- Add check against malicious CPIO file name size
- Fixes CVE-2014-8118 - Resolves #1168715 - Fix race condition where unchecked data is exposed in the file system - Fixes CVE-2013-6435 - Resolves #1039811
parent
dca944eea4
commit
2474acb1d0
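--- /dev/null
+++ b/rpm-4.12.0.x-CVE-2013-6435.patch
@@ -0,0 +1,16 @@
+--- rpm-4.12.0.1/lib/fsm.c.orig 2014-12-12 16:05:51.683430313 +0100
++++ rpm-4.12.0.1/lib/fsm.c 2014-12-12 16:08:28.046025597 +0100
+@@ -215,7 +215,12 @@ static int expandRegular(rpmfi fi, const
+FD_t wfd = NULL;
+int rc = 0;
+
+- wfd = Fopen(dest, "w.ufdio");
++ /* Create the file with 000 permissions. */
++ {
++ mode_t old_umask = umask(0777);
++ wfd = Fopen(dest, "w.ufdio");
++ umask(old_umask);
++ }
+if (Ferror(wfd)) {
+rc = RPMERR_OPEN_FAILED;
+goto exit;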
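Review bot: The 000-mode guarantee of the new block in expandRegular holds only when `Fopen(dest, "w.ufdio")` actually creates the file: a umask has no effect on a file that already exists, so if `dest` is already present the open reuses it and the unverified payload is written under the old, possibly readable, mode. Whether an existing `dest` is removed before this point is not visible here, since the function starts and continues outside the hunk; if it is not, the open should be an exclusive create or be preceded by an unlink. The comment should also record that umask() is process-wide, for example `/* umask() affects the whole process; other threads creating files in this window also get mode 000 */`.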
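--- /dev/null
+++ b/rpm-4.12.0.x-CVE-2014-8118.patch
@@ -0,0 +1,14 @@
+diff --git a/lib/cpio.c b/lib/cpio.c
+index 253ff0f..600633a 100644
+--- a/lib/cpio.c
++++ b/lib/cpio.c
+@@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, int * fx)
+
+GET_NUM_FIELD(hdr.filesize, fsize);
+GET_NUM_FIELD(hdr.namesize, nameSize);
++ if (nameSize <= 0 || nameSize > 4096) {
++ return RPMERR_BAD_HEADER;
++ }
+
+char name[nameSize + 1];
+read = Fread(name, nameSize, 1, cpio->fd);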
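Review bot: The limit in `if (nameSize <= 0 || nameSize > 4096)` is a bare literal, and nothing says why 4096 or that this check is what bounds the stack array `char name[nameSize + 1]` declared right after it. I would give the limit a name and document it, e.g. `/* namesize comes from the archive and sizes the stack array below; reject anything outside 1..4096 */`. The declaration of `nameSize` is outside the hunk, so whether `<= 0` can catch a negative value or only zero cannot be confirmed here. rpmcpioHeaderRead continues past the last line shown, so how the `Fread` result and the name's termination are handled is not visible either.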
13
rpm.spec
13
rpm.spec
@ -27,7 +27,7 @@
|
|||||||
Summary: The RPM package management system
|
Summary: The RPM package management system
|
||||||
Name: rpm
|
Name: rpm
|
||||||
Version: %{rpmver}
|
Version: %{rpmver}
|
||||||
Release: %{?snapver:0.%{snapver}.}4%{?dist}
|
Release: %{?snapver:0.%{snapver}.}5%{?dist}
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Url: http://www.rpm.org/
|
Url: http://www.rpm.org/
|
||||||
Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2
|
Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2
|
||||||
@ -67,6 +67,10 @@ Patch305: rpm-4.10.0-dwz-debuginfo.patch
|
|||||||
Patch306: rpm-4.10.0-minidebuginfo.patch
|
Patch306: rpm-4.10.0-minidebuginfo.patch
|
||||||
# Fix CRC32 after dwz (#971119)
|
# Fix CRC32 after dwz (#971119)
|
||||||
Patch307: rpm-4.11.1-sepdebugcrcfix.patch
|
Patch307: rpm-4.11.1-sepdebugcrcfix.patch
|
||||||
|
# Fix race condidition where unchecked data is exposed in the file system
|
||||||
|
Patch308: rpm-4.12.0.x-CVE-2013-6435.patch
|
||||||
|
# Add check against malicious CPIO file name size
|
||||||
|
Patch309: rpm-4.12.0.x-CVE-2014-8118.patch
|
||||||
|
|
||||||
# Partially GPL/LGPL dual-licensed and some bits with BSD
|
# Partially GPL/LGPL dual-licensed and some bits with BSD
|
||||||
# SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
|
# SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
|
||||||
@ -536,6 +540,13 @@ exit 0
|
|||||||
%doc doc/librpm/html/*
|
%doc doc/librpm/html/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Dec 12 2014 Lubos Kardos <lkardos@redhat.com> - 4.12.0.1-5
|
||||||
|
- Add check against malicious CPIO file name size (#1168715)
|
||||||
|
- Fixes CVE-2014-8118
|
||||||
|
- Fix race condidition where unchecked data is exposed in the file system
|
||||||
|
(#1039811)
|
||||||
|
- Fixes CVE-2013-6435
|
||||||
|
|
||||||
* Thu Oct 30 2014 Panu Matilainen <pmatilai@redhat.com> - 4.12.0.1-4
|
* Thu Oct 30 2014 Panu Matilainen <pmatilai@redhat.com> - 4.12.0.1-4
|
||||||
- Axe unused generator scripts forcing a perl dependency (#1158580, #1158583)
|
- Axe unused generator scripts forcing a perl dependency (#1158580, #1158583)
|
||||||
|
|
||||||
|