Bug 1168715 (CVE-2014-8118)

Summary: CVE-2014-8118 rpm: integer overflow and stack overflow in CPIO header parsing
Product: [Other] Security Response
Reporter: Florian Weimer <fweimer>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: carnil, ffesti, fweimer, huzaifas, jrusnack, ksrot, magoldma, pmatilai, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20141209,reported=20141127,source=redhat,cvss2=7.6/AV:N/AC:H/Au:N/C:C/I:C/A:C,rhel-4/rpm=notaffected,rhel-5.6.z/rpm=notaffected,rhel-5.9.z/rpm=notaffected,rhel-6/rpm=notaffected,rhel-6.2.z/rpm=notaffected,rhel-6.4.z/rpm=notaffected,rhel-6.5.z/rpm=notaffected,rhel-5/rpm=notaffected,rhel-7/rpm=affected,fedora-all/rpm=affected,cwe=CWE-190->CWE-121
Doc Type: Bug Fix
Last Closed: 2014-12-19 04:47:21 UTC
Bug Depends On: 1170036, 1170037, 1172125
Bug Blocks: 1039813, 1168704
Attachments: rpm-4.12-CVE-2014-8118.patch

Description Florian Weimer 2014-11-27 16:07:33 UTC

It was found that RPM could encounter an integer overflow, leading to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file.  This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.
This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 1 Florian Weimer 2014-11-27 16:12:57 UTC
Created attachment 962159 [details]

Proposed patch to limit the length of the file name to a reasonable value.
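The check the proposed patch describes, bounding the file name length before it is used, is illustrated below against the newc CPIO header format that RPM payloads carry. This is an added example, not the attached patch or rpm's own code; the 4096-byte cap, the struct and function names, and the constructed sample header are assumptions for the illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NEWC_MAGIC    "070701"
#define NEWC_HDR_LEN  110   /* 6-byte magic + 13 fields of 8 ASCII hex digits */
#define MAX_NAME_SIZE 4096  /* assumed cap for this example ("a reasonable value" in the report) */

enum { CPIO_OK = 0, CPIO_BAD_MAGIC = -1, CPIO_BAD_FIELD = -2, CPIO_BAD_NAMESIZE = -3 };
struct newc_hdr { uint32_t mode, filesize, namesize; };

/* Parse one 8-digit hex field into a fixed-width unsigned value, rejecting non-hex bytes. */
static int parse_hex8(const char *p, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        if (!isxdigit((unsigned char)p[i])) return -1;
        int c = tolower((unsigned char)p[i]);
        v = (v << 4) | (uint32_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
    }
    *out = v;
    return 0;
}

/* Field order: ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check */
int parse_newc_header(const char *buf, size_t len, struct newc_hdr *h) {
    if (len < NEWC_HDR_LEN || memcmp(buf, NEWC_MAGIC, 6) != 0) return CPIO_BAD_MAGIC;
    if (parse_hex8(buf + 6 + 8 * 1,  &h->mode)     ||
        parse_hex8(buf + 6 + 8 * 6,  &h->filesize) ||
        parse_hex8(buf + 6 + 8 * 11, &h->namesize)) return CPIO_BAD_FIELD;
    /* namesize counts the trailing NUL, so 0 is malformed. Bounding it here, while it is still a
       plain uint32_t, means no later namesize + 1 or stack-buffer sizing can overflow. */
    if (h->namesize == 0 || h->namesize > MAX_NAME_SIZE) return CPIO_BAD_NAMESIZE;
    return CPIO_OK;
}

/* Build a constructed header (not from any real package) with the caller's namesize field. */
void make_header(char out[NEWC_HDR_LEN + 1], const char *namesize_hex) {
    snprintf(out, NEWC_HDR_LEN + 1, "%s%s%s%s%s%s%s%s%s%s%s%s%.8s%s", NEWC_MAGIC,
             "00000001", "000081A4", "00000000", "00000000", "00000001", "00000000",
             "00000005", "00000000", "00000000", "00000000", "00000000", namesize_hex, "00000000");
}

int main(void) {
    char hdr[NEWC_HDR_LEN + 1]; struct newc_hdr h;
    make_header(hdr, "FFFFFFFF");  /* a namesize no legitimate archive carries */
    printf("rc=%d\n", parse_newc_header(hdr, NEWC_HDR_LEN, &h));  /* rc=-3 */
    return 0;
}
```

The header is rejected before any name buffer is sized, which is the point of the fix: the length field is validated as a bounded unsigned value, not trusted and then used in arithmetic.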

Comment 6 Huzaifa S. Sidhpurwala 2014-12-09 12:51:00 UTC
Created rpm tracking bugs for this issue:

Affects: fedora-all [bug 1172125]

Comment 7 errata-xmlrpc 2014-12-09 19:51:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1976 https://rhn.redhat.com/errata/RHSA-2014-1976.html

Comment 8 Fedora Update System 2014-12-17 04:46:15 UTC
rpm- has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Huzaifa S. Sidhpurwala 2014-12-19 04:47:21 UTC
This issue does not affect the version of rpm package as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 11 Fedora Update System 2014-12-29 09:57:25 UTC
rpm-4.11.3-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.