Bug 212833

| Field | Value |
|---|---|
| Summary | CVE-2006-5466 RPM Crash after listing contents of non-installed package |
| Product | Fedora |
| Component | rpm |
| Version | 6 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Vladimir Mosgalin <vladimir.mv> |
| Assignee | Panu Matilainen <pmatilai> |
| CC | bressers, ldv, lkundrak, mls, pinto.elia, pva, security-response-team |
| Keywords | Security |
| Whiteboard | source=redhat,impact=low,reported=20061029,public=20061029 |
| Doc Type | Bug Fix |
| Last Closed | 2007-08-27 17:51:04 UTC |
| Bug Blocks | 213404 |
Description
Vladimir Mosgalin
2006-10-29 14:52:34 UTC

Here's what I see:

$ rpm --version
RPM version 4.4.8
$ rpm -qipvl --changelog sylpheed-claws-2.5.6-1.fc6.x86_64.rpm > /tmp/foo
$ uname -a
Linux wellfleet.jbj.org 2.6.17-1.2532.fc6PAE #1 SMP Tue Aug 8 20:59:36 EDT 2006 i686 i686 i386 GNU/Linux

i.e. no segfault (not that I was expecting to be able to reproduce).

If the segfault is reproducible, can you try running under valgrind please?

NEEDINFO

This command is what I mean (sorry for the typo):

valgrind -v /usr/lib/rpm/rpmq -qipvl --changelog sylpheed-claws-2.5.6-1.fc6.x86_64.rpm

Created attachment 139682 [details]
rpm output under valgrind
Well, you are using rpm 4.4.8, probably that makes a difference ;) But we are not talking about rawhide or something, just plain fc6... Valgrind output attached.

New information: this doesn't happen under the C or English locale. It happens at least under the Russian UTF-8 locale, though. So "LANG=C rpm ..." doesn't crash, but "LANG=ru_RU.UTF-8 rpm ..." does.

Ah, there it is, reproduced with 4.4.8. The LANG=ru_RU.UTF-8 was the hint I needed, thanks. Fixed in rpm cvs, will be in rpm-4.4.8-0.2 when built.

UPSTREAM

Created attachment 139715 [details]
Patch dug out of upstream CVS
This issue looks to be a heap buffer overflow. The data scribbled onto the heap is random text from the RPM file. I'm not able to reproduce this issue with any language other than LANG=ru_RU.UTF-8. This fact mitigates the potential damage this bug could cause, therefore I'm assigning it low severity. This issue should also affect FC5.

But does this affect rpm <= 4.4.7? I did not manage to reproduce it, though I do not have a package database, as we are using another package manager... Thank you.

I can reproduce this as far back as 4.2.3, but not on 4.0.4. So somewhere between 4.0.4 and 4.2.3 this flaw was added.

Hint: try cvs annotate and figure out where the "flaw was added" from there.
As an FYI, to add a little more to this, on Mandriva I can confirm this as far back as rpm 4.2.2. As well, setting LANG= here doesn't cause the segfault, but setting LC_ALL="ru_RU.UTF-8" does (provided locales-ru is installed; if the locale files are not installed, rpm doesn't crash).

Actually showQueryPackage() in 4.0.4 is also vulnerable. UTF-8 and specspo translations are not strictly required; they just make the reproducer simpler. One can construct an rpm package with e.g. a sufficiently large %description which will overflow a malloc'ed buffer in the C locale.

Created attachment 141570 [details]
sufficiently-long-file-name-to-cause-heap-buffer-overflow.spec
Sample spec file to reproduce a heap buffer overflow in an 8-bit locale.
FWIW, the example in #14 does not segfault with rpm-4.4.8. My comment does not mean "fixed", only "avoided", by other recent changes in rpm.

(aside) Here's another easy segfault that was fixed/avoided in the last couple of weeks:

rpm -E '%(cat foo.spec)'

for a sufficiently large foo.spec. I believe that the changes in rpmExpand() are what happened to avoid the reproducer in #14.

Again, note "avoided", not "fixed".
Note that creating a header with a dirname or basename longer than BUFSIZ is not "fixed" by my patch in #7. I'll have a patch to truncate the path to the getconf runtime limit for lib/rpmfi.c today. That's a better fix than mucking about with the stpcpy's in lib/query.c IMHO.

How about the following patch?

Created attachment 142065 [details]
Patch to fix buffer overflow

That looks workable. There are many places where rpm assumes that file paths fit into a BUFSIZ buffer, which can lead to buffer overflows with crafted packages. Guaranteeing that paths are within getconf(1) limits should also be done imho.

Workable for file paths. However, there is other data, not just file paths, from a header that can be maliciously crafted for an overflow.

A complete (afaik) patch for rpm-4.4.8 is at
https://lists.dulug.duke.edu/pipermail/rpm-devel/2006-November/001889.html

The patch includes changes to handle variable length file digests in headers which are irrelevant for rpm-4.4.5 and earlier.

UPSTREAM
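The bug shape the thread keeps returning to (a BUFSIZ-sized heap buffer filled by chained stpcpy from header strings, with the dirname and basename of a crafted package exceeding it) and the fix direction discussed above (bounding paths to the runtime limit instead of patching individual stpcpy calls), as an added C example that is not rpm's code. The `hdr_file` struct, `make_long_name` and both formatter functions are hypothetical stand-ins; the overlong basename is constructed input, and the unchecked variant only computes the size it would write rather than performing the overflow.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical stand-in for the two header tags rpm joins into a file path.
 * In a crafted .rpm both strings are attacker-controlled. */
struct hdr_file {
    const char *dirname;
    const char *basename;
};

/* Bytes a chained-stpcpy formatter would write into its BUFSIZ buffer:
 * dirname + basename + NUL, with no length check at all. */
size_t unchecked_write_size(const struct hdr_file *f)
{
    return strlen(f->dirname) + strlen(f->basename) + 1;
}

/* 1 if formatting this entry the unchecked way overflows a BUFSIZ buffer.
 * The overflow itself is deliberately not performed. */
int unchecked_would_overflow(const struct hdr_file *f)
{
    return unchecked_write_size(f) > BUFSIZ;
}

/* Hardened formatter: cap the path at the smaller of the destination size
 * and PATH_MAX (the thread suggests the getconf runtime limit), reject the
 * entry rather than truncating it silently, and let snprintf enforce the
 * bound. Returns 0 on success, -1 when the entry is rejected. */
int format_path_checked(const struct hdr_file *f, char *out, size_t outlen)
{
    size_t limit = outlen < PATH_MAX ? outlen : PATH_MAX;
    size_t need = unchecked_write_size(f);
    int n;

    if (outlen == 0)
        return -1;
    if (need > limit) {
        out[0] = '\0';
        return -1;
    }
    n = snprintf(out, outlen, "%s%s", f->dirname, f->basename);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Constructed input: a basename of `len` 'A's, the spec-file reproducer's
 * "sufficiently long file name" in miniature. Caller frees. */
char *make_long_name(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char buf[BUFSIZ];
    struct hdr_file ok = { "/usr/bin/", "rpm" };
    char *longname = make_long_name(BUFSIZ + 100);
    struct hdr_file crafted;

    if (!longname)
        return 1;
    crafted.dirname = "/usr/share/doc/";
    crafted.basename = longname;

    printf("benign: overflow=%d checked=%d\n",
           unchecked_would_overflow(&ok),
           format_path_checked(&ok, buf, sizeof buf));
    printf("crafted: needs %zu bytes vs BUFSIZ=%d, overflow=%d checked=%d\n",
           unchecked_write_size(&crafted), BUFSIZ,
           unchecked_would_overflow(&crafted),
           format_path_checked(&crafted, buf, sizeof buf));
    free(longname);
    return 0;
}
```

The same pattern applies to the other header data mentioned above (a %description, or its longer specspo translation, copied into a fixed buffer): the safe shape is to compute the size from the untrusted strings first, compare it against an explicit limit, and refuse the entry when it does not fit.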
Paul: Is rpm-4.4.2-33.fc6 still affected? If not could you please close this bug, otherwise please push a fixed package info FC6. FC6 rpm seems to be still affected. Fixing by updating to 4.4.2.1 to fix several other issues too but means it'll need to go through updates-testing despite being a security fix (built and push initiated already). This has been fixed in rpm-4.4.2.1-1.fc6 which has now been pushed to updates. Great work, Panu! |