[OE-core] [PATCH] busybox: Include complete fix for CVE-2011-5325
Mike Crowe
mac at mcrowe.com
Wed Jun 26 14:21:08 UTC 2019
It looks like not all the parts required for fixing CVE-2011-5325 made
it into oe-core master before the recipe was upgraded to the upstream
fixed version.
The partial fix meant that symlinks deemed unsafe enough to delay were
never actually realized. This backport from upstream fixes the
problem.
---
.../busybox/busybox/CVE-2011-5325-fix2.patch | 32 +++++++++++++++++++
meta/recipes-core/busybox/busybox_1.27.2.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2011-5325-fix2.patch
diff --git a/meta/recipes-core/busybox/busybox/CVE-2011-5325-fix2.patch b/meta/recipes-core/busybox/busybox/CVE-2011-5325-fix2.patch
new file mode 100644
index 0000000000..85218a7427
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2011-5325-fix2.patch
@@ -0,0 +1,32 @@
+From d9503224c8a93a30b0c8627084b2744d3ee6f403 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa at alpinelinux.org>
+Date: Fri, 30 Mar 2018 20:18:12 +0200
+Subject: [PATCH] cpio: extract "unsafe" symlinks the same way tar/unzip does
+
+function old new delta
+cpio_main 588 596 +8
+
+Signed-off-by: Natanael Copa <ncopa at alpinelinux.org>
+Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
+
+Upstream-Status: Backport from 1.29.0 [https://git.busybox.net/busybox/commit/?id=d9503224c8a93a30b0c8627084b2744d3ee6f403]
+
+---
+ archival/cpio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/archival/cpio.c b/archival/cpio.c
+index 1d6cbd1e2..308ec1b25 100644
+--- a/archival/cpio.c
++++ b/archival/cpio.c
+@@ -508,6 +508,8 @@ int cpio_main(int argc UNUSED_PARAM, char **argv)
+ while (get_header_cpio(archive_handle) == EXIT_SUCCESS)
+ continue;
+
++ create_symlinks_from_list(archive_handle->symlink_placeholders);
++
+ if (archive_handle->cpio__blocks != (off_t)-1
+ && !(opt & OPT_QUIET)
+ ) {
+--
+2.20.1
diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb
index 716a0650fc..b127e3d375 100644
--- a/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -44,6 +44,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://makefile-libbb-race.patch \
file://CVE-2011-5325.patch \
file://CVE-2011-5325-fix.patch \
+ file://CVE-2011-5325-fix2.patch \
file://CVE-2017-15873.patch \
file://busybox-CVE-2017-16544.patch \
file://busybox-fix-lzma-segfaults.patch \
--
2.20.1
More information about the Openembedded-core
mailing list