Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887

The vulnerability is about the default (example) configurations,
which place cache files into the /tmp folder, which is world-writable.
The recommendation would be to place them in a more secure folder.

The recipe however does not install these example configurations,
and as such it is not vulnerable either.

Just to make sure, patch these folders to a non-tmp folder
(and also install that folder, empty).

Some more discussion about the vulnerability:
https://bugzilla.suse.com/show_bug.cgi?id=48161

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../ez-ipupdate/ez-ipupdate_3.0.11b7.bb       |   7 +
 .../ez-ipupdate/files/CVE-2003-0887.patch     | 158 ++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch

diff --git 
a/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb 
b/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb
index 42ecf9bac4..7a392b2c23 100644
--- a/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb
+++ b/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb
@@ -10,8 +10,15 @@ SRC_URI = 
"http://sourceforge.net/projects/ez-ipupdate/files/${BPN}/${PV}/${BPN}
            file://conf_file.c.patch \
            file://wformat.patch \
            file://0001-ez-ipupdate-Include-time.h-for-time-API-prototype.patch 
\
+           file://CVE-2003-0887.patch \
            "
 SRC_URI[md5sum] = "525be4550b4461fdf105aed8e753b020"
 SRC_URI[sha256sum] = 
"a15ec0dc0b78ec7578360987c68e43a67bc8d3591cbf528a323588830ae22c20"
 
 inherit autotools pkgconfig
+
+do_install:append(){
+    install -m 0744 -d ${D}${localstatedir}/lib/ez-ipupdate
+}
+
+FILES:${PN} += "${localstatedir}/lib/ez-ipupdate"
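Review bot: In do_install:append, `install -m 0744 -d` gives group and others read permission without search (x) permission, which is an unusual mode for a directory; 0755, or 0750 if the cache should not be listable by other users, would be the conventional choice. The command also sets no owner or group, so a configuration that uses run-as will not be able to write the cache file in this directory unless ownership is arranged elsewhere. The example configs' own comment ("if you use run-as ensure the user has permission to write this file") points at the same issue, so it is worth stating in the commit message how that case is meant to work.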
diff --git 
a/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch 
b/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch
new file mode 100644
index 0000000000..813de6a4eb
--- /dev/null
+++ b/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch
@@ -0,0 +1,158 @@
+From cd8fa738b0ed3b5fb89ac00068fdc2e20c1b6169 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Mon, 2 Feb 2026 14:03:01 +0100
+Subject: [PATCH] CVE-2003-0887
+
+The vulnerability is about exmaple config files placing cache files
+into a world-writable directory (/tmp) instead of something more
+secure.
+
+This patch changes this path to /var/lib/ez-ipupdate, which is
+not world-writable by default.
+
+CVE: CVE-2003-0887
+Upstream-Status: Inactive-Upstrean [lastcommit: 2002]]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ example-dhs.conf       | 2 +-
+ example-dyndns.conf    | 2 +-
+ example-dyns.conf      | 2 +-
+ example-easydns.conf   | 2 +-
+ example-gnudip.conf    | 2 +-
+ example-heipv6tb.conf  | 2 +-
+ example-justlinux.conf | 2 +-
+ example-ods.conf       | 2 +-
+ example-pgpow.conf     | 2 +-
+ example-tzo.conf       | 2 +-
+ 10 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/example-dhs.conf b/example-dhs.conf
+index 3fe9a04..f976ae5 100755
+--- a/example-dhs.conf
++++ b/example-dhs.conf
+@@ -11,7 +11,7 @@ host=mydomain.whatever.com
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
++cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-dyndns.conf b/example-dyndns.conf
+index f539dec..84b4807 100755
+--- a/example-dyndns.conf
++++ b/example-dyndns.conf
+@@ -19,7 +19,7 @@ max-interval=2073600
+ #cache-file=/etc/ez-ipupdate.cache.eth1
+ 
+ # for the mean time we'll just use a cache file in the temp directory
+-cache-file=/tmp/ez-ipupdate.cache
++cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-dyns.conf b/example-dyns.conf
+index 868768d..856a4d7 100644
+--- a/example-dyns.conf
++++ b/example-dyns.conf
+@@ -11,7 +11,7 @@ host=myhost
+ #interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-#cache-file=/tmp/ez-ipupdate.cache
++#cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-easydns.conf b/example-easydns.conf
+index 0ff20da..15d9b78 100755
+--- a/example-easydns.conf
++++ b/example-easydns.conf
+@@ -11,7 +11,7 @@ host=mydomain.whatever.com
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
++cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-gnudip.conf b/example-gnudip.conf
+index 3b2fb63..d09df1f 100755
+--- a/example-gnudip.conf
++++ b/example-gnudip.conf
+@@ -15,7 +15,7 @@ max-interval=2073600
+ #address=0.0.0.0
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
++cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-heipv6tb.conf b/example-heipv6tb.conf
+index e31aa9c..3ebc822 100644
+--- a/example-heipv6tb.conf
++++ b/example-heipv6tb.conf
+@@ -18,7 +18,7 @@ max-interval=2073600
+ #cache-file=/etc/ez-ipupdate.cache.eth1
+ 
+ # for the mean time we'll just use a cache file in the temp directory
+-cache-file=/tmp/ez-ipupdate.cache
++cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-justlinux.conf b/example-justlinux.conf
+index 0afeb2c..28b3327 100755
+--- a/example-justlinux.conf
++++ b/example-justlinux.conf
+@@ -11,7 +11,7 @@ host=mydomain.penguinpowered.com
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
++cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-ods.conf b/example-ods.conf
+index d0ff889..7b16f2c 100755
+--- a/example-ods.conf
++++ b/example-ods.conf
+@@ -11,7 +11,7 @@ host=mydomain.ods.org
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
++cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-pgpow.conf b/example-pgpow.conf
+index 29a92d6..81e351b 100755
+--- a/example-pgpow.conf
++++ b/example-pgpow.conf
+@@ -11,7 +11,7 @@ host=mydomain.penguinpowered.com
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
++cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
+diff --git a/example-tzo.conf b/example-tzo.conf
+index 2a71db3..10b8dc4 100755
+--- a/example-tzo.conf
++++ b/example-tzo.conf
+@@ -15,7 +15,7 @@ max-interval=2073600
+ interface=eth1
+ 
+ # if you use run-as ensure the user has permission to write this file
+-cache-file=/tmp/ez-ipupdate.cache
++cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
+ 
+ # uncomment this once you have everything working how you want and you are
+ # ready to have ez-ipupdate running in the background all the time. to stop it
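Review bot: The tag line in the patch header, `Upstream-Status: Inactive-Upstrean [lastcommit: 2002]]`, misspells Inactive-Upstream and carries a stray closing bracket, so tooling that validates the Upstream-Status tag is likely to reject it; it should read `Upstream-Status: Inactive-Upstream [lastcommit: 2002]` (the description above it also has "exmaple"). In the example-dyndns.conf and example-heipv6tb.conf hunks, the context comment "for the mean time we'll just use a cache file in the temp directory" stays directly above the new /var/lib/ez-ipupdate path and no longer matches it; update or drop that comment in the same patch.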