code.ossystems Code Review - openembedded-core.git/commitdiff
patch: fix CVE-2015-1196
author Robert Yang <liezhi.yang@windriver.com>
Thu, 26 Mar 2015 06:42:34 +0000 (23:42 -0700)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Thu, 2 Apr 2015 11:01:37 +0000 (12:01 +0100)
A directory traversal flaw was reported in patch:

References:
http://www.openwall.com/lists/oss-security/2015/01/18/6
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227
https://bugzilla.redhat.com/show_bug.cgi?id=1182154

[YOCTO #7182]

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-devtools/patch/patch.inc

index 332b97a85e6d162430ddf1cf49a5fc7af54fa041..d306403cc47eaa4040e610924234d01251308d53 100644 (file)
@@ -4,7 +4,10 @@ produced by the diff program and applies those differences to one or more \
 original files, producing patched versions."
 SECTION = "utils"
 
-SRC_URI = "${GNU_MIRROR}/patch/patch-${PV}.tar.gz"
+SRC_URI = "${GNU_MIRROR}/patch/patch-${PV}.tar.gz \
+        file://patch-CVE-2015-1196.patch \
+        "
+
 S = "${WORKDIR}/patch-${PV}"
 
 inherit autotools update-alternatives
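
Review bot: The new `file://patch-CVE-2015-1196.patch` entry is added to SRC_URI in patch.inc, whose tarball name is built from ${PV}, so every versioned recipe that includes this file will try to apply the fix. If any of those versions does not need it, or the patch does not apply cleanly there, do_patch will fail for that version. Consider putting the entry in the affected versioned recipe instead (for example `SRC_URI += "file://patch-CVE-2015-1196.patch"`) and stating in the commit message which versions are affected. The patch file itself is not among the visible lines, so confirm it is added in the same commit and carries an Upstream-Status header recording where the fix came from.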