diff options
| author | Panu Matilainen <pmatilai@redhat.com> | 2012-02-14 11:27:46 +0200 |
|---|---|---|
| committer | Panu Matilainen <pmatilai@redhat.com> | 2012-04-03 15:47:44 +0300 |
| commit | 6fc6b45bf9fef0f17a2900c6c5198bda5e50d09e (patch) | |
| tree | 915f10a6238f15907828fa0e5b5bcd3f89393e95 /lib/package.c | |
| parent | f23998251992b8ae25faf5113c42fee2c49c7f29 (diff) | |
| download | librpm-tizen-6fc6b45bf9fef0f17a2900c6c5198bda5e50d09e.tar.gz librpm-tizen-6fc6b45bf9fef0f17a2900c6c5198bda5e50d09e.tar.bz2 librpm-tizen-6fc6b45bf9fef0f17a2900c6c5198bda5e50d09e.zip | |
Validate negated offsets too in headerVerifyInfo()
- Undo the ancient broken fix for RhBug:71996 from commit
9e06e3b8ca76ae55eaf2c4e37ba9cac729789014: instead of disabling
the check, pass in the correct upper range which is entirely
different from everything else for the region trailer tag.
- Fixes CVE-2012-0815
Diffstat (limited to 'lib/package.c')
| -rw-r--r-- | lib/package.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/package.c b/lib/package.c index 6d0c80d12..ce1c71e2c 100644 --- a/lib/package.c +++ b/lib/package.c @@ -339,7 +339,7 @@ static rpmRC headerVerify(rpmKeyring keyring, rpmVSFlags vsflags, (void) memcpy(&info, regionEnd, REGION_TAG_COUNT); regionEnd += REGION_TAG_COUNT; - if (headerVerifyInfo(1, dl, &info, &entry.info, 1) != -1 || + if (headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1) != -1 || !(entry.info.tag == RPMTAG_HEADERIMMUTABLE && entry.info.type == REGION_TAG_TYPE && entry.info.count == REGION_TAG_COUNT)) |