Bug 1860976 - NULL ptr deref in initial_state_start_fun
Summary: NULL ptr deref in initial_state_start_fun
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libmetalink
Version: 33
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Alejandro Alvarez
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-07-27 15:15 UTC by Steve Grubb
Modified: 2020-08-20 01:03 UTC (History)
4 users (show)

Fixed In Version: libmetalink-0.1.3-13.fc33 libmetalink-0.1.3-13.fc32 libmetalink-0.1.3-13.fc31
Clone Of:
Environment:
Last Closed: 2020-08-11 14:11:08 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
Patch addressing issue (997 bytes, patch)
2020-07-27 15:15 UTC, Steve Grubb 		no flags Details | Diff
View All

Description Steve Grubb 2020-07-27 15:15:43 UTC 
Created attachment 1702548 [details]
Patch addressing issue

Description of problem:
I spent some time fuzzing this library until I got a crash. The crash is at
lib/metalink_pstate.c line 103. This is called by lib/libexpat_metalink_parser.c at line 81. The issue is that if "name" does not have NAMESPACE_SEPARATOR, then split_ns_name leaves ns_uri == NULL. The fix is to check ns_uri != NULL before using it in initial_state_start_fun at lines 103 and 119.

Version-Release number of selected component (if applicable):
libmetalink-0.1.3-11

Additional info:
Reported upstream: https://bugs.launchpad.net/libmetalink/+bug/1888672
Comment 1 Alejandro Alvarez 2020-08-04 07:16:16 UTC 
Thanks a lot! I have applied the patch and, and just submitted a new build.
Comment 2 Fedora Update System 2020-08-04 08:39:06 UTC 
FEDORA-2020-c3ca827d31 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-c3ca827d31
Comment 3 Fedora Update System 2020-08-04 09:01:37 UTC 
FEDORA-2020-2a9b45c1f5 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-2a9b45c1f5
Comment 4 Fedora Update System 2020-08-05 01:05:27 UTC 
FEDORA-2020-2a9b45c1f5 has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-2a9b45c1f5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-2a9b45c1f5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2020-08-05 01:21:15 UTC 
FEDORA-2020-c3ca827d31 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-c3ca827d31`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-c3ca827d31

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Fedora Update System 2020-08-11 14:11:08 UTC 
FEDORA-2020-c3ca827d31 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 7 Ben Cotton 2020-08-11 15:28:56 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle.
Changing version to 33.
Comment 8 Fedora Update System 2020-08-20 01:03:48 UTC 
FEDORA-2020-2a9b45c1f5 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.