Bug 1168715 (CVE-2014-8118)

Summary: CVE-2014-8118 rpm: integer overflow and stack overflow in CPIO header parsing
Product: [Other] Security Response
Reporter: Florian Weimer <fweimer>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: carnil, ffesti, fweimer, huzaifas, jrusnack, ksrot, magoldma, pmatilai, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20141209,reported=20141127,source=redhat,cvss2=7.6/AV:N/AC:H/Au:N/C:C/I:C/A:C,rhel-4/rpm=notaffected,rhel-5.6.z/rpm=notaffected,rhel-5.9.z/rpm=notaffected,rhel-6/rpm=notaffected,rhel-6.2.z/rpm=notaffected,rhel-6.4.z/rpm=notaffected,rhel-6.5.z/rpm=notaffected,rhel-5/rpm=notaffected,rhel-7/rpm=affected,fedora-all/rpm=affected,cwe=CWE-190->CWE-121
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-12-18 23:47:21 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1170036, 1170037, 1172125
Bug Blocks: 1039813, 1168704
Attachments: rpm-4.12-CVE-2014-8118.patch (flags: none)

Description Florian Weimer 2014-11-27 11:07:33 EST
Issue Description:

It was found that RPM could encounter an integer overflow, leading to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file.  This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.

Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.
Comment 1 Florian Weimer 2014-11-27 11:12:57 EST
Created attachment 962159
rpm-4.12-CVE-2014-8118.patch

Proposed patch to limit the length of the file name to a reasonable value.
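As an added illustration of the class of check the proposed patch introduces (this is example code written for this page, not rpm's parser and not the attached patch): a reader for the newc CPIO header that bounds the 32-bit `c_namesize` field before it is used in any arithmetic or copy, so a crafted value can neither wrap an `int` nor overrun a fixed-size buffer. The 4096-byte cap, the function names and the two sample headers are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CPIO_NEWC_MAGIC "070701"
#define CPIO_HDR_LEN 110           /* 6-byte magic + 13 fields of 8 hex digits */
#define NAMESIZE_OFF (6 + 11 * 8)  /* c_namesize is the 12th 8-digit field */
#define NAME_MAX_SANE 4096         /* assumed cap for this example, not rpm's constant */

enum { CPIO_OK = 0, CPIO_SHORT = -1, CPIO_BAD_MAGIC = -2, CPIO_BAD_HEX = -3, CPIO_BAD_NAMESIZE = -4 };

/* Decode exactly 8 ASCII hex digits; checking each byte first keeps a sign,
 * whitespace or embedded NUL from changing what strtoul sees. */
static int parse_hex8(const unsigned char *p, uint32_t *out)
{
    char tmp[9] = {0};
    for (int i = 0; i < 8; i++)
        if (!isxdigit(p[i])) return CPIO_BAD_HEX;
    memcpy(tmp, p, 8);
    *out = (uint32_t)strtoul(tmp, NULL, 16);  /* 8 hex digits always fit 32 bits */
    return CPIO_OK;
}

/* Copy the file name that follows a newc header into a caller-owned buffer.
 * Bounding namesize before it feeds any arithmetic (namesize + 1 in an int)
 * or copy length is the check whose absence lets the header drive an overflow. */
int cpio_read_name(const unsigned char *buf, size_t buflen, char *name, size_t namecap)
{
    uint32_t namesize;
    if (buflen < CPIO_HDR_LEN) return CPIO_SHORT;
    if (memcmp(buf, CPIO_NEWC_MAGIC, 6) != 0) return CPIO_BAD_MAGIC;
    if (parse_hex8(buf + NAMESIZE_OFF, &namesize) != CPIO_OK) return CPIO_BAD_HEX;
    /* namesize counts the trailing NUL, so 0 is invalid */
    if (namesize == 0 || namesize > NAME_MAX_SANE || namesize > namecap)
        return CPIO_BAD_NAMESIZE;
    if (buflen - CPIO_HDR_LEN < namesize) return CPIO_SHORT;
    memcpy(name, buf + CPIO_HDR_LEN, namesize);
    return name[namesize - 1] == '\0' ? CPIO_OK : CPIO_BAD_NAMESIZE;
}

/* Constructed sample headers (not from any real package): name "a.txt\0" with
 * namesize 6, and the same header with namesize set to 0xffffffff. */
#define SAMPLE_PREFIX "070701" "00000001" "000081a4" "00000000" "00000000" "00000001" \
                      "00000000" "00000000" "00000000" "00000000" "00000000" "00000000"
static const unsigned char SAMPLE_OK[]   = SAMPLE_PREFIX "00000006" "00000000" "a.txt";
static const unsigned char SAMPLE_HUGE[] = SAMPLE_PREFIX "ffffffff" "00000000" "a.txt";

/* Parse into a local fixed-size buffer and report only the status code. */
int cpio_name_status(const unsigned char *buf, size_t buflen)
{
    char name[256];
    return cpio_read_name(buf, buflen, name, sizeof name);
}
```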
Comment 6 Huzaifa S. Sidhpurwala 2014-12-09 07:51:00 EST
Created rpm tracking bugs for this issue:

Affects: fedora-all [bug 1172125]
Comment 7 errata-xmlrpc 2014-12-09 14:51:00 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1976 https://rhn.redhat.com/errata/RHSA-2014-1976.html
Comment 8 Fedora Update System 2014-12-16 23:46:15 EST
rpm-4.12.0.1-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Huzaifa S. Sidhpurwala 2014-12-18 23:47:21 EST
Statement:

This issue does not affect the version of rpm package as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 11 Fedora Update System 2014-12-29 04:57:25 EST
rpm-4.11.3-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.