Hi Kai,
I played around with the new meta-security-isafw layer and the cve-check-tool. In readline the cve CVE-2014-2524 is marked as 'missing' by the framework and I was confused to start with, since I saw that this commit was included. But after looking at the actual patch I realized that it only contains a report and not the patch itself. My question is if that is with purpose and due to some decision that the CVE isn't really causing any harm or if it's by mistake? BR Petter Petter Mabäcker Technux <pet...@technux.se> www.technux.se 2014-10-16 11:48 skrev Kai Kang: > The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 > allows local users to create or overwrite arbitrary files via a symlink > attack on a /var/tmp/rltrace.[PID] file. > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2524 [1] > > Signed-off-by: Yue Tao <yue....@windriver.com> > Signed-off-by: Kai Kang <kai.k...@windriver.com> > --- > .../readline/readline-6.3/readline63-003 | 43 ++++++++++++++++++++++ > meta/recipes-core/readline/readline_6.3.bb | 2 + > 2 files changed, 45 insertions(+) > create mode 100644 meta/recipes-core/readline/readline-6.3/readline63-003 > > diff --git a/meta/recipes-core/readline/readline-6.3/readline63-003 b/meta/recipes-core/readline/readline-6.3/readline63-003 > new file mode 100644 > index 0000000..98a9d81 > --- /dev/null > +++ b/meta/recipes-core/readline/readline-6.3/readline63-003 > @@ -0,0 +1,43 @@ > +readline: Security Advisory - readline - CVE-2014-2524 > + > +Upstream-Status: Backport > + > +Signed-off-by: Yue Tao <yue....@windriver.com> > + > + READLINE PATCH REPORT > + ===================== > + > +Readline-Release: 6.3 > +Patch-ID: readline63-003 > + > +Bug-Reported-by: > +Bug-Reference-ID: > +Bug-Reference-URL: > + > +Bug-Description: > + > +There are debugging functions in the readline release that are theoretically > +exploitable as security problems. They are not public functions, but have > +global linkage. > + > +Patch (apply with `patch -p0'): > + > +*** ../readline-6.3/util.c 2013-09-02 13:36:12.000000000 -0400 > +--- util.c 2014-03-20 10:25:53.000000000 -0400 > +*************** > +*** 477,480 **** > +--- 479,483 ---- > + } > + > ++ #if defined (DEBUG) > + #if defined (USE_VARARGS) > + static FILE *_rl_tracefp; > +*************** > +*** 539,542 **** > +--- 542,546 ---- > + } > + #endif > ++ #endif /* DEBUG */ > + > + > + > diff --git a/meta/recipes-core/readline/readline_6.3.bb b/meta/recipes-core/readline/readline_6.3.bb > index aa30f66..2ae73ea 100644 > --- a/meta/recipes-core/readline/readline_6.3.bb > +++ b/meta/recipes-core/readline/readline_6.3.bb > @@ -1,5 +1,7 @@ > require readline.inc > > +SRC_URI_append = " file://readline63-003" > + > SRC_URI[archive.md5sum] = "33c8fb279e981274f485fd91da77e94a" > SRC_URI[archive.sha256sum] = "56ba6071b9462f980c5a72ab0023893b65ba6debb4eeb475d7a563dc65cafd43" > > -- > 1.9.1 Links: ------ [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2524
-- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
