| Summary: | rpm new security issues CVE-2013-6435 and CVE-2014-8118 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | olchal, rverschelde, sysadmin-bugs, thierry.vignaud |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/625494/ | ||
| Whiteboard: | MGA4-32-OK MGA4-64-OK advisory | ||
| Source RPM: | rpm-4.12.0.1-13.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2014-12-09 19:02:15 CET

David Walser
2014-12-09 19:02:22 CET

Whiteboard: (none) => MGA4TOO

RedHat has issued an advisory for CVE-2013-6345 for RHEL5/RHEL6 today:
https://rhn.redhat.com/errata/RHSA-2014-1974.html

Actually I think only mga4 is affected, not mga5

Status: NEW => ASSIGNED

For the first one, the 2nd affects cauldron too

RedHat has issued an advisory for both CVEs for RHEL7 on December 9:
https://rhn.redhat.com/errata/RHSA-2014-1976.html

Here is the RHEL7 commit with both fixes:
https://git.centos.org/commit/rpms!rpm.git/b7b7cd856d8d286a343f22710009c81ca7b244dc

Both patches apply cleanly to the package in Mageia 4.

For Cauldron, the chmod patch (which I guess is the CVE-2013-6345 fix) won't apply as is, but looking at the expandRegular() code in lib/fsm.c, it appears the vulnerability is there and the patch could easily be rediffed for it. The patch in the RedHat bug in Comment 0 looks quite different, but also does not appear to have already been applied in Cauldron.

For the CVE-2014-8118 patch, it would also need to be rediffed, but it looks like it could be done easily too in the rpmcpioHeaderRead() code in lib/cpio.c.

Actually for CVE-2014-8118, the RedHat bug linked in Comment 0 already has done so for rpm 4.12.

David Walser
2014-12-10 19:07:40 CET

URL: (none) => http://lwn.net/Vulnerabilities/625494/

Ahh, I just noticed there are two patch attachments to the RedHat bug for CVE-2013-6435, and the second one is much shorter and closer to the RHEL7 chmod patch. The second part of the patch, where it adds the umask calls around the Fopen to write the file with 0000 permissions initially, is easy enough to add in the code in rpm 4.12. The first part of the patch doesn't appear to go anywhere (the change to the rpm_loff_t left variable initialization, which doesn't appear anywhere in 4.12). Hopefully there's nothing that needs to be done for that change.

I've checked it into Cauldron SVN with just the umask change. Thierry, does this appear to be correct? I've also added the RHEL7 patches in Mageia 4 SVN. This is good to go if it's OK with you Thierry.

I think so

Thanks Thierry! Patched packages uploaded for Mageia 4 and Cauldron.

RedHat did a nice write-up on these security issues:
https://securityblog.redhat.com/2014/12/10/analysis-of-the-cve-2013-6435-flaw-in-rpm/

Advisory:
========================

Updated rpm packages fix security vulnerabilities:

It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation (CVE-2013-6435).

It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation (CVE-2014-8118).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8118
https://securityblog.redhat.com/2014/12/10/analysis-of-the-cve-2013-6435-flaw-in-rpm/
https://rhn.redhat.com/errata/RHSA-2014-1976.html
========================

Updated packages in core/updates_testing:
========================
rpm-4.11.1-9.mga4
librpmbuild3-4.11.1-9.mga4
librpmsign3-4.11.1-9.mga4
librpm3-4.11.1-9.mga4
librpm-devel-4.11.1-9.mga4
rpm-build-4.11.1-9.mga4
rpm-sign-4.11.1-9.mga4
python-rpm-4.11.1-9.mga4

from rpm-4.11.1-9.mga4.src.rpm

CC: (none) => thierry.vignaud

Tested successfully on Mageia 4 i586. I installed this update and then installed some recent updates (12 packages) as well as a few from updates_testing (3 packages), and verified some of those packages with rpm -V, and everything was fine.

Whiteboard: (none) => MGA4-32-OK

Testing on Mageia4-64 real hardware, updated to testing packages:
- rpm-4.11.1-9.mga4.x86_64
- lib64rpm3-4.11.1-9.mga4.x86_64
- lib64rpmbuild3-4.11.1-9.mga4.x86_64
- lib64rpmsign3-4.11.1-9.mga4.x86_64
- python-rpm-4.11.1-9.mga4.x86_64

Installed new packages via rpm (sometimes using options), uninstalled packages, used some query and verify options. All nice.

CC: (none) => olchal

Advisory uploaded, validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0529.html

Status: ASSIGNED => RESOLVED
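The advisory above describes CVE-2013-6435 as a window between writing a file's bytes under a temporary name and verifying them, and the discussion settles on the umask change that makes the temporary file mode 0000 until verification. The C program below is an added illustration of that write-then-verify pattern; it is not rpm's code and not the patch from the Red Hat bug. It assumes a FNV-1a hash standing in for the real per-file digest or signature check, a constructed shell-script payload, and a private directory under /tmp. The file is created with mode 0000 by wrapping open() in umask(0777), the hash is taken from the bytes as they are written (so the unreadable file never has to be reopened), and only a matching digest grants the final mode and renames the file into place; a mismatch removes the temporary file while it is still unreadable.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* FNV-1a 64-bit stands in for the package's real per-file digest or signature
 * check (assumption: any strong verification slots in at the same point). */
#define FNV_INIT 1469598103934665603ULL
uint64_t fnv1a64(uint64_t h, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Permission bits of path, or -1 if it does not exist. */
int mode_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Write data under tmp_path, verify it, and only then publish it as final_path.
 * umask(0777) around open() forces mode 0000 whatever mode was requested, which
 * is the shape of the umask fix discussed above: until the digest matches,
 * nothing can read or execute the bytes. Returns 0 on success, -1 on any
 * failure (the temp file is removed). mode_during_write, if non-NULL, receives
 * the mode observed after writing and before verification. */
int install_verified(const char *tmp_path, const char *final_path,
                     const unsigned char *data, size_t n,
                     uint64_t expected, mode_t final_mode, int *mode_during_write)
{
    mode_t old = umask(0777);
    int fd = open(tmp_path, O_WRONLY | O_CREAT | O_EXCL, final_mode);
    umask(old);                              /* umask is process-wide: restore at once */
    if (fd < 0) return -1;

    uint64_t h = FNV_INIT;
    for (size_t off = 0; off < n; ) {
        ssize_t w = write(fd, data + off, n - off);
        if (w < 0) goto fail;
        h = fnv1a64(h, data + off, (size_t)w); /* hash exactly the bytes on disk */
        off += (size_t)w;
    }
    if (mode_during_write) *mode_during_write = mode_bits(tmp_path);

    if (h != expected) goto fail;            /* tampered content never becomes readable */
    if (fchmod(fd, final_mode) != 0 || close(fd) != 0) { unlink(tmp_path); return -1; }
    if (rename(tmp_path, final_path) != 0) { unlink(tmp_path); return -1; }
    return 0;
fail:
    close(fd);
    unlink(tmp_path);
    return -1;
}

/* Runs the tampered and the good case in a private temp directory. Returns 0
 * when every observed mode and result matches expectation, else the failing step. */
int demo(void)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";
    if (!mkdtemp(dir)) return 1;
    char tmp[128], final[128];
    snprintf(tmp, sizeof tmp, "%s/.script.tmp", dir);
    snprintf(final, sizeof final, "%s/script", dir);
    const unsigned char payload[] = "#!/bin/sh\necho hello\n"; /* constructed content */
    size_t n = sizeof payload - 1;
    uint64_t good = fnv1a64(FNV_INIT, payload, n);
    int during = -2, rc = 0;

    /* Tampered case: the expected digest does not match what was written. */
    if (install_verified(tmp, final, payload, n, good ^ 1, 0755, &during) != -1) rc = 2;
    else if (during != 0) rc = 3;                                       /* window mode was 0000 */
    else if (mode_bits(tmp) != -1 || mode_bits(final) != -1) rc = 4;     /* nothing left behind */
    /* Good case: digest matches, file is published with its real mode. */
    else if (install_verified(tmp, final, payload, n, good, 0755, &during) != 0) rc = 5;
    else if (during != 0) rc = 6;
    else if (mode_bits(final) != 0755 || mode_bits(tmp) != -1) rc = 7;

    unlink(final); unlink(tmp); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    if (rc == 0) printf("write-0000-then-verify pattern behaved as expected\n");
    else printf("step %d failed\n", rc);
    return rc;
}
```

The point to carry over to any installer or updater is the ordering: the bytes exist on disk only under a mode nobody can act on, verification happens on the stream that was written, and the permission grant is the last step rather than the first.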
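The second advisory item, CVE-2014-8118, is an integer overflow while parsing a crafted CPIO header. The following is an added, self-contained parser for the newc CPIO header format that shows the bounding a defender wants to see; it is not rpm's rpmcpioHeaderRead() code, the NAME_MAX_SANE limit is an assumption, and the sample entries are constructed in the block. Every 32-bit length field read from the header is bounded before it sizes the fixed name buffer or enters a sum, and size comparisons subtract from the buffer length rather than add to a field, so a header claiming namesize 0xFFFFFFFF is rejected instead of wrapping.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NEWC_MAGIC    "070701"
#define NEWC_HDR_LEN  110          /* 6-byte magic + 13 eight-digit hex fields */
#define NAME_MAX_SANE 4096         /* assumed upper bound; enforced before any buffer is sized */

typedef struct {
    uint32_t mode, filesize, namesize;
    char name[NAME_MAX_SANE];      /* fixed buffer: filled only after namesize is bounded */
    size_t data_off;               /* offset of the file data within the input buffer */
} newc_entry;

/* Decode exactly 8 ASCII hex digits; anything else is a malformed field. */
static int hex8(const unsigned char *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char c = p[i]; unsigned d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = (v << 4) | d;
    }
    *out = v;
    return 0;
}

/* Parse one newc entry from buf[0..len). Returns the bytes the whole entry
 * occupies (header, name, data, both paddings), or 0 if the header is malformed
 * or claims more than the buffer holds. Sums are formed in size_t only after
 * the 32-bit fields have been bounded, so no intermediate value can wrap. */
size_t newc_parse(const unsigned char *buf, size_t len, newc_entry *e)
{
    uint32_t mode, filesize, namesize;
    if (len < NEWC_HDR_LEN || memcmp(buf, NEWC_MAGIC, 6) != 0) return 0;
    if (hex8(buf + 14, &mode) || hex8(buf + 54, &filesize) || hex8(buf + 94, &namesize)) return 0;

    /* Bound the untrusted length before it indexes or sizes anything. A 32-bit
     * sum 110 + 0xFFFFFFFF wraps to 109, which a naive "<= len" check would accept. */
    if (namesize == 0 || namesize > NAME_MAX_SANE) return 0;
    size_t name_end = (size_t)NEWC_HDR_LEN + namesize;               /* at most 4206 */
    if (name_end > len) return 0;
    if (buf[name_end - 1] != '\0') return 0;                         /* name is NUL-terminated */
    if (strlen((const char *)buf + NEWC_HDR_LEN) != namesize - 1) return 0; /* no embedded NUL */

    size_t data_off = (name_end + 3) & ~(size_t)3;                   /* padded to 4 from header start */
    if (data_off > len || (size_t)filesize > len - data_off) return 0; /* subtract from len, never add */
    size_t entry_end = (data_off + filesize + 3) & ~(size_t)3;
    if (entry_end > len) return 0;

    e->mode = mode; e->filesize = filesize; e->namesize = namesize; e->data_off = data_off;
    memcpy(e->name, buf + NEWC_HDR_LEN, namesize);
    return entry_end;
}

/* Build a constructed entry (not a real package payload). namesize_field is
 * written verbatim so a lying header can be produced for the rejection cases. */
size_t newc_build(unsigned char *out, size_t cap, const char *name, uint32_t namesize_field,
                  const unsigned char *data, uint32_t filesize)
{
    size_t namelen = strlen(name) + 1;
    size_t data_off = (NEWC_HDR_LEN + namelen + 3) & ~(size_t)3;
    size_t total = (data_off + filesize + 3) & ~(size_t)3;
    if (total > cap) return 0;
    memset(out, 0, total);
    unsigned fields[13] = { 1, 0100644, 0, 0, 1, 0, filesize, 0, 0, 0, 0, namesize_field, 0 };
    memcpy(out, NEWC_MAGIC, 6);
    for (int i = 0; i < 13; i++) snprintf((char *)out + 6 + 8 * i, 9, "%08x", fields[i]);
    memcpy(out + NEWC_HDR_LEN, name, namelen);
    memcpy(out + data_off, data, filesize);
    return total;
}

/* Well-formed entry "hello.txt" carrying "hello\n": returns bytes consumed (128). */
size_t demo_wellformed(void)
{
    unsigned char buf[256]; newc_entry e;
    size_t n = newc_build(buf, sizeof buf, "hello.txt", 10, (const unsigned char *)"hello\n", 6);
    if (n == 0) return 0;
    size_t used = newc_parse(buf, n, &e);
    if (used != n || strcmp(e.name, "hello.txt") != 0 || e.filesize != 6 ||
        e.mode != 0100644 || e.data_off != 120) return 0;
    return used;
}

/* Same bytes, but the header claims namesize 0xFFFFFFFF: must be refused (1). */
int demo_oversized_namesize(void)
{
    unsigned char buf[256]; newc_entry e;
    size_t n = newc_build(buf, sizeof buf, "hello.txt", 0xFFFFFFFFu, (const unsigned char *)"hello\n", 6);
    return n != 0 && newc_parse(buf, n, &e) == 0;
}

/* namesize within the sane bound but past the end of the buffer: also refused (1). */
int demo_truncated(void)
{
    unsigned char buf[256]; newc_entry e;
    size_t n = newc_build(buf, sizeof buf, "hello.txt", 200, (const unsigned char *)"hello\n", 6);
    return n != 0 && newc_parse(buf, n, &e) == 0;
}

int main(void)
{
    printf("well-formed: %zu bytes; oversized rejected: %d; truncated rejected: %d\n",
           demo_wellformed(), demo_oversized_namesize(), demo_truncated());
    return 0;
}
```

The same discipline applies to the filesize field and to any archive format with self-describing lengths: bound each field on its own, compare against what remains of the input by subtraction, and copy into a fixed buffer only after both checks have passed.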