- fix CVE-2011-3378

rpm-4.8.x-cve-2011-3378.patch

@@ -0,0 +1,23 @@
+diff --git a/lib/header.c b/lib/header.c
+index 2d68854..536aa89 100644
+--- a/lib/header.c
++++ b/lib/header.c
+@@ -358,6 +358,9 @@ static int regionSwab(indexEntry entry, int il, int dl,
+ 		const unsigned char * dataEnd,
+ 		int regionid)
+ {
++    if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0))
++	return -1;
++
+     for (; il > 0; il--, pe++) {
+ 	struct indexEntry_s ie;
+ 	rpmTagType type;
+@@ -822,7 +825,7 @@ Header headerLoad(void * uh)
+ 
+ 	{   int off = ntohl(pe->offset);
+ 
+-	    if (hdrchkData(off))
++	    if (hdrchkData(off) || hdrchkRange(dl, off))
+ 		goto errxit;
+ 	    if (off) {
+ 		size_t nb = REGION_TAG_COUNT;

rpm.spec

@@ -21,7 +21,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: 6%{?dist}
+Release: 7%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.8.x/%{name}-%{srcver}.tar.bz2
@@ -47,6 +47,7 @@ Patch202: rpm-4.8.0-findlang-localedirs.patch
 Patch203: rpm-4.8.1-eat-stdin.patch
 Patch204: rpm-4.8.1-getoutput-emsg.patch
 Patch205: rpm-4.8.1-find-debuginfo-gdb-index.patch
+Patch206: rpm-4.8.x-cve-2011-3378.patch
 
 # These are not yet upstream
 Patch301: rpm-4.6.0-niagara.patch
@@ -202,6 +203,7 @@ packages on a system.
 %patch203 -p1 -b .eat-stdin
 %patch204 -p1 -b .getoutput-emsg
 %patch205 -p1 -b .find-debuginfo-gdb-index
+%patch206 -p1 -b .cve-2011-3378
 
 %patch301 -p1 -b .niagara
 %patch302 -p1 -b .geode
@@ -419,6 +421,9 @@ exit 0
 %doc COPYING doc/librpm/html/*
 
 %changelog
+* Tue Oct 04 2011 Panu Matilainen <pmatilai@redhat.com> - 4.8.1-7
+- fix CVE-2011-3378
+
 * Fri May 27 2011 Paul Whalen <paul.whalen@senecac.on.ca> - 4.8.1-6
 - Added meego patch for ARM macros