blob: 985f150f0fe83b2e96a072f9abe6f822dc3184bc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Date: Wed, 10 Jun 2015 12:56:55 +0000
Subject: [PATCH 1/2] rpm: CVE-2014-8118
Upstream-Status: Backport
CVE: CVE-2014-8118
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1168715
Description:
It was found that RPM could encounter an integer overflow,
leading to a stack-based overflow, while parsing a crafted
CPIO header in the payload section of an RPM file. This could
allow an attacker to modify signed RPM files in such a way that
they would execute code chosen by the attacker during package
installation.
Original Patch:
https://bugzilla.redhat.com/attachment.cgi?id=962159
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
---
lib/cpio.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/cpio.c b/lib/cpio.c
index 382eeb6..74ddd9c 100644
--- a/lib/cpio.c
+++ b/lib/cpio.c
@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
st->st_rdev = makedev(major, minor);
GET_NUM_FIELD(hdr.namesize, nameSize);
+ if (nameSize <= 0 || nameSize > 4096) {
+ return CPIOERR_BAD_HEADER;
+ }
*path = xmalloc(nameSize + 1);
read = Fread(*path, nameSize, 1, cpio->fd);
--
1.8.4.5
|