Bug#697375: rpm: CVE-2012-6088

Salvatore Bonaccorso Sat, 05 Jan 2013 04:36:14 -0800

Hi Michal

On Fri, Jan 04, 2013 at 03:55:13PM +0100, Moritz Muehlenhoff wrote:
> Package: rpm
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> This was assigned CVE-2012-6088:
> http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=3d74c43e7424bc8bf95f5e031446ecb6b08381e8


I have checked, the patch seems to apply to both version in testing
and unstable as it is. Attached are the two debdiffs.

I have seen you are in the LowNMU and the package maintained in
collab-maint. I can do a NMU in case you have not the time to prepare
the upload.

Regards,
Salvatore

diff -Nru rpm-4.10.0/debian/changelog rpm-4.10.0/debian/changelog
--- rpm-4.10.0/debian/changelog 2012-08-15 09:05:37.000000000 +0200
+++ rpm-4.10.0/debian/changelog 2013-01-05 13:26:39.000000000 +0100
@@ -1,3 +1,13 @@
+rpm (4.10.0-5+deb7u1) testing-proposed-updates; urgency=low
+
+  * Non-maintainer upload.
+  * Add 0001-Ensure-correct-return-code-on-malformed-signature-in.patch
+    [SECURITY] CVE-2012-6088: Ensure correct return code on malformed
+    signature in packages. Patch cherry-picked from upstream git repository.
+    (Closes: #697375)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 05 Jan 2013 13:11:49 +0100
+
 rpm (4.10.0-5) unstable; urgency=low
 
   * Added patch from Fedora to support X-CheckUnifiedSystemdir 
diff -Nru 
rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
 
rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
--- 
rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
   2013-01-05 13:26:39.000000000 +0100
@@ -0,0 +1,50 @@
+From 3d74c43e7424bc8bf95f5e031446ecb6b08381e8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmati...@redhat.com>
+Date: Fri, 7 Dec 2012 13:54:23 +0200
+Subject: [PATCH] Ensure correct return code on malformed signature in
+ packages
+
+- rpmpkgRead() starts with assumed failure, but there are a number
+  of places assigning the return code, and by the time we get
+  to the parsePGPSig() calls its likely to be RPMRC_OK, so the
+  jumps to exit result in "all is well" return code on a signature
+  we couldn't even parse. Oops.
+- Set the failure status explicitly to fix this fairly nasty regression
+  introduced in commit e8bc3ff5d780f4ee6656c24464402723e5fb04f4, ie
+  rpm >= 4.10.
+(cherry picked from commit 96a616c6aed4c516789a154af188f005caf23f14)
+---
+ lib/package.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/package.c b/lib/package.c
+index 4eeddbf..907cf73 100644
+--- a/lib/package.c
++++ b/lib/package.c
+@@ -600,8 +600,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags 
vsflags,
+     switch (sigtag) {
+     case RPMSIGTAG_RSA:
+     case RPMSIGTAG_DSA:
+-      if (parsePGPSig(&sigtd, "package", fn, &sig))
++      if (parsePGPSig(&sigtd, "package", fn, &sig)) {
++          rc = RPMRC_FAIL;
+           goto exit;
++      }
+       /* fallthrough */
+     case RPMSIGTAG_SHA1:
+     { struct rpmtd_s utd;
+@@ -619,8 +621,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags 
vsflags,
+     case RPMSIGTAG_GPG:
+     case RPMSIGTAG_PGP5:      /* XXX legacy */
+     case RPMSIGTAG_PGP:
+-      if (parsePGPSig(&sigtd, "package", fn, &sig))
++      if (parsePGPSig(&sigtd, "package", fn, &sig)) {
++          rc = RPMRC_FAIL;
+           goto exit;
++      }
+       /* fallthrough */
+     case RPMSIGTAG_MD5:
+       /* Legacy signatures need the compressed payload in the digest too. */
+-- 
+1.7.10.4
+
diff -Nru rpm-4.10.0/debian/patches/series rpm-4.10.0/debian/patches/series
--- rpm-4.10.0/debian/patches/series    2012-08-15 09:05:37.000000000 +0200
+++ rpm-4.10.0/debian/patches/series    2013-01-05 13:26:39.000000000 +0100
@@ -10,3 +10,4 @@
 autogen-cleanup.patch
 lua-libname.patch
 rpm-4.9.1.2-rpmlib-filesystem-check.patch
+0001-Ensure-correct-return-code-on-malformed-signature-in.patch

diff -Nru rpm-4.10.1/debian/changelog rpm-4.10.1/debian/changelog
--- rpm-4.10.1/debian/changelog 2012-10-25 12:41:09.000000000 +0200
+++ rpm-4.10.1/debian/changelog 2013-01-05 13:16:19.000000000 +0100
@@ -1,3 +1,13 @@
+rpm (4.10.1-2.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Add 0001-Ensure-correct-return-code-on-malformed-signature-in.patch
+    [SECURITY] CVE-2012-6088: Ensure correct return code on malformed
+    signature in packages. Patch cherry-picked from upstream git repository.
+    (Closes: #697375)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 05 Jan 2013 13:06:25 +0100
+
 rpm (4.10.1-2) unstable; urgency=low
 
   * Do not overwrite installed manpages by (wrong) symlinks 
diff -Nru 
rpm-4.10.1/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
 
rpm-4.10.1/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
--- 
rpm-4.10.1/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
rpm-4.10.1/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
   2013-01-05 13:16:19.000000000 +0100
@@ -0,0 +1,50 @@
+From 3d74c43e7424bc8bf95f5e031446ecb6b08381e8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmati...@redhat.com>
+Date: Fri, 7 Dec 2012 13:54:23 +0200
+Subject: [PATCH] Ensure correct return code on malformed signature in
+ packages
+
+- rpmpkgRead() starts with assumed failure, but there are a number
+  of places assigning the return code, and by the time we get
+  to the parsePGPSig() calls its likely to be RPMRC_OK, so the
+  jumps to exit result in "all is well" return code on a signature
+  we couldn't even parse. Oops.
+- Set the failure status explicitly to fix this fairly nasty regression
+  introduced in commit e8bc3ff5d780f4ee6656c24464402723e5fb04f4, ie
+  rpm >= 4.10.
+(cherry picked from commit 96a616c6aed4c516789a154af188f005caf23f14)
+---
+ lib/package.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/package.c b/lib/package.c
+index 4eeddbf..907cf73 100644
+--- a/lib/package.c
++++ b/lib/package.c
+@@ -600,8 +600,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags 
vsflags,
+     switch (sigtag) {
+     case RPMSIGTAG_RSA:
+     case RPMSIGTAG_DSA:
+-      if (parsePGPSig(&sigtd, "package", fn, &sig))
++      if (parsePGPSig(&sigtd, "package", fn, &sig)) {
++          rc = RPMRC_FAIL;
+           goto exit;
++      }
+       /* fallthrough */
+     case RPMSIGTAG_SHA1:
+     { struct rpmtd_s utd;
+@@ -619,8 +621,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags 
vsflags,
+     case RPMSIGTAG_GPG:
+     case RPMSIGTAG_PGP5:      /* XXX legacy */
+     case RPMSIGTAG_PGP:
+-      if (parsePGPSig(&sigtd, "package", fn, &sig))
++      if (parsePGPSig(&sigtd, "package", fn, &sig)) {
++          rc = RPMRC_FAIL;
+           goto exit;
++      }
+       /* fallthrough */
+     case RPMSIGTAG_MD5:
+       /* Legacy signatures need the compressed payload in the digest too. */
+-- 
+1.7.10.4
+
diff -Nru rpm-4.10.1/debian/patches/series rpm-4.10.1/debian/patches/series
--- rpm-4.10.1/debian/patches/series    2012-10-25 12:41:09.000000000 +0200
+++ rpm-4.10.1/debian/patches/series    2013-01-05 13:16:19.000000000 +0100
@@ -10,3 +10,4 @@
 autogen-cleanup.patch
 lua-libname.patch
 rpm-4.9.1.2-rpmlib-filesystem-check.patch
+0001-Ensure-correct-return-code-on-malformed-signature-in.patch

signature.asc
Description: Digital signature

Bug#697375: rpm: CVE-2012-6088

Reply via email to