From 581fa980118f4404994796e7e576c928bc3b9b15 Mon Sep 17 00:00:00 2001
From: fuanan <fuanan3@huawei.com>
Date: Fri, 22 Jan 2021 16:02:45 +0800
Subject: [PATCH] Fix CVE-2020-14352

---
 ...2-Validate-path-read-from-repomd.xml.patch | 50 +++++++++++++++++++
 librepo.spec                                  |  8 ++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch

diff --git a/backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch b/backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch
new file mode 100644
index 0000000..13cd87b
--- /dev/null
+++ b/backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch
@@ -0,0 +1,50 @@
+From 7daea2a2429a54dad68b1de9b37a5f65c5cf2600 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Wed, 12 Aug 2020 08:35:28 +0200
+Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639)
+
+= changelog =
+msg: Validate path read from repomd.xml
+type: security
+---
+ librepo/yum.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/librepo/yum.c b/librepo/yum.c
+index 3059188..529257b 100644
+--- a/librepo/yum.c
++++ b/librepo/yum.c
+@@ -23,6 +23,7 @@
+ #define  BITS_IN_BYTE 8
+ 
+ #include <stdio.h>
++#include <libgen.h>
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <errno.h>
+@@ -770,6 +771,22 @@ prepare_repo_download_targets(LrHandle *handle,
+             continue;
+ 
+         char *location_href = record->location_href;
++
++        char *dest_dir = realpath(handle->destdir, NULL);
++        path = lr_pathconcat(handle->destdir, record->location_href, NULL);
++        char *requested_dir = realpath(dirname(path), NULL);
++        lr_free(path);
++        if (!g_str_has_prefix(requested_dir, dest_dir)) {
++            g_debug("%s: Invalid path: %s", __func__, location_href);
++            g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href);
++            g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free);
++            free(requested_dir);
++            free(dest_dir);
++            return FALSE;
++        }
++        free(requested_dir);
++        free(dest_dir);
++
+         gboolean is_zchunk = FALSE;
+         #ifdef WITH_ZCHUNK
+         if (handle->cachedir && record->header_checksum)
+-- 
+1.8.3.1
+
diff --git a/librepo.spec b/librepo.spec
index 12a1667..6f8db71 100644
--- a/librepo.spec
+++ b/librepo.spec
@@ -8,11 +8,14 @@
 
 Name:                    librepo
 Version:                 1.12.0
-Release:                 1 
+Release:                 2
 Summary:                 Repodata downloading library                 
 License:                 LGPLv2+
 URL:                     https://github.com/rpm-software-management/librepo
 Source0:                 %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+
+Patch0:                  backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch
+
 BuildRequires:           cmake check-devel doxygen pkgconfig(glib-2.0) gcc
 BuildRequires:           libcurl-devel >= %{libcurl_version} pkgconfig(libxml-2.0)
 BuildRequires:           pkgconfig(openssl) gpgme-devel libattr-devel pkgconfig(libcrypto)
@@ -126,6 +129,9 @@ popd
 %endif
 
 %changelog
+* Fri Jan 22 2021 fuanan <fuanan3@huawei.com> - 1.12.0-2
+- fix CVE-2020-14352
+
 * Tue Aug 04 2020 shanzhikun <shanzhikun@huawei.com> - 1.12.0-1
 - upgrade librepo to 1.12.0.
 
-- 
Gitee