2 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 7cf436783d..f62220a51d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2020-7039-2.patch \
           file://CVE-2020-7039-3.patch \
           file://0001-Add-enable-disable-udev.patch \
+           file://CVE-2020-7211.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
new file mode 100644
index 0000000000..11be4c92e7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
@@ -0,0 +1,46 @@
+From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 13 Jan 2020 17:44:31 +0530
+Subject: [PATCH] slirp: tftp: restrict relative path access
+tftp restricts relative or directory path access on Linux systems.
+Apply same restrictions on Windows systems too. It helps to avoid
+directory traversal issue.
+Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4.patch]
+CVE: CVE-2020-7211
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ slirp/src/tftp.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
+index 093c2e0..e52e71b 100644
+--- a/slirp/src/tftp.c
+++ b/slirp/src/tftp.c
+@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+     k += 6; /* skipping octet */
+ 
+     /* do sanity checks on the filename */
+-    if (!strncmp(req_fname, "../", 3) ||
+-        req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
+    if (
+#ifdef G_OS_WIN32
+        strstr(req_fname, "..\\") ||
+        req_fname[strlen(req_fname) - 1] == '\\' ||
+#endif
+        strstr(req_fname, "../") ||
+        req_fname[strlen(req_fname) - 1] == '/') {
+         tftp_send_error(spt, 2, "Access violation", tp);
+         return;
+     }
+-- 
+2.24.1

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 7cf436783d..f62220a51d 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -34,6 +34,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
34	file://CVE-2020-7039-2.patch \	34	file://CVE-2020-7039-2.patch \
35	file://CVE-2020-7039-3.patch \	35	file://CVE-2020-7039-3.patch \
36	file://0001-Add-enable-disable-udev.patch \	36	file://0001-Add-enable-disable-udev.patch \
		37	file://CVE-2020-7211.patch \
37	"	38	"
38	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	39	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
39		40


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch new file mode 100644 index 0000000000..11be4c92e7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
@@ -0,0 +1,46 @@
		1	From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Mon, 13 Jan 2020 17:44:31 +0530
		4	Subject: [PATCH] slirp: tftp: restrict relative path access
		5
		6	tftp restricts relative or directory path access on Linux systems.
		7	Apply same restrictions on Windows systems too. It helps to avoid
		8	directory traversal issue.
		9
		10	Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
		11	Reported-by: Peter Maydell <peter.maydell@linaro.org>
		12	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		13	Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
		14	Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
		15
		16	Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4.patch]
		17	CVE: CVE-2020-7211
		18	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		19
		20	---
		21	slirp/src/tftp.c \| 9 +++++++--
		22	1 file changed, 7 insertions(+), 2 deletions(-)
		23
		24	diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
		25	index 093c2e0..e52e71b 100644
		26	--- a/slirp/src/tftp.c
		27	+++ b/slirp/src/tftp.c
		28	@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp slirp, struct sockaddr_storage srcsas,
		29	k += 6; /* skipping octet */
		30
		31	/* do sanity checks on the filename */
		32	- if (!strncmp(req_fname, "../", 3) \|\|
		33	- req_fname[strlen(req_fname) - 1] == '/' \|\| strstr(req_fname, "/../")) {
		34	+ if (
		35	+#ifdef G_OS_WIN32
		36	+ strstr(req_fname, "..\\") \|\|
		37	+ req_fname[strlen(req_fname) - 1] == '\\' \|\|
		38	+#endif
		39	+ strstr(req_fname, "../") \|\|
		40	+ req_fname[strlen(req_fname) - 1] == '/') {
		41	tftp_send_error(spt, 2, "Access violation", tp);
		42	return;
		43	}
		44	--
		45	2.24.1
		46