lftp: update from 4.8.3 to 4.8.4

Drop upstreamed CVE fix: a27e07d9 mirror: prepend ./ to rm and chmod arguments to avoid URL recognition (fix #452) Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-01 13:58:06 +00:00 · 2018-09-05 14:15:06 -04:00 · 2018-09-05 14:15:06 -04:00 · f83a6cfe66
commit f83a6cfe66
parent 005093bac5
2 changed files with 2 additions and 85 deletions
--- a/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch
+++ b/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch
@ -1,82 +0,0 @@
-From a27e07d90a4608ceaf928b1babb27d4d803e1992 Mon Sep 17 00:00:00 2001
-From: "Alexander V. Lukyanov" <lavv17f@gmail.com>
-Date: Tue, 31 Jul 2018 10:57:35 +0300
-Subject: [PATCH] mirror: prepend ./ to rm and chmod arguments to avoid URL
- recognition (fix #452)
-
-CVE: CVE-2018-10916
-Upstream-Status: Backport from v4.8.4
-
-Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
- src/MirrorJob.cc | 24 +++++++++---------------
- 1 file changed, 9 insertions(+), 15 deletions(-)
-
-diff --git a/src/MirrorJob.cc b/src/MirrorJob.cc
-index cf106c40..0be45431 100644
--- a/src/MirrorJob.cc
-+++ b/src/MirrorJob.cc
-@@ -1164,24 +1164,21 @@ int   MirrorJob::Do()
- 	    }
- 	    continue;
- 	 }
-+	 bool use_rmdir = (file->TypeIs(file->DIRECTORY)
-+			   && recursion_mode==RECURSION_NEVER);
- 	 if(script)
- 	 {
-	    ArgV args("rm");
-	    if(file->TypeIs(file->DIRECTORY))
-	    {
-	       if(recursion_mode==RECURSION_NEVER)
-		  args.setarg(0,"rmdir");
-	       else
-		  args.Append("-r");
-	    }
-+	    ArgV args(use_rmdir?"rmdir":"rm");
-+	    if(file->TypeIs(file->DIRECTORY) && !use_rmdir)
-+	       args.Append("-r");
- 	    args.Append(target_session->GetFileURL(file->name));
- 	    xstring_ca cmd(args.CombineQuoted());
- 	    fprintf(script,"%s\n",cmd.get());
- 	 }
- 	 if(!script_only)
- 	 {
-	    ArgV *args=new ArgV("rm");
-	    args->Append(file->name);
-+	    ArgV *args=new ArgV(use_rmdir?"rmdir":"rm");
-+	    args->Append(dir_file(".",file->name));
- 	    args->seek(1);
- 	    rmJob *j=new rmJob(target_session->Clone(),args);
- 	    args->CombineTo(j->cmdline);
-@@ -1189,10 +1186,7 @@ int   MirrorJob::Do()
- 	    if(file->TypeIs(file->DIRECTORY))
- 	    {
- 	       if(recursion_mode==RECURSION_NEVER)
-	       {
-		  args->setarg(0,"rmdir");
- 		  j->Rmdir();
-	       }
- 	       else
- 		  j->Recurse();
- 	    }
-@@ -1258,7 +1252,7 @@ int   MirrorJob::Do()
- 	 if(!script_only)
- 	 {
- 	    ArgV *a=new ArgV("chmod");
-	    a->Append(file->name);
-+	    a->Append(dir_file(".",file->name));
- 	    a->seek(1);
- 	    ChmodJob *cj=new ChmodJob(target_session->Clone(),
- 				 file->mode&~mode_mask,a);
-@@ -1380,7 +1374,7 @@ int   MirrorJob::Do()
- 	 if(!script_only)
- 	 {
- 	    ArgV *args=new ArgV("rm");
-	    args->Append(file->name);
-+	    args->Append(dir_file(".",file->name));
- 	    args->seek(1);
- 	    rmJob *j=new rmJob(source_session->Clone(),args);
- 	    args->CombineTo(j->cmdline);
-- 
-2.13.3
-
--- a/meta-networking/recipes-connectivity/lftp/lftp_4.8.4.bb
+++ b/meta-networking/recipes-connectivity/lftp/lftp_4.8.4.bb
@ -8,10 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"

 SRC_URI = "http://lftp.yar.ru/ftp/lftp-${PV}.tar.bz2 \
           file://fix-gcc-6-conflicts-signbit.patch \
-           file://CVE-2018-10916.patch \
          "
-SRC_URI[md5sum] = "12b1fcbf13f41e9cdb0903fc670fa1f1"
-SRC_URI[sha256sum] = "c4159f056afee41866a6c2d639655bc351e6d3486bbe7758eaedb24f6a4239d5"
+SRC_URI[md5sum] = "a56b5047dbfda052df4c1dfd197aa092"
+SRC_URI[sha256sum] = "a853edbd075b008c315679c7882b6dcc6821ed2365d2ed843a412acd3d40da0e"

 inherit autotools gettext pkgconfig