mirror of
https://git.yoctoproject.org/poky
synced 2026-03-01 21:09:39 +01:00
201cfa33fe
Directory traversal vulnerability as described by https://nvd.nist.gov/vuln/detail/CVE-2018-1000073. (From OE-Core rev: 1a0a1785766c12003e3f8848852af84cae203e6b) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
35 lines
988 B
Diff
35 lines
988 B
Diff
From 1b931fc03b819b9a0214be3eaca844ef534175e2 Mon Sep 17 00:00:00 2001
|
|
From: Jonathan Claudius <jclaudius@mozilla.com>
|
|
Date: Wed, 7 Feb 2018 23:54:52 -0500
|
|
Subject: [PATCH] Non-working patch for deducing symlinked base-dirs
|
|
|
|
---
|
|
CVE: CVE-2018-1000073
|
|
|
|
Fixed in ruby 2.7.6.
|
|
|
|
Upstream-Status: Backport [github.com/rubygems/rubygems/commit/1b931fc...]
|
|
|
|
Signed-off-by: Joe Slater <joe.slater@windriver.com>
|
|
|
|
---
|
|
lib/rubygems/package.rb | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
|
|
index dede959..cb9c74a 100644
|
|
--- a/lib/rubygems/package.rb
|
|
+++ b/lib/rubygems/package.rb
|
|
@@ -421,6 +421,8 @@ EOM
|
|
destination_dir = File.expand_path destination_dir
|
|
|
|
destination = File.join destination_dir, filename
|
|
+ destination = File.realpath destination if
|
|
+ File.respond_to? :realpath
|
|
destination = File.expand_path destination
|
|
|
|
raise Gem::Package::PathError.new(destination, destination_dir) unless
|
|
--
|
|
1.7.9.5
|
|
|