1 files changed, 49 insertions, 0 deletions

diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch
new file mode 100644
index 00000000..644459e5
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch
@@ -0,0 +1,49 @@
+From 61f87388af0af72ad61dee00ddd267b8047049f2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 Dec 2018 11:10:45 +0100
+Subject: [PATCH] usb-mtp: outlaw slashes in filenames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Slash is unix directory separator, so they are not allowed in filenames.
+Note this also stops the classic escape via "../".
+
+Fixes: CVE-2018-16867
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20181203101045.27976-3-kraxel@redhat.com
+(cherry picked from commit c52d46e041b42bb1ee6f692e00a0abe37a9659f6)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-16867
+Affects: < 3.1.0
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/dev-mtp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 1ded7ac..899c8a3 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -1667,6 +1667,12 @@ static void usb_mtp_write_metadata(MTPState *s)
+ 
+     utf16_to_str(dataset->length, dataset->filename, filename);
+ 
++    if (strchr(filename, '/')) {
++        usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
++                             0, 0, 0, 0);
++        return;
++    }
++
+     o = usb_mtp_object_lookup_name(p, filename, dataset->length);
+     if (o != NULL) {
+         next_handle = o->handle;
+-- 
+2.7.4
+