- fix CVE-2011-3378

.gitignore

@@ -1 +1,2 @@
 rpm-4.8.1.tar.bz2
+/rpm-4.8.1-meego-arm.patch

rpm-4.8.1-fixarm.patch

@@ -0,0 +1,12 @@
+diff -ru rpm-4.8.1-orig/installplatform rpm-4.8.1/installplatform
+--- rpm-4.8.1-orig/installplatform	2009-12-07 09:36:49.000000000 -0500
++++ rpm-4.8.1/installplatform	2011-01-19 02:58:44.000000000 -0500
+@@ -19,7 +19,7 @@
+ case "$arch" in
+   i[3456]86|pentium[34]|athlon|geode) SUBSTS='s_i386_i386_ s_i386_i486_ s_i386_i586_ s_i386_i686_ s_i386_pentium3_ s_i386_pentium4_ s_i386_athlon_ s_i386_geode_' ;;
+   alpha*) SUBSTS='s_alpha_alpha_ s_alpha_alphaev5_ s_alpha_alphaev56_ s_alpha_alphapca56_ s_alpha_alphaev6_ s_alpha_alphaev67_' ;;
+-  arm*) SUBSTS='s_arm_armv3l_ s_arm_armv4l_ s_arm_armv4tl_ s_arm_armv5tel_ s_arm_armv5tejl_ s_arm_armv6l_ s_arm_armv7l_' ;;
++  arm*) SUBSTS='s_arm_arm_ s_arm_armv3l_ s_arm_armv4l_ s_arm_armv4tl_ s_arm_armv5tel_ s_arm_armv5tejl_ s_arm_armv6l_ s_arm_armv7l_' ;;
+   sh4*) SUBSTS='s_sh4_sh4_ s_sh4_sh4a_' ;;
+   sparc*) SUBSTS='s_sparc\(64\|64v\|v9v\|v9\)_sparc_ s_sparc64_sparcv9_;s_sparc\([^v]\|$\)_sparcv9\1_ s_sparcv9_sparc64_;s_sparc\([^6]\|$\)_sparc64\1_' ;;
+   powerpc*|ppc*) SUBSTS='s_ppc64_ppc_ s_ppc\([^6ip]\|$\)_ppc64\1_ s_ppc\([^6ip]\|$\)_ppciseries_ s_ppc\([^6ip]\|$\)_ppcpseries_ s_ppc\([^6ip]\|$\)_ppc64iseries_ s_ppc\([^6ip]\|$\)_ppc64pseries_' ;;

rpm-4.8.x-cve-2011-3378.patch

@@ -0,0 +1,23 @@
+diff --git a/lib/header.c b/lib/header.c
+index 2d68854..536aa89 100644
+--- a/lib/header.c
++++ b/lib/header.c
+@@ -358,6 +358,9 @@ static int regionSwab(indexEntry entry, int il, int dl,
+ 		const unsigned char * dataEnd,
+ 		int regionid)
+ {
++    if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0))
++	return -1;
++
+     for (; il > 0; il--, pe++) {
+ 	struct indexEntry_s ie;
+ 	rpmTagType type;
+@@ -822,7 +825,7 @@ Header headerLoad(void * uh)
+ 
+ 	{   int off = ntohl(pe->offset);
+ 
+-	    if (hdrchkData(off))
++	    if (hdrchkData(off) || hdrchkRange(dl, off))
+ 		goto errxit;
+ 	    if (off) {
+ 		size_t nb = REGION_TAG_COUNT;

rpm.spec

@@ -21,7 +21,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: 5%{?dist}
+Release: 7%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.8.x/%{name}-%{srcver}.tar.bz2
@@ -47,11 +47,13 @@ Patch202: rpm-4.8.0-findlang-localedirs.patch
 Patch203: rpm-4.8.1-eat-stdin.patch
 Patch204: rpm-4.8.1-getoutput-emsg.patch
 Patch205: rpm-4.8.1-find-debuginfo-gdb-index.patch
+Patch206: rpm-4.8.x-cve-2011-3378.patch
 
 # These are not yet upstream
 Patch301: rpm-4.6.0-niagara.patch
 Patch302: rpm-4.7.1-geode-i686.patch
 Patch303: rpm-4.8.0-pkgconfig-private.patch
+Patch304: rpm-4.8.1-fixarm.patch
 
 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD 
@@ -201,10 +203,12 @@ packages on a system.
 %patch203 -p1 -b .eat-stdin
 %patch204 -p1 -b .getoutput-emsg
 %patch205 -p1 -b .find-debuginfo-gdb-index
+%patch206 -p1 -b .cve-2011-3378
 
 %patch301 -p1 -b .niagara
 %patch302 -p1 -b .geode
 %patch303 -p1 -b .pkgconfig-private
+%patch304 -p1 -b .fixarm
 
 %if %{with int_bdb}
 ln -s db-%{bdbver} db
@@ -417,6 +421,12 @@ exit 0
 %doc COPYING doc/librpm/html/*
 
 %changelog
+* Tue Oct 04 2011 Panu Matilainen <pmatilai@redhat.com> - 4.8.1-7
+- fix CVE-2011-3378
+
+* Fri May 27 2011 Paul Whalen <paul.whalen@senecac.on.ca> - 4.8.1-6
+- Added meego patch for ARM macros
+
 * Tue Aug 10 2010 Panu Matilainen <pmatilai@redhat.com> - 4.8.1-5
 - create gdb index on debuginfo generation (#617166)
 - rpm-build now requires /usr/bin/gdb-add-index for consistent index creation