gnu: rpm: Fix CVE-2014-8118.
* gnu/packages/patches/rpm-CVE-2014-8118.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/package-management.scm (rpm): Use it.
This commit is contained in:
parent
41019e9f2a
commit
65da8dd01e
@ -716,6 +716,7 @@ dist_patch_DATA = \
|
||||
%D%/packages/patches/ratpoison-shell.patch \
|
||||
%D%/packages/patches/readline-link-ncurses.patch \
|
||||
%D%/packages/patches/ripperx-missing-file.patch \
|
||||
%D%/packages/patches/rpm-CVE-2014-8118.patch \
|
||||
%D%/packages/patches/rsem-makefile.patch \
|
||||
%D%/packages/patches/ruby-symlinkfix.patch \
|
||||
%D%/packages/patches/rush-CVE-2013-6889.patch \
|
||||
|
@ -334,7 +334,8 @@ symlinks to the files in a common directory such as /usr/local.")
|
||||
version ".tar.bz2"))
|
||||
(sha256
|
||||
(base32
|
||||
"0a82ym8phx7g0f3k6smvxnvzh7yv857l42xafk49689kzhld5pbp"))))
|
||||
"0a82ym8phx7g0f3k6smvxnvzh7yv857l42xafk49689kzhld5pbp"))
|
||||
(patches (search-patches "rpm-CVE-2014-8118.patch"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
'(#:configure-flags '("--with-external-db" ;use the system's bdb
|
||||
|
25
gnu/packages/patches/rpm-CVE-2014-8118.patch
Normal file
25
gnu/packages/patches/rpm-CVE-2014-8118.patch
Normal file
@ -0,0 +1,25 @@
|
||||
Fix CVE-2014-8118 (integer overflow allowing arbitrary remote code
|
||||
execution via crafted CPIO header).
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8118
|
||||
|
||||
Source:
|
||||
https://bugzilla.redhat.com/attachment.cgi?id=962159&action=diff
|
||||
|
||||
Adopted by Debian:
|
||||
http://anonscm.debian.org/cgit/collab-maint/rpm.git/plain/debian/patches/CVE-2014-8118.patch
|
||||
|
||||
diff --git a/lib/cpio.c b/lib/cpio.c
|
||||
index 253ff0f..600633a 100644
|
||||
--- a/lib/cpio.c
|
||||
+++ b/lib/cpio.c
|
||||
@@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, int * fx)
|
||||
|
||||
GET_NUM_FIELD(hdr.filesize, fsize);
|
||||
GET_NUM_FIELD(hdr.namesize, nameSize);
|
||||
+ if (nameSize <= 0 || nameSize > 4096) {
|
||||
+ return RPMERR_BAD_HEADER;
|
||||
+ }
|
||||
|
||||
char name[nameSize + 1];
|
||||
read = Fread(name, nameSize, 1, cpio->fd);
|
Loading…
Reference in New Issue
Block a user