Open newly created files with O_EXCL to prevent symlink tricks. When reopening hardlinks for writing the actual content, use append mode instead. This is compatible with the write-only permissions but is not destructive in case we got redirected to somebody elses file, verify the target before actually writing anything.
As these are files with the temporary suffix, errors mean a local user with sufficient privileges to break the installation of the package anyway is trying to goof us on purpose, don't bother trying to mend it (we couldn't fix the hardlink case anyhow) but just bail out. Based on a patch by Florian Festi. Affects rpm < 4.13.0.2 Signed-off-by: Jagadeesh Krishnanjanappa <[email protected]> --- .../recipes-devtools/rpm/files/CVE-2017-7501.patch | 106 +++++++++++++++++++++ meta/recipes-devtools/rpm/rpm_git.bb | 1 + 2 files changed, 107 insertions(+) create mode 100644 meta/recipes-devtools/rpm/files/CVE-2017-7501.patch diff --git a/meta/recipes-devtools/rpm/files/CVE-2017-7501.patch b/meta/recipes-devtools/rpm/files/CVE-2017-7501.patch new file mode 100644 index 0000000..fb299d9 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/CVE-2017-7501.patch @@ -0,0 +1,106 @@ +From 404ef011c300207cdb1e531670384564aae04bdc Mon Sep 17 00:00:00 2001 +From: Panu Matilainen <[email protected]> +Date: Tue, 19 Sep 2017 14:46:36 +0300 +Subject: [PATCH] Don't follow symlinks on file creation (CVE-2017-7501) + +Open newly created files with O_EXCL to prevent symlink tricks. +When reopening hardlinks for writing the actual content, use append +mode instead. This is compatible with the write-only permissions but +is not destructive in case we got redirected to somebody elses file, +verify the target before actually writing anything. + +As these are files with the temporary suffix, errors mean a local +user with sufficient privileges to break the installation of the package +anyway is trying to goof us on purpose, don't bother trying to mend it +(we couldn't fix the hardlink case anyhow) but just bail out. + +Based on a patch by Florian Festi. + +CVE: CVE-2017-7501 +Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc] + +Signed-off-by: Panu Matilainen <[email protected]> +Signed-off-by: Florian Festi <[email protected]> +Signed-off-by: Jagadeesh Krishnanjanappa <[email protected]> +--- + lib/fsm.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/lib/fsm.c b/lib/fsm.c +index 553774b..e0e9d03 100644 +--- a/lib/fsm.c ++++ b/lib/fsm.c +@@ -206,11 +206,22 @@ static int fsmSetFCaps(const char *path, const char *captxt) + return rc; + } + ++/* Check dest is the same, empty and regular file with writeonly permissions */ ++static int linkSane(FD_t wfd, const char *dest) ++{ ++ struct stat sb, lsb; ++ ++ return (fstat(Fileno(wfd), &sb) == 0 && sb.st_size == 0 && ++ (sb.st_mode & ~S_IFMT) == S_IWUSR && ++ lstat(dest, &lsb) == 0 && S_ISREG(lsb.st_mode) && ++ sb.st_dev == lsb.st_dev && sb.st_ino == lsb.st_ino); ++} ++ + /** \ingroup payload + * Create file from payload stream. + * @return 0 on success + */ +-static int expandRegular(rpmfi fi, const char *dest, rpmpsm psm, int nodigest, int nocontent) ++static int expandRegular(rpmfi fi, const char *dest, rpmpsm psm, int exclusive, int nodigest, int nocontent) + { + FD_t wfd = NULL; + int rc = 0; +@@ -218,8 +229,14 @@ static int expandRegular(rpmfi fi, const char *dest, rpmpsm psm, int nodigest, i + /* Create the file with 0200 permissions (write by owner). */ + { + mode_t old_umask = umask(0577); +- wfd = Fopen(dest, "w.ufdio"); ++ wfd = Fopen(dest, exclusive ? "wx.ufdio" : "a.ufdio"); + umask(old_umask); ++ ++ /* If reopening, make sure the file is what we expect */ ++ if (!exclusive && wfd != NULL && !linkSane(wfd, dest)) { ++ rc = RPMERR_OPEN_FAILED; ++ goto exit; ++ } + } + if (Ferror(wfd)) { + rc = RPMERR_OPEN_FAILED; +@@ -248,7 +265,7 @@ static int fsmMkfile(rpmfi fi, const char *dest, rpmfiles files, + /* Create first hardlinked file empty */ + if (*firsthardlink < 0) { + *firsthardlink = rpmfiFX(fi); +- rc = expandRegular(fi, dest, psm, nodigest, 1); ++ rc = expandRegular(fi, dest, psm, 1, nodigest, 1); + } else { + /* Create hard links for others */ + char *fn = rpmfilesFN(files, *firsthardlink); +@@ -263,10 +280,10 @@ static int fsmMkfile(rpmfi fi, const char *dest, rpmfiles files, + existing) file with content */ + if (numHardlinks<=1) { + if (!rc) +- rc = expandRegular(fi, dest, psm, nodigest, 0); ++ rc = expandRegular(fi, dest, psm, 1, nodigest, 0); + } else if (rpmfiArchiveHasContent(fi)) { + if (!rc) +- rc = expandRegular(fi, dest, psm, nodigest, 0); ++ rc = expandRegular(fi, dest, psm, 0, nodigest, 0); + *firsthardlink = -1; + } else { + *setmeta = 0; +@@ -939,7 +956,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files, + /* we skip the hard linked file containing the content */ + /* write the content to the first used instead */ + char *fn = rpmfilesFN(files, firsthardlink); +- rc = expandRegular(fi, fn, psm, nodigest, 0); ++ rc = expandRegular(fi, fn, psm, 0, nodigest, 0); + firsthardlink = -1; + free(fn); + } +-- +2.7.4 + diff --git a/meta/recipes-devtools/rpm/rpm_git.bb b/meta/recipes-devtools/rpm/rpm_git.bb index 7866314..bec0630 100644 --- a/meta/recipes-devtools/rpm/rpm_git.bb +++ b/meta/recipes-devtools/rpm/rpm_git.bb @@ -43,6 +43,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm \ file://0003-rpmstrpool.c-make-operations-over-string-pools-threa.patch \ file://0004-build-pack.c-remove-static-local-variables-from-buil.patch \ file://0001-perl-disable-auto-reqs.patch \ + file://CVE-2017-7501.patch \ " UPSTREAM_VERSION_UNKNOWN = "1" -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
