]> code.ossystems Code Review - openembedded-core.git/commitdiff
Code Review / openembedded-core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 25a212d)
screen: fix for Security Advisory CVE-2009-1215
authorYue Tao <Yue.Tao@windriver.com>
Mon, 14 Apr 2014 05:01:16 +0000 (13:01 +0800)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Wed, 21 May 2014 08:08:09 +0000 (09:08 +0100)
Race condition in GNU screen 4.0.3 allows local users to create or
overwrite arbitrary files via a symlink attack on the
/tmp/screen-exchange temporary file.

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
meta/recipes-extended/screen/screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch [new file with mode: 0644] patch | blob
meta/recipes-extended/screen/screen_4.0.3.bb patch | blob | history

diff --git a/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch
new file mode 100644 (file)
index 0000000..538a8fa
--- /dev/null
+++ b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.2-CVE-2009-1215.patch
@@ -0,0 +1,27 @@
+Upstream-Status: Backport
+
+This patch is a backport from screen_4.0.3-11+lenny1.diff 
+to fix CVE-2009-1215.
+
+Signed-off-by:  Shenbo Huang<shenbo.huang@windriver.com)
+---
+       properly by keeping the umask instead of dropping
+       the 'public exchange file' concept. Modify dpatch 22.
+       <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521123>
+---
+ fileio.c |    5 -----
+ 1 file changed, 5 deletions(-)
+--- a/fileio.c
++++ b/fileio.c
+@@ -365,11 +365,6 @@ int dump;
+   char *mode = "w";
+ #ifdef COPY_PASTE
+   int public = 0;
+-# ifdef _MODE_T
+-  mode_t old_umask;
+-# else
+-  int old_umask;
+-# endif
+ # ifdef HAVE_LSTAT
+   struct stat stb, stb2;
+   int fd, exists = 0;
diff --git a/meta/recipes-extended/screen/screen_4.0.3.bb b/meta/recipes-extended/screen/screen_4.0.3.bb
index a0aa15c0d3f87db2e21648720e12d6af6659a13f..c5218ec1dbd88148f4b57ac04ee0533ef5f796db 100644 (file)
--- a/meta/recipes-extended/screen/screen_4.0.3.bb
+++ b/meta/recipes-extended/screen/screen_4.0.3.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz;name=tarball \
            file://configure.patch \
            file://fix-parallel-make.patch \
            file://screen-4.0.3-CVE-2009-1214.patch \
+           file://screen-4.0.2-CVE-2009-1215.patch \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
 
 PAM_SRC_URI = "file://screen.pam"
Mirror of the official openembedded-core repository