diff options
| author | Gustavo Zacarias <gustavo@zacarias.com.ar> | 2016-03-03 09:58:05 -0300 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2016-03-03 15:05:59 +0100 |
| commit | 527b7b1153c37ad081d7d31cf5280995b09e0005 (patch) | |
| tree | c7026a7981b4484b4d92fde218fdf08d38f03287 | |
| parent | 89ffdd42e2adffe3e1ccdb43a379332b2f8140bc (diff) | |
| download | buildroot-527b7b1153c37ad081d7d31cf5280995b09e0005.tar.gz buildroot-527b7b1153c37ad081d7d31cf5280995b09e0005.zip | |
cpio: add security patch to fix CVE-2016-2037
Fixes:
CVE-2016-2037 - The cpio_safer_name_suffix function in util.c in cpio
2.11 allows remote attackers to cause a denial of service (out-of-bounds
write) via a crafted cpio file.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
| -rw-r--r-- | package/cpio/0001-fix-CVE-2016-2037.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/package/cpio/0001-fix-CVE-2016-2037.patch b/package/cpio/0001-fix-CVE-2016-2037.patch new file mode 100644 index 0000000000..aec2ccb8e5 --- /dev/null +++ b/package/cpio/0001-fix-CVE-2016-2037.patch @@ -0,0 +1,51 @@ +From: Pavel Raiskup +Subject: [Bug-cpio] [PATCH] fix 1-byte out-of-bounds write +Date: Tue, 26 Jan 2016 23:17:54 +0100 + +Other calls to cpio_safer_name_suffix seem to be safe. + +* src/copyin.c (process_copy_in): Make sure that file_hdr.c_name +has at least two bytes allocated. +* src/util.c (cpio_safer_name_suffix): Document that use of this +function requires to be careful. + +Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> +--- +Patch status: fetched/submitted +URL: https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html + + src/copyin.c | 2 ++ + src/util.c | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/copyin.c b/src/copyin.c +index cde911e..032d35f 100644 +--- a/src/copyin.c ++++ b/src/copyin.c +@@ -1385,6 +1385,8 @@ process_copy_in () + break; + } + ++ if (file_hdr.c_namesize <= 1) ++ file_hdr.c_name = xrealloc(file_hdr.c_name, 2); + cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag, + false); + +diff --git a/src/util.c b/src/util.c +index 6ff6032..2763ac1 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -1411,7 +1411,10 @@ set_file_times (int fd, + } + + /* Do we have to ignore absolute paths, and if so, does the filename +- have an absolute path? */ ++ have an absolute path? ++ Before calling this function make sure that the allocated NAME buffer has ++ capacity at least 2 bytes to allow us to store the "." string inside. */ ++ + void + cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, + bool strip_leading_dots) +-- +2.5.0 |
