summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch')
-rw-r--r--meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch43
1 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
new file mode 100644
index 0000000000..bf1795ca49
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
@@ -0,0 +1,43 @@
+From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
+From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+Date: Wed, 10 Jun 2015 12:56:55 +0000
+Subject: [PATCH 1/2] rpm: CVE-2014-8118
+
+Upstream-Status: Backport
+
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=1168715
+
+Description:
+It was found that RPM could encounter an integer overflow,
+leading to a stack-based overflow, while parsing a crafted
+CPIO header in the payload section of an RPM file. This could
+allow an attacker to modify signed RPM files in such a way that
+they would execute code chosen by the attacker during package
+installation.
+
+Original Patch:
+https://bugzilla.redhat.com/attachment.cgi?id=962159
+
+Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+---
+ lib/cpio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/cpio.c b/lib/cpio.c
+index 382eeb6..74ddd9c 100644
+--- a/lib/cpio.c
++++ b/lib/cpio.c
+@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
+ st->st_rdev = makedev(major, minor);
+
+ GET_NUM_FIELD(hdr.namesize, nameSize);
++ if (nameSize <= 0 || nameSize > 4096) {
++ return CPIOERR_BAD_HEADER;
++ }
+
+ *path = xmalloc(nameSize + 1);
+ read = Fread(*path, nameSize, 1, cpio->fd);
+--
+1.8.4.5
+