code.ossystems Code Review - openembedded-core.git/commit

patch: fix CVE-2018-1000156

* CVE detail: https://nvd.nist.gov/vuln/detail/CVE-2018-1000156

* upstream tracking: https://savannah.gnu.org/bugs/index.php?53566

* Fix arbitrary command execution in ed-style patches:
  - src/pch.c (do_ed_script): Write ed script to a temporary file instead
    of piping it to ed: this will cause ed to abort on invalid commands
    instead of rejecting them and carrying on.
  - tests/ed-style: New test case.
  - tests/Makefile.am (TESTS): Add test case.

(From OE-Core rev: 6b6ae212837a07aaefd2b675b5b527fbce2a4270)

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>

author	Jackie Huang <jackie.huang@windriver.com>
	Wed, 11 Apr 2018 06:56:10 +0000 (14:56 +0800)
committer	Richard Purdie <richard.purdie@linuxfoundation.org>
	Thu, 3 May 2018 08:52:11 +0000 (09:52 +0100)
commit	413c54e0698589b17976e88fa7ab76e5dbac51aa
tree	0f9f4e5144ae76c55a8cbc95ea49836180cf76a9	tree \| snapshot
parent	e628af83e8d00ed3e3db318b323a9f5e48d35aae	commit \| diff

meta/recipes-devtools/patch/patch/0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch	[new file with mode: 0644]	blob
meta/recipes-devtools/patch/patch/0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch	[new file with mode: 0644]	blob
meta/recipes-devtools/patch/patch_2.7.6.bb		diff \| blob \| history