Bug 14766 - rpm new security issues CVE-2013-6435 and CVE-2014-8118
Summary: rpm new security issues CVE-2013-6435 and CVE-2014-8118
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/625494/
Whiteboard: MGA4-32-OK MGA4-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-09 19:02 CET by David Walser
Modified: 2014-12-14 15:11 CET
CC List: 4 users

See Also:
Source RPM: rpm-4.12.0.1-13.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2014-12-09 19:02:15 CET
Two security issues in rpm have been announced today (December 9):
http://openwall.com/lists/oss-security/2014/12/09/14

Fedora hasn't checked anything into git yet, but the RedHat bugs have proposed patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1039811
https://bugzilla.redhat.com/show_bug.cgi?id=1168715

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-12-09 19:02:22 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2014-12-09 19:09:32 CET
RedHat has issued an advisory for CVE-2013-6345 for RHEL5/RHEL6 today:
https://rhn.redhat.com/errata/RHSA-2014-1974.html
Comment 2 Thierry Vignaud 2014-12-10 12:29:37 CET
Actually I think only mga4 is affected, not mga5

Status: NEW => ASSIGNED

Comment 3 Thierry Vignaud 2014-12-10 12:31:35 CET
For the first one, the 2nd affects cauldron too
Comment 4 David Walser 2014-12-10 17:56:40 CET
RedHat has issued an advisory for both CVEs for RHEL7 on December 9:
https://rhn.redhat.com/errata/RHSA-2014-1976.html
Comment 5 David Walser 2014-12-10 17:59:02 CET
Here is the RHEL7 commit with both fixes:
https://git.centos.org/commit/rpms!rpm.git/b7b7cd856d8d286a343f22710009c81ca7b244dc
Comment 6 David Walser 2014-12-10 18:09:28 CET
Both patches apply cleanly to the package in Mageia 4.

For Cauldron, the chmod patch (which I guess is the CVE-2013-6345 fix) won't apply as is, but looking at the expandRegular() code in lib/fsm.c, it appears the vulnerability is there and the patch could easily be rediffed for it. The patch in the RedHat bug in Comment 0 looks quite different, but also does not appear to have already been applied in Cauldron. For the CVE-2014-8118 patch, it would also need to be rediffed, but it looks like it could be done easily too in the rpmcpioHeaderRead() code in lib/cpio.c. Actually for CVE-2014-8118, the RedHat bug linked in Comment 0 already has done so for rpm 4.12.
David Walser 2014-12-10 19:07:40 CET

URL: (none) => http://lwn.net/Vulnerabilities/625494/

Comment 7 David Walser 2014-12-11 20:27:56 CET
Ahh, I just noticed there are two patch attachments to the RedHat bug for CVE-2013-6435, and the second one is much shorter and closer to the RHEL7 chmod patch. The second part of the patch, where it adds the umask calls around the Fopen to write the file with 0000 permissions initially, is easy enough to add in the code in rpm 4.12. The first part of the patch doesn't appear to go anywhere (the change to the rpm_loff_t left variable initialization, which doesn't appear anywhere in 4.12). Hopefully there's nothing that needs to be done for that change. I've checked it into Cauldron SVN with just the umask change. Thierry, does this appear to be correct?

I've also added the RHEL7 patches in Mageia 4 SVN.  This is good to go if it's OK with you Thierry.
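
The umask change discussed in Comment 7, creating the file with 0000 permissions until verification has finished, as an added illustration in C. This is not rpm's code and not taken from any of the linked patches: the verification decision is left to the caller (passed in as a flag), the /tmp path and the payload bytes are constructed for the demo, and the final 0755 mode is an arbitrary choice.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` with no permission bits at all: umask(0777) masks every bit of
 * the requested 0644, so until verification finishes nothing on the system can
 * read or execute the not-yet-trusted contents. Returns the open fd, or -1. */
int create_unreadable(const char *path)
{
    mode_t old = umask(0777);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    umask(old);                       /* restore the caller's umask at once */
    return fd;
}

/* Finish the file once the caller has decided whether the contents verified:
 * on success grant final_mode and keep it, otherwise unlink it so no unverified
 * bytes remain in the target directory. Returns 0 on success, -1 on error. */
int finalize_file(int fd, const char *path, int verified, mode_t final_mode)
{
    int rc = 0;
    if (verified) {
        if (fchmod(fd, final_mode) != 0)
            rc = -1;
    } else if (unlink(path) != 0) {
        rc = -1;
    }
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Permission bits of `path`, or -1 if it cannot be stat'ed (for example, removed). */
int permission_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Demo: a constructed payload written under a constructed /tmp path. */
int main(void)
{
    const char *path = "/tmp/unverified_payload_demo";
    unlink(path);                     /* start clean if an earlier run left it behind */
    int fd = create_unreadable(path);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    printf("mode while writing:      %04o\n", permission_bits(path));
    if (write(fd, "constructed payload\n", 20) != 20) {
        perror("write");
        return 1;
    }
    /* Signature checking would happen here; this demo treats it as passed. */
    if (finalize_file(fd, path, 1, 0755) != 0) {
        perror("finalize");
        return 1;
    }
    printf("mode after verification: %04o\n", permission_bits(path));
    unlink(path);
    return 0;
}
```

The point of the pattern is the ordering: the bytes land on disk unreadable and non-executable, and permissions are granted only after the check, so anything that looks at the target directory while the file is being written finds nothing it is allowed to interpret. Note that the file owner (and root) can still open a 0000 file, so this narrows the window for other principals rather than closing it entirely.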
Comment 8 Thierry Vignaud 2014-12-11 21:48:10 CET
I think so
Comment 9 David Walser 2014-12-11 22:29:24 CET
Thanks Thierry!

Patched packages uploaded for Mageia 4 and Cauldron.

RedHat did a nice write-up on these security issues:
https://securityblog.redhat.com/2014/12/10/analysis-of-the-cve-2013-6435-flaw-in-rpm/

Advisory:
========================

Updated rpm packages fix security vulnerabilities:

It was found that RPM wrote file contents to the target installation
directory under a temporary name, and verified its cryptographic signature
only after the temporary file has been written completely. Under certain
conditions, the system interprets the unverified temporary file contents
and extracts commands from it. This could allow an attacker to modify
signed RPM files in such a way that they would execute code chosen by the
attacker during package installation (CVE-2013-6435).

It was found that RPM could encounter an integer overflow, leading to a
stack-based buffer overflow, while parsing a crafted CPIO header in the
payload section of an RPM file. This could allow an attacker to modify
signed RPM files in such a way that they would execute code chosen by the
attacker during package installation (CVE-2014-8118).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8118
https://securityblog.redhat.com/2014/12/10/analysis-of-the-cve-2013-6435-flaw-in-rpm/
https://rhn.redhat.com/errata/RHSA-2014-1976.html
========================

Updated packages in core/updates_testing:
========================
rpm-4.11.1-9.mga4
librpmbuild3-4.11.1-9.mga4
librpmsign3-4.11.1-9.mga4
librpm3-4.11.1-9.mga4
librpm-devel-4.11.1-9.mga4
rpm-build-4.11.1-9.mga4
rpm-sign-4.11.1-9.mga4
python-rpm-4.11.1-9.mga4

from rpm-4.11.1-9.mga4.src.rpm

CC: (none) => thierry.vignaud
Version: Cauldron => 4
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA4TOO => (none)

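The CPIO header flaw described in the advisory above (CVE-2014-8118) belongs to a general class: an untrusted length field is converted and used to size a buffer before it has been range-checked. The following added example, written for this page and not taken from rpm or the linked patches, parses a CPIO "newc" header and rejects a namesize that is zero, larger than a fixed cap, or longer than the remaining input before any copy happens. The 4096-byte cap, the status codes and the make_newc() helper that builds constructed test input are choices made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NEWC_MAGIC     "070701"
#define NEWC_HDR_LEN   110      /* 6-byte magic followed by 13 fields of 8 hex digits */
#define NAME_MAX_BYTES 4096     /* cap chosen for this example; counts the trailing NUL */

enum cpio_status {
    CPIO_OK = 0, CPIO_SHORT, CPIO_BAD_MAGIC, CPIO_BAD_HEX,
    CPIO_BAD_NAMESIZE, CPIO_TRUNCATED
};

struct newc_header {
    uint32_t mode, filesize, namesize;
    char name[NAME_MAX_BYTES];  /* fixed-size: namesize is validated before any copy */
};

/* Parse exactly 8 ASCII hex digits into *out as an unsigned value. */
static int parse_hex8(const unsigned char *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char c = p[i];
        uint32_t d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = (v << 4) | d;
    }
    *out = v;
    return 0;
}

/* Parse one newc header and the file name that follows it from buf[0..len).
 * namesize stays unsigned and is range-checked before it is used as a length,
 * so a zero or enormous value is rejected instead of becoming a negative or
 * wrapped buffer size. */
enum cpio_status parse_newc_header(const unsigned char *buf, size_t len,
                                   struct newc_header *hdr)
{
    if (len < NEWC_HDR_LEN)
        return CPIO_SHORT;
    if (memcmp(buf, NEWC_MAGIC, 6) != 0)
        return CPIO_BAD_MAGIC;

    uint32_t f[13];                       /* ino, mode, uid, gid, nlink, mtime, filesize,
                                             devmajor, devminor, rdevmajor, rdevminor,
                                             namesize, check */
    for (int i = 0; i < 13; i++)
        if (parse_hex8(buf + 6 + 8 * i, &f[i]) != 0)
            return CPIO_BAD_HEX;

    hdr->mode = f[1];
    hdr->filesize = f[6];
    hdr->namesize = f[11];

    /* Bound the untrusted length: at least the NUL, at most our buffer. */
    if (hdr->namesize < 1 || hdr->namesize > NAME_MAX_BYTES)
        return CPIO_BAD_NAMESIZE;
    /* And the bytes it claims must actually be present in the input. */
    if (len - NEWC_HDR_LEN < hdr->namesize)
        return CPIO_TRUNCATED;

    const unsigned char *name = buf + NEWC_HDR_LEN;
    if (name[hdr->namesize - 1] != '\0')  /* the field counts the terminator */
        return CPIO_BAD_NAMESIZE;
    memcpy(hdr->name, name, hdr->namesize);
    return CPIO_OK;
}

/* Constructed test input (not a real package payload): a newc header with every
 * field zero except namesize, given as 8 hex digits, followed by name and its NUL.
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t make_newc(unsigned char *out, size_t cap,
                 const char *namesize_hex, const char *name)
{
    size_t nlen = strlen(name) + 1;
    if (strlen(namesize_hex) != 8 || cap < NEWC_HDR_LEN + nlen)
        return 0;
    memcpy(out, NEWC_MAGIC, 6);
    for (int i = 0; i < 13; i++)
        memcpy(out + 6 + 8 * i, i == 11 ? namesize_hex : "00000000", 8);
    memcpy(out + NEWC_HDR_LEN, name, nlen);
    return NEWC_HDR_LEN + nlen;
}
```

A namesize field of "ffffffff" is rejected here by the cap while still an unsigned 32-bit value. Code that instead stores the field in a signed int and then allocates namesize + 1 bytes on the stack ends up with a buffer of size zero for that input, which is the sort of wrap the advisory refers to; checking the range first, in the unsigned domain, and then checking that the input actually contains that many bytes removes both problems.
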
Comment 10 David Walser 2014-12-12 00:28:15 CET
Tested successfully on Mageia 4 i586.

I installed this update and then installed some recent updates (12 packages) as well as a few from updates_testing (3 packages), and verified some of those packages with rpm -V, and everything was fine.

Whiteboard: (none) => MGA4-32-OK

Comment 11 olivier charles 2014-12-13 10:37:24 CET
Testing on Mageia4-64 real hardware,

Updated to testing packages:

- rpm-4.11.1-9.mga4.x86_64
- lib64rpm3-4.11.1-9.mga4.x86_64
- lib64rpmbuild3-4.11.1-9.mga4.x86_64
- lib64rpmsign3-4.11.1-9.mga4.x86_64
- python-rpm-4.11.1-9.mga4.x86_64

Installed new packages via rpm (sometimes using options), uninstalled packages, used some query and verify options.

All nice.

CC: (none) => olchal
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 12 Rémi Verschelde 2014-12-14 14:52:46 CET
Advisory uploaded, validating.

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 13 Mageia Robot 2014-12-14 15:11:07 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0529.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
