[OE-core] [warrior][PATCH v2] patch: fix CVE-2019-13638

Randy MacLeod randy.macleod at windriver.com
Thu Aug 8 20:16:28 UTC 2019


On 8/8/19 10:26 AM, Trevor Gamblin wrote:
> From: Trevor Gamblin <trevor.gamblin at windriver.com>
> 
> Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
> ---
>   ...ke-ed-directly-instead-of-using-the-shell.patch | 44 ++++++++++++++++++++++
>   meta/recipes-devtools/patch/patch_2.7.6.bb         |  2 +
>   2 files changed, 46 insertions(+)
>   create mode 100644 meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
> 
> diff --git a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
> new file mode 100644
> index 0000000..f60dfe8
> --- /dev/null
> +++ b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
> @@ -0,0 +1,44 @@
> +From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
> +From: Andreas Gruenbacher <agruen at gnu.org>
> +Date: Fri, 6 Apr 2018 19:36:15 +0200
> +Subject: [PATCH] Invoke ed directly instead of using the shell
> +
> +* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
> +command to avoid quoting vulnerabilities.
> +
> +CVE: CVE-2019-13638
> +Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
> +Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
> +
> +---
> + src/pch.c | 6 ++----
> + 1 file changed, 2 insertions(+), 4 deletions(-)
> +
> +
> +diff --git a/src/pch.c b/src/pch.c
> +index 4fd5a05..16e001a 100644
> +--- a/src/pch.c
> ++++ b/src/pch.c
> +@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
> + 	    *outname_needs_removal = true;
> + 	    copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
> + 	  }
> +-	sprintf (buf, "%s %s%s", editor_program,
> +-		 verbosity == VERBOSE ? "" : "- ",
> +-		 outname);
> + 	fflush (stdout);
> +
> + 	pid = fork();
> +@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
> + 	else if (pid == 0)
> + 	  {
> + 	    dup2 (tmpfd, 0);
> +-	    execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
> ++	    assert (outname[0] != '!' && outname[0] != '-');
> ++	    execlp (editor_program, editor_program, "-", outname, (char  *) NULL);
> + 	    _exit (2);
> + 	  }
> + 	else
> +--
> +2.7.4
> +
> diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
> index 85b0db7..8908910 100644
> --- a/meta/recipes-devtools/patch/patch_2.7.6.bb
> +++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
> @@ -6,6 +6,8 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
>               file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \
>               file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
>               file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
> +            file://CVE-2019-13636.patch \
> +            file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
>   "

Odd, you only added one patch but you changed two lines above.
I assume this is due to a merge conflict that you incorrectly resolved.

If you apply this commit on warrior, you see:

WARNING: patch-2.7.6-r0 do_fetch: Failed to fetch URL 
file://CVE-2019-13636.patch, attempting MIRRORS if available
ERROR: patch-2.7.6-r0 do_fetch: Fetcher failure: Unable to find file 
file://CVE-2019-13636.patch anywhere. The paths that were searched were:

Fix and v3 please.

../Randy
>   
>   SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
> 


-- 
# Randy MacLeod
# Wind River Linux


More information about the Openembedded-core mailing list