Control: tags -1 moreinfo On 2021-06-29 20:15:33 +0300, Peter Pentchev wrote: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > X-Debbugs-Cc: team+pkg-...@tracker.debian.org > > Please unblock package rpm to fix a couple of security problems in > handling untrusted RPM files. > > [ Reason ] > See #985308 for more information - there are three CVEs filed for > problems in rpm's parsing of various header fields, one of which > may even be used to lead to code execution. > > [ Impact ] > If a maliciously-constructed RPM package is installed, > the RPM database may be corrupted or unexpected code may be > executed (other than the scriptlets within the RPM file). > > [ Tests ] > None for the present. > > [ Risks ] > The patches are mostly straightforward and extend already-existing > checks. The only risk here would be rejecting a valid RPM file, but > from what I understand of the source code, this should not happen > any more, especially after catching one such case (one of the new > patches to the Debian package combines three upstream commits, one of > which relaxes some restrictions for this very reason). > > [ Checklist ] > [x] all changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in testing > > unblock rpm/4.16.1.2+dfsg1-2
> diff -Nru rpm-4.16.1.2+dfsg1/debian/changelog > rpm-4.16.1.2+dfsg1/debian/changelog > --- rpm-4.16.1.2+dfsg1/debian/changelog 2021-01-28 12:22:55.000000000 > +0200 > +++ rpm-4.16.1.2+dfsg1/debian/changelog 2021-06-29 18:15:25.000000000 > +0300 > @@ -1,3 +1,35 @@ > +rpm (4.16.1.2+dfsg1-2) unstable; urgency=medium > + > + * Team upload. > + * Amend the CVE-2021-3421-CVE-2021-20271 patch, add two follow-up > + upstream commits that relax the restrictions a little bit to > + allow for some existing RPM packages. > + > + -- Peter Pentchev <r...@debian.org> Tue, 29 Jun 2021 18:15:25 +0300 > + > +rpm (4.16.1.2+dfsg1-1) unstable; urgency=medium > + > + * Team upload. > + * Acknowledge NMUs; thanks, Matthias and Boyuan! > + * Add the CVE-2021-20266 and CVE-2021-3421-CVE-2021-20271 patches to > + strengthen the verification of RPM signatures. Closes: #985308 > + > + -- Peter Pentchev <r...@debian.org> Tue, 29 Jun 2021 14:11:21 +0300 > + > +rpm (4.16.1.2+dfsg1-0.6) unstable; urgency=medium > + > + * Non-maintainer upload. > + * Only build-depend on gnupg2 on linux architectures. > + > + -- Matthias Klose <d...@debian.org> Tue, 09 Mar 2021 23:39:07 +0100 > + > +rpm (4.16.1.2+dfsg1-0.5) unstable; urgency=medium > + > + * Non-maintainer upload. > + * Only build-depend on libaudit-dev on linux architectures. > + > + -- Matthias Klose <d...@debian.org> Tue, 09 Mar 2021 22:50:12 +0100 > + > rpm (4.16.1.2+dfsg1-0.4) unstable; urgency=medium > > * Non-maintainer upload. > diff -Nru rpm-4.16.1.2+dfsg1/debian/control rpm-4.16.1.2+dfsg1/debian/control > --- rpm-4.16.1.2+dfsg1/debian/control 2021-01-02 14:03:53.000000000 +0200 > +++ rpm-4.16.1.2+dfsg1/debian/control 2021-06-27 01:21:05.000000000 +0300 > @@ -33,8 +33,8 @@ > liblua5.2-dev, > libsemanage1-dev [linux-any], > libgcrypt20-dev, > - libaudit-dev, > - gnupg2, > + libaudit-dev [linux-any], > + gnupg2 [linux-any], > Standards-Version: 4.5.1 > Vcs-Browser: https://salsa.debian.org/pkg-rpm-team/rpm > Vcs-Git: https://salsa.debian.org/pkg-rpm-team/rpm.git > diff -Nru rpm-4.16.1.2+dfsg1/debian/debugedit.8 > rpm-4.16.1.2+dfsg1/debian/debugedit.8 > --- rpm-4.16.1.2+dfsg1/debian/debugedit.8 2021-01-28 12:22:55.000000000 > +0200 > +++ rpm-4.16.1.2+dfsg1/debian/debugedit.8 2021-06-27 01:21:05.000000000 > +0300 > @@ -1,5 +1,5 @@ > -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.16. > -.TH DEBUGEDIT "8" "January 2021" "debugedit 4.16.1.2" "System Administration > Utilities" > +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.2. > +.TH DEBUGEDIT "8" "March 2021" "debugedit 4.16.1.2" "System Administration > Utilities" > .SH NAME > debugedit \- Debuginfo editing helper > .SH SYNOPSIS > diff -Nru rpm-4.16.1.2+dfsg1/debian/librpm9.symbols > rpm-4.16.1.2+dfsg1/debian/librpm9.symbols > --- rpm-4.16.1.2+dfsg1/debian/librpm9.symbols 2021-01-02 12:04:09.000000000 > +0200 > +++ rpm-4.16.1.2+dfsg1/debian/librpm9.symbols 2021-06-29 12:23:21.000000000 > +0300 > @@ -473,3 +473,4 @@ > rpmvsVerify@Base 4.16 > showQueryPackage@Base 4.14.0+dfsg1 > showVerifyPackage@Base 4.14.0+dfsg1 > + xlateTags@Base 4.16.1.2+dfsg1 > diff -Nru rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-20266.patch > rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-20266.patch > --- rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-20266.patch 1970-01-01 > 02:00:00.000000000 +0200 > +++ rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-20266.patch 2021-06-29 > 12:23:21.000000000 +0300 > @@ -0,0 +1,97 @@ > +Description: hdrblobInit() needs bounds checks too > + Users can pass untrusted data to hdrblobInit() and it must be robust > + against this. > +Origin: upstream; > https://github.com/rpm-software-management/rpm/commit/8f4b3c3cab8922a2022b9e47c71f1ecf906077ef > +Author: Demi Marie Obenour <ath...@invisiblethingslab.com> > +Bug-Debian: https://bugs.debian.org/985308 > +Last-Update: 2021-06-27 > + > +--- a/lib/header.c > ++++ b/lib/header.c > +@@ -11,6 +11,7 @@ > + #include "system.h" > + #include <netdb.h> > + #include <errno.h> > ++#include <inttypes.h> > + #include <rpm/rpmtypes.h> > + #include <rpm/rpmstring.h> > + #include "lib/header_internal.h" > +@@ -1886,6 +1887,25 @@ > + return NULL; > + } > + > ++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, > uint32_t dl, > ++ char **emsg) { > ++ uint32_t il_max = HEADER_TAGS_MAX; > ++ uint32_t dl_max = HEADER_DATA_MAX; > ++ if (regionTag == RPMTAG_HEADERSIGNATURES) { > ++ il_max = 32; > ++ dl_max = 64 * 1024 * 1024; > ++ } > ++ if (hdrchkRange(il_max, il)) { > ++ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of > range"), il); > ++ return RPMRC_FAIL; > ++ } > ++ if (hdrchkRange(dl_max, dl)) { > ++ rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of > range"), dl); > ++ return RPMRC_FAIL; > ++ } > ++ return RPMRC_OK; > ++} > ++ > + rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, > hdrblob blob, char **emsg) > + { > + int32_t block[4]; > +@@ -1898,13 +1918,6 @@ > + size_t nb; > + rpmRC rc = RPMRC_FAIL; /* assume failure */ > + int xx; > +- int32_t il_max = HEADER_TAGS_MAX; > +- int32_t dl_max = HEADER_DATA_MAX; > +- > +- if (regionTag == RPMTAG_HEADERSIGNATURES) { > +- il_max = 32; > +- dl_max = 64 * 1024 * 1024; > +- } > + > + memset(block, 0, sizeof(block)); > + if ((xx = Freadall(fd, bs, blen)) != blen) { > +@@ -1917,15 +1930,9 @@ > + goto exit; > + } > + il = ntohl(block[2]); > +- if (hdrchkRange(il_max, il)) { > +- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il); > +- goto exit; > +- } > + dl = ntohl(block[3]); > +- if (hdrchkRange(dl_max, dl)) { > +- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl); > ++ if (hdrblobVerifyLengths(regionTag, il, dl, emsg)) > + goto exit; > +- } > + > + nb = (il * sizeof(struct entryInfo_s)) + dl; > + uc = sizeof(il) + sizeof(dl) + nb; > +@@ -1969,11 +1976,18 @@ > + struct hdrblob_s *blob, char **emsg) > + { > + rpmRC rc = RPMRC_FAIL; > +- > + memset(blob, 0, sizeof(*blob)); > ++ if (uc && uc < 8) { > ++ rasprintf(emsg, _("hdr length: BAD")); > ++ goto exit; > ++ } > ++ > + blob->ei = (int32_t *) uh; /* discards const */ > +- blob->il = ntohl(blob->ei[0]); > +- blob->dl = ntohl(blob->ei[1]); > ++ blob->il = ntohl((uint32_t)(blob->ei[0])); > ++ blob->dl = ntohl((uint32_t)(blob->ei[1])); > ++ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != > RPMRC_OK) > ++ goto exit; > ++ > + blob->pe = (entryInfo) &(blob->ei[2]); > + blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) + > + (blob->il * sizeof(*blob->pe)) + blob->dl; > diff -Nru > rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch > rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch > --- rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch > 1970-01-01 02:00:00.000000000 +0200 > +++ rpm-4.16.1.2+dfsg1/debian/patches/CVE-2021-3421-CVE-2021-20271.patch > 2021-06-29 17:06:43.000000000 +0300 > @@ -0,0 +1,180 @@ > +Description: Be much more careful about copying data from the signature > header > + Only look for known tags, and ensure correct type and size where known > + before copying over. Bump the old arbitrary 16k count limit to 16M limit > + though, it's not inconceivable that a package could have that many files. > + While at it, ensure none of these tags exist in the main header, > + which would confuse us greatly. > + . > + This is optimized for backporting ease, upstream can remove redundancies > + and further improve checking later. > + . > + Reported and initial patches by Demi Marie Obenour. > + . > + Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ... > + . > + Fixes: CVE-2021-3421, CVE-2021-20271 > + . > + NOTE (Debian): the upstream patch was modified to remove the references to > + RPMSIGTAG_VERITYSIGNATURES and RPMSIGTAG_VERITYSIGNATUREALGO, which were > + introduced in upstream changes later than our version. > + . > + This Debian patch combines the upstream patch with two follow-up commits: > + > https://github.com/rpm-software-management/rpm/commit/f7b97593af5cf818a5c6c5b9bc55bba6d08c9cb0#diff-5436e6bf58cd803d29ac1261bfb06f30192193674d8b1493a33b34dcce0514a8 > + > https://github.com/rpm-software-management/rpm/commit/e2f1f1931c5ccf3ecbe4e1e12cacb1e17a277776#diff-5436e6bf58cd803d29ac1261bfb06f30192193674d8b1493a33b34dcce0514a8 > + ...with the last one fixing a problem with too-strict restrictions in > + the original change. > +Origin: upstream; > https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21 > +Author: Panu Matilainen <pmati...@redhat.com> > +Bug-Debian: https://bugs.debian.org/985308 > +Last-Update: 2021-06-29 > + > +--- a/lib/package.c > ++++ b/lib/package.c > +@@ -31,82 +31,78 @@ > + rpmRC rc; > + }; > + > ++struct taglate_s { > ++ rpmTagVal stag; > ++ rpmTagVal xtag; > ++ rpm_count_t count; > ++ int quirk; > ++} const xlateTags[] = { > ++ { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1, 0 }, > ++ { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0, 0 }, > ++ { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16, 0 }, > ++ { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0, 0 }, > ++ /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0, 0 }, */ /* long obsolete, dont > use */ > ++ { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1, 1 }, > ++ { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0, 1 }, > ++ { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1, 1 }, > ++ { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1, 0 }, > ++ { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1, 0 }, > ++ { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0, 0 }, > ++ { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0, 0 }, > ++ { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1, 0 }, > ++ { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1, 0 }, > ++ { 0 } > ++}; Is this constant really supposed to be part of the public ABI? This looks like it could use a static modifier. Cheers > ++ > + /** \ingroup header > + * Translate and merge legacy signature tags into header. > + * @param h header (dest) > + * @param sigh signature header (src) > ++ * @return failing tag number, 0 on success > + */ > + static > +-void headerMergeLegacySigs(Header h, Header sigh) > ++rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg) > + { > +- HeaderIterator hi; > ++ const struct taglate_s *xl; > + struct rpmtd_s td; > + > +- hi = headerInitIterator(sigh); > +- for (; headerNext(hi, &td); rpmtdFreeData(&td)) > +- { > +- switch (td.tag) { > +- /* XXX Translate legacy signature tag values. */ > +- case RPMSIGTAG_SIZE: > +- td.tag = RPMTAG_SIGSIZE; > +- break; > +- case RPMSIGTAG_PGP: > +- td.tag = RPMTAG_SIGPGP; > +- break; > +- case RPMSIGTAG_MD5: > +- td.tag = RPMTAG_SIGMD5; > +- break; > +- case RPMSIGTAG_GPG: > +- td.tag = RPMTAG_SIGGPG; > +- break; > +- case RPMSIGTAG_PGP5: > +- td.tag = RPMTAG_SIGPGP5; > +- break; > +- case RPMSIGTAG_PAYLOADSIZE: > +- td.tag = RPMTAG_ARCHIVESIZE; > +- break; > +- case RPMSIGTAG_FILESIGNATURES: > +- td.tag = RPMTAG_FILESIGNATURES; > +- break; > +- case RPMSIGTAG_FILESIGNATURELENGTH: > +- td.tag = RPMTAG_FILESIGNATURELENGTH; > +- break; > +- case RPMSIGTAG_SHA1: > +- case RPMSIGTAG_SHA256: > +- case RPMSIGTAG_DSA: > +- case RPMSIGTAG_RSA: > +- default: > +- if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE)) > ++ for (xl = xlateTags; xl->stag; xl++) { > ++ /* There mustn't be one in the main header */ > ++ if (headerIsEntry(h, xl->xtag)) { > ++ /* Some tags may exist in either header, but never both */ > ++ if (xl->quirk && !headerIsEntry(sigh, xl->stag)) > + continue; > +- break; > ++ goto exit; > + } > +- if (!headerIsEntry(h, td.tag)) { > +- switch (td.type) { > +- case RPM_NULL_TYPE: > +- continue; > ++ } > ++ > ++ rpmtdReset(&td); > ++ for (xl = xlateTags; xl->stag; xl++) { > ++ if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) { > ++ /* Translate legacy tags */ > ++ if (xl->stag != xl->xtag) > ++ td.tag = xl->xtag; > ++ /* Ensure type and tag size match expectations */ > ++ if (td.type != rpmTagGetTagType(td.tag)) > + break; > +- case RPM_CHAR_TYPE: > +- case RPM_INT8_TYPE: > +- case RPM_INT16_TYPE: > +- case RPM_INT32_TYPE: > +- case RPM_INT64_TYPE: > +- if (td.count != 1) > +- continue; > ++ if (td.count < 1 || td.count > 16*1024*1024) > + break; > +- case RPM_STRING_TYPE: > +- case RPM_STRING_ARRAY_TYPE: > +- case RPM_BIN_TYPE: > +- if (td.count >= 16*1024) > +- continue; > ++ if (xl->count && td.count != xl->count) > + break; > +- case RPM_I18NSTRING_TYPE: > +- continue; > ++ if (!headerPut(h, &td, HEADERPUT_DEFAULT)) > + break; > +- } > +- (void) headerPut(h, &td, HEADERPUT_DEFAULT); > ++ rpmtdFreeData(&td); > + } > + } > +- headerFreeIterator(hi); > ++ rpmtdFreeData(&td); > ++ > ++exit: > ++ if (xl->stag) { > ++ rasprintf(msg, "invalid signature tag %s (%d)", > ++ rpmTagGetName(xl->xtag), xl->xtag); > ++ } > ++ > ++ return xl->stag; > + } > + > + /** > +@@ -378,7 +374,8 @@ > + goto exit; > + > + /* Append (and remap) signature tags to the metadata. */ > +- headerMergeLegacySigs(h, sigh); > ++ if (headerMergeLegacySigs(h, sigh, &msg)) > ++ goto exit; > + applyRetrofits(h); > + > + /* Bump reference count for return. */ > diff -Nru rpm-4.16.1.2+dfsg1/debian/patches/series > rpm-4.16.1.2+dfsg1/debian/patches/series > --- rpm-4.16.1.2+dfsg1/debian/patches/series 2021-01-19 13:28:15.000000000 > +0200 > +++ rpm-4.16.1.2+dfsg1/debian/patches/series 2021-06-29 17:03:24.000000000 > +0300 > @@ -9,3 +9,5 @@ > 0012-pythondistdeps.py-Use-python3-in-shebang.patch > debugedit-trunk.diff > gcc-dwarf5.diff > +CVE-2021-3421-CVE-2021-20271.patch > +CVE-2021-20266.patch -- Sebastian Ramacher
signature.asc
Description: PGP signature
