fix CVE-2021-20266
This commit is contained in:
guoxiaoqi
parent
8fe6479761
commit
7be6ff4a24
102
CVE-2021-20266.patch
Normal file
102
CVE-2021-20266.patch
Normal file
@ -0,0 +1,102 @@
|
||||
From 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef Mon Sep 17 00:00:00 2001
|
||||
From: Demi Marie Obenour <athena@invisiblethingslab.com>
|
||||
Date: Mon, 8 Feb 2021 16:05:01 -0500
|
||||
Subject: [PATCH] hdrblobInit() needs bounds checks too
|
||||
|
||||
Users can pass untrusted data to hdrblobInit() and it must be robust
|
||||
against this.
|
||||
---
|
||||
lib/header.c | 48 +++++++++++++++++++++++++++++++-----------------
|
||||
1 file changed, 31 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/lib/header.c b/lib/header.c
|
||||
index ea39e679f4..ebba9c2b09 100644
|
||||
--- a/lib/header.c
|
||||
+++ b/lib/header.c
|
||||
@@ -11,6 +11,7 @@
|
||||
#include "system.h"
|
||||
#include <netdb.h>
|
||||
#include <errno.h>
|
||||
+#include <inttypes.h>
|
||||
#include <rpm/rpmtypes.h>
|
||||
#include <rpm/rpmstring.h>
|
||||
#include "lib/header_internal.h"
|
||||
@@ -1912,6 +1913,25 @@ hdrblob hdrblobFree(hdrblob blob)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,
|
||||
+ char **emsg) {
|
||||
+ uint32_t il_max = HEADER_TAGS_MAX;
|
||||
+ uint32_t dl_max = HEADER_DATA_MAX;
|
||||
+ if (regionTag == RPMTAG_HEADERSIGNATURES) {
|
||||
+ il_max = 32;
|
||||
+ dl_max = 64 * 1024 * 1024;
|
||||
+ }
|
||||
+ if (hdrchkRange(il_max, il)) {
|
||||
+ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il);
|
||||
+ return RPMRC_FAIL;
|
||||
+ }
|
||||
+ if (hdrchkRange(dl_max, dl)) {
|
||||
+ rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl);
|
||||
+ return RPMRC_FAIL;
|
||||
+ }
|
||||
+ return RPMRC_OK;
|
||||
+}
|
||||
+
|
||||
rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)
|
||||
{
|
||||
int32_t block[4];
|
||||
@@ -1924,13 +1944,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
|
||||
size_t nb;
|
||||
rpmRC rc = RPMRC_FAIL; /* assume failure */
|
||||
int xx;
|
||||
- int32_t il_max = HEADER_TAGS_MAX;
|
||||
- int32_t dl_max = HEADER_DATA_MAX;
|
||||
-
|
||||
- if (regionTag == RPMTAG_HEADERSIGNATURES) {
|
||||
- il_max = 32;
|
||||
- dl_max = 64 * 1024 * 1024;
|
||||
- }
|
||||
|
||||
memset(block, 0, sizeof(block));
|
||||
if ((xx = Freadall(fd, bs, blen)) != blen) {
|
||||
@@ -1943,15 +1956,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
|
||||
goto exit;
|
||||
}
|
||||
il = ntohl(block[2]);
|
||||
- if (hdrchkRange(il_max, il)) {
|
||||
- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
|
||||
- goto exit;
|
||||
- }
|
||||
dl = ntohl(block[3]);
|
||||
- if (hdrchkRange(dl_max, dl)) {
|
||||
- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl);
|
||||
+ if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
|
||||
goto exit;
|
||||
- }
|
||||
|
||||
nb = (il * sizeof(struct entryInfo_s)) + dl;
|
||||
uc = sizeof(il) + sizeof(dl) + nb;
|
||||
@@ -1995,11 +2002,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
|
||||
struct hdrblob_s *blob, char **emsg)
|
||||
{
|
||||
rpmRC rc = RPMRC_FAIL;
|
||||
-
|
||||
memset(blob, 0, sizeof(*blob));
|
||||
+ if (uc && uc < 8) {
|
||||
+ rasprintf(emsg, _("hdr length: BAD"));
|
||||
+ goto exit;
|
||||
+ }
|
||||
+
|
||||
blob->ei = (int32_t *) uh; /* discards const */
|
||||
- blob->il = ntohl(blob->ei[0]);
|
||||
- blob->dl = ntohl(blob->ei[1]);
|
||||
+ blob->il = ntohl((uint32_t)(blob->ei[0]));
|
||||
+ blob->dl = ntohl((uint32_t)(blob->ei[1]));
|
||||
+ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)
|
||||
+ goto exit;
|
||||
+
|
||||
blob->pe = (entryInfo) &(blob->ei[2]);
|
||||
blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
|
||||
(blob->il * sizeof(*blob->pe)) + blob->dl;
|
||||
9
rpm.spec
9
rpm.spec
@ -1,6 +1,6 @@
|
||||
Name: rpm
|
||||
Version: 4.15.1
|
||||
Release: 23
|
||||
Release: 24
|
||||
Summary: RPM Package Manager
|
||||
License: GPLv2+
|
||||
URL: http://www.rpm.org/
|
||||
@ -50,6 +50,7 @@ Patch39: backport-Fix-logic-error-in-grabArgs.patch
|
||||
Patch40: backport-Use-libelf-for-determining-file-colors.patch
|
||||
Patch41: backport-CVE-2021-20271.patch
|
||||
Patch42: backport-optimize-signature-header-merge-a-bit.patch
|
||||
Patch43: CVE-2021-20266.patch
|
||||
|
||||
BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel
|
||||
BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
|
||||
@ -298,6 +299,12 @@ make check || (cat tests/rpmtests.log; exit 0)
|
||||
%{_mandir}/man1/gendiff.1*
|
||||
|
||||
%changelog
|
||||
* Wed Jun 2 2021 guoxiaoqi<guoxiaoqi2@huawei.com> - 4.15.1-23
|
||||
- Type:cve
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2021-20266
|
||||
|
||||
* Sat May 22 2021 liudabo<liudabo1@huawei.com> - 4.15.1-22
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user