| From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001 |
| From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> |
| Date: Wed, 10 Jun 2015 12:56:55 +0000 |
| Subject: [PATCH 1/2] rpm: CVE-2014-8118 |
| |
| Upstream-Status: Backport |
| |
| Reference: |
| https://bugzilla.redhat.com/show_bug.cgi?id=1168715 |
| |
| Description: |
| It was found that RPM could encounter an integer overflow, |
| leading to a stack-based overflow, while parsing a crafted |
| CPIO header in the payload section of an RPM file. This could |
| allow an attacker to modify signed RPM files in such a way that |
| they would execute code chosen by the attacker during package |
| installation. |
| |
| Original Patch: |
| https://bugzilla.redhat.com/attachment.cgi?id=962159 |
| |
| Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> |
| --- |
| lib/cpio.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/lib/cpio.c b/lib/cpio.c |
| index 382eeb6..74ddd9c 100644 |
| --- a/lib/cpio.c |
| +++ b/lib/cpio.c |
| @@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st) |
| st->st_rdev = makedev(major, minor); |
| |
| GET_NUM_FIELD(hdr.namesize, nameSize); |
| + if (nameSize <= 0 || nameSize > 4096) { |
| + return CPIOERR_BAD_HEADER; |
| + } |
| |
| *path = xmalloc(nameSize + 1); |
| read = Fread(*path, nameSize, 1, cpio->fd); |
| -- |
| 1.8.4.5 |
| |