[v3] zip: fix security issues

Submitted by Edwin Plauchu on May 17, 2016, 7:25 p.m. | Patch ID: 122865

Details

Message ID 1463513111-4092-1-git-send-email-edwin.plauchu.camacho@linux.intel.com
State New
Headers show

Commit Message

Edwin Plauchu May 17, 2016, 7:25 p.m.
From: Edwin Plauchu <edwin.plauchu.camacho@intel.com>

This patch avoids zip recipe fails to compile with compiler flags which elevate common string formatting issues into an error (-Wformat -Wformat-security -Werror=format-security).

[YOCTO #9552]

Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
---
 meta/conf/distro/include/security_flags.inc        |  1 -
 .../zip/zip-3.0/fix-security-format.patch          | 42 ++++++++++++++++++++++
 meta/recipes-extended/zip/zip.inc                  |  3 +-
 3 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-extended/zip/zip-3.0/fix-security-format.patch

Patch hide | download patch | download mbox

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index 7a91cec..bb1a398 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -107,7 +107,6 @@  SECURITY_STRINGFORMAT_pn-makedevs = ""
 SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
 SECURITY_STRINGFORMAT_pn-stat = ""
 SECURITY_STRINGFORMAT_pn-unzip = ""
-SECURITY_STRINGFORMAT_pn-zip = ""
 
 TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
diff --git a/meta/recipes-extended/zip/zip-3.0/fix-security-format.patch b/meta/recipes-extended/zip/zip-3.0/fix-security-format.patch
new file mode 100644
index 0000000..fe29d41
--- /dev/null
+++ b/meta/recipes-extended/zip/zip-3.0/fix-security-format.patch
@@ -0,0 +1,42 @@ 
+zip: Fixing security formatting issues
+
+Fix security formatting issues related to printing without NULL argument
+
+zip.c: In function 'help_extended':
+zip.c:1031:5: error: format not a string literal and no format arguments [-Werror=format-security]
+     printf(text[i]);
+     ^
+zip.c: In function 'version_info':
+zip.c:1228:5: error: format not a string literal and no format arguments [-Werror=format-security]
+     printf(cryptnote[i]);
+     ^
+
+[YOCTO #9552]
+[https://bugzilla.yoctoproject.org/show_bug.cgi?id=9552]
+
+Upstream-Status: Pending
+
+Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
+
+diff --git a/zip.c b/zip.c
+index 439821f..d7da768 100644
+--- a/zip.c
++++ b/zip.c
+@@ -1028,7 +1028,7 @@ local void help_extended()
+ 
+   for (i = 0; i < sizeof(text)/sizeof(char *); i++)
+   {
+-    printf(text[i]);
++    fputs(text[i],stdout);
+     putchar('\n');
+   }
+ #ifdef DOS
+@@ -1225,7 +1225,7 @@ local void version_info()
+             CR_MAJORVER, CR_MINORVER, CR_BETA_VER, CR_VERSION_DATE);
+   for (i = 0; i < sizeof(cryptnote)/sizeof(char *); i++)
+   {
+-    printf(cryptnote[i]);
++    fputs(cryptnote[i],stdout);
+     putchar('\n');
+   }
+   ++i;  /* crypt support means there IS at least one compilation option */
diff --git a/meta/recipes-extended/zip/zip.inc b/meta/recipes-extended/zip/zip.inc
index 6221c5e..21985a4 100644
--- a/meta/recipes-extended/zip/zip.inc
+++ b/meta/recipes-extended/zip/zip.inc
@@ -5,7 +5,8 @@  SECTION = "console/utils"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=04d43c5d70b496c032308106e26ae17d"
 
-SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/zip${@d.getVar('PV',1).replace('.', '')}.tgz"
+SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/zip${@d.getVar('PV',1).replace('.', '')}.tgz \
+            file://fix-security-format.patch"
 
 EXTRA_OEMAKE = "'CC=${CC}' 'BIND=${CC}' 'AS=${CC} -c' 'CPP=${CPP}' \
 		'CFLAGS=-I. -DUNIX ${CFLAGS}' 'INSTALL=install' \

Comments

Richard Purdie May 18, 2016, 7:47 p.m.
On Tue, 2016-05-17 at 14:25 -0500, Edwin Plauchu wrote:
> From: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
> 
> This patch avoids zip recipe fails to compile with compiler flags
> which elevate common string formatting issues into an error (-Wformat
> -Wformat-security -Werror=format-security).

In future please wrap the commit log as above and also, when sending a
series of patches like this, please don't allow them all to conflict.

In this case I could edit the patches by hand to make them apply as a
series but I shouldn't need to do that, it should be a series of 3,
with each one applying on top of the previous one.

The patches are in master-next and much improved over the original
versions, thanks.

Cheers,

Richard