From 1bf57ad1d91506dd36a086e8029f02cccc5f3641 Mon Sep 17 00:00:00 2001
From: yeah_wang
Date: Tue, 13 Apr 2021 19:37:58 +0800
Subject: [PATCH] FIx-CVE-2021-20271

(cherry picked from commit 85e102c94fd934f86b4ca679b08ab49bf8d8e0e4)
---
 backport-CVE-2021-20271.patch | 169 ++++++++++++++++++++++++++++++++++
 rpm.spec | 113 +++++++---------------------
 2 files changed, 200 insertions(+), 82 deletions(-)
 create mode 100644 backport-CVE-2021-20271.patch

diff --git a/backport-CVE-2021-20271.patch b/backport-CVE-2021-20271.patch
new file mode 100644
index 0000000..18f73f5
--- /dev/null
+++ b/backport-CVE-2021-20271.patch
@@ -0,0 +1,169 @@
+From d6a86b5e69e46cc283b1e06c92343319beb42e21 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Thu, 4 Mar 2021 13:21:19 +0200
+Subject: [PATCH] Be much more careful about copying data from the signature
+ header
+Conflict:NA
+Reference:https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21
+
+Only look for known tags, and ensure correct type and size where known
+before copying over. Bump the old arbitrary 16k count limit to 16M limit
+though, it's not inconceivable that a package could have that many files.
+While at it, ensure none of these tags exist in the main header,
+which would confuse us greatly.
+This is optimized for backporting ease, upstream can remove redundancies
+and further improve checking later.
+Reported and initial patches by Demi Marie Obenour.
+Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ...
+Fixes: CVE-2021-3421, CVE-2021-20271
+---
+ lib/package.c | 112 +++++++++++++++++++++++++---------------------------------
+ 1 file changed, 49 insertions(+), 63 deletions(-)
+
+diff --git a/lib/package.c b/lib/package.c
+index db70d13..6f10bb9 100644
+--- a/lib/package.c
++++ b/lib/package.c
+@@ -31,82 +31,67 @@ struct pkgdata_s {
+ rpmRC rc;
+ };
+
++struct taglate_s {
++ rpmTagVal stag;
++ rpmTagVal xtag;
++ rpm_count_t count;
++} const xlateTags[] = {
++ { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1 },
++ { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0 },
++ { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16 },
++ { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0 },
++ /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0 }, */ /* long obsolete, dont use */
++ { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1 },
++ { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0 },
++ { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1 },
++ { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1 },
++ { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1 },
++ { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0 },
++ { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0 },
++ { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1 },
++ { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1 },
++ { 0 }
++};
++
+ /** \ingroup header
+ * Translate and merge legacy signature tags into header.
+ * @param h header (dest)
+ * @param sigh signature header (src)
++ * @return failing tag number, 0 on success
+ */
+ static
+-void headerMergeLegacySigs(Header h, Header sigh)
++rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg)
+ {
+- HeaderIterator hi;
++ const struct taglate_s *xl;
+ struct rpmtd_s td;
+-
+- hi = headerInitIterator(sigh);
+- for (; headerNext(hi, &td); rpmtdFreeData(&td))
+- {
+- switch (td.tag) {
+- /* XXX Translate legacy signature tag values. */
+- case RPMSIGTAG_SIZE:
+- td.tag = RPMTAG_SIGSIZE;
+- break;
+- case RPMSIGTAG_PGP:
+- td.tag = RPMTAG_SIGPGP;
+- break;
+- case RPMSIGTAG_MD5:
+- td.tag = RPMTAG_SIGMD5;
+- break;
+- case RPMSIGTAG_GPG:
+- td.tag = RPMTAG_SIGGPG;
+- break;
+- case RPMSIGTAG_PGP5:
+- td.tag = RPMTAG_SIGPGP5;
+- break;
+- case RPMSIGTAG_PAYLOADSIZE:
+- td.tag = RPMTAG_ARCHIVESIZE;
+- break;
+- case RPMSIGTAG_FILESIGNATURES:
+- td.tag = RPMTAG_FILESIGNATURES;
+- break;
+- case RPMSIGTAG_FILESIGNATURELENGTH:
+- td.tag = RPMTAG_FILESIGNATURELENGTH;
+- break;
+- case RPMSIGTAG_SHA1:
+- case RPMSIGTAG_SHA256:
+- case RPMSIGTAG_DSA:
+- case RPMSIGTAG_RSA:
+- default:
+- if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE))
+- continue;
+- break;
+- }
+- if (!headerIsEntry(h, td.tag)) {
+- switch (td.type) {
+- case RPM_NULL_TYPE:
+- continue;
++ rpmtdReset(&td);
++ for (xl = xlateTags; xl->stag; xl++) {
++ /* There mustn't be one in the main header */
++ if (headerIsEntry(h, xl->xtag))
++ if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) {
++ /* Translate legacy tags */
++ if (xl->stag != xl->xtag)
++ td.tag = xl->xtag;
++ /* Ensure type and tag size match expectations */
++ if (td.type != rpmTagGetTagType(td.tag))
+ break;
+- case RPM_CHAR_TYPE:
+- case RPM_INT8_TYPE:
+- case RPM_INT16_TYPE:
+- case RPM_INT32_TYPE:
+- case RPM_INT64_TYPE:
+- if (td.count != 1)
+- continue;
++ if (td.count < 1 || td.count > 16*1024*1024)
+ break;
+- case RPM_STRING_TYPE:
+- case RPM_STRING_ARRAY_TYPE:
+- case RPM_BIN_TYPE:
+- if (td.count >= 16*1024)
+- continue;
++ if (xl->count && td.count != xl->count)
+ break;
+- case RPM_I18NSTRING_TYPE:
+- continue;
++ if (!headerPut(h, &td, HEADERPUT_DEFAULT))
+ break;
+- }
+- (void) headerPut(h, &td, HEADERPUT_DEFAULT);
++ rpmtdFreeData(&td);
+ }
+ }
+- headerFreeIterator(hi);
++ rpmtdFreeData(&td);
++
++ if (xl->stag) {
++ rasprintf(msg, "invalid signature tag %s (%d)",
++ rpmTagGetName(xl->xtag), xl->xtag);
++ }
++
++ return xl->stag;
+ }
+
+ /**
+@@ -369,7 +354,8 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp)
+ goto exit;
+
+ /* Append (and remap) signature tags to the metadata. */
+- headerMergeLegacySigs(h, sigh);
++ if (headerMergeLegacySigs(h, sigh, &msg))
++ goto exit;
+ applyRetrofits(h);
+
+ /* Bump reference count for return. */
+--
+1.8.3.1
+
diff --git a/rpm.spec b/rpm.spec
index 9eb6ae2..373b0cc 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -1,6 +1,6 @@
 Name: rpm
 Version: 4.15.1
-Release: 23
+Release: 19
 Summary: RPM Package Manager
 License: GPLv2+
 URL: http://www.rpm.org/
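Review bot: In the new headerMergeLegacySigs the line `if (headerIsEntry(h, xl->xtag))` is followed directly by `if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) {`, so the main-header check has no body of its own and instead gates the merge: a signature tag is copied only when the main header already carries the same tag, and the case the comment says "mustn't" happen is silently accepted rather than rejected. The hunk's own counts (`@@ -31,82 +31,67 @@`, 49 added lines) match the text as shown, so this does not look like a line lost in rendering; the intended guard is `if (headerIsEntry(h, xl->xtag))` followed by `break;` on its own line before the headerGet, which also makes the "invalid signature tag" message at the bottom fire for that tag (the whole function lies inside this hunk). In the rpmReadPackageFile hunk, `goto exit` is taken without assigning rc; if rc is still RPMRC_OK from the check just above (those lines are outside the hunk), the caller would see success with msg set and *hdrp never filled in, so `rc = RPMRC_FAIL;` before the goto is worth confirming against the exit path.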
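Review bot: `-Release: 23` / `+Release: 19` moves the release backwards on this branch, and the later changelog hunk renumbers the existing `* Mon Jan 11 2021 Liquor - 4.15.1-19` entry to `4.15.1-18` so that the new entry can take 4.15.1-19. If any of 4.15.1-20 through -23 named in the removed changelog entries were ever built from this branch, rpm's EVR ordering means systems on them will not upgrade to this build and so will not receive the CVE-2021-20271 fix, and a published changelog entry no longer matches its build; the release should exceed the last shipped value and the old entry be left as it was. The Patch-list hunk also drops Patch13–15 and Patch38–68 (digest lists, ndb) and adds `libdb-devel` to BuildRequires without the subject mentioning it; if that is an artefact of cherry-picking against a different base the description should say so, otherwise the spec change should be limited to `Patch36: backport-CVE-2021-20271.patch`. The `%prep` section is outside this diff, so whether Patch36 is actually applied (`%patch36` or `%autosetup`) cannot be confirmed here, and the new entry lacks the space after `*` (`*Tue Apr 13 2021` vs `* Mon Jan 11 2021`).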
@@ -19,66 +19,33 @@ Patch9: bugfix-rpm-4.11.3-add-aarch64_ilp32-arch.patch
 Patch10: bugfix-rpm-4.14.2-fix-tty-failed.patch
 Patch11: bugfix-rpm-4.14.2-wait-once-get-rpmlock-fail.patch
 Patch12: Use-common-error-logic-regardless-of-setexecfilecon-.patch
-Patch13: Generate-digest-lists.patch
-Patch14: Add-digest-list-plugin.patch
-Patch15: Don-t-add-dist-to-release-if-it-is-already-there.patch
-
-Patch16: backport-Fix-changelog-trimming-to-work-relative-to-newest-ex.patch
-Patch17: backport-Fix-resource-leaks-on-zstd-open-error-paths.patch
-Patch18: backport-rpmio-initialise-libgcrypt.patch
-Patch19: backport-fix-zstd-magic.patch
-Patch20: backport-Don-t-require-signature-header-to-be-in-single-conti.patch
-Patch21: backport-Fix-regression-on-v3-package-handling-on-database-re.patch
-Patch22: backport-Fix-a-minor-memory-leak-on-suppressed-inhibition-loc.patch
-Patch23: backport-Fix-POPT_ARG_STRING-memleaks-in-librpmbuild.patch
-Patch24: backport-Fix-build-regression-in-commit-307872f71b357a3839fd0.patch
-Patch25: backport-Fix-isUnorderedReq-for-multiple-qualifiers.patch
-Patch26: backport-If-fork-fails-in-getOutputFrom-close-opened-unused-p.patch
-Patch27: backport-Fix-pointer-dereference-before-testing-for-NULL-in-r.patch
-Patch28: backport-Don-t-look-into-source-package-provides-in-depsolvin.patch
-Patch29: backport-rpmfiArchiveRead-use-signed-return-value-to-handle-1.patch
-Patch30: backport-Fix-bump-up-the-limit-of-signature-header-to-64MB.patch
-Patch31: backport-Remove-compare-of-global-array-tagsByName-to-NULL.patch
-Patch32: backport-Always-close-libelf-handle-1313.patch
-Patch33: backport-Add-missing-terminator-to-copyTagsFromMainDebug-arra.patch
-Patch34: backport-Fix-possible-read-beyond-buffer-in-rstrnlenhash.patch
-Patch35: backport-Make-fdSeek-return-0-on-success-1-on-error.patch
-Patch36: backport-Fix-logic-error-in-grabArgs.patch
-Patch37: backport-Use-libelf-for-determining-file-colors.patch
-
-Patch38: backport-Add-backend-name-and-path-of-main-database-file-to-d.patch
-Patch39: backport-Use-paths-from-db_ops-in-the-backends-too-where-poss.patch
-Patch40: backport-Use-the-new-backend-struct-data-for-backend-configur.patch
-Patch41: backport-Add-support-for-reading-BDB-without-the-library.patch
-Patch42: backport-Fix-building-with-no-BerkeleyDB-support.patch
-Patch43: backport-Implement-a-key-only-rpmdb-index-iterator.patch
-Patch44: backport-ndb-remove-unused-lzo-compression-code.patch
-Patch45: backport-ndb-make-ordered-slots-flag-a-boolean.patch
-Patch46: backport-ndb-drop-unused-number-of-allocated-slots.patch
-Patch47: backport-ndb-no-longer-free-the-pkgid-hash-all-the-time.patch
-Patch48: backport-ndb-add-a-verify-method.patch
-Patch49: backport-ndb-use-the-generation-instead-of-the-current-time-i.patch
-Patch50: backport-ndb-only-clear-the-dbenv-in-the-rpmdb-if-the-last-re.patch
-Patch51: backport-ndb-add-a-rpmxdbDelAllBlobs-method.patch
-Patch52: backport-ndb-implement-index-regeneration-if-the-index-is-out.patch
-Patch53: backport-Remove-the-experimental-status-from-the-ndb-database.patch
-Patch54: backport-ndb-fix-ftruncate-return-value-warning.patch
-Patch55: backport-Permit-ndb-database-queries-on-read-only-media.patch
-Patch56: backport-ndb-add-a-rpmpkgSalvage-method.patch
-Patch57: backport-Add-a-salvagedb-option-to-the-rpmdb-tool.patch
-Patch58: backport-Flush-1998-vintage-dirent.h-compatibility-mess-from-.patch
-Patch59: backport-ndb-also-copy-the-mapped-pointer-when-keeping-a-slot.patch
-Patch60: backport-ndb-do-not-map-the-index-databases-read-write-all-th.patch
-Patch61: backport-ndb-do-not-map-xdb-s-header-read-write-all-the-time.patch
-Patch62: backport-ndb-unmap-xdb-s-header-when-closing-the-xdb-database.patch
-Patch63: backport-ndb-make-rpmxdbWriteHeader-a-void-function.patch
-Patch64: backport-Add-an-index-sync-call-at-the-end-of-a-database-rebu.patch
-Patch65: backport-Deprecate-Berkeley-DB-database-backend.patch
-Patch66: backport-Always-open-and-initialize-the-entire-database-at-on.patch
-Patch67: backport-Stop-on-first-failure-when-trying-to-open-a-database.patch
-Patch68: backport-Only-attempt-loading-the-keyring-once-the-rpmdb-is-o.patch
-
-BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel
+
+Patch13: backport-Fix-changelog-trimming-to-work-relative-to-newest-ex.patch
+Patch14: backport-Fix-resource-leaks-on-zstd-open-error-paths.patch
+Patch15: backport-rpmio-initialise-libgcrypt.patch
+Patch16: backport-fix-zstd-magic.patch
+Patch17: backport-Don-t-require-signature-header-to-be-in-single-conti.patch
+Patch18: backport-ndb-only-clear-the-dbenv-in-the-rpmdb-if-the-last-re.patch
+Patch19: backport-Fix-regression-on-v3-package-handling-on-database-re.patch
+Patch20: backport-Fix-a-minor-memory-leak-on-suppressed-inhibition-loc.patch
+Patch21: backport-Fix-POPT_ARG_STRING-memleaks-in-librpmbuild.patch
+Patch22: backport-Fix-build-regression-in-commit-307872f71b357a3839fd0.patch
+Patch23: backport-Fix-isUnorderedReq-for-multiple-qualifiers.patch
+Patch24: backport-If-fork-fails-in-getOutputFrom-close-opened-unused-p.patch
+Patch25: backport-Fix-pointer-dereference-before-testing-for-NULL-in-r.patch
+Patch26: backport-Don-t-look-into-source-package-provides-in-depsolvin.patch
+Patch27: backport-rpmfiArchiveRead-use-signed-return-value-to-handle-1.patch
+Patch28: backport-Fix-bump-up-the-limit-of-signature-header-to-64MB.patch
+Patch29: backport-Remove-compare-of-global-array-tagsByName-to-NULL.patch
+Patch30: backport-Always-close-libelf-handle-1313.patch
+Patch31: backport-Add-missing-terminator-to-copyTagsFromMainDebug-arra.patch
+Patch32: backport-Fix-possible-read-beyond-buffer-in-rstrnlenhash.patch
+Patch33: backport-Make-fdSeek-return-0-on-success-1-on-error.patch
+Patch34: backport-Fix-logic-error-in-grabArgs.patch
+Patch35: backport-Use-libelf-for-determining-file-colors.patch
+Patch36: backport-CVE-2021-20271.patch
+
+BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel
 BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
 BuildRequires: dbus-devel fakechroot elfutils-devel elfutils-libelf-devel ima-evm-utils
 BuildRequires: lua-devel libcap-devel libacl-devel libselinux-devel file-devel gettext-devel ncurses-devel
@@ -345,31 +312,13 @@ make check || (cat tests/rpmtests.log; exit 0)
 %{_mandir}/man1/gendiff.1*
 
 %changelog
-* Fri Mar 26 2021 panxiaohe - 4.15.1-23
-- Type:bugfix
-- ID:NA
-- SUG:NA
-- DESC:delete unused patches and fix dependency
-
-* Thu Mar 25 2021 Anakin Zhang - 4.15.1-22
-- Type:bugfix
-- ID:NA
-- SUG:NA
-- DESC:sync with master branch
-
-* Sat Feb 27 2021 Anakin Zhang - 4.15.1-21
-- Type:bugfix
-- ID:NA
-- SUG:NA
-- DESC:reorder digest lists to fix anaconda build failure
-
-* Tue Jan 12 2021 panxiaohe - 4.15.1-20
+*Tue Apr 13 2021 liudabo - 4.15.1-19
 - Type:enhancement
 - ID:NA
 - SUG:NA
-- DESC:use ndb instead of Berkeley DB, and deprecate Berkeley DB.
+- DESC:Fix CVE-2021-20271
 
-* Mon Jan 11 2021 Liquor - 4.15.1-19
+* Mon Jan 11 2021 Liquor - 4.15.1-18
 - Type:enhancement
 - ID:NA
 - SUG:NA
--
Gitee