Bug 908128 (CVE-2014-8118) - VUL-0: CVE-2014-8118: rpm: integer overflow leading to stack-based overflow
Summary: VUL-0: CVE-2014-8118: rpm: integer overflow leading to stack-based overflow
Status: RESOLVED FIXED
Alias: CVE-2014-8118
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High / Severity: Critical
Target Milestone: ---
Deadline: 2014-12-12
Assignee: Michael Schröder
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:60027 maint:...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks:
 
Reported: 2014-12-03 07:45 UTC by Johannes Segitz
Modified: 2018-10-19 18:30 UTC
CC: 5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2014-12-03 07:45:03 UTC
CRD: 2014-12-09 12:00 UTC

From: Huzaifa Sidhpurwala <huzaifas@redhat.com>

It was found that RPM could encounter an integer overflow, leading to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.

This issue was discovered by Florian Weimer of Red Hat Product Security. This issue was assigned CVE-2014-8118.

The following is the patch to fix this issue:

diff --git a/lib/cpio.c b/lib/cpio.c
index 253ff0f..600633a 100644
--- a/lib/cpio.c
+++ b/lib/cpio.c
@@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, int * fx)

     GET_NUM_FIELD(hdr.filesize, fsize);
     GET_NUM_FIELD(hdr.namesize, nameSize);
+    if (nameSize <= 0 || nameSize > 4096) {
+        return RPMERR_BAD_HEADER;
+    }

     char name[nameSize + 1];
     read = Fread(name, nameSize, 1, cpio->fd);
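Review bot: the new range check on nameSize sits in the right place, before `char name[nameSize + 1]` sizes the stack buffer, but two points are worth raising. First, `4096` is a magic number; give it a named constant or a comment stating why that bound was chosen (presumably a PATH_MAX-sized name). Second, `fsize`, read just above by `GET_NUM_FIELD(hdr.filesize, fsize)`, gets no equivalent range check in this hunk, so it is worth confirming that every consumer of that value validates it rather than trusting the header.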
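As an added illustration of the check the patch introduces (example code written for this page, not rpm's own: the constants, `get_num_field` and `make_newc_header` are assumptions modelled on the CPIO "newc" header layout and on what the hunk shows), this validator reads the c_namesize field of a header and rejects out-of-range values before any buffer is sized from them:

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define NEWC_MAGIC        "070701"
#define NEWC_HDR_LEN      110   /* 6-byte magic + 13 fields of 8 hex chars */
#define NEWC_NAMESIZE_OFF 94    /* magic + 11 fields precede c_namesize */
#define NAMESIZE_MAX      4096  /* the upper limit the upstream patch adopts */

/* Parse one 8-character ASCII hex field into an unsigned value.
 * Returns 0 on success, -1 unless all eight characters are hex digits.
 * Hypothetical stand-in for rpm's GET_NUM_FIELD macro, not its code. */
static int get_num_field(const char *field, unsigned long *out)
{
    char buf[9];
    char *end;
    for (int i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)field[i]))
            return -1;
    memcpy(buf, field, 8);
    buf[8] = '\0';
    errno = 0;
    *out = strtoul(buf, &end, 16);
    return (errno == 0 && end == buf + 8) ? 0 : -1;
}

/* Returns the validated name size (1..NAMESIZE_MAX) or -1 if the header must
 * be rejected. The range check runs on the unsigned parse result, so a field
 * such as ffffffff (which, stored in an int, becomes -1 and makes
 * "nameSize + 1" zero) is refused before anything is sized from it. */
int cpio_newc_namesize(const char *hdr, size_t len)
{
    unsigned long namesize;
    if (len < NEWC_HDR_LEN || memcmp(hdr, NEWC_MAGIC, 6) != 0)
        return -1;
    if (get_num_field(hdr + NEWC_NAMESIZE_OFF, &namesize) != 0)
        return -1;
    if (namesize == 0 || namesize > NAMESIZE_MAX)
        return -1;
    return (int)namesize;
}

/* Test helper: builds a constructed newc header (all other fields zero)
 * whose c_namesize field is the given 8-character hex string. */
void make_newc_header(char *hdr, const char *namesize_hex)
{
    memset(hdr, '0', NEWC_HDR_LEN);
    memcpy(hdr, NEWC_MAGIC, 6);
    memcpy(hdr + NEWC_NAMESIZE_OFF, namesize_hex, 8);
}
```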
Comment 3 Michael Schröder 2014-12-03 14:02:34 UTC
There are lots of ways to sneak in bad things. I doubt that visibility matters. The signatures in rpms include the payload; the signatures in the repository metadata are over the complete rpm file.

If you install an rpm from an untrusted source you have to be really really careful.
Comment 4 Swamp Workflow Management 2014-12-03 23:00:13 UTC
bugbot adjusting priority
Comment 5 Swamp Workflow Management 2014-12-05 12:21:15 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-12-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59965
Comment 7 Johannes Segitz 2014-12-09 14:31:18 UTC
public
Comment 10 Swamp Workflow Management 2014-12-24 07:05:32 UTC
SUSE-SU-2014:1697-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 892431,906803,908128
CVE References: CVE-2013-6435,CVE-2014-8118
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    rpm-4.4.2.3-37.60.2
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    rpm-4.4.2.3-37.60.2
SUSE Linux Enterprise Server 11 SP3 (src):    rpm-4.4.2.3-37.60.2
SUSE Linux Enterprise Desktop 11 SP3 (src):    rpm-4.4.2.3-37.60.2
Comment 11 Swamp Workflow Management 2014-12-27 21:05:21 UTC
openSUSE-SU-2014:1716-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 892431,906803,908128
CVE References: CVE-2013-6435,CVE-2014-8118
Sources used:
openSUSE 13.2 (src):    python3-rpm-4.11.3-4.2, rpm-4.11.3-4.1, rpm-python-4.11.3-4.2
openSUSE 13.1 (src):    python3-rpm-4.11.1-6.9.1, rpm-4.11.1-6.9.1, rpm-python-4.11.1-6.9.1
openSUSE 12.3 (src):    python3-rpm-4.10.2-2.4.1, rpm-4.10.2-2.4.1, rpm-python-4.10.2-2.4.1
Comment 21 Swamp Workflow Management 2015-01-22 17:05:29 UTC
SUSE-SU-2015:0107-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 892431,906803,908128,911228
CVE References: CVE-2013-6435,CVE-2014-8118
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    rpm-4.11.2-10.1
SUSE Linux Enterprise Server 12 (src):    rpm-4.11.2-10.1, rpm-python-4.11.2-10.1
SUSE Linux Enterprise Desktop 12 (src):    rpm-4.11.2-10.1, rpm-python-4.11.2-10.1
Comment 22 Johannes Segitz 2015-04-09 12:19:39 UTC
all updates released