
Bug#697483: marked as done (tpu: rpm/4.10.0-5+deb7u1)



Your message dated Sun, 6 Jan 2013 16:16:48 +0100
with message-id <20130106151648.GJ5676@radis.cristau.org>
and subject line Re: Bug#697483: tpu: rpm/4.10.0-5+deb7u1
has caused the Debian Bug report #697483,
regarding tpu: rpm/4.10.0-5+deb7u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
697483: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697483
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Release Team

rpm in testing (4.10.0-5) is also affected by CVE-2012-6088: Signature
checking function returned success on (possibly malicious) rpm
packages. See #697375.

After confirmation by Michal[1] I uploaded the fix for unstable (with
4.10.1-2.1) and now would like to ask for an unblock for an upload to
t-p-u. I'm attaching the debdiff to this report.

 [1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697375#27

unblock rpm/4.10.0-5+deb7u1

Thanks for your release work, and

Regards,
Salvatore

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
diff -Nru rpm-4.10.0/debian/changelog rpm-4.10.0/debian/changelog
--- rpm-4.10.0/debian/changelog	2012-08-15 09:05:37.000000000 +0200
+++ rpm-4.10.0/debian/changelog	2013-01-06 00:31:43.000000000 +0100
@@ -1,3 +1,13 @@
+rpm (4.10.0-5+deb7u1) testing-proposed-updates; urgency=low
+
+  * Non-maintainer upload.
+  * Add 0001-Ensure-correct-return-code-on-malformed-signature-in.patch
+    [SECURITY] CVE-2012-6088: Ensure correct return code on malformed
+    signature in packages. Patch cherry-picked from upstream git repository.
+    (Closes: #697375)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 05 Jan 2013 13:11:49 +0100
+
 rpm (4.10.0-5) unstable; urgency=low
 
   * Added patch from Fedora to support X-CheckUnifiedSystemdir 
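Review bot: the changelog entry says the patch was cherry-picked from the upstream git repository but does not say which commit; recording the upstream id from the patch's own "cherry picked from" line, e.g. `Patch cherry-picked from upstream commit 96a616c6aed4c516789a154af188f005caf23f14.`, makes the fix traceable from the changelog alone. The `[SECURITY] CVE-2012-6088` marker and the `Closes: #697375` line are what a t-p-u security NMU should carry.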
diff -Nru rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
--- rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch	1970-01-01 01:00:00.000000000 +0100
+++ rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch	2013-01-06 00:31:43.000000000 +0100
@@ -0,0 +1,50 @@
+From 3d74c43e7424bc8bf95f5e031446ecb6b08381e8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Fri, 7 Dec 2012 13:54:23 +0200
+Subject: [PATCH] Ensure correct return code on malformed signature in
+ packages
+
+- rpmpkgRead() starts with assumed failure, but there are a number
+  of places assigning the return code, and by the time we get
+  to the parsePGPSig() calls its likely to be RPMRC_OK, so the
+  jumps to exit result in "all is well" return code on a signature
+  we couldn't even parse. Oops.
+- Set the failure status explicitly to fix this fairly nasty regression
+  introduced in commit e8bc3ff5d780f4ee6656c24464402723e5fb04f4, ie
+  rpm >= 4.10.
+(cherry picked from commit 96a616c6aed4c516789a154af188f005caf23f14)
+---
+ lib/package.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/package.c b/lib/package.c
+index 4eeddbf..907cf73 100644
+--- a/lib/package.c
++++ b/lib/package.c
+@@ -600,8 +600,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags,
+     switch (sigtag) {
+     case RPMSIGTAG_RSA:
+     case RPMSIGTAG_DSA:
+-	if (parsePGPSig(&sigtd, "package", fn, &sig))
++	if (parsePGPSig(&sigtd, "package", fn, &sig)) {
++	    rc = RPMRC_FAIL;
+ 	    goto exit;
++	}
+ 	/* fallthrough */
+     case RPMSIGTAG_SHA1:
+     {	struct rpmtd_s utd;
+@@ -619,8 +621,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags,
+     case RPMSIGTAG_GPG:
+     case RPMSIGTAG_PGP5:	/* XXX legacy */
+     case RPMSIGTAG_PGP:
+-	if (parsePGPSig(&sigtd, "package", fn, &sig))
++	if (parsePGPSig(&sigtd, "package", fn, &sig)) {
++	    rc = RPMRC_FAIL;
+ 	    goto exit;
++	}
+ 	/* fallthrough */
+     case RPMSIGTAG_MD5:
+ 	/* Legacy signatures need the compressed payload in the digest too. */
+-- 
+1.7.10.4
+
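Review bot: both changed sites now set `rc = RPMRC_FAIL` before `goto exit` when parsePGPSig() fails, which is the correct minimal fix: as the commit message explains, `rc` has usually been reassigned to RPMRC_OK by the time the `switch (sigtag)` runs, so the bare `goto exit` returned success for a signature that could not even be parsed. The diff only touches the RSA/DSA and GPG/PGP5/PGP cases; since the message says there are "a number of places assigning the return code", it is worth confirming that no other `goto exit` in rpmpkgRead() after those reassignments has the same shape. The added braces keep the `/* fallthrough */` into the SHA1 and MD5 cases intact on the success path, so behaviour for valid signatures is unchanged.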
diff -Nru rpm-4.10.0/debian/patches/series rpm-4.10.0/debian/patches/series
--- rpm-4.10.0/debian/patches/series	2012-08-15 09:05:37.000000000 +0200
+++ rpm-4.10.0/debian/patches/series	2013-01-06 00:31:43.000000000 +0100
@@ -10,3 +10,4 @@
 autogen-cleanup.patch
 lua-libname.patch
 rpm-4.9.1.2-rpmlib-filesystem-check.patch
+0001-Ensure-correct-return-code-on-malformed-signature-in.patch

--- End Message ---
--- Begin Message ---
On Sun, Jan  6, 2013 at 15:26:02 +0100, Salvatore Bonaccorso wrote:

> Thanks a lot for quick confirmation. Just uploaded for t-p-u.
> 
Approved.

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature


--- End Message ---
