On Mon, Aug 23, 2021 at 8:12 AM Ranjitsinh Rathod <[email protected]> wrote:
>
> Adding fix for CVE-2021-20266
> Upstream-Status: Backport
> [https://github.com/rpm-software-management/rpm/pull/1587/commits/9646711891df851dfbf7ef54cc171574a0914b15]
>
> Note: Hunk#2 and Hunk#3 refreshed to apply patch and match value of
> dl_max variable to make it with current version
Causes autobuilder failures: https://errors.yoctoproject.org/Errors/Details/602478/ Steve
>
> Signed-off-by: Ranjitsinh Rathod <[email protected]>
> ---
> .../rpm/files/CVE-2021-20266.patch | 108 ++++++++++++++++++
> meta/recipes-devtools/rpm/rpm_4.14.2.1.bb | 1 +
> 2 files changed, 109 insertions(+)
> create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
>
> diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
> b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
> new file mode 100644
> index 0000000000..d8b91d4f8e
> --- /dev/null
> +++ b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
> @@ -0,0 +1,108 @@
> +From 9646711891df851dfbf7ef54cc171574a0914b15 Mon Sep 17 00:00:00 2001
> +From: Demi Marie Obenour <[email protected]>
> +Date: Mon, 8 Feb 2021 16:05:01 -0500
> +Subject: [PATCH] hdrblobInit() needs bounds checks too
> +
> +Users can pass untrusted data to hdrblobInit() and it must be robust
> +against this.
> +
> +Backported from commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef
> +
> +Upstream-Status: Backport
> [https://github.com/rpm-software-management/rpm/pull/1587/commits/9646711891df851dfbf7ef54cc171574a0914b15]
> +CVE: CVE-2021-20266
> +Signed-off-by: Ranjitsinh Rathod <[email protected]>
> +---
> + lib/header.c | 48 +++++++++++++++++++++++++++++++-----------------
> + 1 file changed, 31 insertions(+), 17 deletions(-)
> +
> +diff --git a/lib/header.c b/lib/header.c
> +index 6af48e61af..46ded5dd99 100644
> +--- a/lib/header.c
> ++++ b/lib/header.c
> +@@ -11,6 +11,7 @@
> + #include "system.h"
> + #include <netdb.h>
> + #include <errno.h>
> ++#include <inttypes.h>
> + #include <rpm/rpmtypes.h>
> + #include <rpm/rpmstring.h>
> + #include "lib/header_internal.h"
> +@@ -1910,6 +1911,25 @@ hdrblob hdrblobFree(hdrblob blob)
> + return NULL;
> + }
> +
> ++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il,
> uint32_t dl,
> ++ char **emsg) {
> ++ uint32_t il_max = HEADER_TAGS_MAX;
> ++ uint32_t dl_max = HEADER_DATA_MAX;
> ++ if (regionTag == RPMTAG_HEADERSIGNATURES) {
> ++ il_max = 32;
> ++ dl_max = 8192;
> ++ }
> ++ if (hdrchkRange(il_max, il)) {
> ++ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of
> range"), il);
> ++ return RPMRC_FAIL;
> ++ }
> ++ if (hdrchkRange(dl_max, dl)) {
> ++ rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of
> range"), dl);
> ++ return RPMRC_FAIL;
> ++ }
> ++ return RPMRC_OK;
> ++}
> ++
> + rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag,
> hdrblob blob, char **emsg)
> + {
> + int32_t block[4];
> +@@ -1922,13 +1942,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size,
> rpmTagVal regionTag, hdrbl
> + size_t nb;
> + rpmRC rc = RPMRC_FAIL; /* assume failure */
> + int xx;
> +- int32_t il_max = HEADER_TAGS_MAX;
> +- int32_t dl_max = HEADER_DATA_MAX;
> +-
> +- if (regionTag == RPMTAG_HEADERSIGNATURES) {
> +- il_max = 32;
> +- dl_max = 8192;
> +- }
> +
> + memset(block, 0, sizeof(block));
> + if ((xx = Freadall(fd, bs, blen)) != blen) {
> +@@ -1941,15 +1954,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size,
> rpmTagVal regionTag, hdrbl
> + goto exit;
> + }
> + il = ntohl(block[2]);
> +- if (hdrchkRange(il_max, il)) {
> +- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
> +- goto exit;
> +- }
> + dl = ntohl(block[3]);
> +- if (hdrchkRange(dl_max, dl)) {
> +- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"),
> dl);
> ++ if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
> + goto exit;
> +- }
> +
> + nb = (il * sizeof(struct entryInfo_s)) + dl;
> + uc = sizeof(il) + sizeof(dl) + nb;
> +@@ -1993,11 +2000,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
> + struct hdrblob_s *blob, char **emsg)
> + {
> + rpmRC rc = RPMRC_FAIL;
> +-
> + memset(blob, 0, sizeof(*blob));
> ++ if (uc && uc < 8) {
> ++ rasprintf(emsg, _("hdr length: BAD"));
> ++ goto exit;
> ++ }
> ++
> + blob->ei = (int32_t *) uh; /* discards const */
> +- blob->il = ntohl(blob->ei[0]);
> +- blob->dl = ntohl(blob->ei[1]);
> ++ blob->il = ntohl((uint32_t)(blob->ei[0]));
> ++ blob->dl = ntohl((uint32_t)(blob->ei[1]));
> ++ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) !=
> RPMRC_OK)
> ++ goto exit;
> ++
> + blob->pe = (entryInfo) &(blob->ei[2]);
> + blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
> + (blob->il * sizeof(*blob->pe)) + blob->dl;
> diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
> b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
> index 018b2f8700..c93654aa8f 100644
> --- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
> +++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
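Review bot: The new call `if (hdrblobVerifyLengths(regionTag, il, dl, emsg))` in hdrblobRead() tests the rpmRC result for truthiness, while the hdrblobInit() hunk after it compares the same helper against `RPMRC_OK`. Writing both as `if (hdrblobVerifyLengths(regionTag, il, dl, emsg) != RPMRC_OK)` keeps the check from depending on RPMRC_OK being zero. The helper takes `uint32_t` lengths and prints them with `PRIu32`, but the declarations of `il` and `dl` in hdrblobRead() lie outside this hunk; if they are still signed in this 4.14 tree, the conversion at the call is implicit and should be made explicit or the locals retyped. hdrblobRead()'s body starts and ends outside the hunk.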
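Review bot: The added guard `if (uc && uc < 8)` in hdrblobInit() is skipped when `uc` is 0, yet `blob->ei[0]` and `blob->ei[1]` are read immediately after it, so a caller that passes no length still gets two 4-byte reads from `uh` with nothing bounding them. If 0 is meant as "length not supplied", state that above the guard, e.g. `/* uc == 0: caller gave no length; only il/dl are range-checked below */`, and spell the literal as `2 * sizeof(int32_t)` so it tracks the two words being read. hdrblobVerifyLengths() bounds `il` and `dl` against fixed maxima only; whether `pvlen` is later compared with `uc` is not visible here, since the function continues past the hunk. `regionTag` is used in the new call but its declaration is not in the hunk context, presumably a parameter on a signature line above it, which is worth confirming against the 4.14.2.1 source given that the hunks were refreshed by hand.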
> @@ -45,6 +45,7 @@ SRC_URI =
> "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
>
> file://0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch \
> file://0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch \
> file://CVE-2021-3421.patch \
> + file://CVE-2021-20266.patch \
> "
>
> PE = "1"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and
> is the property of the KPIT Technologies Ltd. It is intended only for the
> person to whom it is addressed. If you are not the intended recipient, you
> are not authorized to read, print, retain copy, disseminate, distribute, or
> use this message or any part thereof. If you receive this message in error,
> please notify the sender immediately and delete all copies of this message.
> KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
>
>
