From ${URL} :

Two flaws in RPM (actually one of them is in cpio, which is embedded into RPM) were found by Florian Weimer of Red Hat Product Security. Details as follows:

CVE-2013-6435: It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file had been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1039811

CVE-2014-8118: It was found that RPM could encounter an integer overflow, leading to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1168715

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
CVE-2014-8118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8118): Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow.

CVE-2013-6435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6435): Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.
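As an added illustration of the kind of check the CVE-2014-8118 descriptions above point at (this is example code written for this thread, not RPM's or cpio's own parser): a small reader for the cpio "newc" header that bounds the c_namesize field against a cap, the destination buffer and the bytes actually present before copying the name into a fixed-size buffer. NAME_CAP, the function names and the sample header are assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#define CPIO_NEWC_MAGIC "070701"
#define CPIO_HDR_LEN    110   /* 6-byte magic + 13 eight-char ASCII-hex fields */
#define NAME_CAP        4096  /* assumed upper bound for c_namesize, chosen for this example */

/* Decode one 8-character ASCII-hex field; -1 if any character is not hex. */
static int parse_hex8(const unsigned char *p, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        unsigned c = p[i], d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = (v << 4) | d;
    }
    *out = v;
    return 0;
}

/* Read the entry name from a newc header into the caller's fixed buffer. The copy
 * happens only after c_namesize is bounded against NAME_CAP, the buffer size and the
 * bytes actually present; an unbounded size field is what would drive a copy past a
 * fixed-size destination. Returns 0 on success, -1 on a bad header. */
int cpio_read_name(const unsigned char *buf, size_t len, char *name, size_t namecap,
                   uint32_t *filesize) {
    uint32_t namesize;
    if (len < CPIO_HDR_LEN || memcmp(buf, CPIO_NEWC_MAGIC, 6) != 0) return -1;
    if (parse_hex8(buf + 54, filesize) < 0) return -1;      /* c_filesize at offset 54 */
    if (parse_hex8(buf + 94, &namesize) < 0) return -1;     /* c_namesize at offset 94 */
    if (namesize == 0 || namesize > NAME_CAP || namesize > namecap) return -1;
    if (namesize > len - CPIO_HDR_LEN) return -1;            /* name not fully present */
    if (buf[CPIO_HDR_LEN + namesize - 1] != '\0') return -1; /* namesize counts the NUL */
    memcpy(name, buf + CPIO_HDR_LEN, namesize);
    return 0;
}

/* Constructed sample (not from any real package): entry "hello" with 11 content bytes;
 * the caller supplies the c_namesize field so bad values can be tried. Parses the first
 * `len` bytes and returns 0 on success, -1 if rejected, -2 if the fields came out wrong. */
int check_sample(const char *namesize_field, size_t len) {
    unsigned char buf[128];
    char name[NAME_CAP];
    uint32_t filesize = 0;
    memcpy(buf, "070701" "00000001" "000081a4" "00000000" "00000000" "00000001"
                "00000000" "0000000b" "00000000" "00000000" "00000000" "00000000", 94);
    memcpy(buf + 94, namesize_field, 8);
    memcpy(buf + 102, "00000000" "hello", 14);  /* c_check (zero for newc) + name; 116 bytes total */
    if (cpio_read_name(buf, len, name, sizeof name, &filesize) != 0) return -1;
    return (filesize == 11 && strcmp(name, "hello") == 0) ? 0 : -2;
}
```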
RepoMan scours the neighborhood...

  dependency.missingslot        10
   app-arch/rpm/rpm-4.11.0.1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.0.1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2-r1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2-r1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.12.0.1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.12.0.1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator

@maintainer(s), please fix the ebuilds and request stabilization of 4.12.0.1 when ready.
From rpm-4.13.0 changelog:

> commit f3168c06943f56422eddeabef906d71dc03a81d3
> Author: Panu Matilainen <pmatilai@redhat.com>
> Date:   Tue Oct 11 09:43:54 2016 +0300
>
>     Revised fix for CVE-2013-6435
>
>     In case of hardlinked files, we first create a zero-length file
>     to which all the links are created, the content comes in the last
>     link. When the links have been created with no permissions at all
>     (as per commit 7e26e2bd726f48836be289400c7d82cb8b067dc1), reopening
>     the final file for writing the actual content fails for non-root users.
>     Which breaks installation of hardlinked files for regular users,
>     including our testsuite.
>
>     Creating the files with write-only permissions solves the issue - we
>     *are* writing to these files after all so it only makes sense.
>     This doesn't stop root from reading the file but neither does zero
>     permissions so no change there. But if somebody reads a file with
>     write-only permissions and gets garbage, at least we get to tell
>     them "told you so".
>
>     (cherry picked from commit 6e7c6d1a18aa14fc7a980c43d980a26d82f785c4)
>
> and
>
> commit c5bfb3ce1affd4469e37f7242c9e1065dd3fc18b
> Author: Florian Festi <ffesti@redhat.com>
> Date:   Thu Jul 23 11:56:13 2015 +0200
>
>     Create files with 000 permissions to avoid leaking yet unchecked data
>
>     As we are calculating the check sum while writing we only know the file
>     content is correct after it being written completely. CVE-2013-6435
>
>     (cherry picked from commit 7e26e2bd726f48836be289400c7d82cb8b067dc1)

@Maintainer(s): Please bump to >=app-arch/rpm-4.13.0.
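As an added example of the ordering the quoted commit messages describe (example code written for this thread, not RPM's own implementation): the payload lands in a write-only (0200) temporary file, the digest is accumulated while the bytes are written, and the final permissions and name are applied only after the digest matches; a mismatch removes the temporary file so nothing unverified ever carries the target name. FNV-1a stands in for the real cryptographic digest, and the ".tmp" naming and the path under /tmp are assumptions.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* FNV-1a 64 stands in for the payload's cryptographic digest in this example. */
#define FNV_INIT 14695981039346656037ULL
static uint64_t fnv1a_update(uint64_t h, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}
/* Install `data` as `path`: bytes go to a write-only temp file next to the target, the
 * digest is accumulated as they are written, and the final mode and name are applied only
 * once it matches `expected`. Returns 0 on success, -1 on mismatch, -2 on an I/O error. */
int install_verified(const char *path, const unsigned char *data, size_t n,
                     uint64_t expected, mode_t final_mode) {
    char tmp[512];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) return -2;
    /* 0200: nobody but root can read the still-unverified content while it is written */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0200);
    if (fd < 0) return -2;
    uint64_t h = FNV_INIT;
    for (size_t off = 0; off < n; ) {
        size_t chunk = n - off < 4096 ? n - off : 4096;
        if (write(fd, data + off, chunk) != (ssize_t)chunk) { close(fd); unlink(tmp); return -2; }
        h = fnv1a_update(h, data + off, chunk);
        off += chunk;
    }
    if (h != expected) { close(fd); unlink(tmp); return -1; }   /* never becomes `path` */
    if (fchmod(fd, final_mode) != 0 || close(fd) != 0 || rename(tmp, path) != 0) { unlink(tmp); return -2; }
    return 0;
}
/* Constructed demo: install a good payload, then a tampered copy against the same expected
 * digest. Returns 0 when both behave as intended (a writable /tmp is assumed). */
int demo(void) {
    const char *path = "/tmp/install_verified_demo";
    const unsigned char good[] = "constructed sample payload\n";
    unsigned char bad[sizeof good];
    uint64_t expected = fnv1a_update(FNV_INIT, good, sizeof good - 1);
    struct stat st;
    memcpy(bad, good, sizeof good);
    bad[0] = 'C'; unlink(path);                      /* flip one byte; start from a clean slate */
    if (install_verified(path, good, sizeof good - 1, expected, 0644) != 0) return 1;
    if (stat(path, &st) != 0 || (st.st_mode & 0777) != 0644) return 2;
    if (install_verified(path, bad, sizeof good - 1, expected, 0644) != -1) return 3;
    if (access("/tmp/install_verified_demo.tmp", F_OK) == 0) return 4;  /* rejected temp removed */
    unlink(path);
    return 0;
}
```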
@Maintainers ping

Gentoo Security Padawan
ChrisADR
This really needs to get fixed. amavisd uses rpm2cpio when scanning mail. It's not inconceivable that a specially crafted attachment could be used to compromise a mail server running amavisd.
Updated rpm ebuilds are available in the junkdrawer overlay.
@maintainers ping

Please bump to app-arch/rpm-4.13.0.

Michael Boyle
Gentoo Security Padawan
alpha, amd64, arm, arm64, ia64, ppc, ppc64, x86: please test and mark stable =app-arch/rpm-4.14.1
amd64 stable
>>> Test phase: app-arch/rpm-4.14.1
 * Test::Harness Jobs=99
make -j99 test TEST_VERBOSE=0
make: *** No rule to make target 'test'.  Stop.
 * ERROR: app-arch/rpm-4.14.1::gentoo failed (test phase):
 *   emake failed
Hum, I'm sure I did run the 'test' phase on that package when writing this ebuild at some point. But I indeed get the same error, so something broke along the way. Oops, sorry, will fix soon.
I reverted amd64's stabilization. Looks like the package has serious test failures, see bug 657500.

Note: Tests in previous ebuilds were disabled/missing. I wouldn't block stabilization if tests wouldn't fail with

> Failed to initialize NSS library

message which looks like a major incompatibility with NSS/NSPR, see https://access.redhat.com/solutions/3134931.
Bug 657500 has been resolved, so here I go again: alpha, amd64, arm, arm64, ia64, ppc, ppc64, x86: please test and mark stable =app-arch/rpm-4.14.1
An automated check of this bug failed - repoman reported dependency errors (25 lines truncated):

> dependency.bad app-arch/rpm/rpm-4.14.1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['sys-apps/fakechroot']
> dependency.bad app-arch/rpm/rpm-4.14.1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['sys-apps/fakechroot']
> dependency.bad app-arch/rpm/rpm-4.14.1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome) ['sys-apps/fakechroot']
arm stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd451c7a597fbfae0f2d28700bff56a6f2ebfbb8

commit dd451c7a597fbfae0f2d28700bff56a6f2ebfbb8
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-12 09:52:16 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-12 09:52:16 +0000

    app-arch/rpm: stable 4.14.1 for ia64, bug #533740

    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Reluctantly stable on arm64 due to test failures, but this is for security + earlier versions didn't run tests afaik..
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2ae29edf013020d1c6a0723b2df26be7e3325b5

commit d2ae29edf013020d1c6a0723b2df26be7e3325b5
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:57:20 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:36:05 +0000

    app-arch/rpm: stable 4.14.1 for ppc, bug #533740

    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6996ff1607c9bbd1d80d10842265c3112f28c53

commit b6996ff1607c9bbd1d80d10842265c3112f28c53
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:25:41 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:35:01 +0000

    sys-apps/fakechroot: stable 2.17.2 for ppc, bug #533740

    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 sys-apps/fakechroot/fakechroot-2.17.2.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff31a79dafbd7f4e7c90143dd25b8f5345cc2580

commit ff31a79dafbd7f4e7c90143dd25b8f5345cc2580
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 20:02:01 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:21:07 +0000

    app-arch/rpm: stable 4.14.1 for ppc64, bug #533740

    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1f42efcfca6be4f5aaf8a2afb99dc3a5af45730

commit f1f42efcfca6be4f5aaf8a2afb99dc3a5af45730
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 19:46:33 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:20:18 +0000

    sys-apps/fakechroot: stable 2.17.2 for ppc64, bug #533740

    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 sys-apps/fakechroot/fakechroot-2.17.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
x86 stable
An automated check of this bug failed - the following atom is unknown:

sys-apps/fakechroot-2.17.2

Please verify the atom list.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fdbdc9113477c128db16a30b4f8f61cefd96d13

commit 4fdbdc9113477c128db16a30b4f8f61cefd96d13
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-10-18 11:43:55 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-10-18 11:43:55 +0000

    app-arch/rpm-4.14.1-r0: alpha stable

    Bug: http://bugs.gentoo.org/533740
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Stable on alpha.
This issue was resolved and addressed in GLSA 201811-22 at https://security.gentoo.org/glsa/201811-22 by GLSA coordinator Aaron Bauman (b-man).