import rpm-4.14.3-15.el8
parent
6d629ce848
commit
883db33fa0
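--- /dev/null
+++ b/SOURCES/rpm-4.14.3-hdrblobInit-add-bounds-check.patch
@@ -0,0 +1,100 @@
+commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef
+Author: Demi Marie Obenour <athena@invisiblethingslab.com>
+Date: Mon Feb 8 16:05:01 2021 -0500
+
+hdrblobInit() needs bounds checks too
+
+Users can pass untrusted data to hdrblobInit() and it must be robust
+against this.
+
+diff --git a/lib/header.c b/lib/header.c
+index ea39e679f..ebba9c2b0 100644
+--- a/lib/header.c
++++ b/lib/header.c
+@@ -11,6 +11,7 @@
+#include "system.h"
+#include <netdb.h>
+#include <errno.h>
++#include <inttypes.h>
+#include <rpm/rpmtypes.h>
+#include <rpm/rpmstring.h>
+#include "lib/header_internal.h"
+@@ -1912,6 +1913,25 @@ hdrblob hdrblobFree(hdrblob blob)
+return NULL;
+}
+
++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,
++ char **emsg) {
++ uint32_t il_max = HEADER_TAGS_MAX;
++ uint32_t dl_max = HEADER_DATA_MAX;
++ if (regionTag == RPMTAG_HEADERSIGNATURES) {
++ il_max = 32;
++ dl_max = 64 * 1024 * 1024;
++ }
++ if (hdrchkRange(il_max, il)) {
++ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il);
++ return RPMRC_FAIL;
++ }
++ if (hdrchkRange(dl_max, dl)) {
++ rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl);
++ return RPMRC_FAIL;
++ }
++ return RPMRC_OK;
++}
++
+rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)
+{
+int32_t block[4];
+@@ -1924,13 +1944,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+size_t nb;
+rpmRC rc = RPMRC_FAIL; /* assume failure */
+int xx;
+- int32_t il_max = HEADER_TAGS_MAX;
+- int32_t dl_max = HEADER_DATA_MAX;
+-
+- if (regionTag == RPMTAG_HEADERSIGNATURES) {
+- il_max = 32;
+- dl_max = 64 * 1024 * 1024;
+- }
+
+memset(block, 0, sizeof(block));
+if ((xx = Freadall(fd, bs, blen)) != blen) {
+@@ -1943,15 +1956,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+goto exit;
+}
+il = ntohl(block[2]);
+- if (hdrchkRange(il_max, il)) {
+- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
+- goto exit;
+- }
+dl = ntohl(block[3]);
+- if (hdrchkRange(dl_max, dl)) {
+- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl);
++ if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
+goto exit;
+- }
+
+nb = (il * sizeof(struct entryInfo_s)) + dl;
+uc = sizeof(il) + sizeof(dl) + nb;
+@@ -1995,11 +2002,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
+struct hdrblob_s *blob, char **emsg)
+{
+rpmRC rc = RPMRC_FAIL;
+-
+memset(blob, 0, sizeof(*blob));
++ if (uc && uc < 8) {
++ rasprintf(emsg, _("hdr length: BAD"));
++ goto exit;
++ }
++
+blob->ei = (int32_t *) uh; /* discards const */
+- blob->il = ntohl(blob->ei[0]);
+- blob->dl = ntohl(blob->ei[1]);
++ blob->il = ntohl((uint32_t)(blob->ei[0]));
++ blob->dl = ntohl((uint32_t)(blob->ei[1]));
++ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)
++ goto exit;
++
+blob->pe = (entryInfo) &(blob->ei[2]);
+blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
+(blob->il * sizeof(*blob->pe)) + blob->dl;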
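Review bot: The two callers of the new hdrblobVerifyLengths() test its rpmRC result inconsistently — hdrblobRead uses `if (hdrblobVerifyLengths(regionTag, il, dl, emsg))` while hdrblobInit spells out `!= RPMRC_OK`; since the helper returns an enum rather than a boolean, the explicit comparison should be used at both sites. The helper itself has no header comment; a short one such as `/* Reject tag counts / data sizes outside the limits for this region (signature headers get tighter caps); sets *emsg and returns RPMRC_FAIL on violation. */` would document why there are two limit sets. In hdrblobInit the guard `if (uc && uc < 8)` deliberately lets uc == 0 through, so ei[0] and ei[1] are then read with no size information at all; if zero means the caller vouches for the buffer and a later comparison of pvlen against uc presumably covers the rest, a comment at the guard saying so would keep it from reading as a gap. The bodies of hdrblobRead and hdrblobInit continue outside the hunks.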
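--- /dev/null
+++ b/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch
@@ -0,0 +1,48 @@
+commit cfdb8300f6e3aed0abc41406a3c4737eb1192067
+Author: Michal Domonkos <mdomonko@redhat.com>
+Date: Sun Jul 11 18:08:26 2021 +0200
+
+Don't brp-strip .ko files
+
+Otherwise SecureBoot signatures may be stripped too.
+
+We used to exclude shared libraries from this strip as they were
+supposed to be covered by another brp script (brp-strip-shared), however
+it turned out the latter was never really used, so we removed the
+exclusion in commit 0ab151ab138fd4fb6d3176fd0270d9cc6f4623f3.
+
+As it turns out, that was a little too ambitious, since we may now
+inadvertently strip SecureBoot signatures from kernel modules too,
+provided that they're made during the build, prior to the invocation of
+brp-strip.
+
+Note that this regression currently does *not* affect the following two
+cases on Fedora/RHEL systems with redhat-rpm-config installed:
+
+- in-tree kernel modules; these are built from kernel.spec which
+already contains a hack ensuring that module signing only happens
+*after* any stripping (see %__modsign_install_post in kernel.spec)
+
+- out-of-tree kernel modules built with debuginfo enabled; this is
+because brp-strip is only called when %debug_package is set to
+%{nil}
+
+Any other combinations may be affected, depending on the macros and
+.spec files used, so let's fix this by effectively "reverting" said
+commit for .ko files only.
+
+Fixes: rhbz#1967291
+
+Backported into 4.14.3
+diff -up rpm-4.14.3/scripts/brp-strip.orig rpm-4.14.3/scripts/brp-strip
+--- rpm-4.14.3/scripts/brp-strip.orig 2021-07-12 17:21:04.446396789 +0200
++++ rpm-4.14.3/scripts/brp-strip 2021-07-12 17:21:20.673633783 +0200
+@@ -12,7 +12,7 @@ Darwin*) exit 0 ;;
+esac
+
+# Strip ELF binaries
+-for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \
++for f in `find "$RPM_BUILD_ROOT" -type f \! -name "*.ko" -exec file {} \; | \
+grep -v "^${RPM_BUILD_ROOT}/\?usr/lib/debug" | \
+sed -n -e 's/^\(.*\):[ ]*ELF.*, not stripped.*/\1/p'`; do
+$STRIP -g "$f" || :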
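Review bot: The comment above the loop, `# Strip ELF binaries`, no longer describes what the new find invocation does now that `\! -name "*.ko"` excludes kernel modules, and a reader of brp-strip alone cannot tell that the exclusion exists to keep Secure Boot signatures intact. Suggest `# Strip ELF binaries, except kernel modules (*.ko): stripping them would also remove a Secure Boot signature applied earlier in the build`. The exclusion is by file name only, so it presumably relies on modules always carrying the .ko suffix at the point brp-strip runs. The for loop continues past the hunk.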
@ -30,7 +30,7 @@
%global rpmver 4.14.3
#global snapver rc2
%global rel 14
%global rel 15
%global srcver %{version}%{?snapver:-%{snapver}}
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
@ -104,6 +104,8 @@ Patch151: 0001-Unblock-signals-in-forked-scriptlets.patch
Patch152: rpm-4.14.3-fix-ambiguous-diagnostics-on-file-triggers.patch
Patch153: rpm-4.14.3-ELF-files-strip-when-debuginfo-disabled.patch
Patch154: rpm-4.14.3-more-careful-sig-hdr-copy.patch
Patch155: rpm-4.14.3-preserve-kmod-secure-boot-signature.patch
Patch156: rpm-4.14.3-hdrblobInit-add-bounds-check.patch
# Python 3 string API sanity
Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
@ -682,6 +684,11 @@ make check || cat tests/rpmtests.log
%doc doc/librpm/html/*
%changelog
* Thu Jul 15 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-15
- Add out-of-bounds checks to hdrblobInit() (#1929445)
- Fixes CVE-2021-20266
- Fix regression in brp-strip causing kmods to lose SecureBoot sig (#1967291)
* Thu May 27 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-14
- Be more careful about copying data from signature header (#1958477)
- Fixes CVE-2021-20271