From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; ru; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7

Description of problem:
RPM crashes when trying to show info/listing/changelog of the sylpheed-claws package from extras.

Version-Release number of selected component (if applicable):
rpm-4.4.2-32.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Download the sylpheed-claws package: "wget http://redhat.download.fedoraproject.org/pub/fedora/linux/extras/6/x86_64/sylpheed-claws-2.5.6-1.fc6.x86_64.rpm"
2. Do "rpm -qipvl --changelog sylpheed-claws-2.5.6-1.fc6.x86_64.rpm"
3. Observe the crash after the last file from the package is listed

Actual Results:
*** glibc detected *** /usr/lib/rpm/rpmq: double free or corruption (!prev): 0x000000000065b640 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3e3bc6ea60]
/lib64/libc.so.6(cfree+0x8c)[0x3e3bc7217c]
/usr/lib64/librpm-4.4.so(showQueryPackage+0x10a)[0x356c02924a]
/usr/lib64/librpm-4.4.so[0x356c027f1e]
/usr/lib64/librpm-4.4.so(rpmQueryVerify+0xae)[0x356c02848e]
/usr/lib64/librpm-4.4.so(rpmcliArgIter+0x12a)[0x356c028e6a]
/usr/lib64/librpm-4.4.so(rpmcliQuery+0xa2)[0x356c029062]
/usr/lib/rpm/rpmq[0x401fe8]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3e3bc1da44]
/usr/lib/rpm/rpmq[0x401779]
======= Memory map: ========

Expected Results:
No crash

Additional info:
You can observe the same by doing "less sylpheed-claws-2.5.6-1.fc6.x86_64.rpm" (that's how I noticed this, BTW). Maybe the package is broken and the bug should be filed against sylpheed-claws instead, but rpm shouldn't crash anyway.
Here's what I see:

$ rpm --version
RPM version 4.4.8
$ rpm -qipvl --changelog sylpheed-claws-2.5.6-1.fc6.x86_64.rpm > /tmp/foo
$ uname -a
Linux wellfleet.jbj.org 2.6.17-1.2532.fc6PAE #1 SMP Tue Aug 8 20:59:36 EDT 2006 i686 i686 i386 GNU/Linux

i.e. no segfault (not that I was expecting to be able to reproduce). If the segfault is reproducible, can you try running under valgind please?

NEEDINFO
This command is what I mean (sorry for the typo):

valgrind -v /usr/lib/rpm/rpmq -qipvl --changelog sylpheed-claws-2.5.6-1.fc6.x86_64.rpm
Created attachment 139682 [details] rpm output under valgrind
Well, you are using rpm 4.4.8, probably that makes a difference ;) But we are not talking about rawhide or something, just plain fc6... Valgrind output attached.
New information: this doesn't happen under C or English locale. It happens at least under Russian UTF-8 locale, though. So "LANG=C rpm ..." doesn't crash, but "LANG=ru_RU.UTF-8 rpm ..." does.
Ah, there it is, reproduced with 4.4.8. The LANG=ru_RU.UTF-8 was the hint I needed, thanks. Fixed in rpm cvs, will be in rpm-4.4.8-0.2 when built. UPSTREAM
Created attachment 139715 [details] Patch dug out of upstream CVS
This issue looks to be a heap buffer overflow. The data scribbled onto the heap is random text from the RPM file. I'm not able to reproduce this issue with any language other than LANG=ru_RU.UTF-8. This fact mitigates the potential damage this bug could cause, therefore I'm assigning it low severity. This issue should also affect FC5.
But does this affect <=rpm-4.4.7? I did not manage to reproduce it, though I do not have a package database, as we are using another package manager... Thank you.
I can reproduce this as far back as 4.2.3, but not on 4.0.4. So somewhere between 4.0.4 and 4.2.3 this flaw was added.
Hint: Try cvs annotate and figger where the "flaw was added" from there.
As an FYI, to add a little more to this, on Mandriva I can confirm this as far back as rpm 4.2.2. As well, setting LANG= here doesn't cause the segfault, but setting LC_ALL="ru_RU.UTF-8" does (provided locales-ru is installed; if the locale files are not installed, rpm doesn't crash).
Actually showQueryPackage() in 4.0.4 is also vulnerable. UTF-8 and specspo translations are not strictly required - they just make the reproducer simpler. One can construct an rpm package with e.g. a sufficiently large %description which will overflow the malloc'ed buffer in the C locale.
Created attachment 141570 [details] sufficiently-long-file-name-to-cause-heap-buffer-overflow.spec

Sample spec file to reproduce a heap buffer overflow in an 8-bit locale.
FWIW, the example in #14 does not segfault with rpm-4.4.8. My comment does not mean "fixed", only avoided, by other recent changes in rpm. (aside) Here's another easy segfault that was fixed/avoided in the last couple of weeks: rpm -E '%(cat foo.spec)' for a sufficiently large foo.spec. I believe that the changes in rpmExpand() are what happened to avoid the reproducer in #14. Again, note "avoided", not "fixed".
Note that creating a header with a dirname or basename longer than BUFSIZ is not "fixed" by my patch in #7. I'll have a patch to truncate the path to the getconf runtime limit for lib/rpmfi.c today. That's a better fix than mucking about with the stpcpy's in lib/query.c IMHO.
How about the following patch?
Created attachment 142065 [details] Patch to fix buffer overflow
That looks workable. There are many places that rpm assumes that file paths fit into a BUFSIZ buffer which can lead to buffer overflows with crafted packages. Guaranteeing that paths are within getconf(1) limits should also be done imho.
Workable for file paths. However, there is other data, not just file paths, from a header that can be maliciously crafted for an overflow. A complete (afaik) patch for rpm-4.4.8 is at https://lists.dulug.duke.edu/pipermail/rpm-devel/2006-November/001889.html The patch includes changes to handle variable length file digests in headers which are irrelevant for rpm-4.4.5 and earlier. UPSTREAM
Paul: Is rpm-4.4.2-33.fc6 still affected? If not, could you please close this bug; otherwise please push a fixed package into FC6.
FC6 rpm seems to be still affected. Fixing by updating to 4.4.2.1 to fix several other issues too, but that means it'll need to go through updates-testing despite being a security fix (built and push initiated already).
This has been fixed in rpm-4.4.2.1-1.fc6 which has now been pushed to updates.
Great work, Panu!