Control: tags 773101 + patch
Control: tags 773101 + pending

Hi,
I've prepared an NMU for rpm (versioned as 4.11.3-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should cancel it or delay it longer.

-- 
Matt
diff -Nru rpm-4.11.3/debian/changelog rpm-4.11.3/debian/changelog --- rpm-4.11.3/debian/changelog 2014-09-22 02:17:30.000000000 -0700 +++ rpm-4.11.3/debian/changelog 2014-12-14 18:14:54.000000000 -0800 @@ -1,3 +1,10 @@ +rpm (4.11.3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2013-6435 and CVE-2014-8118 (Closes: #773101). + + -- Matt Kraai <kr...@debian.org> Sun, 14 Dec 2014 18:14:54 -0800 + rpm (4.11.3-1) unstable; urgency=medium * New upstream release. diff -Nru rpm-4.11.3/debian/patches/CVE-2013-6435.patch rpm-4.11.3/debian/patches/CVE-2013-6435.patch --- rpm-4.11.3/debian/patches/CVE-2013-6435.patch 1969-12-31 16:00:00.000000000 -0800 +++ rpm-4.11.3/debian/patches/CVE-2013-6435.patch 2014-12-14 18:10:27.000000000 -0800 
@@ -0,0 +1,31 @@ +Description: Create the file with mode 0 + It was found that RPM wrote file contents to the target installation + directory under a temporary name, and verified its cryptographic + signature only after the temporary file has been written + completely. Under certain conditions, the system interprets the + unverified temporary file contents and extracts commands from + it. This could allow an attacker to modify signed RPM files in such a + way that they would execute code chosen by the attacker during + package installation. +Origin: https://bugzilla.redhat.com/attachment.cgi?id=956268&action=diff +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435 +Last-Update: 2014-12-14 + +Index: rpm-4.11.3/lib/fsm.c +=================================================================== +--- rpm-4.11.3.orig/lib/fsm.c 2014-12-14 18:01:29.484568052 -0800 ++++ rpm-4.11.3/lib/fsm.c 2014-12-14 18:02:05.550228685 -0800 +@@ -731,7 +731,12 @@ + pgpHashAlgo digestalgo = 0; + int rc = 0; + +- wfd = Fopen(fsm->path, "w.ufdio"); ++ /* Create the file with 000 permissions. */ ++ { ++ mode_t old_umask = umask(0777); ++ wfd = Fopen(fsm->path, "w.ufdio"); ++ umask(old_umask); ++ } + if (Ferror(wfd)) { + rc = CPIOERR_OPEN_FAILED; + goto exit; diff -Nru rpm-4.11.3/debian/patches/CVE-2014-8118.patch rpm-4.11.3/debian/patches/CVE-2014-8118.patch --- rpm-4.11.3/debian/patches/CVE-2014-8118.patch 1969-12-31 16:00:00.000000000 -0800 +++ rpm-4.11.3/debian/patches/CVE-2014-8118.patch 2014-12-14 18:08:28.000000000 -0800 
@@ -0,0 +1,24 @@ +Description: Limit the length of the file name to a reasonable value + It was found that RPM could encounter an integer overflow, leading to + a stack-based overflow, while parsing a crafted CPIO header in the + payload section of an RPM file. This could allow an attacker to + modify signed RPM files in such a way that they would execute code + chosen by the attacker during package installation. +Origin: backport, https://bugzilla.redhat.com/attachment.cgi?id=962159&action=diff +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8118 +Last-Update: 2014-12-14 + +Index: rpm-4.11.3/lib/cpio.c +=================================================================== +--- rpm-4.11.3.orig/lib/cpio.c 2013-11-22 02:31:31.000000000 -0800 ++++ rpm-4.11.3/lib/cpio.c 2014-12-14 17:44:58.572662964 -0800 +@@ -296,6 +296,9 @@ + st->st_rdev = makedev(major, minor); + + GET_NUM_FIELD(hdr.namesize, nameSize); ++ if (nameSize <= 0 || nameSize > 4096) { ++ return CPIOERR_BAD_HEADER; ++ } + + *path = xmalloc(nameSize + 1); + read = Fread(*path, nameSize, 1, cpio->fd); diff -Nru rpm-4.11.3/debian/patches/series rpm-4.11.3/debian/patches/series --- rpm-4.11.3/debian/patches/series 2014-09-22 02:17:30.000000000 -0700 +++ rpm-4.11.3/debian/patches/series 2014-12-14 17:18:57.000000000 -0800 @@ -13,3 +13,5 @@ rpm-4.10.90-rpmlib-filesystem-check.patch fix-python-multiarch-include.patch rpm-4.11.2-double-separator-warning.patch +CVE-2014-8118.patch +CVE-2013-6435.patch
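Review bot: in the lib/fsm.c hunk of CVE-2013-6435.patch the umask(0777)/umask(old_umask) bracket around Fopen only keeps the not-yet-verified temporary file unreadable and non-executable; the hunk does not show where the file's real mode is applied after the digest check, so please confirm that the later chmod on fsm->path still runs on the success path and that the mode-0 file is unlinked when `rc = CPIOERR_OPEN_FAILED` or the digest check fails. Two smaller points: umask() is process-wide, which is fine for rpm's single-threaded FSM but worth stating in the block comment (currently just "Create the file with 000 permissions."); and the Description's "verified its cryptographic signature" is loose, since the surrounding context (`pgpHashAlgo digestalgo = 0;`) is per-file digest verification, so "verified its file digest" would be more accurate. Also, the DEP-3 Origin line here is a bare URL, whereas the second patch uses `Origin: backport, <url>`; add the keyword for consistency.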
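Review bot: the new bound in lib/cpio.c, `if (nameSize <= 0 || nameSize > 4096)`, only rejects negative values if nameSize is a signed type; with an unsigned variable the `<= 0` half degrades to `== 0` and the upper bound still catches the wrap, so it is safe either way, but please confirm the declaration that GET_NUM_FIELD writes into. The 4096 is a magic number; name it (it matches Linux PATH_MAX) and add a one-line comment that the cap is what keeps the following `xmalloc(nameSize + 1)` from wrapping, since that is the integer overflow the Description refers to. Finally, the trailing context `read = Fread(*path, nameSize, 1, cpio->fd);` is the last visible line; make sure the short-read handling that follows it (not shown in the hunk) still NUL-terminates or frees *path on failure now that nameSize is bounded.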