It looks like not all the parts required for fixing CVE-2011-5325 made it into oe-core master before the recipe was upgraded to the upstream fixed version.
The partial fix meant that symlinks deemed unsafe enough to delay were never actually realized. This backport from upstream fixes the problem. --- .../busybox/busybox/CVE-2011-5325-fix2.patch | 32 +++++++++++++++++++ meta/recipes-core/busybox/busybox_1.27.2.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2011-5325-fix2.patch diff --git a/meta/recipes-core/busybox/busybox/CVE-2011-5325-fix2.patch b/meta/recipes-core/busybox/busybox/CVE-2011-5325-fix2.patch new file mode 100644 index 0000000000..85218a7427 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2011-5325-fix2.patch @@ -0,0 +1,32 @@ +From d9503224c8a93a30b0c8627084b2744d3ee6f403 Mon Sep 17 00:00:00 2001 +From: Natanael Copa <[email protected]> +Date: Fri, 30 Mar 2018 20:18:12 +0200 +Subject: [PATCH] cpio: extract "unsafe" symlinks the same way tar/unzip does + +function old new delta +cpio_main 588 596 +8 + +Signed-off-by: Natanael Copa <[email protected]> +Signed-off-by: Denys Vlasenko <[email protected]> + +Upstream-Status: Backport from 1.29.0 [https://git.busybox.net/busybox/commit/?id=d9503224c8a93a30b0c8627084b2744d3ee6f403] + +--- + archival/cpio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/archival/cpio.c b/archival/cpio.c +index 1d6cbd1e2..308ec1b25 100644 +--- a/archival/cpio.c ++++ b/archival/cpio.c +@@ -508,6 +508,8 @@ int cpio_main(int argc UNUSED_PARAM, char **argv) + while (get_header_cpio(archive_handle) == EXIT_SUCCESS) + continue; + ++ create_symlinks_from_list(archive_handle->symlink_placeholders); ++ + if (archive_handle->cpio__blocks != (off_t)-1 + && !(opt & OPT_QUIET) + ) { +-- +2.20.1 diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb index 716a0650fc..b127e3d375 100644 --- a/meta/recipes-core/busybox/busybox_1.27.2.bb +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb 
@@ -44,6 +44,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://makefile-libbb-race.patch \ file://CVE-2011-5325.patch \ file://CVE-2011-5325-fix.patch \ + file://CVE-2011-5325-fix2.patch \ file://CVE-2017-15873.patch \ file://busybox-CVE-2017-16544.patch \ file://busybox-fix-lzma-segfaults.patch \ -- 2.20.1 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
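Review bot: In the archival/cpio.c hunk, the new `create_symlinks_from_list(archive_handle->symlink_placeholders);` call sits after the `while (get_header_cpio(archive_handle) == EXIT_SUCCESS)` loop, so the deferred symlinks are only created once every other archive entry has been written out; that ordering is the point of the deferral and matches the subject line's "the same way tar/unzip does". The hunk only builds, however, if `symlink_placeholders` and `create_symlinks_from_list()` are already present in the 1.27.2 tree, which the earlier CVE-2011-5325.patch and CVE-2011-5325-fix.patch in the recipe presumably supply; the commit message should state that fix2 depends on both being applied first. The patch header has Upstream-Status with the upstream commit URL but no `CVE: CVE-2011-5325` line, which oe-core's cve-check tooling uses to credit a patch to a CVE; suggest adding one next to Upstream-Status.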
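Review bot: In the busybox_1.27.2.bb hunk, `file://CVE-2011-5325-fix2.patch \` is inserted directly after `file://CVE-2011-5325-fix.patch \`, so the three CVE-2011-5325 patches stay adjacent and apply in order, which is what the cpio.c change needs. Since the recipe now carries three separate patches for one CVE, and the commit message already says the earlier two were only a partial fix, it would help future rebases to mention in the recipe (a comment above the three `file://` lines) or in the commit message that the fix is complete only with all three, so none of them is dropped as apparently redundant.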
