CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz #1222894)
This commit is contained in:
Cole Robinson
parent
d43799b0b3
commit
6fc6504bd8
@ -0,0 +1,50 @@
|
||||
From: Michael Tokarev <mjt@tls.msk.ru>
|
||||
Date: Thu, 28 May 2015 14:12:26 +0300
|
||||
Subject: [PATCH] slirp: use less predictable directory name in /tmp for smb
|
||||
config (CVE-2015-4037)
|
||||
|
||||
In this version I used mkdtemp(3) which is:
|
||||
|
||||
_BSD_SOURCE
|
||||
|| /* Since glibc 2.10: */
|
||||
(_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
|
||||
|
||||
(POSIX.1-2008), so should be available on systems we care about.
|
||||
|
||||
While at it, reset the resulting directory name within smb structure
|
||||
on error so cleanup function wont try to remove directory which we
|
||||
failed to create.
|
||||
|
||||
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
Reviewed-by: Markus Armbruster <armbru@redhat.com>
|
||||
(cherry picked from commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3)
|
||||
---
|
||||
net/slirp.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/net/slirp.c b/net/slirp.c
|
||||
index 9bbed74..3090c10 100644
|
||||
--- a/net/slirp.c
|
||||
+++ b/net/slirp.c
|
||||
@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState *s)
|
||||
static int slirp_smb(SlirpState* s, const char *exported_dir,
|
||||
struct in_addr vserver_addr)
|
||||
{
|
||||
- static int instance;
|
||||
char smb_conf[128];
|
||||
char smb_cmdline[128];
|
||||
struct passwd *passwd;
|
||||
@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, const char *exported_dir,
|
||||
return -1;
|
||||
}
|
||||
|
||||
- snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
|
||||
- (long)getpid(), instance++);
|
||||
- if (mkdir(s->smb_dir, 0700) < 0) {
|
||||
+ snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX");
|
||||
+ if (!mkdtemp(s->smb_dir)) {
|
||||
error_report("could not create samba server dir '%s'", s->smb_dir);
|
||||
+ s->smb_dir[0] = 0;
|
||||
return -1;
|
||||
}
|
||||
snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");
|
||||
@ -40,7 +40,7 @@
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.3.0
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
@ -73,6 +73,9 @@ Patch0001: 0001-configure-Add-support-for-tcmalloc.patch
|
||||
# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access
|
||||
# (bz #1221152)
|
||||
Patch0002: 0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
|
||||
# CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz
|
||||
# #1222894)
|
||||
Patch0003: 0003-slirp-use-less-predictable-directory-name-in-tmp-for.patch
|
||||
|
||||
BuildRequires: SDL2-devel
|
||||
BuildRequires: zlib-devel
|
||||
@ -1187,6 +1190,9 @@ getent passwd qemu >/dev/null || \
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Jun 05 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.0-7
|
||||
- CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz #1222894)
|
||||
|
||||
* Mon Jun 1 2015 Daniel P. Berrange <berrange@redhat.com> - 2:2.3.0-6
|
||||
- Disable tcmalloc on arm since it currently hangs (rhbz #1226806)
|
||||
- Re-enable tests on arm
|
||||
|
||||
Loading…
Reference in New Issue
Block a user