Your message dated Sun, 6 Jan 2013 16:16:48 +0100
with message-id <20130106151648.GJ5676@radis.cristau.org>
and subject line Re: Bug#697483: tpu: rpm/4.10.0-5+deb7u1
has caused the Debian Bug report #697483,
regarding tpu: rpm/4.10.0-5+deb7u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
697483: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697483
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: tpu: rpm/4.10.0-5+deb7u1
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 06 Jan 2013 00:54:24 +0100
- Message-id: <20130105235424.7928.93084.reportbug@elende.valinor.li>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Release Team

rpm in testing (4.10.0-5) is also affected by CVE-2012-6088: Signature
checking function returned success on (possibly malicious) rpm packages.
See #697375. After confirmation from Michal[1] I uploaded the fix for
unstable (with 4.10.1-2.1) and now would like to ask for an unblock for
an upload to t-p-u.

I'm attaching the debdiff to this report.

[1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697375#27

unblock rpm/4.10.0-5+deb7u1

Thanks for your release work, and Regards,
Salvatore
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJQ6L0qAAoJEHidbwV/2GP+Pw4P/3lMqjcktDLd0ir038QNWf1I
QNQhwcEuO/dGH3pWKRRjHEjdcDTQBkDC8zCthtRuk3CcjUFYBh6BosLo45LELdIf
0Av6Kj0yiGwHcUmWrqDnO59cqTpugoGk0KN/IHH7UZD+ggRKgRblm/OtSymA7uxq
5zcVGOWfnzoXHeH8U5bTTVwPBP3qj4kZwHr53/UlQdNARKh6vVFAmvlvcEmMNrIM
3ySEphYQ69aQOmftYyVlciMBlqcL21I1EQm78bH97jXnIwX3ZAuNAMmRVtbuL6Bv
hc/K7JkfVbUl4cB/fsiGJWrabiVppvWhAw5Ho2mCqn+d11e7SZVTr9fpYmgiTWOn
6KTE3ruvlAKvVclFDplKg7sD+UvHbskxAB6i7h21vhQ4uUqPu6bfjGw7hEC+bwLO
ZyB4btVz22LcPGlgAzzYatkgA6jBalp+y/ykz2n2NG6OwOUCxwZI+68IBC4Zr/6J
p15G9o0YyP92j7ro9D8SJwFVj8jNlOJkCvWEV1pZ16KCBxhFvz8jTQu2FkHh/LI6
F2WfOcAKeVMUTyWau5CXCQgr1M6e7dmQXWDfwmnwW8FusZW+3SDMU9oglT7bYHx9
LKEdjmFVrw1uiLY8rIvTLtKjJznHH86sn1jKyx29V5wImkomAsNi2SB+pE2S2Y6K
as2theFUFQdhqD7HYpeF
=D64D
-----END PGP SIGNATURE-----

diff -Nru rpm-4.10.0/debian/changelog rpm-4.10.0/debian/changelog
--- rpm-4.10.0/debian/changelog 2012-08-15 09:05:37.000000000 +0200
+++ rpm-4.10.0/debian/changelog 2013-01-06 00:31:43.000000000 +0100
@@ -1,3 +1,13 @@ +rpm (4.10.0-5+deb7u1) testing-proposed-updates; urgency=low + + * Non-maintainer upload. + * Add 0001-Ensure-correct-return-code-on-malformed-signature-in.patch + [SECURITY] CVE-2012-6088: Ensure correct return code on malformed + signature in packages. Patch cherry-picked from upstream git repository. + (Closes: #697375) + + -- Salvatore Bonaccorso <carnil@debian.org> Sat, 05 Jan 2013 13:11:49 +0100 + rpm (4.10.0-5) unstable; urgency=low * Added patch from Fedora to support X-CheckUnifiedSystemdir diff -Nru rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch --- rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch 1970-01-01 01:00:00.000000000 +0100 +++ rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch 2013-01-06 00:31:43.000000000 +0100 
@@ -0,0 +1,50 @@ +From 3d74c43e7424bc8bf95f5e031446ecb6b08381e8 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen <pmatilai@redhat.com> +Date: Fri, 7 Dec 2012 13:54:23 +0200 +Subject: [PATCH] Ensure correct return code on malformed signature in + packages + +- rpmpkgRead() starts with assumed failure, but there are a number + of places assigning the return code, and by the time we get + to the parsePGPSig() calls its likely to be RPMRC_OK, so the + jumps to exit result in "all is well" return code on a signature + we couldn't even parse. Oops. +- Set the failure status explicitly to fix this fairly nasty regression + introduced in commit e8bc3ff5d780f4ee6656c24464402723e5fb04f4, ie + rpm >= 4.10. +(cherry picked from commit 96a616c6aed4c516789a154af188f005caf23f14) +--- + lib/package.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/package.c b/lib/package.c +index 4eeddbf..907cf73 100644 +--- a/lib/package.c ++++ b/lib/package.c +@@ -600,8 +600,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags, + switch (sigtag) { + case RPMSIGTAG_RSA: + case RPMSIGTAG_DSA: +- if (parsePGPSig(&sigtd, "package", fn, &sig)) ++ if (parsePGPSig(&sigtd, "package", fn, &sig)) { ++ rc = RPMRC_FAIL; + goto exit; ++ } + /* fallthrough */ + case RPMSIGTAG_SHA1: + { struct rpmtd_s utd; +@@ -619,8 +621,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags, + case RPMSIGTAG_GPG: + case RPMSIGTAG_PGP5: /* XXX legacy */ + case RPMSIGTAG_PGP: +- if (parsePGPSig(&sigtd, "package", fn, &sig)) ++ if (parsePGPSig(&sigtd, "package", fn, &sig)) { ++ rc = RPMRC_FAIL; + goto exit; ++ } + /* fallthrough */ + case RPMSIGTAG_MD5: + /* Legacy signatures need the compressed payload in the digest too. */ +-- +1.7.10.4 + diff -Nru rpm-4.10.0/debian/patches/series rpm-4.10.0/debian/patches/series --- rpm-4.10.0/debian/patches/series 2012-08-15 09:05:37.000000000 +0200 +++ rpm-4.10.0/debian/patches/series 2013-01-06 00:31:43.000000000 +0100 
@@ -10,3 +10,4 @@ autogen-cleanup.patch lua-libname.patch rpm-4.9.1.2-rpmlib-filesystem-check.patch +0001-Ensure-correct-return-code-on-malformed-signature-in.patch
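Review bot: The changelog hunk (debian/changelog, the 4.10.0-5+deb7u1 entry) does not name the upstream commit that was cherry-picked, although the patch file carries both ids (3d74c43e7424bc8bf95f5e031446ecb6b08381e8 and "cherry picked from commit 96a616c6aed4c516789a154af188f005caf23f14"); quoting one of them after "Patch cherry-picked from upstream git repository" makes the fix traceable from the changelog alone, which is what a stable-update reviewer reads first.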
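Review bot: The new debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch keeps only the git format-patch header; since this is a cherry-pick for a CVE, adding DEP-3 fields at the top, e.g. "Origin: upstream, commit:96a616c6aed4c516789a154af188f005caf23f14" and "Bug-Debian: http://bugs.debian.org/697375", records provenance and the bug it closes in the patch itself rather than only in the changelog. The "(cherry picked from commit ...)" line already in the body stays as-is.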
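Review bot: The two lib/package.c hunks are the minimal correct fix, but they only cover the two parsePGPSig() call sites, and the commit message itself says rc is reassigned in "a number of places" before that point, so any other bare "goto exit" inside the same switch that does not set rc would return the same stale RPMRC_OK; the context lines stop short of the RPMSIGTAG_SHA1 and RPMSIGTAG_MD5 bodies, so please confirm no such path remains before this goes to testing-proposed-updates. The "rc = RPMRC_FAIL;" before each jump is right for a stable cherry-pick; a structurally safer shape for upstream would be to keep rc at RPMRC_FAIL, hold intermediate results in a separate local, and assign RPMRC_OK only at the single success point, so no future early exit can inherit a success code.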
--- End Message ---
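As an added illustration of the bug the commit message above describes (example code written for this page, not rpm's lib/package.c): a reduced model of rpmpkgRead()'s return-code handling, in which rc starts as failure, is overwritten by an earlier step, and is then returned unchanged by the early goto on a signature that cannot be parsed. The package layout, the tag values, read_sig_header() and the toy parse_pgp_sig() are assumptions made for the example; the vulnerable and fixed functions differ only in the one assignment the patch adds.

```c
/* Added illustration for this thread (not rpm source): a reduced model of the
 * control-flow bug behind CVE-2012-6088 in rpm's rpmpkgRead(). The package
 * layout, tag values and parse_pgp_sig() below are assumptions made for the
 * example; only the shape of the bug and of the fix follow the patch above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { RC_OK = 0, RC_NOTFOUND = 1, RC_FAIL = 2 } rc_t;

/* Toy signature header: one entry = tag byte, length byte, payload. */
enum { TAG_SHA1 = 1, TAG_RSA = 2 };
struct sigtd { int tag; const uint8_t *data; size_t len; };

/* Toy stand-in for parsePGPSig(): a well-formed OpenPGP packet starts with a
 * tag byte whose high bit is set and carries at least one more byte.
 * Returns 0 on success, nonzero when the packet is malformed. */
static int parse_pgp_sig(const struct sigtd *td)
{
    return (td->len < 2 || (td->data[0] & 0x80) == 0) ? 1 : 0;
}

/* Stand-in for the steps of rpmpkgRead() that run before the signature is
 * examined and assign the shared return code along the way. */
static rc_t read_sig_header(const uint8_t *pkg, size_t n, struct sigtd *td)
{
    if (n < 2) return RC_NOTFOUND;
    td->tag = pkg[0];
    td->len = pkg[1];
    if (td->len + 2 > n) return RC_FAIL;    /* declared length overruns buffer */
    td->data = pkg + 2;
    return RC_OK;
}

/* Vulnerable shape (rpm 4.10 before the fix). rc "starts with assumed
 * failure", but read_sig_header() has already overwritten it with RC_OK by
 * the time the malformed signature is detected, so the bare 'goto exit'
 * returns success for a signature that could not even be parsed. */
rc_t pkg_read_vulnerable(const uint8_t *pkg, size_t n)
{
    rc_t rc = RC_FAIL;
    struct sigtd td = { 0, NULL, 0 };

    if ((rc = read_sig_header(pkg, n, &td)) != RC_OK)
        goto exit;
    switch (td.tag) {
    case TAG_RSA:
        if (parse_pgp_sig(&td))
            goto exit;                  /* BUG: rc is still RC_OK here */
        /* fallthrough */
    case TAG_SHA1:
        rc = RC_OK;                     /* stand-in for a successful check */
        break;
    default:
        rc = RC_FAIL;
    }
exit:
    return rc;
}

/* Fixed shape, mirroring the cherry-picked commit: the failure status is set
 * explicitly on the malformed-signature path before jumping to exit. */
rc_t pkg_read_fixed(const uint8_t *pkg, size_t n)
{
    rc_t rc = RC_FAIL;
    struct sigtd td = { 0, NULL, 0 };

    if ((rc = read_sig_header(pkg, n, &td)) != RC_OK)
        goto exit;
    switch (td.tag) {
    case TAG_RSA:
        if (parse_pgp_sig(&td)) {
            rc = RC_FAIL;               /* the one-line fix from the patch */
            goto exit;
        }
        /* fallthrough */
    case TAG_SHA1:
        rc = RC_OK;
        break;
    default:
        rc = RC_FAIL;
    }
exit:
    return rc;
}

/* Constructed sample "packages" for the toy format (not real rpm files). */
const uint8_t GOOD_PKG[]      = { TAG_RSA, 3, 0x89, 0x01, 0x02 }; /* high bit set */
const uint8_t MALFORMED_PKG[] = { TAG_RSA, 3, 0x09, 0x01, 0x02 }; /* not a PGP packet */
const uint8_t TRUNCATED_PKG[] = { TAG_RSA, 9 };                   /* length overruns */
const size_t GOOD_PKG_LEN      = sizeof GOOD_PKG;
const size_t MALFORMED_PKG_LEN = sizeof MALFORMED_PKG;
const size_t TRUNCATED_PKG_LEN = sizeof TRUNCATED_PKG;

int main(void)
{
    printf("vulnerable, malformed sig: rc=%d  (0 = OK: the bug)\n",
           pkg_read_vulnerable(MALFORMED_PKG, MALFORMED_PKG_LEN));
    printf("fixed,      malformed sig: rc=%d\n",
           pkg_read_fixed(MALFORMED_PKG, MALFORMED_PKG_LEN));
    printf("fixed,      good sig:      rc=%d\n",
           pkg_read_fixed(GOOD_PKG, GOOD_PKG_LEN));
    return 0;
}
```

Compile with cc and run: the vulnerable variant reports rc=0 for the malformed package, the fixed one rc=2, and both accept the well-formed one. Note that the truncated package is rejected by both variants only because read_sig_header() happens to return the failure code itself; the class of bug shown here is any early exit that relies on rc still holding its initial failure value after an intermediate step has reassigned it.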
--- Begin Message ---
- To: Salvatore Bonaccorso <carnil@debian.org>, 697483-done@bugs.debian.org
- Subject: Re: Bug#697483: tpu: rpm/4.10.0-5+deb7u1
- From: Julien Cristau <jcristau@debian.org>
- Date: Sun, 6 Jan 2013 16:16:48 +0100
- Message-id: <20130106151648.GJ5676@radis.cristau.org>
- In-reply-to: <20130106142601.GA11050@elende>
- References: <20130105235424.7928.93084.reportbug@elende.valinor.li> <20130106134854.GH5676@radis.cristau.org> <20130106142601.GA11050@elende>
On Sun, Jan 6, 2013 at 15:26:02 +0100, Salvatore Bonaccorso wrote:

> Thanks a lot for quick confirmation. Just uploaded for t-p-u.
>
Approved.

Cheers,
Julien
--- End Message ---