- Add check against malicious CPIO file name size

- Fixes CVE-2014-8118 - Resolves #1168715 - Fix race condidition where unchecked data is exposed in the file system - Fixes CVE-2013-6435 - Resolves #1039811
2014-12-12 14:07:52 +01:00 · 2014-12-12 14:07:52 +01:00 · 2474acb1d0
commit 2474acb1d0
parent dca944eea4
3 changed files with 42 additions and 1 deletions
--- a/rpm-4.12.0.x-CVE-2013-6435.patch
+++ b/rpm-4.12.0.x-CVE-2013-6435.patch
@ -0,0 +1,16 @@
+--- rpm-4.12.0.1/lib/fsm.c.orig	2014-12-12 16:05:51.683430313 +0100
+++ rpm-4.12.0.1/lib/fsm.c	2014-12-12 16:08:28.046025597 +0100
+@@ -215,7 +215,12 @@ static int expandRegular(rpmfi fi, const
+     FD_t wfd = NULL;
+     int rc = 0;
+ 
+-    wfd = Fopen(dest, "w.ufdio");
+    /* Create the file with 000 permissions. */
+    {
+	mode_t old_umask = umask(0777);
+	wfd = Fopen(dest, "w.ufdio");
+	umask(old_umask);
+    }
+     if (Ferror(wfd)) {
+ 	rc = RPMERR_OPEN_FAILED;
+ 	goto exit;
--- a/rpm-4.12.0.x-CVE-2014-8118.patch
+++ b/rpm-4.12.0.x-CVE-2014-8118.patch
@ -0,0 +1,14 @@
+diff --git a/lib/cpio.c b/lib/cpio.c
+index 253ff0f..600633a 100644
+--- a/lib/cpio.c
+++ b/lib/cpio.c
+@@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, int * fx)
+ 
+     GET_NUM_FIELD(hdr.filesize, fsize);
+     GET_NUM_FIELD(hdr.namesize, nameSize);
+    if (nameSize <= 0 || nameSize > 4096) {
+	 return RPMERR_BAD_HEADER;
+    }
+ 
+     char name[nameSize + 1];
+     read = Fread(name, nameSize, 1, cpio->fd);
--- a/rpm.spec
+++ b/rpm.spec
@ -27,7 +27,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}4%{?dist}
+Release: %{?snapver:0.%{snapver}.}5%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2
@ -67,6 +67,10 @@ Patch305: rpm-4.10.0-dwz-debuginfo.patch
 Patch306: rpm-4.10.0-minidebuginfo.patch
 # Fix CRC32 after dwz (#971119)
 Patch307: rpm-4.11.1-sepdebugcrcfix.patch
+# Fix race condidition where unchecked data is exposed in the file system
+Patch308: rpm-4.12.0.x-CVE-2013-6435.patch
+# Add check against malicious CPIO file name size
+Patch309: rpm-4.12.0.x-CVE-2014-8118.patch

 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD 
@ -536,6 +540,13 @@ exit 0
 %doc doc/librpm/html/*

 %changelog
+* Fri Dec 12 2014 Lubos Kardos <lkardos@redhat.com> - 4.12.0.1-5
+- Add check against malicious CPIO file name size (#1168715)
+- Fixes CVE-2014-8118
+- Fix race condidition where unchecked data is exposed in the file system
+  (#1039811)
+- Fixes CVE-2013-6435
+
 * Thu Oct 30 2014 Panu Matilainen <pmatilai@redhat.com> - 4.12.0.1-4
 - Axe unused generator scripts forcing a perl dependency (#1158580, #1158583)