From: Saul Wold <sgw@linux.intel.com>
To: "yanjun.zhu" <yanjun.zhu@windriver.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [oe][PATCH 1/1] squashfs: fix for CVE-2012-4024
Date: Thu, 29 Nov 2012 09:49:17 -0800	[thread overview]
Message-ID: <50B7A01D.2060508@linux.intel.com> (raw)
In-Reply-To: <1354180448-14858-1-git-send-email-yanjun.zhu@windriver.com>

On 11/29/2012 01:14 AM, yanjun.zhu wrote:
> From: "yanjun.zhu" <yanjun.zhu@windriver.com>
>
> Reference: http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
>
> Fix potential stack overflow in get_component() where an individual
> pathname component in an extract file (specified on the command line
> or in an extract file) could exceed the 1024 byte sized targname
> allocated on the stack.
>
> Fix by dynamically allocating targname rather than storing it as
> a fixed size on the stack.
>
> [YOCTO #3513]
>
> Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
> ---
>   .../patches/squashfs-4.2-fix-CVE-2012-4024.patch   | 58 ++++++++++++++++++++++
>   .../squashfs-tools/squashfs-tools_4.2.bb           |  3 ++
>   2 files changed, 61 insertions(+)
>   create mode 100644 meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
>
> diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
> new file mode 100644
> index 0000000..10f6bb2
> --- /dev/null
> +++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch

Thank you for your work on the CVE updates; please make sure you 
also let the Danny Stable maintainer know if these are for Danny as well.

You also need to add Signed-off-by and Upstream-Status to the patch.

Thanks
	Sau!

> @@ -0,0 +1,58 @@
> +diff -urpN a/unsquashfs.c b/unsquashfs.c
> +--- a/unsquashfs.c	2012-11-29 17:04:08.000000000 +0800
> ++++ b/unsquashfs.c	2012-11-29 17:04:25.000000000 +0800
> +@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
> + }
> +
> +
> +-char *get_component(char *target, char *targname)
> ++char *get_component(char *target, char **targname)
> + {
> ++	char *start;
> ++
> + 	while(*target == '/')
> + 		target ++;
> +
> ++	start = target;
> + 	while(*target != '/' && *target!= '\0')
> +-		*targname ++ = *target ++;
> ++		target ++;
> +
> +-	*targname = '\0';
> ++	*targname = strndup(start, target - start);
> +
> + 	return target;
> + }
> +@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
> +
> + struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
> + {
> +-	char targname[1024];
> ++	char *targname;
> + 	int i, error;
> +
> + 	TRACE("add_path: adding \"%s\" extract file\n", target);
> +
> +-	target = get_component(target, targname);
> ++	target = get_component(target, &targname);
> +
> + 	if(paths == NULL) {
> + 		paths = malloc(sizeof(struct pathname));
> +@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
> + 			sizeof(struct path_entry));
> + 		if(paths->name == NULL)
> + 			EXIT_UNSQUASH("Out of memory in add_path\n");	
> +-		paths->name[i].name = strdup(targname);
> ++		paths->name[i].name = targname;
> + 		paths->name[i].paths = NULL;
> + 		if(use_regex) {
> + 			paths->name[i].preg = malloc(sizeof(regex_t));
> +@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
> + 		/*
> + 		 * existing matching entry
> + 		 */
> ++		free(targname);
> ++
> + 		if(paths->name[i].paths == NULL) {
> + 			/*
> + 			 * No sub-directory which means this is the leaf
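Review bot: The strndup() result stored into *targname in get_component() is never checked, so on allocation failure add_path() ends up with paths->name[i].name == NULL and any later string comparison on that entry would dereference a null pointer. The surrounding code already treats allocation failure as fatal (`EXIT_UNSQUASH("Out of memory in add_path\n")` a few lines further down), so the same policy fits here: `if(*targname == NULL) EXIT_UNSQUASH("Out of memory in get_component\n");` immediately after the strndup line. strndup() is POSIX.1-2008 rather than ISO C, so it presumably relies on feature-test macros unsquashfs.c already builds with; worth confirming on older toolchains the recipe targets. add_path() continues past the end of this hunk, so any other early returns that would now leak the heap-allocated targname are not visible here.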
> diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
> index c54081b..9922f1e 100644
> --- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
> +++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
> @@ -3,6 +3,7 @@
>   DESCRIPTION = "Tools to manipulate Squashfs filesystems."
>   SECTION = "base"
>   LICENSE = "GPL-2 & PD"
> +FILESEXTRAPATHS_prepend := "${THISDIR}/patches:"
>   LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
>                       file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \
>                      "
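Review bot: FILESEXTRAPATHS_prepend is only needed because the patch is placed in a `patches/` subdirectory; putting it under one of the recipe's default search directories (`squashfs-tools/` or `files/`) would make the variable unnecessary, which appears to be how most recipes in this layer carry their patches. If the variable is kept, it conventionally sits next to the SRC_URI it serves rather than between LICENSE and LIC_FILES_CHKSUM. In the second hunk, `SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \` followed by an empty continuation line can be written as a single-line assignment, `SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch"`.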
> @@ -12,6 +13,8 @@ PR = "1"
>   SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \
>              http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \
>             "
> +SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \
> +           "
>   SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"
>   SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"
>   SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"
>


