Bug 1341913 - off-by-one error in base64_decode_value
Summary: off-by-one error in base64_decode_value
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rpm
Version: 7.4
Hardware: All
OS: All
Target Milestone: rc
: ---
Assignee: Florian Festi
QA Contact: Jan Blazek
Depends On:
Blocks: 1380360
TreeView+ depends on / blocked
Reported: 2016-06-02 02:46 UTC by Doran Moppert
Modified: 2017-08-01 19:33 UTC (History)
0 users

Clone Of:
Last Closed: 2017-08-01 19:33:33 UTC

Attachments (Terms of Use)
simple demo of incorrect result by copying static function into standalone program (568 bytes, text/plain)
2016-06-02 02:46 UTC, Doran Moppert
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2160 normal SHIPPED_LIVE rpm bug fix and enhancement update 2017-08-01 18:17:27 UTC

Description Doran Moppert 2016-06-02 02:46:36 UTC
Created attachment 1163869 [details]
simple demo of incorrect result by copying static function into standalone program

Description of problem:

base64_decode_value() in rpmio/base64.c incorrectly uses > instead of >= when bounds checking array.  This leads to base64_decode_value(123) 
returning a garbage value rather than -1.

Version-Release number of selected component (if applicable):

Present in all versions.

How reproducible:


Steps to Reproduce:

Attached file demonstrates the function's incorrect result (should be -1, result is instead arbitrary).

Additional info:

See upstream bug https://github.com/rpm-software-management/rpm/pull/68

Originally disclosed by jwakely@redhat.com to secalert@ as a potential security issue.

Comment 6 errata-xmlrpc 2017-08-01 19:33:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.