ez-ipupdate: patch CVE-2003-0887

Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887 The vulnerability is about the default (example) configurations, which place cache files into the /tmp folder, that is world-writeable. The recommendation would be to place them to a more secure folder. The recipe however does not install these example configurations, and as such it is not vulnerable either. Just to make sure, patch these folders to a non-tmp folder (and also install that folder, empty). Some more discussion about the vulnerability: https://bugzilla.suse.com/show_bug.cgi?id=48161 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-04-02 02:49:12 +00:00 · 2026-02-02 21:22:32 +01:00 · 2026-02-02 21:22:32 +01:00 · dd81ffdb68
commit dd81ffdb68
parent e39458314e
2 changed files with 165 additions and 0 deletions
--- a/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb
+++ b/meta-networking/recipes-connectivity/ez-ipupdate/ez-ipupdate_3.0.11b7.bb
@ -10,8 +10,15 @@ SRC_URI = "http://sourceforge.net/projects/ez-ipupdate/files/${BPN}/${PV}/${BPN}
           file://conf_file.c.patch \
           file://wformat.patch \
           file://0001-ez-ipupdate-Include-time.h-for-time-API-prototype.patch \
           file://CVE-2003-0887.patch \
           "
 SRC_URI[md5sum] = "525be4550b4461fdf105aed8e753b020"
 SRC_URI[sha256sum] = "a15ec0dc0b78ec7578360987c68e43a67bc8d3591cbf528a323588830ae22c20"
 inherit autotools pkgconfig
 do_install:append(){
    install -m 0744 -d ${D}${localstatedir}/lib/ez-ipupdate
 }
 FILES:${PN} += "${localstatedir}/lib/ez-ipupdate"
--- a/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch
+++ b/meta-networking/recipes-connectivity/ez-ipupdate/files/CVE-2003-0887.patch
@ -0,0 +1,158 @@
 From cd8fa738b0ed3b5fb89ac00068fdc2e20c1b6169 Mon Sep 17 00:00:00 2001
 From: Gyorgy Sarvari <skandigraun@gmail.com>
 Date: Mon, 2 Feb 2026 14:03:01 +0100
 Subject: [PATCH] CVE-2003-0887
 The vulnerability is about exmaple config files placing cache files
 into a world-writable directory (/tmp) instead of something more
 secure.
 This patch changes this path to /var/lib/ez-ipupdate, which is
 not world-writable by default.
 CVE: CVE-2003-0887
 Upstream-Status: Inactive-Upstream [lastcommit: 2002]
 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
 ---
 example-dhs.conf       | 2 +-
 example-dyndns.conf    | 2 +-
 example-dyns.conf      | 2 +-
 example-easydns.conf   | 2 +-
 example-gnudip.conf    | 2 +-
 example-heipv6tb.conf  | 2 +-
 example-justlinux.conf | 2 +-
 example-ods.conf       | 2 +-
 example-pgpow.conf     | 2 +-
 example-tzo.conf       | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)
 diff --git a/example-dhs.conf b/example-dhs.conf
 index 3fe9a04..f976ae5 100755
 --- a/example-dhs.conf
 +++ b/example-dhs.conf
@@ -11,7 +11,7 @@ host=mydomain.whatever.com
 interface=eth1
 # if you use run-as ensure the user has permission to write this file
 -cache-file=/tmp/ez-ipupdate.cache
 +cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
 # uncomment this once you have everything working how you want and you are
 # ready to have ez-ipupdate running in the background all the time. to stop it
 diff --git a/example-dyndns.conf b/example-dyndns.conf
 index f539dec..84b4807 100755
 --- a/example-dyndns.conf
 +++ b/example-dyndns.conf
@@ -19,7 +19,7 @@ max-interval=2073600
 #cache-file=/etc/ez-ipupdate.cache.eth1
 # for the mean time we'll just use a cache file in the temp directory
 -cache-file=/tmp/ez-ipupdate.cache
 +cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
 # uncomment this once you have everything working how you want and you are
 # ready to have ez-ipupdate running in the background all the time. to stop it
 diff --git a/example-dyns.conf b/example-dyns.conf
 index 868768d..856a4d7 100644
 --- a/example-dyns.conf
 +++ b/example-dyns.conf
@@ -11,7 +11,7 @@ host=myhost
 #interface=eth1
 # if you use run-as ensure the user has permission to write this file
 -#cache-file=/tmp/ez-ipupdate.cache
 +#cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
 # uncomment this once you have everything working how you want and you are
 # ready to have ez-ipupdate running in the background all the time. to stop it
 diff --git a/example-easydns.conf b/example-easydns.conf
 index 0ff20da..15d9b78 100755
 --- a/example-easydns.conf
 +++ b/example-easydns.conf
@@ -11,7 +11,7 @@ host=mydomain.whatever.com
 interface=eth1
 # if you use run-as ensure the user has permission to write this file
 -cache-file=/tmp/ez-ipupdate.cache
 +cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
 # uncomment this once you have everything working how you want and you are
 # ready to have ez-ipupdate running in the background all the time. to stop it
 diff --git a/example-gnudip.conf b/example-gnudip.conf
 index 3b2fb63..d09df1f 100755
 --- a/example-gnudip.conf
 +++ b/example-gnudip.conf
@@ -15,7 +15,7 @@ max-interval=2073600
 #address=0.0.0.0
 # if you use run-as ensure the user has permission to write this file
 -cache-file=/tmp/ez-ipupdate.cache
 +cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
 # uncomment this once you have everything working how you want and you are
 # ready to have ez-ipupdate running in the background all the time. to stop it
 diff --git a/example-heipv6tb.conf b/example-heipv6tb.conf
 index e31aa9c..3ebc822 100644
 --- a/example-heipv6tb.conf
 +++ b/example-heipv6tb.conf
@@ -18,7 +18,7 @@ max-interval=2073600
 #cache-file=/etc/ez-ipupdate.cache.eth1
 # for the mean time we'll just use a cache file in the temp directory
 -cache-file=/tmp/ez-ipupdate.cache
 +cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
 # uncomment this once you have everything working how you want and you are
 # ready to have ez-ipupdate running in the background all the time. to stop it
 diff --git a/example-justlinux.conf b/example-justlinux.conf
 index 0afeb2c..28b3327 100755
 --- a/example-justlinux.conf
 +++ b/example-justlinux.conf
@@ -11,7 +11,7 @@ host=mydomain.penguinpowered.com
 interface=eth1
 # if you use run-as ensure the user has permission to write this file
 -cache-file=/tmp/ez-ipupdate.cache
 +cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
 # uncomment this once you have everything working how you want and you are
 # ready to have ez-ipupdate running in the background all the time. to stop it
 diff --git a/example-ods.conf b/example-ods.conf
 index d0ff889..7b16f2c 100755
 --- a/example-ods.conf
 +++ b/example-ods.conf
@@ -11,7 +11,7 @@ host=mydomain.ods.org
 interface=eth1
 # if you use run-as ensure the user has permission to write this file
 -cache-file=/tmp/ez-ipupdate.cache
 +cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
 # uncomment this once you have everything working how you want and you are
 # ready to have ez-ipupdate running in the background all the time. to stop it
 diff --git a/example-pgpow.conf b/example-pgpow.conf
 index 29a92d6..81e351b 100755
 --- a/example-pgpow.conf
 +++ b/example-pgpow.conf
@@ -11,7 +11,7 @@ host=mydomain.penguinpowered.com
 interface=eth1
 # if you use run-as ensure the user has permission to write this file
 -cache-file=/tmp/ez-ipupdate.cache
 +cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
 # uncomment this once you have everything working how you want and you are
 # ready to have ez-ipupdate running in the background all the time. to stop it
 diff --git a/example-tzo.conf b/example-tzo.conf
 index 2a71db3..10b8dc4 100755
 --- a/example-tzo.conf
 +++ b/example-tzo.conf
@@ -15,7 +15,7 @@ max-interval=2073600
 interface=eth1
 # if you use run-as ensure the user has permission to write this file
 -cache-file=/tmp/ez-ipupdate.cache
 +cache-file=/var/lib/ez-ipupdate/ez-ipupdate.cache
 # uncomment this once you have everything working how you want and you are
 # ready to have ez-ipupdate running in the background all the time. to stop it