authorsevan <sevan>2015-03-22 17:32:54 +0000
committersevan <sevan>2015-03-22 17:32:54 +0000
commitb465ee2c5908696012a813493efae6da032be0b3 (patch)
treeaec0d3f36457cf2f18e67088799ca721baed59bf /misc
parent56303f85bc565f97a24862070dcb3fa0b162baf2 (diff)
downloadpkgsrc-b465ee2c5908696012a813493efae6da032be0b3.tar.gz
Add patch for CVE-2014-8118 - Integer overflow allows remote attackers to
execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow. https://bugzilla.redhat.com/show_bug.cgi?id=1168715 Reviewed by wiz@
Diffstat (limited to 'misc')
-rw-r--r--misc/rpm/Makefile3
-rw-r--r--misc/rpm/distinfo3
-rw-r--r--misc/rpm/patches/patch-lib_cpio.c20
3 files changed, 24 insertions, 2 deletions
diff --git a/misc/rpm/Makefile b/misc/rpm/Makefile
index bb6c2779e70..598b492a68c 100644
--- a/misc/rpm/Makefile
+++ b/misc/rpm/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.85 2015/03/15 05:34:56 ryoon Exp $
+# $NetBSD: Makefile,v 1.86 2015/03/22 17:32:54 sevan Exp $
DISTNAME= rpm-4.12.0.1
+PKGREVISION= 1
CATEGORIES= misc
MASTER_SITES= http://rpm.org/releases/rpm-4.12.x/
EXTRACT_SUFX= .tar.bz2
diff --git a/misc/rpm/distinfo b/misc/rpm/distinfo
index d07b1ad61d2..abdd08e9cb6 100644
--- a/misc/rpm/distinfo
+++ b/misc/rpm/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2015/03/15 05:34:56 ryoon Exp $
+$NetBSD: distinfo,v 1.15 2015/03/22 17:32:54 sevan Exp $
SHA1 (rpm-4.12.0.1.tar.bz2) = d416bdb249b246b00b2d5d34c66e7f5a68a62524
RMD160 (rpm-4.12.0.1.tar.bz2) = c57a676d467d0984b13bdca7df803e26609055fd
@@ -6,6 +6,7 @@ Size (rpm-4.12.0.1.tar.bz2) = 4129093 bytes
SHA1 (patch-build_rpmfc.c) = 10e3196d7d2dcc17f7c2be0acbea01f00354eee3
SHA1 (patch-configure.ac) = c6301dce864ad1ade8bc21c2d00f2c9754594b2d
SHA1 (patch-lib_backend_db3.c) = 241c9193723253bbe037e61c54992f66aa825136
+SHA1 (patch-lib_cpio.c) = e5f0a60e33832175ab393562be89aba998513ae8
SHA1 (patch-lib_header.c) = 091dc42741fd5f34edcf9b90f1e9d76087be56b4
SHA1 (patch-lib_rpmrc.c) = cf9e1349d84dea4f60b7db574e31e14799d4e75c
SHA1 (patch-misc_fnmatch.c) = d4a8d81fe4a0cb97946e4037c5d8a4299a4411a7
diff --git a/misc/rpm/patches/patch-lib_cpio.c b/misc/rpm/patches/patch-lib_cpio.c
new file mode 100644
index 00000000000..12fb6914ae9
--- /dev/null
+++ b/misc/rpm/patches/patch-lib_cpio.c
@@ -0,0 +1,20 @@
+$NetBSD: patch-lib_cpio.c,v 1.1 2015/03/22 17:32:55 sevan Exp $
+
+CVE-2014-8118 - Integer overflow allows remote attackers to execute arbitrary
+code via a crafted CPIO header in the payload section of an RPM file, which
+triggers a stack-based buffer overflow.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1168715
+
+--- lib/cpio.c.orig 2014-06-30 08:47:13.000000000 +0000
++++ lib/cpio.c
+@@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, ch
+
+ GET_NUM_FIELD(hdr.filesize, fsize);
+ GET_NUM_FIELD(hdr.namesize, nameSize);
++ if (nameSize <= 0 || nameSize > 4096) {
++ return RPMERR_BAD_HEADER;
++ }
+
+ char name[nameSize + 1];
+ read = Fread(name, nameSize, 1, cpio->fd);
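Review bot: The upper bound `4096` in the added `nameSize` check is a bare literal with no stated origin, and nothing in the patch says why that value is the right limit for the `char name[nameSize + 1]` array declared right after it. A short comment above the check would record the intent, e.g. `/* reject non-positive or oversized name lengths from the cpio header before they size the on-stack name[] buffer */`, and if 4096 is meant to track a path-length limit, a named constant would make that visible. The `<= 0` test only catches a wrapped value if `nameSize` is a signed type, which its declaration outside this hunk would confirm. `fsize` is parsed by the same macro one line earlier and gets no range check here; whether it is validated later in rpmcpioHeaderRead cannot be seen, since the function's body starts and ends outside the hunk.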