Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001 |
| 2 | From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> |
| 3 | Date: Wed, 10 Jun 2015 12:56:55 +0000 |
| 4 | Subject: [PATCH 1/2] rpm: CVE-2014-8118 |
| 5 | |
| 6 | Upstream-Status: Backport |
| 7 | |
| 8 | Reference: |
| 9 | https://bugzilla.redhat.com/show_bug.cgi?id=1168715 |
| 10 | |
| 11 | Description: |
| 12 | It was found that RPM could encounter an integer overflow, |
| 13 | leading to a stack-based overflow, while parsing a crafted |
| 14 | CPIO header in the payload section of an RPM file. This could |
| 15 | allow an attacker to modify signed RPM files in such a way that |
| 16 | they would execute code chosen by the attacker during package |
| 17 | installation. |
| 18 | |
| 19 | Original Patch: |
| 20 | https://bugzilla.redhat.com/attachment.cgi?id=962159 |
| 21 | |
| 22 | Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> |
| 23 | --- |
| 24 | lib/cpio.c | 3 +++ |
| 25 | 1 file changed, 3 insertions(+) |
| 26 | |
| 27 | diff --git a/lib/cpio.c b/lib/cpio.c |
| 28 | index 382eeb6..74ddd9c 100644 |
| 29 | --- a/lib/cpio.c |
| 30 | +++ b/lib/cpio.c |
| 31 | @@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st) |
| 32 | st->st_rdev = makedev(major, minor); |
| 33 | |
| 34 | GET_NUM_FIELD(hdr.namesize, nameSize); |
| 35 | + if (nameSize <= 0 || nameSize > 4096) { |
| 36 | + return CPIOERR_BAD_HEADER; |
| 37 | + } |
| 38 | |
| 39 | *path = xmalloc(nameSize + 1); |
| 40 | read = Fread(*path, nameSize, 1, cpio->fd); |
| 41 | -- |
| 42 | 1.8.4.5 |
| 43 | |