From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
From: Leonardo Sandoval
Date: Wed, 10 Jun 2015 14:36:56 +0000
Subject: [PATCH 2/2] rpm: CVE-2013-6435

Upstream-Status: Backport
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
Description: It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.
Original Patch: https://bugzilla.redhat.com/attachment.cgi?id=956207
Signed-off-by: Leonardo Sandoval
---
 lib/fsm.c | 2 +-
 rpmio/rpmio.c | 18 ++++++++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/lib/fsm.c b/lib/fsm.c
index 1ee7e67..094eb1d 100644
--- a/lib/fsm.c
+++ b/lib/fsm.c
@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
 {
 FD_t wfd = NULL;
 const struct stat * st = &fsm->sb;
- rpm_loff_t left = st->st_size;
+ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
 const unsigned char * fidigest = NULL;
 pgpHashAlgo digestalgo = 0;
 int rc = 0;
diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
index cd223e8..0b12e31 100644
--- a/rpmio/rpmio.c
+++ b/rpmio/rpmio.c
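Review bot: The new initializer on the `rpm_loff_t left` line takes the byte count from the package's file index instead of the archive entry's `st_size`, but nothing on the line says why, and that reason is the whole fix; add `/* Bound the write by the size recorded in the package header, not by the archive entry's st_size (CVE-2013-6435) */` above it. The rest of expandRegular is outside the hunk, so it is not visible whether the loop that consumes `left` treats a mismatch between this header-derived size and what the archive actually delivers (a short read, or trailing payload bytes left unread) as an error rather than silently writing fewer bytes or desynchronising the archive stream — presumably handled further down, but worth confirming. Whether the header has already been signature-checked by the time this runs is likewise not shown here, so the comment should only state where the size comes from, not what the caller guarantees about it.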
@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
 * - bzopen: [1-9] is block size (modulo 100K)
 * - bzopen: 's' is smallmode
 * - HACK: '.' terminates, rest is type of I/O
+ * - 'U' sets *mode to zero (no permissions) instead of 0666
 */
 static void cvtfmode (const char *m,
 char *stdio, size_t nstdio,
 char *other, size_t nother,
- const char **end, int * f)
+ const char **end, int *f, mode_t *mode)
 {
 int flags = 0;
 char c;
 
+ if (mode)
+ *mode = 0666;
+
 switch (*m) {
 case 'a':
 flags |= O_WRONLY | O_CREAT | O_APPEND;
@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
 if (--nstdio > 0) *stdio++ = c;
 continue;
 break;
+ case 'U':
+ if (mode)
+ *mode = 0;
+ break;
 default:
 if (--nother > 0) *other++ = c;
 continue;
@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
 if (fd == NULL || fmode == NULL)
 return NULL;
 
- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
+ NULL);
 if (stdio[0] == '\0')
 return NULL;
 zstdio[0] = '\0';
@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode)
 {
 char stdio[20], other[20];
 const char *end = NULL;
- mode_t perms = 0666;
+ mode_t perms;
 int flags = 0;
 FD_t fd;
 
@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode)
 return NULL;
 stdio[0] = '\0';
 
- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
+ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
+ &perms);
 if (stdio[0] == '\0')
 return NULL;
 
--
1.8.4.5
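Review bot: The new `mode_t *mode` out-parameter of cvtfmode is documented only through the 'U' bullet; the contract callers now depend on — `*mode` is stored as `0666` before any character of `m` is examined, and only 'U' changes it — belongs in the header comment, e.g. ` * - mode: if non-NULL, receives the creation mode for open(): 0666, or 0 when 'U' is given`. That unconditional store at the top of the function is also what lets the Fopen hunk further down drop the initializer from `mode_t perms;`; if anyone later adds an early return above `if (mode) *mode = 0666;`, Fopen would presumably hand an indeterminate mode to open(), so keeping `mode_t perms = 0666;` in Fopen is cheap insurance. The body of cvtfmode continues beyond this hunk.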
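Review bot: The added `case 'U':` in the second hunk ends with `break;`, whereas the sibling case visible just above it and the `default:` branch both end with `continue;`. The header comment names `'.'` as the terminator ("HACK: '.' terminates, rest is type of I/O"), and in that pattern a case that leaves the switch without `continue` ends the scan, so 'U' would stop mode parsing at the character after it and hand the remainder — including a following '.' — to the caller through `*end`. The loop around the switch is outside the hunk, so this is inferred from the siblings rather than seen; if 'U' is meant to be a modifier like the other flag characters, the case should read `case 'U': if (mode) *mode = 0; continue; break;`, and if it is instead required to be the last character before '.', the header comment should say so.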