aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/squashfs-tools
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/squashfs-tools')
-rw-r--r--meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch72
-rw-r--r--meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb3
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
new file mode 100644
index 0000000000..8b9904fd56
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -0,0 +1,72 @@
+Upstream-Status: Backport
+
+Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
+squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
+
+Fix potential stack overflow in get_component() where an individual
+pathname component in an extract file (specified on the command line
+or in an extract file) could exceed the 1024 byte sized targname
+allocated on the stack.
+
+Fix by dynamically allocating targname rather than storing it as
+a fixed size on the stack.
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+diff -urpN a/unsquashfs.c b/unsquashfs.c
+--- a/unsquashfs.c 2012-11-29 17:04:08.000000000 +0800
++++ b/unsquashfs.c 2012-11-29 17:04:25.000000000 +0800
+@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
+ }
+
+
+-char *get_component(char *target, char *targname)
++char *get_component(char *target, char **targname)
+ {
++ char *start;
++
+ while(*target == '/')
+ target ++;
+
++ start = target;
+ while(*target != '/' && *target!= '\0')
+- *targname ++ = *target ++;
++ target ++;
+
+- *targname = '\0';
++ *targname = strndup(start, target - start);
+
+ return target;
+ }
+@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
+
+ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+ {
+- char targname[1024];
++ char *targname;
+ int i, error;
+
+ TRACE("add_path: adding \"%s\" extract file\n", target);
+
+- target = get_component(target, targname);
++ target = get_component(target, &targname);
+
+ if(paths == NULL) {
+ paths = malloc(sizeof(struct pathname));
+@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
+ sizeof(struct path_entry));
+ if(paths->name == NULL)
+ EXIT_UNSQUASH("Out of memory in add_path\n");
+- paths->name[i].name = strdup(targname);
++ paths->name[i].name = targname;
+ paths->name[i].paths = NULL;
+ if(use_regex) {
+ paths->name[i].preg = malloc(sizeof(regex_t));
+@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
+ /*
+ * existing matching entry
+ */
++ free(targname);
++
+ if(paths->name[i].paths == NULL) {
+ /*
+ * No sub-directory which means this is the leaf
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
index c54081be9f..9922f1ef51 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
@@ -3,6 +3,7 @@
DESCRIPTION = "Tools to manipulate Squashfs filesystems."
SECTION = "base"
LICENSE = "GPL-2 & PD"
+FILESEXTRAPATHS_prepend := "${THISDIR}/patches:"
LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \
"
@@ -12,6 +13,8 @@ PR = "1"
SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \
http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \
"
+SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \
+ "
SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"
SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"
SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"