import rpm-4.14.3-14.el8_4

2021-06-02 18:11:02 +00:00 · 2021-06-02 18:11:02 +00:00 · 6d629ce848
commit 6d629ce848
parent 9109772ba4
2 changed files with 168 additions and 1 deletions
--- a/SOURCES/rpm-4.14.3-more-careful-sig-hdr-copy.patch
+++ b/SOURCES/rpm-4.14.3-more-careful-sig-hdr-copy.patch
@ -0,0 +1,162 @@
 commit d6a86b5e69e46cc283b1e06c92343319beb42e21
 Author: Panu Matilainen <pmatilai@redhat.com>
 Date:   Thu Mar 4 13:21:19 2021 +0200
    Be much more careful about copying data from the signature header
    Only look for known tags, and ensure correct type and size where known
    before copying over. Bump the old arbitrary 16k count limit to 16M limit
    though, it's not inconceivable that a package could have that many files.
    While at it, ensure none of these tags exist in the main header,
    which would confuse us greatly.
    This is optimized for backporting ease, upstream can remove redundancies
    and further improve checking later.
    Reported and initial patches by Demi Marie Obenour.
    Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ...
    Fixes: CVE-2021-3421, CVE-2021-20271
    Combined with e2f1f1931c5ccf3ecbe4e1e12cacb1e17a277776 and backported into
    4.14.3
 diff -up rpm-4.14.3/lib/package.c.orig rpm-4.14.3/lib/package.c
 --- rpm-4.14.3/lib/package.c.orig	2021-05-31 12:32:49.970393976 +0200
 +++ rpm-4.14.3/lib/package.c	2021-05-31 13:53:58.250673275 +0200
@@ -31,76 +31,72 @@ struct pkgdata_s {
     rpmRC rc;
 };
 +struct taglate_s {
 +    rpmTagVal stag;
 +    rpmTagVal xtag;
 +    rpm_count_t count;
 +    int quirk;
 +} const xlateTags[] = {
 +    { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1, 0 },
 +    { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0, 0 },
 +    { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16, 0 },
 +    { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0, 0 },
 +    /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0, 0 }, */ /* long obsolete, dont use */
 +    { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1, 1 },
 +    { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1, 0 },
 +    { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1, 0 },
 +    { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0, 0 },
 +    { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0, 0 },
 +    { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1, 0 },
 +    { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1, 0 },
 +    { 0 }
 +};
 +
 /** \ingroup header
  * Translate and merge legacy signature tags into header.
  * @param h		header (dest)
  * @param sigh		signature header (src)
 + * @return		failing tag number, 0 on success
  */
 static
 -void headerMergeLegacySigs(Header h, Header sigh)
 +rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg)
 {
 -    HeaderIterator hi;
 +    const struct taglate_s *xl;
     struct rpmtd_s td;
 -    hi = headerInitIterator(sigh);
 -    for (; headerNext(hi, &td); rpmtdFreeData(&td))
 -    {
 -	switch (td.tag) {
 -	/* XXX Translate legacy signature tag values. */
 -	case RPMSIGTAG_SIZE:
 -	    td.tag = RPMTAG_SIGSIZE;
 -	    break;
 -	case RPMSIGTAG_PGP:
 -	    td.tag = RPMTAG_SIGPGP;
 -	    break;
 -	case RPMSIGTAG_MD5:
 -	    td.tag = RPMTAG_SIGMD5;
 -	    break;
 -	case RPMSIGTAG_GPG:
 -	    td.tag = RPMTAG_SIGGPG;
 -	    break;
 -	case RPMSIGTAG_PGP5:
 -	    td.tag = RPMTAG_SIGPGP5;
 -	    break;
 -	case RPMSIGTAG_PAYLOADSIZE:
 -	    td.tag = RPMTAG_ARCHIVESIZE;
 -	    break;
 -	case RPMSIGTAG_SHA1:
 -	case RPMSIGTAG_SHA256:
 -	case RPMSIGTAG_DSA:
 -	case RPMSIGTAG_RSA:
 -	default:
 -	    if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE))
 +    rpmtdReset(&td);
 +    for (xl = xlateTags; xl->stag; xl++) {
 +	/* There mustn't be one in the main header */
 +	if (headerIsEntry(h, xl->xtag)) {
 +	    /* Some tags may exist in either header, but never both */
 +	    if (xl->quirk && !headerIsEntry(sigh, xl->stag))
 		continue;
 	    break;
 	}
 -	if (!headerIsEntry(h, td.tag)) {
 -	    switch (td.type) {
 -	    case RPM_NULL_TYPE:
 -		continue;
 +	if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) {
 +	    /* Translate legacy tags */
 +	    if (xl->stag != xl->xtag)
 +		td.tag = xl->xtag;
 +	    /* Ensure type and tag size match expectations */
 +	    if (td.type != rpmTagGetTagType(td.tag))
 		break;
 -	    case RPM_CHAR_TYPE:
 -	    case RPM_INT8_TYPE:
 -	    case RPM_INT16_TYPE:
 -	    case RPM_INT32_TYPE:
 -	    case RPM_INT64_TYPE:
 -		if (td.count != 1)
 -		    continue;
 +	    if (td.count < 1 || td.count > 16*1024*1024)
 		break;
 -	    case RPM_STRING_TYPE:
 -	    case RPM_BIN_TYPE:
 -		if (td.count >= 16*1024)
 -		    continue;
 +	    if (xl->count && td.count != xl->count)
 		break;
 -	    case RPM_STRING_ARRAY_TYPE:
 -	    case RPM_I18NSTRING_TYPE:
 -		continue;
 +	    if (!headerPut(h, &td, HEADERPUT_DEFAULT))
 		break;
 -	    }
 -	    (void) headerPut(h, &td, HEADERPUT_DEFAULT);
 +	    rpmtdFreeData(&td);
 	}
     }
 -    headerFreeIterator(hi);
 +    rpmtdFreeData(&td);
 +
 +    if (xl->stag) {
 +	rasprintf(msg, "invalid signature tag %s (%d)",
 +			rpmTagGetName(xl->xtag), xl->xtag);
 +    }
 +
 +    return xl->stag;
 }
 /**
@@ -363,7 +359,8 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t
 		goto exit;
 	    /* Append (and remap) signature tags to the metadata. */
 -	    headerMergeLegacySigs(h, sigh);
 +	    if (headerMergeLegacySigs(h, sigh, &msg))
 +		goto exit;
 	    applyRetrofits(h);
 	    /* Bump reference count for return. */
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@ -30,7 +30,7 @@
 %global rpmver 4.14.3
 #global snapver rc2
-%global rel 13
+%global rel 14
 %global srcver %{version}%{?snapver:-%{snapver}}
 %global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
@ -103,6 +103,7 @@ Patch150: rpm-4.14.3-add-fapolicyd-rpm-plugin.patch
 Patch151: 0001-Unblock-signals-in-forked-scriptlets.patch
 Patch152: rpm-4.14.3-fix-ambiguous-diagnostics-on-file-triggers.patch
 Patch153: rpm-4.14.3-ELF-files-strip-when-debuginfo-disabled.patch
 Patch154: rpm-4.14.3-more-careful-sig-hdr-copy.patch
 # Python 3 string API sanity
 Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
@ -681,6 +682,10 @@ make check || cat tests/rpmtests.log
 %doc doc/librpm/html/*
 %changelog
 * Thu May 27 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-14
 - Be more careful about copying data from signature header (#1958477)
 - Fixes CVE-2021-20271
 * Fri Feb 12 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-13
 - Fix minor issues found by COVSCAN in fapolicyd plugin
 - Actually honor libarchive bcond at configure time (#1902887)