Bug 1168715 (CVE-2014-8118)

Summary: CVE-2014-8118 rpm: integer overflow and stack overflow in CPIO header parsing
Product: [Other] Security Response Reporter: Florian Weimer <fweimer>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: carnil, ffesti, fweimer, huzaifas, jrusnack, ksrot, magoldma, pmatilai, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-19 04:47:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1170036, 1170037, 1172125    
Bug Blocks: 1039813, 1168704    
Attachments:
Description Flags
rpm-4.12-CVE-2014-8118.patch none

Description Florian Weimer 2014-11-27 16:07:33 UTC 
IssueDescription:

It was found that RPM could encounter an integer overflow, leading to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file.  This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.

Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.
Comment 1 Florian Weimer 2014-11-27 16:12:57 UTC 
Created attachment 962159 [details]
rpm-4.12-CVE-2014-8118.patch

Proposed patch to limit the length of the file name to a reasonable value.
Comment 6 Huzaifa S. Sidhpurwala 2014-12-09 12:51:00 UTC 
Created rpm tracking bugs for this issue:

Affects: fedora-all [bug 1172125]
Comment 7 errata-xmlrpc 2014-12-09 19:51:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1976 https://rhn.redhat.com/errata/RHSA-2014-1976.html
Comment 8 Fedora Update System 2014-12-17 04:46:15 UTC 
rpm-4.12.0.1-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Huzaifa S. Sidhpurwala 2014-12-19 04:47:21 UTC 
Statement:

This issue does not affect the version of rpm package as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 11 Fedora Update System 2014-12-29 09:57:25 UTC 
rpm-4.11.3-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.