Re: [OE-core] [meta][dunfell][PATCH] rpm: Add fix for CVE-2021-20266

Ranjitsinh Rathod Mon, 23 Aug 2021 21:54:30 -0700

Steve,

It is strange as I have not faced this issue during the local build.


I will update the patch and resend it.


Thanks,

Best Regards,

Ranjitsinh Rathod
Technical Leader |  | KPIT Technologies Ltd.
Cellphone: +91-84606 92403
__________________________________________
KPIT<http://www.kpit.com/> | Follow us on LinkedIn<http://www.kpit.com/linkedin>

[cid:6fb72eb3-447e-4bb8-bf95-b9d1a5a6f680]<https://www.kpit.com/TheNewBrand>

________________________________
From: Steve Sakoman <st...@sakoman.com>
Sent: Tuesday, August 24, 2021 1:24 AM
To: Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com>
Cc: Patches and discussions about the oe-core layer 
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [meta][dunfell][PATCH] rpm: Add fix for CVE-2021-20266

Caution: This email originated from outside of the KPIT. Do not click links or 
open attachments unless you recognize the sender and know the content is safe.

On Mon, Aug 23, 2021 at 8:12 AM Ranjitsinh Rathod
<ranjitsinh.rat...@kpit.com> wrote:
>
> Adding fix for CVE-2021-20266
> Upstream-Status: Backport 
> [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frpm-software-management%2Frpm%2Fpull%2F1587%2Fcommits%2F9646711891df851dfbf7ef54cc171574a0914b15&amp;data=04%7C01%7Cranjitsinh.rathod%40kpit.com%7C89d7c6b26cfb4e79602f08d9666feae7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637653453206357564%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=oF%2FII4zn%2BX2v6ES0%2BI14nBjIRErXpR3nsm18%2B9PWUas%3D&amp;reserved=0]
>
> Note: Hunk#2 and Hunk#3 refreshed to apply patch and match value of
> dl_max variable to make it with current version

Causes autobuilder failures:

https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ferrors.yoctoproject.org%2FErrors%2FDetails%2F602478%2F&amp;data=04%7C01%7Cranjitsinh.rathod%40kpit.com%7C89d7c6b26cfb4e79602f08d9666feae7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637653453206357564%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=QpiS8zQ%2FQ%2B2o6s1XrKsT2eRNm7k5GJGtLItDwnly1D4%3D&amp;reserved=0

Steve

>
> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com>
> ---
>  .../rpm/files/CVE-2021-20266.patch            | 108 ++++++++++++++++++
>  meta/recipes-devtools/rpm/rpm_4.14.2.1.bb     |   1 +
>  2 files changed, 109 insertions(+)
>  create mode 100644 meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
>
> diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch 
> b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
> new file mode 100644
> index 0000000000..d8b91d4f8e
> --- /dev/null
> +++ b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
> @@ -0,0 +1,108 @@
> +From 9646711891df851dfbf7ef54cc171574a0914b15 Mon Sep 17 00:00:00 2001
> +From: Demi Marie Obenour <ath...@invisiblethingslab.com>
> +Date: Mon, 8 Feb 2021 16:05:01 -0500
> +Subject: [PATCH] hdrblobInit() needs bounds checks too
> +
> +Users can pass untrusted data to hdrblobInit() and it must be robust
> +against this.
> +
> +Backported from commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef
> +
> +Upstream-Status: Backport 
> [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frpm-software-management%2Frpm%2Fpull%2F1587%2Fcommits%2F9646711891df851dfbf7ef54cc171574a0914b15&amp;data=04%7C01%7Cranjitsinh.rathod%40kpit.com%7C89d7c6b26cfb4e79602f08d9666feae7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637653453206367523%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=CPPv79htmIf%2FsDEV1JN8dZWCjME%2BBH4ns%2BOM2zEDEI0%3D&amp;reserved=0]
> +CVE: CVE-2021-20266
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com>
> +---
> + lib/header.c | 48 +++++++++++++++++++++++++++++++-----------------
> + 1 file changed, 31 insertions(+), 17 deletions(-)
> +
> +diff --git a/lib/header.c b/lib/header.c
> +index 6af48e61af..46ded5dd99 100644
> +--- a/lib/header.c
> ++++ b/lib/header.c
> +@@ -11,6 +11,7 @@
> + #include "system.h"
> + #include <netdb.h>
> + #include <errno.h>
> ++#include <inttypes.h>
> + #include <rpm/rpmtypes.h>
> + #include <rpm/rpmstring.h>
> + #include "lib/header_internal.h"
> +@@ -1910,6 +1911,25 @@ hdrblob hdrblobFree(hdrblob blob)
> +     return NULL;
> + }
> +
> ++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, 
> uint32_t dl,
> ++                                char **emsg) {
> ++    uint32_t il_max = HEADER_TAGS_MAX;
> ++    uint32_t dl_max = HEADER_DATA_MAX;
> ++    if (regionTag == RPMTAG_HEADERSIGNATURES) {
> ++      il_max = 32;
> ++      dl_max = 8192;
> ++    }
> ++    if (hdrchkRange(il_max, il)) {
> ++      rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of 
> range"), il);
> ++      return RPMRC_FAIL;
> ++    }
> ++    if (hdrchkRange(dl_max, dl)) {
> ++      rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of 
> range"), dl);
> ++      return RPMRC_FAIL;
> ++    }
> ++    return RPMRC_OK;
> ++}
> ++
> + rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, 
> hdrblob blob, char **emsg)
> + {
> +     int32_t block[4];
> +@@ -1922,13 +1942,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, 
> rpmTagVal regionTag, hdrbl
> +     size_t nb;
> +     rpmRC rc = RPMRC_FAIL;            /* assume failure */
> +     int xx;
> +-    int32_t il_max = HEADER_TAGS_MAX;
> +-    int32_t dl_max = HEADER_DATA_MAX;
> +-
> +-    if (regionTag == RPMTAG_HEADERSIGNATURES) {
> +-      il_max = 32;
> +-      dl_max = 8192;
> +-    }
> +
> +     memset(block, 0, sizeof(block));
> +     if ((xx = Freadall(fd, bs, blen)) != blen) {
> +@@ -1941,15 +1954,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, 
> rpmTagVal regionTag, hdrbl
> +       goto exit;
> +     }
> +     il = ntohl(block[2]);
> +-    if (hdrchkRange(il_max, il)) {
> +-      rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
> +-      goto exit;
> +-    }
> +     dl = ntohl(block[3]);
> +-    if (hdrchkRange(dl_max, dl)) {
> +-      rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), 
> dl);
> ++    if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
> +       goto exit;
> +-    }
> +
> +     nb = (il * sizeof(struct entryInfo_s)) + dl;
> +     uc = sizeof(il) + sizeof(dl) + nb;
> +@@ -1993,11 +2000,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
> +               struct hdrblob_s *blob, char **emsg)
> + {
> +     rpmRC rc = RPMRC_FAIL;
> +-
> +     memset(blob, 0, sizeof(*blob));
> ++    if (uc && uc < 8) {
> ++      rasprintf(emsg, _("hdr length: BAD"));
> ++      goto exit;
> ++    }
> ++
> +     blob->ei = (int32_t *) uh; /* discards const */
> +-    blob->il = ntohl(blob->ei[0]);
> +-    blob->dl = ntohl(blob->ei[1]);
> ++    blob->il = ntohl((uint32_t)(blob->ei[0]));
> ++    blob->dl = ntohl((uint32_t)(blob->ei[1]));
> ++    if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != 
> RPMRC_OK)
> ++      goto exit;
> ++
> +     blob->pe = (entryInfo) &(blob->ei[2]);
> +     blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
> +                 (blob->il * sizeof(*blob->pe)) + blob->dl;
> diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb 
> b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
> index 018b2f8700..c93654aa8f 100644
> --- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
> +++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
> @@ -45,6 +45,7 @@ SRC_URI = 
> "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
>             
> file://0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch \
>             file://0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch \
>             file://CVE-2021-3421.patch \
> +           file://CVE-2021-20266.patch \
>             "
>
>  PE = "1"
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and 
> is the property of the KPIT Technologies Ltd. It is intended only for the 
> person to whom it is addressed. If you are not the intended recipient, you 
> are not authorized to read, print, retain copy, disseminate, distribute, or 
> use this message or any part thereof. If you receive this message in error, 
> please notify the sender immediately and delete all copies of this message. 
> KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> 
>
This message contains information that may be privileged or confidential and is 
the property of the KPIT Technologies Ltd. It is intended only for the person 
to whom it is addressed. If you are not the intended recipient, you are not 
authorized to read, print, retain copy, disseminate, distribute, or use this 
message or any part thereof. If you receive this message in error, please 
notify the sender immediately and delete all copies of this message. KPIT 
Technologies Ltd. does not accept any liability for virus infected mails.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#155203): 
https://lists.openembedded.org/g/openembedded-core/message/155203
Mute This Topic: https://lists.openembedded.org/mt/85092279/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [meta][dunfell][PATCH] rpm: Add fix for CVE-2021-20266

Reply via email to