2 files changed, 0 insertions, 154 deletions
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
deleted file mode 100644
index a2691f6da8..0000000000
--- a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
-From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
-Date: Wed, 10 Jun 2015 14:36:56 +0000
-Subject: [PATCH 2/2] rpm: CVE-2013-6435
-Upstream-Status: Backport
-CVE: CVE-2013-6435
-Reference:
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
-Description:
-It was found that RPM wrote file contents to the target installation
-directory under a temporary name, and verified its cryptographic signature
-only after the temporary file has been written completely. Under certain
-conditions, the system interprets the unverified temporary file contents
-and extracts commands from it. This could allow an attacker to modify
-signed RPM files in such a way that they would execute code chosen
-by the attacker during package installation.
-Original Patch:
-https://bugzilla.redhat.com/attachment.cgi?id=956207
-Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
---
- lib/fsm.c     |  2 +-
- rpmio/rpmio.c | 18 ++++++++++++++----
- 2 files changed, 15 insertions(+), 5 deletions(-)
-diff --git a/lib/fsm.c b/lib/fsm.c
-index 1ee7e67..094eb1d 100644
--- a/lib/fsm.c
-+++ b/lib/fsm.c
-@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
- {
-     FD_t wfd = NULL;
-     const struct stat * st = &fsm->sb;
-    rpm_loff_t left = st->st_size;
-+    rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
-     const unsigned char * fidigest = NULL;
-     pgpHashAlgo digestalgo = 0;
-     int rc = 0;
-diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
-index cd223e8..0b12e31 100644
--- a/rpmio/rpmio.c
-+++ b/rpmio/rpmio.c
-@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
-  * - bzopen:   [1-9] is block size (modulo 100K)
-  * - bzopen:   's' is smallmode
-  * - HACK:     '.' terminates, rest is type of I/O
-+ * -            'U' sets *mode to zero (no permissions) instead of 0666
-  */
- static void cvtfmode (const char *m,
-                                char *stdio, size_t nstdio,
-                                char *other, size_t nother,
-                               const char **end, int * f)
-+                               const char **end, int *f, mode_t *mode)
- {
-     int flags = 0;
-     char c;
- 
-+    if (mode)
-+    *mode = 0666;
-+
-     switch (*m) {
-     case 'a':
-        flags |= O_WRONLY | O_CREAT | O_APPEND;
-@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
-            if (--nstdio > 0) *stdio++ = c;
-            continue;
-            break;
-+       case 'U':
-+           if (mode)
-+               *mode = 0;
-+           break;
-        default:
-            if (--nother > 0) *other++ = c;
-            continue;
-@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
-     if (fd == NULL || fmode == NULL)
-        return NULL;
- 
-    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
-+    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
-+        NULL);
-     if (stdio[0] == '\0')
-        return NULL;
-     zstdio[0] = '\0';
-@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode)
- {
-     char stdio[20], other[20];
-     const char *end = NULL;
-    mode_t perms = 0666;
-+    mode_t perms;
-     int flags = 0;
-     FD_t fd;
- 
-@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode)
-        return NULL;
- 
-     stdio[0] = '\0';
-    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
-+    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
-+        &perms);
-     if (stdio[0] == '\0')
-        return NULL;
- 
-- 
-1.8.4.5
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
deleted file mode 100644
index 985f150f0f..0000000000
--- a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
-From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
-Date: Wed, 10 Jun 2015 12:56:55 +0000
-Subject: [PATCH 1/2] rpm: CVE-2014-8118
-Upstream-Status: Backport
-CVE: CVE-2014-8118
-Reference:
-https://bugzilla.redhat.com/show_bug.cgi?id=1168715
-Description:
-It was found that RPM could encounter an integer overflow,
-leading to a stack-based overflow, while parsing a crafted
-CPIO header in the payload section of an RPM file.  This could
-allow an attacker to modify signed RPM files in such a way that
-they would execute code chosen by the attacker during package
-installation.
-Original Patch:
-https://bugzilla.redhat.com/attachment.cgi?id=962159
-Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
---
- lib/cpio.c | 3 +++
- 1 file changed, 3 insertions(+)
-diff --git a/lib/cpio.c b/lib/cpio.c
-index 382eeb6..74ddd9c 100644
--- a/lib/cpio.c
-+++ b/lib/cpio.c
-@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
-     st->st_rdev = makedev(major, minor);
- 
-     GET_NUM_FIELD(hdr.namesize, nameSize);
-+    if (nameSize <= 0 || nameSize > 4096) {
-+        return CPIOERR_BAD_HEADER;
-+    }
- 
-     *path = xmalloc(nameSize + 1);
-     read = Fread(*path, nameSize, 1, cpio->fd);
-- 
-1.8.4.5

diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch deleted file mode 100644 index a2691f6da8..0000000000 --- a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch +++ /dev/null
@@ -1,110 +0,0 @@
1	From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
2	From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
3	Date: Wed, 10 Jun 2015 14:36:56 +0000
4	Subject: [PATCH 2/2] rpm: CVE-2013-6435
5
6	Upstream-Status: Backport
7	CVE: CVE-2013-6435
8
9	Reference:
10	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
11
12	Description:
13	It was found that RPM wrote file contents to the target installation
14	directory under a temporary name, and verified its cryptographic signature
15	only after the temporary file has been written completely. Under certain
16	conditions, the system interprets the unverified temporary file contents
17	and extracts commands from it. This could allow an attacker to modify
18	signed RPM files in such a way that they would execute code chosen
19	by the attacker during package installation.
20
21	Original Patch:
22	https://bugzilla.redhat.com/attachment.cgi?id=956207
23
24	Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
25	---
26	lib/fsm.c \| 2 +-
27	rpmio/rpmio.c \| 18 ++++++++++++++----
28	2 files changed, 15 insertions(+), 5 deletions(-)
29
30	diff --git a/lib/fsm.c b/lib/fsm.c
31	index 1ee7e67..094eb1d 100644
32	--- a/lib/fsm.c
33	+++ b/lib/fsm.c
34	@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
35	{
36	FD_t wfd = NULL;
37	const struct stat * st = &fsm->sb;
38	- rpm_loff_t left = st->st_size;
39	+ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
40	const unsigned char * fidigest = NULL;
41	pgpHashAlgo digestalgo = 0;
42	int rc = 0;
43	diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
44	index cd223e8..0b12e31 100644
45	--- a/rpmio/rpmio.c
46	+++ b/rpmio/rpmio.c
47	@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
48	* - bzopen: [1-9] is block size (modulo 100K)
49	* - bzopen: 's' is smallmode
50	* - HACK: '.' terminates, rest is type of I/O
51	+ * - 'U' sets *mode to zero (no permissions) instead of 0666
52	*/
53	static void cvtfmode (const char *m,
54	char *stdio, size_t nstdio,
55	char *other, size_t nother,
56	- const char *end, int f)
57	+ const char *end, int f, mode_t *mode)
58	{
59	int flags = 0;
60	char c;
61
62	+ if (mode)
63	+ *mode = 0666;
64	+
65	switch (*m) {
66	case 'a':
67	flags \|= O_WRONLY \| O_CREAT \| O_APPEND;
68	@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
69	if (--nstdio > 0) *stdio++ = c;
70	continue;
71	break;
72	+ case 'U':
73	+ if (mode)
74	+ *mode = 0;
75	+ break;
76	default:
77	if (--nother > 0) *other++ = c;
78	continue;
79	@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
80	if (fd == NULL \|\| fmode == NULL)
81	return NULL;
82
83	- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
84	+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
85	+ NULL);
86	if (stdio[0] == '\0')
87	return NULL;
88	zstdio[0] = '\0';
89	@@ -1436,7 +1445,7 @@ FD_t Fopen(const char path, const char fmode)
90	{
91	char stdio[20], other[20];
92	const char *end = NULL;
93	- mode_t perms = 0666;
94	+ mode_t perms;
95	int flags = 0;
96	FD_t fd;
97
98	@@ -1444,7 +1453,8 @@ FD_t Fopen(const char path, const char fmode)
99	return NULL;
100
101	stdio[0] = '\0';
102	- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
103	+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
104	+ &perms);
105	if (stdio[0] == '\0')
106	return NULL;
107
108	--
109	1.8.4.5
110


diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch deleted file mode 100644 index 985f150f0f..0000000000 --- a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch +++ /dev/null
@@ -1,44 +0,0 @@
1	From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
2	From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
3	Date: Wed, 10 Jun 2015 12:56:55 +0000
4	Subject: [PATCH 1/2] rpm: CVE-2014-8118
5
6	Upstream-Status: Backport
7	CVE: CVE-2014-8118
8
9	Reference:
10	https://bugzilla.redhat.com/show_bug.cgi?id=1168715
11
12	Description:
13	It was found that RPM could encounter an integer overflow,
14	leading to a stack-based overflow, while parsing a crafted
15	CPIO header in the payload section of an RPM file. This could
16	allow an attacker to modify signed RPM files in such a way that
17	they would execute code chosen by the attacker during package
18	installation.
19
20	Original Patch:
21	https://bugzilla.redhat.com/attachment.cgi?id=962159
22
23	Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
24	---
25	lib/cpio.c \| 3 +++
26	1 file changed, 3 insertions(+)
27
28	diff --git a/lib/cpio.c b/lib/cpio.c
29	index 382eeb6..74ddd9c 100644
30	--- a/lib/cpio.c
31	+++ b/lib/cpio.c
32	@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
33	st->st_rdev = makedev(major, minor);
34
35	GET_NUM_FIELD(hdr.namesize, nameSize);
36	+ if (nameSize <= 0 \|\| nameSize > 4096) {
37	+ return CPIOERR_BAD_HEADER;
38	+ }
39
40	*path = xmalloc(nameSize + 1);
41	read = Fread(*path, nameSize, 1, cpio->fd);
42	--
43	1.8.4.5
44