From 1888a6a18089691c64291a761f4991e7421d9151 Mon Sep 17 00:00:00 2001 From: fuanan Date: Fri, 22 Jan 2021 16:05:37 +0800 Subject: [PATCH 1/2] Fix CVE-2020-14352 --- ...2-Validate-path-read-from-repomd.xml.patch | 50 +++++++++++++++ librepo.spec | 64 +++++++++++++++++-- 2 files changed, 108 insertions(+), 6 deletions(-) create mode 100644 backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch diff --git a/backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch b/backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch new file mode 100644 index 0000000..13cd87b --- /dev/null +++ b/backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch @@ -0,0 +1,50 @@ +From 7daea2a2429a54dad68b1de9b37a5f65c5cf2600 Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel +Date: Wed, 12 Aug 2020 08:35:28 +0200 +Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639) + += changelog = +msg: Validate path read from repomd.xml +type: security +--- + librepo/yum.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/librepo/yum.c b/librepo/yum.c +index 3059188..529257b 100644 +--- a/librepo/yum.c ++++ b/librepo/yum.c +@@ -23,6 +23,7 @@ + #define BITS_IN_BYTE 8 + + #include ++#include + #include + #include + #include +@@ -770,6 +771,22 @@ prepare_repo_download_targets(LrHandle *handle, + continue; + + char *location_href = record->location_href; ++ ++ char *dest_dir = realpath(handle->destdir, NULL); ++ path = lr_pathconcat(handle->destdir, record->location_href, NULL); ++ char *requested_dir = realpath(dirname(path), NULL); ++ lr_free(path); ++ if (!g_str_has_prefix(requested_dir, dest_dir)) { ++ g_debug("%s: Invalid path: %s", __func__, location_href); ++ g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href); ++ g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free); ++ free(requested_dir); ++ free(dest_dir); ++ return FALSE; ++ } ++ free(requested_dir); ++ free(dest_dir); ++ + gboolean is_zchunk = FALSE; + #ifdef WITH_ZCHUNK + if (handle->cachedir && record->header_checksum) +-- +1.8.3.1 + diff --git a/librepo.spec b/librepo.spec index 9a132dc..6f8db71 100644 --- a/librepo.spec +++ b/librepo.spec @@ -1,16 +1,21 @@ %global libcurl_version 7.28.0 %global dnf_conflict 2.8.8 +%bcond_without python3 %bcond_without pythontests +%bcond_with python2 %bcond_with zchunk Name: librepo Version: 1.12.0 -Release: 1 +Release: 2 Summary: Repodata downloading library License: LGPLv2+ URL: https://github.com/rpm-software-management/librepo Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz + +Patch0: backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch + BuildRequires: cmake check-devel doxygen pkgconfig(glib-2.0) gcc BuildRequires: libcurl-devel >= %{libcurl_version} pkgconfig(libxml-2.0) BuildRequires: pkgconfig(openssl) gpgme-devel libattr-devel pkgconfig(libcrypto) @@ -27,6 +32,19 @@ Requires: %{name} = %{version}-%{release} %description devel Development files for librepo. +%if %{with python2} +%package -n python2-librepo +Summary: Python bindings for the librepo library +%{?python_provide:%python_provide python2-%{name}} +BuildRequires: python2-sphinx python2-devel python2-flask python2-nose +BuildRequires: python2-requests python2-pyxattr python2-gpg +Requires: %{name} = %{version}-%{release} +Conflicts: python2-dnf < %{dnf_conflict} + +%description -n python2-%{name} +Python 2 bindings for the librepo library. +%endif + %package -n python3-librepo Summary: Python 3 bindings for the librepo library %{?python_provide:%python_provide python3-%{name}} @@ -42,24 +60,51 @@ Python 3 bindings for the librepo library. %prep %autosetup -p1 +mkdir build-py2 mkdir build-py3 %build +%if %{with python2} +pushd build-py2 + %cmake -DPYTHON_DESIRED:FILEPATH=%{__python2} %{!?with_zchunk:-DWITH_ZCHUNK=OFF} -DENABLE_PYTHON_TESTS=%{?with_pythontests:ON}%{!?with_pythontests:OFF} .. + %make_build +popd +%endif + +%if %{with python3} pushd build-py3 %cmake -DPYTHON_DESIRED:FILEPATH=%{__python3} %{!?with_zchunk:-DWITH_ZCHUNK=OFF} -DENABLE_PYTHON_TESTS=%{?with_pythontests:ON}%{!?with_pythontests:OFF} .. %make_build popd +%endif %check +%if %{with python2} +pushd build-py2 + #ctest -VV + make ARGS="-V" test +popd +%endif + +%if %{with python3} pushd build-py3 #ctest -VV make ARGS="-V" test popd +%endif %install +%if %{with python2} +pushd build-py2 + %make_install +popd +%endif + +%if %{with python3} pushd build-py3 %make_install popd +%endif %ldconfig_scriptlets @@ -73,15 +118,22 @@ popd %{_libdir}/pkgconfig/%{name}.pc %{_includedir}/%{name}/ +%if %{with python2} +%files -n python2-%{name} +%{python2_sitearch}/%{name}/ +%endif + +%if %{with python3} %files -n python3-%{name} %{python3_sitearch}/%{name}/ +%endif %changelog -* Tue Apr 28 2020 zhouyihang - 1.12.0-1 -- Type:requirement -- ID:NA -- SUG:NA -- DESC:update librepo version to 1.12.0 +* Fri Jan 22 2021 fuanan - 1.12.0-2 +- fix CVE-2020-14352 + +* Tue Aug 04 2020 shanzhikun - 1.12.0-1 +- upgrade librepo to 1.12.0. * Tue Jan 7 2020 openEuler Buildteam - 1.11.0-2 - Pakcage init -- Gitee From 5189695a84f59fcc4a3874f023966840478768a2 Mon Sep 17 00:00:00 2001 From: fuanan Date: Fri, 22 Jan 2021 16:24:49 +0800 Subject: [PATCH 2/2] Fix CVE-2020-14352 --- librepo.spec | 56 +++++----------------------------------------------- 1 file changed, 5 insertions(+), 51 deletions(-) diff --git a/librepo.spec b/librepo.spec index 6f8db71..aee9272 100644 --- a/librepo.spec +++ b/librepo.spec @@ -1,9 +1,7 @@ %global libcurl_version 7.28.0 %global dnf_conflict 2.8.8 -%bcond_without python3 %bcond_without pythontests -%bcond_with python2 %bcond_with zchunk Name: librepo @@ -32,19 +30,6 @@ Requires: %{name} = %{version}-%{release} %description devel Development files for librepo. -%if %{with python2} -%package -n python2-librepo -Summary: Python bindings for the librepo library -%{?python_provide:%python_provide python2-%{name}} -BuildRequires: python2-sphinx python2-devel python2-flask python2-nose -BuildRequires: python2-requests python2-pyxattr python2-gpg -Requires: %{name} = %{version}-%{release} -Conflicts: python2-dnf < %{dnf_conflict} - -%description -n python2-%{name} -Python 2 bindings for the librepo library. -%endif - %package -n python3-librepo Summary: Python 3 bindings for the librepo library %{?python_provide:%python_provide python3-%{name}} @@ -60,51 +45,24 @@ Python 3 bindings for the librepo library. %prep %autosetup -p1 -mkdir build-py2 mkdir build-py3 %build -%if %{with python2} -pushd build-py2 - %cmake -DPYTHON_DESIRED:FILEPATH=%{__python2} %{!?with_zchunk:-DWITH_ZCHUNK=OFF} -DENABLE_PYTHON_TESTS=%{?with_pythontests:ON}%{!?with_pythontests:OFF} .. - %make_build -popd -%endif - -%if %{with python3} pushd build-py3 %cmake -DPYTHON_DESIRED:FILEPATH=%{__python3} %{!?with_zchunk:-DWITH_ZCHUNK=OFF} -DENABLE_PYTHON_TESTS=%{?with_pythontests:ON}%{!?with_pythontests:OFF} .. %make_build popd -%endif %check -%if %{with python2} -pushd build-py2 - #ctest -VV - make ARGS="-V" test -popd -%endif - -%if %{with python3} pushd build-py3 #ctest -VV make ARGS="-V" test popd -%endif %install -%if %{with python2} -pushd build-py2 - %make_install -popd -%endif - -%if %{with python3} pushd build-py3 %make_install popd -%endif %ldconfig_scriptlets @@ -118,22 +76,18 @@ popd %{_libdir}/pkgconfig/%{name}.pc %{_includedir}/%{name}/ -%if %{with python2} -%files -n python2-%{name} -%{python2_sitearch}/%{name}/ -%endif - -%if %{with python3} %files -n python3-%{name} %{python3_sitearch}/%{name}/ -%endif %changelog * Fri Jan 22 2021 fuanan - 1.12.0-2 - fix CVE-2020-14352 -* Tue Aug 04 2020 shanzhikun - 1.12.0-1 -- upgrade librepo to 1.12.0. +* Tue Apr 28 2020 zhouyihang - 1.12.0-1 +- Type:requirement +- ID:NA +- SUG:NA +- DESC:update librepo version to 1.12.0 * Tue Jan 7 2020 openEuler Buildteam - 1.11.0-2 - Pakcage init -- Gitee