diff --git a/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
new file mode 100644
index 0000000..8b9904f
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/patches/squashfs-4.2-fix-CVE-2012-4024.patch
@@ -0,0 +1,72 @@
+Upstream-Status: Backport
+
+Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
+squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
+
+Fix potential stack overflow in get_component() where an individual
+pathname component in an extract file (specified on the command line
+or in an extract file) could exceed the 1024 byte sized targname
+allocated on the stack.
+
+Fix by dynamically allocating targname rather than storing it as
+a fixed size on the stack.
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+diff -urpN a/unsquashfs.c b/unsquashfs.c
+--- a/unsquashfs.c	2012-11-29 17:04:08.000000000 +0800
++++ b/unsquashfs.c	2012-11-29 17:04:25.000000000 +0800
+@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
+ }
+ 
+ 
+-char *get_component(char *target, char *targname)
++char *get_component(char *target, char **targname)
+ {
++	char *start;
++
+ 	while(*target == '/')
+ 		target ++;
+ 
++	start = target;
+ 	while(*target != '/' && *target!= '\0')
+-		*targname ++ = *target ++;
++		target ++;
+ 
+-	*targname = '\0';
++	*targname = strndup(start, target - start);
+ 
+ 	return target;
+ }
+@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
+ 
+ struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
+ {
+-	char targname[1024];
++	char *targname;
+ 	int i, error;
+ 
+ 	TRACE("add_path: adding \"%s\" extract file\n", target);
+ 
+-	target = get_component(target, targname);
++	target = get_component(target, &targname);
+ 
+ 	if(paths == NULL) {
+ 		paths = malloc(sizeof(struct pathname));
+@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
+ 			sizeof(struct path_entry));
+ 		if(paths->name == NULL)
+ 			EXIT_UNSQUASH("Out of memory in add_path\n");	
+-		paths->name[i].name = strdup(targname);
++		paths->name[i].name = targname;
+ 		paths->name[i].paths = NULL;
+ 		if(use_regex) {
+ 			paths->name[i].preg = malloc(sizeof(regex_t));
+@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
+ 		/*
+ 		 * existing matching entry
+ 		 */
++		free(targname);
++
+ 		if(paths->name[i].paths == NULL) {
+ 			/*
+ 			 * No sub-directory which means this is the leaf
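Review bot: The result of `strndup()` in the new get_component() is stored in `*targname` without a NULL check, so an allocation failure hands a NULL name to add_path(), which either stores it in `paths->name[i].name` or passes it on to whatever name comparison selects the matching-entry branch (that code is outside this hunk). The visible part of add_path() treats allocation failure as fatal through `EXIT_UNSQUASH`, so the same should happen here: add `if(*targname == NULL) EXIT_UNSQUASH("Out of memory in get_component\n");` directly after the `strndup()` call. Ownership of the buffer is now split between the new-entry branch (kept in `paths->name[i].name`) and the matching-entry branch (`free(targname)`), and a comment on get_component() such as `/* *targname is heap-allocated; the caller owns it and must free or keep it */` would make that contract explicit. add_path()'s body continues outside the hunk, so any other exit path there should be checked for the same release.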
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
index c54081b..9922f1e 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.2.bb
@@ -3,6 +3,7 @@
 DESCRIPTION = "Tools to manipulate Squashfs filesystems."
 SECTION = "base"
 LICENSE = "GPL-2 & PD"
+FILESEXTRAPATHS_prepend := "${THISDIR}/patches:"
 LIC_FILES_CHKSUM = "file://../COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
                     file://../../7zC.txt;beginline=12;endline=16;md5=2056cd6d919ebc3807602143c7449a7c \
                    "
@@ -12,6 +13,8 @@ PR = "1"
 SRC_URI = "${SOURCEFORGE_MIRROR}/squashfs/squashfs${PV}.tar.gz;name=squashfs \
            http://downloads.sourceforge.net/sevenzip/lzma465.tar.bz2;name=lzma \
           "
+SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch \
+           " 
 SRC_URI[squashfs.md5sum] = "1b7a781fb4cf8938842279bd3e8ee852"
 SRC_URI[squashfs.sha256sum] = "d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96"
 SRC_URI[lzma.md5sum] = "29d5ffd03a5a3e51aef6a74e9eafb759"
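Review bot: `PR = "1"`, visible in this hunk's header, is left unchanged although the recipe now applies a security patch. On builds that do not use a PR service, the fixed unsquashfs may therefore carry the same package revision as the vulnerable one and not be offered as an upgrade from a package feed; consider bumping it to `PR = "2"`. As a style point, the added `SRC_URI +=` has trailing whitespace after the closing quote and a continuation line that holds nothing, so `SRC_URI += "file://squashfs-4.2-fix-CVE-2012-4024.patch"` on one line is enough.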
