rpm: Fix CVE-2013-6435

Backport to fix CVE-2013-6435. Description on [1] and original patch taken from [2]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435 [2] https://bugzilla.redhat.com/attachment.cgi?id=956207 [YOCTO #7181] (From OE-Core rev: 6bf846ed5ccd1a4d01b36630708b2b9aa9e69ed5) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> 2015-06-10 14:58:38 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-06-23 11:47:40 +0100
commit: db34474679587502fe0b6a0a5cd72351e29991a2 (patch)
tree: f670f575f56e1424761713d73a71634b2a90e9e1 /meta/recipes-devtools
parent: 3886107521ed64d72afb93bfc123f2b81bc4e959 (diff)
download: poky-db34474679587502fe0b6a0a5cd72351e29991a2.tar.gz
2 files changed, 110 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
new file mode 100644
index 0000000000..b107e8f047
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
@@ -0,0 +1,109 @@
+From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
+From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+Date: Wed, 10 Jun 2015 14:36:56 +0000
+Subject: [PATCH 2/2] rpm: CVE-2013-6435
+Upstream-Status: Backport
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
+Description:
+It was found that RPM wrote file contents to the target installation
+directory under a temporary name, and verified its cryptographic signature
+only after the temporary file has been written completely. Under certain
+conditions, the system interprets the unverified temporary file contents
+and extracts commands from it. This could allow an attacker to modify
+signed RPM files in such a way that they would execute code chosen
+by the attacker during package installation.
+Original Patch:
+https://bugzilla.redhat.com/attachment.cgi?id=956207
+Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+---
+ lib/fsm.c     |  2 +-
+ rpmio/rpmio.c | 18 ++++++++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 1ee7e67..094eb1d 100644
+--- a/lib/fsm.c
+++ b/lib/fsm.c
+@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
+ {
+     FD_t wfd = NULL;
+     const struct stat * st = &fsm->sb;
+-    rpm_loff_t left = st->st_size;
+    rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
+     const unsigned char * fidigest = NULL;
+     pgpHashAlgo digestalgo = 0;
+     int rc = 0;
+diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
+index cd223e8..0b12e31 100644
+--- a/rpmio/rpmio.c
+++ b/rpmio/rpmio.c
+@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
+  * - bzopen:   [1-9] is block size (modulo 100K)
+  * - bzopen:   's' is smallmode
+  * - HACK:     '.' terminates, rest is type of I/O
+ * -            'U' sets *mode to zero (no permissions) instead of 0666
+  */
+ static void cvtfmode (const char *m,
+                                char *stdio, size_t nstdio,
+                                char *other, size_t nother,
+-                               const char **end, int * f)
+                               const char **end, int *f, mode_t *mode)
+ {
+     int flags = 0;
+     char c;
+ 
+    if (mode)
+    *mode = 0666;
+
+     switch (*m) {
+     case 'a':
+        flags |= O_WRONLY | O_CREAT | O_APPEND;
+@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
+            if (--nstdio > 0) *stdio++ = c;
+            continue;
+            break;
+       case 'U':
+           if (mode)
+               *mode = 0;
+           break;
+        default:
+            if (--nother > 0) *other++ = c;
+            continue;
+@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
+     if (fd == NULL || fmode == NULL)
+        return NULL;
+ 
+-    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
+    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
+        NULL);
+     if (stdio[0] == '\0')
+        return NULL;
+     zstdio[0] = '\0';
+@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode)
+ {
+     char stdio[20], other[20];
+     const char *end = NULL;
+-    mode_t perms = 0666;
+    mode_t perms;
+     int flags = 0;
+     FD_t fd;
+ 
+@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode)
+        return NULL;
+ 
+     stdio[0] = '\0';
+-    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
+    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
+        &perms);
+     if (stdio[0] == '\0')
+        return NULL;
+ 
+-- 
+1.8.4.5
diff --git a/meta/recipes-devtools/rpm/rpm_4.11.2.bb b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
index 7c402b6cfb..df9aafbaab 100644
--- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -35,6 +35,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
            file://rpm-scriptetexechelp.patch \
            file://pythondeps.sh \
            file://rpm-CVE-2014-8118.patch \
+            file://rpm-CVE-2013-6435.patch \
           "
 SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"
author	Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>	2015-06-10 14:58:38 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-06-23 11:47:40 +0100
commit	db34474679587502fe0b6a0a5cd72351e29991a2 (patch)
tree	f670f575f56e1424761713d73a71634b2a90e9e1 /meta/recipes-devtools
parent	3886107521ed64d72afb93bfc123f2b81bc4e959 (diff)
download	poky-db34474679587502fe0b6a0a5cd72351e29991a2.tar.gz

diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch new file mode 100644 index 0000000000..b107e8f047 --- /dev/null +++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
@@ -0,0 +1,109 @@
		1	From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
		2	From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
		3	Date: Wed, 10 Jun 2015 14:36:56 +0000
		4	Subject: [PATCH 2/2] rpm: CVE-2013-6435
		5
		6	Upstream-Status: Backport
		7
		8	Reference:
		9	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
		10
		11	Description:
		12	It was found that RPM wrote file contents to the target installation
		13	directory under a temporary name, and verified its cryptographic signature
		14	only after the temporary file has been written completely. Under certain
		15	conditions, the system interprets the unverified temporary file contents
		16	and extracts commands from it. This could allow an attacker to modify
		17	signed RPM files in such a way that they would execute code chosen
		18	by the attacker during package installation.
		19
		20	Original Patch:
		21	https://bugzilla.redhat.com/attachment.cgi?id=956207
		22
		23	Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
		24	---
		25	lib/fsm.c \| 2 +-
		26	rpmio/rpmio.c \| 18 ++++++++++++++----
		27	2 files changed, 15 insertions(+), 5 deletions(-)
		28
		29	diff --git a/lib/fsm.c b/lib/fsm.c
		30	index 1ee7e67..094eb1d 100644
		31	--- a/lib/fsm.c
		32	+++ b/lib/fsm.c
		33	@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
		34	{
		35	FD_t wfd = NULL;
		36	const struct stat * st = &fsm->sb;
		37	- rpm_loff_t left = st->st_size;
		38	+ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
		39	const unsigned char * fidigest = NULL;
		40	pgpHashAlgo digestalgo = 0;
		41	int rc = 0;
		42	diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
		43	index cd223e8..0b12e31 100644
		44	--- a/rpmio/rpmio.c
		45	+++ b/rpmio/rpmio.c
		46	@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
		47	* - bzopen: [1-9] is block size (modulo 100K)
		48	* - bzopen: 's' is smallmode
		49	* - HACK: '.' terminates, rest is type of I/O
		50	+ * - 'U' sets *mode to zero (no permissions) instead of 0666
		51	*/
		52	static void cvtfmode (const char *m,
		53	char *stdio, size_t nstdio,
		54	char *other, size_t nother,
		55	- const char *end, int f)
		56	+ const char *end, int f, mode_t *mode)
		57	{
		58	int flags = 0;
		59	char c;
		60
		61	+ if (mode)
		62	+ *mode = 0666;
		63	+
		64	switch (*m) {
		65	case 'a':
		66	flags \|= O_WRONLY \| O_CREAT \| O_APPEND;
		67	@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
		68	if (--nstdio > 0) *stdio++ = c;
		69	continue;
		70	break;
		71	+ case 'U':
		72	+ if (mode)
		73	+ *mode = 0;
		74	+ break;
		75	default:
		76	if (--nother > 0) *other++ = c;
		77	continue;
		78	@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
		79	if (fd == NULL \|\| fmode == NULL)
		80	return NULL;
		81
		82	- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
		83	+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
		84	+ NULL);
		85	if (stdio[0] == '\0')
		86	return NULL;
		87	zstdio[0] = '\0';
		88	@@ -1436,7 +1445,7 @@ FD_t Fopen(const char path, const char fmode)
		89	{
		90	char stdio[20], other[20];
		91	const char *end = NULL;
		92	- mode_t perms = 0666;
		93	+ mode_t perms;
		94	int flags = 0;
		95	FD_t fd;
		96
		97	@@ -1444,7 +1453,8 @@ FD_t Fopen(const char path, const char fmode)
		98	return NULL;
		99
		100	stdio[0] = '\0';
		101	- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
		102	+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
		103	+ &perms);
		104	if (stdio[0] == '\0')
		105	return NULL;
		106
		107	--
		108	1.8.4.5
		109


diff --git a/meta/recipes-devtools/rpm/rpm_4.11.2.bb b/meta/recipes-devtools/rpm/rpm_4.11.2.bb index 7c402b6cfb..df9aafbaab 100644 --- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb +++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -35,6 +35,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
35	file://rpm-scriptetexechelp.patch \	35	file://rpm-scriptetexechelp.patch \
36	file://pythondeps.sh \	36	file://pythondeps.sh \
37	file://rpm-CVE-2014-8118.patch \	37	file://rpm-CVE-2014-8118.patch \
		38	file://rpm-CVE-2013-6435.patch \
38	"	39	"
39		40
40	SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"	41	SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"