new file mode 100644

@@ -0,0 +1,96 @@

+From 404ef011c300207cdb1e531670384564aae04bdc Mon Sep 17 00:00:00 2001

+From: Panu Matilainen <pmatilai@redhat.com>

+Date: Tue, 19 Sep 2017 14:46:36 +0300

+Subject: [PATCH] Don't follow symlinks on file creation (CVE-2017-7501)

+

+Open newly created files with O_EXCL to prevent symlink tricks.

+When reopening hardlinks for writing the actual content, use append

+mode instead. This is compatible with the write-only permissions but

+is not destructive in case we got redirected to somebody elses file,

+verify the target before actually writing anything.

+

+As these are files with the temporary suffix, errors mean a local

+user with sufficient privileges to break the installation of the package

+anyway is trying to goof us on purpose, don't bother trying to mend it

+(we couldn't fix the hardlink case anyhow) but just bail out.

+

+Based on a patch by Florian Festi.

+---

+ lib/fsm.c | 29 +++++++++++++++++++++++------

+ 1 file changed, 23 insertions(+), 6 deletions(-)

+

+diff --git a/lib/fsm.c b/lib/fsm.c

+index 553774b30..e0e9d03a1 100644

+--- a/lib/fsm.c

+@@ -206,11 +206,22 @@ static int fsmSetFCaps(const char *path, const char *captxt)

+     return rc;

+ }

+ 

++/* Check dest is the same, empty and regular file with writeonly permissions */

++static int linkSane(FD_t wfd, const char *dest)

++{

++    struct stat sb, lsb;

++

++    return (fstat(Fileno(wfd), &sb) == 0 && sb.st_size == 0 &&

++	    (sb.st_mode & ~S_IFMT) == S_IWUSR &&

++	    lstat(dest, &lsb) == 0 && S_ISREG(lsb.st_mode) &&

++	    sb.st_dev == lsb.st_dev && sb.st_ino == lsb.st_ino);

++}

++

+ /** \ingroup payload

+  * Create file from payload stream.

+  * @return		0 on success

+  */

+-static int expandRegular(rpmfi fi, const char *dest, rpmpsm psm, int nodigest, int nocontent)

++static int expandRegular(rpmfi fi, const char *dest, rpmpsm psm, int exclusive, int nodigest, int nocontent)

+ {

+     FD_t wfd = NULL;

+     int rc = 0;

+@@ -218,8 +229,14 @@ static int expandRegular(rpmfi fi, const char *dest, rpmpsm psm, int nodigest, i

+     /* Create the file with 0200 permissions (write by owner). */

+     {

+ 	mode_t old_umask = umask(0577);

+-	wfd = Fopen(dest, "w.ufdio");

++	wfd = Fopen(dest, exclusive ? "wx.ufdio" : "a.ufdio");

+ 	umask(old_umask);

++

++	/* If reopening, make sure the file is what we expect */

++	if (!exclusive && wfd != NULL && !linkSane(wfd, dest)) {

++	    rc = RPMERR_OPEN_FAILED;

++	    goto exit;

++	}

+     }

+     if (Ferror(wfd)) {

+ 	rc = RPMERR_OPEN_FAILED;

+@@ -248,7 +265,7 @@ static int fsmMkfile(rpmfi fi, const char *dest, rpmfiles files,

+ 	/* Create first hardlinked file empty */

+ 	if (*firsthardlink < 0) {

+ 	    *firsthardlink = rpmfiFX(fi);

+-	    rc = expandRegular(fi, dest, psm, nodigest, 1);

++	    rc = expandRegular(fi, dest, psm, 1, nodigest, 1);

+ 	} else {

+ 	    /* Create hard links for others */

+ 	    char *fn = rpmfilesFN(files, *firsthardlink);

+@@ -263,10 +280,10 @@ static int fsmMkfile(rpmfi fi, const char *dest, rpmfiles files,

+        existing) file with content */

+     if (numHardlinks<=1) {

+ 	if (!rc)

+-	    rc = expandRegular(fi, dest, psm, nodigest, 0);

++	    rc = expandRegular(fi, dest, psm, 1, nodigest, 0);

+     } else if (rpmfiArchiveHasContent(fi)) {

+ 	if (!rc)

+-	    rc = expandRegular(fi, dest, psm, nodigest, 0);

++	    rc = expandRegular(fi, dest, psm, 0, nodigest, 0);

+ 	*firsthardlink = -1;

+     } else {

+ 	*setmeta = 0;

+@@ -939,7 +956,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,

+ 	    /* we skip the hard linked file containing the content */

+ 	    /* write the content to the first used instead */

+ 	    char *fn = rpmfilesFN(files, firsthardlink);

+-	    rc = expandRegular(fi, fn, psm, nodigest, 0);

++	    rc = expandRegular(fi, fn, psm, 0, nodigest, 0);

+ 	    firsthardlink = -1;

+ 	    free(fn);

+ 	}

@@ -4,7 +4,7 @@

 Summary:        Package manager

 Name:           rpm

 Version:        4.13.0.1

-Release:        6%{?dist}

+Release:        7%{?dist}

 License:        GPLv2+

 URL:            http://rpm.org

 Group:          Applications/System

@@ -17,6 +17,7 @@ Source2:        brp-strip-debug-symbols

 Source3:        brp-strip-unneeded

 Patch0:         find-debuginfo-do-not-generate-non-existing-build-id.patch

 Patch1:         find-debuginfo-do-not-generate-dir-entries.patch

+Patch2:         rpm-CVE-2017-7501.patch

 Requires:       bash

 Requires:       libdb

 Requires:       rpm-libs = %{version}-%{release}

@@ -88,6 +89,7 @@ Python3 rpm.

 %setup -n rpm-%{name}-%{version}-release

 %patch0 -p1

 %patch1 -p1

+%patch2 -p1

 %build

 sed -i '/define _GNU_SOURCE/a #include "../config.h"' tools/sepdebugcrcfix.c

@@ -258,6 +260,8 @@ rm -rf %{buildroot}

 %{python3_sitelib}/*

 %changelog

+*   Thu Dec 21 2017 Xiaolin Li <xiaolinl@vmware.com> 4.13.0.1-7

+-   Fix CVE-2017-7501

 *   Wed Oct 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.13.0.1-6

 -   make python{,3}-rpm depend on current version of librpm

 *   Wed Jun 28 2017 Xiaolin Li <xiaolinl@vmware.com> 4.13.0.1-5