- adapt rpm.org fixes for CVE-2013-6435 and CVE-2014-8118

diff --git a/rpm-CVE-2013-6435.patch b/rpm-CVE-2013-6435.patch
new file mode 100644 (file)
index 0000000..d96fd44
--- /dev/null
+++ b/rpm-CVE-2013-6435.patch
@@ -0,0 +1,72 @@
+--- rpm-5.4.15/rpmio/iosm.c~   2014-06-11 19:58:04.000000000 +0200
++++ rpm-5.4.15/rpmio/iosm.c    2015-01-25 21:53:27.659197235 +0100
+@@ -2627,7 +2627,7 @@
+       iosm->rfd = NULL;
+       break;
+     case IOSM_WOPEN:
+-      iosm->wfd = Fopen(iosm->path, "w.fdio");
++      iosm->wfd = Fopen(iosm->path, "wU.fdio");
+       if (iosm->wfd == NULL || Ferror(iosm->wfd)) {
+           if (iosm->wfd != NULL)      (void) iosmNext(iosm, IOSM_WCLOSE);
+           iosm->wfd = NULL;
+--- rpm-5.4.15/rpmio/rpmio.c~  2014-08-05 00:47:16.000000000 +0200
++++ rpm-5.4.15/rpmio/rpmio.c   2015-01-25 21:50:59.409202466 +0100
+@@ -2638,16 +2638,20 @@
+  * - bzopen:  'q' sets verbosity to 0
+  * - bzopen:  'v' does verbosity++ (up to 4)
+  * - HACK:    '.' terminates, rest is type of I/O
++ * -            'U' sets *mode to zero (no permissions) instead of 0666
+  */
+ static inline void cvtfmode (const char *m,
+                               /*@out@*/ char *stdio, size_t nstdio,
+                               /*@out@*/ char *other, size_t nother,
+-                              /*@out@*/ const char **end, /*@out@*/ int * f)
++                              /*@out@*/ const char **end, /*@out@*/ int * f, mode_t *mode)
+       /*@modifies *stdio, *other, *end, *f @*/
+ {
+     int flags = 0;
+     char c;
+ 
++    if (mode)
++      *mode = 0666;
++
+     switch (*m) {
+     case 'a':
+       flags |= O_WRONLY | O_CREAT | O_APPEND;
+@@ -2661,6 +2665,9 @@
+       flags |= O_RDONLY;
+       if (--nstdio > 0) *stdio++ = *m;
+       break;
++    case 'U':
++      if (mode) *mode = 0;
++      break;
+     default:
+       *stdio = '\0';
+       return;
+@@ -2729,7 +2736,7 @@
+     if (fmode == NULL)
+       return NULL;
+ 
+-    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
++    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL, NULL);
+     if (stdio[0] == '\0')
+       return NULL;
+     zstdio[0] = '\0';
+@@ -2835,7 +2842,7 @@
+     const char * fmode = NULL;
+     char stdio[20], other[20];
+     const char *end = NULL;
+-    mode_t perms = 0666;
++    mode_t perms;
+     int flags = 0;
+     FD_t fd = NULL;
+ 
+@@ -2849,7 +2856,7 @@
+ fprintf(stderr, "==> Fopen(%s, %s)\n", path, fmode);
+ 
+     stdio[0] = '\0';
+-    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
++    cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags, &perms);
+     if (stdio[0] == '\0')
+       goto exit;
+ 

diff --git a/rpm-CVE-2014-8118.patch b/rpm-CVE-2014-8118.patch
new file mode 100644 (file)
index 0000000..dfd27f4
--- /dev/null
+++ b/rpm-CVE-2014-8118.patch
@@ -0,0 +1,11 @@
+--- rpm-5.4.15/rpmio/cpio.c.orig       2012-04-16 05:21:22.000000000 +0200
++++ rpm-5.4.15/rpmio/cpio.c    2015-01-25 15:50:23.017311712 +0100
+@@ -136,7 +136,7 @@
+     /*@=shiftimplementation@*/
+ 
+     GET_NUM_FIELD(hdr->namesize, nb);
+-    if (nb >= iosm->wrsize)
++    if (nb <= 0 || nb >= iosm->wrsize)
+       return IOSMERR_BAD_HEADER;
+ 
+     /* Read file name. */

diff --git a/rpm.spec b/rpm.spec
index 0f292e18b55e35ae8465860be2c4116c3d024cc5..7863ff8543916ddd54a68b116a90da8e6fb1a725 100644 (file)
--- a/rpm.spec
+++ b/rpm.spec
@@ -171,6 +171,8 @@ Patch81:    %{name}-perl-magic.patch
 Patch82:       %{name}-5.4.15-use-DSA-sig.patch
 Patch83:       %{name}-ignore-missing-macro-files.patch
 Patch84:       x32.patch
+Patch85:       rpm-CVE-2013-6435.patch
+Patch86:       rpm-CVE-2014-8118.patch
 
 # Patches imported from Mandriva
 
@@ -948,6 +950,8 @@ cd -
 %patch81 -p0
 %patch82 -p1
 %patch84 -p1
+%patch85 -p1
+%patch86 -p1
 
 %patch1000 -p1
 %patch1001 -p1