Diffstat (limited to 'meta/recipes-devtools/rpm')
-rw-r--r--meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch110
-rw-r--r--meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch44
2 files changed, 0 insertions, 154 deletions
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
deleted file mode 100644
index a2691f6da8..0000000000
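--- a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
-From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
-Date: Wed, 10 Jun 2015 14:36:56 +0000
-Subject: [PATCH 2/2] rpm: CVE-2013-6435
-
-Upstream-Status: Backport
-CVE: CVE-2013-6435
-
-Reference:
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
-
-Description:
-It was found that RPM wrote file contents to the target installation
-directory under a temporary name, and verified its cryptographic signature
-only after the temporary file has been written completely. Under certain
-conditions, the system interprets the unverified temporary file contents
-and extracts commands from it. This could allow an attacker to modify
-signed RPM files in such a way that they would execute code chosen
-by the attacker during package installation.
-
-Original Patch:
-https://bugzilla.redhat.com/attachment.cgi?id=956207
-
-Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
----
- lib/fsm.c | 2 +-
- rpmio/rpmio.c | 18 ++++++++++++++----
- 2 files changed, 15 insertions(+), 5 deletions(-)
-
-diff --git a/lib/fsm.c b/lib/fsm.c
-index 1ee7e67..094eb1d 100644
---- a/lib/fsm.c
-+++ b/lib/fsm.c
-@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
- {
- FD_t wfd = NULL;
- const struct stat * st = &fsm->sb;
-- rpm_loff_t left = st->st_size;
-+ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
- const unsigned char * fidigest = NULL;
- pgpHashAlgo digestalgo = 0;
- int rc = 0;
-diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
-index cd223e8..0b12e31 100644
---- a/rpmio/rpmio.c
-+++ b/rpmio/rpmio.c
-@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
- * - bzopen: [1-9] is block size (modulo 100K)
- * - bzopen: 's' is smallmode
- * - HACK: '.' terminates, rest is type of I/O
-+ * - 'U' sets *mode to zero (no permissions) instead of 0666
- */
- static void cvtfmode (const char *m,
- char *stdio, size_t nstdio,
- char *other, size_t nother,
-- const char **end, int * f)
-+ const char **end, int *f, mode_t *mode)
- {
- int flags = 0;
- char c;
-
-+ if (mode)
-+ *mode = 0666;
-+
- switch (*m) {
- case 'a':
- flags |= O_WRONLY | O_CREAT | O_APPEND;
-@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
- if (--nstdio > 0) *stdio++ = c;
- continue;
- break;
-+ case 'U':
-+ if (mode)
-+ *mode = 0;
-+ break;
- default:
- if (--nother > 0) *other++ = c;
- continue;
-@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
- if (fd == NULL || fmode == NULL)
- return NULL;
-
-- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
-+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
-+ NULL);
- if (stdio[0] == '\0')
- return NULL;
- zstdio[0] = '\0';
-@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode)
- {
- char stdio[20], other[20];
- const char *end = NULL;
-- mode_t perms = 0666;
-+ mode_t perms;
- int flags = 0;
- FD_t fd;
-
-@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode)
- return NULL;
-
- stdio[0] = '\0';
-- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
-+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
-+ &perms);
- if (stdio[0] == '\0')
- return NULL;
-
---
-1.8.4.5
-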
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
deleted file mode 100644
index 985f150f0f..0000000000
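--- a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
-From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
-Date: Wed, 10 Jun 2015 12:56:55 +0000
-Subject: [PATCH 1/2] rpm: CVE-2014-8118
-
-Upstream-Status: Backport
-CVE: CVE-2014-8118
-
-Reference:
-https://bugzilla.redhat.com/show_bug.cgi?id=1168715
-
-Description:
-It was found that RPM could encounter an integer overflow,
-leading to a stack-based overflow, while parsing a crafted
-CPIO header in the payload section of an RPM file. This could
-allow an attacker to modify signed RPM files in such a way that
-they would execute code chosen by the attacker during package
-installation.
-
-Original Patch:
-https://bugzilla.redhat.com/attachment.cgi?id=962159
-
-Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
----
- lib/cpio.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/lib/cpio.c b/lib/cpio.c
-index 382eeb6..74ddd9c 100644
---- a/lib/cpio.c
-+++ b/lib/cpio.c
-@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
- st->st_rdev = makedev(major, minor);
-
- GET_NUM_FIELD(hdr.namesize, nameSize);
-+ if (nameSize <= 0 || nameSize > 4096) {
-+ return CPIOERR_BAD_HEADER;
-+ }
-
- *path = xmalloc(nameSize + 1);
- read = Fread(*path, nameSize, 1, cpio->fd);
---
-1.8.4.5
-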