!14 Fix CVE-2020-14352

From: @fly_fzc Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2021-01-25 19:43:54 +08:00 · 2021-01-25 19:43:54 +08:00 · 2343e7ae49
commit 2343e7ae49
parent 20cb6faa48 715dc11068
2 changed files with 57 additions and 1 deletions
--- a/backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch
+++ b/backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch
@ -0,0 +1,50 @@
+From 7daea2a2429a54dad68b1de9b37a5f65c5cf2600 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Wed, 12 Aug 2020 08:35:28 +0200
+Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639)
+
+= changelog =
+msg: Validate path read from repomd.xml
+type: security
+---
+ librepo/yum.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/librepo/yum.c b/librepo/yum.c
+index 3059188..529257b 100644
+--- a/librepo/yum.c
+++ b/librepo/yum.c
+@@ -23,6 +23,7 @@
+ #define  BITS_IN_BYTE 8
+ 
+ #include <stdio.h>
+#include <libgen.h>
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <errno.h>
+@@ -770,6 +771,22 @@ prepare_repo_download_targets(LrHandle *handle,
+             continue;
+ 
+         char *location_href = record->location_href;
+
+        char *dest_dir = realpath(handle->destdir, NULL);
+        path = lr_pathconcat(handle->destdir, record->location_href, NULL);
+        char *requested_dir = realpath(dirname(path), NULL);
+        lr_free(path);
+        if (!g_str_has_prefix(requested_dir, dest_dir)) {
+            g_debug("%s: Invalid path: %s", __func__, location_href);
+            g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href);
+            g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free);
+            free(requested_dir);
+            free(dest_dir);
+            return FALSE;
+        }
+        free(requested_dir);
+        free(dest_dir);
+
+         gboolean is_zchunk = FALSE;
+         #ifdef WITH_ZCHUNK
+         if (handle->cachedir && record->header_checksum)
+-- 
+1.8.3.1
+
--- a/librepo.spec
+++ b/librepo.spec
@ -6,11 +6,14 @@

 Name:                    librepo
 Version:                 1.12.0
-Release:                 1
+Release:                 2
 Summary:                 Repodata downloading library                 
 License:                 LGPLv2+
 URL:                     https://github.com/rpm-software-management/librepo
 Source0:                 %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+
+Patch0:                  backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch
+
 BuildRequires:           cmake check-devel doxygen pkgconfig(glib-2.0) gcc
 BuildRequires:           libcurl-devel >= %{libcurl_version} pkgconfig(libxml-2.0)
 BuildRequires:           pkgconfig(openssl) gpgme-devel libattr-devel pkgconfig(libcrypto)
@ -77,6 +80,9 @@ popd
 %{python3_sitearch}/%{name}/

 %changelog
+* Mon Jan 25 2021 fuanan <fuanan3@huawei.com> - 1.12.0-2
+- fix CVE-2020-14352
+
 * Tue Apr 28 2020 zhouyihang <zhouyihang3@huawei.com> - 1.12.0-1
 - Type:requirement
 - ID:NA