diff options
Diffstat (limited to 'meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch')
-rw-r--r-- | meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch | 97 |
1 files changed, 0 insertions, 97 deletions
diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch deleted file mode 100644 index 195d309506..0000000000 --- a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch +++ /dev/null @@ -1,97 +0,0 @@ -dpkg: Security Advisory - CVE-2014-0471 - -commit a82651188476841d190c58693f95827d61959b51 upstream - -Directory traversal vulnerability in the unpacking functionality in -dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 -allows remote attackers to write arbitrary files via a crafted source -package, related to "C-style filename quoting." - -Upstream-Status: Backport - -Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> -=================================================== -diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm ---- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm 2014-06-05 15:24:07.422446284 +0800 -+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm 2014-06-05 15:41:37.746446314 +0800 -@@ -324,14 +324,53 @@ - return $line; - } - --# Strip timestamp --sub _strip_ts { -- my $header = shift; -- -- # Tab is the official separator, it's always used when -- # filename contain spaces. Try it first, otherwise strip on space -- # if there's no tab -- $header =~ s/\s.*// unless ($header =~ s/\t.*//); -+my %ESCAPE = (( -+ 'a' => "\a", -+ 'b' => "\b", -+ 'f' => "\f", -+ 'n' => "\n", -+ 'r' => "\r", -+ 't' => "\t", -+ 'v' => "\cK", -+ '\\' => '\\', -+ '"' => '"', -+), ( -+ map { sprintf('%03o', $_) => chr($_) } (0..255) -+)); -+ -+sub _unescape { -+ my ($diff, $str) = @_; -+ -+ if (exists $ESCAPE{$str}) { -+ return $ESCAPE{$str}; -+ } else { -+ error(_g('diff %s patches file with unknown escape sequence \\%s'), -+ $diff, $str); -+ } -+} -+ -+# Fetch the header filename ignoring the optional timestamp -+sub _fetch_filename { -+ my ($diff, $header) = @_; -+ -+ # Strip any leading spaces. -+ $header =~ s/^\s+//; -+ -+ # Is it a C-style string? -+ if ($header =~ m/^"/) { -+ $header =~ m/^"((?:[^\\"]|\\.)*)"/; -+ error(_g('diff %s patches file with unbalanced quote'), $diff) -+ unless defined $1; -+ -+ $header = $1; -+ $header =~ s/\\([0-3][0-7]{2}|.)/_unescape($diff, $1)/eg; -+ } else { -+ # Tab is the official separator, it's always used when -+ # filename contain spaces. Try it first, otherwise strip on space -+ # if there's no tab -+ $header =~ s/\s.*// unless $header =~ s/\t.*//; -+ } -+ - return $header; - } - -@@ -400,7 +439,7 @@ - unless(s/^--- //) { - error(_g("expected ^--- in line %d of diff `%s'"), $., $diff); - } -- $path{old} = $_ = _strip_ts($_); -+ $path{old} = $_ = _fetch_filename($diff, $_); - $fn{old} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/}; - if (/\.dpkg-orig$/) { - error(_g("diff `%s' patches file with name ending .dpkg-orig"), $diff); -@@ -412,7 +451,7 @@ - unless (s/^\+\+\+ //) { - error(_g("line after --- isn't as expected in diff `%s' (line %d)"), $diff, $.); - } -- $path{new} = $_ = _strip_ts($_); -+ $path{new} = $_ = _fetch_filename($diff, $_); - $fn{new} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/}; - - unless (defined $fn{old} or defined $fn{new}) { |