author | Panu Matilainen <pmatilai@redhat.com> | 2012-01-19 08:25:15 +0200 |
---|---|---|
committer | Panu Matilainen <pmatilai@redhat.com> | 2012-04-03 15:45:46 +0300 |
commit | e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190 (patch) | |
tree | 47d9fdace09c67dfbf825a097bdeb36b0ddb37f7 | |
parent | eaece70c1e80f6830b4a222f0ba47f4a75a0136b (diff) | |
Specifically validate region tag on header import
- Region tags need to have very specific content, the generic
header tag checks are not sufficient to ensure sanity. Verify
the tag is one of the known region tags and that the entry has
expected type and count.
- Fixes the first half of CVE-2012-0060
-rw-r--r-- | lib/header.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/lib/header.c b/lib/header.c
index 023c6e30d..f7d3ade59 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -828,10 +828,13 @@ Header headerImport(void * blob, unsigned int bsize, headerImportFlags flags)
 entry->info.type = htonl(pe->type);
 entry->info.count = htonl(pe->count);
+ entry->info.tag = htonl(pe->tag);
- if (hdrchkType(entry->info.type))
+ if (!ENTRY_IS_REGION(entry))
+ goto errxit;
+ if (entry->info.type != REGION_TAG_TYPE)
 goto errxit;
- if (hdrchkTags(entry->info.count))
+ if (entry->info.count != REGION_TAG_COUNT)
 goto errxit;
 { int off = ntohl(pe->offset);
@@ -847,7 +850,6 @@ Header headerImport(void * blob, unsigned int bsize, headerImportFlags flags)
 ril = rdl/sizeof(*pe);
 if (hdrchkTags(ril) || hdrchkData(rdl))
 goto errxit;
- entry->info.tag = htonl(pe->tag);
 } else {
 ril = il;
 rdl = (ril * sizeof(struct entryInfo_s));
|
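Review bot: The three new region checks in the first hunk fail with a bare `goto errxit`, and nothing in the code records why exact equality replaces the generic `hdrchkType`/`hdrchkTags` checks. A comment above `if (!ENTRY_IS_REGION(entry))`, such as `/* Region entries have fixed content: a known region tag, REGION_TAG_TYPE and REGION_TAG_COUNT; the generic hdrchk* checks are not sufficient */`, would keep a later cleanup from loosening them. The check presumably depends on `entry->info.tag` being assigned first, which would explain why that line moved up from the second hunk; `ENTRY_IS_REGION` is defined outside the hunk, so confirm it reads `info.tag` and note the ordering in the comment. The moved line converts with `htonl(pe->tag)` while the offset just below uses `ntohl(pe->offset)`; the result is the same, but `ntohl` states the wire-to-host direction. headerImport starts and ends outside the hunk, and the offset validation that follows `int off` is not visible here.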