From b7b7cd856d8d286a343f22710009c81ca7b244dc Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Dec 09 2014 20:34:57 +0000 Subject: import rpm-4.11.1-18.el7_0 --- diff --git a/SOURCES/rpm-4.11.x-CVE-2014-8118.patch b/SOURCES/rpm-4.11.x-CVE-2014-8118.patch new file mode 100644 index 0000000..79e2a00 --- /dev/null +++ b/SOURCES/rpm-4.11.x-CVE-2014-8118.patch @@ -0,0 +1,12 @@ +--- rpm-4.11.1.orig/lib/cpio.c 2014-11-28 12:21:50.444158675 +0100 ++++ rpm-4.11.1/lib/cpio.c 2014-11-28 12:22:53.776453253 +0100 +@@ -296,6 +296,9 @@ + st->st_rdev = makedev(major, minor); + + GET_NUM_FIELD(hdr.namesize, nameSize); ++ if (nameSize <= 0 || nameSize > 4096) { ++ return CPIOERR_BAD_HEADER; ++ } + + *path = xmalloc(nameSize + 1); + read = Fread(*path, nameSize, 1, cpio->fd); diff --git a/SOURCES/rpm-4.11.x-chmod.patch b/SOURCES/rpm-4.11.x-chmod.patch new file mode 100644 index 0000000..2a0636b --- /dev/null +++ b/SOURCES/rpm-4.11.x-chmod.patch @@ -0,0 +1,22 @@ +--- rpm-4.11.1/lib/fsm.c.orig 2014-11-13 13:38:56.742934031 +0100 ++++ rpm-4.11.1/lib/fsm.c 2014-11-13 13:42:13.036380024 +0100 +@@ -726,12 +726,17 @@ + { + FD_t wfd = NULL; + const struct stat * st = &fsm->sb; +- rpm_loff_t left = st->st_size; ++ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix); + const unsigned char * fidigest = NULL; + pgpHashAlgo digestalgo = 0; + int rc = 0; + +- wfd = Fopen(fsm->path, "w.ufdio"); ++ /* Create the file with 000 permissions. */ ++ { ++ mode_t old_umask = umask(0777); ++ wfd = Fopen(fsm->path, "w.ufdio"); ++ umask(old_umask); ++ } + if (Ferror(wfd)) { + rc = CPIOERR_OPEN_FAILED; + goto exit; diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec index 51663c8..b1ce7ab 100644 --- a/SPECS/rpm.spec +++ b/SPECS/rpm.spec @@ -21,7 +21,7 @@ Summary: The RPM package management system Name: rpm Version: %{rpmver} -Release: %{?snapver:0.%{snapver}.}16%{?dist} +Release: %{?snapver:0.%{snapver}.}18%{?dist} Group: System Environment/Base Url: http://www.rpm.org/ Source0: http://rpm.org/releases/rpm-4.11.x/%{name}-%{srcver}.tar.bz2 @@ -72,6 +72,10 @@ Patch306: rpm-4.10.0-minidebuginfo.patch Patch307: rpm-4.11.1-sepdebugcrcfix.patch # Fix minidebuginfo on ppc64 (#1052415) Patch308: rpm-4.11.x-minidebuginfo-ppc64.patch +# Chmod 000 for files being unpacked +Patch309: rpm-4.11.x-chmod.patch +Patch310: rpm-4.11.x-CVE-2014-8118.patch + # Temporary Patch to provide support for updates Patch400: rpm-4.10.90-rpmlib-filesystem-check.patch @@ -261,6 +265,8 @@ packages on a system. %patch306 -p1 -b .minidebuginfo %patch307 -p1 -b .sepdebugcrcfix %patch308 -p1 -b .minidebuginfo-ppc64 +%patch309 -p1 -b .chmod +%patch310 -p1 -b .namesize %patch400 -p1 -b .rpmlib-filesystem-check @@ -489,6 +495,15 @@ exit 0 %doc COPYING doc/librpm/html/* %changelog +* Fri Nov 28 2014 Florian Festi - 4.11.1-18 +- Add check against malicious CPIO file name size (#1163060) +- Fixes CVE-2014-8118 + +* Thu Nov 13 2014 Florian Festi - 4.11.1-17 +- Fix race condidition where unchecked data is exposed in the file system + (#1163060) +- Fixes CVE-2013-6435 + * Mon Mar 24 2014 Panu Matilainen - 4.11.1-16 - Fully reset file actions between rpmtsRun() calls (#1076552)