Bug 213515 (CVE-2006-5466)

Summary: CVE-2006-5466 RPM Crash after listing contents of non-installed package
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Peter Jones <pjones>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: bressers
Keywords: Security
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-08-02 19:04:29 UTC

Description Josh Bressers 2006-11-01 19:04:35 UTC
+++ This bug was initially created as a clone of Bug #212833 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; ru; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7

Description of problem:
RPM crashes when trying to show info/listing/changelog of sylpheed-claws package
from extras.

Version-Release number of selected component (if applicable):
rpm-4.4.2-32.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Download sylpheed-claws package "wget http://redhat.download.fedoraproject.org/pub/fedora/linux/extras/6/x86_64/sylpheed-claws-2.5.6-1.fc6.x86_64.rpm"
2. Do "rpm -qipvl --changelog sylpheed-claws-2.5.6-1.fc6.x86_64.rpm"
3. Observe the crash after last file from package is listed

Actual Results:
*** glibc detected *** /usr/lib/rpm/rpmq: double free or corruption (!prev): 0x000000000065b640 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3e3bc6ea60]
/lib64/libc.so.6(cfree+0x8c)[0x3e3bc7217c]
/usr/lib64/librpm-4.4.so(showQueryPackage+0x10a)[0x356c02924a]
/usr/lib64/librpm-4.4.so[0x356c027f1e]
/usr/lib64/librpm-4.4.so(rpmQueryVerify+0xae)[0x356c02848e]
/usr/lib64/librpm-4.4.so(rpmcliArgIter+0x12a)[0x356c028e6a]
/usr/lib64/librpm-4.4.so(rpmcliQuery+0xa2)[0x356c029062]
/usr/lib/rpm/rpmq[0x401fe8]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3e3bc1da44]
/usr/lib/rpm/rpmq[0x401779]
======= Memory map: ========


Expected Results:
No crash

Additional info:
You can observe the same by doing "less sylpheed-claws-2.5.6-1.fc6.x86_64.rpm"
(that's how I noticed this BTW).

Maybe the package is broken and the bug should be filed against sylpheed-claws
instead, but rpm shouldn't crash anyway.

-- Additional comment from n3npq on 2006-10-29 12:24 EST --
Here's what I see:
  
    $ rpm --version
    RPM version 4.4.8
    $ rpm -qipvl --changelog sylpheed-claws-2.5.6-1.fc6.x86_64.rpm > /tmp/foo
    $ uname -a
    Linux wellfleet.jbj.org 2.6.17-1.2532.fc6PAE #1 SMP Tue Aug 8 20:59:36 EDT 2006 i686 i686 i386 GNU/Linux

i.e. no segfault (not that I was expecting to be able to reproduce).

If the segfault is reproducible, can you try running under valgind please?

NEEDINFO

-- Additional comment from n3npq on 2006-10-29 12:33 EST --
This command is what I mean (sorry for the typo)

    valgrind -v /usr/lib/rpm/rpmq -qipvl --changelog sylpheed-claws-2.5.6-1.fc6.x86_64.rpm



-- Additional comment from Vladimir.MV on 2006-10-29 17:16 EST --
Created an attachment (id=139682)
rpm output under valgrind


-- Additional comment from Vladimir.MV on 2006-10-29 17:17 EST --
Well, you are using rpm 4.4.8, probably that makes a difference ;) But we are
not talking about rawhide or something, just plain fc6...

Valgrind output attached.

-- Additional comment from Vladimir.MV on 2006-10-29 17:22 EST --
New information: this doesn't happen under C or English locale. It happens at
least under Russian UTF-8 locale, though. So "LANG=C rpm ..." doesn't crash, but
"LANG=ru_RU.UTF-8 rpm ..." does.

-- Additional comment from n3npq on 2006-10-29 21:52 EST --
Ah, there it is, reproduced with 4.4.8. The LANG=ru_RU.UTF-8 was the hint I
needed, thanks.

Fixed in rpm cvs, will be in rpm-4.4.8-0.2 when built.

UPSTREAM

-- Additional comment from bressers on 2006-10-30 09:55 EST --
Created an attachment (id=139715)
Patch dug out of upstream CVS


-- Additional comment from bressers on 2006-10-31 21:32 EST --
This issue looks to be a heap buffer overflow.  The data scribbled onto the heap
is random text from the RPM file.  I'm not able to reproduce this issue with any
language other than LANG=ru_RU.UTF-8.  This fact mitigates the potential damage
this bug could cause, therefore I'm assigning it low severity.

This issue should also affect RHEL3

Comment 1 Red Hat Bugzilla 2007-08-21 05:28:57 UTC
User pnasrat's account has been closed

Comment 2 Josh Bressers 2011-08-02 19:04:29 UTC
Statement:

Red Hat no longer plans to fix this flaw in Red Hat Enterprise Linux 4.