rpm: remove two unused patch
They are already in the source: rpm-CVE-2013-6435.patch rpm-CVE-2014-8118.patch (From OE-Core rev: 8bed58160316c84bb4c4e866058f695c4402b95e) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Robert Yang
Richard Purdie
parent
3d56864fd3
commit
476eeeae0f
|
|
@ -1,110 +0,0 @@
|
|||
From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
|
||||
From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
|
||||
Date: Wed, 10 Jun 2015 14:36:56 +0000
|
||||
Subject: [PATCH 2/2] rpm: CVE-2013-6435
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2013-6435
|
||||
|
||||
Reference:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
|
||||
|
||||
Description:
|
||||
It was found that RPM wrote file contents to the target installation
|
||||
directory under a temporary name, and verified its cryptographic signature
|
||||
only after the temporary file has been written completely. Under certain
|
||||
conditions, the system interprets the unverified temporary file contents
|
||||
and extracts commands from it. This could allow an attacker to modify
|
||||
signed RPM files in such a way that they would execute code chosen
|
||||
by the attacker during package installation.
|
||||
|
||||
Original Patch:
|
||||
https://bugzilla.redhat.com/attachment.cgi?id=956207
|
||||
|
||||
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
|
||||
---
|
||||
lib/fsm.c | 2 +-
|
||||
rpmio/rpmio.c | 18 ++++++++++++++----
|
||||
2 files changed, 15 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/fsm.c b/lib/fsm.c
|
||||
index 1ee7e67..094eb1d 100644
|
||||
--- a/lib/fsm.c
|
||||
+++ b/lib/fsm.c
|
||||
@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
|
||||
{
|
||||
FD_t wfd = NULL;
|
||||
const struct stat * st = &fsm->sb;
|
||||
- rpm_loff_t left = st->st_size;
|
||||
+ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
|
||||
const unsigned char * fidigest = NULL;
|
||||
pgpHashAlgo digestalgo = 0;
|
||||
int rc = 0;
|
||||
diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
|
||||
index cd223e8..0b12e31 100644
|
||||
--- a/rpmio/rpmio.c
|
||||
+++ b/rpmio/rpmio.c
|
||||
@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
|
||||
* - bzopen: [1-9] is block size (modulo 100K)
|
||||
* - bzopen: 's' is smallmode
|
||||
* - HACK: '.' terminates, rest is type of I/O
|
||||
+ * - 'U' sets *mode to zero (no permissions) instead of 0666
|
||||
*/
|
||||
static void cvtfmode (const char *m,
|
||||
char *stdio, size_t nstdio,
|
||||
char *other, size_t nother,
|
||||
- const char **end, int * f)
|
||||
+ const char **end, int *f, mode_t *mode)
|
||||
{
|
||||
int flags = 0;
|
||||
char c;
|
||||
|
||||
+ if (mode)
|
||||
+ *mode = 0666;
|
||||
+
|
||||
switch (*m) {
|
||||
case 'a':
|
||||
flags |= O_WRONLY | O_CREAT | O_APPEND;
|
||||
@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
|
||||
if (--nstdio > 0) *stdio++ = c;
|
||||
continue;
|
||||
break;
|
||||
+ case 'U':
|
||||
+ if (mode)
|
||||
+ *mode = 0;
|
||||
+ break;
|
||||
default:
|
||||
if (--nother > 0) *other++ = c;
|
||||
continue;
|
||||
@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
|
||||
if (fd == NULL || fmode == NULL)
|
||||
return NULL;
|
||||
|
||||
- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
|
||||
+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
|
||||
+ NULL);
|
||||
if (stdio[0] == '\0')
|
||||
return NULL;
|
||||
zstdio[0] = '\0';
|
||||
@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode)
|
||||
{
|
||||
char stdio[20], other[20];
|
||||
const char *end = NULL;
|
||||
- mode_t perms = 0666;
|
||||
+ mode_t perms;
|
||||
int flags = 0;
|
||||
FD_t fd;
|
||||
|
||||
@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode)
|
||||
return NULL;
|
||||
|
||||
stdio[0] = '\0';
|
||||
- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
|
||||
+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
|
||||
+ &perms);
|
||||
if (stdio[0] == '\0')
|
||||
return NULL;
|
||||
|
||||
--
|
||||
1.8.4.5
|
||||
|
||||
|
|
@ -1,44 +0,0 @@
|
|||
From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
|
||||
From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
|
||||
Date: Wed, 10 Jun 2015 12:56:55 +0000
|
||||
Subject: [PATCH 1/2] rpm: CVE-2014-8118
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2014-8118
|
||||
|
||||
Reference:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1168715
|
||||
|
||||
Description:
|
||||
It was found that RPM could encounter an integer overflow,
|
||||
leading to a stack-based overflow, while parsing a crafted
|
||||
CPIO header in the payload section of an RPM file. This could
|
||||
allow an attacker to modify signed RPM files in such a way that
|
||||
they would execute code chosen by the attacker during package
|
||||
installation.
|
||||
|
||||
Original Patch:
|
||||
https://bugzilla.redhat.com/attachment.cgi?id=962159
|
||||
|
||||
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
|
||||
---
|
||||
lib/cpio.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/lib/cpio.c b/lib/cpio.c
|
||||
index 382eeb6..74ddd9c 100644
|
||||
--- a/lib/cpio.c
|
||||
+++ b/lib/cpio.c
|
||||
@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
|
||||
st->st_rdev = makedev(major, minor);
|
||||
|
||||
GET_NUM_FIELD(hdr.namesize, nameSize);
|
||||
+ if (nameSize <= 0 || nameSize > 4096) {
|
||||
+ return CPIOERR_BAD_HEADER;
|
||||
+ }
|
||||
|
||||
*path = xmalloc(nameSize + 1);
|
||||
read = Fread(*path, nameSize, 1, cpio->fd);
|
||||
--
|
||||
1.8.4.5
|
||||
|
||||
Loading…
Reference in New Issue