239557 – Crash on fuzzed RPM files

Bug 239557 - Crash on fuzzed RPM files

Summary: Crash on fuzzed RPM files

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	rpm
Sub Component:
Version:	rawhide
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Panu Matilainen
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-05-09 13:54 UTC by Victor Stinner
Modified:	2007-11-30 22:12 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2007-06-26 07:51:44 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File #1 to crash rpm (49.98 KB, application/octet-stream) 2007-05-09 13:54 UTC, Victor Stinner	no flags	Details
File #2 to crash rpm (49.98 KB, application/octet-stream) 2007-05-09 13:55 UTC, Victor Stinner	no flags	Details
File #3 to crash rpm (49.98 KB, application/octet-stream) 2007-05-09 13:56 UTC, Victor Stinner	no flags	Details
View All

Description Victor Stinner 2007-05-09 13:54:48 UTC

Description of problem:
With my fuzzer, I generated three files which crash rpm. The files may 
contains many errors.

Version-Release number of selected component (if applicable):
rpm version 4.4.1, 4.4.6 or 4.4.9.

How reproducible:
Try "rpm -qpi crash_rpm1.rpm" to crash it.

Actual results:
Segfault, but not always. It looks to depend on CPU (32/64 bit) or RPM version 
(4.4.1/4.4.6/4.4.9).

I will attach the 3 files.

Comment 1 Victor Stinner 2007-05-09 13:54:48 UTC

Created attachment 154393 [details]
File #1 to crash rpm

Comment 2 Victor Stinner 2007-05-09 13:55:42 UTC

Created attachment 154394 [details]
File #2 to crash rpm

Comment 3 Victor Stinner 2007-05-09 13:56:19 UTC

Created attachment 154395 [details]
File #3 to crash rpm

Comment 4 Victor Stinner 2007-05-09 13:58:23 UTC

I was on #rpm (Freenode IRC server) to speak about the bugs. Some informations 
from jbj:

<jbj> haypo: rpm -qpi w rpm-4.4.9 does not segfault on any of the three.
<jbj> ah, I'm blind. crash_rpm3 segfaults. I'll have a fix today ...
<haypo> jbj: what is your CPU?
<jbj> generic i686
<jbj> haypo: crash_rpm3 has i18n tag without the associated array for tag 100.
<jbj> all rpms are fuzzed and suspect yes. rpm has to be able to query random 
crapola without segfault.
<jbj> i have fuzzed. rpm was (likely still is) immune to all single byte fuzz.
<jbj> multi-byte fuzz is trickier to test.
<haypo> jbj: oh, i do more than just one byte fuzzing :)

Comment 5 Jeff Johnson 2007-05-09 18:00:57 UTC

I've checked a fix for the segfault into rpm cvs, will be in rpm-4.4.9-0.7 when built.

The real fix is mandatory and enforcing signature checking when a signature is present.

All 3 of the fuzzed rpm's display

   warning: only V3 and V4 signatures can be verified, skipping V0 signature

Skipping is not at all the right thing to do.

Comment 6 Panu Matilainen 2007-06-12 08:25:21 UTC

rpm.org now treats unverifiable signatures as errors and skips over the packages
(instead of signatures):
[pmatilai@localhost rpm]$ ./rpmq -pi ~/crash_rpm1.rpm 
error: skipping package /home/pmatilai/crash_rpm1.rpm with unverifiable V0 signature

Comment 7 Panu Matilainen 2007-06-18 09:51:03 UTC

FWIW rpm-4.4.2 dies on crash1 and crash2 in provides legacy retrofitting which
4.4.9 doesn't have at all, which explains why it doesn't die on them. 4.4.2
survives 1 & 2 too if the legacy provides adding is skipped.

Comment 8 Jeff Johnson 2007-06-21 02:59:30 UTC

The legacy retrofitting needs remove because information is added outside
of the digitally signed immutable header region. Its just a matter of time
before that behavior will be exploited.

Comment 9 Panu Matilainen 2007-06-26 07:51:44 UTC

Fixed in next rawhide push by rpm 4.4.2.1-rc1

Note You need to log in before you can comment on or make changes to this bug.