packages/util-linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!227 [sync] PR-220: wall: fix escape sequence Injection

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @openeuler-basic 
Signed-off-by: @openeuler-basic
This commit is contained in:
openeuler-ci-bot 2024-04-15 13:10:08 +00:00 committed by Gitee
commit d9245c91fe
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 68 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
backport-CVE-2024-28085.patch Normal file
View File

@ -0,0 +1,29 @@
From 404b0781f52f7c045ca811b2dceec526408ac253 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Thu, 21 Mar 2024 11:16:20 +0100
Subject: [PATCH] wall: fix escape sequence Injection [CVE-2024-28085]
Let's use for all cases the same output function.
Reported-by: Skyler Ferrante <sjf5462@rit.edu>
Signed-off-by: Karel Zak <kzak@redhat.com>
---
term-utils/wall.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/term-utils/wall.c b/term-utils/wall.c
index f894a32f8..588d3a963 100644
--- a/term-utils/wall.c
+++ b/term-utils/wall.c
@@ -368,7 +368,7 @@ static char *makemsg(char *fname, char **mvec, int mvecsz,
int i;
for (i = 0; i < mvecsz; i++) {
- fputs(mvec[i], fs);
+ fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH);
if (i < mvecsz - 1)
fputc(' ', fs);
}
--
2.33.0

30
backport-tests-test_mkfds-netlink-pass-a-correct-file-descrip.patch Normal file
View File

@ -0,0 +1,30 @@
From acdba9c454506cdd29ac400df3f72bde4c74647d Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com>
Date: Wed, 3 Apr 2024 00:01:27 +0900
Subject: [PATCH] tests: (test_mkfds::netlink) pass a correct file descriptor
to bind(2)
Close #2901
The original code passed a closed file descriptor to bind(2).
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
tests/helpers/test_mkfds.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/helpers/test_mkfds.c b/tests/helpers/test_mkfds.c
index dd0a128a8..28ed3bffc 100644
--- a/tests/helpers/test_mkfds.c
+++ b/tests/helpers/test_mkfds.c
@@ -2293,6 +2293,7 @@ static void *make_netlink(const struct factory *factory, struct fdesc fdescs[],
err(EXIT_FAILURE, "failed to dup %d -> %d", sd, fdescs[0].fd);
}
close(sd);
+ sd = fdescs[0].fd;
}
struct sockaddr_nl nl;
--
2.33.0

10
util-linux.spec
View File

@ -3,7 +3,7 @@
Name: util-linux Name: util-linux
Version: 2.39.1 Version: 2.39.1
Release: 4 Release: 5
Summary: A random collection of Linux utilities Summary: A random collection of Linux utilities
License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git
@ -26,6 +26,8 @@ Patch6004: backport-fadvise-tests-factor-out-calls-to-fincore.patch
Patch6005: backport-fadvise-test-don-t-compare-fincore-page-counts.patch Patch6005: backport-fadvise-test-don-t-compare-fincore-page-counts.patch
Patch6006: backport-fadvise-test-test-with-64k-blocks.patch Patch6006: backport-fadvise-test-test-with-64k-blocks.patch
Patch6007: backport-tests-lsfd-mkfds-alter-the-L4-ports-for-avo.patch Patch6007: backport-tests-lsfd-mkfds-alter-the-L4-ports-for-avo.patch
Patch6008: backport-CVE-2024-28085.patch
Patch6009: backport-tests-test_mkfds-netlink-pass-a-correct-file-descrip.patch
Patch9000: SKIPPED-no-root-permissions-test.patch Patch9000: SKIPPED-no-root-permissions-test.patch
%ifarch sw_64 %ifarch sw_64
@ -410,6 +412,12 @@ fi
%endif %endif
%changelog %changelog
* Sun Apr 7 2024 zhangyao <zhangyao108@huawei.com> - 2.39.1-5
- Type:CVE
- CVE:CVE-2024-28085
- SUG:NA
- DESC:fix CVE-2024-28085 and solve test_mkfds::netlink failed
* Fri Dec 1 2023 jiahua.yu <jiahua.yu@shingroup.cn> - 2.39.1-4 * Fri Dec 1 2023 jiahua.yu <jiahua.yu@shingroup.cn> - 2.39.1-4
- Type:update - Type:update
- CVE:NA - CVE:NA