* [PATCH 0/2] Fixes rpm: CVE-2014-8118 & CVE-2013-6435
@ 2015-06-11 7:45 leonardo.sandoval.gonzalez
2015-06-11 7:45 ` [PATCH 1/2] rpm: Fix CVE-2014-8118 leonardo.sandoval.gonzalez
2015-06-11 7:45 ` [PATCH 2/2] rpm: Fix CVE-2013-6435 leonardo.sandoval.gonzalez
0 siblings, 2 replies; 3+ messages in thread
From: leonardo.sandoval.gonzalez @ 2015-06-11 7:45 UTC (permalink / raw)
To: openembedded-core
From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Backport fixes for rpm: CVE-2014-8118 & CVE-2013-6435
These two patches only apply on RPM 4.11.2 (already present on RPM 5.4.*).
https://bugzilla.yoctoproject.org/show_bug.cgi?id=7181
The following changes since commit 062678c4ab88fa94ed38efa6520c3b4e2d88ca73:
sysvinit: Only enable recipe in builds where its applicable (2015-06-10 12:03:19 +0100)
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib lsandov1/rpm-vulnerabilities
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=lsandov1/rpm-vulnerabilities
Leonardo Sandoval (2):
rpm: Fix CVE-2014-8118
rpm: Fix CVE-2013-6435
.../rpm/rpm/rpm-CVE-2013-6435.patch | 109 +++++++++++++++++++++
.../rpm/rpm/rpm-CVE-2014-8118.patch | 43 ++++++++
meta/recipes-devtools/rpm/rpm_4.11.2.bb | 2 +
3 files changed, 154 insertions(+)
create mode 100644 meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
create mode 100644 meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
--
1.8.4.5
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/2] rpm: Fix CVE-2014-8118
2015-06-11 7:45 [PATCH 0/2] Fixes rpm: CVE-2014-8118 & CVE-2013-6435 leonardo.sandoval.gonzalez
@ 2015-06-11 7:45 ` leonardo.sandoval.gonzalez
2015-06-11 7:45 ` [PATCH 2/2] rpm: Fix CVE-2013-6435 leonardo.sandoval.gonzalez
1 sibling, 0 replies; 3+ messages in thread
From: leonardo.sandoval.gonzalez @ 2015-06-11 7:45 UTC (permalink / raw)
To: openembedded-core
From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Backport patch to fix CVE-2014-8118. Description is on [1] and
original patch taken from [2].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1168715
[2] https://bugzilla.redhat.com/attachment.cgi?id=962159
[YOCTO #7181]
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
---
.../rpm/rpm/rpm-CVE-2014-8118.patch | 43 ++++++++++++++++++++++
meta/recipes-devtools/rpm/rpm_4.11.2.bb | 1 +
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
new file mode 100644
index 0000000..bf1795c
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
@@ -0,0 +1,43 @@
+From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
+From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+Date: Wed, 10 Jun 2015 12:56:55 +0000
+Subject: [PATCH 1/2] rpm: CVE-2014-8118
+
+Upstream-Status: Backport
+
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=1168715
+
+Description:
+It was found that RPM could encounter an integer overflow,
+leading to a stack-based overflow, while parsing a crafted
+CPIO header in the payload section of an RPM file. This could
+allow an attacker to modify signed RPM files in such a way that
+they would execute code chosen by the attacker during package
+installation.
+
+Original Patch:
+https://bugzilla.redhat.com/attachment.cgi?id=962159
+
+Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+---
+ lib/cpio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/cpio.c b/lib/cpio.c
+index 382eeb6..74ddd9c 100644
+--- a/lib/cpio.c
++++ b/lib/cpio.c
+@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
+ st->st_rdev = makedev(major, minor);
+
+ GET_NUM_FIELD(hdr.namesize, nameSize);
++ if (nameSize <= 0 || nameSize > 4096) {
++ return CPIOERR_BAD_HEADER;
++ }
+
+ *path = xmalloc(nameSize + 1);
+ read = Fread(*path, nameSize, 1, cpio->fd);
+--
+1.8.4.5
+
diff --git a/meta/recipes-devtools/rpm/rpm_4.11.2.bb b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
index 4e44bc4..7c402b6 100644
--- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -34,6 +34,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
file://fix_libdir.patch \
file://rpm-scriptetexechelp.patch \
file://pythondeps.sh \
+ file://rpm-CVE-2014-8118.patch \
"
SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"
--
1.8.4.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] rpm: Fix CVE-2013-6435
2015-06-11 7:45 [PATCH 0/2] Fixes rpm: CVE-2014-8118 & CVE-2013-6435 leonardo.sandoval.gonzalez
2015-06-11 7:45 ` [PATCH 1/2] rpm: Fix CVE-2014-8118 leonardo.sandoval.gonzalez
@ 2015-06-11 7:45 ` leonardo.sandoval.gonzalez
1 sibling, 0 replies; 3+ messages in thread
From: leonardo.sandoval.gonzalez @ 2015-06-11 7:45 UTC (permalink / raw)
To: openembedded-core
From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Backport to fix CVE-2013-6435. Description on [1] and original
patch taken from [2].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
[2] https://bugzilla.redhat.com/attachment.cgi?id=956207
[YOCTO #7181]
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
---
.../rpm/rpm/rpm-CVE-2013-6435.patch | 109 +++++++++++++++++++++
meta/recipes-devtools/rpm/rpm_4.11.2.bb | 1 +
2 files changed, 110 insertions(+)
create mode 100644 meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
new file mode 100644
index 0000000..b107e8f
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
@@ -0,0 +1,109 @@
+From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
+From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+Date: Wed, 10 Jun 2015 14:36:56 +0000
+Subject: [PATCH 2/2] rpm: CVE-2013-6435
+
+Upstream-Status: Backport
+
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
+
+Description:
+It was found that RPM wrote file contents to the target installation
+directory under a temporary name, and verified its cryptographic signature
+only after the temporary file has been written completely. Under certain
+conditions, the system interprets the unverified temporary file contents
+and extracts commands from it. This could allow an attacker to modify
+signed RPM files in such a way that they would execute code chosen
+by the attacker during package installation.
+
+Original Patch:
+https://bugzilla.redhat.com/attachment.cgi?id=956207
+
+Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+---
+ lib/fsm.c | 2 +-
+ rpmio/rpmio.c | 18 ++++++++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 1ee7e67..094eb1d 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
+ {
+ FD_t wfd = NULL;
+ const struct stat * st = &fsm->sb;
+- rpm_loff_t left = st->st_size;
++ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
+ const unsigned char * fidigest = NULL;
+ pgpHashAlgo digestalgo = 0;
+ int rc = 0;
+diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
+index cd223e8..0b12e31 100644
+--- a/rpmio/rpmio.c
++++ b/rpmio/rpmio.c
+@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
+ * - bzopen: [1-9] is block size (modulo 100K)
+ * - bzopen: 's' is smallmode
+ * - HACK: '.' terminates, rest is type of I/O
++ * - 'U' sets *mode to zero (no permissions) instead of 0666
+ */
+ static void cvtfmode (const char *m,
+ char *stdio, size_t nstdio,
+ char *other, size_t nother,
+- const char **end, int * f)
++ const char **end, int *f, mode_t *mode)
+ {
+ int flags = 0;
+ char c;
+
++ if (mode)
++ *mode = 0666;
++
+ switch (*m) {
+ case 'a':
+ flags |= O_WRONLY | O_CREAT | O_APPEND;
+@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
+ if (--nstdio > 0) *stdio++ = c;
+ continue;
+ break;
++ case 'U':
++ if (mode)
++ *mode = 0;
++ break;
+ default:
+ if (--nother > 0) *other++ = c;
+ continue;
+@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
+ if (fd == NULL || fmode == NULL)
+ return NULL;
+
+- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
++ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
++ NULL);
+ if (stdio[0] == '\0')
+ return NULL;
+ zstdio[0] = '\0';
+@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode)
+ {
+ char stdio[20], other[20];
+ const char *end = NULL;
+- mode_t perms = 0666;
++ mode_t perms;
+ int flags = 0;
+ FD_t fd;
+
+@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode)
+ return NULL;
+
+ stdio[0] = '\0';
+- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
++ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
++ &perms);
+ if (stdio[0] == '\0')
+ return NULL;
+
+--
+1.8.4.5
+
diff --git a/meta/recipes-devtools/rpm/rpm_4.11.2.bb b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
index 7c402b6..df9aafb 100644
--- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -35,6 +35,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
file://rpm-scriptetexechelp.patch \
file://pythondeps.sh \
file://rpm-CVE-2014-8118.patch \
+ file://rpm-CVE-2013-6435.patch \
"
SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"
--
1.8.4.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-06-11 15:49 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-06-11 7:45 [PATCH 0/2] Fixes rpm: CVE-2014-8118 & CVE-2013-6435 leonardo.sandoval.gonzalez
2015-06-11 7:45 ` [PATCH 1/2] rpm: Fix CVE-2014-8118 leonardo.sandoval.gonzalez
2015-06-11 7:45 ` [PATCH 2/2] rpm: Fix CVE-2013-6435 leonardo.sandoval.gonzalez
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox