Bug 239557

Summary: Crash on fuzzed RPM files
Product: [Fedora] Fedora Reporter: Victor Stinner <victor.stinner>
Component: rpmAssignee: Panu Matilainen <pmatilai>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: herrold
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-06-26 07:51:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File #1 to crash rpm
none
File #2 to crash rpm
none
File #3 to crash rpm none

Description Victor Stinner 2007-05-09 13:54:48 UTC 
Description of problem:
With my fuzzer, I generated three files which crash rpm. The files may 
contains many errors.

Version-Release number of selected component (if applicable):
rpm version 4.4.1, 4.4.6 or 4.4.9.

How reproducible:
Try "rpm -qpi crash_rpm1.rpm" to crash it.

Actual results:
Segfault, but not always. It looks to depend on CPU (32/64 bit) or RPM version 
(4.4.1/4.4.6/4.4.9).

I will attach the 3 files.
Comment 1 Victor Stinner 2007-05-09 13:54:48 UTC 
Created attachment 154393 [details]
File #1 to crash rpm
Comment 2 Victor Stinner 2007-05-09 13:55:42 UTC 
Created attachment 154394 [details]
File #2 to crash rpm
Comment 3 Victor Stinner 2007-05-09 13:56:19 UTC 
Created attachment 154395 [details]
File #3 to crash rpm
Comment 4 Victor Stinner 2007-05-09 13:58:23 UTC 
I was on #rpm (Freenode IRC server) to speak about the bugs. Some informations 
from jbj:

<jbj> haypo: rpm -qpi w rpm-4.4.9 does not segfault on any of the three.
<jbj> ah, I'm blind. crash_rpm3 segfaults. I'll have a fix today ...
<haypo> jbj: what is your CPU?
<jbj> generic i686
<jbj> haypo: crash_rpm3 has i18n tag without the associated array for tag 100.
<jbj> all rpms are fuzzed and suspect yes. rpm has to be able to query random 
crapola without segfault.
<jbj> i have fuzzed. rpm was (likely still is) immune to all single byte fuzz.
<jbj> multi-byte fuzz is trickier to test.
<haypo> jbj: oh, i do more than just one byte fuzzing :)
Comment 5 Jeff Johnson 2007-05-09 18:00:57 UTC 
I've checked a fix for the segfault into rpm cvs, will be in rpm-4.4.9-0.7 when built.

The real fix is mandatory and enforcing signature checking when a signature is present.

All 3 of the fuzzed rpm's display

   warning: only V3 and V4 signatures can be verified, skipping V0 signature

Skipping is not at all the right thing to do.
Comment 6 Panu Matilainen 2007-06-12 08:25:21 UTC 
rpm.org now treats unverifiable signatures as errors and skips over the packages
(instead of signatures):
[pmatilai@localhost rpm]$ ./rpmq -pi ~/crash_rpm1.rpm 
error: skipping package /home/pmatilai/crash_rpm1.rpm with unverifiable V0 signature
Comment 7 Panu Matilainen 2007-06-18 09:51:03 UTC 
FWIW rpm-4.4.2 dies on crash1 and crash2 in provides legacy retrofitting which
4.4.9 doesn't have at all, which explains why it doesn't die on them. 4.4.2
survives 1 & 2 too if the legacy provides adding is skipped.
Comment 8 Jeff Johnson 2007-06-21 02:59:30 UTC 
The legacy retrofitting needs remove because information is added outside
of the digitally signed immutable header region. Its just a matter of time
before that behavior will be exploited.
Comment 9 Panu Matilainen 2007-06-26 07:51:44 UTC 
Fixed in next rawhide push by rpm 4.4.2.1-rc1