patch: fix CVE-2018-1000156

* CVE detail: https://nvd.nist.gov/vuln/detail/CVE-2018-1000156 * upstream tracking: https://savannah.gnu.org/bugs/index.php?53566 * Fix arbitrary command execution in ed-style patches: - src/pch.c (do_ed_script): Write ed script to a temporary file instead of piping it to ed: this will cause ed to abort on invalid commands instead of rejecting them and carrying on. - tests/ed-style: New test case. - tests/Makefile.am (TESTS): Add test case. (From OE-Core rev: 6b6ae212837a07aaefd2b675b5b527fbce2a4270) (From OE-Core rev: 413c54e0698589b17976e88fa7ab76e5dbac51aa) Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-02-24 02:19:39 +01:00 · 2018-04-11 14:56:10 +08:00
parent 4240011020
commit 95f831745c
3 changed files with 255 additions and 0 deletions
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -3,6 +3,8 @@ LICENSE = "GPLv3"

 SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0002-Fix-segfault-with-mangled-rename-patch.patch \
+            file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \
+            file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
 "

 SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"