diff options
Diffstat (limited to 'external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch')
-rw-r--r-- | external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch new file mode 100644 index 00000000..644459e5 --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch @@ -0,0 +1,49 @@ +From 61f87388af0af72ad61dee00ddd267b8047049f2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 3 Dec 2018 11:10:45 +0100 +Subject: [PATCH] usb-mtp: outlaw slashes in filenames +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Slash is unix directory separator, so they are not allowed in filenames. +Note this also stops the classic escape via "../". + +Fixes: CVE-2018-16867 +Reported-by: Michael Hanselmann <public@hansmi.ch> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-id: 20181203101045.27976-3-kraxel@redhat.com +(cherry picked from commit c52d46e041b42bb1ee6f692e00a0abe37a9659f6) +Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> + +Upstream-Status: Backport +CVE: CVE-2018-16867 +Affects: < 3.1.0 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + hw/usb/dev-mtp.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c +index 1ded7ac..899c8a3 100644 +--- a/hw/usb/dev-mtp.c ++++ b/hw/usb/dev-mtp.c +@@ -1667,6 +1667,12 @@ static void usb_mtp_write_metadata(MTPState *s) + + utf16_to_str(dataset->length, dataset->filename, filename); + ++ if (strchr(filename, '/')) { ++ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, ++ 0, 0, 0, 0); ++ return; ++ } ++ + o = usb_mtp_object_lookup_name(p, filename, dataset->length); + if (o != NULL) { + next_handle = o->handle; +-- +2.7.4 + |