Bug#773152: unblock: rpm/4.11.3-1.1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package rpm.
773101 reports two security issues in rpm, which 4.11.3-1.1 fixes using patches
extracted from upstream.
The differences between 4.11.3-1 and 4.11.3-1.1 are attached.
unblock rpm/4.11.3-1.1
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru rpm-4.11.3/debian/changelog rpm-4.11.3/debian/changelog
--- rpm-4.11.3/debian/changelog 2014-09-22 02:17:30.000000000 -0700
+++ rpm-4.11.3/debian/changelog 2014-12-14 18:14:54.000000000 -0800
@@ -1,3 +1,10 @@
+rpm (4.11.3-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2013-6435 and CVE-2014-8118 (Closes: #773101).
+
+ -- Matt Kraai <kraai@debian.org> Sun, 14 Dec 2014 18:14:54 -0800
+
rpm (4.11.3-1) unstable; urgency=medium
* New upstream release.
diff -Nru rpm-4.11.3/debian/patches/CVE-2013-6435.patch rpm-4.11.3/debian/patches/CVE-2013-6435.patch
--- rpm-4.11.3/debian/patches/CVE-2013-6435.patch 1969-12-31 16:00:00.000000000 -0800
+++ rpm-4.11.3/debian/patches/CVE-2013-6435.patch 2014-12-14 18:10:27.000000000 -0800
@@ -0,0 +1,31 @@
+Description: Create the file with mode 0
+ It was found that RPM wrote file contents to the target installation
+ directory under a temporary name, and verified its cryptographic
+ signature only after the temporary file has been written
+ completely. Under certain conditions, the system interprets the
+ unverified temporary file contents and extracts commands from
+ it. This could allow an attacker to modify signed RPM files in such a
+ way that they would execute code chosen by the attacker during
+ package installation.
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=956268&action=diff
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
+Last-Update: 2014-12-14
+
+Index: rpm-4.11.3/lib/fsm.c
+===================================================================
+--- rpm-4.11.3.orig/lib/fsm.c 2014-12-14 18:01:29.484568052 -0800
++++ rpm-4.11.3/lib/fsm.c 2014-12-14 18:02:05.550228685 -0800
+@@ -731,7 +731,12 @@
+ pgpHashAlgo digestalgo = 0;
+ int rc = 0;
+
+- wfd = Fopen(fsm->path, "w.ufdio");
++ /* Create the file with 000 permissions. */
++ {
++ mode_t old_umask = umask(0777);
++ wfd = Fopen(fsm->path, "w.ufdio");
++ umask(old_umask);
++ }
+ if (Ferror(wfd)) {
+ rc = CPIOERR_OPEN_FAILED;
+ goto exit;
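Review bot: the umask(0777) / umask(old_umask) bracket around Fopen in the lib/fsm.c hunk changes process-global state, so if rpm is embedded in a multi-threaded host (for example through its language bindings) any file another thread creates during that window also gets mode 000; the hunk is correct for rpm's single-threaded install path, but the patch header should state that assumption. Nothing in this hunk restores the final permissions, so the fix relies on the existing permission-setting step in lib/fsm.c running only after the digest check; that step is outside the visible context and should be confirmed before unblocking.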
diff -Nru rpm-4.11.3/debian/patches/CVE-2014-8118.patch rpm-4.11.3/debian/patches/CVE-2014-8118.patch
--- rpm-4.11.3/debian/patches/CVE-2014-8118.patch 1969-12-31 16:00:00.000000000 -0800
+++ rpm-4.11.3/debian/patches/CVE-2014-8118.patch 2014-12-14 18:08:28.000000000 -0800
@@ -0,0 +1,24 @@
+Description: Limit the length of the file name to a reasonable value
+ It was found that RPM could encounter an integer overflow, leading to
+ a stack-based overflow, while parsing a crafted CPIO header in the
+ payload section of an RPM file. This could allow an attacker to
+ modify signed RPM files in such a way that they would execute code
+ chosen by the attacker during package installation.
+Origin: backport, https://bugzilla.redhat.com/attachment.cgi?id=962159&action=diff
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8118
+Last-Update: 2014-12-14
+
+Index: rpm-4.11.3/lib/cpio.c
+===================================================================
+--- rpm-4.11.3.orig/lib/cpio.c 2013-11-22 02:31:31.000000000 -0800
++++ rpm-4.11.3/lib/cpio.c 2014-12-14 17:44:58.572662964 -0800
+@@ -296,6 +296,9 @@
+ st->st_rdev = makedev(major, minor);
+
+ GET_NUM_FIELD(hdr.namesize, nameSize);
++ if (nameSize <= 0 || nameSize > 4096) {
++ return CPIOERR_BAD_HEADER;
++ }
+
+ *path = xmalloc(nameSize + 1);
+ read = Fread(*path, nameSize, 1, cpio->fd);
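Review bot: the new guard `if (nameSize <= 0 || nameSize > 4096)` in the lib/cpio.c hunk is placed before `*path = xmalloc(nameSize + 1);`, so the `+ 1` can no longer wrap, but its intent should be commented, and the literal 4096 should be a named constant (it happens to match PATH_MAX on Linux). If the variable GET_NUM_FIELD writes into is unsigned, `nameSize <= 0` degrades to `== 0`; the upper bound still catches oversized values, so the check holds either way, but the type should be confirmed. The Description speaks of a stack-based overflow while this hunk only bounds a heap allocation, so verify that the stack buffer it refers to, which is not in the visible context, is also covered by this bound.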
diff -Nru rpm-4.11.3/debian/patches/series rpm-4.11.3/debian/patches/series
--- rpm-4.11.3/debian/patches/series 2014-09-22 02:17:30.000000000 -0700
+++ rpm-4.11.3/debian/patches/series 2014-12-14 17:18:57.000000000 -0800
@@ -13,3 +13,5 @@
rpm-4.10.90-rpmlib-filesystem-check.patch
fix-python-multiarch-include.patch
rpm-4.11.2-double-separator-warning.patch
+CVE-2014-8118.patch
+CVE-2013-6435.patch
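Review bot: the two entries added to debian/patches/series touch disjoint files (CVE-2014-8118.patch modifies lib/cpio.c and CVE-2013-6435.patch modifies lib/fsm.c, per their Index lines), so the order they are listed in does not affect the result; listing them in CVE order would be a cosmetic improvement only.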