On Tue, Jun 29, 2021 at 09:02:43PM +0200, Sebastian Ramacher wrote: > Control: tags -1 moreinfo > > On 2021-06-29 20:15:33 +0300, Peter Pentchev wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian....@packages.debian.org > > Usertags: unblock > > X-Debbugs-Cc: team+pkg-...@tracker.debian.org > > > > Please unblock package rpm to fix a couple of security problems in > > handling untrusted RPM files. > > > > [ Reason ] > > See #985308 for more information - there are three CVEs filed for > > problems in rpm's parsing of various header fields, one of which > > may even be used to lead to code execution. [snip] > > diff -Nru rpm-4.16.1.2+dfsg1/debian/librpm9.symbols > > rpm-4.16.1.2+dfsg1/debian/librpm9.symbols > > --- rpm-4.16.1.2+dfsg1/debian/librpm9.symbols 2021-01-02 > > 12:04:09.000000000 +0200 > > +++ rpm-4.16.1.2+dfsg1/debian/librpm9.symbols 2021-06-29 > > 12:23:21.000000000 +0300 > > @@ -473,3 +473,4 @@ > > rpmvsVerify@Base 4.16 > > showQueryPackage@Base 4.14.0+dfsg1 > > showVerifyPackage@Base 4.14.0+dfsg1 > > + xlateTags@Base 4.16.1.2+dfsg1 [snip] > > diff -Nru > > rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch > > rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch > > --- rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch > > 1970-01-01 02:00:00.000000000 +0200 > > +++ rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch > > 2021-06-29 17:06:43.000000000 +0300 
> > @@ -0,0 +1,180 @@ > > +Description: Be much more careful about copying data from the signature > > header [snip] > > +Origin: upstream; > > https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21 > > +Author: Panu Matilainen <pmati...@redhat.com> > > +Bug-Debian: https://bugs.debian.org/985308 > > +Last-Update: 2021-06-29 > > + > > +--- a/lib/package.c > > ++++ b/lib/package.c > > +@@ -31,82 +31,78 @@ > > + rpmRC rc; > > + }; > > + > > ++struct taglate_s { > > ++ rpmTagVal stag; > > ++ rpmTagVal xtag; > > ++ rpm_count_t count; > > ++ int quirk; > > ++} const xlateTags[] = { > > ++ { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1, 0 }, > > ++ { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0, 0 }, > > ++ { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16, 0 }, > > ++ { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0, 0 }, > > ++ /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0, 0 }, */ /* long obsolete, > > dont use */ > > ++ { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1, 1 }, > > ++ { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0, 1 }, > > ++ { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1, 1 }, > > ++ { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1, 0 }, > > ++ { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1, 0 }, > > ++ { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0, 0 }, > > ++ { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0, 0 }, > > ++ { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1, 0 }, > > ++ { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1, 0 }, > > ++ { 0 } > > ++}; > > Is this constant really supposed to be part of the public ABI? This > looks like it could use a static modifier.
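Review bot: `+ xlateTags@Base 4.16.1.2+dfsg1` in debian/librpm9.symbols commits librpm9 to exporting what is a private lookup table; if the table in lib/package.c is made `static` (the follow-up reply proposes exactly that), this line must be dropped again rather than left in the symbols file, and the `4.16.1.2+dfsg1` version marker should not be reused for a symbol that never ships.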
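Review bot: `xlateTags[]` in lib/package.c is `const` but not `static`, so it becomes an exported symbol of the shared library (the librpm9.symbols hunk indeed has to add `xlateTags@Base`); unless another translation unit needs it, declare it `static const struct taglate_s xlateTags[]` so that a private table does not widen the ABI. Separately, the hunk header says `@@ -31,82 +31,78 @@` but the quoted text stops after the table, so the code that consumes `count` and `quirk` cannot be reviewed here; the patch description should state what a nonzero `count` enforces (e.g. `RPMSIGTAG_MD5` with 16) and what `quirk` permits, since the security effect of the change lives in that consumer, not in the table itself.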
Hm, you are right. At least for the moment, it does not seem that anything
else is using it, so it does not need to be exposed in the public library.
I'll adapt the patch, drop the symbol from the library's symbols file
(yes, I know, it would have been so much better if it had never actually
hit the archive... true), and upload a new version.

Thanks for making me stop and think about this!

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
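As an added example (not rpm's code and not part of either message above), the C block below shows the table-driven shape that the quoted xlateTags[] table exists for: each signature-header tag is copied into the main header only if it appears in the table, only if a nonzero table count matches the count in the untrusted header, and only if the destination tag is not already present. The tag numbers, the toy header representation, the MAX_COUNT bound and the "must not appear in both headers" rule are assumptions of this example; the quoted hunk stops after the table, so the checks rpm itself performs in lib/package.c are not visible on this page, and the table's `quirk` column is deliberately left out here.

```c
/* Added example, not rpm's code: table-driven copying of signature-header
 * entries into the main header, in the style of the xlateTags[] table.
 * Tag values, header model and limits below are assumed for the demo. */
#include <stddef.h>
#include <stdint.h>

/* Assumed tag numbers for the demo (not rpm's real constants). */
enum {
    SIGTAG_SIZE = 1000, SIGTAG_MD5 = 1004, SIGTAG_GPG = 1005,
    TAG_SIGSIZE = 257,  TAG_SIGMD5 = 261,  TAG_SIGGPG = 262
};

/* One header entry: tag, element count, payload bytes (toy model). */
struct entry {
    uint32_t tag;
    uint32_t count;
    const unsigned char *data;
};

#define MAX_ENTRIES 16
struct header {
    struct entry e[MAX_ENTRIES];
    size_t n;
};

/* Source tag, destination tag, required count (0 = any count). */
struct taglate {
    uint32_t stag;
    uint32_t xtag;
    uint32_t count;
};

static const struct taglate xlate[] = {
    { SIGTAG_SIZE, TAG_SIGSIZE, 1 },
    { SIGTAG_MD5,  TAG_SIGMD5, 16 },
    { SIGTAG_GPG,  TAG_SIGGPG,  0 },
    { 0, 0, 0 }
};

/* Assumed sanity bound on the element count of any copied entry. */
#define MAX_COUNT (16u * 1024u * 1024u)

static const struct entry *header_find(const struct header *h, uint32_t tag)
{
    for (size_t i = 0; i < h->n; i++)
        if (h->e[i].tag == tag)
            return &h->e[i];
    return NULL;
}

static int header_put(struct header *h, const struct entry *e)
{
    if (h->n >= MAX_ENTRIES)
        return 0;
    h->e[h->n++] = *e;
    return 1;
}

/* Copy whitelisted entries from the untrusted signature header sigh into h.
 * Returns 1 on success, 0 if any entry fails validation; a caller should
 * then reject the package instead of continuing with a partial header. */
int merge_sig_entries(const struct header *sigh, struct header *h)
{
    for (const struct taglate *xl = xlate; xl->stag != 0; xl++) {
        const struct entry *src = header_find(sigh, xl->stag);
        if (src == NULL)
            continue;                        /* optional entry absent */
        if (header_find(h, xl->xtag) != NULL)
            return 0;                        /* must not exist in both */
        if (src->count < 1 || src->count > MAX_COUNT)
            return 0;                        /* implausible size */
        if (xl->count != 0 && src->count != xl->count)
            return 0;                        /* e.g. MD5 must be 16 bytes */
        struct entry dst = { xl->xtag, src->count, src->data };
        if (!header_put(h, &dst))
            return 0;
    }
    return 1;
}

/* Constructed test data for the demo. */
static const unsigned char md5_16[16] = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char size_val[4] = { 0, 0, 0x10, 0 };

/* Well-formed signature header: size (1), md5 (16), gpg (any count). */
int demo_good(void)
{
    struct header sigh = { { { SIGTAG_SIZE, 1, size_val },
                             { SIGTAG_MD5, 16, md5_16 },
                             { SIGTAG_GPG, 3, md5_16 } }, 3 };
    struct header h = { 0 };
    if (!merge_sig_entries(&sigh, &h))
        return -1;
    return (int)h.n;                         /* 3 entries copied */
}

/* Crafted: the MD5 entry claims only 4 bytes, so it must be rejected. */
int demo_short_md5(void)
{
    struct header sigh = { { { SIGTAG_MD5, 4, md5_16 } }, 1 };
    struct header h = { 0 };
    return merge_sig_entries(&sigh, &h);     /* 0: rejected */
}

/* Crafted: the same tag already sits in the main header. */
int demo_duplicate(void)
{
    struct header sigh = { { { SIGTAG_SIZE, 1, size_val } }, 1 };
    struct header h = { { { TAG_SIGSIZE, 1, size_val } }, 1 };
    return merge_sig_entries(&sigh, &h);     /* 0: rejected */
}
```

The point of the fixed-count column is that a downstream consumer which later reads `TAG_SIGMD5` as sixteen bytes can trust that length without re-checking it; rejecting the whole package on the first mismatch, rather than skipping the bad entry, keeps the main header from ending up half-merged. Note that `xlate` is `static`, which is the change the thread settles on for the real table.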