
List:       openembedded-core
Subject:    Re: [OE-core] [V3][PATCH] rpm: fix CVE-2021-3521
From:       "Richard Purdie" <richard.purdie () linuxfoundation ! org>
Date:       2021-12-31 15:38:33
Message-ID: 6d4b04f6048055fe85d131679cbfcfda33a97035.camel () linuxfoundation ! org

On Fri, 2021-12-31 at 10:21 +0800, Changqing Li wrote:
> From: Changqing Li <changqing.li@windriver.com>
> 
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
> .../rpm/files/0001-CVE-2021-3521.patch        |  57 +++
> .../rpm/files/0002-CVE-2021-3521.patch        |  64 ++++
> .../rpm/files/0003-CVE-2021-3521.patch        | 329 ++++++++++++++++++
> meta/recipes-devtools/rpm/rpm_4.17.0.bb       |   3 +
> 4 files changed, 453 insertions(+)
> create mode 100644 meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
> create mode 100644 meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
> create mode 100644 meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch
> 
> diff --git a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch \
> b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch new file mode 100644
> index 0000000000..b374583017
> --- /dev/null
> +++ b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
> @@ -0,0 +1,57 @@
> +From 9a6871126f472feea057d5f803505ec8cc78f083 Mon Sep 17 00:00:00 2001
> +From: Panu Matilainen <pmatilai@redhat.com>
> +Date: Thu, 30 Sep 2021 09:56:20 +0300
> +Subject: [PATCH 1/3] Refactor pgpDigParams construction to helper function
> +
> +No functional changes, just to reduce code duplication and needed by
> +the following commits.
> +
> +CVE: CVE-2021-3521
> +Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/9f03f42e2]
>  +
> +Signed-off-by: Changqing Li <changqing.li@windriver.com>
> +---
> + rpmio/rpmpgp.c | 13 +++++++++----
> + 1 file changed, 9 insertions(+), 4 deletions(-)
> +
> +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
> +index d0688ebe9a..e472b5320f 100644
> +--- a/rpmio/rpmpgp.c
> ++++ b/rpmio/rpmpgp.c
> +@@ -1041,6 +1041,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned \
> int algotype) +     return algo;
> + }
> + 
> ++static pgpDigParams pgpDigParamsNew(uint8_t tag)
> ++{
> ++    pgpDigParams digp = xcalloc(1, sizeof(*digp));
> ++    digp->tag = tag;
> ++    return digp;
> ++}
> ++
> + int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
> + 		 pgpDigParams * ret)
> + {
> +@@ -1058,8 +1065,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, \
> unsigned int pkttype, + 	    if (pkttype && pkt.tag != pkttype) {
> + 		break;
> + 	    } else {
> +-		digp = xcalloc(1, sizeof(*digp));
> +-		digp->tag = pkt.tag;
> ++		digp = pgpDigParamsNew(pkt.tag);
> + 	    }
> + 	}
> + 
> +@@ -1105,8 +1111,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
> + 		digps = xrealloc(digps, alloced * sizeof(*digps));
> + 	    }
> + 
> +-	    digps[count] = xcalloc(1, sizeof(**digps));
> +-	    digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
> ++	    digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
> + 	    /* Copy UID from main key to subkey */
> + 	    digps[count]->userid = xstrdup(mainkey->userid);
> + 
> +-- 
> +2.17.1
> +
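Review bot: the `Upstream-Status` line in the header of 0001-CVE-2021-3521.patch reads `Backport[https://...]` with no space between `Backport` and the opening bracket, which is the same formatting the reply below says the new tests flag. Write it as `Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/9f03f42e2]`. The embedded rpmio/rpmpgp.c change itself only moves the two `xcalloc` plus tag assignments into `pgpDigParamsNew()`, so the header line is the only thing to fix in this file.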
> diff --git a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch \
> b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch new file mode 100644
> index 0000000000..b93a1d5404
> --- /dev/null
> +++ b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
> @@ -0,0 +1,64 @@
> +From c4b1bee51bbdd732b94b431a951481af99117703 Mon Sep 17 00:00:00 2001
> +From: Panu Matilainen <pmatilai@redhat.com>
> +Date: Thu, 30 Sep 2021 09:51:10 +0300
> +Subject: [PATCH 2/3] Process MPI's from all kinds of signatures
> +
> +No immediate effect but needed by the following commits.
> +
> +CVE: CVE-2021-3521
> +Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/b5e8bc74b]
>  +

The new tests also trigger for the missing space above after Backport. It does
make me wonder why you don't see those test failures. I've tweaked the patches
in master-next to fix this.

Cheers,

Richard


