Bug 239557
| Field | Value |
|---|---|
| Summary | Crash on fuzzed RPM files |
| Product | [Fedora] Fedora |
| Component | rpm |
| Reporter | Victor Stinner <victor.stinner> |
| Assignee | Panu Matilainen <pmatilai> |
| CC | herrold |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | i386 |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2007-06-26 07:51:44 UTC |
Description
Victor Stinner
2007-05-09 13:54:48 UTC
Created attachment 154393: File #1 to crash rpm
Created attachment 154394: File #2 to crash rpm
Created attachment 154395: File #3 to crash rpm

I was on #rpm (Freenode IRC server) to speak about the bugs. Some information from jbj:

<jbj> haypo: rpm -qpi w rpm-4.4.9 does not segfault on any of the three.
<jbj> ah, I'm blind. crash_rpm3 segfaults. I'll have a fix today ...
<haypo> jbj: what is your CPU?
<jbj> generic i686
<jbj> haypo: crash_rpm3 has i18n tag without the associated array for tag 100.
<jbj> all rpms are fuzzed and suspect yes. rpm has to be able to query random crapola without segfault.
<jbj> i have fuzzed. rpm was (likely still is) immune to all single byte fuzz.
<jbj> multi-byte fuzz is trickier to test.
<haypo> jbj: oh, i do more than just one byte fuzzing :)

I've checked a fix for the segfault into rpm cvs, will be in rpm-4.4.9-0.7 when built.

The real fix is mandatory and enforcing signature checking when a signature is present. All 3 of the fuzzed rpms display

warning: only V3 and V4 signatures can be verified, skipping V0 signature

Skipping is not at all the right thing to do.

rpm.org now treats unverifiable signatures as errors and skips over the packages (instead of signatures):

[pmatilai@localhost rpm]$ ./rpmq -pi ~/crash_rpm1.rpm
error: skipping package /home/pmatilai/crash_rpm1.rpm with unverifiable V0 signature

FWIW rpm-4.4.2 dies on crash1 and crash2 in provides legacy retrofitting, which 4.4.9 doesn't have at all, which explains why it doesn't die on them. 4.4.2 survives 1 & 2 too if the legacy provides adding is skipped. The legacy retrofitting needs removing because information is added outside of the digitally signed immutable header region. It's just a matter of time before that behavior will be exploited.

Fixed in next rawhide push by rpm 4.4.2.1-rc1
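The crash_rpm3 case above is an I18NSTRING-typed tag with no HEADERI18NTABLE (tag 100) to look the locale up in, and the broader point in the thread is that a query tool must reject structurally inconsistent headers rather than dereference them. The following is an added illustration written for this page, not rpm's own code and not from any of the commenters: a strict parser for the RPM header layout (8-byte magic, big-endian index count and store size, 16-byte index entries of tag/type/offset/count, then the data store) that bounds-checks every entry and refuses an I18NSTRING entry whose locale table is missing or has a different count. The `build_header` helper, the sample headers, the tag constants used and the sanity limits are constructed for the example; the crash_rpm attachments themselves are not reproduced.

```python
"""Strict RPM header parser (constructed example, not rpm's own code)."""
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
RPM_STRING_TYPE, RPM_STRING_ARRAY_TYPE, RPM_I18NSTRING_TYPE = 6, 8, 9
RPMTAG_HEADERI18NTABLE = 100          # locale list every I18NSTRING entry must match
RPMTAG_NAME, RPMTAG_SUMMARY = 1000, 1004
# element size in bytes for fixed-width types: NULL, CHAR, INT8, INT16, INT32, INT64, BIN
FIXED_SIZE = {0: 0, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
STRING_TYPES = (RPM_STRING_TYPE, RPM_STRING_ARRAY_TYPE, RPM_I18NSTRING_TYPE)
MAX_ENTRIES, MAX_STORE = 0xFFFF, 0x0FFFFFFF  # sanity limits chosen for this example


class HeaderError(ValueError):
    """Raised for any structurally invalid header instead of crashing."""


def _read_strings(store, off, count):
    """Read `count` NUL-terminated strings starting at `off`; reject unterminated ones."""
    values = []
    for _ in range(count):
        end = store.find(b"\x00", off)
        if end < 0:
            raise HeaderError("unterminated string in data store")
        values.append(store[off:end].decode("utf-8", "replace"))
        off = end + 1
    return values


def parse_header(blob):
    """Return {tag: (type, values)}; raise HeaderError on anything inconsistent."""
    if len(blob) < 16 or blob[:8] != HEADER_MAGIC:
        raise HeaderError("bad header magic")
    nindex, hsize = struct.unpack(">II", blob[8:16])
    if not 0 < nindex <= MAX_ENTRIES or hsize > MAX_STORE:
        raise HeaderError("implausible index count or store size")
    store_start = 16 + 16 * nindex
    if store_start + hsize > len(blob):
        raise HeaderError("truncated header")
    store = blob[store_start:store_start + hsize]
    entries = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">IIII", blob[16 + 16 * i:32 + 16 * i])
        if count == 0 or off >= hsize or tag in entries:
            raise HeaderError(f"bad count/offset or duplicate for tag {tag}")
        if typ in FIXED_SIZE:
            size = FIXED_SIZE[typ] * count
            if off + size > hsize:
                raise HeaderError(f"tag {tag} data runs past data store")
            values = store[off:off + size]
        elif typ in STRING_TYPES:
            if typ == RPM_STRING_TYPE and count != 1:
                raise HeaderError(f"STRING tag {tag} must have count 1")
            values = _read_strings(store, off, count)
        else:
            raise HeaderError(f"unknown type {typ} for tag {tag}")
        entries[tag] = (typ, values)
    # The consistency check crash_rpm3 exercises: an I18NSTRING entry cannot be
    # selected by locale without a matching HEADERI18NTABLE, so reject the header.
    i18n = entries.get(RPMTAG_HEADERI18NTABLE)
    for tag, (typ, values) in entries.items():
        if typ == RPM_I18NSTRING_TYPE:
            if i18n is None or i18n[0] != RPM_STRING_ARRAY_TYPE:
                raise HeaderError(f"I18NSTRING tag {tag} without HEADERI18NTABLE (tag 100)")
            if len(values) != len(i18n[1]):
                raise HeaderError(f"tag {tag} has {len(values)} strings for {len(i18n[1])} locales")
    return entries


def build_header(items):
    """Serialize [(tag, type, values)] into a header blob (strings for string
    types, bytes for BIN). Only used here to construct sample inputs."""
    index, store = b"", b""
    for tag, typ, values in items:
        data = b"".join(v.encode() + b"\x00" for v in values) if typ in STRING_TYPES else bytes(values)
        index += struct.pack(">IIII", tag, typ, len(store), len(values))
        store += data
    return HEADER_MAGIC + struct.pack(">II", len(items), len(store)) + index + store


# Constructed samples: a well-formed header, the same header with tag 100 removed,
# and a copy whose SUMMARY offset is fuzzed to point outside the data store.
GOOD = build_header([
    (RPMTAG_HEADERI18NTABLE, RPM_STRING_ARRAY_TYPE, ["C"]),
    (RPMTAG_NAME, RPM_STRING_TYPE, ["example"]),
    (RPMTAG_SUMMARY, RPM_I18NSTRING_TYPE, ["A constructed package"]),
])
NO_I18N_TABLE = build_header([
    (RPMTAG_NAME, RPM_STRING_TYPE, ["example"]),
    (RPMTAG_SUMMARY, RPM_I18NSTRING_TYPE, ["A constructed package"]),
])
FUZZED_OFFSET = bytearray(GOOD)
struct.pack_into(">I", FUZZED_OFFSET, 16 + 16 * 2 + 8, 0xFFFF)  # offset field of entry #3
FUZZED_OFFSET = bytes(FUZZED_OFFSET)


def query_summary(blob):
    """Like reading SUMMARY for `rpm -qpi`: the string, or the reason the header was rejected."""
    try:
        return parse_header(blob)[RPMTAG_SUMMARY][1][0]
    except HeaderError as e:
        return f"error: {e}"


if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("no tag 100", NO_I18N_TABLE),
                       ("fuzzed offset", FUZZED_OFFSET), ("truncated", GOOD[:40])]:
        print(f"{name}: {query_summary(blob)}")
```

Every rejection is a returned error rather than a fault, which is the property jbj describes ("query random crapola without segfault"); the signature-policy change Panu quotes is the complementary layer, since a header that passes these structural checks can still carry data the signer never covered.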