From: Randy MacLeod <Randy.MacLeod@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
Subject: [PATCH 1/3] lftp: update from 4.8.3 to 4.8.4
Date: Wed, 5 Sep 2018 14:15:06 -0400	[thread overview]
Message-ID: <20180905181508.9960-1-Randy.MacLeod@windriver.com> (raw)

Drop upstreamed CVE fix:
   a27e07d9 mirror: prepend ./ to rm and chmod arguments to avoid URL recognition (fix #452)

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
---
 .../lftp/files/CVE-2018-10916.patch           | 82 -------------------
 .../lftp/{lftp_4.8.3.bb => lftp_4.8.4.bb}     |  5 +-
 2 files changed, 2 insertions(+), 85 deletions(-)
 delete mode 100644 meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch
 rename meta-networking/recipes-connectivity/lftp/{lftp_4.8.3.bb => lftp_4.8.4.bb} (87%)

diff --git a/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch b/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch
deleted file mode 100644
index c0e87d942..000000000
--- a/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From a27e07d90a4608ceaf928b1babb27d4d803e1992 Mon Sep 17 00:00:00 2001
-From: "Alexander V. Lukyanov" <lavv17f@gmail.com>
-Date: Tue, 31 Jul 2018 10:57:35 +0300
-Subject: [PATCH] mirror: prepend ./ to rm and chmod arguments to avoid URL
- recognition (fix #452)
-
-CVE: CVE-2018-10916
-Upstream-Status: Backport from v4.8.4
-
-Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
----
- src/MirrorJob.cc | 24 +++++++++---------------
- 1 file changed, 9 insertions(+), 15 deletions(-)
-
-diff --git a/src/MirrorJob.cc b/src/MirrorJob.cc
-index cf106c40..0be45431 100644
---- a/src/MirrorJob.cc
-+++ b/src/MirrorJob.cc
-@@ -1164,24 +1164,21 @@ int   MirrorJob::Do()
- 	    }
- 	    continue;
- 	 }
-+	 bool use_rmdir = (file->TypeIs(file->DIRECTORY)
-+			   && recursion_mode==RECURSION_NEVER);
- 	 if(script)
- 	 {
--	    ArgV args("rm");
--	    if(file->TypeIs(file->DIRECTORY))
--	    {
--	       if(recursion_mode==RECURSION_NEVER)
--		  args.setarg(0,"rmdir");
--	       else
--		  args.Append("-r");
--	    }
-+	    ArgV args(use_rmdir?"rmdir":"rm");
-+	    if(file->TypeIs(file->DIRECTORY) && !use_rmdir)
-+	       args.Append("-r");
- 	    args.Append(target_session->GetFileURL(file->name));
- 	    xstring_ca cmd(args.CombineQuoted());
- 	    fprintf(script,"%s\n",cmd.get());
- 	 }
- 	 if(!script_only)
- 	 {
--	    ArgV *args=new ArgV("rm");
--	    args->Append(file->name);
-+	    ArgV *args=new ArgV(use_rmdir?"rmdir":"rm");
-+	    args->Append(dir_file(".",file->name));
- 	    args->seek(1);
- 	    rmJob *j=new rmJob(target_session->Clone(),args);
- 	    args->CombineTo(j->cmdline);
-@@ -1189,10 +1186,7 @@ int   MirrorJob::Do()
- 	    if(file->TypeIs(file->DIRECTORY))
- 	    {
- 	       if(recursion_mode==RECURSION_NEVER)
--	       {
--		  args->setarg(0,"rmdir");
- 		  j->Rmdir();
--	       }
- 	       else
- 		  j->Recurse();
- 	    }
-@@ -1258,7 +1252,7 @@ int   MirrorJob::Do()
- 	 if(!script_only)
- 	 {
- 	    ArgV *a=new ArgV("chmod");
--	    a->Append(file->name);
-+	    a->Append(dir_file(".",file->name));
- 	    a->seek(1);
- 	    ChmodJob *cj=new ChmodJob(target_session->Clone(),
- 				 file->mode&~mode_mask,a);
-@@ -1380,7 +1374,7 @@ int   MirrorJob::Do()
- 	 if(!script_only)
- 	 {
- 	    ArgV *args=new ArgV("rm");
--	    args->Append(file->name);
-+	    args->Append(dir_file(".",file->name));
- 	    args->seek(1);
- 	    rmJob *j=new rmJob(source_session->Clone(),args);
- 	    args->CombineTo(j->cmdline);
--- 
-2.13.3
-
diff --git a/meta-networking/recipes-connectivity/lftp/lftp_4.8.3.bb b/meta-networking/recipes-connectivity/lftp/lftp_4.8.4.bb
similarity index 87%
rename from meta-networking/recipes-connectivity/lftp/lftp_4.8.3.bb
rename to meta-networking/recipes-connectivity/lftp/lftp_4.8.4.bb
index e0b6bebad..bf793d91d 100644
--- a/meta-networking/recipes-connectivity/lftp/lftp_4.8.3.bb
+++ b/meta-networking/recipes-connectivity/lftp/lftp_4.8.4.bb
@@ -8,10 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRC_URI = "http://lftp.yar.ru/ftp/lftp-${PV}.tar.bz2 \
            file://fix-gcc-6-conflicts-signbit.patch \
-           file://CVE-2018-10916.patch \
           "
-SRC_URI[md5sum] = "12b1fcbf13f41e9cdb0903fc670fa1f1"
-SRC_URI[sha256sum] = "c4159f056afee41866a6c2d639655bc351e6d3486bbe7758eaedb24f6a4239d5"
+SRC_URI[md5sum] = "a56b5047dbfda052df4c1dfd197aa092"
+SRC_URI[sha256sum] = "a853edbd075b008c315679c7882b6dcc6821ed2365d2ed843a412acd3d40da0e"
 
 inherit autotools gettext pkgconfig
 
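Review bot: The tarball in `SRC_URI` is still fetched over plain `http://`, so the two checksum lines updated in this hunk are the only integrity control on the new 4.8.4 source. Nothing on the page shows an upstream-published digest or signature they were compared against. It would help to say in the commit message how the new `SRC_URI[sha256sum]` was verified and, if upstream serves the same path over TLS, to change the URL to `https://lftp.yar.ru/ftp/lftp-${PV}.tar.bz2`. Because `file://CVE-2018-10916.patch` is dropped here, the commit message should also name CVE-2018-10916 (it currently cites only a27e07d9 and #452), so the fix stays traceable once the patch file and its `CVE:` tag are gone.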
-- 
2.17.0


