[prev in list] [next in list] [prev in thread] [next in thread]
List: openembedded-core
Subject: [OE-core] [PATCH] librepo: fix CVE-2020-14352
From: "Minjae Kim" <flowergom () gmail ! com>
Date: 2021-02-28 12:50:22
Message-ID: 20210228125022.1211-1-flowergom () gmail ! com
[Download RAW message or body]
Content-Transfer-Encoding: 8bit
librepo: missing path validation in repomd.xml may lead to directory traversal
Upstream-Status: Acepted \
[https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600]
CVE: CVE-2020-14352
Signed-off-by: Minjae Kim <flowergom@gmail.com>
---
.../librepo/librepo/CVE-2020-14352.patch | 55 +++++++++++++++++++
.../librepo/librepo_1.11.2.bb | 1 +
2 files changed, 56 insertions(+)
create mode 100644 meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch
diff --git a/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch \
b/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch new file mode 100644
index 0000000000..8f4c5b73bc
--- /dev/null
+++ b/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch
@@ -0,0 +1,55 @@
+From 6027d68337b537bf9a68cf810cf9b8e40dac22f8 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Wed, 12 Aug 2020 08:35:28 +0200
+Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639)
+
+= changelog =
+msg: Validate path read from repomd.xml
+type: security
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639
+
+Upstream-Status: Acepted \
[https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600]
+CVE: CVE-2020-14352
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ librepo/yum.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/librepo/yum.c b/librepo/yum.c
+index 3059188..529257b 100644
+--- a/librepo/yum.c
++++ b/librepo/yum.c
+@@ -23,6 +23,7 @@
+ #define BITS_IN_BYTE 8
+
+ #include <stdio.h>
++#include <libgen.h>
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <errno.h>
+@@ -770,6 +771,22 @@ prepare_repo_download_targets(LrHandle *handle,
+ continue;
+
+ char *location_href = record->location_href;
++
++ char *dest_dir = realpath(handle->destdir, NULL);
++ path = lr_pathconcat(handle->destdir, record->location_href, NULL);
++ char *requested_dir = realpath(dirname(path), NULL);
++ lr_free(path);
++ if (!g_str_has_prefix(requested_dir, dest_dir)) {
++ g_debug("%s: Invalid path: %s", __func__, location_href);
++ g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", \
location_href); ++ g_slist_free_full(*targets, (GDestroyNotify) \
lr_downloadtarget_free); ++ free(requested_dir);
++ free(dest_dir);
++ return FALSE;
++ }
++ free(requested_dir);
++ free(dest_dir);
++
+ gboolean is_zchunk = FALSE;
+ #ifdef WITH_ZCHUNK
+ if (handle->cachedir && record->header_checksum)
+--
+2.17.1
+
diff --git a/meta/recipes-devtools/librepo/librepo_1.11.2.bb \
b/meta/recipes-devtools/librepo/librepo_1.11.2.bb index 6a0a59f865..b1d97eba53 100644
--- a/meta/recipes-devtools/librepo/librepo_1.11.2.bb
+++ b/meta/recipes-devtools/librepo/librepo_1.11.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = \
"file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRC_URI = \
"git://github.com/rpm-software-management/librepo.git \
file://0002-Do-not-try-to-obtain-PYTHON_INSTALL_DIR-by-running-p.patch \
file://0004-Set-gpgme-variables-with-pkg-config-not-with-cmake-m.patch \
+ file://CVE-2020-14352.patch \
"
SRCREV = "67c2d1f83f1bf87be3f26ba730fce7fbdf0c9fba"
--
2.24.3 (Apple Git-128)
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#148737): https://lists.openembedded.org/g/openembedded-core/message/148737
Mute This Topic: https://lists.openembedded.org/mt/80971340/4454766
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [openembedded-core@marc.info]
-=-=-=-=-=-=-=-=-=-=-=-
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic