authorLeonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>2015-06-10 14:58:38 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-06-23 11:47:40 +0100
commitdb34474679587502fe0b6a0a5cd72351e29991a2 (patch)
treef670f575f56e1424761713d73a71634b2a90e9e1
parent3886107521ed64d72afb93bfc123f2b81bc4e959 (diff)
downloadpoky-db34474679587502fe0b6a0a5cd72351e29991a2.tar.gz
rpm: Fix CVE-2013-6435
Backport to fix CVE-2013-6435. Description on [1] and original patch taken from [2]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435 [2] https://bugzilla.redhat.com/attachment.cgi?id=956207 [YOCTO #7181] (From OE-Core rev: 6bf846ed5ccd1a4d01b36630708b2b9aa9e69ed5) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch109
-rw-r--r--meta/recipes-devtools/rpm/rpm_4.11.2.bb1
2 files changed, 110 insertions, 0 deletions
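--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
@@ -0,0 +1,109 @@
+From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
+From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+Date: Wed, 10 Jun 2015 14:36:56 +0000
+Subject: [PATCH 2/2] rpm: CVE-2013-6435
+
+Upstream-Status: Backport
+
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
+
+Description:
+It was found that RPM wrote file contents to the target installation
+directory under a temporary name, and verified its cryptographic signature
+only after the temporary file has been written completely. Under certain
+conditions, the system interprets the unverified temporary file contents
+and extracts commands from it. This could allow an attacker to modify
+signed RPM files in such a way that they would execute code chosen
+by the attacker during package installation.
+
+Original Patch:
+https://bugzilla.redhat.com/attachment.cgi?id=956207
+
+Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+---
+ lib/fsm.c | 2 +-
+ rpmio/rpmio.c | 18 ++++++++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 1ee7e67..094eb1d 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
+ {
+ FD_t wfd = NULL;
+ const struct stat * st = &fsm->sb;
+- rpm_loff_t left = st->st_size;
++ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
+ const unsigned char * fidigest = NULL;
+ pgpHashAlgo digestalgo = 0;
+ int rc = 0;
+diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
+index cd223e8..0b12e31 100644
+--- a/rpmio/rpmio.c
++++ b/rpmio/rpmio.c
+@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
+ * - bzopen: [1-9] is block size (modulo 100K)
+ * - bzopen: 's' is smallmode
+ * - HACK: '.' terminates, rest is type of I/O
++ * - 'U' sets *mode to zero (no permissions) instead of 0666
+ */
+ static void cvtfmode (const char *m,
+ char *stdio, size_t nstdio,
+ char *other, size_t nother,
+- const char **end, int * f)
++ const char **end, int *f, mode_t *mode)
+ {
+ int flags = 0;
+ char c;
+
++ if (mode)
++ *mode = 0666;
++
+ switch (*m) {
+ case 'a':
+ flags |= O_WRONLY | O_CREAT | O_APPEND;
+@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
+ if (--nstdio > 0) *stdio++ = c;
+ continue;
+ break;
++ case 'U':
++ if (mode)
++ *mode = 0;
++ break;
+ default:
+ if (--nother > 0) *other++ = c;
+ continue;
+@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
+ if (fd == NULL || fmode == NULL)
+ return NULL;
+
+- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
++ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
++ NULL);
+ if (stdio[0] == '\0')
+ return NULL;
+ zstdio[0] = '\0';
+@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode)
+ {
+ char stdio[20], other[20];
+ const char *end = NULL;
+- mode_t perms = 0666;
++ mode_t perms;
+ int flags = 0;
+ FD_t fd;
+
+@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode)
+ return NULL;
+
+ stdio[0] = '\0';
+- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
++ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
++ &perms);
+ if (stdio[0] == '\0')
+ return NULL;
+
+--
+1.8.4.5
+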
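Review bot: The new `U` mode flag that cvtfmode now understands is never exercised by this backport: the lib/fsm.c hunk changes only the `left` initializer (the embedded diffstat says 1 insertion, 1 deletion) and both updated callers in rpmio.c pass their existing fmode strings through unchanged, so the temporary file written by expandRegular is still opened with the default 0666 perms unless a companion patch makes that `Fopen()` (outside the hunk) pass `U`; please check the Red Hat attachment for the fsm.c half of that change before relying on the "no permissions" part of the description. Second, `case 'U':` ends in `break` whereas the preceding case and `default` both `continue`; the comment above records that `.` terminates parsing, so if the loop body outside the hunk exits on a plain `break`, a mode string such as `wU.ufdio` would stop being parsed at `U` and hand `.ufdio` back as the I/O type, and `continue;` looks like the intended statement. The switch to `rpmfiFSizeIndex()` is the real bound against an oversized cpio entry and deserves a one-line why-comment, e.g. `/* bound by the header's signed size, not the cpio entry's st_size (CVE-2013-6435) */`, since the old `st->st_size` reads as equally reasonable. expandRegular and cvtfmode both extend beyond their hunks.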
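--- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -35,6 +35,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
  file://rpm-scriptetexechelp.patch \
  file://pythondeps.sh \
  file://rpm-CVE-2014-8118.patch \
+ file://rpm-CVE-2013-6435.patch \
  "
 
 SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"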