diff options
Diffstat (limited to 'meta/recipes-devtools/rpm/files/CVE-2021-20266.patch')
| -rw-r--r-- | meta/recipes-devtools/rpm/files/CVE-2021-20266.patch | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch new file mode 100644 index 0000000000..f2fc47e321 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch | |||
| @@ -0,0 +1,109 @@ | |||
| 1 | From ebbf0f0133c498d229e94ecf2ed0b41d6e6a142a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Demi Marie Obenour <athena@invisiblethingslab.com> | ||
| 3 | Date: Mon, 8 Feb 2021 16:05:01 -0500 | ||
| 4 | Subject: [PATCH] hdrblobInit() needs bounds checks too | ||
| 5 | |||
| 6 | Users can pass untrusted data to hdrblobInit() and it must be robust | ||
| 7 | against this. | ||
| 8 | |||
| 9 | Backported from commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef | ||
| 10 | |||
| 11 | Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/pull/1587/commits/9646711891df851dfbf7ef54cc171574a0914b15] | ||
| 12 | CVE: CVE-2021-20266 | ||
| 13 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
| 14 | |||
| 15 | --- | ||
| 16 | lib/header.c | 48 +++++++++++++++++++++++++++++++----------------- | ||
| 17 | 1 file changed, 31 insertions(+), 17 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/lib/header.c b/lib/header.c | ||
| 20 | index 5b09f8352..ad5b6dc57 100644 | ||
| 21 | --- a/lib/header.c | ||
| 22 | +++ b/lib/header.c | ||
| 23 | @@ -11,6 +11,7 @@ | ||
| 24 | #include "system.h" | ||
| 25 | #include <netdb.h> | ||
| 26 | #include <errno.h> | ||
| 27 | +#include <inttypes.h> | ||
| 28 | #include <rpm/rpmtypes.h> | ||
| 29 | #include <rpm/rpmstring.h> | ||
| 30 | #include "lib/header_internal.h" | ||
| 31 | @@ -1890,6 +1891,25 @@ hdrblob hdrblobFree(hdrblob blob) | ||
| 32 | return NULL; | ||
| 33 | } | ||
| 34 | |||
| 35 | +static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl, | ||
| 36 | + char **emsg) { | ||
| 37 | + uint32_t il_max = HEADER_TAGS_MAX; | ||
| 38 | + uint32_t dl_max = HEADER_DATA_MAX; | ||
| 39 | + if (regionTag == RPMTAG_HEADERSIGNATURES) { | ||
| 40 | + il_max = 32; | ||
| 41 | + dl_max = 8192; | ||
| 42 | + } | ||
| 43 | + if (hdrchkRange(il_max, il)) { | ||
| 44 | + rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il); | ||
| 45 | + return RPMRC_FAIL; | ||
| 46 | + } | ||
| 47 | + if (hdrchkRange(dl_max, dl)) { | ||
| 48 | + rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl); | ||
| 49 | + return RPMRC_FAIL; | ||
| 50 | + } | ||
| 51 | + return RPMRC_OK; | ||
| 52 | +} | ||
| 53 | + | ||
| 54 | rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg) | ||
| 55 | { | ||
| 56 | int32_t block[4]; | ||
| 57 | @@ -1902,13 +1922,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl | ||
| 58 | size_t nb; | ||
| 59 | rpmRC rc = RPMRC_FAIL; /* assume failure */ | ||
| 60 | int xx; | ||
| 61 | - int32_t il_max = HEADER_TAGS_MAX; | ||
| 62 | - int32_t dl_max = HEADER_DATA_MAX; | ||
| 63 | - | ||
| 64 | - if (regionTag == RPMTAG_HEADERSIGNATURES) { | ||
| 65 | - il_max = 32; | ||
| 66 | - dl_max = 8192; | ||
| 67 | - } | ||
| 68 | |||
| 69 | memset(block, 0, sizeof(block)); | ||
| 70 | if ((xx = Freadall(fd, bs, blen)) != blen) { | ||
| 71 | @@ -1921,15 +1934,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl | ||
| 72 | goto exit; | ||
| 73 | } | ||
| 74 | il = ntohl(block[2]); | ||
| 75 | - if (hdrchkRange(il_max, il)) { | ||
| 76 | - rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il); | ||
| 77 | - goto exit; | ||
| 78 | - } | ||
| 79 | dl = ntohl(block[3]); | ||
| 80 | - if (hdrchkRange(dl_max, dl)) { | ||
| 81 | - rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl); | ||
| 82 | + if (hdrblobVerifyLengths(regionTag, il, dl, emsg)) | ||
| 83 | goto exit; | ||
| 84 | - } | ||
| 85 | |||
| 86 | nb = (il * sizeof(struct entryInfo_s)) + dl; | ||
| 87 | uc = sizeof(il) + sizeof(dl) + nb; | ||
| 88 | @@ -1973,11 +1980,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc, | ||
| 89 | struct hdrblob_s *blob, char **emsg) | ||
| 90 | { | ||
| 91 | rpmRC rc = RPMRC_FAIL; | ||
| 92 | - | ||
| 93 | memset(blob, 0, sizeof(*blob)); | ||
| 94 | + if (uc && uc < 8) { | ||
| 95 | + rasprintf(emsg, _("hdr length: BAD")); | ||
| 96 | + goto exit; | ||
| 97 | + } | ||
| 98 | + | ||
| 99 | blob->ei = (int32_t *) uh; /* discards const */ | ||
| 100 | - blob->il = ntohl(blob->ei[0]); | ||
| 101 | - blob->dl = ntohl(blob->ei[1]); | ||
| 102 | + blob->il = ntohl((uint32_t)(blob->ei[0])); | ||
| 103 | + blob->dl = ntohl((uint32_t)(blob->ei[1])); | ||
| 104 | + if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK) | ||
| 105 | + goto exit; | ||
| 106 | + | ||
| 107 | blob->pe = (entryInfo) &(blob->ei[2]); | ||
| 108 | blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) + | ||
| 109 | (blob->il * sizeof(*blob->pe)) + blob->dl; | ||