aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
blob: bf1795ca49f9082a467b5abbbe4d9de080553ab7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Date: Wed, 10 Jun 2015 12:56:55 +0000
Subject: [PATCH 1/2] rpm: CVE-2014-8118

Upstream-Status: Backport

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1168715

Description:
It was found that RPM could encounter an integer overflow,
leading to a stack-based overflow, while parsing a crafted
CPIO header in the payload section of an RPM file.  This could
allow an attacker to modify signed RPM files in such a way that
they would execute code chosen by the attacker during package
installation.

Original Patch:
https://bugzilla.redhat.com/attachment.cgi?id=962159

Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
---
 lib/cpio.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/cpio.c b/lib/cpio.c
index 382eeb6..74ddd9c 100644
--- a/lib/cpio.c
+++ b/lib/cpio.c
@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
     st->st_rdev = makedev(major, minor);
 
     GET_NUM_FIELD(hdr.namesize, nameSize);
+    if (nameSize <= 0 || nameSize > 4096) {
+        return CPIOERR_BAD_HEADER;
+    }
 
     *path = xmalloc(nameSize + 1);
     read = Fread(*path, nameSize, 1, cpio->fd);
-- 
1.8.4.5