All of lore.kernel.org
* [dizzy][PATCH 0/2] dizzy branch fixes
@ 2014-11-07 13:57 Paul Eggleton
  2014-11-07 13:57 ` [dizzy][PATCH 1/2] wget: Fix for CVE-2014-4887 Paul Eggleton
  2014-11-07 13:57 ` [dizzy][PATCH 2/2] readline: Patch for readline multikey dispatch issue Paul Eggleton
  0 siblings, 2 replies; 3+ messages in thread
From: Paul Eggleton @ 2014-11-07 13:57 UTC (permalink / raw)
  To: openembedded-core

The following changes since commit 652008fd9dc909836819e5c6808c63643eff6db6:

  license.bbclass: canonicalise the licenses named with 'X+' (2014-11-05 12:02:29 +0000)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib paule/dizzy-fixes
  http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=paule/dizzy-fixes

Saul Wold (2):
  wget: Fix for CVE-2014-4887
  readline: Patch for readline multikey dispatch issue

 .../readline-6.3/readline-dispatch-multikey.patch  | 32 +++++++++
 meta/recipes-core/readline/readline_6.3.bb         |  3 +-
 .../wget/wget-1.15/wget_cve-2014-4877.patch        | 78 ++++++++++++++++++++++
 meta/recipes-extended/wget/wget_1.15.bb            |  1 +
 4 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/readline/readline-6.3/readline-dispatch-multikey.patch
 create mode 100644 meta/recipes-extended/wget/wget-1.15/wget_cve-2014-4877.patch

-- 
1.9.3




* [dizzy][PATCH 1/2] wget: Fix for CVE-2014-4887
  2014-11-07 13:57 [dizzy][PATCH 0/2] dizzy branch fixes Paul Eggleton
@ 2014-11-07 13:57 ` Paul Eggleton
  2014-11-07 13:57 ` [dizzy][PATCH 2/2] readline: Patch for readline multikey dispatch issue Paul Eggleton
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Eggleton @ 2014-11-07 13:57 UTC (permalink / raw)
  To: openembedded-core

From: Saul Wold <sgw@linux.intel.com>

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
 .../wget/wget-1.15/wget_cve-2014-4877.patch        | 78 ++++++++++++++++++++++
 meta/recipes-extended/wget/wget_1.15.bb            |  1 +
 2 files changed, 79 insertions(+)
 create mode 100644 meta/recipes-extended/wget/wget-1.15/wget_cve-2014-4877.patch

diff --git a/meta/recipes-extended/wget/wget-1.15/wget_cve-2014-4877.patch b/meta/recipes-extended/wget/wget-1.15/wget_cve-2014-4877.patch
new file mode 100644
index 0000000..bfcc36e
--- /dev/null
+++ b/meta/recipes-extended/wget/wget-1.15/wget_cve-2014-4877.patch
@@ -0,0 +1,78 @@
+From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001
+From: Darshit Shah <darnir@gmail.com>
+Date: Sun, 07 Sep 2014 19:11:17 +0000
+Subject: CVE-2014-4877: Arbitrary Symlink Access
+
+Wget was susceptible to a symlink attack which could create arbitrary
+files, directories or symbolic links and set their permissions when
+retrieving a directory recursively through FTP. This commit changes the
+default settings in Wget such that Wget no longer creates local symbolic
+links, but rather traverses them and retrieves the pointed-to file in
+such a retrieval.
+
+The old behaviour can be attained by passing the --retr-symlinks=no
+option to the Wget invokation command.
+---
+diff --git a/doc/wget.texi b/doc/wget.texi
+index aef1f80..d7a4c94 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -1883,17 +1883,18 @@ Preserve remote file permissions instead of permissions set by umask.
+ 
+ @cindex symbolic links, retrieving
+ @item --retr-symlinks
+-Usually, when retrieving @sc{ftp} directories recursively and a symbolic
+-link is encountered, the linked-to file is not downloaded.  Instead, a
+-matching symbolic link is created on the local filesystem.  The
+-pointed-to file will not be downloaded unless this recursive retrieval
+-would have encountered it separately and downloaded it anyway.
+-
+-When @samp{--retr-symlinks} is specified, however, symbolic links are
+-traversed and the pointed-to files are retrieved.  At this time, this
+-option does not cause Wget to traverse symlinks to directories and
+-recurse through them, but in the future it should be enhanced to do
+-this.
++By default, when retrieving @sc{ftp} directories recursively and a symbolic link
++is encountered, the symbolic link is traversed and the pointed-to files are
++retrieved.  Currently, Wget does not traverse symbolic links to directories to
++download them recursively, though this feature may be added in the future.
++
++When @samp{--retr-symlinks=no} is specified, the linked-to file is not
++downloaded.  Instead, a matching symbolic link is created on the local
++filesystem.  The pointed-to file will not be retrieved unless this recursive
++retrieval would have encountered it separately and downloaded it anyway.  This
++option poses a security risk where a malicious FTP Server may cause Wget to
++write to files outside of the intended directories through a specially crafted
++@sc{.listing} file.
+ 
+ Note that when retrieving a file (not a directory) because it was
+ specified on the command-line, rather than because it was recursed to,
+diff --git a/src/init.c b/src/init.c
+index 09557af..3bdaa48 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -366,6 +366,22 @@ defaults (void)
+ 
+   opt.dns_cache = true;
+   opt.ftp_pasv = true;
++  /* 2014-09-07  Darshit Shah  <darnir@gmail.com>
++   * opt.retr_symlinks is set to true by default. Creating symbolic links on the
++   * local filesystem pose a security threat by malicious FTP Servers that
++   * server a specially crafted .listing file akin to this:
++   *
++   * lrwxrwxrwx   1 root     root           33 Dec 25  2012 JoCxl6d8rFU -> /
++   * drwxrwxr-x  15 1024     106          4096 Aug 28 02:02 JoCxl6d8rFU
++   *
++   * A .listing file in this fashion makes Wget susceptiple to a symlink attack
++   * wherein the attacker is able to create arbitrary files, directories and
++   * symbolic links on the target system and even set permissions.
++   *
++   * Hence, by default Wget attempts to retrieve the pointed-to files and does
++   * not create the symbolic links locally.
++   */
++  opt.retr_symlinks = true;
+ 
+ #ifdef HAVE_SSL
+   opt.check_cert = true;
+--
+cgit v0.9.0.2
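Review bot: The header of the new wget_cve-2014-4877.patch, between the upstream description and the first "---", has no Upstream-Status: line and no Signed-off-by from the person importing it, while the readline patch in this same series carries both. Please add them so the origin of the backport is recorded in the file itself. The trailing "cgit v0.9.0.2" line suggests the patch was saved from a cgit page, so stating the upstream commit (18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7) in that tag line would also help. Since the fix only changes the default in defaults() to opt.retr_symlinks = true, and the updated wget.texi text says --retr-symlinks=no restores local symlink creation along with its risk, it is worth checking that nothing in the layer invokes wget with that option.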
diff --git a/meta/recipes-extended/wget/wget_1.15.bb b/meta/recipes-extended/wget/wget_1.15.bb
index c2fcca7..5375e4e 100644
--- a/meta/recipes-extended/wget/wget_1.15.bb
+++ b/meta/recipes-extended/wget/wget_1.15.bb
@@ -1,5 +1,6 @@
 SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
            file://fix_makefile.patch \
+           file://wget_cve-2014-4877.patch \
           "
 SRC_URI[md5sum] = "506df41295afc6486662cc47470b4618"
 SRC_URI[sha256sum] = "52126be8cf1bddd7536886e74c053ad7d0ed2aa89b4b630f76785bac21695fcd"
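Review bot: The file added to SRC_URI here is wget_cve-2014-4877.patch, and the Subject inside that file reads CVE-2014-4877, but the subject of this commit says CVE-2014-4887. Please correct the subject so that a search of the history for the CVE id finds this fix. The commit message is also empty apart from the sign-offs; one sentence saying that the backport makes wget retrieve the pointed-to file instead of creating local symlinks during recursive FTP retrieval would make the log entry usable on its own.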
-- 
1.9.3




* [dizzy][PATCH 2/2] readline: Patch for readline multikey dispatch issue
  2014-11-07 13:57 [dizzy][PATCH 0/2] dizzy branch fixes Paul Eggleton
  2014-11-07 13:57 ` [dizzy][PATCH 1/2] wget: Fix for CVE-2014-4887 Paul Eggleton
@ 2014-11-07 13:57 ` Paul Eggleton
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Eggleton @ 2014-11-07 13:57 UTC (permalink / raw)
  To: openembedded-core

From: Saul Wold <sgw@linux.intel.com>

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
---
 .../readline-6.3/readline-dispatch-multikey.patch  | 32 ++++++++++++++++++++++
 meta/recipes-core/readline/readline_6.3.bb         |  3 +-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/readline/readline-6.3/readline-dispatch-multikey.patch

diff --git a/meta/recipes-core/readline/readline-6.3/readline-dispatch-multikey.patch b/meta/recipes-core/readline/readline-6.3/readline-dispatch-multikey.patch
new file mode 100644
index 0000000..54d1ac6
--- /dev/null
+++ b/meta/recipes-core/readline/readline-6.3/readline-dispatch-multikey.patch
@@ -0,0 +1,32 @@
+From 8ef852a5be72c75e17f2510bea52455f809b56ce Mon Sep 17 00:00:00 2001
+From: Chet Ramey <chet.ramey@case.edu>
+Date: Fri, 28 Mar 2014 14:07:42 -0400
+Subject: [PATCH 04/10] Readline-6.3 patch 2
+
+Fixes multi-key issue identified in this thread:
+http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00010.html
+
+Upstream-Status: Backport
+
+Signed-off-by: Saul Wold <sgw@linux.intel.com>
+---
+ readline.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/readline.c b/readline.c
+index eb4eae3..abb29a0 100644
+--- a/readline.c
++++ b/readline.c
+@@ -744,7 +744,8 @@ _rl_dispatch_callback (cxt)
+     r = _rl_subseq_result (r, cxt->oldmap, cxt->okey, (cxt->flags & KSEQ_SUBSEQ));
+ 
+   RL_CHECK_SIGNALS ();
+-  if (r == 0)			/* success! */
++  /* We only treat values < 0 specially to simulate recursion. */
++  if (r >= 0 || (r == -1 && (cxt->flags & KSEQ_SUBSEQ) == 0))	/* success! or failure! */
+     {
+       _rl_keyseq_chain_dispose ();
+       RL_UNSETSTATE (RL_STATE_MULTIKEY);
+-- 
+1.8.3.1
+
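Review bot: The new condition in _rl_dispatch_callback, "if (r >= 0 || (r == -1 && (cxt->flags & KSEQ_SUBSEQ) == 0))", is documented only by "success! or failure!" and by a link to the bug-readline thread in the patch header. Please add a sentence to the header describing the symptom being fixed, so the reason the r == -1 case with KSEQ_SUBSEQ clear now also runs _rl_keyseq_chain_dispose () and clears RL_STATE_MULTIKEY stays on record if the link stops resolving.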
diff --git a/meta/recipes-core/readline/readline_6.3.bb b/meta/recipes-core/readline/readline_6.3.bb
index f02f197..55964a6 100644
--- a/meta/recipes-core/readline/readline_6.3.bb
+++ b/meta/recipes-core/readline/readline_6.3.bb
@@ -1,6 +1,7 @@
 require readline.inc
 
-SRC_URI += "file://readline63-003"
+SRC_URI += "file://readline63-003 \
+            file://readline-dispatch-multikey.patch"
 
 SRC_URI[archive.md5sum] = "33c8fb279e981274f485fd91da77e94a"
 SRC_URI[archive.sha256sum] = "56ba6071b9462f980c5a72ab0023893b65ba6debb4eeb475d7a563dc65cafd43"
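Review bot: readline-dispatch-multikey.patch is appended after readline63-003 in SRC_URI, although its own Subject identifies it as "Readline-6.3 patch 2". Please confirm that it applies cleanly in this order, and consider a file name that shows which upstream patch it corresponds to, in line with the existing readline63-003 entry. The commit message has no body beyond the sign-offs; a short description of the multikey dispatch issue would help here as well.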
-- 
1.9.3



