From e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190 Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Thu, 19 Jan 2012 08:25:15 +0200
Subject: [PATCH] Specifically validate region tag on header import

- Region tags need to have very specific content, the generic header tag checks are not sufficient to ensure sanity. Verify the tag is one of the known region tags and that the entry has expected type and count.
- Fixes the first half of CVE-2012-0060
---
 lib/header.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/header.c b/lib/header.c
index 023c6e3..f7d3ade 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -828,10 +828,13 @@ Header headerImport(void * blob, unsigned int bsize, headerImportFlags flags)
     entry->info.type = htonl(pe->type);
     entry->info.count = htonl(pe->count);
+    entry->info.tag = htonl(pe->tag);
-    if (hdrchkType(entry->info.type))
+    if (!ENTRY_IS_REGION(entry))
+        goto errxit;
+    if (entry->info.type != REGION_TAG_TYPE)
         goto errxit;
-    if (hdrchkTags(entry->info.count))
+    if (entry->info.count != REGION_TAG_COUNT)
         goto errxit;
     {   int off = ntohl(pe->offset);
@@ -847,7 +850,6 @@ Header headerImport(void * blob, unsigned int bsize, headerImportFlags flags)
         ril = rdl/sizeof(*pe);
         if (hdrchkTags(ril) || hdrchkData(rdl))
             goto errxit;
-        entry->info.tag = htonl(pe->tag);
     } else {
         ril = il;
         rdl = (ril * sizeof(struct entryInfo_s));
-- 
2.7.4
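Review bot: The conversions at the top of the first hunk use `htonl()` to bring the on-disk tag, type and count into host order, while the last context line converts the offset with `ntohl()`; the two are identical on every supported platform, but mixing them inside the one block that now decides whether an untrusted header is accepted makes the byte-order direction harder to audit. I would write `entry->info.tag = ntohl(pe->tag);` (and likewise for type and count) so the validation reads consistently with the offset line. All three new rejections are bare `goto errxit`s, so a malformed or hostile package gives the caller nothing to log; if headerImport has an error-reporting path, naming which region check failed would help triage of rejected packages. headerImport starts before and continues after this hunk, so the bounds check applied to `off` before the region trailer is read is not visible here; per the commit message this is only the first half of CVE-2012-0060, and the offset-side validation presumably lands in a separate change.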