[OE-core] [warrior][PATCH v2] patch: fix CVE-2019-13638

Trevor Gamblin trevor.gamblin at windriver.com
Fri Aug 23 19:46:16 UTC 2019 

On 8/8/19 4:16 PM, Randy MacLeod wrote:
> On 8/8/19 10:26 AM, Trevor Gamblin wrote:
>> From: Trevor Gamblin <trevor.gamblin at windriver.com>
>>
>> Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
>> ---
>>   ...ke-ed-directly-instead-of-using-the-shell.patch | 44 
>> ++++++++++++++++++++++
>>   meta/recipes-devtools/patch/patch_2.7.6.bb         |  2 +
>>   2 files changed, 46 insertions(+)
>>   create mode 100644 
>> meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
>>
>> diff --git 
>> a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch 
>> b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch 
>>
>> new file mode 100644
>> index 0000000..f60dfe8
>> --- /dev/null
>> +++ 
>> b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
>> @@ -0,0 +1,44 @@
>> +From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
>> +From: Andreas Gruenbacher <agruen at gnu.org>
>> +Date: Fri, 6 Apr 2018 19:36:15 +0200
>> +Subject: [PATCH] Invoke ed directly instead of using the shell
>> +
>> +* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
>> +command to avoid quoting vulnerabilities.
>> +
>> +CVE: CVE-2019-13638
>> +Upstream-Status: 
>> Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
>> +Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
>> +
>> +---
>> + src/pch.c | 6 ++----
>> + 1 file changed, 2 insertions(+), 4 deletions(-)
>> +
>> +
>> +diff --git a/src/pch.c b/src/pch.c
>> +index 4fd5a05..16e001a 100644
>> +--- a/src/pch.c
>> ++++ b/src/pch.c
>> +@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const 
>> *outname,
>> +         *outname_needs_removal = true;
>> +         copy_file (inname, outname, 0, exclusive, instat.st_mode, 
>> true);
>> +       }
>> +-    sprintf (buf, "%s %s%s", editor_program,
>> +-         verbosity == VERBOSE ? "" : "- ",
>> +-         outname);
>> +     fflush (stdout);
>> +
>> +     pid = fork();
>> +@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const 
>> *outname,
>> +     else if (pid == 0)
>> +       {
>> +         dup2 (tmpfd, 0);
>> +-        execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
>> ++        assert (outname[0] != '!' && outname[0] != '-');
>> ++        execlp (editor_program, editor_program, "-", outname, 
>> (char  *) NULL);
>> +         _exit (2);
>> +       }
>> +     else
>> +--
>> +2.7.4
>> +
>> diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb 
>> b/meta/recipes-devtools/patch/patch_2.7.6.bb
>> index 85b0db7..8908910 100644
>> --- a/meta/recipes-devtools/patch/patch_2.7.6.bb
>> +++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
>> @@ -6,6 +6,8 @@ SRC_URI += 
>> "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
>> file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \
>> file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
>> file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
>> +            file://CVE-2019-13636.patch \
>> + file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
>>   "
>
> Odd, you only added one patch but you changed two lines above.
> I assume this is due to a merge conflict that you incorrectly resolved.
>
> If you apply this commit on warrior, you see:
>
> WARNING: patch-2.7.6-r0 do_fetch: Failed to fetch URL 
> file://CVE-2019-13636.patch, attempting MIRRORS if available
> ERROR: patch-2.7.6-r0 do_fetch: Fetcher failure: Unable to find file 
> file://CVE-2019-13636.patch anywhere. The paths that were searched were:
>
> Fix and v3 please.

Patches are currently under review for both warrior 
<https://patchwork.openembedded.org/patch/163490/> and thud 
<https://patchwork.openembedded.org/patch/163495/> to add 
CVE-2019-13636. Would it be better to hold off on submitting my patch 
for CVE-2019-13638 to those branches, until the line

             file://CVE-2019-13636.patch \

is incorporated as part of those?

>
> ../Randy
>>     SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20190823/d49fc798/attachment-0001.html>

More information about the Openembedded-core mailing list