diff options
-rw-r--r-- | meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch | 110 | ||||
-rw-r--r-- | meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch | 44 |
2 files changed, 0 insertions, 154 deletions
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch deleted file mode 100644 index a2691f6da8..0000000000 --- a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001 -From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> -Date: Wed, 10 Jun 2015 14:36:56 +0000 -Subject: [PATCH 2/2] rpm: CVE-2013-6435 - -Upstream-Status: Backport -CVE: CVE-2013-6435 - -Reference: -https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435 - -Description: -It was found that RPM wrote file contents to the target installation -directory under a temporary name, and verified its cryptographic signature -only after the temporary file has been written completely. Under certain -conditions, the system interprets the unverified temporary file contents -and extracts commands from it. This could allow an attacker to modify -signed RPM files in such a way that they would execute code chosen -by the attacker during package installation. - -Original Patch: -https://bugzilla.redhat.com/attachment.cgi?id=956207 - -Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> ---- - lib/fsm.c | 2 +- - rpmio/rpmio.c | 18 ++++++++++++++---- - 2 files changed, 15 insertions(+), 5 deletions(-) - -diff --git a/lib/fsm.c b/lib/fsm.c -index 1ee7e67..094eb1d 100644 ---- a/lib/fsm.c -+++ b/lib/fsm.c -@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest) - { - FD_t wfd = NULL; - const struct stat * st = &fsm->sb; -- rpm_loff_t left = st->st_size; -+ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix); - const unsigned char * fidigest = NULL; - pgpHashAlgo digestalgo = 0; - int rc = 0; -diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c -index cd223e8..0b12e31 100644 ---- a/rpmio/rpmio.c -+++ b/rpmio/rpmio.c -@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd) - * - bzopen: [1-9] is block size (modulo 100K) - * - bzopen: 's' is smallmode - * - HACK: '.' terminates, rest is type of I/O -+ * - 'U' sets *mode to zero (no permissions) instead of 0666 - */ - static void cvtfmode (const char *m, - char *stdio, size_t nstdio, - char *other, size_t nother, -- const char **end, int * f) -+ const char **end, int *f, mode_t *mode) - { - int flags = 0; - char c; - -+ if (mode) -+ *mode = 0666; -+ - switch (*m) { - case 'a': - flags |= O_WRONLY | O_CREAT | O_APPEND; -@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m, - if (--nstdio > 0) *stdio++ = c; - continue; - break; -+ case 'U': -+ if (mode) -+ *mode = 0; -+ break; - default: - if (--nother > 0) *other++ = c; - continue; -@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd)); - if (fd == NULL || fmode == NULL) - return NULL; - -- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL); -+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL, -+ NULL); - if (stdio[0] == '\0') - return NULL; - zstdio[0] = '\0'; -@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode) - { - char stdio[20], other[20]; - const char *end = NULL; -- mode_t perms = 0666; -+ mode_t perms; - int flags = 0; - FD_t fd; - -@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode) - return NULL; - - stdio[0] = '\0'; -- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags); -+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags, -+ &perms); - if (stdio[0] == '\0') - return NULL; - --- -1.8.4.5 - diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch deleted file mode 100644 index 985f150f0f..0000000000 --- a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001 -From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> -Date: Wed, 10 Jun 2015 12:56:55 +0000 -Subject: [PATCH 1/2] rpm: CVE-2014-8118 - -Upstream-Status: Backport -CVE: CVE-2014-8118 - -Reference: -https://bugzilla.redhat.com/show_bug.cgi?id=1168715 - -Description: -It was found that RPM could encounter an integer overflow, -leading to a stack-based overflow, while parsing a crafted -CPIO header in the payload section of an RPM file. This could -allow an attacker to modify signed RPM files in such a way that -they would execute code chosen by the attacker during package -installation. - -Original Patch: -https://bugzilla.redhat.com/attachment.cgi?id=962159 - -Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> ---- - lib/cpio.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/cpio.c b/lib/cpio.c -index 382eeb6..74ddd9c 100644 ---- a/lib/cpio.c -+++ b/lib/cpio.c -@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st) - st->st_rdev = makedev(major, minor); - - GET_NUM_FIELD(hdr.namesize, nameSize); -+ if (nameSize <= 0 || nameSize > 4096) { -+ return CPIOERR_BAD_HEADER; -+ } - - *path = xmalloc(nameSize + 1); - read = Fread(*path, nameSize, 1, cpio->fd); --- -1.8.4.5 - |