From 2bc2b430bc4c1a9a0bfd1c01da68bd53bf7da052 Mon Sep 17 00:00:00 2001
From: CoprDistGit
Date: Sun, 10 Sep 2023 03:05:12 +0000
Subject: automatic import of rpm

---
 backport-CVE-2021-35938.patch | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 backport-CVE-2021-35938.patch

(limited to 'backport-CVE-2021-35938.patch')

diff --git a/backport-CVE-2021-35938.patch b/backport-CVE-2021-35938.patch
new file mode 100644
index 0000000..4e5b3d4
--- /dev/null
+++ b/backport-CVE-2021-35938.patch
@@ -0,0 +1,40 @@
+From 25a435e90844ea98fe5eb7bef22c1aecf3a9c033 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Mon, 14 Feb 2022 14:29:33 +0200
+Subject: [PATCH] Set file metadata via fd-based ops for everything but
+ symlinks
+
+Regular file ops are fd-based already, for the rest we need to open them
+manually. Files with temporary suffix must never be followed, for
+directories (and pre-existing FA_TOUCHed files) use the rpm symlink
+"root or target owner allowed" rule wrt following.
+
+This mostly fixes CVE-2021-35938, but as we're not yet using dirfd-based
+operatiosn for everything there are corner cases left undone. And then
+there's the plugin API which needs updating for all this.
+---
+ lib/fsm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 913e9de..6f781c6 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -1133,6 +1133,14 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
+ rc = RPMERR_UNKNOWN_FILETYPE;
+ }
+
++ if (!rc && fd == -1 && !S_ISLNK(fp->sb.st_mode)) {
++ /* Only follow safe symlinks, and never on temporary files */
++ fd = fsmOpenat(di.dirfd, fp->fpath,
++ fp->suffix ? AT_SYMLINK_NOFOLLOW : 0);
++ if (fd < 0)
++ rc = RPMERR_OPEN_FAILED;
++ }
++
+ if (fd != firstlinkfile)
+ fsmClose(&fd);
+ }
+--
+1.8.3.1
+
--
cgit v1.2.3
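Review bot: The descriptor opened by the new `fd = fsmOpenat(di.dirfd, fp->fpath, fp->suffix ? AT_SYMLINK_NOFOLLOW : 0);` block is, as far as the hunk shows, released straight away by the following context lines `if (fd != firstlinkfile) fsmClose(&fd);` with no fd-based metadata call in between, so the backport target's rpmPackageFilesInstall (whose body starts and ends outside the hunk) needs checking to confirm that the fd-based setmeta path the upstream message describes actually exists at that point; otherwise the patch opens and closes a descriptor without changing what is applied to the path, and the CVE is not mitigated. The symlink policy is also only half visible here: `AT_SYMLINK_NOFOLLOW` is passed only when `fp->suffix` is set, and the "root or target owner allowed" rule for the no-suffix case is presumably implemented inside fsmOpenat rather than in this hunk, so the backport should be verified to carry the fsmOpenat revision that enforces it. Upstream's own message says this "mostly fixes" CVE-2021-35938 with dirfd corner cases left undone, yet the packaging commit is titled only "automatic import of rpm"; I would add a line to the patch's descriptive header such as `Backport note: partial mitigation per upstream; remaining dirfd-based conversions and plugin API changes are not included` so the gap is tracked rather than assumed closed.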