From 2474acb1d0a34f108b2605b6271dc3ee1df33f5d Mon Sep 17 00:00:00 2001
From: Lubos Kardos
Date: Dec 12 2014 16:06:03 +0000
Subject: - Add check against malicious CPIO file name size
- Fixes CVE-2014-8118
- Resolves #1168715
- Fix race condidition where unchecked data is exposed in the file system
- Fixes CVE-2013-6435
- Resolves #1039811
---
diff --git a/rpm-4.12.0.x-CVE-2013-6435.patch b/rpm-4.12.0.x-CVE-2013-6435.patch
new file mode 100644
index 0000000..c093352
--- /dev/null
+++ b/rpm-4.12.0.x-CVE-2013-6435.patch
@@ -0,0 +1,16 @@
+--- rpm-4.12.0.1/lib/fsm.c.orig 2014-12-12 16:05:51.683430313 +0100
++++ rpm-4.12.0.1/lib/fsm.c 2014-12-12 16:08:28.046025597 +0100
+@@ -215,7 +215,12 @@ static int expandRegular(rpmfi fi, const
+ FD_t wfd = NULL;
+ int rc = 0;
+ 
+- wfd = Fopen(dest, "w.ufdio");
++ /* Create the file with 000 permissions. */
++ {
++ mode_t old_umask = umask(0777);
++ wfd = Fopen(dest, "w.ufdio");
++ umask(old_umask);
++ }
+ if (Ferror(wfd)) {
+ rc = RPMERR_OPEN_FAILED;
+ goto exit;
diff --git a/rpm-4.12.0.x-CVE-2014-8118.patch b/rpm-4.12.0.x-CVE-2014-8118.patch
new file mode 100644
index 0000000..cabdb33
--- /dev/null
+++ b/rpm-4.12.0.x-CVE-2014-8118.patch
@@ -0,0 +1,14 @@
+diff --git a/lib/cpio.c b/lib/cpio.c
+index 253ff0f..600633a 100644
+--- a/lib/cpio.c
++++ b/lib/cpio.c
+@@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, int * fx)
+ 
+ GET_NUM_FIELD(hdr.filesize, fsize);
+ GET_NUM_FIELD(hdr.namesize, nameSize);
++ if (nameSize <= 0 || nameSize > 4096) {
++ return RPMERR_BAD_HEADER;
++ }
+ 
+ char name[nameSize + 1];
+ read = Fread(name, nameSize, 1, cpio->fd);
diff --git a/rpm.spec b/rpm.spec
index 7d710df..bc7238e 100644
--- a/rpm.spec
+++ b/rpm.spec
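Review bot: The 000 mode in the CVE-2013-6435 hunk is obtained by flipping process-wide state: umask() affects every file created by any thread of the process between the two calls, so the comment should say that the window is deliberately limited to the single Fopen and why the mode is dropped at all, e.g. `/* Create the file with 000 permissions so the not-yet-verified content is never readable by others; the final mode is applied later. */` (that later step is not visible here, and expandRegular both starts and ends outside the hunk, so confirm it exists). The restore is safe on the failure path because umask(old_umask) runs unconditionally before Ferror(wfd) is tested. The patch file also carries no description above its `---` header; a first line such as `CVE-2013-6435 (rhbz #1039811): create unpacked regular files with mode 000 until their content is verified` would let the next maintainer place it without reading the spec.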
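Review bot: The upper bound in the new check, `nameSize > 4096`, is a bare magic number even though the next line depends on it to keep the stack VLA `char name[nameSize + 1]` away from an attacker-chosen size; name it and state the reason, e.g. `if (nameSize <= 0 || nameSize > PATH_MAX) { /* untrusted header field sizes the VLA below */`, with PATH_MAX from <limits.h> (4096 on Linux) or a local named constant if the file already has a convention for limits. The `<= 0` half presumably relies on nameSize being a signed int filled by GET_NUM_FIELD; neither the macro nor the declaration is in the hunk, so check that no unsigned widening happens before this compare. rpmcpioHeaderRead starts and ends outside the hunk, and like the other new patch file this one has no leading description naming the CVE and bug it fixes.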
@@ -27,7 +27,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}4%{?dist}
+Release: %{?snapver:0.%{snapver}.}5%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2
@@ -67,6 +67,10 @@ Patch305: rpm-4.10.0-dwz-debuginfo.patch
 Patch306: rpm-4.10.0-minidebuginfo.patch
 # Fix CRC32 after dwz (#971119)
 Patch307: rpm-4.11.1-sepdebugcrcfix.patch
+# Fix race condidition where unchecked data is exposed in the file system
+Patch308: rpm-4.12.0.x-CVE-2013-6435.patch
+# Add check against malicious CPIO file name size
+Patch309: rpm-4.12.0.x-CVE-2014-8118.patch
 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
@@ -536,6 +540,13 @@ exit 0
 %doc doc/librpm/html/*
 %changelog
+* Fri Dec 12 2014 Lubos Kardos - 4.12.0.1-5
+- Add check against malicious CPIO file name size (#1168715)
+- Fixes CVE-2014-8118
+- Fix race condidition where unchecked data is exposed in the file system
+ (#1039811)
+- Fixes CVE-2013-6435
+
 * Thu Oct 30 2014 Panu Matilainen - 4.12.0.1-4
 - Axe unused generator scripts forcing a perl dependency (#1158580, #1158583)
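Review bot: The comment added above Patch308 misspells the word; it should read `# Fix race condition where unchecked data is exposed in the file system` (the same typo recurs in the new %changelog entry and in the commit subject). Both new Patch comments would also be more useful if they cited the bug they fix the way the neighbouring Patch307 comment does, e.g. `# Fix race condition where unchecked data is exposed in the file system (#1039811, CVE-2013-6435)` and `# Add check against malicious CPIO file name size (#1168715, CVE-2014-8118)`, so the spec alone tells a reader which advisory each patch file belongs to.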