Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 533740 (CVE-2013-6435, CVE-2014-8118) - <app-arch/rpm-4.13.0: two vulnerabilities (CVE-2013-6435,CVE-2014-8118)
Summary: <app-arch/rpm-4.13.0: two vulnerabilities (CVE-2013-6435,CVE-2014-8118)
Status: RESOLVED FIXED
Alias: CVE-2013-6435, CVE-2014-8118
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2017-7501
  Show dependency tree
 
Reported: 2014-12-28 09:24 UTC by Agostino Sarubbo
Modified: 2018-11-28 22:54 UTC (History)
6 users (show)

See Also:
Package list:
app-arch/rpm-4.14.1 sys-apps/fakechroot-2.19 ppc ppc64
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-28 09:24:58 UTC
From ${URL} :

Two flaws in RPM (actually one of them is in cpio, which is embedded 
into RPM) was found by Florian Weimer of Red Hat Product Security.
Details as follows:

CVE-2013-6435:
It was found that RPM wrote file contents to the target installation 
directory under a temporary name, and verified its cryptographic 
signature only after the temporary file has been written completely. 
Under certain conditions, the system interprets the unverified temporary 
file contents and extracts commands from it. This could allow an 
attacker to modify signed RPM files in such a way that they would 
execute code chosen by the attacker during package installation.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1039811

CVE-2014-8118:
It was found that RPM could encounter an integer overflow, leading to a 
stack-based overflow, while parsing a crafted CPIO header in the payload 
section of an RPM file.  This could allow an attacker to modify signed 
RPM files in such a way that they would execute code chosen by the 
attacker during package installation.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1168715



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 16:42:58 UTC
CVE-2014-8118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8118):
  Integer overflow in RPM 4.12 and earlier allows remote attackers to execute
  arbitrary code via a crafted CPIO header in the payload section of an RPM
  file, which triggers a stack-based buffer overflow.

CVE-2013-6435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6435):
  Race condition in RPM 4.11.1 and earlier allows remote attackers to execute
  arbitrary code via a crafted RPM file whose installation extracts the
  contents to temporary files before validating the signature, as demonstrated
  by installing a file in the /etc/cron.d directory.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-19 11:00:45 UTC
RepoMan scours the neighborhood...
  dependency.missingslot        10
   app-arch/rpm/rpm-4.11.0.1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.0.1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2-r1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.11.2-r1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.12.0.1.ebuild: RDEPEND: '>=sys-libs/db-4.5' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   app-arch/rpm/rpm-4.12.0.1.ebuild: RDEPEND: '>=dev-lang/lua-5.1.0[deprecated]' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator

@maintainer(s), please fix the ebuilds and request stabilization of 4.12.0.1 when ready.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-28 00:52:09 UTC
From rpm-4.13.0 changelog:

> commit f3168c06943f56422eddeabef906d71dc03a81d3
> Author: Panu Matilainen <pmatilai@redhat.com>
> Date:   Tue Oct 11 09:43:54 2016 +0300
> 
>     Revised fix for CVE-2013-6435
>     
>     In case of hardlinked files, we first create a zero-length file
>     to which all the links are created, the content comes in the last
>     link. When the links have been created with no permissions at all
>     (as per commit 7e26e2bd726f48836be289400c7d82cb8b067dc1), reopening
>     the final file for writing the actual content fails for non-root users.
>     Which breaks installation of hardlinked files for regular users,
>     including our testsuite.
>     
>     Creating the files with write-only permissions solves the issue - we
>     *are* writing to these files afterall so it only makes sense.
>     This doesn't stop root from reading the file but neither does zero
>     permissions so no change there. But if somebody reads a file with
>     write-only permissions and gets garbage, at least we get to tell
>     them "told you so".
>     
>     (cherry picked from commit 6e7c6d1a18aa14fc7a980c43d980a26d82f785c4)
> 

and

> commit c5bfb3ce1affd4469e37f7242c9e1065dd3fc18b
> Author: Florian Festi <ffesti@redhat.com>
> Date:   Thu Jul 23 11:56:13 2015 +0200
> 
>     Create files with with 000 permissions to avoid leaking yet unchecked data
>     
>     As we are calculating the check sum while writing we only know the file
>     content is correct after it being written comletely. CVE-2013-6435
>     
>     (cherry picked from commit 7e26e2bd726f48836be289400c7d82cb8b067dc1)


@ Maintainer(s): Please bump to >=app-arch/rpm-4.13.0.
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-20 04:21:43 UTC
@Maintainers ping

Gentoo Security Padawan
ChrisADR
Comment 5 Daniel M. Weeks 2017-11-17 18:11:50 UTC
This really needs to get fixed. amavisd uses rpm2cpio when scanning mail. It's not inconceivable that a specially crafted attachment could be used to compromise a mail server running amavisd.
Comment 6 Daniel M. Weeks 2017-11-22 06:28:17 UTC
Updated rpm ebuilds are available in the junkdrawer overlay.
Comment 7 Michael Boyle 2018-05-20 13:56:21 UTC
@maintainers ping

Please bump to app-arch/rpm-4.13.0.

Michael Boyle
Gentoo Security Padawan
Comment 8 Virgil Dupras gentoo-dev 2018-06-06 02:33:43 UTC
alpha, amd64, arm, arm64, ia64, ppc, ppc64, x86: please test and mark stable
        =app-arch/rpm-4.14.1
Comment 9 Agostino Sarubbo gentoo-dev 2018-06-06 12:10:47 UTC
amd64 stable
Comment 10 Mart Raudsepp gentoo-dev 2018-06-06 14:01:00 UTC
>>> Test phase: app-arch/rpm-4.14.1
 * Test::Harness Jobs=99
make -j99 test TEST_VERBOSE=0 
make: *** No rule to make target 'test'.  Stop.
 * ERROR: app-arch/rpm-4.14.1::gentoo failed (test phase):
 *   emake failed
Comment 11 Virgil Dupras gentoo-dev 2018-06-06 21:10:17 UTC
Hum, I'm sure I did run the 'test' phase on that package when writing this ebuild at some point. But I indeed get the same error, so something broke along the way.

Oops, sorry, will fix soon.
Comment 12 Thomas Deutschmann gentoo-dev Security 2018-06-06 21:50:12 UTC
I reverted amd64's stabilization.

Looks like the package has serious test failures, see bug 657500.

Note: Tests in previous ebuilds were disabled/missing.

I wouldn't block stabilization if tests wouldn't fail with

> Failed to initialize NSS library

message which looks like a major incompatibility with NSS/NSPR, see https://access.redhat.com/solutions/3134931.
Comment 13 Virgil Dupras gentoo-dev 2018-06-08 00:06:58 UTC
Bug 657500 has been resolved, so here I go again:

alpha, amd64, arm, arm64, ia64, ppc, ppc64, x86: please test and mark stable
        =app-arch/rpm-4.14.1
Comment 14 Stabilization helper bot gentoo-dev 2018-06-08 01:00:50 UTC
An automated check of this bug failed - repoman reported dependency errors (25 lines truncated): 

> dependency.bad app-arch/rpm/rpm-4.14.1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['sys-apps/fakechroot']
> dependency.bad app-arch/rpm/rpm-4.14.1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop) ['sys-apps/fakechroot']
> dependency.bad app-arch/rpm/rpm-4.14.1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0/desktop/gnome) ['sys-apps/fakechroot']
Comment 15 Agostino Sarubbo gentoo-dev 2018-06-08 10:40:53 UTC
amd64 stable
Comment 16 Markus Meier gentoo-dev 2018-06-11 17:56:20 UTC
arm stable
Comment 17 Larry the Git Cow gentoo-dev 2018-06-12 09:52:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd451c7a597fbfae0f2d28700bff56a6f2ebfbb8

commit dd451c7a597fbfae0f2d28700bff56a6f2ebfbb8
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-12 09:52:16 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-12 09:52:16 +0000

    app-arch/rpm: stable 4.14.1 for ia64, bug #533740
    
    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 18 Mart Raudsepp gentoo-dev 2018-06-13 22:58:42 UTC
Reluctantly stable on arm64 due to test failures, but this is for security + earlier versions didn't run tests afaik..
Comment 19 Larry the Git Cow gentoo-dev 2018-06-24 19:40:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2ae29edf013020d1c6a0723b2df26be7e3325b5

commit d2ae29edf013020d1c6a0723b2df26be7e3325b5
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:57:20 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:36:05 +0000

    app-arch/rpm: stable 4.14.1 for ppc, bug #533740
    
    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6996ff1607c9bbd1d80d10842265c3112f28c53

commit b6996ff1607c9bbd1d80d10842265c3112f28c53
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:25:41 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:35:01 +0000

    sys-apps/fakechroot: stable 2.17.2 for ppc, bug #533740
    
    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 sys-apps/fakechroot/fakechroot-2.17.2.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Comment 20 Larry the Git Cow gentoo-dev 2018-06-24 20:25:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff31a79dafbd7f4e7c90143dd25b8f5345cc2580

commit ff31a79dafbd7f4e7c90143dd25b8f5345cc2580
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 20:02:01 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:21:07 +0000

    app-arch/rpm: stable 4.14.1 for ppc64, bug #533740
    
    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1f42efcfca6be4f5aaf8a2afb99dc3a5af45730

commit f1f42efcfca6be4f5aaf8a2afb99dc3a5af45730
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 19:46:33 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:20:18 +0000

    sys-apps/fakechroot: stable 2.17.2 for ppc64, bug #533740
    
    Bug: https://bugs.gentoo.org/533740
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 sys-apps/fakechroot/fakechroot-2.17.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 21 Thomas Deutschmann gentoo-dev Security 2018-07-09 01:30:44 UTC
x86 stable
Comment 22 Stabilization helper bot gentoo-dev 2018-10-14 13:00:24 UTC
An automated check of this bug failed - the following atom is unknown:

sys-apps/fakechroot-2.17.2

Please verify the atom list.
Comment 23 Larry the Git Cow gentoo-dev 2018-10-18 11:45:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fdbdc9113477c128db16a30b4f8f61cefd96d13

commit 4fdbdc9113477c128db16a30b4f8f61cefd96d13
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-10-18 11:43:55 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-10-18 11:43:55 +0000

    app-arch/rpm-4.14.1-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/533740
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 app-arch/rpm/rpm-4.14.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 24 Tobias Klausmann gentoo-dev 2018-10-18 11:45:32 UTC
Stable on alpha.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2018-11-28 22:54:30 UTC
This issue was resolved and addressed in
 GLSA 201811-22 at https://security.gentoo.org/glsa/201811-22
by GLSA coordinator Aaron Bauman (b-man).