patch: fix CVE-2019-13638

(From OE-Core rev: b59b1222b3f73f982286222a583de09c661dc781) (From OE-Core rev: 308c44fd8f1d7d348c6c7cf9054f9c8403d8e8bd) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 555b0642579c00c41bc3daab9cef08452f9834d5) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Trevor Gamblin <trevor.gamblin@windriver.com> 2019-08-21 09:58:17 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-08 22:52:28 +0100
commit: 6fc3dc1af5b1edefc260102ff9ff3228c7a498d7 (patch)
tree: 1c34a7c753e8be98c98fca365db272881b29c80d
parent: d59f2b0a74f6d114466f9b94395c59cf1bb2f7ca (diff)
download: poky-6fc3dc1af5b1edefc260102ff9ff3228c7a498d7.tar.gz
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
new file mode 100644
index 0000000000..f60dfe879a
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
@@ -0,0 +1,44 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: [PATCH] Invoke ed directly instead of using the shell
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+CVE: CVE-2019-13638
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ src/pch.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
+++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+            *outname_needs_removal = true;
+            copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+          }
+-       sprintf (buf, "%s %s%s", editor_program,
+-                verbosity == VERBOSE ? "" : "- ",
+-                outname);
+        fflush (stdout);
+ 
+        pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+        else if (pid == 0)
+          {
+            dup2 (tmpfd, 0);
+-           execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
+           assert (outname[0] != '!' && outname[0] != '-');
+           execlp (editor_program, editor_program, "-", outname, (char  *) NULL);
+            _exit (2);
+          }
+        else
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 8cf20a3597..8908910f74 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
            file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
            file://CVE-2019-13636.patch \
+            file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
 "
 SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
author	Trevor Gamblin <trevor.gamblin@windriver.com>	2019-08-21 09:58:17 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:52:28 +0100
commit	6fc3dc1af5b1edefc260102ff9ff3228c7a498d7 (patch)
tree	1c34a7c753e8be98c98fca365db272881b29c80d
parent	d59f2b0a74f6d114466f9b94395c59cf1bb2f7ca (diff)
download	poky-6fc3dc1af5b1edefc260102ff9ff3228c7a498d7.tar.gz

diff --git a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch new file mode 100644 index 0000000000..f60dfe879a --- /dev/null +++ b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
@@ -0,0 +1,44 @@
		1	From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
		2	From: Andreas Gruenbacher <agruen@gnu.org>
		3	Date: Fri, 6 Apr 2018 19:36:15 +0200
		4	Subject: [PATCH] Invoke ed directly instead of using the shell
		5
		6	* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
		7	command to avoid quoting vulnerabilities.
		8
		9	CVE: CVE-2019-13638
		10	Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
		11	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
		12
		13	---
		14	src/pch.c \| 6 ++----
		15	1 file changed, 2 insertions(+), 4 deletions(-)
		16
		17
		18	diff --git a/src/pch.c b/src/pch.c
		19	index 4fd5a05..16e001a 100644
		20	--- a/src/pch.c
		21	+++ b/src/pch.c
		22	@@ -2459,9 +2459,6 @@ do_ed_script (char const inname, char const outname,
		23	*outname_needs_removal = true;
		24	copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
		25	}
		26	- sprintf (buf, "%s %s%s", editor_program,
		27	- verbosity == VERBOSE ? "" : "- ",
		28	- outname);
		29	fflush (stdout);
		30
		31	pid = fork();
		32	@@ -2470,7 +2467,8 @@ do_ed_script (char const inname, char const outname,
		33	else if (pid == 0)
		34	{
		35	dup2 (tmpfd, 0);
		36	- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
		37	+ assert (outname[0] != '!' && outname[0] != '-');
		38	+ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
		39	_exit (2);
		40	}
		41	else
		42	--
		43	2.7.4
		44


diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb index 8cf20a3597..8908910f74 100644 --- a/meta/recipes-devtools/patch/patch_2.7.6.bb +++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
7	file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \	7	file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
8	file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \	8	file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
9	file://CVE-2019-13636.patch \	9	file://CVE-2019-13636.patch \
		10	file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
10	"	11	"
11		12
12	SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"	13	SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"