Bug 1371487

Summary: RPM: OOB read in headerSigVerify()
Product: [Other] Security Response
Reporter: Cedric Buissart <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: ffesti, security-response-team, slawomir
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2017-01-24 11:07:34 UTC
Bug Depends On: 1372685, 1373107
Bug Blocks: 1357448

Description Cedric Buissart 2016-08-30 10:14:48 UTC
A heap-based out-of-bounds (OOB) read was discovered in the RPM headerSigVerify() function when doing a sanity check of the RPM headers. An attacker could trick a system administrator into reading a specially crafted RPM file, resulting in a crash of the RPM command.
The OOB read happens before signature verification, so the RPM does not need to be signed for the OOB read to occur.

Upstream fix:
https://github.com/rpm-software-management/rpm/commit/89dce2b

Comment 1 Cedric Buissart 2016-08-30 10:14:53 UTC
Acknowledgments:

Name: Francisco Alonso

Comment 2 Cedric Buissart 2016-08-30 10:24:53 UTC
Valgrind backtrace:

==11445== Invalid read of size 8   
==11445==    at 0x4C2E25E: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11445==    by 0x4E62530: UnknownInlinedFun (string3.h:51)
==11445==    by 0x4E62530: headerSigVerify (package.c:240)
==11445==    by 0x4E62530: headerVerify (package.c:363)
==11445==    by 0x4E62915: rpmpkgReadHeader (package.c:457)
==11445==    by 0x4E62BEA: rpmpkgRead (package.c:578)
==11445==    by 0x4E6352D: rpmReadPackageFile (package.c:717)
==11445==    by 0x4E6EB81: rpmgiReadHeader (rpmgi.c:90)
==11445==    by 0x4E6EB81: rpmgiLoadReadHeader (rpmgi.c:126)
==11445==    by 0x4E6EB81: rpmgiNext (rpmgi.c:216)
==11445==    by 0x4E671D8: rpmgiShowMatches (query.c:274)
==11445==    by 0x4E671D8: rpmcliArgIter (query.c:518)
==11445==    by 0x4E672A6: rpmcliQuery (query.c:568)
==11445==    by 0x401918: main (rpmqv.c:304)

Vulnerable code:
sigtd.data = memcpy(xmalloc(siglen), dataStart + info.offset, siglen);

While sanity checking a SHA1HEADER, RSAHEADER or DSAHEADER tag entry, there is no check that 'dataStart + info.offset + siglen' remains within the malloc'ed boundary.
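
Added example (not RPM's code and not the upstream fix) showing the range check the comment above says is missing in front of the memcpy: `struct sig_entry_info`, `sig_entry_in_range`, `copy_sig_checked` and the sample data area are hypothetical stand-ins for RPM's entry info and header data area, and the check is done with subtraction so an offset + length wrap-around is rejected too.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the tag entry info that headerSigVerify() reads. */
struct sig_entry_info {
    uint32_t offset;   /* byte offset of the payload inside the header data area */
    uint32_t count;    /* payload length in bytes (siglen for a BIN tag) */
};

/* 1 when [offset, offset + count) lies inside a data area of data_len bytes.
 * Subtracting instead of adding keeps an offset + count wrap-around from
 * making a bogus entry look valid. */
int sig_entry_in_range(const struct sig_entry_info *info, size_t data_len)
{
    if (info->offset > data_len)
        return 0;
    return (size_t)info->count <= data_len - info->offset;
}

/* The copy from the report with the missing range check in front of it:
 * returns NULL instead of reading past the end of the data area. */
unsigned char *copy_sig_checked(const unsigned char *data_start, size_t data_len,
                                const struct sig_entry_info *info)
{
    if (!sig_entry_in_range(info, data_len))
        return NULL;
    unsigned char *sig = malloc(info->count);
    return sig ? memcpy(sig, data_start + info->offset, info->count) : NULL;
}

/* Constructed 16-byte data area standing in for a parsed header's dataStart
 * (arbitrary bytes), plus three constructed entries pointing into it. */
static const unsigned char SAMPLE_DATA[16] =
    { 0x8e, 0xad, 0xe8, 0x01, 0, 0, 0, 0, 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80 };
static const struct sig_entry_info ENTRY_OK   = { 8, 8 };            /* fits exactly */
static const struct sig_entry_info ENTRY_PAST = { 12, 8 };           /* 4 bytes past the end */
static const struct sig_entry_info ENTRY_WRAP = { 0xFFFFFFF8u, 16 }; /* offset + count wraps */

/* 1 = copied and bytes match the source, 0 = entry refused, -1 = malloc failed. */
int check_sample_entry(const struct sig_entry_info *info)
{
    unsigned char *sig = copy_sig_checked(SAMPLE_DATA, sizeof SAMPLE_DATA, info);
    if (!sig)
        return sig_entry_in_range(info, sizeof SAMPLE_DATA) ? -1 : 0;
    int same = memcmp(sig, SAMPLE_DATA + info->offset, info->count) == 0;
    free(sig);
    return same ? 1 : -1;
}
```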

Comment 3 Cedric Buissart 2016-09-02 11:29:39 UTC
Created rpm tracking bugs for this issue:

Affects: fedora-all [bug 1372685]