[rpm/f21] - Add check against malicious CPIO file name size - Fixes CVE-2014-8118 - Resolves #1168715 - Fix ra
Ľuboš Kardoš
lkardos at fedoraproject.org
Fri Dec 12 16:15:44 UTC 2014
commit 3c276f274436e726cdcaa136d59790db7abc64dc
Author: Lubos Kardos <lkardos at redhat.com>
Date: Fri Dec 12 14:07:52 2014 +0100
- Add check against malicious CPIO file name size
- Fixes CVE-2014-8118
- Resolves #1168715
- Fix race condition where unchecked data is exposed in the file system
- Fixes CVE-2013-6435
- Resolves #1039811
rpm-4.12.0.x-CVE-2013-6435.patch | 16 ++++++++++++++++
rpm-4.12.0.x-CVE-2014-8118.patch | 14 ++++++++++++++
rpm.spec | 13 ++++++++++++-
3 files changed, 42 insertions(+), 1 deletions(-)
---
diff --git a/rpm-4.12.0.x-CVE-2013-6435.patch b/rpm-4.12.0.x-CVE-2013-6435.patch
new file mode 100644
index 0000000..c093352
--- /dev/null
+++ b/rpm-4.12.0.x-CVE-2013-6435.patch
@@ -0,0 +1,16 @@
+--- rpm-4.12.0.1/lib/fsm.c.orig 2014-12-12 16:05:51.683430313 +0100
++++ rpm-4.12.0.1/lib/fsm.c 2014-12-12 16:08:28.046025597 +0100
+@@ -215,7 +215,12 @@ static int expandRegular(rpmfi fi, const
+ FD_t wfd = NULL;
+ int rc = 0;
+
+- wfd = Fopen(dest, "w.ufdio");
++ /* Create the file with 000 permissions. */
++ {
++ mode_t old_umask = umask(0777);
++ wfd = Fopen(dest, "w.ufdio");
++ umask(old_umask);
++ }
+ if (Ferror(wfd)) {
+ rc = RPMERR_OPEN_FAILED;
+ goto exit;
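Review bot: the umask(0777) window around Fopen() in this hunk is process-global, so any other thread in a program linking librpm that creates a file during that window also gets 000 permissions; the window is short and the old umask is correctly restored before the Ferror() check, but the comment should say so, and nothing in the hunk restores a real mode on the file, so the fix relies on a later chmod in the FSM that is not visible here. A comment pointing at where the final mode is applied (and why 000 is safe until the content is verified, per the commit message) would make the intent reviewable. The patch paths carry a rpm-4.12.0.1/ prefix, so the spec must apply it with -p1.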
diff --git a/rpm-4.12.0.x-CVE-2014-8118.patch b/rpm-4.12.0.x-CVE-2014-8118.patch
new file mode 100644
index 0000000..cabdb33
--- /dev/null
+++ b/rpm-4.12.0.x-CVE-2014-8118.patch
@@ -0,0 +1,14 @@
+diff --git a/lib/cpio.c b/lib/cpio.c
+index 253ff0f..600633a 100644
+--- a/lib/cpio.c
++++ b/lib/cpio.c
+@@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, int * fx)
+
+ GET_NUM_FIELD(hdr.filesize, fsize);
+ GET_NUM_FIELD(hdr.namesize, nameSize);
++ if (nameSize <= 0 || nameSize > 4096) {
++ return RPMERR_BAD_HEADER;
++ }
+
+ char name[nameSize + 1];
+ read = Fread(name, nameSize, 1, cpio->fd);
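Review bot: the new range check keeps an attacker-controlled namesize from sizing the VLA `char name[nameSize + 1]`, but 4096 is a bare magic number; give it a named constant with a comment stating why the bound exists, or tie it to whatever path limit the rest of lib/cpio.c uses. The neighbouring `GET_NUM_FIELD(hdr.filesize, fsize)` reads a value from the same untrusted header and gets no range check in this hunk; worth confirming that fsize only ever drives bounded reads and is never used to size a stack or heap buffer.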
diff --git a/rpm.spec b/rpm.spec
index 35d2aea..f2e5d6d 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -27,7 +27,7 @@
Summary: The RPM package management system
Name: rpm
Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}3%{?dist}
+Release: %{?snapver:0.%{snapver}.}4%{?dist}
Group: System Environment/Base
Url: http://www.rpm.org/
Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2
@@ -67,6 +67,10 @@ Patch305: rpm-4.10.0-dwz-debuginfo.patch
Patch306: rpm-4.10.0-minidebuginfo.patch
# Fix CRC32 after dwz (#971119)
Patch307: rpm-4.11.1-sepdebugcrcfix.patch
+# Fix race condidition where unchecked data is exposed in the file system
+Patch308: rpm-4.12.0.x-CVE-2013-6435.patch
+# Add check against malicious CPIO file name size
+Patch309: rpm-4.12.0.x-CVE-2014-8118.patch
# Partially GPL/LGPL dual-licensed and some bits with BSD
# SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
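Review bot: Patch308 and Patch309 are declared here, but the diff shows no matching `%patch308 -p1` / `%patch309 -p1` lines in %prep; unless this spec applies patches automatically, neither fix reaches the build tree. Both new patch files carry a one-directory prefix (rpm-4.12.0.1/lib/fsm.c and a/lib/cpio.c), so -p1 is the correct strip level. Also, 'condidition' in the Patch308 comment is a typo for 'condition'.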
@@ -534,6 +538,13 @@ exit 0
%doc doc/librpm/html/*
%changelog
+* Fri Dec 12 2014 Lubos Kardos <lkardos at redhat.com> - 4.12.0.1-4
+- Add check against malicious CPIO file name size (#1168715)
+- Fixes CVE-2014-8118
+- Fix race condidition where unchecked data is exposed in the file system
+ (#1039811)
+- Fixes CVE-2013-6435
+
* Tue Oct 28 2014 Panu Matilainen <pmatilai at redhat.com> - 4.12.0.1-3
- Skip ghost files in payload (#1156497)
- Fix size and archice size tag generation on big-endian systems
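Review bot: the added changelog entry repeats the 'condidition' typo from the spec comment; fix it before it lands in the package history. The entry's version 4.12.0.1-4 matches the Release bump earlier in the diff, and the bug numbers (#1168715, #1039811) match the commit message.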