Set file metadata via fd-based ops for everything but symlinks Regular file ops are fd-based already, for the rest we need to open them manually. Files with temporary suffix must never be followed, for directories (and pre-existing FA_TOUCHed files) use the rpm symlink "root or target owner allowed" rule wrt following.
This mostly fixes CVE-2021-35938, but as we're not yet using dirfd-based operations for everything there are corner cases left undone. And then there's the plugin API which needs updating for all this. Signed-off-by: Vivek Kumbhar <[email protected]> --- .../rpm/files/CVE-2021-35938.patch | 36 +++++++++++++++++++ meta/recipes-devtools/rpm/rpm_4.17.1.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-35938.patch diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-35938.patch b/meta/recipes-devtools/rpm/files/CVE-2021-35938.patch new file mode 100644 index 0000000000..9b2e7ee91f --- /dev/null +++ b/meta/recipes-devtools/rpm/files/CVE-2021-35938.patch @@ -0,0 +1,36 @@ +From 25a435e90844ea98fe5eb7bef22c1aecf3a9c033 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen <[email protected]> +Date: Mon, 14 Feb 2022 14:29:33 +0200 +Subject: [PATCH] Set file metadata via fd-based ops for everything but + symlinks + +Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/25a435e90844ea98fe5eb7bef22c1aecf3a9c033] +CVE: CVE-2023-25193 +Signed-off-by: Vivek Kumbhar <[email protected]> +--- + lib/fsm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/fsm.c b/lib/fsm.c +index 935a0a5c6..50c431d2a 100644 +--- a/lib/fsm.c ++++ b/lib/fsm.c +@@ -1000,6 +1000,15 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files, + if (!IS_DEV_LOG(fp->fpath)) + rc = RPMERR_UNKNOWN_FILETYPE; + } ++ ++ if (!rc && fd == -1 && !S_ISLNK(fp->sb.st_mode)) { ++ /* Only follow safe symlinks, and never on temporary files */ ++ fd = fsmOpenat(di.dirfd, fp->fpath, ++ fp->suffix ? AT_SYMLINK_NOFOLLOW : 0); ++ if (fd < 0) ++ rc = RPMERR_OPEN_FAILED; ++ } ++ + } else if (firstlink && rpmfiArchiveHasContent(fi)) { + /* + * Tricksy case: this file is a being skipped, but it's part of +-- +2.25.1 + 
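Review bot: the patch header carries `CVE: CVE-2023-25193`, which does not match the file name CVE-2021-35938.patch, the cover letter, or the upstream commit being backported; it should read `CVE: CVE-2021-35938`, otherwise an unrelated advisory is recorded as fixed and the real one is not. In the lib/fsm.c hunk the added block only obtains a descriptor (`fd = fsmOpenat(di.dirfd, fp->fpath, fp->suffix ? AT_SYMLINK_NOFOLLOW : 0);`) and the diffstat is 9 insertions in one file, while the upstream subject describes setting file metadata through fd-based operations; please confirm that rpm 4.17.1 already consumes that fd in the following metadata path and closes it, since neither is visible here, or the backport opens a descriptor that is never used and leaks it. The guard `fd == -1 && !S_ISLNK(fp->sb.st_mode)` matches the stated intent (regular files are already fd-based, symlinks are excluded), but the comment "Only follow safe symlinks" is only true if the caller's ownership rule for non-suffixed paths is also present in this tree, so that dependency is worth stating in the patch description.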
diff --git a/meta/recipes-devtools/rpm/rpm_4.17.1.bb b/meta/recipes-devtools/rpm/rpm_4.17.1.bb index 9b6446f265..e12d10c1e9 100644 --- a/meta/recipes-devtools/rpm/rpm_4.17.1.bb +++ b/meta/recipes-devtools/rpm/rpm_4.17.1.bb @@ -40,6 +40,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protoc file://0001-docs-do-not-build-manpages-requires-pandoc.patch \ file://0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch \ file://0001-configure.ac-add-linux-gnux32-variant-to-triplet-han.patch \ + file://CVE-2021-35938.patch \ " PE = "1" -- 2.25.1
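Review bot: adding `file://CVE-2021-35938.patch` to SRC_URI lets the recipe advertise CVE-2021-35938 as addressed, yet the commit message itself says the fix is partial ("corner cases left undone" for the non-dirfd paths and the plugin API); record that gap in the commit message or recipe so the CVE is not treated as fully closed, and reconcile the patch file name with the `CVE:` tag inside the patch before merging, since the two currently name different advisories.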
View/Reply Online (#177957): https://lists.openembedded.org/g/openembedded-core/message/177957
