rpm: Fix CVE-2014-8118

Backport patch to fix CVE-2014-8118. Description is on [1] and original patch taken from [2]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1168715 [2] https://bugzilla.redhat.com/attachment.cgi?id=962159 [YOCTO #7181] (From OE-Core rev: 0a1f924157cb75d0f67cf534762c89dc8656d352) (From OE-Core rev: f61750cfc3dd14a72b1ade4274b1a577136111fe) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> 2015-06-10 14:55:14 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-07-20 20:54:34 +0100
commit: abd315bc0547fd4ca1619a50e32f71e7458b2262 (patch)
tree: a573d6dcd299c5e52a8cfc04df22e6e2fef22c9c /meta
parent: 1e6d9873749d75ada0ff7a60411b91170fd09179 (diff)
download: poky-abd315bc0547fd4ca1619a50e32f71e7458b2262.tar.gz
2 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
new file mode 100644
index 0000000000..bf1795ca49
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
@@ -0,0 +1,43 @@
+From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
+From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+Date: Wed, 10 Jun 2015 12:56:55 +0000
+Subject: [PATCH 1/2] rpm: CVE-2014-8118
+Upstream-Status: Backport
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=1168715
+Description:
+It was found that RPM could encounter an integer overflow,
+leading to a stack-based overflow, while parsing a crafted
+CPIO header in the payload section of an RPM file.  This could
+allow an attacker to modify signed RPM files in such a way that
+they would execute code chosen by the attacker during package
+installation.
+Original Patch:
+https://bugzilla.redhat.com/attachment.cgi?id=962159
+Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+---
+ lib/cpio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/lib/cpio.c b/lib/cpio.c
+index 382eeb6..74ddd9c 100644
+--- a/lib/cpio.c
+++ b/lib/cpio.c
+@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
+     st->st_rdev = makedev(major, minor);
+ 
+     GET_NUM_FIELD(hdr.namesize, nameSize);
+    if (nameSize <= 0 || nameSize > 4096) {
+        return CPIOERR_BAD_HEADER;
+    }
+ 
+     *path = xmalloc(nameSize + 1);
+     read = Fread(*path, nameSize, 1, cpio->fd);
+-- 
+1.8.4.5
diff --git a/meta/recipes-devtools/rpm/rpm_4.11.2.bb b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
index 86a14fae50..86a5fbb4c6 100644
--- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -34,6 +34,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
            file://fix_libdir.patch \
            file://rpm-scriptetexechelp.patch \
            file://pythondeps.sh \
+            file://rpm-CVE-2014-8118.patch \
           "
 SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"
author	Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>	2015-06-10 14:55:14 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-07-20 20:54:34 +0100
commit	abd315bc0547fd4ca1619a50e32f71e7458b2262 (patch)
tree	a573d6dcd299c5e52a8cfc04df22e6e2fef22c9c /meta
parent	1e6d9873749d75ada0ff7a60411b91170fd09179 (diff)
download	poky-abd315bc0547fd4ca1619a50e32f71e7458b2262.tar.gz

diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch new file mode 100644 index 0000000000..bf1795ca49 --- /dev/null +++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
@@ -0,0 +1,43 @@
		1	From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
		2	From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
		3	Date: Wed, 10 Jun 2015 12:56:55 +0000
		4	Subject: [PATCH 1/2] rpm: CVE-2014-8118
		5
		6	Upstream-Status: Backport
		7
		8	Reference:
		9	https://bugzilla.redhat.com/show_bug.cgi?id=1168715
		10
		11	Description:
		12	It was found that RPM could encounter an integer overflow,
		13	leading to a stack-based overflow, while parsing a crafted
		14	CPIO header in the payload section of an RPM file. This could
		15	allow an attacker to modify signed RPM files in such a way that
		16	they would execute code chosen by the attacker during package
		17	installation.
		18
		19	Original Patch:
		20	https://bugzilla.redhat.com/attachment.cgi?id=962159
		21
		22	Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
		23	---
		24	lib/cpio.c \| 3 +++
		25	1 file changed, 3 insertions(+)
		26
		27	diff --git a/lib/cpio.c b/lib/cpio.c
		28	index 382eeb6..74ddd9c 100644
		29	--- a/lib/cpio.c
		30	+++ b/lib/cpio.c
		31	@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
		32	st->st_rdev = makedev(major, minor);
		33
		34	GET_NUM_FIELD(hdr.namesize, nameSize);
		35	+ if (nameSize <= 0 \|\| nameSize > 4096) {
		36	+ return CPIOERR_BAD_HEADER;
		37	+ }
		38
		39	*path = xmalloc(nameSize + 1);
		40	read = Fread(*path, nameSize, 1, cpio->fd);
		41	--
		42	1.8.4.5
		43


diff --git a/meta/recipes-devtools/rpm/rpm_4.11.2.bb b/meta/recipes-devtools/rpm/rpm_4.11.2.bb index 86a14fae50..86a5fbb4c6 100644 --- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb +++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -34,6 +34,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
34	file://fix_libdir.patch \	34	file://fix_libdir.patch \
35	file://rpm-scriptetexechelp.patch \	35	file://rpm-scriptetexechelp.patch \
36	file://pythondeps.sh \	36	file://pythondeps.sh \
		37	file://rpm-CVE-2014-8118.patch \
37	"	38	"
38		39
39	SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"	40	SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"