[oe-commits] yanjun.zhu : squashfs: fix for CVE-2012-4024

git at git.openembedded.org git at git.openembedded.org
Tue Dec 4 18:04:43 UTC 2012 

Module: openembedded-core.git
Branch: master-next
Commit: 972ea6c674e10cf23bedbbc581b78baa3f7c7b9b
URL:    http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=972ea6c674e10cf23bedbbc581b78baa3f7c7b9b

Author: yanjun.zhu <yanjun.zhu at windriver.com>
Date:   Fri Nov 30 19:41:23 2012 +0800

squashfs: fix for CVE-2012-4024

Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123

Fix potential stack overflow in get_component() where an individual
pathname component in an extract file (specified on the command line
or in an extract file) could exceed the 1024 byte sized targname
allocated on the stack.

Fix by dynamically allocating targname rather than storing it as
a fixed size on the stack.

[YOCTO #3513]

Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

---

 .../patches/squashfs-4.2-fix-CVE-2012-4024.patch   |   72 ++++++++++++++++++++
 .../squashfs-tools/squashfs-tools_4.2.bb           |    3 +
 2 files changed, 75 insertions(+), 0 deletions(-)

diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
new file mode 100644
index 0000000..8b9904f
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -0,0 +1,72 @@
+Upstream-Status: Backport
+
+Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
+squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
+
+Fix potential stack overflow in get_component() where an individual
+pathname component in an extract file (specified on the command line
+or in an extract file) could exceed the 1024 byte sized targname
+allocated on the stack.
+
+Fix by dynamically allocating targname rather than storing it as
+a fixed size on the stack.
+
+Signed-off-by: yanjun.zhu <yanjun.zhu at windriver.com>
+diff -urpN a/unsquashfs.c b/unsquashfs.c
+--- a/unsquashfs.c	2012-11-29 17:04:08.000000000 +0800
++++ b/unsquashfs.c	2012-11-29 17:04:25.000000000 +0800
+@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
+ }
+ 
+ 
+-char *get_component(char *target, char *targname)
++char *get_component(char *target, char **targname)
+ {
++	char *start;
++
+ 	while(*target == '/')
+ 		target ++;
+ 
++	start = target;
+ 	while(*target != '/' && *target!= '\0')
+-		*targname ++ = *target ++;
++		target ++;
+ 
+-	*targname = '\0';
++	*targname = strndup(start, target - start);
+ 
+ 	return target;
+ }
+@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
+ 
+ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+ {
+-	char targname[1024];
++	char *targname;
+ 	int i, error;
+ 
+ 	TRACE("add_path: adding \"%s\" extract file\n", target);
+ 
+-	target = get_component(target, targname);
++	target = get_component(target, &targname);
+ 
+ 	if(paths == NULL) {
+ 		paths = malloc(sizeof(struct pathname));
+@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
+ 			sizeof(struct path_entry));
+ 		if(paths->name == NULL)
+ 			EXIT_UNSQUASH("Out of memory in add_path\n");	
+-		paths->name[i].name = strdup(targname);
++		paths->name[i].name = targname;
+ 		paths->name[i].paths = NULL;
+ 		if(use_regex) {
+ 			paths->name[i].preg = malloc(sizeof(regex_t));
+@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
+ 		/*
+ 		 * existing matching entry
+ 		 */
++		free(targname);
++
+ 		if(paths->name[i].paths == NULL) {
+ 			/*
+ 			 * No sub-directory which means this is the leaf
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
index c54081b..9922f1e 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
@@ -3,6 +3,7 @@
 DESCRIPTION = "Tools to manipulate Squashfs filesystems."
 SECTION = "base"
 LICENSE = "GPL-2 & PD"
+FILESEXTRAPATHS_prepend := "${THISDIR}/patches:"
 LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
                     file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \
                    "
@@ -12,6 +13,8 @@ PR = "1"
 SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \
            http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \
           "
+SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \
+           " 
 SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"
 SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"
 SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"

More information about the Openembedded-commits mailing list