diff -Nru rpm-4.10.0/debian/changelog rpm-4.10.0/debian/changelog
--- rpm-4.10.0/debian/changelog 2012-06-25 12:29:22.000000000 +0000
+++ rpm-4.10.0/debian/changelog 2013-07-09 11:07:59.000000000 +0000
@@ -1,3 +1,19 @@
+rpm (4.10.0-4ubuntu0.2) quantal; urgency=low
+
+ * Mark rpm2cpio Multi-Arch: foreign (LP: #1175687)
+
+ -- Mark Russell Wed, 12 Jun 2013 14:25:12 -0400
+
+rpm (4.10.0-4ubuntu0.1) quantal-security; urgency=low
+
+ * SECURITY UPDATE: incorrect signature validation
+ - debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch:
+ set correct failure code on signatures that can't be parsed in
+ lib/package.c.
+ - CVE-2012-6088
+
+ -- Marc Deslauriers Tue, 15 Jan 2013 11:15:00 -0500
+
 rpm (4.10.0-4) unstable; urgency=low
 
 * Lower librpm -> rpm-common dependency to recommends as there actually
diff -Nru rpm-4.10.0/debian/control rpm-4.10.0/debian/control
--- rpm-4.10.0/debian/control 2012-06-25 12:29:22.000000000 +0000
+++ rpm-4.10.0/debian/control 2013-07-09 11:07:59.000000000 +0000
@@ -30,7 +30,8 @@
 libdw-dev, libdb-dev, liblua5.1-0-dev (>= 5.1.4-4)
-Maintainer: Michal Čihař
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Michal Čihař
 Uploaders: Loic Minier
 X-Python-Version: >= 2.6
 Standards-Version: 3.9.3
@@ -61,6 +62,7 @@
 Package: rpm2cpio
 Architecture: any
+Multi-Arch: foreign
 Suggests: rpm-i18n
 Replaces: rpm (<<4.7.1-1)
 Breaks: rpm (<<4.7.1-1)
diff -Nru rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch
--- rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch 1970-01-01 00:00:00.000000000 +0000
+++ rpm-4.10.0/debian/patches/0001-Ensure-correct-return-code-on-malformed-signature-in.patch 2013-01-15 16:14:54.000000000 +0000
@@ -0,0 +1,50 @@
+From 3d74c43e7424bc8bf95f5e031446ecb6b08381e8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Fri, 7 Dec 2012 13:54:23 +0200
+Subject: [PATCH] Ensure correct return code on malformed signature in
+ packages
+
+- rpmpkgRead() starts with assumed failure, but there are a number
+ of places assigning the return code, and by the time we get
+ to the parsePGPSig() calls its likely to be RPMRC_OK, so the
+ jumps to exit result in "all is well" return code on a signature
+ we couldn't even parse. Oops.
+- Set the failure status explicitly to fix this fairly nasty regression
+ introduced in commit e8bc3ff5d780f4ee6656c24464402723e5fb04f4, ie
+ rpm >= 4.10.
+(cherry picked from commit 96a616c6aed4c516789a154af188f005caf23f14)
+---
+ lib/package.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/package.c b/lib/package.c
+index 4eeddbf..907cf73 100644
+--- a/lib/package.c
++++ b/lib/package.c
+@@ -600,8 +600,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags,
+ switch (sigtag) {
+ case RPMSIGTAG_RSA:
+ case RPMSIGTAG_DSA:
+- if (parsePGPSig(&sigtd, "package", fn, &sig))
++ if (parsePGPSig(&sigtd, "package", fn, &sig)) {
++ rc = RPMRC_FAIL;
+ goto exit;
++ }
+ /* fallthrough */
+ case RPMSIGTAG_SHA1:
+ { struct rpmtd_s utd;
+@@ -619,8 +621,10 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags,
+ case RPMSIGTAG_GPG:
+ case RPMSIGTAG_PGP5: /* XXX legacy */
+ case RPMSIGTAG_PGP:
+- if (parsePGPSig(&sigtd, "package", fn, &sig))
++ if (parsePGPSig(&sigtd, "package", fn, &sig)) {
++ rc = RPMRC_FAIL;
+ goto exit;
++ }
+ /* fallthrough */
+ case RPMSIGTAG_MD5:
+ /* Legacy signatures need the compressed payload in the digest too. */
+--
+1.7.10.4
+
diff -Nru rpm-4.10.0/debian/patches/series rpm-4.10.0/debian/patches/series
--- rpm-4.10.0/debian/patches/series 2012-06-25 12:29:22.000000000 +0000
+++ rpm-4.10.0/debian/patches/series 2013-01-15 16:14:54.000000000 +0000
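Review bot: The new `rc = RPMRC_FAIL;` before each `goto exit` in lib/package.c covers only the two parsePGPSig() failure paths, yet the patch description itself says rc is reassigned in several places inside rpmpkgRead() before these calls, so any other `goto exit` in that function that still relies on the initial "assumed failure" value has the same latent fail-open problem; rpmpkgRead() starts and ends outside both hunks, so that cannot be confirmed from here and should be checked against the full function. A single `rc = RPMRC_FAIL;` placed immediately before `switch (sigtag) {` would make every early exit within the switch fail closed, although whether some path inside the switch legitimately depends on an earlier RPMRC_OK would need verifying first. The two inserted blocks are identical and carry no rationale; a comment such as `/* an unparseable signature must never leave rc at RPMRC_OK */` above each assignment would record why the explicit value is required. As a packaging point, the new patch file has no DEP-3 header: an `Origin: upstream, commit 96a616c6aed4c516789a154af188f005caf23f14` line plus a reference to CVE-2012-6088 (currently present only in debian/changelog) would keep this security fix traceable from the patch itself.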
@@ -9,3 +9,4 @@
 no-linux-gate.so-dependancy.patch
 autogen-cleanup.patch
 lua-libname.patch
+0001-Ensure-correct-return-code-on-malformed-signature-in.patch