Bug 1341913 - off-by-one error in base64_decode_value
Summary: off-by-one error in base64_decode_value
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rpm
Version: 7.4
Hardware: All
OS: All
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Florian Festi
QA Contact: Jan Blazek
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 1380360
TreeView+ depends on / blocked
 
Reported: 2016-06-02 02:46 UTC by Doran Moppert
Modified: 2017-08-01 19:33 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2017-08-01 19:33:33 UTC


Attachments (Terms of Use)
simple demo of incorrect result by copying static function into standalone program (568 bytes, text/plain)
2016-06-02 02:46 UTC, Doran Moppert
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2160 normal SHIPPED_LIVE rpm bug fix and enhancement update 2017-08-01 18:17:27 UTC

Description Doran Moppert 2016-06-02 02:46:36 UTC
Created attachment 1163869 [details]
simple demo of incorrect result by copying static function into standalone program

Description of problem:

base64_decode_value() in rpmio/base64.c incorrectly uses > instead of >= when bounds checking array.  This leads to base64_decode_value(123) 
returning a garbage value rather than -1.


Version-Release number of selected component (if applicable):

Present in all versions.


How reproducible:

100%


Steps to Reproduce:

Attached file demonstrates the function's incorrect result (should be -1, result is instead arbitrary).


Additional info:

See upstream bug https://github.com/rpm-software-management/rpm/pull/68

Originally disclosed by jwakely@redhat.com to secalert@ as a potential security issue.

Comment 6 errata-xmlrpc 2017-08-01 19:33:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2160


Note You need to log in before you can comment on or make changes to this bug.