SUSE:SLE-15-SP3:GA
File dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch of Package dmidecode.28623
From: Jean Delvare <jdelvare@suse.de> Date: Mon, 20 Feb 2023 14:53:31 +0100 Subject: dmidecode: Do not let --dump-bin overwrite an existing file Git-commit: 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2 Patch-mainline: 3.5 References: bsc#1210418 CVE-2023-30630 Make sure that the file passed to option --dump-bin does not already exist. In practice, it is rather unlikely that an honest user would want to overwrite an existing dump file, while this possibility could be used by a rogue user to corrupt a system file. Signed-off-by: Jean Delvare <jdelvare@suse.de> Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com> --- dmidecode.c | 14 ++++++++++++-- man/dmidecode.8 | 1 + 2 files changed, 13 insertions(+), 2 deletions(-) --- a/dmidecode.c +++ b/dmidecode.c @@ -60,6 +60,7 @@ * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf */ +#include <fcntl.h> #include <stdio.h> #include <string.h> #include <strings.h> @@ -5152,13 +5153,22 @@ static void dmi_table_string(const struc static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, u32 table_len) { + int fd; FILE *f; - f = fopen(opt.dumpfile, "wb"); + fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666); + if (fd == -1) + { + fprintf(stderr, "%s: ", opt.dumpfile); + perror("open"); + return -1; + } + + f = fdopen(fd, "wb"); if (!f) { fprintf(stderr, "%s: ", opt.dumpfile); - perror("fopen"); + perror("fdopen"); return -1; } --- a/man/dmidecode.8 +++ b/man/dmidecode.8 @@ -129,6 +129,7 @@ hexadecimal and \s-1ASCII\s0. This optio Do not decode the entries, instead dump the DMI data to a file in binary form. The generated file is suitable to pass to \fB--from-dump\fR later. +\fIFILE\fP must not exist. .TP .BR " " " " "--from-dump FILE" Read the DMI data from a binary file previously generated using
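Review bot: In the dmi_table_dump hunk of dmidecode.c, the `if (!f)` branch after `fdopen(fd, "wb")` returns -1 without closing `fd`, so the descriptor leaks and the empty file that `open()` just created is left behind. Because of O_EXCL, a retry with the same file name would then fail with "File exists". Suggest adding `close(fd);` before that `return -1;`, and consider removing the just-created file there as well. A short comment on the `open()` call would also help future readers: O_CREAT|O_EXCL is what makes the call fail when the path already exists, including when its last component is a symbolic link, and that is the property this fix relies on.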
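Review bot: In the man/dmidecode.8 hunk, the added sentence `\fIFILE\fP must not exist.` states the requirement but not the consequence. Suggest saying that --dump-bin fails with an error instead of overwriting when FILE already exists, so users who relied on the old behaviour know to remove or rename the previous dump first. Minor style point: the new line ends the italic run with `\fP`, while the context line just below uses `\fR` (`\fB--from-dump\fR`); using one form consistently would match the rest of the page.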