aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYue Tao <Yue.Tao@windriver.com>2014-04-14 12:41:17 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-05-29 13:42:10 +0100
commitf61238b9431e6470d7e76f8c37c51cebe069514a (patch)
treed6cbe32bb082a3b602bce9cfd8b4fd2d46576b9f
parent6a8a9903de24cc7e1f27b1f7202bd4157719327c (diff)
downloadopenembedded-core-contrib-f61238b9431e6470d7e76f8c37c51cebe069514a.tar.gz
openembedded-core-contrib-f61238b9431e6470d7e76f8c37c51cebe069514a.tar.bz2
openembedded-core-contrib-f61238b9431e6470d7e76f8c37c51cebe069514a.zip
Screen: fix for Security Advisory CVE-2009-1214
GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with world-readable permissions, which might allow local users to obtain sensitive session information. (From OE-Core rev: 25a212d0154906e7a05075d015dbc1cfdfabb73a) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Conflicts: meta/recipes-extended/screen/screen_4.0.3.bb
-rw-r--r--meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch86
-rw-r--r--meta/recipes-extended/screen/screen_4.0.3.bb1
2 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch
new file mode 100644
index 0000000000..104fa82dd6
--- /dev/null
+++ b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch
@@ -0,0 +1,86 @@
+Upstream-Status: Backport
+
+The patch to fix CVE-2009-1214
+A security flaw was found in the screen utility in the way it used to create
+one particular temporary file. An attacker could use this flaw to perform
+a symlink attack.
+Fix race condition creating temporary file
+
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=492104
+
+Signed-off-by: Chenyang Guo <chenyang.guo@windriver.com>
+---
+ fileio.c | 48 ++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 32 insertions(+), 16 deletions(-)
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -414,6 +414,14 @@ int dump;
+ }
+ public = !strcmp(fn, DEFAULT_BUFFERFILE);
+ # ifdef HAVE_LSTAT
++ /*
++ * Note: In the time between lstat() and open()/remove() below are
++ * called, the file can be created/removed/modified. Therefore the
++ * information lstat() returns is taken into consideration, but not
++ * relied upon. In particular, the open()/remove() calls can fail, and
++ * the code must account for that. Symlink attack could be mounted if
++ * the code is changed carelessly. --rdancer 2009-01-11
++ */
+ exists = !lstat(fn, &stb);
+ if (public && exists && (S_ISLNK(stb.st_mode) || stb.st_nlink > 1))
+ {
+@@ -432,28 +440,36 @@ int dump;
+ #ifdef COPY_PASTE
+ if (dump == DUMP_EXCHANGE && public)
+ {
++ /*
++ * Setting umask to zero is a bad idea -- the user surely doesn't
++ * expect a publicly readable file in a publicly readable directory
++ * --rdancer 2009-01-11
++ */
++ /*
+ old_umask = umask(0);
++ */
+ # ifdef HAVE_LSTAT
+ if (exists)
+- {
+- if ((fd = open(fn, O_WRONLY, 0666)) >= 0)
+- {
+- if (fstat(fd, &stb2) == 0 && stb.st_dev == stb2.st_dev && stb.st_ino == stb2.st_ino)
+- ftruncate(fd, 0);
+- else
+- {
+- close(fd);
+- fd = -1;
+- }
+- }
+- }
+- else
+- fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0666);
+- f = fd >= 0 ? fdopen(fd, mode) : 0;
++ if (remove(fn) == -1)
++ {
++ /* Error */
++ debug2("WriteFile: File exists and remove(%s) failed: %s\n",
++ fn, strerror(errno));
++ UserReturn(0);
++ }
+ # else
+- f = fopen(fn, mode);
++ (void) remove(fn);
+ # endif
++ /*
++ * No r/w permissions for anybody but the user, as the file may be in
++ * a public directory -- if the user chooses, they can chmod the file
++ * afterwards. --rdancer 2008-01-11
++ */
++ fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0600);
++ f = fd >= 0 ? fdopen(fd, mode) : 0;
++ /*
+ umask(old_umask);
++ */
+ }
+ else
+ #endif /* COPY_PASTE */
diff --git a/meta/recipes-extended/screen/screen_4.0.3.bb b/meta/recipes-extended/screen/screen_4.0.3.bb
index d83dda03c2..81790987fa 100644
--- a/meta/recipes-extended/screen/screen_4.0.3.bb
+++ b/meta/recipes-extended/screen/screen_4.0.3.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz;name=tarball \
${DEBIAN_MIRROR}/main/s/screen/screen_4.0.3-14.diff.gz;name=patch \
file://configure.patch \
file://fix-parallel-make.patch \
+ file://screen-4.0.3-CVE-2009-1214.patch \
${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
PAM_SRC_URI = "file://screen.pam"