Diffstat (limited to 'meta/recipes-devtools/rpm/files/CVE-2021-20266.patch')
-rw-r--r-- | meta/recipes-devtools/rpm/files/CVE-2021-20266.patch | 109 |
1 files changed, 109 insertions, 0 deletions
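--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
@@ -0,0 +1,109 @@
+From ebbf0f0133c498d229e94ecf2ed0b41d6e6a142a Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <athena@invisiblethingslab.com>
+Date: Mon, 8 Feb 2021 16:05:01 -0500
+Subject: [PATCH] hdrblobInit() needs bounds checks too
+
+Users can pass untrusted data to hdrblobInit() and it must be robust
+against this.
+
+Backported from commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/pull/1587/commits/9646711891df851dfbf7ef54cc171574a0914b15]
+CVE: CVE-2021-20266
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+lib/header.c | 48 +++++++++++++++++++++++++++++++-----------------
+1 file changed, 31 insertions(+), 17 deletions(-)
+
+diff --git a/lib/header.c b/lib/header.c
+index 5b09f8352..ad5b6dc57 100644
+--- a/lib/header.c
++++ b/lib/header.c
+@@ -11,6 +11,7 @@
+#include "system.h"
+#include <netdb.h>
+#include <errno.h>
++#include <inttypes.h>
+#include <rpm/rpmtypes.h>
+#include <rpm/rpmstring.h>
+#include "lib/header_internal.h"
+@@ -1890,6 +1891,25 @@ hdrblob hdrblobFree(hdrblob blob)
+return NULL;
+}
+
++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,
++ char **emsg) {
++ uint32_t il_max = HEADER_TAGS_MAX;
++ uint32_t dl_max = HEADER_DATA_MAX;
++ if (regionTag == RPMTAG_HEADERSIGNATURES) {
++ il_max = 32;
++ dl_max = 8192;
++ }
++ if (hdrchkRange(il_max, il)) {
++ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il);
++ return RPMRC_FAIL;
++ }
++ if (hdrchkRange(dl_max, dl)) {
++ rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl);
++ return RPMRC_FAIL;
++ }
++ return RPMRC_OK;
++}
++
+rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)
+{
+int32_t block[4];
+@@ -1902,13 +1922,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+size_t nb;
+rpmRC rc = RPMRC_FAIL; /* assume failure */
+int xx;
+- int32_t il_max = HEADER_TAGS_MAX;
+- int32_t dl_max = HEADER_DATA_MAX;
+-
+- if (regionTag == RPMTAG_HEADERSIGNATURES) {
+- il_max = 32;
+- dl_max = 8192;
+- }
+
+memset(block, 0, sizeof(block));
+if ((xx = Freadall(fd, bs, blen)) != blen) {
+@@ -1921,15 +1934,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+goto exit;
+}
+il = ntohl(block[2]);
+- if (hdrchkRange(il_max, il)) {
+- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
+- goto exit;
+- }
+dl = ntohl(block[3]);
+- if (hdrchkRange(dl_max, dl)) {
+- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl);
++ if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
+goto exit;
+- }
+
+nb = (il * sizeof(struct entryInfo_s)) + dl;
+uc = sizeof(il) + sizeof(dl) + nb;
+@@ -1973,11 +1980,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
+struct hdrblob_s *blob, char **emsg)
+{
+rpmRC rc = RPMRC_FAIL;
+-
+memset(blob, 0, sizeof(*blob));
++ if (uc && uc < 8) {
++ rasprintf(emsg, _("hdr length: BAD"));
++ goto exit;
++ }
++
+blob->ei = (int32_t *) uh; /* discards const */
+- blob->il = ntohl(blob->ei[0]);
+- blob->dl = ntohl(blob->ei[1]);
++ blob->il = ntohl((uint32_t)(blob->ei[0]));
++ blob->dl = ntohl((uint32_t)(blob->ei[1]));
++ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)
++ goto exit;
++
+blob->pe = (entryInfo) &(blob->ei[2]);
+blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
+(blob->il * sizeof(*blob->pe)) + blob->dl;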
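Review bot: In the hdrblobInit() hunk the new guard `if (uc && uc < 8)` is skipped entirely when the caller passes `uc == 0`, yet `blob->ei[0]` and `blob->ei[1]` are still read from `uh` immediately afterwards, so in that case the two length words are simply trusted to be readable. If zero is meant as "size not known" (the hunk does not show this), a comment such as `/* uc == 0: size unknown, caller guarantees the il and dl words are readable */` would make that contract explicit for anyone auditing callers that pass untrusted buffers. The literal 8 would also read better as `if (uc && uc < sizeof(blob->il) + sizeof(blob->dl)) {`, matching the `pvlen` expression a few lines below. hdrblobInit() starts and ends outside the hunk, so whether `pvlen` is later compared with `uc` cannot be confirmed from here.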