Re: [PATCH 1/1] rsync (GPLv2): fix security vulnerability CVE-2007-4091

From: Saul Wold <sgw@linux.intel.com>
To: Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH 1/1] rsync (GPLv2): fix security vulnerability CVE-2007-4091
Date: Mon, 09 May 2011 22:05:41 -0700	[thread overview]
Message-ID: <4DC8C7A5.5090009@linux.intel.com> (raw)
In-Reply-To: <1865303E0DED764181A9D882DEF65FB6933502FCC3@shsmsx502.ccr.corp.intel.com>

On 05/09/2011 10:03 PM, He, Qing wrote:
>> -----Original Message-----
>> From: openembedded-core-bounces@lists.openembedded.org
>> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of Saul
>> Wold
>> Sent: 2011年5月10日 13:02
>> To: Patches and discussions about the oe-core layer
>> Subject: Re: [OE-core] [PATCH 1/1] rsync (GPLv2): fix security vulnerability
>> CVE-2007-4091
>>
>> On 05/09/2011 07:54 PM, Dexuan Cui wrote:
>>> From: Dexuan Cui<dexuan.cui@intel.com>
>>>
>>> Added a patch to fix
>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4091
>>>
>> This is missing a [YOCTO #bugid], please add and resend. (update branch
>> is OK).
> 
> Saul,
> 	Before the other two CVEs are specifically addressed, I don't think we can call a close on this bug.
> 
Yes, that's true, but it's important to know that this patch addresses a
part of that bug.

Sau!

> Thanks,
> Qing
> 
>>
>> Sau!
>>
>>> Signed-off-by: Dexuan Cui<dexuan.cui@intel.com>
>>> ---
>>>    .../rsync/rsync-2.6.9/rsync-2.6.9-fname-obo.patch  |   70
>> ++++++++++++++++++++
>>>    meta/recipes-devtools/rsync/rsync_2.6.9.bb         |    3 +-
>>>    2 files changed, 72 insertions(+), 1 deletions(-)
>>>    create mode 100644
>> meta/recipes-devtools/rsync/rsync-2.6.9/rsync-2.6.9-fname-obo.patch
>>>
>>> diff --git a/meta/recipes-devtools/rsync/rsync-2.6.9/rsync-2.6.9-fname-obo.patch
>> b/meta/recipes-devtools/rsync/rsync-2.6.9/rsync-2.6.9-fname-obo.patch
>>> new file mode 100644
>>> index 0000000..f054452
>>> --- /dev/null
>>> +++ b/meta/recipes-devtools/rsync/rsync-2.6.9/rsync-2.6.9-fname-obo.patch
>>> @@ -0,0 +1,70 @@
>>> +Upstream-Status: Backport [ The patch is rsync-2.6.9 specific ]
>>> +
>>> +The patch is from https://issues.rpath.com/browse/RPL-1647 and is used to
>>> +address http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4091
>>> +
>>> +Date:   Tue May 10 10:07:36 2011 +0800
>>> +Dexuan Cui<dexuan.cui@intel.com>
>>> +
>>> +diff --git a/sender.c b/sender.c
>>> +index 6fcaa65..053a8f1 100644
>>> +--- a/sender.c
>>> ++++ b/sender.c
>>> +@@ -123,6 +123,7 @@ void successful_send(int ndx)
>>> + 	char fname[MAXPATHLEN];
>>> + 	struct file_struct *file;
>>> + 	unsigned int offset;
>>> ++	size_t l = 0;
>>> +
>>> + 	if (ndx<   0 || ndx>= the_file_list->count)
>>> + 		return;
>>> +@@ -133,6 +134,20 @@ void successful_send(int ndx)
>>> + 				    file->dir.root, "/", NULL);
>>> + 	} else
>>> + 		offset = 0;
>>> ++
>>> ++	l = offset + 1;
>>> ++	if (file) {
>>> ++		if (file->dirname)
>>> ++			l += strlen(file->dirname);
>>> ++		if (file->basename)
>>> ++			l += strlen(file->basename);
>>> ++	}
>>> ++
>>> ++	if (l>= sizeof(fname)) {
>>> ++		rprintf(FERROR, "Overlong pathname\n");
>>> ++		exit_cleanup(RERR_FILESELECT);
>>> ++	}
>>> ++
>>> + 	f_name(file, fname + offset);
>>> + 	if (remove_source_files) {
>>> + 		if (do_unlink(fname) == 0) {
>>> +@@ -224,6 +239,7 @@ void send_files(struct file_list *flist, int f_out, int f_in)
>>> + 	enum logcode log_code = log_before_transfer ? FLOG : FINFO;
>>> + 	int f_xfer = write_batch<   0 ? batch_fd : f_out;
>>> + 	int i, j;
>>> ++	size_t l = 0;
>>> +
>>> + 	if (verbose>   2)
>>> + 		rprintf(FINFO, "send_files starting\n");
>>> +@@ -259,6 +275,20 @@ void send_files(struct file_list *flist, int f_out, int f_in)
>>> + 				fname[offset++] = '/';
>>> + 		} else
>>> + 			offset = 0;
>>> ++
>>> ++		l = offset + 1;
>>> ++		if (file) {
>>> ++			if (file->dirname)
>>> ++				l += strlen(file->dirname);
>>> ++			if (file->basename)
>>> ++				l += strlen(file->basename);
>>> ++		}
>>> ++
>>> ++		if (l>= sizeof(fname)) {
>>> ++			rprintf(FERROR, "Overlong pathname\n");
>>> ++			exit_cleanup(RERR_FILESELECT);
>>> ++		}
>>> ++
>>> + 		fname2 = f_name(file, fname + offset);
>>> +
>>> + 		if (verbose>   2)
>>> diff --git a/meta/recipes-devtools/rsync/rsync_2.6.9.bb
>> b/meta/recipes-devtools/rsync/rsync_2.6.9.bb
>>> index 4337982..17c18a4 100644
>>> --- a/meta/recipes-devtools/rsync/rsync_2.6.9.bb
>>> +++ b/meta/recipes-devtools/rsync/rsync_2.6.9.bb
>>> @@ -8,6 +8,7 @@ PRIORITY = "optional"
>>>    DEPENDS = "popt"
>>>
>>>    SRC_URI = "http://rsync.samba.org/ftp/rsync/src/rsync-${PV}.tar.gz \
>>> +           file://rsync-2.6.9-fname-obo.patch \
>>>               file://rsyncd.conf"
>>>
>>>    inherit autotools
>>> @@ -22,4 +23,4 @@ EXTRA_OEMAKE='STRIP=""'
>>>    LICENSE = "GPLv2+"
>>>    LIC_FILES_CHKSUM =
>> "file://COPYING;md5=6d5a9d4c4d3af25cd68fd83e8a8cb09c"
>>>
>>> -PR = "r2"
>>> +PR = "r3"
>>
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core