Red Hat Bugzilla – Bug 239557
Crash on fuzzed RPM files
Last modified: 2007-11-30 17:12:04 EST
Description of problem:
With my fuzzer, I generated three files which crash rpm. The files may
contain many errors.
Version-Release number of selected component (if applicable):
rpm version 4.4.1, 4.4.6 or 4.4.9.
Try "rpm -qpi crash_rpm1.rpm" to crash it.
Segfault, but not always. It looks to depend on CPU (32/64 bit) or RPM version.
I will attach the 3 files.
Created attachment 154393
File #1 to crash rpm
Created attachment 154394
File #2 to crash rpm
Created attachment 154395
File #3 to crash rpm
I was on #rpm (Freenode IRC server) to speak about the bugs. Some information:
<jbj> haypo: rpm -qpi w rpm-4.4.9 does not segfault on any of the three.
<jbj> ah, I'm blind. crash_rpm3 segfaults. I'll have a fix today ...
<haypo> jbj: what is your CPU?
<jbj> generic i686
<jbj> haypo: crash_rpm3 has i18n tag without the associated array for tag 100.
<jbj> all rpms are fuzzed and suspect yes. rpm has to be able to query random
crapola without segfault.
<jbj> i have fuzzed. rpm was (likely still is) immune to all single byte fuzz.
<jbj> multi-byte fuzz is trickier to test.
<haypo> jbj: oh, i do more than just one byte fuzzing :)
I've checked a fix for the segfault into rpm cvs, will be in rpm-4.4.9-0.7 when built.
The real fix is mandatory and enforcing signature checking when a signature is present.
All 3 of the fuzzed rpm's display
warning: only V3 and V4 signatures can be verified, skipping V0 signature
Skipping is not at all the right thing to do.
rpm.org now treats unverifiable signatures as errors and skips over the packages
(instead of signatures):
[pmatilai@localhost rpm]$ ./rpmq -pi ~/crash_rpm1.rpm
error: skipping package /home/pmatilai/crash_rpm1.rpm with unverifiable V0 signature
FWIW rpm-4.4.2 dies on crash1 and crash2 in provides legacy retrofitting which
4.4.9 doesn't have at all, which explains why it doesn't die on them. 4.4.2
survives 1 & 2 too if the legacy provides adding is skipped.
The legacy retrofitting needs removal because information is added outside
of the digitally signed immutable header region. It's just a matter of time
before that behavior will be exploited.
Fixed in next rawhide push by rpm 126.96.36.199-rc1
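The condition reported above for crash_rpm3 (an i18n tag with no tag 100 array) can be rejected while validating the header index, before any entry is dereferenced. The following is an added example, not rpm's code and not the fix from this bug: a simplified check over a single header structure, where the function name, status codes and both sample headers are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEADER_I18NTABLE 100   /* tag that holds the locale table */
#define TYPE_I18NSTRING  9     /* index entry type for i18n strings */
enum hdr_status { HDR_OK, HDR_TRUNCATED, HDR_BAD_MAGIC, HDR_BAD_ENTRY, HDR_NO_I18NTABLE };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Layout checked: 3-byte magic, version, 4 reserved bytes, nindex, hsize,
 * then nindex 16-byte entries (tag, type, offset, count), then hsize data bytes. */
enum hdr_status check_header(const uint8_t *buf, size_t len) {
    static const uint8_t magic[3] = { 0x8e, 0xad, 0xe8 };
    if (len < 16) return HDR_TRUNCATED;
    if (memcmp(buf, magic, 3) != 0) return HDR_BAD_MAGIC;
    uint32_t nindex = be32(buf + 8), hsize = be32(buf + 12);
    /* Divide rather than multiply so a fuzzed nindex cannot overflow. */
    if (nindex > (len - 16) / 16) return HDR_TRUNCATED;
    if (hsize > len - 16 - (size_t)nindex * 16) return HDR_TRUNCATED;
    int has_table = 0, has_i18n = 0;
    for (uint32_t i = 0; i < nindex; i++) {
        const uint8_t *e = buf + 16 + (size_t)i * 16;
        uint32_t tag = be32(e), type = be32(e + 4), off = be32(e + 8);
        if (off >= hsize) return HDR_BAD_ENTRY;   /* data offset outside the store */
        if (tag == HEADER_I18NTABLE) has_table = 1;
        if (type == TYPE_I18NSTRING) has_i18n = 1;
    }
    /* An i18n string is indexed through the tag 100 array; refuse it if absent. */
    return (has_i18n && !has_table) ? HDR_NO_I18NTABLE : HDR_OK;
}

/* Constructed sample: one i18n string entry (tag 1004) and no tag 100. */
static const uint8_t sample_missing_table[] = {
    0x8e,0xad,0xe8,0x01, 0,0,0,0, 0,0,0,1, 0,0,0,4,
    0,0,0x03,0xec, 0,0,0,9, 0,0,0,0, 0,0,0,1,  'f','o','o',0 };
/* Constructed sample: tag 100 string array ("C") plus the same i18n entry. */
static const uint8_t sample_ok[] = {
    0x8e,0xad,0xe8,0x01, 0,0,0,0, 0,0,0,2, 0,0,0,6,
    0,0,0,100, 0,0,0,8, 0,0,0,0, 0,0,0,1,
    0,0,0x03,0xec, 0,0,0,9, 0,0,0,2, 0,0,0,1,  'C',0,'f','o','o',0 };

int main(void) {
    printf("missing table: %d, ok: %d\n",
           check_header(sample_missing_table, sizeof sample_missing_table),
           check_header(sample_ok, sizeof sample_ok));
    return 0;
}
```

Any status other than HDR_OK would be treated as a reason to skip the package, in line with the behaviour described above for unverifiable signatures.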