rpm: Fix CVE-2013-6435

Backport to fix CVE-2013-6435. Description on [1] and original patch taken from [2]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435 [2] https://bugzilla.redhat.com/attachment.cgi?id=956207 [YOCTO #7181] (From OE-Core rev: 6bf846ed5ccd1a4d01b36630708b2b9aa9e69ed5) (From OE-Core rev: 74d4895c4d30a45af5856228a00810bd14e5e071) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> 2015-06-10 14:58:38 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-07-20 20:54:34 +0100
commit: bf3ee430a45e7584865da062159f2522cca840e6 (patch)
tree: 93a94038c350926d8c7db12307c0648e9e421ced /meta
parent: abd315bc0547fd4ca1619a50e32f71e7458b2262 (diff)
download: poky-bf3ee430a45e7584865da062159f2522cca840e6.tar.gz
2 files changed, 110 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
new file mode 100644
index 0000000000..b107e8f047
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
@@ -0,0 +1,109 @@
+From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
+From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+Date: Wed, 10 Jun 2015 14:36:56 +0000
+Subject: [PATCH 2/2] rpm: CVE-2013-6435
+Upstream-Status: Backport
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
+Description:
+It was found that RPM wrote file contents to the target installation
+directory under a temporary name, and verified its cryptographic signature
+only after the temporary file has been written completely. Under certain
+conditions, the system interprets the unverified temporary file contents
+and extracts commands from it. This could allow an attacker to modify
+signed RPM files in such a way that they would execute code chosen
+by the attacker during package installation.
+Original Patch:
+https://bugzilla.redhat.com/attachment.cgi?id=956207
+Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+---
+ lib/fsm.c     |  2 +-
+ rpmio/rpmio.c | 18 ++++++++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 1ee7e67..094eb1d 100644
+--- a/lib/fsm.c
+++ b/lib/fsm.c
+@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
+ {
+     FD_t wfd = NULL;
+     const struct stat * st = &fsm->sb;
+-    rpm_loff_t left = st->st_size;
+    rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
+     const unsigned char * fidigest = NULL;
+     pgpHashAlgo digestalgo = 0;
+     int rc = 0;
+diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
+index cd223e8..0b12e31 100644
+--- a/rpmio/rpmio.c
+++ b/rpmio/rpmio.c
+@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
+  * - bzopen:   [1-9] is block size (modulo 100K)
+  * - bzopen:   's' is smallmode
+  * - HACK:     '.' terminates, rest is type of I/O
+ * -            'U' sets *mode to zero (no permissions) instead of 0666
+  */
+ static void cvtfmode (const char *m,
+                                char *stdio, size_t nstdio,
+                                char *other, size_t nother,
+-                               const char **end, int * f)
+                               const char **end, int *f, mode_t *mode)
+ {
+     int flags = 0;
+     char c;
+ 
+    if (mode)
+    *mode = 0666;
+
+     switch (*m) {
+     case 'a':
+        flags |= O_WRONLY | O_CREAT | O_APPEND;
+@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
+            if (--nstdio > 0) *stdio++ = c;
+            continue;
+            break;
+       case 'U':
+           if (mode)
+               *mode = 0;
+           break;
+        default:
+            if (--nother > 0) *other++ = c;
+            continue;
+@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
+     if (fd == NULL || fmode == NULL)
+        return NULL;
+ 
+-    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
+    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
+        NULL);
+     if (stdio[0] == '\0')
+        return NULL;
+     zstdio[0] = '\0';
+@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode)
+ {
+     char stdio[20], other[20];
+     const char *end = NULL;
+-    mode_t perms = 0666;
+    mode_t perms;
+     int flags = 0;
+     FD_t fd;
+ 
+@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode)
+        return NULL;
+ 
+     stdio[0] = '\0';
+-    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
+    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
+        &perms);
+     if (stdio[0] == '\0')
+        return NULL;
+ 
+-- 
+1.8.4.5
diff --git a/meta/recipes-devtools/rpm/rpm_4.11.2.bb b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
index 86a5fbb4c6..7c67b696a3 100644
--- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -35,6 +35,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
            file://rpm-scriptetexechelp.patch \
            file://pythondeps.sh \
            file://rpm-CVE-2014-8118.patch \
+            file://rpm-CVE-2013-6435.patch \
           "
 SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"
author	Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>	2015-06-10 14:58:38 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-07-20 20:54:34 +0100
commit	bf3ee430a45e7584865da062159f2522cca840e6 (patch)
tree	93a94038c350926d8c7db12307c0648e9e421ced /meta
parent	abd315bc0547fd4ca1619a50e32f71e7458b2262 (diff)
download	poky-bf3ee430a45e7584865da062159f2522cca840e6.tar.gz

diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch new file mode 100644 index 0000000000..b107e8f047 --- /dev/null +++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
@@ -0,0 +1,109 @@
		1	From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
		2	From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
		3	Date: Wed, 10 Jun 2015 14:36:56 +0000
		4	Subject: [PATCH 2/2] rpm: CVE-2013-6435
		5
		6	Upstream-Status: Backport
		7
		8	Reference:
		9	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
		10
		11	Description:
		12	It was found that RPM wrote file contents to the target installation
		13	directory under a temporary name, and verified its cryptographic signature
		14	only after the temporary file has been written completely. Under certain
		15	conditions, the system interprets the unverified temporary file contents
		16	and extracts commands from it. This could allow an attacker to modify
		17	signed RPM files in such a way that they would execute code chosen
		18	by the attacker during package installation.
		19
		20	Original Patch:
		21	https://bugzilla.redhat.com/attachment.cgi?id=956207
		22
		23	Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
		24	---
		25	lib/fsm.c \| 2 +-
		26	rpmio/rpmio.c \| 18 ++++++++++++++----
		27	2 files changed, 15 insertions(+), 5 deletions(-)
		28
		29	diff --git a/lib/fsm.c b/lib/fsm.c
		30	index 1ee7e67..094eb1d 100644
		31	--- a/lib/fsm.c
		32	+++ b/lib/fsm.c
		33	@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
		34	{
		35	FD_t wfd = NULL;
		36	const struct stat * st = &fsm->sb;
		37	- rpm_loff_t left = st->st_size;
		38	+ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
		39	const unsigned char * fidigest = NULL;
		40	pgpHashAlgo digestalgo = 0;
		41	int rc = 0;
		42	diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
		43	index cd223e8..0b12e31 100644
		44	--- a/rpmio/rpmio.c
		45	+++ b/rpmio/rpmio.c
		46	@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
		47	* - bzopen: [1-9] is block size (modulo 100K)
		48	* - bzopen: 's' is smallmode
		49	* - HACK: '.' terminates, rest is type of I/O
		50	+ * - 'U' sets *mode to zero (no permissions) instead of 0666
		51	*/
		52	static void cvtfmode (const char *m,
		53	char *stdio, size_t nstdio,
		54	char *other, size_t nother,
		55	- const char *end, int f)
		56	+ const char *end, int f, mode_t *mode)
		57	{
		58	int flags = 0;
		59	char c;
		60
		61	+ if (mode)
		62	+ *mode = 0666;
		63	+
		64	switch (*m) {
		65	case 'a':
		66	flags \|= O_WRONLY \| O_CREAT \| O_APPEND;
		67	@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
		68	if (--nstdio > 0) *stdio++ = c;
		69	continue;
		70	break;
		71	+ case 'U':
		72	+ if (mode)
		73	+ *mode = 0;
		74	+ break;
		75	default:
		76	if (--nother > 0) *other++ = c;
		77	continue;
		78	@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
		79	if (fd == NULL \|\| fmode == NULL)
		80	return NULL;
		81
		82	- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
		83	+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
		84	+ NULL);
		85	if (stdio[0] == '\0')
		86	return NULL;
		87	zstdio[0] = '\0';
		88	@@ -1436,7 +1445,7 @@ FD_t Fopen(const char path, const char fmode)
		89	{
		90	char stdio[20], other[20];
		91	const char *end = NULL;
		92	- mode_t perms = 0666;
		93	+ mode_t perms;
		94	int flags = 0;
		95	FD_t fd;
		96
		97	@@ -1444,7 +1453,8 @@ FD_t Fopen(const char path, const char fmode)
		98	return NULL;
		99
		100	stdio[0] = '\0';
		101	- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
		102	+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
		103	+ &perms);
		104	if (stdio[0] == '\0')
		105	return NULL;
		106
		107	--
		108	1.8.4.5
		109


diff --git a/meta/recipes-devtools/rpm/rpm_4.11.2.bb b/meta/recipes-devtools/rpm/rpm_4.11.2.bb index 86a5fbb4c6..7c67b696a3 100644 --- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb +++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -35,6 +35,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
35	file://rpm-scriptetexechelp.patch \	35	file://rpm-scriptetexechelp.patch \
36	file://pythondeps.sh \	36	file://pythondeps.sh \
37	file://rpm-CVE-2014-8118.patch \	37	file://rpm-CVE-2014-8118.patch \
		38	file://rpm-CVE-2013-6435.patch \
38	"	39	"
39		40
40	SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"	41	SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"