "525be4550b4461fdf105aed8e753b020"
15	SRC_URI[sha256sum] = "a15ec0dc0b78ec7578360987c68e43a67bc8d3591cbf528a323588830ae22c20"	16	SRC_URI[sha256sum] = "a15ec0dc0b78ec7578360987c68e43a67bc8d3591cbf528a323588830ae22c20"
16		17
17	inherit autotools pkgconfig	18	inherit autotools pkgconfig
		19
		20	do_install:append(){
		21	install -m 0744 -d ${D}${localstatedir}/lib/ez-ipupdate
		22	}
		23
		24	FILES:${PN} += "${localstatedir}/lib/ez-ipupdate"


diff --git a/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch b/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch new file mode 100644 index 0000000000..53aa355008 --- /dev/null +++ b/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch
@@ -0,0 +1,158 @@
		1	From cd8fa738b0ed3b5fb89ac00068fdc2e20c1b6169 Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Mon, 2 Feb 2026 14:03:01 +0100
		4	Subject: [PATCH] CVE-2003-0887
		5
		6	The vulnerability is about exmaple config files placing cache files
		7	into a world-writable directory (/tmp) instead of something more
		8	secure.
		9
		10	This patch changes this path to /var/lib/ez-ipupdate, which is
		11	not world-writable by default.
		12
		13	CVE: CVE-2003-0887
		14	Upstream-Status: Inactive-Upstream [lastcommit: 2002]
		15	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		16	---
		17	example-dhs.conf \| 2 +-
		18	example-dyndns.conf \| 2 +-
		19	example-dyns.conf \| 2 +-
		20	example-easydns.conf \| 2 +-
		21	example-gnudip.conf \| 2 +-
		22	example-heipv6tb.conf \| 2 +-
		23	example-justlinux.conf \| 2 +-
		24	example-ods.conf \| 2 +-
		25	example-pgpow.conf \| 2 +-
		26	example-tzo.conf \| 2 +-
		27	10 files changed, 10 insertions(+), 10 deletions(-)
		28
		29	diff --git a/example-dhs.conf b/example-dhs.conf
		30	index 3fe9a04..f976ae5 100755
		31	--- a/example-dhs.conf
		32	+++ b/example-dhs.conf
		33	@@ -11,7 +11,7 @@ host=mydomain.whatever.com
		34	interface=eth1
		35
		36	# if you use run-as ensure the user has permission to write this file
		37	-cache-file=/tmp/ez-ipupdate.cache
		38	+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
		39
		40	# uncomment this once you have everything working how you want and you are
		41	# ready to have ez-ipupdate running in the background all the time. to stop it
		42	diff --git a/example-dyndns.conf b/example-dyndns.conf
		43	index f539dec..84b4807 100755
		44	--- a/example-dyndns.conf
		45	+++ b/example-dyndns.conf
		46	@@ -19,7 +19,7 @@ max-interval=2073600
		47	#cache-file=/etc/ez-ipupdate.cache.eth1
		48
		49	# for the mean time we'll just use a cache file in the temp directory
		50	-cache-file=/tmp/ez-ipupdate.cache
		51	+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
		52
		53	# uncomment this once you have everything working how you want and you are
		54	# ready to have ez-ipupdate running in the background all the time. to stop it
		55	diff --git a/example-dyns.conf b/example-dyns.conf
		56	index 868768d..856a4d7 100644
		57	--- a/example-dyns.conf
		58	+++ b/example-dyns.conf
		59	@@ -11,7 +11,7 @@ host=myhost
		60	#interface=eth1
		61
		62	# if you use run-as ensure the user has permission to write this file
		63	-#cache-file=/tmp/ez-ipupdate.cache
		64	+#cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
		65
		66	# uncomment this once you have everything working how you want and you are
		67	# ready to have ez-ipupdate running in the background all the time. to stop it
		68	diff --git a/example-easydns.conf b/example-easydns.conf
		69	index 0ff20da..15d9b78 100755
		70	--- a/example-easydns.conf
		71	+++ b/example-easydns.conf
		72	@@ -11,7 +11,7 @@ host=mydomain.whatever.com
		73	interface=eth1
		74
		75	# if you use run-as ensure the user has permission to write this file
		76	-cache-file=/tmp/ez-ipupdate.cache
		77	+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
		78
		79	# uncomment this once you have everything working how you want and you are
		80	# ready to have ez-ipupdate running in the background all the time. to stop it
		81	diff --git a/example-gnudip.conf b/example-gnudip.conf
		82	index 3b2fb63..d09df1f 100755
		83	--- a/example-gnudip.conf
		84	+++ b/example-gnudip.conf
		85	@@ -15,7 +15,7 @@ max-interval=2073600
		86	#address=0.0.0.0
		87
		88	# if you use run-as ensure the user has permission to write this file
		89	-cache-file=/tmp/ez-ipupdate.cache
		90	+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
		91
		92	# uncomment this once you have everything working how you want and you are
		93	# ready to have ez-ipupdate running in the background all the time. to stop it
		94	diff --git a/example-heipv6tb.conf b/example-heipv6tb.conf
		95	index e31aa9c..3ebc822 100644
		96	--- a/example-heipv6tb.conf
		97	+++ b/example-heipv6tb.conf
		98	@@ -18,7 +18,7 @@ max-interval=2073600
		99	#cache-file=/etc/ez-ipupdate.cache.eth1
		100
		101	# for the mean time we'll just use a cache file in the temp directory
		102	-cache-file=/tmp/ez-ipupdate.cache
		103	+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
		104
		105	# uncomment this once you have everything working how you want and you are
		106	# ready to have ez-ipupdate running in the background all the time. to stop it
		107	diff --git a/example-justlinux.conf b/example-justlinux.conf
		108	index 0afeb2c..28b3327 100755
		109	--- a/example-justlinux.conf
		110	+++ b/example-justlinux.conf
		111	@@ -11,7 +11,7 @@ host=mydomain.penguinpowered.com
		112	interface=eth1
		113
		114	# if you use run-as ensure the user has permission to write this file
		115	-cache-file=/tmp/ez-ipupdate.cache
		116	+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
		117
		118	# uncomment this once you have everything working how you want and you are
		119	# ready to have ez-ipupdate running in the background all the time. to stop it
		120	diff --git a/example-ods.conf b/example-ods.conf
		121	index d0ff889..7b16f2c 100755
		122	--- a/example-ods.conf
		123	+++ b/example-ods.conf
		124	@@ -11,7 +11,7 @@ host=mydomain.ods.org
		125	interface=eth1
		126
		127	# if you use run-as ensure the user has permission to write this file
		128	-cache-file=/tmp/ez-ipupdate.cache
		129	+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
		130
		131	# uncomment this once you have everything working how you want and you are
		132	# ready to have ez-ipupdate running in the background all the time. to stop it
		133	diff --git a/example-pgpow.conf b/example-pgpow.conf
		134	index 29a92d6..81e351b 100755
		135	--- a/example-pgpow.conf
		136	+++ b/example-pgpow.conf
		137	@@ -11,7 +11,7 @@ host=mydomain.penguinpowered.com
		138	interface=eth1
		139
		140	# if you use run-as ensure the user has permission to write this file
		141	-cache-file=/tmp/ez-ipupdate.cache
		142	+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
		143
		144	# uncomment this once you have everything working how you want and you are
		145	# ready to have ez-ipupdate running in the background all the time. to stop it
		146	diff --git a/example-tzo.conf b/example-tzo.conf
		147	index 2a71db3..10b8dc4 100755
		148	--- a/example-tzo.conf
		149	+++ b/example-tzo.conf
		150	@@ -15,7 +15,7 @@ max-interval=2073600
		151	interface=eth1
		152
		153	# if you use run-as ensure the user has permission to write this file
		154	-cache-file=/tmp/ez-ipupdate.cache
		155	+cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
		156
		157	# uncomment this once you have everything working how you want and you are
		158	# ready to have ez-ipupdate running in the background all the time. to stop it