Two security issues in rpm have been announced today (December 9): http://openwall.com/lists/oss-security/2014/12/09/14
Fedora hasn't checked anything into git yet, but the RedHat bugs have proposed patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1039811
https://bugzilla.redhat.com/show_bug.cgi?id=1168715
Mageia 4 is also affected.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
RedHat has issued an advisory for CVE-2013-6345 for RHEL5/RHEL6 today: https://rhn.redhat.com/errata/RHSA-2014-1974.html
Actually I think only mga4 is affected, not mga5
Status: NEW => ASSIGNED
For the first one, the 2nd affects cauldron too
RedHat has issued an advisory for both CVEs for RHEL7 on December 9: https://rhn.redhat.com/errata/RHSA-2014-1976.html
Here is the RHEL7 commit with both fixes: https://git.centos.org/commit/rpms!rpm.git/b7b7cd856d8d286a343f22710009c81ca7b244dc
Both patches apply cleanly to the package in Mageia 4. For Cauldron, the chmod patch (which I guess is the CVE-2013-6345 fix) won't apply as is, but looking at the expandRegular() code in lib/fsm.c, it appears the vulnerability is there and the patch could easily be rediffed for it. The patch in the RedHat bug in Comment 0 looks quite different, but also does not appear to have already been applied in Cauldron. For the CVE-2014-8118 patch, it would also need to be rediffed, but it looks like it could be done easily too in the rpmcpioHeaderRead() code in lib/cpio.c. Actually for CVE-2014-8118, the RedHat bug linked in Comment 0 already has done so for rpm 4.12.
URL: (none) => http://lwn.net/Vulnerabilities/625494/
Ahh, I just noticed there's two patch attachments to the RedHat bug for CVE-2013-6435, and the second one is much shorter and closer to the RHEL7 chmod patch. The second part of the patch where it adds the umask calls around the Fopen to write the file with 0000 permissions initially is easy enough to add in the code in rpm 4.12. The first part of the patch doesn't appear to go anywhere (the change to the rpm_loff_t left variable initialization, which doesn't appear anywhere in 4.12). Hopefully there's nothing that needs to be done for that change. I've checked it into Cauldron SVN with just the umask change. Thierry, does this appear to be correct? I've also added the RHEL7 patches in Mageia 4 SVN. This is good to go if it's OK with you Thierry.
I think so
Thanks Thierry! Patched packages uploaded for Mageia 4 and Cauldron.

RedHat did a nice write-up on these security issues: https://securityblog.redhat.com/2014/12/10/analysis-of-the-cve-2013-6435-flaw-in-rpm/

Advisory:
========================

Updated rpm packages fix security vulnerabilities:

It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation (CVE-2013-6435).

It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation (CVE-2014-8118).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8118
https://securityblog.redhat.com/2014/12/10/analysis-of-the-cve-2013-6435-flaw-in-rpm/
https://rhn.redhat.com/errata/RHSA-2014-1976.html
========================

Updated packages in core/updates_testing:
========================
rpm-4.11.1-9.mga4
librpmbuild3-4.11.1-9.mga4
librpmsign3-4.11.1-9.mga4
librpm3-4.11.1-9.mga4
librpm-devel-4.11.1-9.mga4
rpm-build-4.11.1-9.mga4
rpm-sign-4.11.1-9.mga4
python-rpm-4.11.1-9.mga4

from rpm-4.11.1-9.mga4.src.rpm
CC: (none) => thierry.vignaud
Version: Cauldron => 4
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA4TOO => (none)
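The advisory above describes CVE-2014-8118 as an integer overflow while parsing a crafted CPIO header in the rpm payload, leading to a stack-based buffer overflow. The following is an added example written for this page, not rpm's lib/cpio.c and not the patch discussed in the thread: a bounds-checked parser for one SVR4 "newc" cpio header that validates every hex field and checks each header-supplied length against the bytes actually present before using it as an offset or buffer size. The CPIO_MAX_NAME cap is a hypothetical policy value, and the two header images at the bottom are constructed samples, not data from any real package.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not rpm's lib/cpio.c: a bounds-checked parser for one
 * SVR4 "newc" cpio header (magic 070701, 13 fields of 8 ASCII hex digits). */

#define CPIO_NEWC_MAGIC  "070701"
#define CPIO_NEWC_HDRLEN 110       /* 6-byte magic + 13 * 8 hex digits */
#define CPIO_MAX_NAME    4096      /* hypothetical policy cap on namesize */

enum cpio_err {
    CPIO_OK           =  0,
    CPIO_ERR_SHORT    = -1,  /* fewer than 110 bytes available */
    CPIO_ERR_MAGIC    = -2,  /* not a newc header */
    CPIO_ERR_FIELD    = -3,  /* non-hex byte inside a numeric field */
    CPIO_ERR_NAMESIZE = -4,  /* namesize zero, above the cap, or past the buffer */
    CPIO_ERR_NAME     = -5,  /* name is not NUL-terminated where namesize says */
    CPIO_ERR_DATA     = -6   /* file data (plus padding) runs past the buffer */
};

struct cpio_entry {
    uint32_t mode, filesize, namesize;
    const char *name;      /* points into the caller's buffer */
    const uint8_t *data;   /* start of file contents, 4-byte aligned */
    size_t total;          /* bytes consumed by header, name, data and padding */
};

/* Exactly 8 validated hex digits always fit in 32 bits, so the value itself
 * cannot overflow; the danger is in what the value is later used for. */
static int parse_hex8(const uint8_t *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t c = p[i], d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return CPIO_ERR_FIELD;
        v = (v << 4) | d;
    }
    *out = v;
    return CPIO_OK;
}

static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Parses one entry from buf[0..len). Every length taken from the header is
 * checked against the bytes actually present before it is used as an offset. */
int cpio_parse_newc(const uint8_t *buf, size_t len, struct cpio_entry *e)
{
    if (len < CPIO_NEWC_HDRLEN) return CPIO_ERR_SHORT;
    if (memcmp(buf, CPIO_NEWC_MAGIC, 6) != 0) return CPIO_ERR_MAGIC;

    /* Field order: ino, mode, uid, gid, nlink, mtime, filesize, devmajor,
     * devminor, rdevmajor, rdevminor, namesize, check. */
    uint32_t f[13];
    for (int i = 0; i < 13; i++) {
        int rc = parse_hex8(buf + 6 + 8 * i, &f[i]);
        if (rc != CPIO_OK) return rc;
    }
    uint32_t mode = f[1], filesize = f[6], namesize = f[11];

    /* namesize includes the trailing NUL. Reject it before it becomes an
     * allocation size or an index; compare against the remaining bytes rather
     * than adding it to an offset first. */
    if (namesize == 0 || namesize > CPIO_MAX_NAME) return CPIO_ERR_NAMESIZE;
    if (namesize > len - CPIO_NEWC_HDRLEN) return CPIO_ERR_NAMESIZE;
    if (buf[CPIO_NEWC_HDRLEN + namesize - 1] != '\0') return CPIO_ERR_NAME;

    size_t data_off = pad4(CPIO_NEWC_HDRLEN + (size_t)namesize);
    if (data_off > len || filesize > len - data_off) return CPIO_ERR_DATA;
    size_t end = pad4(data_off + filesize);
    if (end > len) return CPIO_ERR_DATA;

    if (e) {
        e->mode = mode; e->filesize = filesize; e->namesize = namesize;
        e->name = (const char *)buf + CPIO_NEWC_HDRLEN;
        e->data = buf + data_off;
        e->total = end;
    }
    return CPIO_OK;
}

/* Constructed sample images (not taken from any real package). */
#define HDR_PREFIX "070701" "00000001" "000081a4" "00000000" "00000000" \
                   "00000001" "00000000" "00000005" "00000000" "00000000" \
                   "00000000" "00000000"
/* namesize 0xa = "hello.txt" + NUL; check field 0; data "hello" + 3 pad bytes */
static const char GOOD[] = HDR_PREFIX "0000000a" "00000000" "hello.txt\0" "hello" "\0\0\0";
/* Same layout, but namesize claims 0xffffffff: a name buffer sized from this
 * field without a check would overflow; the parser rejects it instead. */
static const char CRAFTED[] = HDR_PREFIX "ffffffff" "00000000" "hello.txt\0" "hello" "\0\0\0";

int cpio_demo_good_rc(void)        { return cpio_parse_newc((const uint8_t *)GOOD, sizeof GOOD - 1, NULL); }
size_t cpio_demo_good_total(void)  { struct cpio_entry e; cpio_parse_newc((const uint8_t *)GOOD, sizeof GOOD - 1, &e); return e.total; }
int cpio_demo_crafted_rc(void)     { return cpio_parse_newc((const uint8_t *)CRAFTED, sizeof CRAFTED - 1, NULL); }

int main(void)
{
    struct cpio_entry e;
    int rc = cpio_parse_newc((const uint8_t *)GOOD, sizeof GOOD - 1, &e);
    printf("good: rc=%d name=%s filesize=%u total=%zu\n", rc, e.name, e.filesize, e.total);
    printf("crafted: rc=%d\n", cpio_demo_crafted_rc());
    return 0;
}
```

The design point is that no length from the archive is ever added to an offset or used to size a buffer before it has been compared against the bytes remaining; the subtraction form (`namesize > len - CPIO_NEWC_HDRLEN`) cannot itself overflow because `len >= 110` was established first.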
Tested successfully on Mageia 4 i586. I installed this update and then installed some recent updates (12 packages) as well as a few from updates_testing (3 packages), and verified some of those packages with rpm -V, and everything was fine.
Whiteboard: (none) => MGA4-32-OK
Testing on Mageia4-64 real hardware. Updated to testing packages:
rpm-4.11.1-9.mga4.x86_64
lib64rpm3-4.11.1-9.mga4.x86_64
lib64rpmbuild3-4.11.1-9.mga4.x86_64
lib64rpmsign3-4.11.1-9.mga4.x86_64
python-rpm-4.11.1-9.mga4.x86_64
Installed new packages via rpm (sometimes using options), uninstalled packages, used some query and verify options. All nice.
CC: (none) => olchal
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
Advisory uploaded, validating.
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0529.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED