Re: [OE-core] [V3][PATCH] rpm: fix CVE-2021-3521
From: Richard Purdie <hidden>
Date: 2021-12-31 15:38:39
On Fri, 2021-12-31 at 10:21 +0800, Changqing Li wrote:
quoted hunk ↗ jump to hunk
From: Changqing Li <redacted> Signed-off-by: Changqing Li <redacted> --- .../rpm/files/0001-CVE-2021-3521.patch | 57 +++ .../rpm/files/0002-CVE-2021-3521.patch | 64 ++++ .../rpm/files/0003-CVE-2021-3521.patch | 329 ++++++++++++++++++ meta/recipes-devtools/rpm/rpm_4.17.0.bb | 3 + 4 files changed, 453 insertions(+) create mode 100644 meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch create mode 100644 meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch create mode 100644 meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patchdiff --git a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch new file mode 100644 index 0000000000..b374583017 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch@@ -0,0 +1,57 @@ +From 9a6871126f472feea057d5f803505ec8cc78f083 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen <pmatilai@redhat.com> +Date: Thu, 30 Sep 2021 09:56:20 +0300 +Subject: [PATCH 1/3] Refactor pgpDigParams construction to helper function + +No functional changes, just to reduce code duplication and needed by +the following commits. + +CVE: CVE-2021-3521 +Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/9f03f42e2] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + rpmio/rpmpgp.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c +index d0688ebe9a..e472b5320f 100644 +--- a/rpmio/rpmpgp.c ++++ b/rpmio/rpmpgp.c +@@ -1041,6 +1041,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype) + return algo; + } + ++static pgpDigParams pgpDigParamsNew(uint8_t tag) ++{ ++ pgpDigParams digp = xcalloc(1, sizeof(*digp)); ++ digp->tag = tag; ++ return digp; ++} ++ + int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, + pgpDigParams * ret) + { +@@ -1058,8 +1065,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, + if (pkttype && pkt.tag != pkttype) { + break; + } else { +- digp = xcalloc(1, sizeof(*digp)); +- digp->tag = pkt.tag; ++ digp = pgpDigParamsNew(pkt.tag); + } + } + +@@ -1105,8 +1111,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen, + digps = xrealloc(digps, alloced * sizeof(*digps)); + } + +- digps[count] = xcalloc(1, sizeof(**digps)); +- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY; ++ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY); + /* Copy UID from main key to subkey */ + digps[count]->userid = xstrdup(mainkey->userid); + +-- +2.17.1 +diff --git a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch new file mode 100644 index 0000000000..b93a1d5404 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch@@ -0,0 +1,64 @@ +From c4b1bee51bbdd732b94b431a951481af99117703 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen <pmatilai@redhat.com> +Date: Thu, 30 Sep 2021 09:51:10 +0300 +Subject: [PATCH 2/3] Process MPI's from all kinds of signatures + +No immediate effect but needed by the following commits. + +CVE: CVE-2021-3521 +Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/b5e8bc74b] +
The new tests also trigger for the missing space above after Backport. It does make me wonder why you don't see those test failures. I've tweaked the patches in master-next to fix this. Cheers, Richard