path: root/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
blob: a2691f6da83a85ca590a8f8bd577616e1e40c143 (plain)
From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Date: Wed, 10 Jun 2015 14:36:56 +0000
Subject: [PATCH 2/2] rpm: CVE-2013-6435

Upstream-Status: Backport
CVE: CVE-2013-6435

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435

Description:
It was found that RPM wrote file contents to the target installation
directory under a temporary name, and verified its cryptographic signature
only after the temporary file has been written completely. Under certain
conditions, the system interprets the unverified temporary file contents
and extracts commands from it. This could allow an attacker to modify
signed RPM files in such a way that they would execute code chosen
by the attacker during package installation.

Original Patch:
https://bugzilla.redhat.com/attachment.cgi?id=956207

Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
---
 lib/fsm.c     |  2 +-
 rpmio/rpmio.c | 18 ++++++++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/lib/fsm.c b/lib/fsm.c
index 1ee7e67..094eb1d 100644
--- a/lib/fsm.c
+++ b/lib/fsm.c
@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
 {
     FD_t wfd = NULL;
     const struct stat * st = &fsm->sb;
-    rpm_loff_t left = st->st_size;
+    rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
     const unsigned char * fidigest = NULL;
     pgpHashAlgo digestalgo = 0;
     int rc = 0;
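Review bot: The new initializer for `left` in expandRegular carries no comment explaining why the byte count now comes from `rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix)` instead of `st->st_size`, and the commit description does not tie this line to the CVE either. A one-line comment such as `/* length comes from the package file info, not from fsm->sb */` would stop a later cleanup from reverting it. `st` is still declared just above; whether it is still read is not visible because the function body continues outside the hunk, so check that it has not become an unused variable.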
diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
index cd223e8..0b12e31 100644
--- a/rpmio/rpmio.c
+++ b/rpmio/rpmio.c
@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
  * - bzopen:	[1-9] is block size (modulo 100K)
  * - bzopen:	's' is smallmode
  * - HACK:	'.' terminates, rest is type of I/O
+ * -            'U' sets *mode to zero (no permissions) instead of 0666
  */
 static void cvtfmode (const char *m,
 				char *stdio, size_t nstdio,
 				char *other, size_t nother,
-				const char **end, int * f)
+				const char **end, int *f, mode_t *mode)
 {
     int flags = 0;
     char c;
 
+    if (mode)
+    *mode = 0666;
+
     switch (*m) {
     case 'a':
 	flags |= O_WRONLY | O_CREAT | O_APPEND;
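Review bot: The added `if (mode)` in cvtfmode has its body `*mode = 0666;` at the same indentation as the `if`, so it reads like an unconditional store through a possibly NULL pointer. Indent or brace it the way the `case 'U'` hunk does, e.g. `if (mode) { *mode = 0666; }`. The new header-comment line for 'U' should also state the caller's obligation, since a file created with mode 0 is unusable until something sets its permissions; something like `'U' creates the file with mode 0 instead of 0666; the caller must set the final permissions` would do, assuming that is the intended contract. The function body continues outside the hunk.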
@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
 	    if (--nstdio > 0) *stdio++ = c;
 	    continue;
 	    break;
+	case 'U':
+	    if (mode)
+		*mode = 0;
+	    break;
 	default:
 	    if (--nother > 0) *other++ = c;
 	    continue;
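Review bot: The new `case 'U'` ends with a bare `break`, while the case above it and `default` both end with `continue`. If leaving the switch ends the flag scan, as that pattern and the "'.' terminates" line in the header comment suggest, then 'U' stops parsing at that point. Any flag characters after it would be dropped and `*end` would be derived from a different position, so a mode string such as "wU.ufdio" (constructed example) could resolve its I/O type differently from "w.ufdio". The loop tail is outside the hunk, so confirm this, and use `continue;` after the store if 'U' is meant to be an ordinary modifier.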
@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
     if (fd == NULL || fmode == NULL)
 	return NULL;
 
-    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
+    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
+        NULL);
     if (stdio[0] == '\0')
 	return NULL;
     zstdio[0] = '\0';
@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode)
 {
     char stdio[20], other[20];
     const char *end = NULL;
-    mode_t perms = 0666;
+    mode_t perms;
     int flags = 0;
     FD_t fd;
 
@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode)
 	return NULL;
 
     stdio[0] = '\0';
-    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
+    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
+        &perms);
     if (stdio[0] == '\0')
 	return NULL;
 
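Review bot: Nothing in this patch passes 'U' in an Fopen mode string, since the only lib/fsm.c change is the `left` initializer, so `perms` still comes out as 0666 for every call visible here and zero-permission creation is never requested. Unless another patch in the series changes the mode string at the call that writes package files, the temporary file stays accessible before its digest is checked, which is the condition the description sets out to remove. Separately, `mode_t perms;` in the previous Fopen hunk is now uninitialized and is correct only because cvtfmode stores to `*mode` before doing anything else. Keeping `mode_t perms = 0666;` would make Fopen robust against a future early return in cvtfmode. How `perms` reaches the open call is outside the hunk.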
-- 
1.8.4.5