From: "Steve Sakoman" <steve@sakoman.com>
To: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Cc: Patches and discussions about the oe-core layer
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [meta][dunfell][PATCH] rpm: Add fix for CVE-2021-20266
Date: Mon, 23 Aug 2021 09:54:56 -1000 [thread overview]
Message-ID: <CAOSpxdZ4Lo1wj_iRu1WS8ngMMFaiNBUWchqXSucmMFgG750nnw@mail.gmail.com> (raw)
In-Reply-To: <20210823181226.3259-1-ranjitsinh.rathod@kpit.com>
On Mon, Aug 23, 2021 at 8:12 AM Ranjitsinh Rathod
<ranjitsinh.rathod@kpit.com> wrote:
>
> Adding fix for CVE-2021-20266
> Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/pull/1587/commits/9646711891df851dfbf7ef54cc171574a0914b15]
>
> Note: Hunk#2 and Hunk#3 refreshed to apply patch and match value of
> dl_max variable to make it with current version
Causes autobuilder failures:
https://errors.yoctoproject.org/Errors/Details/602478/
Steve
>
> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> ---
> .../rpm/files/CVE-2021-20266.patch | 108 ++++++++++++++++++
> meta/recipes-devtools/rpm/rpm_4.14.2.1.bb | 1 +
> 2 files changed, 109 insertions(+)
> create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
>
> diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
> new file mode 100644
> index 0000000000..d8b91d4f8e
> --- /dev/null
> +++ b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
> @@ -0,0 +1,108 @@
> +From 9646711891df851dfbf7ef54cc171574a0914b15 Mon Sep 17 00:00:00 2001
> +From: Demi Marie Obenour <athena@invisiblethingslab.com>
> +Date: Mon, 8 Feb 2021 16:05:01 -0500
> +Subject: [PATCH] hdrblobInit() needs bounds checks too
> +
> +Users can pass untrusted data to hdrblobInit() and it must be robust
> +against this.
> +
> +Backported from commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef
> +
> +Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/pull/1587/commits/9646711891df851dfbf7ef54cc171574a0914b15]
> +CVE: CVE-2021-20266
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +---
> + lib/header.c | 48 +++++++++++++++++++++++++++++++-----------------
> + 1 file changed, 31 insertions(+), 17 deletions(-)
> +
> +diff --git a/lib/header.c b/lib/header.c
> +index 6af48e61af..46ded5dd99 100644
> +--- a/lib/header.c
> ++++ b/lib/header.c
> +@@ -11,6 +11,7 @@
> + #include "system.h"
> + #include <netdb.h>
> + #include <errno.h>
> ++#include <inttypes.h>
> + #include <rpm/rpmtypes.h>
> + #include <rpm/rpmstring.h>
> + #include "lib/header_internal.h"
> +@@ -1910,6 +1911,25 @@ hdrblob hdrblobFree(hdrblob blob)
> + return NULL;
> + }
> +
> ++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,
> ++ char **emsg) {
> ++ uint32_t il_max = HEADER_TAGS_MAX;
> ++ uint32_t dl_max = HEADER_DATA_MAX;
> ++ if (regionTag == RPMTAG_HEADERSIGNATURES) {
> ++ il_max = 32;
> ++ dl_max = 8192;
> ++ }
> ++ if (hdrchkRange(il_max, il)) {
> ++ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il);
> ++ return RPMRC_FAIL;
> ++ }
> ++ if (hdrchkRange(dl_max, dl)) {
> ++ rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl);
> ++ return RPMRC_FAIL;
> ++ }
> ++ return RPMRC_OK;
> ++}
> ++
> + rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)
> + {
> + int32_t block[4];
> +@@ -1922,13 +1942,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
> + size_t nb;
> + rpmRC rc = RPMRC_FAIL; /* assume failure */
> + int xx;
> +- int32_t il_max = HEADER_TAGS_MAX;
> +- int32_t dl_max = HEADER_DATA_MAX;
> +-
> +- if (regionTag == RPMTAG_HEADERSIGNATURES) {
> +- il_max = 32;
> +- dl_max = 8192;
> +- }
> +
> + memset(block, 0, sizeof(block));
> + if ((xx = Freadall(fd, bs, blen)) != blen) {
> +@@ -1941,15 +1954,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
> + goto exit;
> + }
> + il = ntohl(block[2]);
> +- if (hdrchkRange(il_max, il)) {
> +- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
> +- goto exit;
> +- }
> + dl = ntohl(block[3]);
> +- if (hdrchkRange(dl_max, dl)) {
> +- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl);
> ++ if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
> + goto exit;
> +- }
> +
> + nb = (il * sizeof(struct entryInfo_s)) + dl;
> + uc = sizeof(il) + sizeof(dl) + nb;
> +@@ -1993,11 +2000,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
> + struct hdrblob_s *blob, char **emsg)
> + {
> + rpmRC rc = RPMRC_FAIL;
> +-
> + memset(blob, 0, sizeof(*blob));
> ++ if (uc && uc < 8) {
> ++ rasprintf(emsg, _("hdr length: BAD"));
> ++ goto exit;
> ++ }
> ++
> + blob->ei = (int32_t *) uh; /* discards const */
> +- blob->il = ntohl(blob->ei[0]);
> +- blob->dl = ntohl(blob->ei[1]);
> ++ blob->il = ntohl((uint32_t)(blob->ei[0]));
> ++ blob->dl = ntohl((uint32_t)(blob->ei[1]));
> ++ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)
> ++ goto exit;
> ++
> + blob->pe = (entryInfo) &(blob->ei[2]);
> + blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
> + (blob->il * sizeof(*blob->pe)) + blob->dl;
> diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
> index 018b2f8700..c93654aa8f 100644
> --- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
> +++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
> @@ -45,6 +45,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
> file://0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch \
> file://0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch \
> file://CVE-2021-3421.patch \
> + file://CVE-2021-20266.patch \
> "
>
> PE = "1"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
>
>
next prev parent reply other threads:[~2021-08-23 19:55 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-23 18:12 [meta][dunfell][PATCH] rpm: Add fix for CVE-2021-20266 Ranjitsinh Rathod
2021-08-23 19:54 ` Steve Sakoman [this message]
2021-08-24 4:54 ` [OE-core] " Ranjitsinh Rathod
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOSpxdZ4Lo1wj_iRu1WS8ngMMFaiNBUWchqXSucmMFgG750nnw@mail.gmail.com \
--to=steve@sakoman.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=ranjitsinh.rathod@kpit.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.