Bug 239557 - Crash on fuzzed RPM files
Crash on fuzzed RPM files
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: rpm (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Panu Matilainen
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-05-09 09:54 EDT by Victor Stinner
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-26 03:51:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File #1 to crash rpm (49.98 KB, application/octet-stream)
2007-05-09 09:54 EDT, Victor Stinner
no flags Details
File #2 to crash rpm (49.98 KB, application/octet-stream)
2007-05-09 09:55 EDT, Victor Stinner
no flags Details
File #3 to crash rpm (49.98 KB, application/octet-stream)
2007-05-09 09:56 EDT, Victor Stinner
no flags Details

  None (edit)
Description Victor Stinner 2007-05-09 09:54:48 EDT
Description of problem:
With my fuzzer, I generated three files which crash rpm. The files may 
contains many errors.

Version-Release number of selected component (if applicable):
rpm version 4.4.1, 4.4.6 or 4.4.9.

How reproducible:
Try "rpm -qpi crash_rpm1.rpm" to crash it.

Actual results:
Segfault, but not always. It looks to depend on CPU (32/64 bit) or RPM version 
(4.4.1/4.4.6/4.4.9).

I will attach the 3 files.
Comment 1 Victor Stinner 2007-05-09 09:54:48 EDT
Created attachment 154393 [details]
File #1 to crash rpm
Comment 2 Victor Stinner 2007-05-09 09:55:42 EDT
Created attachment 154394 [details]
File #2 to crash rpm
Comment 3 Victor Stinner 2007-05-09 09:56:19 EDT
Created attachment 154395 [details]
File #3 to crash rpm
Comment 4 Victor Stinner 2007-05-09 09:58:23 EDT
I was on #rpm (Freenode IRC server) to speak about the bugs. Some informations 
from jbj:

<jbj> haypo: rpm -qpi w rpm-4.4.9 does not segfault on any of the three.
<jbj> ah, I'm blind. crash_rpm3 segfaults. I'll have a fix today ...
<haypo> jbj: what is your CPU?
<jbj> generic i686
<jbj> haypo: crash_rpm3 has i18n tag without the associated array for tag 100.
<jbj> all rpms are fuzzed and suspect yes. rpm has to be able to query random 
crapola without segfault.
<jbj> i have fuzzed. rpm was (likely still is) immune to all single byte fuzz.
<jbj> multi-byte fuzz is trickier to test.
<haypo> jbj: oh, i do more than just one byte fuzzing :)
Comment 5 Jeff Johnson 2007-05-09 14:00:57 EDT
I've checked a fix for the segfault into rpm cvs, will be in rpm-4.4.9-0.7 when built.

The real fix is mandatory and enforcing signature checking when a signature is present.

All 3 of the fuzzed rpm's display

   warning: only V3 and V4 signatures can be verified, skipping V0 signature

Skipping is not at all the right thing to do.
Comment 6 Panu Matilainen 2007-06-12 04:25:21 EDT
rpm.org now treats unverifiable signatures as errors and skips over the packages
(instead of signatures):
[pmatilai@localhost rpm]$ ./rpmq -pi ~/crash_rpm1.rpm 
error: skipping package /home/pmatilai/crash_rpm1.rpm with unverifiable V0 signature

Comment 7 Panu Matilainen 2007-06-18 05:51:03 EDT
FWIW rpm-4.4.2 dies on crash1 and crash2 in provides legacy retrofitting which
4.4.9 doesn't have at all, which explains why it doesn't die on them. 4.4.2
survives 1 & 2 too if the legacy provides adding is skipped.
Comment 8 Jeff Johnson 2007-06-20 22:59:30 EDT
The legacy retrofitting needs remove because information is added outside
of the digitally signed immutable header region. Its just a matter of time
before that behavior will be exploited.
Comment 9 Panu Matilainen 2007-06-26 03:51:44 EDT
Fixed in next rawhide push by rpm 4.4.2.1-rc1 

Note You need to log in before you can comment on or make changes to this bug.