[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#773152: marked as done (unblock: rpm/4.11.3-1.1)

Your message dated Mon, 15 Dec 2014 13:23:39 +0000
with message-id <bf57aa583c79c684aa718e20f4102921@mail.adsl.funky-badger.org>
and subject line Re: Bug#773152: unblock: rpm/4.11.3-1.1
has caused the Debian Bug report #773152,
regarding unblock: rpm/4.11.3-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773152: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773152
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package rpm.

773101 reports two security issues in rpm, which 4.11.3-1.1 fixes using patches
extracted from upstream.

The differences between 4.11.3-1 and 4.11.3-1.1 are attached.

unblock rpm/4.11.3-1.1

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

diff -Nru rpm-4.11.3/debian/changelog rpm-4.11.3/debian/changelog
--- rpm-4.11.3/debian/changelog	2014-09-22 02:17:30.000000000 -0700
+++ rpm-4.11.3/debian/changelog	2014-12-14 18:14:54.000000000 -0800
@@ -1,3 +1,10 @@
+rpm (4.11.3-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2013-6435 and CVE-2014-8118 (Closes: #773101).
+
+ -- Matt Kraai <kraai@debian.org>  Sun, 14 Dec 2014 18:14:54 -0800
+
 rpm (4.11.3-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru rpm-4.11.3/debian/patches/CVE-2013-6435.patch rpm-4.11.3/debian/patches/CVE-2013-6435.patch
--- rpm-4.11.3/debian/patches/CVE-2013-6435.patch	1969-12-31 16:00:00.000000000 -0800
+++ rpm-4.11.3/debian/patches/CVE-2013-6435.patch	2014-12-14 18:10:27.000000000 -0800
@@ -0,0 +1,31 @@
+Description: Create the file with mode 0
+ It was found that RPM wrote file contents to the target installation
+ directory under a temporary name, and verified its cryptographic
+ signature only after the temporary file has been written
+ completely. Under certain conditions, the system interprets the
+ unverified temporary file contents and extracts commands from
+ it. This could allow an attacker to modify signed RPM files in such a
+ way that they would execute code chosen by the attacker during
+ package installation.
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=956268&action=diff
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
+Last-Update: 2014-12-14
+
+Index: rpm-4.11.3/lib/fsm.c
+===================================================================
+--- rpm-4.11.3.orig/lib/fsm.c	2014-12-14 18:01:29.484568052 -0800
++++ rpm-4.11.3/lib/fsm.c	2014-12-14 18:02:05.550228685 -0800
+@@ -731,7 +731,12 @@
+     pgpHashAlgo digestalgo = 0;
+     int rc = 0;
+ 
+-    wfd = Fopen(fsm->path, "w.ufdio");
++    /* Create the file with 000 permissions. */
++    {
++	mode_t old_umask = umask(0777);
++	wfd = Fopen(fsm->path, "w.ufdio");
++	umask(old_umask);
++    }
+     if (Ferror(wfd)) {
+ 	rc = CPIOERR_OPEN_FAILED;
+ 	goto exit;
diff -Nru rpm-4.11.3/debian/patches/CVE-2014-8118.patch rpm-4.11.3/debian/patches/CVE-2014-8118.patch
--- rpm-4.11.3/debian/patches/CVE-2014-8118.patch	1969-12-31 16:00:00.000000000 -0800
+++ rpm-4.11.3/debian/patches/CVE-2014-8118.patch	2014-12-14 18:08:28.000000000 -0800
@@ -0,0 +1,24 @@
+Description: Limit the length of the file name to a reasonable value
+ It was found that RPM could encounter an integer overflow, leading to
+ a stack-based overflow, while parsing a crafted CPIO header in the
+ payload section of an RPM file.  This could allow an attacker to
+ modify signed RPM files in such a way that they would execute code
+ chosen by the attacker during package installation.
+Origin: backport, https://bugzilla.redhat.com/attachment.cgi?id=962159&action=diff
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8118
+Last-Update: 2014-12-14
+
+Index: rpm-4.11.3/lib/cpio.c
+===================================================================
+--- rpm-4.11.3.orig/lib/cpio.c	2013-11-22 02:31:31.000000000 -0800
++++ rpm-4.11.3/lib/cpio.c	2014-12-14 17:44:58.572662964 -0800
+@@ -296,6 +296,9 @@
+     st->st_rdev = makedev(major, minor);
+ 
+     GET_NUM_FIELD(hdr.namesize, nameSize);
++    if (nameSize <= 0 || nameSize > 4096) {
++        return CPIOERR_BAD_HEADER;
++    }
+ 
+     *path = xmalloc(nameSize + 1);
+     read = Fread(*path, nameSize, 1, cpio->fd);
diff -Nru rpm-4.11.3/debian/patches/series rpm-4.11.3/debian/patches/series
--- rpm-4.11.3/debian/patches/series	2014-09-22 02:17:30.000000000 -0700
+++ rpm-4.11.3/debian/patches/series	2014-12-14 17:18:57.000000000 -0800
@@ -13,3 +13,5 @@
 rpm-4.10.90-rpmlib-filesystem-check.patch
 fix-python-multiarch-include.patch
 rpm-4.11.2-double-separator-warning.patch
+CVE-2014-8118.patch
+CVE-2013-6435.patch

--- End Message ---
--- Begin Message --- 
On 2014-12-15 8:35, Matt Kraai wrote:

Control: tags -1 - moreinfo

Hi,

On Mon, Dec 15, 2014 at 06:16:10AM +0000, Adam D. Barratt wrote:

For the record, this is in DELAYED/5. Please remove the "moreinfo" tag
once the package reaches unstable.


I've uploaded it directly to unstable with the maintainer's
permission, so I'm removing the moreinfo tag now.


It looks like jmw unblocked this.

Regards,

Adam

--- End Message ---
Reply to: