1 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-hardlink-segfault-fix.patch b/meta/recipes-devtools/rpm/rpm/rpm-hardlink-segfault-fix.patch
new file mode 100644
index 0000000000..5deb2323ef
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-hardlink-segfault-fix.patch
@@ -0,0 +1,43 @@
+We need to sanity check that the nlink size and our linksLeft counter
+do match. If an rpm is badly constructed with identical inode values
+for multiple hardlinked files, such an rpm will otherwise access memory
+out of array bounds and cause memory corruption and crashes.
+The fix is to add in the sanity check and exit if bad circumstances
+are found. We need to fix the caller to check the return code too.
+RP 2014/6/10
+Upstream-Status: Pending
+Index: rpm-5.4.14/lib/fsm.c
+===================================================================
+--- rpm-5.4.14.orig/lib/fsm.c
+++ rpm-5.4.14/lib/fsm.c
+@@ -495,6 +495,11 @@ static int saveHardLink(/*@special@*/ /*
+     }
+ 
+     if (fsm->goal == IOSM_PKGBUILD) --fsm->li->linksLeft;
+    if (fsm->li->linksLeft > st->st_nlink) {
+       rpmlog(RPMLOG_ERR, _("Corrupted hardlinks found (count %d does not match %d), exiting.\n"), fsm->li->linksLeft, st->st_nlink);
+       return -1;
+    }
+
+     fsm->li->filex[fsm->li->linksLeft] = fsm->ix;
+     /*@-observertrans -dependenttrans@*/
+     fsm->li->nsuffix[fsm->li->linksLeft] = fsm->nsuffix;
+@@ -1878,8 +1883,13 @@ if (!(fsmGetFi(fsm)->mapflags & IOSM_PAY
+        fsm->postpone = iosmFileActionSkipped(fsm->action);
+        if (fsm->goal == IOSM_PKGINSTALL || fsm->goal == IOSM_PKGBUILD) {
+            /*@-evalorder@*/ /* FIX: saveHardLink can modify fsm */
+-           if (S_ISREG(st->st_mode) && st->st_nlink > 1)
+           if (S_ISREG(st->st_mode) && st->st_nlink > 1) {
+                fsm->postpone = saveHardLink(fsm);
+               if (fsm->postpone < 0) {
+                   rc = RPMRC_FAIL;
+                   break;
+               }
+           }
+            /*@=evalorder@*/
+        }
+ if (fsmGetFi(fsm)->mapflags & IOSM_PAYLOAD_LIST) fsm->postpone = 1;

diff --git a/meta/recipes-devtools/rpm/rpm/rpm-hardlink-segfault-fix.patch b/meta/recipes-devtools/rpm/rpm/rpm-hardlink-segfault-fix.patch new file mode 100644 index 0000000000..5deb2323ef --- /dev/null +++ b/meta/recipes-devtools/rpm/rpm/rpm-hardlink-segfault-fix.patch
@@ -0,0 +1,43 @@
	1	We need to sanity check that the nlink size and our linksLeft counter
	2	do match. If an rpm is badly constructed with identical inode values
	3	for multiple hardlinked files, such an rpm will otherwise access memory
	4	out of array bounds and cause memory corruption and crashes.
	5
	6	The fix is to add in the sanity check and exit if bad circumstances
	7	are found. We need to fix the caller to check the return code too.
	8
	9	RP 2014/6/10
	10
	11	Upstream-Status: Pending
	12
	13	Index: rpm-5.4.14/lib/fsm.c
	14	===================================================================
	15	--- rpm-5.4.14.orig/lib/fsm.c
	16	+++ rpm-5.4.14/lib/fsm.c
	17	@@ -495,6 +495,11 @@ static int saveHardLink(/@special@/ /*
	18	}
	19
	20	if (fsm->goal == IOSM_PKGBUILD) --fsm->li->linksLeft;
	21	+ if (fsm->li->linksLeft > st->st_nlink) {
	22	+ rpmlog(RPMLOG_ERR, _("Corrupted hardlinks found (count %d does not match %d), exiting.\n"), fsm->li->linksLeft, st->st_nlink);
	23	+ return -1;
	24	+ }
	25	+
	26	fsm->li->filex[fsm->li->linksLeft] = fsm->ix;
	27	/@-observertrans -dependenttrans@/
	28	fsm->li->nsuffix[fsm->li->linksLeft] = fsm->nsuffix;
	29	@@ -1878,8 +1883,13 @@ if (!(fsmGetFi(fsm)->mapflags & IOSM_PAY
	30	fsm->postpone = iosmFileActionSkipped(fsm->action);
	31	if (fsm->goal == IOSM_PKGINSTALL \|\| fsm->goal == IOSM_PKGBUILD) {
	32	/@-evalorder@/ /* FIX: saveHardLink can modify fsm */
	33	- if (S_ISREG(st->st_mode) && st->st_nlink > 1)
	34	+ if (S_ISREG(st->st_mode) && st->st_nlink > 1) {
	35	fsm->postpone = saveHardLink(fsm);
	36	+ if (fsm->postpone < 0) {
	37	+ rc = RPMRC_FAIL;
	38	+ break;
	39	+ }
	40	+ }
	41	/@=evalorder@/
	42	}
	43	if (fsmGetFi(fsm)->mapflags & IOSM_PAYLOAD_LIST) fsm->postpone = 1;