* [V3][PATCH] rpm: fix CVE-2021-3521
From: changqing.li @ 2021-12-31 2:21 UTC (permalink / raw)
To: openembedded-core
From: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
.../rpm/files/0001-CVE-2021-3521.patch | 57 +++
.../rpm/files/0002-CVE-2021-3521.patch | 64 ++++
.../rpm/files/0003-CVE-2021-3521.patch | 329 ++++++++++++++++++
meta/recipes-devtools/rpm/rpm_4.17.0.bb | 3 +
4 files changed, 453 insertions(+)
create mode 100644 meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
create mode 100644 meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
create mode 100644 meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch
diff --git a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
new file mode 100644
index 0000000000..b374583017
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
@@ -0,0 +1,57 @@
+From 9a6871126f472feea057d5f803505ec8cc78f083 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:56:20 +0300
+Subject: [PATCH 1/3] Refactor pgpDigParams construction to helper function
+
+No functional changes, just to reduce code duplication and needed by
+the following commits.
+
+CVE: CVE-2021-3521
+Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/9f03f42e2]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ rpmio/rpmpgp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index d0688ebe9a..e472b5320f 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1041,6 +1041,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
+ return algo;
+ }
+
++static pgpDigParams pgpDigParamsNew(uint8_t tag)
++{
++ pgpDigParams digp = xcalloc(1, sizeof(*digp));
++ digp->tag = tag;
++ return digp;
++}
++
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ pgpDigParams * ret)
+ {
+@@ -1058,8 +1065,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ if (pkttype && pkt.tag != pkttype) {
+ break;
+ } else {
+- digp = xcalloc(1, sizeof(*digp));
+- digp->tag = pkt.tag;
++ digp = pgpDigParamsNew(pkt.tag);
+ }
+ }
+
+@@ -1105,8 +1111,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
+ digps = xrealloc(digps, alloced * sizeof(*digps));
+ }
+
+- digps[count] = xcalloc(1, sizeof(**digps));
+- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
++ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
+ /* Copy UID from main key to subkey */
+ digps[count]->userid = xstrdup(mainkey->userid);
+
+--
+2.17.1
+
diff --git a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
new file mode 100644
index 0000000000..b93a1d5404
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
@@ -0,0 +1,64 @@
+From c4b1bee51bbdd732b94b431a951481af99117703 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:51:10 +0300
+Subject: [PATCH 2/3] Process MPI's from all kinds of signatures
+
+No immediate effect but needed by the following commits.
+
+CVE: CVE-2021-3521
+Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/b5e8bc74b]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+---
+ rpmio/rpmpgp.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index 25f67048fd..509e777e6d 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -543,7 +543,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
+ return NULL;
+ }
+
+-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
++static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
+ const uint8_t *p, const uint8_t *h, size_t hlen,
+ pgpDigParams sigp)
+ {
+@@ -556,10 +556,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
+ int mpil = pgpMpiLen(p);
+ if (pend - p < mpil)
+ break;
+- if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
+- if (sigalg->setmpi(sigalg, i, p))
+- break;
+- }
++ if (sigalg->setmpi(sigalg, i, p))
++ break;
+ p += mpil;
+ }
+
+@@ -619,7 +617,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+ }
+
+ p = ((uint8_t *)v) + sizeof(*v);
+- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
++ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+ } break;
+ case 4:
+ { pgpPktSigV4 v = (pgpPktSigV4)h;
+@@ -677,8 +675,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+ p += 2;
+ if (p > hend)
+ return 1;
+-
+- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
++ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+ } break;
+ default:
+ rpmlog(RPMLOG_WARNING, _("Unsupported version of signature: V%d\n"), version);
+--
+2.17.1
+
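Review bot: In the nested rpmio/rpmpgp.c change to pgpPrtSigParams, dropping the `sigtype` guard means `sigalg->setmpi()` now runs for signature types other than PGPSIGTYPE_BINARY and PGPSIGTYPE_TEXT, so a bad MPI in, for example, a PGPSIGTYPE_SUBKEY_BINDING signature now takes the `break` path too, which is more than the "No immediate effect" in the description suggests. A comment above the loop would record the intent, for example `/* Parse MPIs for every signature type; self-signatures are verified from them as well */`. What follows the `break` lies outside the hunk, so it is worth confirming that the function still reports failure there for the newly covered types.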
diff --git a/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch
new file mode 100644
index 0000000000..a5ec802501
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch
@@ -0,0 +1,329 @@
+From 07676ca03ad8afcf1ca95a2353c83fbb1d970b9b Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:59:30 +0300
+Subject: [PATCH 3/3] Validate and require subkey binding signatures on PGP
+ public keys
+
+All subkeys must be followed by a binding signature by the primary key
+as per the OpenPGP RFC, enforce the presence and validity in the parser.
+
+The implementation is as kludgey as they come to work around our
+simple-minded parser structure without touching API, to maximise
+backportability. Store all the raw packets internally as we decode them
+to be able to access previous elements at will, needed to validate ordering
+and access the actual data. Add testcases for manipulated keys whose
+import previously would succeed.
+
+Depends on the two previous commits:
+7b399fcb8f52566e6f3b4327197a85facd08db91 and
+236b802a4aa48711823a191d1b7f753c82a89ec5
+
+Fixes CVE-2021-3521.
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9]
+CVE:CVE-2021-3521
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+---
+ rpmio/rpmpgp.c | 99 +++++++++++++++++--
+ tests/Makefile.am | 3 +
+ tests/data/keys/CVE-2021-3521-badbind.asc | 25 +++++
+ .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 +++++
+ tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 +++++++
+ tests/rpmsigdig.at | 28 ++++++
+ 6 files changed, 209 insertions(+), 8 deletions(-)
+ create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index 509e777e6d..371ad4d9b6 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1061,33 +1061,116 @@ static pgpDigParams pgpDigParamsNew(uint8_t tag)
+ return digp;
+ }
+
++static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
++{
++ int rc = -1;
++ if (pkt->tag == exptag) {
++ uint8_t head[] = {
++ 0x99,
++ (pkt->blen >> 8),
++ (pkt->blen ),
++ };
++
++ rpmDigestUpdate(hash, head, 3);
++ rpmDigestUpdate(hash, pkt->body, pkt->blen);
++ rc = 0;
++ }
++ return rc;
++}
++
++static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
++ const struct pgpPkt *all, int i)
++{
++ int rc = -1;
++ DIGEST_CTX hash = NULL;
++
++ switch (selfsig->sigtype) {
++ case PGPSIGTYPE_SUBKEY_BINDING:
++ hash = rpmDigestInit(selfsig->hash_algo, 0);
++ if (hash) {
++ rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
++ if (!rc)
++ rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
++ }
++ break;
++ default:
++ /* ignore types we can't handle */
++ rc = 0;
++ break;
++ }
++
++ if (hash && rc == 0)
++ rc = pgpVerifySignature(key, selfsig, hash);
++
++ rpmDigestFinal(hash, NULL, NULL, 0);
++
++ return rc;
++}
++
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ pgpDigParams * ret)
+ {
+ const uint8_t *p = pkts;
+ const uint8_t *pend = pkts + pktlen;
+ pgpDigParams digp = NULL;
+- struct pgpPkt pkt;
++ pgpDigParams selfsig = NULL;
++ int i = 0;
++ int alloced = 16; /* plenty for normal cases */
++ struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
+ int rc = -1; /* assume failure */
++ int expect = 0;
++ int prevtag = 0;
+
+ while (p < pend) {
+- if (decodePkt(p, (pend - p), &pkt))
++ struct pgpPkt *pkt = &all[i];
++ if (decodePkt(p, (pend - p), pkt))
+ break;
+
+ if (digp == NULL) {
+- if (pkttype && pkt.tag != pkttype) {
++ if (pkttype && pkt->tag != pkttype) {
+ break;
+ } else {
+- digp = pgpDigParamsNew(pkt.tag);
++ digp = pgpDigParamsNew(pkt->tag);
+ }
+ }
+
+- if (pgpPrtPkt(&pkt, digp))
++ if (expect) {
++ if (pkt->tag != expect)
++ break;
++ selfsig = pgpDigParamsNew(pkt->tag);
++ }
++ if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
+ break;
+
+- p += (pkt.body - pkt.head) + pkt.blen;
+- if (pkttype == PGPTAG_SIGNATURE)
+- break;
++ if (selfsig) {
++ /* subkeys must be followed by binding signature */
++ if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
++ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
++ break;
++ }
++
++ int xx = pgpVerifySelf(digp, selfsig, all, i);
++
++ selfsig = pgpDigParamsFree(selfsig);
++ if (xx)
++ break;
++ expect = 0;
++ }
++
++ if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
++ expect = PGPTAG_SIGNATURE;
++ prevtag = pkt->tag;
++
++ i++;
++ p += (pkt->body - pkt->head) + pkt->blen;
++ if (pkttype == PGPTAG_SIGNATURE)
++ break;
++
++ if (alloced <= i) {
++ alloced *= 2;
++ all = xrealloc(all, alloced * sizeof(*all));
++ }
++
+ }
+
+ rc = (digp && (p == pend)) ? 0 : -1;
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index a41ce10de8..7bb23247f1 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -107,6 +107,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
+ EXTRA_DIST += data/SPECS/hello-cd.spec
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
++EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
++EXTRA_DIST += data/keys/CVE-2022-3521-nosubsig.asc
++EXTRA_DIST += data/keys/CVE-2022-3521-nosubsig-last.asc
+ EXTRA_DIST += data/macros.testfile
+ EXTRA_DIST += data/macros.debug
+ EXTRA_DIST += data/SOURCES/foo.c
+diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
+new file mode 100644
+index 0000000000..aea00f9d7a
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-badbind.asc
+@@ -0,0 +1,25 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=WCfs
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+new file mode 100644
+index 0000000000..aea00f9d7a
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+@@ -0,0 +1,25 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++
++mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
++HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
++91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
++eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
++7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
++1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
++c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
++CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
++Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
++BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
++XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
++fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
+++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
++BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
++zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
++iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
++Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
++KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
++L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
++=WCfs
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+new file mode 100644
+index 0000000000..3a2e7417f8
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+@@ -0,0 +1,37 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=rRop
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
+index 8e7c759b8f..e2d30a7f1b 100644
+--- a/tests/rpmsigdig.at
++++ b/tests/rpmsigdig.at
+@@ -2,6 +2,34 @@
+
+ AT_BANNER([RPM signatures and digests])
+
++AT_SETUP([rpmkeys --import invalid keys])
++AT_KEYWORDS([rpmkeys import])
++RPMDB_INIT
++
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
++)
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
++)
++
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
++)
++AT_CLEANUP
++
+ # ------------------------------
+ # Test pre-built package verification
+ AT_SETUP([rpmkeys -Kv <unsigned> 1])
+--
+2.17.1
+
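Review bot: In the nested rpmio/rpmpgp.c hunk the closing check `rc = (digp && (p == pend)) ? 0 : -1;` is left unchanged, so as far as the hunk shows a key whose last packet is a subkey leaves the loop with `expect` still set and is accepted without a binding signature; the check should read `rc = (digp && (p == pend) && expect == 0) ? 0 : -1;`. The CVE-2021-3521-nosubsig-last.asc test key carries the same blob id (aea00f9d7a) as CVE-2021-3521-badbind.asc, which suggests the two files are identical and that this path is not tested on its own. The `all` array obtained from `xmalloc`/`xrealloc` is never released in the added lines, and `selfsig` is not freed on the two `break` paths taken after `pgpDigParamsNew(pkt->tag)`; the tail of pgpPrtParams is outside the hunk and unchanged, so it cannot free either, and a `free(all);` plus a `pgpDigParamsFree(selfsig);` after the loop are needed. In tests/Makefile.am two of the new EXTRA_DIST entries are spelled `CVE-2022-3521-…` while the files added are `data/keys/CVE-2021-3521-nosubsig.asc` and `data/keys/CVE-2021-3521-nosubsig-last.asc`.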
diff --git a/meta/recipes-devtools/rpm/rpm_4.17.0.bb b/meta/recipes-devtools/rpm/rpm_4.17.0.bb
index beb03ba3dd..11d720cf87 100644
--- a/meta/recipes-devtools/rpm/rpm_4.17.0.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.17.0.bb
@@ -39,6 +39,9 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protoc
file://0001-tools-Add-error.h-for-non-glibc-case.patch \
file://0001-docs-do-not-build-manpages-requires-pandoc.patch \
file://0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch \
+ file://0001-CVE-2021-3521.patch \
+ file://0002-CVE-2021-3521.patch \
+ file://0003-CVE-2021-3521.patch \
"
PE = "1"
--
2.17.1
* Re: [OE-core] [V3][PATCH] rpm: fix CVE-2021-3521
From: Richard Purdie @ 2021-12-31 15:38 UTC (permalink / raw)
To: Changqing Li, openembedded-core
On Fri, 2021-12-31 at 10:21 +0800, Changqing Li wrote:
> From: Changqing Li <changqing.li@windriver.com>
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
> .../rpm/files/0001-CVE-2021-3521.patch | 57 +++
> .../rpm/files/0002-CVE-2021-3521.patch | 64 ++++
> .../rpm/files/0003-CVE-2021-3521.patch | 329 ++++++++++++++++++
> meta/recipes-devtools/rpm/rpm_4.17.0.bb | 3 +
> 4 files changed, 453 insertions(+)
> create mode 100644 meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
> create mode 100644 meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
> create mode 100644 meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch
>
> diff --git a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
> new file mode 100644
> index 0000000000..b374583017
> --- /dev/null
> +++ b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
> @@ -0,0 +1,57 @@
> +From 9a6871126f472feea057d5f803505ec8cc78f083 Mon Sep 17 00:00:00 2001
> +From: Panu Matilainen <pmatilai@redhat.com>
> +Date: Thu, 30 Sep 2021 09:56:20 +0300
> +Subject: [PATCH 1/3] Refactor pgpDigParams construction to helper function
> +
> +No functional changes, just to reduce code duplication and needed by
> +the following commits.
> +
> +CVE: CVE-2021-3521
> +Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/9f03f42e2]
> +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + rpmio/rpmpgp.c | 13 +++++++++----
> + 1 file changed, 9 insertions(+), 4 deletions(-)
> +
> +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
> +index d0688ebe9a..e472b5320f 100644
> +--- a/rpmio/rpmpgp.c
> ++++ b/rpmio/rpmpgp.c
> +@@ -1041,6 +1041,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
> + return algo;
> + }
> +
> ++static pgpDigParams pgpDigParamsNew(uint8_t tag)
> ++{
> ++ pgpDigParams digp = xcalloc(1, sizeof(*digp));
> ++ digp->tag = tag;
> ++ return digp;
> ++}
> ++
> + int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
> + pgpDigParams * ret)
> + {
> +@@ -1058,8 +1065,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
> + if (pkttype && pkt.tag != pkttype) {
> + break;
> + } else {
> +- digp = xcalloc(1, sizeof(*digp));
> +- digp->tag = pkt.tag;
> ++ digp = pgpDigParamsNew(pkt.tag);
> + }
> + }
> +
> +@@ -1105,8 +1111,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
> + digps = xrealloc(digps, alloced * sizeof(*digps));
> + }
> +
> +- digps[count] = xcalloc(1, sizeof(**digps));
> +- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
> ++ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
> + /* Copy UID from main key to subkey */
> + digps[count]->userid = xstrdup(mainkey->userid);
> +
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
> new file mode 100644
> index 0000000000..b93a1d5404
> --- /dev/null
> +++ b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
> @@ -0,0 +1,64 @@
> +From c4b1bee51bbdd732b94b431a951481af99117703 Mon Sep 17 00:00:00 2001
> +From: Panu Matilainen <pmatilai@redhat.com>
> +Date: Thu, 30 Sep 2021 09:51:10 +0300
> +Subject: [PATCH 2/3] Process MPI's from all kinds of signatures
> +
> +No immediate effect but needed by the following commits.
> +
> +CVE: CVE-2021-3521
> +Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/b5e8bc74b]
> +
The new tests also trigger for the missing space above after Backport. It does
make me wonder why you don't see those test failures. I've tweaked the patches
in master-next to fix this.
Cheers,
Richard
* Re: [OE-core] [V3][PATCH] rpm: fix CVE-2021-3521
From: Changqing Li @ 2022-01-04 1:48 UTC (permalink / raw)
To: Richard Purdie, openembedded-core
On 12/31/21 11:38 PM, Richard Purdie wrote:
> [Please note: This e-mail is from an EXTERNAL e-mail address]
>
> On Fri, 2021-12-31 at 10:21 +0800, Changqing Li wrote:
>> From: Changqing Li <changqing.li@windriver.com>
>>
>> Signed-off-by: Changqing Li <changqing.li@windriver.com>
>> ---
>> .../rpm/files/0001-CVE-2021-3521.patch | 57 +++
>> .../rpm/files/0002-CVE-2021-3521.patch | 64 ++++
>> .../rpm/files/0003-CVE-2021-3521.patch | 329 ++++++++++++++++++
>> meta/recipes-devtools/rpm/rpm_4.17.0.bb | 3 +
>> 4 files changed, 453 insertions(+)
>> create mode 100644 meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
>> create mode 100644 meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
>> create mode 100644 meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch
>>
>> diff --git a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
>> new file mode 100644
>> index 0000000000..b374583017
>> --- /dev/null
>> +++ b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
>> @@ -0,0 +1,57 @@
>> +From 9a6871126f472feea057d5f803505ec8cc78f083 Mon Sep 17 00:00:00 2001
>> +From: Panu Matilainen <pmatilai@redhat.com>
>> +Date: Thu, 30 Sep 2021 09:56:20 +0300
>> +Subject: [PATCH 1/3] Refactor pgpDigParams construction to helper function
>> +
>> +No functional changes, just to reduce code duplication and needed by
>> +the following commits.
>> +
>> +CVE: CVE-2021-3521
>> +Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/9f03f42e2]
>> +
>> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
>> +---
>> + rpmio/rpmpgp.c | 13 +++++++++----
>> + 1 file changed, 9 insertions(+), 4 deletions(-)
>> +
>> +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
>> +index d0688ebe9a..e472b5320f 100644
>> +--- a/rpmio/rpmpgp.c
>> ++++ b/rpmio/rpmpgp.c
>> +@@ -1041,6 +1041,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
>> + return algo;
>> + }
>> +
>> ++static pgpDigParams pgpDigParamsNew(uint8_t tag)
>> ++{
>> ++ pgpDigParams digp = xcalloc(1, sizeof(*digp));
>> ++ digp->tag = tag;
>> ++ return digp;
>> ++}
>> ++
>> + int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
>> + pgpDigParams * ret)
>> + {
>> +@@ -1058,8 +1065,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
>> + if (pkttype && pkt.tag != pkttype) {
>> + break;
>> + } else {
>> +- digp = xcalloc(1, sizeof(*digp));
>> +- digp->tag = pkt.tag;
>> ++ digp = pgpDigParamsNew(pkt.tag);
>> + }
>> + }
>> +
>> +@@ -1105,8 +1111,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
>> + digps = xrealloc(digps, alloced * sizeof(*digps));
>> + }
>> +
>> +- digps[count] = xcalloc(1, sizeof(**digps));
>> +- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
>> ++ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
>> + /* Copy UID from main key to subkey */
>> + digps[count]->userid = xstrdup(mainkey->userid);
>> +
>> +--
>> +2.17.1
>> +
>> diff --git a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
>> new file mode 100644
>> index 0000000000..b93a1d5404
>> --- /dev/null
>> +++ b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
>> @@ -0,0 +1,64 @@
>> +From c4b1bee51bbdd732b94b431a951481af99117703 Mon Sep 17 00:00:00 2001
>> +From: Panu Matilainen <pmatilai@redhat.com>
>> +Date: Thu, 30 Sep 2021 09:51:10 +0300
>> +Subject: [PATCH 2/3] Process MPI's from all kinds of signatures
>> +
>> +No immediate effect but needed by the following commits.
>> +
>> +CVE: CVE-2021-3521
>> +Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/b5e8bc74b]
>> +
> The new tests also trigger for the missing space above after Backport. It does
> make me wonder why you don't see those test failures. I've tweaked the patches
> in master-next to fix this.
Thanks.
I don't receive mail about the failure, seems the patchwork is not working.
Regards
Changqing
> Cheers,
>
> Richard
>
* Re: [OE-core] [V3][PATCH] rpm: fix CVE-2021-3521
From: Richard Purdie @ 2022-01-04 9:31 UTC (permalink / raw)
To: Changqing Li, openembedded-core
On Tue, 2022-01-04 at 09:48 +0800, Changqing Li wrote:
> On 12/31/21 11:38 PM, Richard Purdie wrote:
> > [Please note: This e-mail is from an EXTERNAL e-mail address]
> >
> > On Fri, 2021-12-31 at 10:21 +0800, Changqing Li wrote:
> > > From: Changqing Li <changqing.li@windriver.com>
> > >
> > > Signed-off-by: Changqing Li <changqing.li@windriver.com>
> > > ---
> > > .../rpm/files/0001-CVE-2021-3521.patch | 57 +++
> > > .../rpm/files/0002-CVE-2021-3521.patch | 64 ++++
> > > .../rpm/files/0003-CVE-2021-3521.patch | 329 ++++++++++++++++++
> > > meta/recipes-devtools/rpm/rpm_4.17.0.bb | 3 +
> > > 4 files changed, 453 insertions(+)
> > > create mode 100644 meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
> > > create mode 100644 meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
> > > create mode 100644 meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch
> > >
> > > diff --git a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
> > > new file mode 100644
> > > index 0000000000..b374583017
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
> > > @@ -0,0 +1,57 @@
> > > +From 9a6871126f472feea057d5f803505ec8cc78f083 Mon Sep 17 00:00:00 2001
> > > +From: Panu Matilainen <pmatilai@redhat.com>
> > > +Date: Thu, 30 Sep 2021 09:56:20 +0300
> > > +Subject: [PATCH 1/3] Refactor pgpDigParams construction to helper function
> > > +
> > > +No functional changes, just to reduce code duplication and needed by
> > > +the following commits.
> > > +
> > > +CVE: CVE-2021-3521
> > > +Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/9f03f42e2]
> > > +
> > > +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> > > +---
> > > + rpmio/rpmpgp.c | 13 +++++++++----
> > > + 1 file changed, 9 insertions(+), 4 deletions(-)
> > > +
> > > +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
> > > +index d0688ebe9a..e472b5320f 100644
> > > +--- a/rpmio/rpmpgp.c
> > > ++++ b/rpmio/rpmpgp.c
> > > +@@ -1041,6 +1041,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
> > > + return algo;
> > > + }
> > > +
> > > ++static pgpDigParams pgpDigParamsNew(uint8_t tag)
> > > ++{
> > > ++ pgpDigParams digp = xcalloc(1, sizeof(*digp));
> > > ++ digp->tag = tag;
> > > ++ return digp;
> > > ++}
> > > ++
> > > + int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
> > > + pgpDigParams * ret)
> > > + {
> > > +@@ -1058,8 +1065,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
> > > + if (pkttype && pkt.tag != pkttype) {
> > > + break;
> > > + } else {
> > > +- digp = xcalloc(1, sizeof(*digp));
> > > +- digp->tag = pkt.tag;
> > > ++ digp = pgpDigParamsNew(pkt.tag);
> > > + }
> > > + }
> > > +
> > > +@@ -1105,8 +1111,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
> > > + digps = xrealloc(digps, alloced * sizeof(*digps));
> > > + }
> > > +
> > > +- digps[count] = xcalloc(1, sizeof(**digps));
> > > +- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
> > > ++ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
> > > + /* Copy UID from main key to subkey */
> > > + digps[count]->userid = xstrdup(mainkey->userid);
> > > +
> > > +--
> > > +2.17.1
> > > +
> > > diff --git a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
> > > new file mode 100644
> > > index 0000000000..b93a1d5404
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
> > > @@ -0,0 +1,64 @@
> > > +From c4b1bee51bbdd732b94b431a951481af99117703 Mon Sep 17 00:00:00 2001
> > > +From: Panu Matilainen <pmatilai@redhat.com>
> > > +Date: Thu, 30 Sep 2021 09:51:10 +0300
> > > +Subject: [PATCH 2/3] Process MPI's from all kinds of signatures
> > > +
> > > +No immediate effect but needed by the following commits.
> > > +
> > > +CVE: CVE-2021-3521
> > > +Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/b5e8bc74b]
> > > +
> > The new tests also trigger for the missing space above after Backport. It does
> > make me wonder why you don't see those test failures. I've tweaked the patches
> > in master-next to fix this.
> Thanks.
>
> I don't receive mail about the failure, seems the patchwork is not working.
You should have seen the error when you tried building/testing the patch
locally...
Cheers,
Richard