A malformed expression with braces can lead to a heap out-of-bounds read in next_brace_sub(), causing a segfault.

The flaw became reachable when brace expansion was enabled by the following upstream commit (present in rpm-4.13.0-rc1):
https://github.com/rpm-software-management/rpm/commit/d14ecfe587

The flaw was fixed by the following subsequent commit:
https://github.com/rpm-software-management/rpm/commit/1af568ac

Backtrace:
#0 next_brace_sub () at rpmglob.c:129
#1 rpmIsGlob () at rpmglob.c:991
#2 0x00007ffff7952929 in rpmGlob () at rpmglob.c:879
#3 0x00007ffff7b98670 in rpmReadPackageManifest () at manifest.c:117
#4 0x00007ffff7ba8a63 in rpmgiLoadManifest () at rpmgi.c:76
#5 rpmgiLoadReadHeader () at rpmgi.c:152
#6 rpmgiNext () at rpmgi.c:238
#7 0x00007ffff7b9d579 in rpmgiShowMatches () at query.c:273
#8 rpmcliArgIter () at query.c:545
#9 0x00007ffff7b9d660 in rpmcliQuery () at query.c:602
#10 0x0000555555555959 in main ()
Acknowledgments: Name: Francisco Alonso
Created rpm tracking bugs for this issue: Affects: fedora-all [bug 1373956]