summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster808@gmail.com>2015-04-08 08:08:36 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-04-17 22:39:30 +0100
commite8a260c9b8c3f63253da18a44a41146069fd05bd (patch)
tree07cf0f6325108ee17c7a0d0708e90b735e0cf697
parent8e7d7e5c3a6f29cfbb281defab007bb8197cd75c (diff)
downloadpoky-e8a260c9b8c3f63253da18a44a41146069fd05bd.tar.gz
poky-e8a260c9b8c3f63253da18a44a41146069fd05bd.tar.bz2
poky-e8a260c9b8c3f63253da18a44a41146069fd05bd.zip
util-linux: fix CVE-2014-9114
Backport a patch to fix CVE-2014-9114. The patch has been integrated in util-linux-2.26. [YOCTO #7180] Hand applied do to version differencses. (From OE-Core rev: de0c751f57de118bba808f85fa255bb2d99ed9cb) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch176
-rw-r--r--meta/recipes-core/util-linux/util-linux_2.24.2.bb1
2 files changed, 177 insertions, 0 deletions
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch b/meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch
new file mode 100644
index 0000000000..46c5e8ecb7
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch
@@ -0,0 +1,176 @@
+Upstream-Status: Backport
+
+This patch is for CVE-2014-9114.
+This patch should be removed once util-linux is upgraded to 2.26.
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+
+From 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 27 Nov 2014 13:39:35 +0100
+Subject: [PATCH] libblkid: care about unsafe chars in cache
+
+The high-level libblkid API uses /run/blkid/blkid.tab cache to
+store probing results. The cache format is
+
+ <device NAME="value" ...>devname</device>
+
+and unfortunately the cache code does not escape quotation marks:
+
+ # mkfs.ext4 -L 'AAA"BBB'
+
+ # cat /run/blkid/blkid.tab
+ ...
+ <device ... LABEL="AAA"BBB" ...>/dev/sdb1</device>
+
+such string is later incorrectly parsed and blkid(8) returns
+nonsenses. And for use-cases like
+
+ # eval $(blkid -o export /dev/sdb1)
+
+it's also insecure.
+
+Note that mount, udevd and blkid -p are based on low-level libblkid
+API, it bypass the cache and directly read data from the devices.
+
+The current udevd upstream does not depend on blkid(8) output at all,
+it's directly linked with the library and all unsafe chars are encoded by
+\x<hex> notation.
+
+ # mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1
+ # udevadm info --export-db | grep LABEL
+ ...
+ E: ID_FS_LABEL=X__/tmp/foo___
+ E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libblkid/src/read.c | 21 ++++++++++++++++++---
+ libblkid/src/save.c | 22 +++++++++++++++++++++-
+ misc-utils/blkid.8 | 5 ++++-
+ misc-utils/blkid.c | 4 ++--
+ 4 files changed, 45 insertions(+), 7 deletions(-)
+
+Index: util-linux-2.24.2/libblkid/src/save.c
+===================================================================
+--- util-linux-2.24.2.orig/libblkid/src/save.c
++++ util-linux-2.24.2/libblkid/src/save.c
+@@ -26,6 +26,21 @@
+
+ #include "blkidP.h"
+
++
++static void save_quoted(const char *data, FILE *file)
++{
++ const char *p;
++
++ fputc('"', file);
++ for (p = data; p && *p; p++) {
++ if ((unsigned char) *p == 0x22 || /* " */
++ (unsigned char) *p == 0x5c) /* \ */
++ fputc('\\', file);
++
++ fputc(*p, file);
++ }
++ fputc('"', file);
++}
+ static int save_dev(blkid_dev dev, FILE *file)
+ {
+ struct list_head *p;
+@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE
+
+ if (dev->bid_pri)
+ fprintf(file, " PRI=\"%d\"", dev->bid_pri);
++
+ list_for_each(p, &dev->bid_tags) {
+ blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
+- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
++
++ fputc(' ', file); /* space between tags */
++ fputs(tag->bit_name, file); /* tag NAME */
++ fputc('=', file); /* separator between NAME and VALUE */
++ save_quoted(tag->bit_val, file); /* tag "VALUE" */
+ }
+ fprintf(file, ">%s</device>\n", dev->bid_name);
+
+Index: util-linux-2.24.2/misc-utils/blkid.8
+===================================================================
+--- util-linux-2.24.2.orig/misc-utils/blkid.8
++++ util-linux-2.24.2/misc-utils/blkid.8
+@@ -193,7 +193,10 @@ partitions. This output format is \fBDE
+ .TP
+ .B export
+ print key=value pairs for easy import into the environment; this output format
+-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
++is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
++
++The non-printing characters are encoded by ^ and M- notation and all
++potentially unsafe characters are escaped.
+ .RE
+ .TP
+ .BI \-O " offset"
+Index: util-linux-2.24.2/misc-utils/blkid.c
+===================================================================
+--- util-linux-2.24.2.orig/misc-utils/blkid.c
++++ util-linux-2.24.2/misc-utils/blkid.c
+@@ -306,7 +306,7 @@ static void print_value(int output, int
+ printf("DEVNAME=%s\n", devname);
+ fputs(name, stdout);
+ fputs("=", stdout);
+- safe_print(value, valsz, NULL);
++ safe_print(value, valsz, " \\\"'$`<>");
+ fputs("\n", stdout);
+
+ } else {
+@@ -314,7 +314,7 @@ static void print_value(int output, int
+ printf("%s: ", devname);
+ fputs(name, stdout);
+ fputs("=\"", stdout);
+- safe_print(value, valsz, "\"");
++ safe_print(value, valsz, "\"\\");
+ fputs("\" ", stdout);
+ }
+ }
+Index: util-linux-2.24.2/libblkid/src/read.c
+===================================================================
+--- util-linux-2.24.2.orig/libblkid/src/read.c
++++ util-linux-2.24.2/libblkid/src/read.c
+@@ -252,8 +252,23 @@ static int parse_token(char **name, char
+ *value = skip_over_blank(*value + 1);
+
+ if (**value == '"') {
+- end = strchr(*value + 1, '"');
+- if (!end) {
++ char *p = end = *value + 1;
++
++ /* convert 'foo\"bar' to 'foo"bar' */
++ while (*p) {
++ if (*p == '\\') {
++ p++;
++ *end = *p;
++ } else {
++ *end = *p;
++ if (*p == '"')
++ break;
++ }
++ p++;
++ end = ++p;
++ }
++
++ if (*end != '"') {
+ DBG(READ, blkid_debug("unbalanced quotes at: %s", *value));
+ *cp = *value;
+ return -BLKID_ERR_CACHE;
+@@ -261,11 +276,11 @@ static int parse_token(char **name, char
+ (*value)++;
+ *end = '\0';
+ end++;
++ end = ++p;
+ } else {
+ end = skip_over_word(*value);
+ if (*end) {
+ *end = '\0';
+- end++;
+ }
+ }
+ *cp = end;
diff --git a/meta/recipes-core/util-linux/util-linux_2.24.2.bb b/meta/recipes-core/util-linux/util-linux_2.24.2.bb
index ed753e48b3..bc92afd209 100644
--- a/meta/recipes-core/util-linux/util-linux_2.24.2.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.24.2.bb
@@ -16,6 +16,7 @@ SRC_URI += "file://util-linux-ng-replace-siginterrupt.patch \
file://fix-configure.patch \
file://fix-parallel-build.patch \
file://util-linux-ensure-the-existence-of-directory-for-PAT.patch \
+ file://CVE-2014-9114.patch \
${OLDHOST} \
"