
Bug#990455: unblock: rpm/4.16.1.2+dfsg1-2



On Tue, Jun 29, 2021 at 09:02:43PM +0200, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
> 
> On 2021-06-29 20:15:33 +0300, Peter Pentchev wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: team+pkg-rpm@tracker.debian.org
> > 
> > Please unblock package rpm to fix a couple of security problems in
> > handling untrusted RPM files.
> > 
> > [ Reason ]
> > See #985308 for more information - there are three CVEs filed for
> > problems in rpm's parsing of various header fields, one of which
> > may even be used to lead to code execution.
[snip]
> > diff -Nru rpm-4.16.1.2+dfsg1/debian/librpm9.symbols rpm-4.16.1.2+dfsg1/debian/librpm9.symbols
> > --- rpm-4.16.1.2+dfsg1/debian/librpm9.symbols	2021-01-02 12:04:09.000000000 +0200
> > +++ rpm-4.16.1.2+dfsg1/debian/librpm9.symbols	2021-06-29 12:23:21.000000000 +0300
> > @@ -473,3 +473,4 @@
> >   rpmvsVerify@Base 4.16
> >   showQueryPackage@Base 4.14.0+dfsg1
> >   showVerifyPackage@Base 4.14.0+dfsg1
> > + xlateTags@Base 4.16.1.2+dfsg1
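Review bot: the new line `xlateTags@Base 4.16.1.2+dfsg1` turns a lookup table that lives in lib/package.c into public ABI of librpm9, so every later upload has to keep exporting it; unless something outside the library consumes the table, give it internal linkage in the patch (a `static` on the array definition) and drop this symbols entry instead of recording it here.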
[snip]
> > diff -Nru rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch
> > --- rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch	1970-01-01 02:00:00.000000000 +0200
> > +++ rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch	2021-06-29 17:06:43.000000000 +0300
> > @@ -0,0 +1,180 @@
> > +Description: Be much more careful about copying data from the signature header
[snip]
> > +Origin: upstream; https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21
> > +Author: Panu Matilainen <pmatilai@redhat.com>
> > +Bug-Debian: https://bugs.debian.org/985308
> > +Last-Update: 2021-06-29
> > +
> > +--- a/lib/package.c
> > ++++ b/lib/package.c
> > +@@ -31,82 +31,78 @@
> > +     rpmRC rc;
> > + };
> > + 
> > ++struct taglate_s {
> > ++    rpmTagVal stag;
> > ++    rpmTagVal xtag;
> > ++    rpm_count_t count;
> > ++    int quirk;
> > ++} const xlateTags[] = {
> > ++    { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1, 0 },
> > ++    { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0, 0 },
> > ++    { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16, 0 },
> > ++    { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0, 0 },
> > ++    /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0, 0 }, */ /* long obsolete, dont use */
> > ++    { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1, 1 },
> > ++    { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0, 1 },
> > ++    { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1, 1 },
> > ++    { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1, 0 },
> > ++    { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1, 0 },
> > ++    { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0, 0 },
> > ++    { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0, 0 },
> > ++    { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1, 0 },
> > ++    { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1, 0 },
> > ++    { 0 }
> > ++};
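Review bot: the definition `} const xlateTags[] = {` at the top of the hunk has no `static`, so the table gets external linkage and shows up as an exported symbol in debian/librpm9.symbols; write it as `static struct taglate_s { ... } const xlateTags[] = {` (or a separate `static const struct taglate_s xlateTags[]`) so it stays private to package.c. A one-line comment on the `count` and `quirk` fields would also help: as written, a reader has to guess that `count` 0 on the PGP/GPG/DSA/RSA/FILESIGNATURES entries means "any count" and what `quirk` 1 changes for the PAYLOADSIZE and FILESIGNATURE* rows.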
> 
> Is this constant really supposed to be part of the public ABI? This
> looks like it could use a static modifier.

Hm, you are right. At least for the moment, it does not seem that
anything else is using it, so it does not need to be exposed in
the public library.

I'll adapt the patch, drop the symbol from the library's symbols
file (yes, I know, it would have been so much better if it had
never actually hit the archive... true), and upload a new version.

Thanks for making me stop and think about this!

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net roam@debian.org pp@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
