Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Release Team

rpm in testing (4.10.0-5) is also affected by CVE-2012-6088: Signature
checking function returned success on (possibly malicious) rpm packages.
See #697375.

After confirmation by Michal[1] I uploaded the fix for unstable (with
4.10.1-2.1) and now would like to ask for an unblock for an upload to
t-p-u. I'm attaching the debdiff to this report.

[1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697375#27

unblock rpm/4.10.0-5+deb7u1

Thanks for your release work, and Regards,
Salvatore

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJQ6L0qAAoJEHidbwV/2GP+Pw4P/3lMqjcktDLd0ir038QNWf1I
QNQhwcEuO/dGH3pWKRRjHEjdcDTQBkDC8zCthtRuk3CcjUFYBh6BosLo45LELdIf
0Av6Kj0yiGwHcUmWrqDnO59cqTpugoGk0KN/IHH7UZD+ggRKgRblm/OtSymA7uxq
5zcVGOWfnzoXHeH8U5bTTVwPBP3qj4kZwHr53/UlQdNARKh6vVFAmvlvcEmMNrIM
3ySEphYQ69aQOmftYyVlciMBlqcL21I1EQm78bH97jXnIwX3ZAuNAMmRVtbuL6Bv
hc/K7JkfVbUl4cB/fsiGJWrabiVppvWhAw5Ho2mCqn+d11e7SZVTr9fpYmgiTWOn
6KTE3ruvlAKvVclFDplKg7sD+UvHbskxAB6i7h21vhQ4uUqPu6bfjGw7hEC+bwLO
ZyB4btVz22LcPGlgAzzYatkgA6jBalp+y/ykz2n2NG6OwOUCxwZI+68IBC4Zr/6J
p15G9o0YyP92j7ro9D8SJwFVj8jNlOJkCvWEV1pZ16KCBxhFvz8jTQu2FkHh/LI6
F2WfOcAKeVMUTyWau5CXCQgr1M6e7dmQXWDfwmnwW8FusZW+3SDMU9oglT7bYHx9
LKEdjmFVrw1uiLY8rIvTLtKjJznHH86sn1jKyx29V5wImkomAsNi2SB+pE2S2Y6K
as2theFUFQdhqD7HYpeF
=D64D
-----END PGP SIGNATURE-----
diff -Nru rpm-4.10.0/debian/changelog rpm-4.10.0/debian/changelog --- rpm-4.10.0/debian/changelog 2012-08-15 09:05:37.000000000 +0200 +++ rpm-4.10.0/debian/changelog 2013-01-06 00:31:43.000000000 +0100 @@ -1,3 +1,13 @@ +rpm (4.10.0-5+deb7u1) testing-proposed-updates; urgency=low + + * Non-maintainer upload. + * Add 0001-Ensure-correct-return-code-on-malformed-signature-in.patch + [SECURITY] CVE-2012-6088: Ensure correct return code on malformed + signature in packages. Patch cherry-picked from upstream git repository. + (Closes: #697375) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 05 Jan 2013 13:11:49 +0100 + rpm (4.10.0-5) unstable; urgency=low * Added patch from Fedora to support X-CheckUnifiedSystemdir diff -Nru rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch --- rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch 1970-01-01 01:00:00.000000000 +0100 +++ rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch 2013-01-06 00:31:43.000000000 +0100 
@@ -0,0 +1,50 @@ +From 3d74c43e7424bc8bf95f5e031446ecb6b08381e8 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen <pmati...@redhat.com> +Date: Fri, 7 Dec 2012 13:54:23 +0200 +Subject: [PATCH] Ensure correct return code on malformed signature in + packages + +- rpmpkgRead() starts with assumed failure, but there are a number + of places assigning the return code, and by the time we get + to the parsePGPSig() calls its likely to be RPMRC_OK, so the + jumps to exit result in "all is well" return code on a signature + we couldn't even parse. Oops. +- Set the failure status explicitly to fix this fairly nasty regression + introduced in commit e8bc3ff5d780f4ee6656c24464402723e5fb04f4, ie + rpm >= 4.10. +(cherry picked from commit 96a616c6aed4c516789a154af188f005caf23f14) +--- + lib/package.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/package.c b/lib/package.c +index 4eeddbf..907cf73 100644 +--- a/lib/package.c ++++ b/lib/package.c +@@ -600,8 +600,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags, + switch (sigtag) { + case RPMSIGTAG_RSA: + case RPMSIGTAG_DSA: +- if (parsePGPSig(&sigtd, "package", fn, &sig)) ++ if (parsePGPSig(&sigtd, "package", fn, &sig)) { ++ rc = RPMRC_FAIL; + goto exit; ++ } + /* fallthrough */ + case RPMSIGTAG_SHA1: + { struct rpmtd_s utd; +@@ -619,8 +621,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags, + case RPMSIGTAG_GPG: + case RPMSIGTAG_PGP5: /* XXX legacy */ + case RPMSIGTAG_PGP: +- if (parsePGPSig(&sigtd, "package", fn, &sig)) ++ if (parsePGPSig(&sigtd, "package", fn, &sig)) { ++ rc = RPMRC_FAIL; + goto exit; ++ } + /* fallthrough */ + case RPMSIGTAG_MD5: + /* Legacy signatures need the compressed payload in the digest too. */ +-- +1.7.10.4 + diff -Nru rpm-4.10.0/debian/patches/series rpm-4.10.0/debian/patches/series --- rpm-4.10.0/debian/patches/series 2012-08-15 09:05:37.000000000 +0200 +++ rpm-4.10.0/debian/patches/series 2013-01-06 00:31:43.000000000 +0100 
@@ -10,3 +10,4 @@ autogen-cleanup.patch lua-libname.patch rpm-4.9.1.2-rpmlib-filesystem-check.patch +0001-Ensure-correct-return-code-on-malformed-signature-in.patch
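Review bot: the debian/changelog hunk says the patch was "cherry-picked from upstream git repository" but does not name the upstream commit; since the patch header already records "(cherry picked from commit 96a616c6aed4c516789a154af188f005caf23f14)", repeating that id in the changelog entry would let reviewers and security trackers match the Debian fix to upstream without opening the patch file.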
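Review bot: in the lib/package.c hunk at @@ -600,8 +600,10 (and identically at @@ -619,8 +621,10) the fix assigns `rc = RPMRC_FAIL;` at the two parsePGPSig() call sites, which closes the reported path but leaves the underlying hazard in place: as the commit message says, rc has "likely" already been overwritten with RPMRC_OK before the switch, so any other path in rpmpkgRead() that reaches `exit` without an explicit assignment will still report success. Consider resetting rc to RPMRC_FAIL immediately before `switch (sigtag) {` (or restructuring so rc only becomes RPMRC_OK on the single success path at the end of the function), so that a forgotten assignment on a future early exit fails closed instead of open. The diffstat also shows only lib/package.c touched ("1 file changed"); a regression test that feeds a package with a malformed RSA/DSA or PGP signature blob and asserts a non-OK return would keep this from silently regressing again.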
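The bug described in the commit message above is a general pattern, not something specific to rpm: a status variable initialised to "failure" is overwritten by an intermediate success, and a later error path jumps to the exit label without resetting it. The following is an added, self-contained C model of that pattern beside the fix the patch applies; it is not rpm's code. The names verify_before(), verify_after(), parse_pgp_sig(), read_sig_header() and check_digest() are hypothetical stand-ins for rpmpkgRead(), parsePGPSig() and the header/digest steps around them, and the signature blobs are constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>

/* Return codes modelled on rpm's rpmRC values. */
typedef enum { RC_OK = 0, RC_NOTFOUND = 1, RC_FAIL = 2 } rc_t;

/* Hypothetical subset of the RPMSIGTAG_* tags used in the patch. */
enum { SIGTAG_RSA = 1, SIGTAG_SHA1 = 2 };

/* Constructed stand-in for the signature header entry (rpmtd_s in rpm). */
struct sigtd {
    int tag;
    const unsigned char *data;
    size_t len;
};

/* Stand-in for parsePGPSig(): an OpenPGP packet starts with a byte whose
 * high bit (the packet-tag bit) is set and carries at least a length byte;
 * anything else is treated as malformed. Returns nonzero on failure, as
 * the real function does. */
static int parse_pgp_sig(const struct sigtd *td)
{
    return (td->len < 2 || (td->data[0] & 0x80) == 0) ? 1 : 0;
}

/* Stand-in for the header read that runs before the switch in
 * rpmpkgRead() and assigns rc on success. */
static rc_t read_sig_header(const struct sigtd *td, int *sigtag)
{
    *sigtag = td->tag;
    return RC_OK;
}

/* Stand-in for the digest verification the fallthrough reaches. */
static rc_t check_digest(const struct sigtd *td)
{
    (void)td;
    return RC_OK;
}

/* "Before": rc starts as failure but is overwritten by an intermediate
 * success, so the parse-failure goto returns a stale RC_OK. */
rc_t verify_before(const struct sigtd *td)
{
    rc_t rc = RC_FAIL;                 /* assumed failure ...          */
    int sigtag;

    rc = read_sig_header(td, &sigtag); /* ... quietly becomes RC_OK    */
    if (rc != RC_OK)
        goto exit;

    switch (sigtag) {
    case SIGTAG_RSA:
        if (parse_pgp_sig(td))
            goto exit;                 /* BUG: rc is still RC_OK here  */
        /* fallthrough */
    case SIGTAG_SHA1:
        rc = check_digest(td);
        break;
    default:
        rc = RC_FAIL;
        break;
    }
exit:
    return rc;
}

/* "After": the same flow with the patch's fix, failure set explicitly. */
rc_t verify_after(const struct sigtd *td)
{
    rc_t rc = RC_FAIL;
    int sigtag;

    rc = read_sig_header(td, &sigtag);
    if (rc != RC_OK)
        goto exit;

    switch (sigtag) {
    case SIGTAG_RSA:
        if (parse_pgp_sig(td)) {
            rc = RC_FAIL;              /* fix: fail closed before exit */
            goto exit;
        }
        /* fallthrough */
    case SIGTAG_SHA1:
        rc = check_digest(td);
        break;
    default:
        rc = RC_FAIL;
        break;
    }
exit:
    return rc;
}

/* Constructed inputs: a blob with the packet-tag bit clear, and one that
 * looks like an old-format OpenPGP signature packet (0x89 = tag 2). */
static const unsigned char MALFORMED_SIG[]  = { 0x00, 0x00, 0x00 };
static const unsigned char WELLFORMED_SIG[] = { 0x89, 0x01, 0x00 };
const struct sigtd MALFORMED_RSA  = { SIGTAG_RSA, MALFORMED_SIG,  sizeof MALFORMED_SIG };
const struct sigtd WELLFORMED_RSA = { SIGTAG_RSA, WELLFORMED_SIG, sizeof WELLFORMED_SIG };
const struct sigtd UNKNOWN_TAG    = { 99,         WELLFORMED_SIG, sizeof WELLFORMED_SIG };

int main(void)
{
    printf("before, malformed RSA sig: rc=%d (0 == RC_OK is the bug)\n", verify_before(&MALFORMED_RSA));
    printf("after,  malformed RSA sig: rc=%d (2 == RC_FAIL)\n",           verify_after(&MALFORMED_RSA));
    printf("after,  well-formed sig:   rc=%d (0 == RC_OK)\n",             verify_after(&WELLFORMED_RSA));
    return 0;
}
```

Running verify_before() on the malformed blob returns RC_OK, which is exactly the "all is well" result the commit message describes; verify_after() returns RC_FAIL for the same input and RC_OK only when parsing and the digest check both succeed.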