Summary: | <app-arch/rpm-4.13.0: two vulnerabilities (CVE-2013-6435,CVE-2014-8118) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | dan, leio, maintainer-needed, sochotnicky, suse, tamiko |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2014/12/09/14 | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: |
app-arch/rpm-4.14.1
sys-apps/fakechroot-2.19 ppc ppc64
|
Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 638636 |
Description
Agostino Sarubbo
CVE-2014-8118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8118): Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow.

CVE-2013-6435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6435): Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.

RepoMan scours the neighborhood...
  dependency.missingslot 10
   app-arch/rpm/rpm-4.11.0.1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.0.1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2-r1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2-r1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.12.0.1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.12.0.1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator

@maintainer(s), please fix the ebuilds and request stabilization of 4.12.0.1 when ready.

From rpm-4.13.0 changelog:

> commit f3168c06943f56422eddeabef906d71dc03a81d3
> Author: Panu Matilainen <pmatilai@redhat.com>
> Date: Tue Oct 11 09:43:54 2016 +0300
>
> Revised fix for CVE-2013-6435
>
> In case of hardlinked files, we first create a zero-length file
> to which all the links are created, the content comes in the last
> link. When the links have been created with no permissions at all
> (as per commit 7e26e2bd726f48836be289400c7d82cb8b067dc1), reopening
> the final file for writing the actual content fails for non-root users.
> Which breaks installation of hardlinked files for regular users,
> including our testsuite.
>
> Creating the files with write-only permissions solves the issue - we
> *are* writing to these files after all so it only makes sense.
> This doesn't stop root from reading the file but neither does zero
> permissions so no change there. But if somebody reads a file with
> write-only permissions and gets garbage, at least we get to tell
> them "told you so".
>
> (cherry picked from commit 6e7c6d1a18aa14fc7a980c43d980a26d82f785c4)
>

and

> commit c5bfb3ce1affd4469e37f7242c9e1065dd3fc18b
> Author: Florian Festi <ffesti@redhat.com>
> Date: Thu Jul 23 11:56:13 2015 +0200
>
> Create files with 000 permissions to avoid leaking yet unchecked data
>
> As we are calculating the check sum while writing we only know the file
> content is correct after it being written completely.
> CVE-2013-6435
>
> (cherry picked from commit 7e26e2bd726f48836be289400c7d82cb8b067dc1)

@Maintainer(s): Please bump to >=app-arch/rpm-4.13.0.

@Maintainers ping

Gentoo Security Padawan
ChrisADR

This really needs to get fixed. amavisd uses rpm2cpio when scanning mail. It's not inconceivable that a specially crafted attachment could be used to compromise a mail server running amavisd. Updated rpm ebuilds are available in the junkdrawer overlay.

@maintainers ping

Please bump to app-arch/rpm-4.13.0.

Michael Boyle
Gentoo Security Padawan

alpha, amd64, arm, arm64, ia64, ppc, ppc64, x86: please test and mark stable =app-arch/rpm-4.14.1

amd64 stable

>>> Test phase: app-arch/rpm-4.14.1
* Test::Harness Jobs=99
make -j99 test TEST_VERBOSE=0
make: *** No rule to make target 'test'. Stop.
* ERROR: app-arch/rpm-4.14.1::gentoo failed (test phase):
* emake failed

Hum, I'm sure I did run the 'test' phase on that package when writing this ebuild at some point. But I indeed get the same error, so something broke along the way. Oops, sorry, will fix soon.

I reverted amd64's stabilization. Looks like the package has serious test failures, see bug 657500.

Note: Tests in previous ebuilds were disabled/missing. I wouldn't block stabilization if tests wouldn't fail with

> Failed to initialize NSS library

message which looks like a major incompatibility with NSS/NSPR, see https://access.redhat.com/solutions/3134931.

Bug 657500 has been resolved, so here I go again:

alpha, amd64, arm, arm64, ia64, ppc, ppc64, x86: please test and mark stable =app-arch/rpm-4.14.1

An automated check of this bug failed - repoman reported dependency errors (25 lines truncated):
> dependency.bad app-arch/rpm/rpm-4.14.1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['sys-apps/fakechroot']
> dependency.bad app-arch/rpm/rpm-4.14.1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['sys-apps/fakechroot']
> dependency.bad app-arch/rpm/rpm-4.14.1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome) ['sys-apps/fakechroot']

amd64 stable

arm stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd451c7a597fbfae0f2d28700bff56a6f2ebfbb8

commit dd451c7a597fbfae0f2d28700bff56a6f2ebfbb8
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-12 09:52:16 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-12 09:52:16 +0000

    app-arch/rpm: stable 4.14.1 for ia64, bug #533740

    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Reluctantly stable on arm64 due to test failures, but this is for security + earlier versions didn't run tests afaik..

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2ae29edf013020d1c6a0723b2df26be7e3325b5

commit d2ae29edf013020d1c6a0723b2df26be7e3325b5
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:57:20 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:36:05 +0000

    app-arch/rpm: stable 4.14.1 for ppc, bug #533740

    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6996ff1607c9bbd1d80d10842265c3112f28c53

commit b6996ff1607c9bbd1d80d10842265c3112f28c53
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:25:41 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:35:01 +0000

    sys-apps/fakechroot: stable 2.17.2 for ppc, bug #533740

    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 sys-apps/fakechroot/fakechroot-2.17.2.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff31a79dafbd7f4e7c90143dd25b8f5345cc2580

commit ff31a79dafbd7f4e7c90143dd25b8f5345cc2580
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 20:02:01 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:21:07 +0000

    app-arch/rpm: stable 4.14.1 for ppc64, bug #533740

    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1f42efcfca6be4f5aaf8a2afb99dc3a5af45730

commit f1f42efcfca6be4f5aaf8a2afb99dc3a5af45730
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 19:46:33 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:20:18 +0000

    sys-apps/fakechroot: stable 2.17.2 for ppc64, bug #533740

    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 sys-apps/fakechroot/fakechroot-2.17.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

x86 stable

An automated check of this bug failed - the following atom is unknown:

sys-apps/fakechroot-2.17.2

Please verify the atom list.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fdbdc9113477c128db16a30b4f8f61cefd96d13

commit 4fdbdc9113477c128db16a30b4f8f61cefd96d13
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-10-18 11:43:55 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-10-18 11:43:55 +0000

    app-arch/rpm-4.14.1-r0: alpha stable

    Bug: http://bugs.gentoo.org/533740
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Stable on alpha.

This issue was resolved and addressed in GLSA 201811-22 at https://security.gentoo.org/glsa/201811-22 by GLSA coordinator Aaron Bauman (b-man).
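
The two rpm commit messages quoted in this bug describe keeping a file unreadable while its content is still unchecked, with the checksum computed during the write. The C sketch below is an example added here to illustrate that pattern; it is not rpm's code. The helper `install_verified`, the FNV-1a stand-in digest and the `/tmp` path are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define FNV_INIT 14695981039346656037ULL
/* FNV-1a is a stand-in for the package digest (assumption, not rpm's). */
static uint64_t fnv1a(const unsigned char *p, size_t n, uint64_t h) {
    while (n--) { h ^= *p++; h *= 1099511628211ULL; }
    return h;
}

/* Hypothetical helper. Returns 0 when the file is verified and published,
 * -1 otherwise (the partial file is removed). */
int install_verified(const char *path, const unsigned char *data, size_t len,
                     uint64_t expected, mode_t final_mode) {
    uint64_t h = FNV_INIT;
    size_t off = 0;
    /* O_EXCL: never reuse a file someone else placed at this path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0200);
    if (fd < 0) return -1;
    /* Write-only for the owner while the content is still unverified. */
    if (fchmod(fd, 0200) != 0) goto fail;
    while (off < len) {
        size_t chunk = len - off > 4096 ? 4096 : len - off;
        ssize_t w = write(fd, data + off, chunk);
        if (w <= 0) goto fail;
        h = fnv1a(data + off, (size_t)w, h); /* digest while writing */
        off += (size_t)w;
    }
    if (h != expected) goto fail;               /* content is not trusted */
    if (fchmod(fd, final_mode) != 0) goto fail; /* publish only after check */
    return close(fd);
fail:
    close(fd);
    unlink(path);
    return -1;
}

int main(void) {
    const unsigned char d[] = "constructed sample payload";
    const char *path = "/tmp/rpm-perm-demo.bin"; /* constructed path */
    unlink(path);
    int rc = install_verified(path, d, sizeof d - 1,
                              fnv1a(d, sizeof d - 1, FNV_INIT), 0644);
    printf("verified install: %d\n", rc);
    return rc ? 1 : 0;
}
```

As the revised commit message notes, neither 000 nor write-only permissions stop root from reading the file; the mode only narrows who can consume data that has not been checked yet.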