From 017697ae1521404b0addf6f3d25ce7985b94ca5c Mon Sep 17 00:00:00 2001
From: Jan-Simon Möller
Date: Wed, 17 Jun 2020 11:49:59 +0200
Subject: Remove outdated layers - meta-oem-extra-libs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As announced in https://lists.automotivelinux.org/g/agl-dev-community/topic/73194818#8265 the layer is outdated and will be removed.

Signed-off-by: Jan-Simon Möller
Change-Id: I65fee2a4fdca1ff97a7308c6d955a062c3830f62
---
 .../recipes-core/libtar/files/CVE-2013-4420.patch | 113 ---------------------
 1 file changed, 113 deletions(-)
 delete mode 100644 meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch
(limited to 'meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch')
diff --git a/meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch b/meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch
deleted file mode 100644
index 477d130f..00000000
--- a/meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-Author: Raphael Geissert
-Bug-Debian: https://bugs.debian.org/731860
-Description: Avoid directory traversal when extracting archives
- by skipping over leading slashes and any prefix containing ".." components.
-Forwarded: yes
-
---- a/lib/decode.c
-+++ b/lib/decode.c
-@@ -22,13 +22,42 @@
- # include
- #endif
-
-+char *
-+safer_name_suffix (char const *file_name)
-+{
-+ char const *p, *t;
-+ p = t = file_name;
-+ while (*p == '/') t = ++p;
-+ while (*p)
-+ {
-+ while (p[0] == '.' && p[0] == p[1] && p[2] == '/')
-+ {
-+ p += 3;
-+ t = p;
-+ }
-+ /* advance pointer past the next slash */
-+ while (*p && (p++)[0] != '/');
-+ }
-+
-+ if (!*t)
-+ {
-+ t = ".";
-+ }
-+
-+ if (t != file_name)
-+ {
-+ /* TODO: warn somehow that the path was modified */
-+ }
-+ return (char*)t;
-+}
-+
-
- /* determine full path name */
- char *
- th_get_pathname(TAR *t)
- {
- if (t->th_buf.gnu_longname)
-- return t->th_buf.gnu_longname;
-+ return safer_name_suffix(t->th_buf.gnu_longname);
-
- /* allocate the th_pathname buffer if not already */
- if (t->th_pathname == NULL)
-@@ -51,7 +80,7 @@ th_get_pathname(TAR *t)
- }
-
- /* will be deallocated in tar_close() */
-- return t->th_pathname;
-+ return safer_name_suffix(t->th_pathname);
- }
-
-
---- a/lib/extract.c
-+++ b/lib/extract.c
-@@ -298,14 +298,14 @@ tar_extract_hardlink(TAR * t, char *real
- if (mkdirhier(dirname(filename)) == -1)
- return -1;
- libtar_hashptr_reset(&hp);
-- if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t),
-+ if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)),
- (libtar_matchfunc_t)libtar_str_match) != 0)
- {
- lnp = (char *)libtar_hashptr_data(&hp);
- linktgt = &lnp[strlen(lnp) + 1];
- }
- else
-- linktgt = th_get_linkname(t);
-+ linktgt = safer_name_suffix(th_get_linkname(t));
-
- #ifdef DEBUG
- printf(" ==> extracting: %s (link to %s)\n", filename, linktgt);
-@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna
-
- #ifdef DEBUG
- printf(" ==> extracting: %s (symlink to %s)\n",
-- filename, th_get_linkname(t));
-+ filename, safer_name_suffix(th_get_linkname(t)));
- #endif
-- if (symlink(th_get_linkname(t), filename) == -1)
-+ if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
- {
- #ifdef DEBUG
- perror("symlink()");
---- a/lib/internal.h
-+++ b/lib/internal.h
-@@ -21,3 +21,4 @@
- #define TLS_THREAD
- #endif
-
-+char* safer_name_suffix(char const*);
---- a/lib/output.c
-+++ b/lib/output.c
-@@ -123,9 +123,9 @@ th_print_long_ls(TAR *t)
- else
- printf(" link to ");
- if ((t->options & TAR_GNU) && t->th_buf.gnu_longlink != NULL)
-- printf("%s", t->th_buf.gnu_longlink);
-+ printf("%s", safer_name_suffix(t->th_buf.gnu_longlink));
- else
-- printf("%.100s", t->th_buf.linkname);
-+ printf("%.100s", safer_name_suffix(t->th_buf.linkname));
- }
-
- putchar('\n');
-- cgit 1.2.3-korg