diff options
author | Robert Yang <liezhi.yang@windriver.com> | 2016-04-05 23:58:40 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-04-06 22:57:25 +0100 |
commit | 476eeeae0fdde0cd4952b8c4501813b316c8a330 (patch) | |
tree | 222c5676cf5b53fcced6a0ec9e819241113a4d7c /meta/recipes-devtools | |
parent | 3d56864fd3ea190a2fa203bba37aa4125919e676 (diff) | |
download | poky-476eeeae0fdde0cd4952b8c4501813b316c8a330.tar.gz |
rpm: remove two unused patch
They are already in the source:
rpm-CVE-2013-6435.patch
rpm-CVE-2014-8118.patch
(From OE-Core rev: 8bed58160316c84bb4c4e866058f695c4402b95e)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch | 110 | ||||
-rw-r--r-- | meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch | 44 |
2 files changed, 0 insertions, 154 deletions
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch deleted file mode 100644 index a2691f6da8..0000000000 --- a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch +++ /dev/null | |||
@@ -1,110 +0,0 @@ | |||
1 | From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> | ||
3 | Date: Wed, 10 Jun 2015 14:36:56 +0000 | ||
4 | Subject: [PATCH 2/2] rpm: CVE-2013-6435 | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | CVE: CVE-2013-6435 | ||
8 | |||
9 | Reference: | ||
10 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435 | ||
11 | |||
12 | Description: | ||
13 | It was found that RPM wrote file contents to the target installation | ||
14 | directory under a temporary name, and verified its cryptographic signature | ||
15 | only after the temporary file has been written completely. Under certain | ||
16 | conditions, the system interprets the unverified temporary file contents | ||
17 | and extracts commands from it. This could allow an attacker to modify | ||
18 | signed RPM files in such a way that they would execute code chosen | ||
19 | by the attacker during package installation. | ||
20 | |||
21 | Original Patch: | ||
22 | https://bugzilla.redhat.com/attachment.cgi?id=956207 | ||
23 | |||
24 | Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> | ||
25 | --- | ||
26 | lib/fsm.c | 2 +- | ||
27 | rpmio/rpmio.c | 18 ++++++++++++++---- | ||
28 | 2 files changed, 15 insertions(+), 5 deletions(-) | ||
29 | |||
30 | diff --git a/lib/fsm.c b/lib/fsm.c | ||
31 | index 1ee7e67..094eb1d 100644 | ||
32 | --- a/lib/fsm.c | ||
33 | +++ b/lib/fsm.c | ||
34 | @@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest) | ||
35 | { | ||
36 | FD_t wfd = NULL; | ||
37 | const struct stat * st = &fsm->sb; | ||
38 | - rpm_loff_t left = st->st_size; | ||
39 | + rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix); | ||
40 | const unsigned char * fidigest = NULL; | ||
41 | pgpHashAlgo digestalgo = 0; | ||
42 | int rc = 0; | ||
43 | diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c | ||
44 | index cd223e8..0b12e31 100644 | ||
45 | --- a/rpmio/rpmio.c | ||
46 | +++ b/rpmio/rpmio.c | ||
47 | @@ -1309,15 +1309,19 @@ int Fclose(FD_t fd) | ||
48 | * - bzopen: [1-9] is block size (modulo 100K) | ||
49 | * - bzopen: 's' is smallmode | ||
50 | * - HACK: '.' terminates, rest is type of I/O | ||
51 | + * - 'U' sets *mode to zero (no permissions) instead of 0666 | ||
52 | */ | ||
53 | static void cvtfmode (const char *m, | ||
54 | char *stdio, size_t nstdio, | ||
55 | char *other, size_t nother, | ||
56 | - const char **end, int * f) | ||
57 | + const char **end, int *f, mode_t *mode) | ||
58 | { | ||
59 | int flags = 0; | ||
60 | char c; | ||
61 | |||
62 | + if (mode) | ||
63 | + *mode = 0666; | ||
64 | + | ||
65 | switch (*m) { | ||
66 | case 'a': | ||
67 | flags |= O_WRONLY | O_CREAT | O_APPEND; | ||
68 | @@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m, | ||
69 | if (--nstdio > 0) *stdio++ = c; | ||
70 | continue; | ||
71 | break; | ||
72 | + case 'U': | ||
73 | + if (mode) | ||
74 | + *mode = 0; | ||
75 | + break; | ||
76 | default: | ||
77 | if (--nother > 0) *other++ = c; | ||
78 | continue; | ||
79 | @@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd)); | ||
80 | if (fd == NULL || fmode == NULL) | ||
81 | return NULL; | ||
82 | |||
83 | - cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL); | ||
84 | + cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL, | ||
85 | + NULL); | ||
86 | if (stdio[0] == '\0') | ||
87 | return NULL; | ||
88 | zstdio[0] = '\0'; | ||
89 | @@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode) | ||
90 | { | ||
91 | char stdio[20], other[20]; | ||
92 | const char *end = NULL; | ||
93 | - mode_t perms = 0666; | ||
94 | + mode_t perms; | ||
95 | int flags = 0; | ||
96 | FD_t fd; | ||
97 | |||
98 | @@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode) | ||
99 | return NULL; | ||
100 | |||
101 | stdio[0] = '\0'; | ||
102 | - cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags); | ||
103 | + cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags, | ||
104 | + &perms); | ||
105 | if (stdio[0] == '\0') | ||
106 | return NULL; | ||
107 | |||
108 | -- | ||
109 | 1.8.4.5 | ||
110 | |||
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch deleted file mode 100644 index 985f150f0f..0000000000 --- a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch +++ /dev/null | |||
@@ -1,44 +0,0 @@ | |||
1 | From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001 | ||
2 | From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> | ||
3 | Date: Wed, 10 Jun 2015 12:56:55 +0000 | ||
4 | Subject: [PATCH 1/2] rpm: CVE-2014-8118 | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | CVE: CVE-2014-8118 | ||
8 | |||
9 | Reference: | ||
10 | https://bugzilla.redhat.com/show_bug.cgi?id=1168715 | ||
11 | |||
12 | Description: | ||
13 | It was found that RPM could encounter an integer overflow, | ||
14 | leading to a stack-based overflow, while parsing a crafted | ||
15 | CPIO header in the payload section of an RPM file. This could | ||
16 | allow an attacker to modify signed RPM files in such a way that | ||
17 | they would execute code chosen by the attacker during package | ||
18 | installation. | ||
19 | |||
20 | Original Patch: | ||
21 | https://bugzilla.redhat.com/attachment.cgi?id=962159 | ||
22 | |||
23 | Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> | ||
24 | --- | ||
25 | lib/cpio.c | 3 +++ | ||
26 | 1 file changed, 3 insertions(+) | ||
27 | |||
28 | diff --git a/lib/cpio.c b/lib/cpio.c | ||
29 | index 382eeb6..74ddd9c 100644 | ||
30 | --- a/lib/cpio.c | ||
31 | +++ b/lib/cpio.c | ||
32 | @@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st) | ||
33 | st->st_rdev = makedev(major, minor); | ||
34 | |||
35 | GET_NUM_FIELD(hdr.namesize, nameSize); | ||
36 | + if (nameSize <= 0 || nameSize > 4096) { | ||
37 | + return CPIOERR_BAD_HEADER; | ||
38 | + } | ||
39 | |||
40 | *path = xmalloc(nameSize + 1); | ||
41 | read = Fread(*path, nameSize, 1, cpio->fd); | ||
42 | -- | ||
43 | 1.8.4.5 | ||
44 | |||