Openembedded Core Discussions
* [PATCH 0/2]screen: backport two patches to fix CVE bugs
@ 2014-05-16  7:33 rongqing.li
  2014-05-16  7:33 ` [PATCH 1/2] Screen: fix for Security Advisory CVE-2009-1214 rongqing.li
  2014-05-16  7:33 ` [PATCH 2/2] screen: fix for Security Advisory CVE-2009-1215 rongqing.li
  0 siblings, 2 replies; 3+ messages in thread
From: rongqing.li @ 2014-05-16  7:33 UTC (permalink / raw)
  To: openembedded-core

From: Roy Li <rongqing.li@windriver.com>

The following changes since commit 7db1f38607829ca34e21cd328613706a56f7ee98:

  subversion: fix for Security Advisory CVE-2013-4277 (2014-05-16 13:43:06 +0800)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib roy/screen
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/screen

Yue Tao (2):
  Screen: fix for Security Advisory CVE-2009-1214
  screen: fix for Security Advisory CVE-2009-1215

 .../screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch  |   27 ++++++
 .../screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch  |   86 ++++++++++++++++++++
 meta/recipes-extended/screen/screen_4.0.3.bb       |    2 +
 3 files changed, 115 insertions(+)
 create mode 100644 meta/recipes-extended/screen/screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch
 create mode 100644 meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch

-- 
1.7.10.4




* [PATCH 1/2] Screen: fix for Security Advisory CVE-2009-1214
  2014-05-16  7:33 [PATCH 0/2]screen: backport two patches to fix CVE bugs rongqing.li
@ 2014-05-16  7:33 ` rongqing.li
  2014-05-16  7:33 ` [PATCH 2/2] screen: fix for Security Advisory CVE-2009-1215 rongqing.li
  1 sibling, 0 replies; 3+ messages in thread
From: rongqing.li @ 2014-05-16  7:33 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with
world-readable permissions, which might allow local users to obtain
sensitive session information.

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch  |   86 ++++++++++++++++++++
 meta/recipes-extended/screen/screen_4.0.3.bb       |    1 +
 2 files changed, 87 insertions(+)
 create mode 100644 meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch

diff --git a/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch
new file mode 100644
index 0000000..104fa82
--- /dev/null
+++ b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch
@@ -0,0 +1,86 @@
+Upstream-Status: Backport
+
+The patch to fix CVE-2009-1214
+A security flaw was found in the screen utility in the way it used to create
+one particular temporary file. An attacker could use this flaw to perform
+a symlink attack. 
+Fix race condition creating temporary file
+
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=492104
+
+Signed-off-by: Chenyang Guo <chenyang.guo@windriver.com>
+---
+ fileio.c |   48 ++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 32 insertions(+), 16 deletions(-)
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -414,6 +414,14 @@ int dump;
+ 	}
+       public = !strcmp(fn, DEFAULT_BUFFERFILE);
+ # ifdef HAVE_LSTAT
++      /*
++       * Note: In the time between lstat() and open()/remove() below are
++       * called, the file can be created/removed/modified.  Therefore the
++       * information lstat() returns is taken into consideration, but not
++       * relied upon.  In particular, the open()/remove() calls can fail, and
++       * the code must account for that.  Symlink attack could be mounted if
++       * the code is changed carelessly.  --rdancer 2009-01-11
++       */
+       exists = !lstat(fn, &stb);
+       if (public && exists && (S_ISLNK(stb.st_mode) || stb.st_nlink > 1))
+ 	{
+@@ -432,28 +440,36 @@ int dump;
+ #ifdef COPY_PASTE
+       if (dump == DUMP_EXCHANGE && public)
+ 	{
++	  /*
++	   * Setting umask to zero is a bad idea -- the user surely doesn't
++	   * expect a publicly readable file in a publicly readable directory 
++	   * --rdancer 2009-01-11
++	   */
++	  /*
+           old_umask = umask(0);
++	   */
+ # ifdef HAVE_LSTAT
+ 	  if (exists)
+-	    {
+-	      if ((fd = open(fn, O_WRONLY, 0666)) >= 0)
+-		{
+-		  if (fstat(fd, &stb2) == 0 && stb.st_dev == stb2.st_dev && stb.st_ino == stb2.st_ino)
+-		    ftruncate(fd, 0);
+-		  else
+-		    {
+-		      close(fd);
+-		      fd = -1;
+-		    }
+-		}
+-	    }
+-	  else
+-	    fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0666);
+-	  f = fd >= 0 ? fdopen(fd, mode) : 0;
++	      if (remove(fn) == -1)
++	        {
++		  /* Error */
++		  debug2("WriteFile: File exists and remove(%s) failed: %s\n",
++			  fn, strerror(errno));
++		  UserReturn(0);
++	        }
+ # else
+-          f = fopen(fn, mode);
++	  (void) remove(fn);
+ # endif
++	  /*
++	   * No r/w permissions for anybody but the user, as the file may be in
++	   * a public directory -- if the user chooses, they can chmod the file
++	   * afterwards. --rdancer 2008-01-11
++	   */
++	  fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0600);
++	  f = fd >= 0 ? fdopen(fd, mode) : 0;
++	  /*
+           umask(old_umask);
++	   */
+ 	}
+       else
+ #endif /* COPY_PASTE */
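Review bot: The new `fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0600);` line in the embedded fileio.c change sits after the `# endif` that closes the HAVE_LSTAT branch, so it is compiled in both configurations, yet the only declaration of `fd` visible on this page (the context lines of the 2/2 patch) is inside `# ifdef HAVE_LSTAT`. If that is the sole declaration, a build where HAVE_LSTAT is undefined would stop compiling; declaring `int fd;` directly under `#ifdef COPY_PASTE` would cover both branches. The comment above the open() could also state that `O_EXCL` is what makes the window after remove() fail closed, e.g. `/* O_EXCL: fail rather than follow or reuse anything recreated at fn after remove() */`, because the discarded `(void) remove(fn);` result in the `# else` branch is only safe on that basis. The enclosing function starts and ends outside the hunk.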
diff --git a/meta/recipes-extended/screen/screen_4.0.3.bb b/meta/recipes-extended/screen/screen_4.0.3.bb
index 5850560..a0aa15c 100644
--- a/meta/recipes-extended/screen/screen_4.0.3.bb
+++ b/meta/recipes-extended/screen/screen_4.0.3.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz;name=tarball \
            ${DEBIAN_MIRROR}/main/s/screen/screen_4.0.3-14.diff.gz;name=patch \
            file://configure.patch \
            file://fix-parallel-make.patch \
+           file://screen-4.0.3-CVE-2009-1214.patch \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
 
 PAM_SRC_URI = "file://screen.pam"
-- 
1.7.10.4




* [PATCH 2/2] screen: fix for Security Advisory CVE-2009-1215
  2014-05-16  7:33 [PATCH 0/2]screen: backport two patches to fix CVE bugs rongqing.li
  2014-05-16  7:33 ` [PATCH 1/2] Screen: fix for Security Advisory CVE-2009-1214 rongqing.li
@ 2014-05-16  7:33 ` rongqing.li
  1 sibling, 0 replies; 3+ messages in thread
From: rongqing.li @ 2014-05-16  7:33 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

Race condition in GNU screen 4.0.3 allows local users to create or
overwrite arbitrary files via a symlink attack on the
/tmp/screen-exchange temporary file.

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch  |   27 ++++++++++++++++++++
 meta/recipes-extended/screen/screen_4.0.3.bb       |    1 +
 2 files changed, 28 insertions(+)
 create mode 100644 meta/recipes-extended/screen/screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch

diff --git a/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch
new file mode 100644
index 0000000..538a8fa
--- /dev/null
+++ b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch
@@ -0,0 +1,27 @@
+Upstream-Status: Backport
+
+This patch is a backport from screen_4.0.3-11+lenny1.diff 
+to fix CVE-2009-1215.
+
+Signed-off-by:  Shenbo Huang<shenbo.huang@windriver.com)
+---
+	properly by keeping the umask instead of dropping
+	the 'public exchange file' concept. Modify dpatch 22.
+	<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123>
+---
+ fileio.c |    5 -----
+ 1 file changed, 5 deletions(-)
+--- a/fileio.c
++++ b/fileio.c
+@@ -365,11 +365,6 @@ int dump;
+   char *mode = "w";
+ #ifdef COPY_PASTE
+   int public = 0;
+-# ifdef _MODE_T
+-  mode_t old_umask;
+-# else
+-  int old_umask;
+-# endif
+ # ifdef HAVE_LSTAT
+   struct stat stb, stb2;
+   int fd, exists = 0;
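Review bot: The embedded fileio.c change only deletes the `old_umask` declaration, so on its own it does not touch the temporary-file handling that CVE-2009-1215 concerns; the code that removes the file and recreates it with `O_CREAT|O_EXCL` lives in screen-4.0.3-CVE-2009-1214.patch. This patch also only builds when that one is applied first, since the 1214 patch is what comments out the `umask()` calls that use `old_umask`. The patch header should record that, for example `Depends on screen-4.0.3-CVE-2009-1214.patch, which carries the functional fix; this part removes the then-unused old_umask declaration.`, so that dropping or reordering either SRC_URI entry is not mistaken for a safe change when auditing CVE coverage. The three lines after the first `---` begin mid-sentence and the Signed-off-by address closes with `)` rather than `>`; both look like copy damage worth correcting.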
diff --git a/meta/recipes-extended/screen/screen_4.0.3.bb b/meta/recipes-extended/screen/screen_4.0.3.bb
index a0aa15c..c5218ec 100644
--- a/meta/recipes-extended/screen/screen_4.0.3.bb
+++ b/meta/recipes-extended/screen/screen_4.0.3.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz;name=tarball \
            file://configure.patch \
            file://fix-parallel-make.patch \
            file://screen-4.0.3-CVE-2009-1214.patch \
+           file://screen-4.0.2-CVE-2009-1215.patch \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
 
 PAM_SRC_URI = "file://screen.pam"
-- 
1.7.10.4



