summaryrefslogtreecommitdiffstats
path: root/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
diff options
context:
space:
mode:
Diffstat (limited to 'external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch')
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch89
1 files changed, 0 insertions, 89 deletions
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
deleted file mode 100644
index 9f2c5d3e..00000000
--- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 7347a04da35ec6284ce83e8bcd72dc4177d17b10 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 13 Dec 2018 13:25:11 +0100
-Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
-
-Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
-While being at it also add O_CLOEXEC.
-
-usb-mtp only handles regular files and directories and ignores
-everything else, so users should not see a difference.
-
-Because qemu ignores symlinks, carrying out a successful symlink attack
-requires swapping an existing file or directory below rootdir for a
-symlink and winning the race against the inotify notification to qemu.
-
-Fixes: CVE-2018-16872
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: Bandan Das <bsd@redhat.com>
-Reported-by: Michael Hanselmann <public@hansmi.ch>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Michael Hanselmann <public@hansmi.ch>
-Message-id: 20181213122511.13853-1-kraxel@redhat.com
-(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-CVE: CVE-2018-16872
-Affects: < 3.1.0
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- hw/usb/dev-mtp.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
-index 899c8a3..f4223fb 100644
---- a/hw/usb/dev-mtp.c
-+++ b/hw/usb/dev-mtp.c
-@@ -649,13 +649,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
- {
- struct dirent *entry;
- DIR *dir;
-+ int fd;
-
- if (o->have_children) {
- return;
- }
- o->have_children = true;
-
-- dir = opendir(o->path);
-+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
-+ if (fd < 0) {
-+ return;
-+ }
-+ dir = fdopendir(fd);
- if (!dir) {
- return;
- }
-@@ -1003,7 +1008,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
-
- trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
-
-- d->fd = open(o->path, O_RDONLY);
-+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
- if (d->fd == -1) {
- usb_mtp_data_free(d);
- return NULL;
-@@ -1027,7 +1032,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
- c->argv[1], c->argv[2]);
-
- d = usb_mtp_data_alloc(c);
-- d->fd = open(o->path, O_RDONLY);
-+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
- if (d->fd == -1) {
- usb_mtp_data_free(d);
- return NULL;
-@@ -1608,7 +1613,7 @@ static void usb_mtp_write_data(MTPState *s)
- 0, 0, 0, 0);
- goto done;
- }
-- d->fd = open(path, O_CREAT | O_WRONLY, mask);
-+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
- if (d->fd == -1) {
- usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
- 0, 0, 0, 0);
---
-2.7.4
-