Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package rpm.

773101 reports two security issues in rpm, which 4.11.3-1.1 fixes using patches extracted from upstream. The differences between 4.11.3-1 and 4.11.3-1.1 are attached.

unblock rpm/4.11.3-1.1

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru rpm-4.11.3/debian/changelog rpm-4.11.3/debian/changelog --- rpm-4.11.3/debian/changelog 2014-09-22 02:17:30.000000000 -0700 +++ rpm-4.11.3/debian/changelog 2014-12-14 18:14:54.000000000 -0800 @@ -1,3 +1,10 @@ +rpm (4.11.3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2013-6435 and CVE-2014-8118 (Closes: #773101). + + -- Matt Kraai <kr...@debian.org> Sun, 14 Dec 2014 18:14:54 -0800 + rpm (4.11.3-1) unstable; urgency=medium * New upstream release. diff -Nru rpm-4.11.3/debian/patches/CVE-2013-6435.patch rpm-4.11.3/debian/patches/CVE-2013-6435.patch --- rpm-4.11.3/debian/patches/CVE-2013-6435.patch 1969-12-31 16:00:00.000000000 -0800 +++ rpm-4.11.3/debian/patches/CVE-2013-6435.patch 2014-12-14 18:10:27.000000000 -0800 
@@ -0,0 +1,31 @@ +Description: Create the file with mode 0 + It was found that RPM wrote file contents to the target installation + directory under a temporary name, and verified its cryptographic + signature only after the temporary file has been written + completely. Under certain conditions, the system interprets the + unverified temporary file contents and extracts commands from + it. This could allow an attacker to modify signed RPM files in such a + way that they would execute code chosen by the attacker during + package installation. +Origin: https://bugzilla.redhat.com/attachment.cgi?id=956268&action=diff +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435 +Last-Update: 2014-12-14 + +Index: rpm-4.11.3/lib/fsm.c +=================================================================== +--- rpm-4.11.3.orig/lib/fsm.c 2014-12-14 18:01:29.484568052 -0800 ++++ rpm-4.11.3/lib/fsm.c 2014-12-14 18:02:05.550228685 -0800 +@@ -731,7 +731,12 @@ + pgpHashAlgo digestalgo = 0; + int rc = 0; + +- wfd = Fopen(fsm->path, "w.ufdio"); ++ /* Create the file with 000 permissions. */ ++ { ++ mode_t old_umask = umask(0777); ++ wfd = Fopen(fsm->path, "w.ufdio"); ++ umask(old_umask); ++ } + if (Ferror(wfd)) { + rc = CPIOERR_OPEN_FAILED; + goto exit; diff -Nru rpm-4.11.3/debian/patches/CVE-2014-8118.patch rpm-4.11.3/debian/patches/CVE-2014-8118.patch --- rpm-4.11.3/debian/patches/CVE-2014-8118.patch 1969-12-31 16:00:00.000000000 -0800 +++ rpm-4.11.3/debian/patches/CVE-2014-8118.patch 2014-12-14 18:08:28.000000000 -0800 
@@ -0,0 +1,24 @@ +Description: Limit the length of the file name to a reasonable value + It was found that RPM could encounter an integer overflow, leading to + a stack-based overflow, while parsing a crafted CPIO header in the + payload section of an RPM file. This could allow an attacker to + modify signed RPM files in such a way that they would execute code + chosen by the attacker during package installation. +Origin: backport, https://bugzilla.redhat.com/attachment.cgi?id=962159&action=diff +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8118 +Last-Update: 2014-12-14 + +Index: rpm-4.11.3/lib/cpio.c +=================================================================== +--- rpm-4.11.3.orig/lib/cpio.c 2013-11-22 02:31:31.000000000 -0800 ++++ rpm-4.11.3/lib/cpio.c 2014-12-14 17:44:58.572662964 -0800 +@@ -296,6 +296,9 @@ + st->st_rdev = makedev(major, minor); + + GET_NUM_FIELD(hdr.namesize, nameSize); ++ if (nameSize <= 0 || nameSize > 4096) { ++ return CPIOERR_BAD_HEADER; ++ } + + *path = xmalloc(nameSize + 1); + read = Fread(*path, nameSize, 1, cpio->fd); diff -Nru rpm-4.11.3/debian/patches/series rpm-4.11.3/debian/patches/series --- rpm-4.11.3/debian/patches/series 2014-09-22 02:17:30.000000000 -0700 +++ rpm-4.11.3/debian/patches/series 2014-12-14 17:18:57.000000000 -0800 @@ -13,3 +13,5 @@ rpm-4.10.90-rpmlib-filesystem-check.patch fix-python-multiarch-include.patch rpm-4.11.2-double-separator-warning.patch +CVE-2014-8118.patch +CVE-2013-6435.patch
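Review bot: in the lib/fsm.c hunk of CVE-2013-6435.patch, creating the target with a umask of 0777 only keeps other processes from reading or executing the still-unverified temporary file; the contents are still written before verification, so the fix depends on a later step restoring the intended mode once the digest check passes. That dependency should be confirmed and stated in the comment (e.g. `/* Mode 000 until verified; final mode is applied later. */`), since a reader of this hunk alone could assume the verification itself was moved, and any path that skips the later mode change would leave installed files at mode 000. umask() is also process-wide rather than per-thread, so the save/restore around Fopen() is only safe while no other thread creates files at the same time; a one-line comment recording that assumption would help the next maintainer.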
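Review bot: in the lib/cpio.c hunk of CVE-2014-8118.patch, the `nameSize <= 0` half of the new check only does useful work if nameSize is a signed type; if GET_NUM_FIELD stores into an unsigned variable the condition collapses to `== 0`, compilers will warn that the comparison is always false, and only the upper bound actually prevents the overflow described, so the declared type should be confirmed (the hunk does not show it). The 4096 limit is a bare constant; a named macro with a comment on why this value was chosen (rather than PATH_MAX) would make the intent clear to future readers. The placement is right: with the bound in place, `xmalloc(nameSize + 1)` and the following Fread() operate on a checked size, and nothing has been allocated before the early `return CPIOERR_BAD_HEADER`, so no cleanup is needed there.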