diff --git a/backport-CVE-2021-20271.patch b/backport-CVE-2021-20271.patch new file mode 100644 index 0000000..18f73f5 --- /dev/null +++ b/backport-CVE-2021-20271.patch @@ -0,0 +1,169 @@ +From d6a86b5e69e46cc283b1e06c92343319beb42e21 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen +Date: Thu, 4 Mar 2021 13:21:19 +0200 +Subject: [PATCH] Be much more careful about copying data from the signature + header +Conflict:NA +Reference:https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21 + +Only look for known tags, and ensure correct type and size where known +before copying over. Bump the old arbitrary 16k count limit to 16M limit +though, it's not inconceivable that a package could have that many files. +While at it, ensure none of these tags exist in the main header, +which would confuse us greatly. +This is optimized for backporting ease, upstream can remove redundancies +and further improve checking later. +Reported and initial patches by Demi Marie Obenour. +Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ... +Fixes: CVE-2021-3421, CVE-2021-20271 +--- + lib/package.c | 112 +++++++++++++++++++++++++--------------------------------- + 1 file changed, 49 insertions(+), 63 deletions(-) + +diff --git a/lib/package.c b/lib/package.c +index db70d13..6f10bb9 100644 +--- a/lib/package.c ++++ b/lib/package.c +@@ -31,82 +31,67 @@ struct pkgdata_s { + rpmRC rc; + }; + ++struct taglate_s { ++ rpmTagVal stag; ++ rpmTagVal xtag; ++ rpm_count_t count; ++} const xlateTags[] = { ++ { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1 }, ++ { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0 }, ++ { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16 }, ++ { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0 }, ++ /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0 }, */ /* long obsolete, dont use */ ++ { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1 }, ++ { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0 }, ++ { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1 }, ++ { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1 }, ++ { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1 }, ++ { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0 }, ++ { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0 }, ++ { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1 }, ++ { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1 }, ++ { 0 } ++}; ++ + /** \ingroup header + * Translate and merge legacy signature tags into header. + * @param h header (dest) + * @param sigh signature header (src) ++ * @return failing tag number, 0 on success + */ + static +-void headerMergeLegacySigs(Header h, Header sigh) ++rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg) + { +- HeaderIterator hi; ++ const struct taglate_s *xl; + struct rpmtd_s td; +- +- hi = headerInitIterator(sigh); +- for (; headerNext(hi, &td); rpmtdFreeData(&td)) +- { +- switch (td.tag) { +- /* XXX Translate legacy signature tag values. */ +- case RPMSIGTAG_SIZE: +- td.tag = RPMTAG_SIGSIZE; +- break; +- case RPMSIGTAG_PGP: +- td.tag = RPMTAG_SIGPGP; +- break; +- case RPMSIGTAG_MD5: +- td.tag = RPMTAG_SIGMD5; +- break; +- case RPMSIGTAG_GPG: +- td.tag = RPMTAG_SIGGPG; +- break; +- case RPMSIGTAG_PGP5: +- td.tag = RPMTAG_SIGPGP5; +- break; +- case RPMSIGTAG_PAYLOADSIZE: +- td.tag = RPMTAG_ARCHIVESIZE; +- break; +- case RPMSIGTAG_FILESIGNATURES: +- td.tag = RPMTAG_FILESIGNATURES; +- break; +- case RPMSIGTAG_FILESIGNATURELENGTH: +- td.tag = RPMTAG_FILESIGNATURELENGTH; +- break; +- case RPMSIGTAG_SHA1: +- case RPMSIGTAG_SHA256: +- case RPMSIGTAG_DSA: +- case RPMSIGTAG_RSA: +- default: +- if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE)) +- continue; +- break; +- } +- if (!headerIsEntry(h, td.tag)) { +- switch (td.type) { +- case RPM_NULL_TYPE: +- continue; ++ rpmtdReset(&td); ++ for (xl = xlateTags; xl->stag; xl++) { ++ /* There mustn't be one in the main header */ ++ if (headerIsEntry(h, xl->xtag)) ++ if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) { ++ /* Translate legacy tags */ ++ if (xl->stag != xl->xtag) ++ td.tag = xl->xtag; ++ /* Ensure type and tag size match expectations */ ++ if (td.type != rpmTagGetTagType(td.tag)) + break; +- case RPM_CHAR_TYPE: +- case RPM_INT8_TYPE: +- case RPM_INT16_TYPE: +- case RPM_INT32_TYPE: +- case RPM_INT64_TYPE: +- if (td.count != 1) +- continue; ++ if (td.count < 1 || td.count > 16*1024*1024) + break; +- case RPM_STRING_TYPE: +- case RPM_STRING_ARRAY_TYPE: +- case RPM_BIN_TYPE: +- if (td.count >= 16*1024) +- continue; ++ if (xl->count && td.count != xl->count) + break; +- case RPM_I18NSTRING_TYPE: +- continue; ++ if (!headerPut(h, &td, HEADERPUT_DEFAULT)) + break; +- } +- (void) headerPut(h, &td, HEADERPUT_DEFAULT); ++ rpmtdFreeData(&td); + } + } +- headerFreeIterator(hi); ++ rpmtdFreeData(&td); ++ ++ if (xl->stag) { ++ rasprintf(msg, "invalid signature tag %s (%d)", ++ rpmTagGetName(xl->xtag), xl->xtag); ++ } ++ ++ return xl->stag; + } + + /** +@@ -369,7 +354,8 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp) + goto exit; + + /* Append (and remap) signature tags to the metadata. */ +- headerMergeLegacySigs(h, sigh); ++ if (headerMergeLegacySigs(h, sigh, &msg)) ++ goto exit; + applyRetrofits(h); + + /* Bump reference count for return. */ +-- +1.8.3.1 + diff --git a/rpm.spec b/rpm.spec index ed0d2e6..0d28563 100644 --- a/rpm.spec +++ b/rpm.spec @@ -1,6 +1,6 @@ Name: rpm Version: 4.15.1 -Release: 21 +Release: 22 Summary: RPM Package Manager License: GPLv2+ URL: http://www.rpm.org/ @@ -48,6 +48,7 @@ Patch37: backport-Fix-possible-read-beyond-buffer-in-rstrnlenhash.patch Patch38: backport-Make-fdSeek-return-0-on-success-1-on-error.patch Patch39: backport-Fix-logic-error-in-grabArgs.patch Patch40: backport-Use-libelf-for-determining-file-colors.patch +Patch41: backport-CVE-2021-20271.patch BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel @@ -296,6 +297,12 @@ make check || (cat tests/rpmtests.log; exit 0) %{_mandir}/man1/gendiff.1* %changelog +* Tue Apr 13 2021 liudabo - 4.15.1-22 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:Fix CVE-2021-20271 + * Mon Jan 11 2021 Liquor - 4.15.1-21 - Type:enhancement - ID:NA