From f4c5d9a3a6ee2d974e55aec4b1602a368dbacf72 Mon Sep 17 00:00:00 2001 From: Yogita Urade Date: Fri, 28 Jul 2023 10:01:09 +0000 Subject: dmidecode: fix CVE-2023-30630 Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. References: https://nvd.nist.gov/vuln/detail/CVE-2023-30630 https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html Backport: fixes fuzz in the CVE-2023-30630_2.patch in kirkstone (From OE-Core rev: 4f83427a0a01e8285c9eb42d2a635d1ff7b23779) Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman (cherry picked from commit f92e59a0894145a828dc9ac74bf8c7a9355e0587) Signed-off-by: Dhairya Nagodra Signed-off-by: Steve Sakoman --- meta/recipes-devtools/dmidecode/dmidecode_3.3.bb | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'meta/recipes-devtools/dmidecode/dmidecode_3.3.bb') diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.3.bb b/meta/recipes-devtools/dmidecode/dmidecode_3.3.bb index 23540b2703..b99c2ea99d 100644 --- a/meta/recipes-devtools/dmidecode/dmidecode_3.3.bb +++ b/meta/recipes-devtools/dmidecode/dmidecode_3.3.bb @@ -6,6 +6,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \ file://0001-Committing-changes-from-do_unpack_extra.patch \ + file://CVE-2023-30630_1.patch \ + file://CVE-2023-30630_2.patch \ + file://CVE-2023-30630_3.patch \ + file://CVE-2023-30630_4.patch \ " COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux" -- cgit v1.2.3-54-g00ecf