Diffstat (limited to 'meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch')
-rw-r--r--meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch68
1 files changed, 0 insertions, 68 deletions
diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch
deleted file mode 100644
index e59c666..0000000
--- a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471-CVE-2014-3127.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-dpkg: Security Advisory - CVE-2014-3127
-
-commit a12eb58959d0a10584a428f4a3103a49204c410f upstream
-
-dpkg 1.15.9 on Debian squeeze introduces support for the "C-style
-encoded filenames" feature without recognizing that the squeeze patch
-program lacks this feature, which triggers an interaction error that
-allows remote attackers to conduct directory traversal attacks and
-modify files outside of the intended directories via a crafted source
-package.
-
-NOTE: this can be considered a release engineering problem in the
-effort to fix CVE-2014-0471.
-
-Upstream-Status: Backport
-
-Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-=====================================================
-diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm
---- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm 2014-06-05 16:32:41.765446564 +0800
-+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm 2014-06-05 16:37:21.461446359 +0800
-@@ -324,31 +324,6 @@
- return $line;
- }
-
--my %ESCAPE = ((
-- 'a' => "\a",
-- 'b' => "\b",
-- 'f' => "\f",
-- 'n' => "\n",
-- 'r' => "\r",
-- 't' => "\t",
-- 'v' => "\cK",
-- '\\' => '\\',
-- '"' => '"',
--), (
-- map { sprintf('%03o', $_) => chr($_) } (0..255)
--));
--
--sub _unescape {
-- my ($diff, $str) = @_;
--
-- if (exists $ESCAPE{$str}) {
-- return $ESCAPE{$str};
-- } else {
-- error(_g('diff %s patches file with unknown escape sequence \\%s'),
-- $diff, $str);
-- }
--}
--
- # Fetch the header filename ignoring the optional timestamp
- sub _fetch_filename {
- my ($diff, $header) = @_;
-@@ -358,12 +333,7 @@
-
- # Is it a C-style string?
- if ($header =~ m/^"/) {
-- $header =~ m/^"((?:[^\\"]|\\.)*)"/;
-- error(_g('diff %s patches file with unbalanced quote'), $diff)
-- unless defined $1;
--
-- $header = $1;
-- $header =~ s/\\([0-3][0-7]{2}|.)/_unescape($diff, $1)/eg;
-+ error(_g('diff %s patches file with C-style encoded filename'), $diff);
- } else {
- # Tab is the official separator, it's always used when
- # filename contain spaces. Try it first, otherwise strip on space