code.ossystems Code Review - openembedded-core.git/commit
coreutils: CVE-2017-18018
author Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Wed, 22 Aug 2018 11:41:41 +0000 (17:11 +0530)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Wed, 29 Aug 2018 14:22:27 +0000 (15:22 +0100)
commit a523bc6a2ff7d5b5415a789de02fb055ccd2c077
tree bb27959631a41610f3fcfd1c352a2241ad17c8d5
parent 00da7bad24cf78c9dba091b9e480515f25886b48
coreutils: CVE-2017-18018

CVE-2017-18018-1:
doc: clarify chown/chgrp --dereference defaults
* doc/coreutils.texi: the documentation for the --dereference
  flag of chown/chgrp states that it is the default mode of
  operation. Document that this is only the case when operating
  non-recursively.

CVE-2017-18018-2:
doc: warn about following symlinks recursively in chown/chgrp
In both chown and chgrp (which shares its code with chown), operating
on symlinks recursively has a window of vulnerability where the
destination user or group can change the target of the operation.
Warn about combining the --dereference, --recursive, and -L flags.

* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
(node chown invocation): Add it to --dereference and -L.
(node chgrp invocation): Likewise.

Affects coreutils <= 8.29

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch [new file with mode: 0644]
meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch [new file with mode: 0644]
meta/recipes-core/coreutils/coreutils_8.29.bb
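
The flag combination the commit message warns about can be checked for in install and maintenance scripts. The following is an added example, not part of this commit or of coreutils: the function names `risky_invocation` and `scan` are hypothetical, the sample script is constructed, and abbreviated GNU long options are not recognised.

```python
import os
import shlex

TOOLS = {"chown", "chgrp"}
STOP = {";", "&&", "||", "|", "&"}   # shell operators that end the command

def risky_invocation(line):
    """True if line runs chown/chgrp recursively with -L or --dereference."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:               # unbalanced quotes: cannot be parsed
        return False
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) in TOOLS:
            break
    else:
        return False
    recursive = deref = False
    traversal = "P"                  # with -R, symlinks are not traversed by default
    for tok in tokens[i + 1:]:
        if tok == "--" or tok in STOP:
            break
        if tok == "--recursive":
            recursive = True
        elif tok == "--dereference":
            deref = True
        elif tok == "--no-dereference":
            deref = False            # assumed last-one-wins, as for -h below
        elif tok.startswith("-") and not tok.startswith("--"):
            for ch in tok[1:]:       # short options may be clustered, e.g. -RL
                if ch == "R":
                    recursive = True
                elif ch in "HLP":    # only the final one of -H/-L/-P takes effect
                    traversal = ch
                elif ch == "h":
                    deref = False
    return recursive and (deref or traversal == "L")

def scan(text):
    """Return (line number, line) for every risky chown/chgrp call in text."""
    return [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)
            if risky_invocation(l)]

# Constructed sample script, not taken from any real recipe.
SAMPLE = """\
chown -R app:app /srv/app
chown -RL app:app /srv/app/uploads
chgrp --recursive --dereference -L www /var/www  # follows links
chown -R -L -P app:app /srv/app
chown --dereference app:app /srv/app/current
sudo /bin/chown -hR app:app /srv/app
"""
```

Only lines 2 and 3 of the sample are reported; line 4 ends with `-P`, which overrides the earlier `-L`, and line 5 is not recursive.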