Fedora Account System
Red Hat Associate
Red Hat Customer
AI_ONLY_REPORT package: libsolv-0.7.33-2.el10 ------ Summary: Stack-based Buffer Overflow in EdDSA PGP Verification: libsolv uses `rlen` instead of `slen` when copying the EdDSA `s` MPI into a 64-byte stack buffer, allowing crafted Ed25519 signatures with mismatched MPI lengths to overflow the buffer by up to 31 bytes during PGP verification. Requirements to exploit: An attacker must get a vulnerable libsolv consumer to verify a crafted EdDSA/Ed25519 PGP signature through `solv_pgpvrfy()`. The affected build must include `ENABLE_PGPVRFY` and Ed25519 support; in common package or repository signature-processing workflows, attacker-controlled signed content or metadata may be verified automatically once delivered. Component affected: libsolv - `ext/solv_pgpvrfy.c` (`solv_pgpvrfy()` EdDSA verification path) Version affected: `libsolv-0.7.33-2.el10` is confirmed vulnerable. Broader version bounds could not be determined from the provided snapshot, but builds containing the same `memcpy(sigdata + 64 - slen, s, rlen)` line and compiled with `ENABLE_PGPVRFY` and `ENABLE_PGPVRFY_ED25519` are likely affected. Patch available: Proposed fix included below; upstream release status unknown. Version fixed (if any already): unknown Upstream coordination: Not yet notified. A private disclosure draft is available. CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5 (HIGH) AV:N - In common libsolv consumer workflows, signed repository or package data can be delivered over the network for automatic verification. AC:L - The issue is triggered by malformed EdDSA MPI lengths; no race or unusual precondition is required. PR:N - The attacker needs no privileges on the target system. UI:N - Signature verification can occur automatically when the signed content or metadata is processed. S:U - The overwrite occurs within the verifying process. C:N - No confidentiality impact was demonstrated. I:N - No integrity impact was demonstrated. A:H - Further review confirmed a reachable stack overwrite with reliable crash potential; impact beyond denial of service remains unproven. Impact: Likely Important. This is a real memory-safety flaw in signature-verification code that processes attacker-controlled PGP signature data. Further review confirmed the out-of-bounds stack write is reachable and can plausibly cause denial of service in automated package or repository processing, but the report does not demonstrate code execution or direct confidentiality or integrity impact. Embargo: yes Reason: This is a real memory-corruption issue in signature-verification code with no known upstream fix. Even though impact beyond denial of service is unproven, coordinated disclosure is appropriate until maintainers can assess and patch it. Suggested public date: 16-Jul-2026 Acknowledgement: Aisle Research Steps to reproduce: 1. Build libsolv with AddressSanitizer and with PGP verification enabled (`ENABLE_PGPVRFY=ON`; Ed25519 support is enabled by default in source). 2. Invoke `solv_pgpvrfy(pub, publ, sig, sigl)` with an EdDSA public key (`pub[0] = 22`) that contains the expected Ed25519 OID/check bytes and a 32-byte public key payload, and a signature where `sig[0] = 22`, `sig[1] = 8` (SHA-256), the hash prefix is 32 bytes, the `r` MPI has bit length `0x0100` and 32 non-zero bytes, and the `s` MPI has bit length `0x0001` and a single non-zero byte. 3. After the hash prefix, use the following minimal triggering layout for the signature MPIs: ```text [r MPI: 0x01 0x00 | 32 bytes] [s MPI: 0x00 0x01 | 0x01] ``` 4. During verification, execution reaches `memcpy(sigdata + 64 - slen, s, rlen)`; when `rlen > slen`, the copy writes past the end of `sigdata`. 5. With ASan enabled, expect a `stack-buffer-overflow` report at this copy site. Vulnerability Details In `ext/solv_pgpvrfy.c`, `r` and `s` are parsed independently, so their lengths can differ before the Ed25519 formatting step: ```c r = findmpi(&mpi, &mpil, 256, &rlen); s = findmpi(&mpi, &mpil, 256, &slen); ... rlen = (rlen + 7) / 8; slen = (slen + 7) / 8; if (rlen) memcpy(sigdata + 32 - rlen, r, rlen); if (slen) memcpy(sigdata + 64 - slen, s, rlen); ``` If `rlen = 32` and `slen = 1`, the second `memcpy` starts at `sigdata + 63` and copies 32 bytes, overflowing the 64-byte stack buffer by 31 bytes. Further review also traced attacker-controlled signature bytes into this path through libsolv's signature-verification code in `repo_pubkey.c` and found that malformed packets are not rejected before this copy. Most relevant CWEs: `CWE-121` Stack-based Buffer Overflow `CWE-787` Out-of-bounds Write `CWE-805` Buffer Access with Incorrect Length Value Proposed Fix ```diff diff --git a/ext/solv_pgpvrfy.c b/ext/solv_pgpvrfy.c @@ -586,10 +586,12 @@ memset(sigdata, 0, 64); rlen = (rlen + 7) / 8; slen = (slen + 7) / 8; + if (rlen != 32 || slen != 32) + return 0; if (rlen) memcpy(sigdata + 32 - rlen, r, rlen); if (slen) memcpy(sigdata + 64 - slen, s, rlen); + memcpy(sigdata + 64 - slen, s, slen); res = mped25519(pub + 1 + 10 + 2 + 1, sigdata, sig + 2, hashl); ``` ------ This report was generated using AI technology. Always review AI-generated content prior to use
Upstream confirmed this bug: > Regarding 2460975: That's a valid bug, but is's in solv_pgpvrfy.c > which is not enabled by default and I certainly don't know of > any distribution that uses this. I'll drop the code completely in > the next mayor release. > [...] > Hmm, I mis-remembered. It *is* enabled if you build for SUSE. Still > I don't know of anybody actually using it. libzypp certainly > doesn't use it. > [...] > Btw, will you guys create a CVE for this bug?
Fixed in upstream with: commit 44f8c085045b1f771641091bbb2b810d12cff9e8 Author: Michael Schroeder <mls> Date: Tue May 26 10:30:31 2026 +0200 Fix wrong variable being used in solv_pgpvrfy and included in 0.7.38 upstream release.