Validate negated offsets too in headerVerifyInfo()
authorPanu Matilainen <pmatilai@redhat.com>
Tue, 14 Feb 2012 09:27:46 +0000 (11:27 +0200)
committerPanu Matilainen <pmatilai@redhat.com>
Tue, 3 Apr 2012 12:47:44 +0000 (15:47 +0300)
- Undo the ancient broken fix for RhBug:71996 from commit
  9e06e3b8ca76ae55eaf2c4e37ba9cac729789014: instead of disabling
  the check, pass in the correct upper range which is entirely
  different from everything else for the region trailer tag.
- Fixes CVE-2012-0815

lib/header.c
lib/package.c
lib/signature.c

index f7d3ade..5d14bc1 100644 (file)
@@ -199,7 +199,7 @@ int headerVerifyInfo(int il, int dl, const void * pev, void * iv, int negate)
            return i;
        if (hdrchkAlign(info->type, info->offset))
            return i;
-       if (!negate && hdrchkRange(dl, info->offset))
+       if (hdrchkRange(dl, info->offset))
            return i;
        if (hdrchkData(info->count))
            return i;
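Review bot: With the `!negate` guard removed, the `dl` argument to headerVerifyInfo() no longer has a single meaning. `hdrchkRange(dl, info->offset)` now also runs for negated offsets, and the commit message says the region trailer needs an upper range different from everything else. Nothing in the signature records this, so a later caller passing `negate` with the data length would be checked against the wrong bound. I would add a doc comment on the function, for example `/* dl: upper bound for entry offsets; when negate is set (region trailer) pass the index size, not the data length */`. The function body starts and ends outside this hunk.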
index 6d0c80d..ce1c71e 100644 (file)
@@ -339,7 +339,7 @@ static rpmRC headerVerify(rpmKeyring keyring, rpmVSFlags vsflags,
     (void) memcpy(&info, regionEnd, REGION_TAG_COUNT);
     regionEnd += REGION_TAG_COUNT;
 
-    if (headerVerifyInfo(1, dl, &info, &entry.info, 1) != -1 ||
+    if (headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1) != -1 ||
        !(entry.info.tag == RPMTAG_HEADERIMMUTABLE
        && entry.info.type == REGION_TAG_TYPE
        && entry.info.count == REGION_TAG_COUNT))
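Review bot: `il * sizeof(*pe)` is a `size_t` product that is implicitly narrowed to the `int dl` parameter of headerVerifyInfo(), both here and in the identical call in rpmReadSignature() in lib/signature.c. If `il` is range-checked earlier in each function (not visible in these hunks) the value fits, but the new bound then depends silently on that earlier validation. I would compute it once into a named local next to that validation, with a comment explaining the bound: `int ril_max = il * sizeof(*pe); /* region trailer offset is bounded by the index size, not dl */`. The call would then pass `ril_max`, which also removes the duplicated expression. headerVerify() starts and ends outside this hunk.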
index 42c4721..c29064e 100644 (file)
@@ -165,7 +165,7 @@ rpmRC rpmReadSignature(FD_t fd, Header * sighp, sigType sig_type, char ** msg)
        }
        dataEnd += REGION_TAG_COUNT;
 
-       xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
+       xx = headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1);
        if (xx != -1 ||
            !((entry.info.tag == RPMTAG_HEADERSIGNATURES || entry.info.tag == RPMTAG_HEADERIMAGE)
           && entry.info.type == REGION_TAG_TYPE