Bug 228215 - glibc reported buffer overflow
Summary: glibc reported buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Panu Matilainen
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-02-11 19:49 UTC by Charlie Brady
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-27 18:28:42 UTC
Type: ---
Embargoed:



Description Charlie Brady 2007-02-11 19:49:07 UTC
Description of problem:

glibc stack traceback reports buffer overflow from rpm, when executed by mzbuild
from mezzanine:


[charlieb@pc-00227 smeserver-spamassassin]$ mzbuild 
*** buffer overflow detected ***: /bin/rpm terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x369bae0cdf]
/usr/lib64/librpmio-4.4.so(rpmExpand+0x66)[0x369de1bd16]
/usr/lib64/librpm-4.4.so[0x369ea22d6c]
/usr/lib64/libpopt.so.0[0x36a8c024e0]
/usr/lib64/libpopt.so.0[0x36a8c02519]
/usr/lib64/libpopt.so.0(poptGetNextOpt+0x402)[0x36a8c03342]
/bin/rpm[0x4037d9]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x369ba1da44]
/bin/rpm[0x403549]
======= Memory map: ========
00400000-00413000 r-xp 00000000 fd:00 18251803                           /bin/rpm
00612000-00615000 rw-p 00012000 fd:00 18251803                           /bin/rpm
00615000-00621000 rw-p 00615000 00:00 0 
00814000-00817000 rw-p 00014000 fd:00 18251803                           /bin/rpm
00817000-00858000 rw-p 00817000 00:00 0                                  [heap]
369b600000-369b61a000 r-xp 00000000 fd:00 15695934                      /lib64/ld-2.5.so
369b819000-369b81a000 r--p 00019000 fd:00 15695934                      /lib64/ld-2.5.so
369b81a000-369b81b000 rw-p 0001a000 fd:00 15695934                      /lib64/ld-2.5.so
369ba00000-369bb44000 r-xp 00000000 fd:00 15696149                      /lib64/libc-2.5.so
369bb44000-369bd44000 ---p 00144000 fd:00 15696149                      /lib64/libc-2.5.so
369bd44000-369bd48000 r--p 00144000 fd:00 15696149                      /lib64/libc-2.5.so
369bd48000-369bd49000 rw-p 00148000 fd:00 15696149                      /lib64/libc-2.5.so
369bd49000-369bd4e000 rw-p 369bd49000 00:00 0 
369be00000-369be82000 r-xp 00000000 fd:00 15696195                      /lib64/libm-2.5.so
369be82000-369c081000 ---p 00082000 fd:00 15696195                      /lib64/libm-2.5.so
369c081000-369c082000 r--p 00081000 fd:00 15696195                      /lib64/libm-2.5.so
369c082000-369c083000 rw-p 00082000 fd:00 15696195                      /lib64/libm-2.5.so
369c200000-369c203000 r-xp 00000000 fd:00 15696196                      /lib64/libdl-2.5.so
369c203000-369c402000 ---p 00003000 fd:00 15696196                      /lib64/libdl-2.5.so
369c402000-369c403000 r--p 00002000 fd:00 15696196                      /lib64/libdl-2.5.so
369c403000-369c404000 rw-p 00003000 fd:00 15696196                      /lib64/libdl-2.5.so
369c600000-369c614000 r-xp 00000000 fd:00 28704777                      /usr/lib64/libz.so.1.2.3
369c614000-369c813000 ---p 00014000 fd:00 28704777                      /usr/lib64/libz.so.1.2.3
369c813000-369c814000 rw-p 00013000 fd:00 28704777                      /usr/lib64/libz.so.1.2.3
369ca00000-369ca11000 r-xp 00000000 fd:00 28715379                      /usr/lib64/libelf-0.125.so
369ca11000-369cc11000 ---p 00011000 fd:00 28715379                      /usr/lib64/libelf-0.125.so
369cc11000-369cc12000 rw-p 00011000 fd:00 28715379                      /usr/lib64/libelf-0.125.so
369ce00000-369ce29000 r-xp 00000000 fd:00 28711046                      /usr/lib64/libbeecrypt.so.6.4.0
369ce29000-369d028000 ---p 00029000 fd:00 28711046                      /usr/lib64/libbeecrypt.so.6.4.0
369d028000-369d02c000 rw-p 00028000 fd:00 28711046                      /usr/lib64/libbeecrypt.so.6.4.0
369d200000-369d21e000 r-xp 00000000 fd:00 28715374                      /usr/lib64/libneon.so.25.0.5
369d21e000-369d41d000 ---p 0001e000 fd:00 28715374                      /usr/lib64/libneon.so.25.0.5
369d41d000-369d41f000 rw-p 0001d000 fd:00 28715374                      /usr/lib64/libneon.so.25.0.5
369d600000-369d615000 r-xp 00000000 fd:00 15696202                      /lib64/libpthread-2.5.so
369d615000-369d814000 ---p 00015000 fd:00 15696202                      /lib64/libpthread-2.5.so
369d814000-369d815000 r--p 00014000 fd:00 15696202                      /lib64/libpthread-2.5.so
369d815000-369d816000 rw-p 00015000 fd:00 15696202                      /lib64/libpthread-2.5.so
369d816000-369d81a000 rw-p 369d816000 00:00 0 
369da00000-369da20000 r-xp 00000000 fd:00 15696194                      /lib64/libexpat.so.0.5.0
369da20000-369dc1f000 ---p 00020000 fd:00 15696194                      /lib64/libexpat.so.0.5.0
369dc1f000-369dc22000 rw-p 0001f000 fd:00 15696194                      /lib64/libexpat.so.0.5.0
369de00000-369de77000 r-xp 00000000 fd:00 28715376                      /usr/lib64/librpmio-4.4.so
369de77000-369e077000 ---p 00077000 fd:00 28715376                      /usr/lib64/librpmio-4.4.so
369e077000-369e07c000 rw-p 00077000 fd:00 28715376                      /usr/lib64/librpmio-4.4.so
369e07c000-369e09f000 rw-p 369e07c000 00:00 0 
369e200000-369e258000 r-xp 00000000 fd:00 28715378                      /usr/lib64/libsqlite3.so.0.8.6
369e258000-369e458000 ---p 00058000 fd:00 28715378                      /usr/lib64/libsqlite3.so.0.8.6
369e458000-369e45a000 rw-p 00058000 fd:00 28715378                      /usr/lib64/libsqlite3.so.0.8.6
369e600000-369e70d000 r-xp 00000000 fd:00 28715380                      /usr/lib64/librpmdb-4.4.so
369e70d000-369e90c000 ---p 0010d000 fd:00 28715380                      /usr/lib64/librpmdb-4.4.so
369e90c000-369e913000 rw-p 0010c000 fd:00 28715380                      /usr/lib64/librpmdb-4.4.so
369e913000-369e914000 rw-p 369e913000 00:00 0 
369ea00000-369ea58000 r-xp 00000000 fd:00 28715381                      /usr/lib64/librpm-4.4.so
369ea58000-369ec57000 ---p 00058000 fd:00 28715381                      /usr/lib64/librpm-4.4.so
369ec57000-369ec5d000 rw-p 00057000 fd:00 28715381                      /usr/lib64/librpm-4.4.so
369ec5d000-369ec8f000 rw-p 369ec5d000 00:00 0 
36a1200000-36a120d000 r-xp 00000000 fd:00 15696197                      /lib64/libgcc_s-4.1.1-20070105.so.1
36a120d000-36a140c000 ---p 0000d000 fd:00 15696197                      /lib64/libgcc_s-4.1.1-20070105.so.1
36a140c000-36a140d000 rw-p 0000c000 fd:00 15696197                      /lib64/libgcc_s-4.1.1-20070105.so.1
36a1a00000-36a1ae6000 r-xp 00000000 fd:00 28709672                      /usr/lib64/libstdc++.so.6.0.8
36a1ae6000-36a1ce5000 ---p 000e6000 fd:00 28709672                      /usr/lib64/libstdc++.so.6.0.8
36a1ce5000-36a1ceb000 r--p 000e5000 fd:00 28709672                      /usr/lib64/libstdc++.so.6.0.8
36a1ceb000-36a1cee000 rw-p 000eb000 fd:00 28709672                      /usr/lib64/libstdc++.so.6.0.8
36a1cee000-36a1d00000 rw-p 36a1cee000 00:00 0 
36a4c00000-36a4c3b000 r-xp 00000000 fd:00 15695911                      /lib64/libsepol.so.1
36a4c3b000-36a4e3b000 ---p 0003b000 fd:00 15695911                      /lib64/libsepol.so.1
36a4e3b000-36a4e3c000 rw-p 0003b000 fd:00 15695911                      /lib64/libsepol.so.1
36a4e3c000-36a4e46000 rw-p 36a4e3c000 00:00 0 
36a5400000-36a5415000 r-xp 00000000 fd:00 15696206                      /lib64/libselinux.so.1
36a5415000-36a5615000 ---p 00015000 fd:00 15696206                      /lib64/libselinux.so.1
36a5615000-36a5617000 rw-p 00015000 fd:00 15696206                      /lib64/libselinux.so.1
36a5617000-36a5618000 rw-p 36a5617000 00:00 0 
36a5800000-36a5808000 r-xp 00000000 fd:00 15696205                      /lib64/librt-2.5.so
36a5808000-36a5a07000 ---p 00008000 fd:00 15696205                      /lib64/librt-2.5.so
36a5a07000-36a5a08000 r--p 00007000 fd:00 15696205                      /lib64/librt-2.5.so
36a5a08000-36a5a09000 rw-p 00008000 fd:00 15696205                      /lib64/librt-2.5.so
36a6000000-36a6011000 r-xp 00000000 fd:00 15695874                      /lib64/libresolv-2.5.so
36a6011000-36a6211000 ---p 00011000 fd:00 15695874                      /lib64/libresolv-2.5.so
36a6211000-36a6212000 r--p 00011000 fd:00 15695874                      /lib64/libresolv-2.5.so
36a6212000-36a6213000 rw-p 00012000 fd:00 15695874                      /lib64/libresolv-2.5.so
36a6213000-36a6215000 rw-p 36a6213000 00:00 0 
36a6400000-36a6525000 r-xp 00000000 fd:00 15696200                      /lib64/libcrypto.so.0.9.8b
36a6525000-36a6724000 ---p 00125000 fd:00 15696200                      /lib64/libcrypto.so.0.9.8b
36a6724000-36a6743000 rw-p 00124000 fd:00 15696200                      /lib64/libcrypto.so.0.9.8b
36a6743000-36a6747000 rw-p 36a6743000 00:00 0 
36a6800000-36a6802000 r-xp 00000000 fd:00 15696199                      /lib64/libcom_err.so.2.1
36a6802000-36a6a01000 ---p 00002000 fd:00 15696199                      /lib64/libcom_err.so.2.1
36a6a01000-36a6a02000 rw-p 00001000 fd:00 15696199                      /lib64/libcom_err.so.2.1
36a6c00000-36a6c83000 r-xp 00000000 fd:00 28710930                      /usr/lib64/libkrb5.so.3.2
36a6c83000-36a6e83000 ---p 00083000 fd:00 28710930                      /usr/lib64/libkrb5.so.3.2
36a6e83000-36a6e87000 rw-p 00083000 fd:00 28710930                      /usr/lib64/libkrb5.so.3.2
36a7000000-36a7007000 r-xp 00000000 fd:00 28710910                      /usr/lib64/libkrb5support.so.0.1
36a7007000-36a7206000 ---p 00007000 fd:00 28710910                      /usr/lib64/libkrb5support.so.0.1
36a7206000-36a7207000 rw-p 00006000 fd:00 28710910                      /usr/lib64/libkrb5support.so.0.1
36a7400000-36a7423000 r-xp 00000000 fd:00 28710911                      /usr/lib64/libk5crypto.so.3.0
36a7423000-36a7623000 ---p 00023000 fd:00 28710911                      /usr/lib64/libk5crypto.so.3.0
36a7623000-36a7625000 rw-p 00023000 fd:00 28710911                      /usr/lib64/libk5crypto.so.3.0
36a7c00000-36a7c29000 r-xp 00000000 fd:00 28710962                      /usr/lib64/libgssapi_krb5.so.2.2
36a7c29000-36a7e28000 ---p 00029000 fd:00 28710962                      /usr/lib64/libgssapi_krb5.so.2.2
36a7e28000-36a7e2a000 rw-p 00028000 fd:00 28710962                      /usr/lib64/libgssapi_krb5.so.2.2
36a8400000-36a8443000 r-xp 00000000 fd:00 15696201                      /lib64/libssl.so.0.9.8b
36a8443000-36a8643000 ---p 00043000 fd:00 15696201                      /lib64/libssl.so.0.9.8b
36a8643000-36a8649000 rw-p 00043000 fd:00 15696201                      /lib64/libssl.so.0.9.8b
36a8c00000-36a8c07000 r-xp 00000000 fd:00 28715377                      /usr/lib64/libpopt.so.0.0.0
36a8c07000-36a8e07000 ---p 00007000 fd:00 28715377                      /usr/lib64/libpopt.so.0.0.0
36a8e07000-36a8e08000 rw-p 00007000 fd:00 28715377                      /usr/lib64/libpopt.so.0.0.0
36ae800000-36ae80f000 r-xp 00000000 fd:00 28715375                      /usr/lib64/libbz2.so.1.0.3
36ae80f000-36aea0e000 ---p 0000f000 fd:00 28715375                      /usr/lib64/libbz2.so.1.0.3
36aea0e000-36aea10000 rw-p 0000e000 fd:00 28715375                      /usr/lib64/libbz2.so.1.0.3
2aaaaaaab000-2aaaaaaac000 rw-p 2aaaaaaab000 00:00 0 
2aaaaaad9000-2aaaaaae5000 rw-p 2aaaaaad9000 00:00 0 
2aaaaaae5000-2aaaadfd7000 r--p 00000000 fd:00 28709277                  /usr/lib/locale/locale-archive
7fffd08ca000-7fffd08e3000 rw-p 7fffd08ca000 00:00 0                      [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                  [vdso]
pkgtool:  Warning:  Pre-processing spec file
/home/charlieb/mezzanine/smeserver-spamassassin/build.mezz/SPECS/smeserver-spamassassin.spec
failed; using internal parser.
pkgtool:  Warning:  Build dependency installation failed:  Unable to install
e-smith-devtools (1)
error: Failed build dependencies:
pkgtool:  Error:  Package build failed:  Building this package requires the
following:  e-smith-devtools >= 1.11.0-12
[charlieb@pc-00227 smeserver-spamassassin]$ 



Version-Release number of selected component (if applicable):

[charlieb@pc-00227 smeserver-spamassassin]$ rpm -q rpm glibc mezzanine
rpm-4.4.2-32
glibc-2.5-10.fc6
glibc-2.5-10.fc6
mezzanine-1.9-0.12.el4.sme
[charlieb@pc-00227 smeserver-spamassassin]$

Comment 1 Michael Jennings (KainX) 2007-02-12 23:30:41 UTC
Hey Charlie. :)

First, you'll want to fire up mzbuild in debug mode (-d or --debug) to get more
detailed tracing information about which invocation of /bin/rpm is causing this.

From the look of it, it appears to be the same type of problem I ran into not
too long ago which was fixed in upstream RPM, around 4.4.8-0.4 or so.  It has to
do with Mezz running "rpm --eval" to expand macros in the spec file.  The
rpm-devel list archives should have the patch jbj worked up for it.


Comment 2 Charlie Brady 2007-02-13 01:03:25 UTC
> The rpm-devel list archives should have the patch jbj worked up for it.

I couldn't find it. But I did find a patch by Olivier Thauvin:

https://lists.dulug.duke.edu/pipermail/rpm-devel/2006-June/001114.html

And that patch does fix the problem.

--- rpm-4.4.2/rpmio/macro.c     2005-07-13 05:49:40.000000000 -0400
+++ mezzanine_patched_rpm-4.4.2/rpmio/macro.c   2007-02-12 19:33:31.000000000 -0500
@@ -1256,7 +1256,7 @@
        chkexist = 0;
        switch ((c = *s)) {
        default:                /* %name substitution */
-               while (strchr("!?", *s) != NULL) {
+               while (*s && strchr("!?", *s) != NULL) {
                        switch(*s++) {
                        case '!':
  
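Review bot: the `*s &&` guard is the right fix, and the hunk should carry a one-line comment saying why, because the failure is not obvious from the diff: strchr() treats the NUL terminator of its set string as a member, so `strchr("!?", *s)` is non-NULL when `*s == '\0'`, and the unguarded loop swallowed the terminator in `switch(*s++)` and kept reading past the end of the macro text, which is what glibc's fortified copy inside rpmExpand aborted on. Testing `*s` first makes the loop stop at the terminator. The same idiom is easy to repeat, so every other `strchr(set, *s)` loop condition in macro.c deserves the same check (the "3-4 other segfaults" below are a good candidate list), and a regression input that ends immediately after the '!' or '?' prefix would keep this from coming back.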

BTW, jbj does say there are 3-4 other segfaults in macro.c, but doesn't say
whether he has fixed them.

[BTW, there's another bug here for you to chase. mzimport -L of the rpm src.rpm
lost the rpm tarball:

...
srctool:  Warning:  Pre-processing spec file
/var/tmp/mezzanine.temp.SPM.32539.2730/rpm/F/rpm.spec failed; using internal parser.
You requested local mode.  To add this tree to SCM, you will need to import it
by hand (mzimport rpm).
[charlieb@pc-00227 mezzanine.local]$ ls rpm
F  P  S
[charlieb@pc-00227 mezzanine.local]$ ls rpm/S/
mono-find-provides  mono-find-requires
[charlieb@pc-00227 mezzanine.local]$ 
]
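The strchr() behaviour behind the patch above, as an added example that is not rpm's code and not from anyone on this bug. The two scan functions mirror the loop shape in the hunk (the '!' and '?' prefix handling of a macro reference); the struct, the function names and the probe buffer are constructed for the illustration.

```c
/*
 * Added example (not rpm's code): why `strchr("!?", *s)` as a loop condition
 * walks past the end of a C string, and the guard that stops it.
 *
 * strchr() counts the terminating NUL of the set as a member of the set, so
 * strchr("!?", '\0') returns a non-NULL pointer (to the terminator of "!?").
 * A loop that uses that test to skip the '!' and '?' prefix characters of a
 * macro reference does not stop at the end of its input: it consumes the NUL
 * and keeps reading whatever follows it in memory.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct macro_flags {
    int negate;       /* a '!' prefix was seen */
    int chkexist;     /* a '?' prefix was seen */
    size_t consumed;  /* bytes scanned before the macro name would start */
};

/* 1 if strchr() reports the NUL terminator as a member of the set "!?". */
int strchr_accepts_nul(void)
{
    return strchr("!?", '\0') != NULL;
}

/* Pre-patch loop shape: stops only on a byte that is neither '!', '?' nor NUL. */
struct macro_flags scan_prefix_unsafe(const char *s)
{
    struct macro_flags f = {0, 0, 0};
    const char *start = s;
    while (strchr("!?", *s) != NULL) {   /* BUG: also true for *s == '\0' */
        switch (*s++) {
        case '!': f.negate = 1;   break;
        case '?': f.chkexist = 1; break;
        default:  break;                 /* the terminator is swallowed here */
        }
    }
    f.consumed = (size_t)(s - start);
    return f;
}

/* Patched loop shape: test for the terminator before consulting strchr(). */
struct macro_flags scan_prefix_safe(const char *s)
{
    struct macro_flags f = {0, 0, 0};
    const char *start = s;
    while (*s && strchr("!?", *s) != NULL) {
        switch (*s++) {
        case '!': f.negate = 1;   break;
        case '?': f.chkexist = 1; break;
        }
    }
    f.consumed = (size_t)(s - start);
    return f;
}

/*
 * Constructed probe: as a C string this is just "!", but the bytes after its
 * terminator are '\0', '?', 'x'. Every read stays inside this array, so the
 * two loops can be compared without undefined behaviour; in rpmExpand the
 * bytes after the NUL belong to whatever happens to sit next in memory.
 */
static const char probe[] = "!\0\0?x";

size_t unsafe_consumed(void) { return scan_prefix_unsafe(probe).consumed; }  /* 4 */
int    unsafe_chkexist(void) { return scan_prefix_unsafe(probe).chkexist; }  /* 1, from the byte past the NUL */
size_t safe_consumed(void)   { return scan_prefix_safe(probe).consumed; }    /* 1 */
int    safe_chkexist(void)   { return scan_prefix_safe(probe).chkexist; }    /* 0 */

int main(void)
{
    printf("strchr(\"!?\", '\\0') != NULL: %d\n", strchr_accepts_nul());
    printf("unsafe: consumed=%zu negate=%d chkexist=%d\n",
           unsafe_consumed(), scan_prefix_unsafe(probe).negate, unsafe_chkexist());
    printf("safe:   consumed=%zu negate=%d chkexist=%d\n",
           safe_consumed(), scan_prefix_safe(probe).negate, safe_chkexist());
    return 0;
}
```

Compile with `cc -Wall -o strchr_nul strchr_nul.c` and run: the unguarded scan reports four bytes consumed and a '?' flag that the one-character string "!" never contained, while the guarded scan stops at the terminator after one byte. The general lesson is that any `strchr(set, c)` membership test needs a separate check for `c == '\0'` unless the terminator is genuinely meant to match.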



Comment 3 Jeff Johnson 2007-02-13 01:21:19 UTC
If you can find the problems in macros.c, I can fix. Meanwhile, gud enuf. My "3-4" estimate is purely a guess eyeballing code ...

Comment 4 Michael Jennings (KainX) 2007-02-13 03:46:16 UTC
(In reply to comment #2)
> > The rpm-devel list archives should have the patch jbj worked up for it.
> 
> I couldn't find it.

https://lists.dulug.duke.edu/pipermail/rpm-devel/2006-November/001839.html

I believe it contains the fixes for the problem I reported as well as other
similar issues.  Even though you found the fix for your particular problem, this
patch will almost certainly correct other problems.

> [BTW, there's another bug here for you to chase. mzimport -L of the rpm src.rpm
> lost the rpm tarball:
> 
> ...
> srctool:  Warning:  Pre-processing spec file
> /var/tmp/mezzanine.temp.SPM.32539.2730/rpm/F/rpm.spec failed; using internal parser.
> You requested local mode.  To add this tree to SCM, you will need to import it
> by hand (mzimport rpm).
> [charlieb@pc-00227 mezzanine.local]$ ls rpm
> F  P  S
> [charlieb@pc-00227 mezzanine.local]$ ls rpm/S/
> mono-find-provides  mono-find-requires
> [charlieb@pc-00227 mezzanine.local]$ 
> ]

Yes, this is a known issue with Mezz and the rpm spec file used in older
versions of RPM.  (It does not occur with RPM 4.4.8.)

It has to do with the use of %expand, the failure of /bin/rpm to parse the spec
file (as noted in the warning), and the use of the %{rpm_version} macro in the
Source0: line.  Specifically, Mezz's internal parser does not properly handle
this line:

%{expand: %%define rpm_version %{version}}

which causes this line:

Source: ftp://wraptastic.org/pub/rpm-devel/rpm-%{rpm_version}.tar.gz

to be erroneously parsed.  My work-around in the past has always been to rpm -Uvh the SRPM, edit the spec file, build an SRPM, and then mzimport the new SRPM.

However, fixing the problems which are causing the "Pre-processing spec file"
failure or updating to RPM 4.4.8 will alleviate the issue.


Comment 5 Charlie Brady 2007-05-15 22:32:54 UTC
This bug appears to be unfixed in RHEL5.

Comment 6 Red Hat Bugzilla 2007-08-21 05:31:48 UTC
User pnasrat's account has been closed

Comment 7 Panu Matilainen 2007-08-22 06:33:50 UTC
Reassigning to owner after bugzilla made a mess, sorry about the noise...

Comment 8 Panu Matilainen 2007-08-27 18:28:42 UTC
This should be fixed by rpm 4.4.2.1 now in FC6 updates, if not please reopen.

