Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001 |
| 2 | From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> |
| 3 | Date: Wed, 10 Jun 2015 14:36:56 +0000 |
| 4 | Subject: [PATCH 2/2] rpm: CVE-2013-6435 |
| 5 | |
| 6 | Upstream-Status: Backport |
| 7 | |
| 8 | Reference: |
| 9 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435 |
| 10 | |
| 11 | Description: |
| 12 | It was found that RPM wrote file contents to the target installation |
| 13 | directory under a temporary name, and verified its cryptographic signature |
| 14 | only after the temporary file has been written completely. Under certain |
| 15 | conditions, the system interprets the unverified temporary file contents |
| 16 | and extracts commands from it. This could allow an attacker to modify |
| 17 | signed RPM files in such a way that they would execute code chosen |
| 18 | by the attacker during package installation. |
| 19 | |
| 20 | Original Patch: |
| 21 | https://bugzilla.redhat.com/attachment.cgi?id=956207 |
| 22 | |
| 23 | Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> |
| 24 | --- |
| 25 | lib/fsm.c | 2 +- |
| 26 | rpmio/rpmio.c | 18 ++++++++++++++---- |
| 27 | 2 files changed, 15 insertions(+), 5 deletions(-) |
| 28 | |
| 29 | diff --git a/lib/fsm.c b/lib/fsm.c |
| 30 | index 1ee7e67..094eb1d 100644 |
| 31 | --- a/lib/fsm.c |
| 32 | +++ b/lib/fsm.c |
| 33 | @@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest) |
| 34 | { |
| 35 | FD_t wfd = NULL; |
| 36 | const struct stat * st = &fsm->sb; |
| 37 | - rpm_loff_t left = st->st_size; |
| 38 | + rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix); |
| 39 | const unsigned char * fidigest = NULL; |
| 40 | pgpHashAlgo digestalgo = 0; |
| 41 | int rc = 0; |
| 42 | diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c |
| 43 | index cd223e8..0b12e31 100644 |
| 44 | --- a/rpmio/rpmio.c |
| 45 | +++ b/rpmio/rpmio.c |
| 46 | @@ -1309,15 +1309,19 @@ int Fclose(FD_t fd) |
| 47 | * - bzopen: [1-9] is block size (modulo 100K) |
| 48 | * - bzopen: 's' is smallmode |
| 49 | * - HACK: '.' terminates, rest is type of I/O |
| 50 | + * - 'U' sets *mode to zero (no permissions) instead of 0666 |
| 51 | */ |
| 52 | static void cvtfmode (const char *m, |
| 53 | char *stdio, size_t nstdio, |
| 54 | char *other, size_t nother, |
| 55 | - const char **end, int * f) |
| 56 | + const char **end, int *f, mode_t *mode) |
| 57 | { |
| 58 | int flags = 0; |
| 59 | char c; |
| 60 | |
| 61 | + if (mode) |
| 62 | + *mode = 0666; |
| 63 | + |
| 64 | switch (*m) { |
| 65 | case 'a': |
| 66 | flags |= O_WRONLY | O_CREAT | O_APPEND; |
| 67 | @@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m, |
| 68 | if (--nstdio > 0) *stdio++ = c; |
| 69 | continue; |
| 70 | break; |
| 71 | + case 'U': |
| 72 | + if (mode) |
| 73 | + *mode = 0; |
| 74 | + break; |
| 75 | default: |
| 76 | if (--nother > 0) *other++ = c; |
| 77 | continue; |
| 78 | @@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd)); |
| 79 | if (fd == NULL || fmode == NULL) |
| 80 | return NULL; |
| 81 | |
| 82 | - cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL); |
| 83 | + cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL, |
| 84 | + NULL); |
| 85 | if (stdio[0] == '\0') |
| 86 | return NULL; |
| 87 | zstdio[0] = '\0'; |
| 88 | @@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode) |
| 89 | { |
| 90 | char stdio[20], other[20]; |
| 91 | const char *end = NULL; |
| 92 | - mode_t perms = 0666; |
| 93 | + mode_t perms; |
| 94 | int flags = 0; |
| 95 | FD_t fd; |
| 96 | |
| 97 | @@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode) |
| 98 | return NULL; |
| 99 | |
| 100 | stdio[0] = '\0'; |
| 101 | - cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags); |
| 102 | + cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags, |
| 103 | + &perms); |
| 104 | if (stdio[0] == '\0') |
| 105 | return NULL; |
| 106 | |
| 107 | -- |
| 108 | 1.8.4.5 |
| 109 | |