From 2c595497e43fadd83ea155f632ba69a31fe923fa Mon Sep 17 00:00:00 2001 From: tte_zheng_wenlong Date: Thu, 20 Oct 2016 16:17:50 +0900 Subject: Add software packages for oem needs library MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These recipes is support software packages for oem needs. The librarys include: boost, fixesproto, imagemagick, iptables, Xorg-macros zlib, eglibc(glibc), libcurl, libgif, libneon, mongoose fuse, protocol buffers, bsdiff, module-init-tools libcroco, libtiff, librsvg, libpcap, libtar You can add these librarys by feature 'agl-oem-extra-libs' source meta-agl/scripts/aglsetup.sh -m porter agl-demo [agl-appfw-smack] [agl-devel] [agl-netboot] agl-oem-extra-libs v2[jsmoeller]: - change to ImageMagick recipe (generalize configure append and add dependency) - readd libtar with tarball taken from debian as original git is n/a v3[tte_zheng_wenlong] - add libtar and libtar-dev in packagegroup-ivi-common-core-os-commonlibs.bbappend - modify README.md to explain build command. v4[tte_zheng_wenlong] - modify mongoose license from GPLv2 to MIT. - delete [] for agl-oem-extra-libs for README.md Change-Id: I1f9d2f1c023f332d528918c3f730ee0360a1f497 Signed-off-by: tte_zheng_wenlong Signed-off-by: Jan-Simon Möller --- .../recipes-core/libtar/files/CVE-2013-4420.patch | 113 +++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch (limited to 'meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch') diff --git a/meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch b/meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch new file mode 100644 index 00000000..477d130f --- /dev/null +++ b/meta-oem-extra-libs/recipes-core/libtar/files/CVE-2013-4420.patch 
@@ -0,0 +1,113 @@
+Author: Raphael Geissert
+Bug-Debian: https://bugs.debian.org/731860
+Description: Avoid directory traversal when extracting archives
+ by skipping over leading slashes and any prefix containing ".." components.
+Forwarded: yes
+
+--- a/lib/decode.c
++++ b/lib/decode.c
+@@ -22,13 +22,42 @@
+ # include
+ #endif
+
++char *
++safer_name_suffix (char const *file_name)
++{
++ char const *p, *t;
++ p = t = file_name;
++ while (*p == '/') t = ++p;
++ while (*p)
++ {
++ while (p[0] == '.' && p[0] == p[1] && p[2] == '/')
++ {
++ p += 3;
++ t = p;
++ }
++ /* advance pointer past the next slash */
++ while (*p && (p++)[0] != '/');
++ }
++
++ if (!*t)
++ {
++ t = ".";
++ }
++
++ if (t != file_name)
++ {
++ /* TODO: warn somehow that the path was modified */
++ }
++ return (char*)t;
++}
++
+
+ /* determine full path name */
+ char *
+ th_get_pathname(TAR *t)
+ {
+ if (t->th_buf.gnu_longname)
+- return t->th_buf.gnu_longname;
++ return safer_name_suffix(t->th_buf.gnu_longname);
+
+ /* allocate the th_pathname buffer if not already */
+ if (t->th_pathname == NULL)
+@@ -51,7 +80,7 @@ th_get_pathname(TAR *t)
+ }
+
+ /* will be deallocated in tar_close() */
+- return t->th_pathname;
++ return safer_name_suffix(t->th_pathname);
+ }
+
+
+--- a/lib/extract.c
++++ b/lib/extract.c
+@@ -298,14 +298,14 @@ tar_extract_hardlink(TAR * t, char *real
+ if (mkdirhier(dirname(filename)) == -1)
+ return -1;
+ libtar_hashptr_reset(&hp);
+- if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t),
++ if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)),
+ (libtar_matchfunc_t)libtar_str_match) != 0)
+ {
+ lnp = (char *)libtar_hashptr_data(&hp);
+ linktgt = &lnp[strlen(lnp) + 1];
+ }
+ else
+- linktgt = th_get_linkname(t);
++ linktgt = safer_name_suffix(th_get_linkname(t));
+
+ #ifdef DEBUG
+ printf(" ==> extracting: %s (link to %s)\n", filename, linktgt);
+@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna
+
+ #ifdef DEBUG
+ printf(" ==> extracting: %s (symlink to %s)\n",
+- filename, th_get_linkname(t));
++ filename, safer_name_suffix(th_get_linkname(t)));
+ #endif
+- if (symlink(th_get_linkname(t), filename) == -1)
++ if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
+ {
+ #ifdef DEBUG
+ perror("symlink()");
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -21,3 +21,4 @@
+ #define TLS_THREAD
+ #endif
+
++char* safer_name_suffix(char const*);
+--- a/lib/output.c
++++ b/lib/output.c
+@@ -123,9 +123,9 @@ th_print_long_ls(TAR *t)
+ else
+ printf(" link to ");
+ if ((t->options & TAR_GNU) && t->th_buf.gnu_longlink != NULL)
+- printf("%s", t->th_buf.gnu_longlink);
++ printf("%s", safer_name_suffix(t->th_buf.gnu_longlink));
+ else
+- printf("%.100s", t->th_buf.linkname);
++ printf("%.100s", safer_name_suffix(t->th_buf.linkname));
+ }
+
+ putchar('\n');
-- cgit 1.2.3-korg
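Review bot: In the output.c hunk, `printf("%.100s", safer_name_suffix(t->th_buf.linkname))` loses the bound that `%.100s` used to give the header field: `safer_name_suffix` walks the string with `while (*p)` until a NUL, and the `.100` precision now counts from the returned pointer, so a linkname that fills its (apparently 100-byte, not necessarily NUL-terminated) field is scanned past the field and up to 100 bytes beyond the stripped prefix are printed. Copying the field into a terminated local before sanitizing keeps the read bounded, e.g. `char ln[101]; memcpy(ln, t->th_buf.linkname, 100); ln[100] = '\0';` followed by `printf("%.100s", safer_name_suffix(ln));`. If `th_get_linkname` in the extract.c hunks also hands back the raw header field rather than a terminated copy, the same concern applies there; that cannot be confirmed from this patch. Note also that `safer_name_suffix` may return the string literal "." cast to `char *`, so no caller may write through the result. `th_print_long_ls` starts and ends outside the hunk.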