
Bug#697483: tpu: rpm/4.10.0-5+deb7u1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock


Hi Release Team

rpm in testing (4.10.0-5) is also affected by CVE-2012-6088: Signature
checking function returned success on (possibly malicious) rpm
packages. See #697375.

After confirmation from Michal[1] I uploaded the fix for unstable (with
4.10.1-2.1) and now would like to ask for an unblock for an upload to
t-p-u. I'm attaching the debdiff to this report.

 [1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697375#27

unblock rpm/4.10.0-5+deb7u1

Thanks for your release work, and

Regards,
Salvatore

diff -Nru rpm-4.10.0/debian/changelog rpm-4.10.0/debian/changelog
--- rpm-4.10.0/debian/changelog	2012-08-15 09:05:37.000000000 +0200
+++ rpm-4.10.0/debian/changelog	2013-01-06 00:31:43.000000000 +0100
@@ -1,3 +1,13 @@
+rpm (4.10.0-5+deb7u1) testing-proposed-updates; urgency=low
+
+  * Non-maintainer upload.
+  * Add 0001-Ensure-correct-return-code-on-malformed-signature-in.patch
+    [SECURITY] CVE-2012-6088: Ensure correct return code on malformed
+    signature in packages. Patch cherry-picked from upstream git repository.
+    (Closes: #697375)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 05 Jan 2013 13:11:49 +0100
+
 rpm (4.10.0-5) unstable; urgency=low
 
   * Added patch from Fedora to support X-CheckUnifiedSystemdir 
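Review bot: the changelog entry says the patch was cherry-picked from upstream but does not name the commit, which appears only in the patch file's "cherry picked from" line; recording the upstream commit id (96a616c6aed4c516789a154af188f005caf23f14) next to the CVE-2012-6088 reference here would let the security tracker and later readers match this t-p-u upload to the unstable fix (4.10.1-2.1) without opening the patch.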
diff -Nru rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
--- rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch	1970-01-01 01:00:00.000000000 +0100
+++ rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch	2013-01-06 00:31:43.000000000 +0100
@@ -0,0 +1,50 @@
+From 3d74c43e7424bc8bf95f5e031446ecb6b08381e8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Fri, 7 Dec 2012 13:54:23 +0200
+Subject: [PATCH] Ensure correct return code on malformed signature in
+ packages
+
+- rpmpkgRead() starts with assumed failure, but there are a number
+  of places assigning the return code, and by the time we get
+  to the parsePGPSig() calls its likely to be RPMRC_OK, so the
+  jumps to exit result in "all is well" return code on a signature
+  we couldn't even parse. Oops.
+- Set the failure status explicitly to fix this fairly nasty regression
+  introduced in commit e8bc3ff5d780f4ee6656c24464402723e5fb04f4, ie
+  rpm >= 4.10.
+(cherry picked from commit 96a616c6aed4c516789a154af188f005caf23f14)
+---
+ lib/package.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/package.c b/lib/package.c
+index 4eeddbf..907cf73 100644
+--- a/lib/package.c
++++ b/lib/package.c
+@@ -600,8 +600,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags,
+     switch (sigtag) {
+     case RPMSIGTAG_RSA:
+     case RPMSIGTAG_DSA:
+-	if (parsePGPSig(&sigtd, "package", fn, &sig))
++	if (parsePGPSig(&sigtd, "package", fn, &sig)) {
++	    rc = RPMRC_FAIL;
+ 	    goto exit;
++	}
+ 	/* fallthrough */
+     case RPMSIGTAG_SHA1:
+     {	struct rpmtd_s utd;
+@@ -619,8 +621,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags,
+     case RPMSIGTAG_GPG:
+     case RPMSIGTAG_PGP5:	/* XXX legacy */
+     case RPMSIGTAG_PGP:
+-	if (parsePGPSig(&sigtd, "package", fn, &sig))
++	if (parsePGPSig(&sigtd, "package", fn, &sig)) {
++	    rc = RPMRC_FAIL;
+ 	    goto exit;
++	}
+ 	/* fallthrough */
+     case RPMSIGTAG_MD5:
+ 	/* Legacy signatures need the compressed payload in the digest too. */
+-- 
+1.7.10.4
+
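Review bot: both lib/package.c hunks set `rc = RPMRC_FAIL;` immediately before the `goto exit;` in the parsePGPSig() failure branches, which is the minimal correct repair for the stale-status bug the upstream message describes (rc starts as failure but is overwritten with RPMRC_OK by earlier assignments). Because that message itself says the return code is assigned in a number of places, it is worth confirming that no other `goto exit` between those assignments and the exit label still relies on the initial failure value. On metadata, the git From:/Subject: headers serve as DEP-3 origin information, but a `Bug-Debian:` line for #697375 would tie the patch to the Debian bug directly.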
diff -Nru rpm-4.10.0/debian/patches/series rpm-4.10.0/debian/patches/series
--- rpm-4.10.0/debian/patches/series	2012-08-15 09:05:37.000000000 +0200
+++ rpm-4.10.0/debian/patches/series	2013-01-06 00:31:43.000000000 +0100
@@ -10,3 +10,4 @@
 autogen-cleanup.patch
 lua-libname.patch
 rpm-4.9.1.2-rpmlib-filesystem-check.patch
+0001-Ensure-correct-return-code-on-malformed-signature-in.patch
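The regression this report fixes, reduced to a small C model as an added example (not rpm's own code): a reader whose status variable starts as failure, is overwritten with success by an earlier step, and then leaves via `goto exit` when the signature cannot be parsed. The type and function names, the two-value enum and the 0x88 marker byte are constructed simplifications, not rpm's API.

```c
#include <stddef.h>

/* Simplified stand-in for rpm's rpmRC; only the two values the bug involves. */
typedef enum { RPMRC_OK = 0, RPMRC_FAIL = 2 } rpmRC;

/* Constructed signature blob: a leading marker byte followed by payload. */
struct sig_blob { const unsigned char *data; size_t len; };

/* Stand-in for parsePGPSig(): nonzero means the blob could not be parsed.
 * Assumption for this example: a well-formed blob starts with 0x88. */
static int parse_pgp_sig(const struct sig_blob *b) {
    return (b->len < 2 || b->data[0] != 0x88) ? 1 : 0;
}

/* Stand-in for the lead/header reads that precede signature parsing and,
 * as in rpm >= 4.10, overwrite the initial failure status with RPMRC_OK. */
static rpmRC read_header(rpmRC *rc) { *rc = RPMRC_OK; return *rc; }

/* Buggy flow: rc is still RPMRC_OK when a parse failure jumps to exit,
 * so an unparseable signature is reported as "all is well". */
rpmRC pkg_read_buggy(const struct sig_blob *sig) {
    rpmRC rc = RPMRC_FAIL;
    if (read_header(&rc) != RPMRC_OK) goto exit;
    if (parse_pgp_sig(sig))
        goto exit;            /* rc was never set back to failure */
exit:
    return rc;
}

/* Fixed flow (what the cherry-picked patch does): set the failure status
 * explicitly before leaving. */
rpmRC pkg_read_fixed(const struct sig_blob *sig) {
    rpmRC rc = RPMRC_FAIL;
    if (read_header(&rc) != RPMRC_OK) goto exit;
    if (parse_pgp_sig(sig)) {
        rc = RPMRC_FAIL;
        goto exit;
    }
exit:
    return rc;
}

/* Constructed inputs: one malformed blob (wrong marker), one well-formed. */
static const unsigned char kMalformed[]  = { 0x00, 0x01 };
static const unsigned char kWellFormed[] = { 0x88, 0x01 };

rpmRC buggy_on_malformed(void) {
    struct sig_blob b = { kMalformed, sizeof kMalformed }; return pkg_read_buggy(&b); }
rpmRC fixed_on_malformed(void) {
    struct sig_blob b = { kMalformed, sizeof kMalformed }; return pkg_read_fixed(&b); }
rpmRC fixed_on_wellformed(void) {
    struct sig_blob b = { kWellFormed, sizeof kWellFormed }; return pkg_read_fixed(&b); }
```

The buggy reader returns RPMRC_OK for the malformed blob while the fixed one returns RPMRC_FAIL, which is exactly the difference the two lib/package.c hunks make.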
