From d09ea40d7f5b59f37625e43973c363c07053fdfb Mon Sep 17 00:00:00 2001 From: Aníbal Limón Date: Mon, 24 Nov 2014 15:16:31 -0600 Subject: dpkg: Upgrade to 1.17.21 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove dpkg-1.17.4-CVE-2014-0471, dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127 and ignore_extra_fields patches that are already in upstream. Rebase no-vla-warning patch. Signed-off-by: Aníbal Limón Signed-off-by: Richard Purdie --- meta/recipes-devtools/dpkg/dpkg.inc | 3 +- .../dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch | 68 --------------- .../dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch | 97 ---------------------- .../dpkg/dpkg/ignore_extra_fields.patch | 21 ----- .../dpkg/dpkg/no-vla-warning.patch | 24 +++--- meta/recipes-devtools/dpkg/dpkg_1.17.21.bb | 19 +++++ meta/recipes-devtools/dpkg/dpkg_1.17.4.bb | 21 ----- 7 files changed, 32 insertions(+), 221 deletions(-) delete mode 100644 meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch delete mode 100644 meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch delete mode 100644 meta/recipes-devtools/dpkg/dpkg/ignore_extra_fields.patch create mode 100644 meta/recipes-devtools/dpkg/dpkg_1.17.21.bb delete mode 100644 meta/recipes-devtools/dpkg/dpkg_1.17.4.bb diff --git a/meta/recipes-devtools/dpkg/dpkg.inc b/meta/recipes-devtools/dpkg/dpkg.inc index 929906dfd8..c3c51ebe80 100644 --- a/meta/recipes-devtools/dpkg/dpkg.inc +++ b/meta/recipes-devtools/dpkg/dpkg.inc @@ -2,8 +2,7 @@ SUMMARY = "Package maintenance system from Debian" LICENSE = "GPLv2.0+" SECTION = "base" -SRC_URI = "${DEBIAN_MIRROR}/main/d/dpkg/dpkg_${PV}.tar.xz \ - file://ignore_extra_fields.patch" +SRC_URI = "${DEBIAN_MIRROR}/main/d/dpkg/dpkg_${PV}.tar.xz" DEPENDS = "zlib bzip2 perl ncurses" DEPENDS_class-native = "bzip2-replacement-native zlib-native virtual/update-alternatives-native gettext-native perl-native" diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch deleted file mode 100644 index e59c6661ea..0000000000 --- a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch +++ /dev/null @@ -1,68 +0,0 @@ -dpkg: Security Advisory - CVE-2014-3127 - -commit a12eb58959d0a10584a428f4a3103a49204c410f upstream - -dpkg 1.15.9 on Debian squeeze introduces support for the "C-style -encoded filenames" feature without recognizing that the squeeze patch -program lacks this feature, which triggers an interaction error that -allows remote attackers to conduct directory traversal attacks and -modify files outside of the intended directories via a crafted source -package. - -NOTE: this can be considered a release engineering problem in the -effort to fix CVE-2014-0471. - -Upstream-Status: Backport - -Signed-off-by: Wenlin Kang -Signed-off-by: Wenzong Fan -===================================================== -diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm ---- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm 2014-06-05 16:32:41.765446564 +0800 -+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm 2014-06-05 16:37:21.461446359 +0800 -@@ -324,31 +324,6 @@ - return $line; - } - --my %ESCAPE = (( -- 'a' => "\a", -- 'b' => "\b", -- 'f' => "\f", -- 'n' => "\n", -- 'r' => "\r", -- 't' => "\t", -- 'v' => "\cK", -- '\\' => '\\', -- '"' => '"', --), ( -- map { sprintf('%03o', $_) => chr($_) } (0..255) --)); -- --sub _unescape { -- my ($diff, $str) = @_; -- -- if (exists $ESCAPE{$str}) { -- return $ESCAPE{$str}; -- } else { -- error(_g('diff %s patches file with unknown escape sequence \\%s'), -- $diff, $str); -- } --} -- - # Fetch the header filename ignoring the optional timestamp - sub _fetch_filename { - my ($diff, $header) = @_; -@@ -358,12 +333,7 @@ - - # Is it a C-style string? - if ($header =~ m/^"/) { -- $header =~ m/^"((?:[^\\"]|\\.)*)"/; -- error(_g('diff %s patches file with unbalanced quote'), $diff) -- unless defined $1; -- -- $header = $1; -- $header =~ s/\\([0-3][0-7]{2}|.)/_unescape($diff, $1)/eg; -+ error(_g('diff %s patches file with C-style encoded filename'), $diff); - } else { - # Tab is the official separator, it's always used when - # filename contain spaces. Try it first, otherwise strip on space diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch deleted file mode 100644 index 195d309506..0000000000 --- a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch +++ /dev/null @@ -1,97 +0,0 @@ -dpkg: Security Advisory - CVE-2014-0471 - -commit a82651188476841d190c58693f95827d61959b51 upstream - -Directory traversal vulnerability in the unpacking functionality in -dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 -allows remote attackers to write arbitrary files via a crafted source -package, related to "C-style filename quoting." - -Upstream-Status: Backport - -Signed-off-by: Wenlin Kang -Signed-off-by: Wenzong Fan -=================================================== -diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm ---- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm 2014-06-05 15:24:07.422446284 +0800 -+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm 2014-06-05 15:41:37.746446314 +0800 -@@ -324,14 +324,53 @@ - return $line; - } - --# Strip timestamp --sub _strip_ts { -- my $header = shift; -- -- # Tab is the official separator, it's always used when -- # filename contain spaces. Try it first, otherwise strip on space -- # if there's no tab -- $header =~ s/\s.*// unless ($header =~ s/\t.*//); -+my %ESCAPE = (( -+ 'a' => "\a", -+ 'b' => "\b", -+ 'f' => "\f", -+ 'n' => "\n", -+ 'r' => "\r", -+ 't' => "\t", -+ 'v' => "\cK", -+ '\\' => '\\', -+ '"' => '"', -+), ( -+ map { sprintf('%03o', $_) => chr($_) } (0..255) -+)); -+ -+sub _unescape { -+ my ($diff, $str) = @_; -+ -+ if (exists $ESCAPE{$str}) { -+ return $ESCAPE{$str}; -+ } else { -+ error(_g('diff %s patches file with unknown escape sequence \\%s'), -+ $diff, $str); -+ } -+} -+ -+# Fetch the header filename ignoring the optional timestamp -+sub _fetch_filename { -+ my ($diff, $header) = @_; -+ -+ # Strip any leading spaces. -+ $header =~ s/^\s+//; -+ -+ # Is it a C-style string? -+ if ($header =~ m/^"/) { -+ $header =~ m/^"((?:[^\\"]|\\.)*)"/; -+ error(_g('diff %s patches file with unbalanced quote'), $diff) -+ unless defined $1; -+ -+ $header = $1; -+ $header =~ s/\\([0-3][0-7]{2}|.)/_unescape($diff, $1)/eg; -+ } else { -+ # Tab is the official separator, it's always used when -+ # filename contain spaces. Try it first, otherwise strip on space -+ # if there's no tab -+ $header =~ s/\s.*// unless $header =~ s/\t.*//; -+ } -+ - return $header; - } - -@@ -400,7 +439,7 @@ - unless(s/^--- //) { - error(_g("expected ^--- in line %d of diff `%s'"), $., $diff); - } -- $path{old} = $_ = _strip_ts($_); -+ $path{old} = $_ = _fetch_filename($diff, $_); - $fn{old} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/}; - if (/\.dpkg-orig$/) { - error(_g("diff `%s' patches file with name ending .dpkg-orig"), $diff); -@@ -412,7 +451,7 @@ - unless (s/^\+\+\+ //) { - error(_g("line after --- isn't as expected in diff `%s' (line %d)"), $diff, $.); - } -- $path{new} = $_ = _strip_ts($_); -+ $path{new} = $_ = _fetch_filename($diff, $_); - $fn{new} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/}; - - unless (defined $fn{old} or defined $fn{new}) { diff --git a/meta/recipes-devtools/dpkg/dpkg/ignore_extra_fields.patch b/meta/recipes-devtools/dpkg/dpkg/ignore_extra_fields.patch deleted file mode 100644 index 4e3eb97ed8..0000000000 --- a/meta/recipes-devtools/dpkg/dpkg/ignore_extra_fields.patch +++ /dev/null @@ -1,21 +0,0 @@ -Upstream-Status: Inappropriate [workaround] - -Index: dpkg-1.16.8/dpkg-deb/build.c -=================================================================== ---- dpkg-1.16.8.orig/dpkg-deb/build.c -+++ dpkg-1.16.8/dpkg-deb/build.c -@@ -340,13 +340,13 @@ check_new_pkg(const char *dir) - if (pkg->priority == pri_other) - warning(_("'%s' contains user-defined Priority value '%s'"), - controlfile, pkg->otherpriority); -- for (field = pkg->available.arbs; field; field = field->next) { -+ /*for (field = pkg->available.arbs; field; field = field->next) { - if (known_arbitrary_field(field)) - continue; - - warning(_("'%s' contains user-defined field '%s'"), controlfile, - field->name); -- } -+ }*/ - - free(controlfile); diff --git a/meta/recipes-devtools/dpkg/dpkg/no-vla-warning.patch b/meta/recipes-devtools/dpkg/dpkg/no-vla-warning.patch index 0e57dbc7fc..f660b18646 100644 --- a/meta/recipes-devtools/dpkg/dpkg/no-vla-warning.patch +++ b/meta/recipes-devtools/dpkg/dpkg/no-vla-warning.patch @@ -11,22 +11,22 @@ Upstream-Status: Pending Signed-off-by: Donn Seeley Signed-off-by: Robert Yang +Signed-off-by: Aníbal Limón --- m4/dpkg-compiler.m4 | 1 - 1 file changed, 1 deletion(-) diff --git a/m4/dpkg-compiler.m4 b/m4/dpkg-compiler.m4 -index f1c760b..500b5ad 100644 +index 53f67c6..6e66a43 100644 --- a/m4/dpkg-compiler.m4 +++ b/m4/dpkg-compiler.m4 -@@ -72,7 +72,6 @@ if test "x$enable_compiler_warnings" = "xyes"; then - DPKG_WARNING_ALL([-Wformat-security]) - DPKG_WARNING_ALL([-Wpointer-arith]) - DPKG_WARNING_ALL([-Wlogical-op]) -- DPKG_WARNING_ALL([-Wvla]) - DPKG_WARNING_ALL([-Winit-self]) - DPKG_WARNING_ALL([-Wwrite-strings]) - DPKG_WARNING_ALL([-Wcast-align]) --- -1.7.10.4 - +@@ -49,7 +49,6 @@ AC_DEFUN([DPKG_CHECK_COMPILER_WARNINGS], [ + DPKG_CHECK_COMPILER_FLAG([-Wformat-security]) + DPKG_CHECK_COMPILER_FLAG([-Wpointer-arith]) + DPKG_CHECK_COMPILER_FLAG([-Wlogical-op]) +- DPKG_CHECK_COMPILER_FLAG([-Wvla]) + DPKG_CHECK_COMPILER_FLAG([-Winit-self]) + DPKG_CHECK_COMPILER_FLAG([-Wwrite-strings]) + DPKG_CHECK_COMPILER_FLAG([-Wcast-align]) +--- +1.17.21 diff --git a/meta/recipes-devtools/dpkg/dpkg_1.17.21.bb b/meta/recipes-devtools/dpkg/dpkg_1.17.21.bb new file mode 100644 index 0000000000..15c0277015 --- /dev/null +++ b/meta/recipes-devtools/dpkg/dpkg_1.17.21.bb @@ -0,0 +1,19 @@ +require dpkg.inc +LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" + +SRC_URI += "file://noman.patch \ + file://check_snprintf.patch \ + file://check_version.patch \ + file://preinst.patch \ + file://fix-timestamps.patch \ + file://remove-tar-no-timestamp.patch \ + file://fix-abs-redefine.patch \ + file://arch_pm.patch \ + file://dpkg-configure.service \ + file://glibc2.5-sync_file_range.patch \ + file://no-vla-warning.patch \ + " + +SRC_URI[md5sum] = "765a96fd0180196613bbfa3c4aef0775" +SRC_URI[sha256sum] = "3ed776627181cb9c1c9ba33f94a6319084be2e9ec9c23dd61ce784c4f602cf05" + diff --git a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb deleted file mode 100644 index 83526f3c96..0000000000 --- a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb +++ /dev/null @@ -1,21 +0,0 @@ -require dpkg.inc -LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" - -SRC_URI += "file://noman.patch \ - file://check_snprintf.patch \ - file://check_version.patch \ - file://preinst.patch \ - file://fix-timestamps.patch \ - file://remove-tar-no-timestamp.patch \ - file://fix-abs-redefine.patch \ - file://arch_pm.patch \ - file://dpkg-configure.service \ - file://glibc2.5-sync_file_range.patch \ - file://no-vla-warning.patch \ - file://dpkg-1.17.4-CVE-2014-0471.patch \ - file://dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch \ - " - -SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1" -SRC_URI[sha256sum] = "01cdc81c33e77c3d7c40df17e19171794542be7cf12e411381ffcaa8f87b1854" - -- cgit 1.2.3-korg