CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-04 16:10:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

util-linux: fix CVE-2014-9114

Browse Source 
Backport a patch to fix CVE-2014-9114.
The patch has been integrated in util-linux-2.26.

[YOCTO #7180]

Hand applied do to version differencses.

(From OE-Core rev: de0c751f57de118bba808f85fa255bb2d99ed9cb)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster 2015-04-08 08:08:36 -07:00 committed by Richard Purdie
parent 8e7d7e5c3a
commit e8a260c9b8
2 changed files with 177 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
meta/recipes-core/util-linux/util-linux/CVE-2014-9114.patch Normal file
View File

@ -0,0 +1,176 @@
Upstream-Status: Backport
This patch is for CVE-2014-9114.
This patch should be removed once util-linux is upgraded to 2.26.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
From 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Thu, 27 Nov 2014 13:39:35 +0100
Subject: [PATCH] libblkid: care about unsafe chars in cache
The high-level libblkid API uses /run/blkid/blkid.tab cache to
store probing results. The cache format is
<device NAME="value" ...>devname</device>
and unfortunately the cache code does not escape quotation marks:
# mkfs.ext4 -L 'AAA"BBB'
# cat /run/blkid/blkid.tab
...
<device ... LABEL="AAA"BBB" ...>/dev/sdb1</device>
such string is later incorrectly parsed and blkid(8) returns
nonsenses. And for use-cases like
# eval $(blkid -o export /dev/sdb1)
it's also insecure.
Note that mount, udevd and blkid -p are based on low-level libblkid
API, it bypass the cache and directly read data from the devices.
The current udevd upstream does not depend on blkid(8) output at all,
it's directly linked with the library and all unsafe chars are encoded by
\x<hex> notation.
# mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1
# udevadm info --export-db | grep LABEL
...
E: ID_FS_LABEL=X__/tmp/foo___
E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22
Signed-off-by: Karel Zak <kzak@redhat.com>
---
libblkid/src/read.c | 21 ++++++++++++++++++---
libblkid/src/save.c | 22 +++++++++++++++++++++-
misc-utils/blkid.8 | 5 ++++-
misc-utils/blkid.c | 4 ++--
4 files changed, 45 insertions(+), 7 deletions(-)
Index: util-linux-2.24.2/libblkid/src/save.c
===================================================================
--- util-linux-2.24.2.orig/libblkid/src/save.c
+++ util-linux-2.24.2/libblkid/src/save.c
@@ -26,6 +26,21 @@
#include "blkidP.h"
+
+static void save_quoted(const char *data, FILE *file)
+{
+ const char *p;
+
+ fputc('"', file);
+ for (p = data; p && *p; p++) {
+ if ((unsigned char) *p == 0x22 || /* " */
+ (unsigned char) *p == 0x5c) /* \ */
+ fputc('\\', file);
+
+ fputc(*p, file);
+ }
+ fputc('"', file);
+}
static int save_dev(blkid_dev dev, FILE *file)
{
struct list_head *p;
@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE
if (dev->bid_pri)
fprintf(file, " PRI=\"%d\"", dev->bid_pri);
+
list_for_each(p, &dev->bid_tags) {
blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
+
+ fputc(' ', file); /* space between tags */
+ fputs(tag->bit_name, file); /* tag NAME */
+ fputc('=', file); /* separator between NAME and VALUE */
+ save_quoted(tag->bit_val, file); /* tag "VALUE" */
}
fprintf(file, ">%s</device>\n", dev->bid_name);
Index: util-linux-2.24.2/misc-utils/blkid.8
===================================================================
--- util-linux-2.24.2.orig/misc-utils/blkid.8
+++ util-linux-2.24.2/misc-utils/blkid.8
@@ -193,7 +193,10 @@ partitions. This output format is \fBDE
.TP
.B export
print key=value pairs for easy import into the environment; this output format
-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
+is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
+
+The non-printing characters are encoded by ^ and M- notation and all
+potentially unsafe characters are escaped.
.RE
.TP
.BI \-O " offset"
Index: util-linux-2.24.2/misc-utils/blkid.c
===================================================================
--- util-linux-2.24.2.orig/misc-utils/blkid.c
+++ util-linux-2.24.2/misc-utils/blkid.c
@@ -306,7 +306,7 @@ static void print_value(int output, int
printf("DEVNAME=%s\n", devname);
fputs(name, stdout);
fputs("=", stdout);
- safe_print(value, valsz, NULL);
+ safe_print(value, valsz, " \\\"'$`<>");
fputs("\n", stdout);
} else {
@@ -314,7 +314,7 @@ static void print_value(int output, int
printf("%s: ", devname);
fputs(name, stdout);
fputs("=\"", stdout);
- safe_print(value, valsz, "\"");
+ safe_print(value, valsz, "\"\\");
fputs("\" ", stdout);
}
}
Index: util-linux-2.24.2/libblkid/src/read.c
===================================================================
--- util-linux-2.24.2.orig/libblkid/src/read.c
+++ util-linux-2.24.2/libblkid/src/read.c
@@ -252,8 +252,23 @@ static int parse_token(char **name, char
*value = skip_over_blank(*value + 1);
if (**value == '"') {
- end = strchr(*value + 1, '"');
- if (!end) {
+ char *p = end = *value + 1;
+
+ /* convert 'foo\"bar' to 'foo"bar' */
+ while (*p) {
+ if (*p == '\\') {
+ p++;
+ *end = *p;
+ } else {
+ *end = *p;
+ if (*p == '"')
+ break;
+ }
+ p++;
+ end = ++p;
+ }
+
+ if (*end != '"') {
DBG(READ, blkid_debug("unbalanced quotes at: %s", *value));
*cp = *value;
return -BLKID_ERR_CACHE;
@@ -261,11 +276,11 @@ static int parse_token(char **name, char
(*value)++;
*end = '\0';
end++;
+ end = ++p;
} else {
end = skip_over_word(*value);
if (*end) {
*end = '\0';
- end++;
}
}
*cp = end;

1
meta/recipes-core/util-linux/util-linux_2.24.2.bb
View File

@ -16,6 +16,7 @@ SRC_URI += "file://util-linux-ng-replace-siginterrupt.patch \
file://fix-configure.patch \
file://fix-parallel-build.patch \
file://util-linux-ensure-the-existence-of-directory-for-PAT.patch \
file://CVE-2014-9114.patch \
${OLDHOST} \
"