librepo: missing path validation in repomd.xml may lead to directory traversal
Upstream-Status: Acepted [https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600] CVE: CVE-2020-14352 Signed-off-by: Minjae Kim <flower...@gmail.com> --- .../librepo/librepo/CVE-2020-14352.patch | 55 +++++++++++++++++++ .../librepo/librepo_1.11.2.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch diff --git a/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch b/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch new file mode 100644 index 0000000000..8f4c5b73bc --- /dev/null +++ b/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch @@ -0,0 +1,55 @@ +From 6027d68337b537bf9a68cf810cf9b8e40dac22f8 Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel <jro...@redhat.com> +Date: Wed, 12 Aug 2020 08:35:28 +0200 +Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639) + += changelog = +msg: Validate path read from repomd.xml +type: security +resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639 + +Upstream-Status: Acepted [https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600] +CVE: CVE-2020-14352 +Signed-off-by: Minjae Kim <flower...@gmail.com> +--- + librepo/yum.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/librepo/yum.c b/librepo/yum.c +index 3059188..529257b 100644 +--- a/librepo/yum.c ++++ b/librepo/yum.c +@@ -23,6 +23,7 @@ + #define BITS_IN_BYTE 8 + + #include <stdio.h> ++#include <libgen.h> + #include <assert.h> + #include <stdlib.h> + #include <errno.h> +@@ -770,6 +771,22 @@ prepare_repo_download_targets(LrHandle *handle, + continue; + + char *location_href = record->location_href; ++ ++ char *dest_dir = realpath(handle->destdir, NULL); ++ path = lr_pathconcat(handle->destdir, record->location_href, NULL); ++ char *requested_dir = realpath(dirname(path), NULL); ++ lr_free(path); ++ if (!g_str_has_prefix(requested_dir, dest_dir)) { ++ g_debug("%s: Invalid path: %s", __func__, location_href); ++ g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href); ++ g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free); ++ free(requested_dir); ++ free(dest_dir); ++ return FALSE; ++ } ++ free(requested_dir); ++ free(dest_dir); ++ + gboolean is_zchunk = FALSE; + #ifdef WITH_ZCHUNK + if (handle->cachedir && record->header_checksum) +-- +2.17.1 + diff --git a/meta/recipes-devtools/librepo/librepo_1.11.2.bb b/meta/recipes-devtools/librepo/librepo_1.11.2.bb index 6a0a59f865..b1d97eba53 100644 --- a/meta/recipes-devtools/librepo/librepo_1.11.2.bb +++ b/meta/recipes-devtools/librepo/librepo_1.11.2.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "git://github.com/rpm-software-management/librepo.git \ file://0002-Do-not-try-to-obtain-PYTHON_INSTALL_DIR-by-running-p.patch \ file://0004-Set-gpgme-variables-with-pkg-config-not-with-cmake-m.patch \ + file://CVE-2020-14352.patch \ " SRCREV = "67c2d1f83f1bf87be3f26ba730fce7fbdf0c9fba" -- 2.24.3 (Apple Git-128)
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#148882): https://lists.openembedded.org/g/openembedded-core/message/148882 Mute This Topic: https://lists.openembedded.org/mt/81049478/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
