Fix CVE-2021-20271
This commit is contained in:
yeah_wang
parent
9865ccaa67
commit
e881f626d5
169
backport-CVE-2021-20271.patch
Normal file
169
backport-CVE-2021-20271.patch
Normal file
@ -0,0 +1,169 @@
|
||||
From d6a86b5e69e46cc283b1e06c92343319beb42e21 Mon Sep 17 00:00:00 2001
|
||||
From: Panu Matilainen <pmatilai@redhat.com>
|
||||
Date: Thu, 4 Mar 2021 13:21:19 +0200
|
||||
Subject: [PATCH] Be much more careful about copying data from the signature
|
||||
header
|
||||
Conflict:NA
|
||||
Reference:https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21
|
||||
|
||||
Only look for known tags, and ensure correct type and size where known
|
||||
before copying over. Bump the old arbitrary 16k count limit to 16M limit
|
||||
though, it's not inconceivable that a package could have that many files.
|
||||
While at it, ensure none of these tags exist in the main header,
|
||||
which would confuse us greatly.
|
||||
This is optimized for backporting ease, upstream can remove redundancies
|
||||
and further improve checking later.
|
||||
Reported and initial patches by Demi Marie Obenour.
|
||||
Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ...
|
||||
Fixes: CVE-2021-3421, CVE-2021-20271
|
||||
---
|
||||
lib/package.c | 112 +++++++++++++++++++++++++---------------------------------
|
||||
1 file changed, 49 insertions(+), 63 deletions(-)
|
||||
|
||||
diff --git a/lib/package.c b/lib/package.c
|
||||
index db70d13..6f10bb9 100644
|
||||
--- a/lib/package.c
|
||||
+++ b/lib/package.c
|
||||
@@ -31,82 +31,67 @@ struct pkgdata_s {
|
||||
rpmRC rc;
|
||||
};
|
||||
|
||||
+struct taglate_s {
|
||||
+ rpmTagVal stag;
|
||||
+ rpmTagVal xtag;
|
||||
+ rpm_count_t count;
|
||||
+} const xlateTags[] = {
|
||||
+ { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1 },
|
||||
+ { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0 },
|
||||
+ { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16 },
|
||||
+ { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0 },
|
||||
+ /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0 }, */ /* long obsolete, dont use */
|
||||
+ { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1 },
|
||||
+ { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0 },
|
||||
+ { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1 },
|
||||
+ { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1 },
|
||||
+ { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1 },
|
||||
+ { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0 },
|
||||
+ { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0 },
|
||||
+ { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1 },
|
||||
+ { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1 },
|
||||
+ { 0 }
|
||||
+};
|
||||
+
|
||||
/** \ingroup header
|
||||
* Translate and merge legacy signature tags into header.
|
||||
* @param h header (dest)
|
||||
* @param sigh signature header (src)
|
||||
+ * @return failing tag number, 0 on success
|
||||
*/
|
||||
static
|
||||
-void headerMergeLegacySigs(Header h, Header sigh)
|
||||
+rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg)
|
||||
{
|
||||
- HeaderIterator hi;
|
||||
+ const struct taglate_s *xl;
|
||||
struct rpmtd_s td;
|
||||
-
|
||||
- hi = headerInitIterator(sigh);
|
||||
- for (; headerNext(hi, &td); rpmtdFreeData(&td))
|
||||
- {
|
||||
- switch (td.tag) {
|
||||
- /* XXX Translate legacy signature tag values. */
|
||||
- case RPMSIGTAG_SIZE:
|
||||
- td.tag = RPMTAG_SIGSIZE;
|
||||
- break;
|
||||
- case RPMSIGTAG_PGP:
|
||||
- td.tag = RPMTAG_SIGPGP;
|
||||
- break;
|
||||
- case RPMSIGTAG_MD5:
|
||||
- td.tag = RPMTAG_SIGMD5;
|
||||
- break;
|
||||
- case RPMSIGTAG_GPG:
|
||||
- td.tag = RPMTAG_SIGGPG;
|
||||
- break;
|
||||
- case RPMSIGTAG_PGP5:
|
||||
- td.tag = RPMTAG_SIGPGP5;
|
||||
- break;
|
||||
- case RPMSIGTAG_PAYLOADSIZE:
|
||||
- td.tag = RPMTAG_ARCHIVESIZE;
|
||||
- break;
|
||||
- case RPMSIGTAG_FILESIGNATURES:
|
||||
- td.tag = RPMTAG_FILESIGNATURES;
|
||||
- break;
|
||||
- case RPMSIGTAG_FILESIGNATURELENGTH:
|
||||
- td.tag = RPMTAG_FILESIGNATURELENGTH;
|
||||
- break;
|
||||
- case RPMSIGTAG_SHA1:
|
||||
- case RPMSIGTAG_SHA256:
|
||||
- case RPMSIGTAG_DSA:
|
||||
- case RPMSIGTAG_RSA:
|
||||
- default:
|
||||
- if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE))
|
||||
- continue;
|
||||
- break;
|
||||
- }
|
||||
- if (!headerIsEntry(h, td.tag)) {
|
||||
- switch (td.type) {
|
||||
- case RPM_NULL_TYPE:
|
||||
- continue;
|
||||
+ rpmtdReset(&td);
|
||||
+ for (xl = xlateTags; xl->stag; xl++) {
|
||||
+ /* There mustn't be one in the main header */
|
||||
+ if (headerIsEntry(h, xl->xtag))
|
||||
+ if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) {
|
||||
+ /* Translate legacy tags */
|
||||
+ if (xl->stag != xl->xtag)
|
||||
+ td.tag = xl->xtag;
|
||||
+ /* Ensure type and tag size match expectations */
|
||||
+ if (td.type != rpmTagGetTagType(td.tag))
|
||||
break;
|
||||
- case RPM_CHAR_TYPE:
|
||||
- case RPM_INT8_TYPE:
|
||||
- case RPM_INT16_TYPE:
|
||||
- case RPM_INT32_TYPE:
|
||||
- case RPM_INT64_TYPE:
|
||||
- if (td.count != 1)
|
||||
- continue;
|
||||
+ if (td.count < 1 || td.count > 16*1024*1024)
|
||||
break;
|
||||
- case RPM_STRING_TYPE:
|
||||
- case RPM_STRING_ARRAY_TYPE:
|
||||
- case RPM_BIN_TYPE:
|
||||
- if (td.count >= 16*1024)
|
||||
- continue;
|
||||
+ if (xl->count && td.count != xl->count)
|
||||
break;
|
||||
- case RPM_I18NSTRING_TYPE:
|
||||
- continue;
|
||||
+ if (!headerPut(h, &td, HEADERPUT_DEFAULT))
|
||||
break;
|
||||
- }
|
||||
- (void) headerPut(h, &td, HEADERPUT_DEFAULT);
|
||||
+ rpmtdFreeData(&td);
|
||||
}
|
||||
}
|
||||
- headerFreeIterator(hi);
|
||||
+ rpmtdFreeData(&td);
|
||||
+
|
||||
+ if (xl->stag) {
|
||||
+ rasprintf(msg, "invalid signature tag %s (%d)",
|
||||
+ rpmTagGetName(xl->xtag), xl->xtag);
|
||||
+ }
|
||||
+
|
||||
+ return xl->stag;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -369,7 +354,8 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp)
|
||||
goto exit;
|
||||
|
||||
/* Append (and remap) signature tags to the metadata. */
|
||||
- headerMergeLegacySigs(h, sigh);
|
||||
+ if (headerMergeLegacySigs(h, sigh, &msg))
|
||||
+ goto exit;
|
||||
applyRetrofits(h);
|
||||
|
||||
/* Bump reference count for return. */
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
9
rpm.spec
9
rpm.spec
@ -1,6 +1,6 @@
|
||||
Name: rpm
|
||||
Version: 4.15.1
|
||||
Release: 21
|
||||
Release: 22
|
||||
Summary: RPM Package Manager
|
||||
License: GPLv2+
|
||||
URL: http://www.rpm.org/
|
||||
@ -48,6 +48,7 @@ Patch37: backport-Fix-possible-read-beyond-buffer-in-rstrnlenhash.patch
|
||||
Patch38: backport-Make-fdSeek-return-0-on-success-1-on-error.patch
|
||||
Patch39: backport-Fix-logic-error-in-grabArgs.patch
|
||||
Patch40: backport-Use-libelf-for-determining-file-colors.patch
|
||||
Patch41: backport-CVE-2021-20271.patch
|
||||
|
||||
BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel
|
||||
BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
|
||||
@ -296,6 +297,12 @@ make check || (cat tests/rpmtests.log; exit 0)
|
||||
%{_mandir}/man1/gendiff.1*
|
||||
|
||||
%changelog
|
||||
* Tue Apr 13 2021 liudabo<liudabo1@huawei.com> - 4.15.1-22
|
||||
- Type:enhancement
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:Fix CVE-2021-20271
|
||||
|
||||
* Mon Jan 11 2021 Liquor <lirui130@huawei.com> - 4.15.1-21
|
||||
- Type:enhancement
|
||||
- ID:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user