Bug 474550 - segfault from some rpm queryformat strings
Product: Fedora
Classification: Fedora
Component: rpm
Hardware/OS: All Linux
Priority: low, Severity: medium
Assigned To: Panu Matilainen
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-12-04 07:25 EST by Jürgen Botz
Modified: 2009-01-07 04:21 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-01-07 04:21:03 EST
Description Jürgen Botz 2008-12-04 07:25:18 EST
Description of problem:

Either of the following produce a segfault
rpm -q --queryformat="%{TRIGGERCONDS}" package
rpm -q --queryformat="%{ORIGFILENAMES}" package

Adding ":base64" prevents segfault, but now rpm outputs only "(not a blob)"

I discovered this when I wrote a quick script to see what all
of the query format strings listed in "rpm --querytags" would
give me.  All the rest work (i.e. they give some output or the
string "(none)"), but these two segfault.

Version-Release number of selected component (if applicable):
Comment 1 Panu Matilainen 2008-12-04 08:42:52 EST
Easily reproduced. Will fix, thanks for reporting.
Comment 2 Panu Matilainen 2008-12-04 09:14:41 EST
There appear to be some other cases too; the condition for this to occur is that an array type extension is used without formatting as array, and the extension doesn't return any data. Neither of these crashes when the expected array formatting is used:
rpm -q --queryformat="[%{ORIGFILENAMES}\n]" package

But obviously not an excuse for crashing...
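A sweep harness of the kind the reporter describes, extended with the array-iterator form from the comment above, as an added example (not code from the bug report or from rpm); it assumes a POSIX sh with `rpm` on PATH, and `RPM` is an assumed override for pointing it at a test build:

```shell
#!/bin/sh
# Added example, not from the bug report or from rpm: sweep every tag that
# `rpm --querytags` lists through both the bare %{TAG} form and the array
# iterator [%{TAG}\n] form, and report any query that dies from a signal.
# RPM is an assumed override so a test build can be pointed at instead.
RPM="${RPM:-rpm}"

# classify_status STATUS: prints ok, error, or crash. A shell reports a
# command killed by a signal as 128+signo, so 139 is SIGSEGV, 134 SIGABRT.
classify_status() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -ge 128 ]; then echo crash
    else echo error
    fi
}

# run_qf FORMAT PACKAGE: run one query, discard its output, print
# "<status> <class>" so the caller can tell a crash from a clean error.
run_qf() {
    st=0
    "$RPM" -q --queryformat "$1" "$2" >/dev/null 2>&1 || st=$?
    echo "$st $(classify_status "$st")"
}

# sweep_tags PACKAGE: one line per crashing format; succeeds only if none crash.
sweep_tags() {
    pkg=$1
    crashes=0
    for tag in $("$RPM" --querytags); do
        for fmt in "%{$tag}" "[%{$tag}\n]"; do
            set -- $(run_qf "$fmt" "$pkg")
            if [ "$2" = crash ]; then
                echo "CRASH status=$1 format=$fmt package=$pkg"
                crashes=$((crashes + 1))
            fi
        done
    done
    echo "$crashes crashing format(s) for $pkg"
    [ "$crashes" -eq 0 ]
}

# Usage: sweep_tags bash   (any installed package name, as in the report)
```

Run it against a build before and after the fix; a non-zero exit from sweep_tags means at least one tag still crashes in one of the two forms.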
Comment 3 R P Herrold 2008-12-04 12:45:44 EST
Hi, Jürgen

could you attach the reproducer for adding to a unit test suite?

thanks -- Russ herrold
Comment 4 Jürgen Botz 2008-12-04 12:55:40 EST
I'm not sure what you mean by "attach" it.  It's there in my original comments; just replace "package" with any installed package name and you have a "reproducer" as Panu already confirmed.

Also, I didn't know about the array formatting, but as Panu said, it still shouldn't segfault AND the array formatting does not appear to be documented in the man page.
Comment 5 Jeff Johnson 2008-12-04 15:17:29 EST
None of these --queryformats segfaults @rpm5.org on F10 packages currently installed:

    [jbj@wellfleet wdj]$ rpm -qa --qf '%{triggerconds}\n'
    [jbj@wellfleet wdj]$ rpm -qa --qf '[%{triggerconds}\n]'
    [jbj@wellfleet wdj]$ rpm -qa --qf '%{origfilenames}\n'
    [jbj@wellfleet wdj]$ rpm -qa --qf '[%{origfilenames}\n]'
    [jbj@wellfleet wdj]$ rpm --version
    rpm (RPM) 5.2.DEVEL

(aside) Arguably, the "(not a number)" and/or "(none)" in-band error messages
could/should be filtered if the --queryformat does not include a "[...]" array
iterator. I've left the in-band error msgs because no output is often more confusing
than endless spewage for tag arrays that are usually not commonly found in headers.
Comment 6 Panu Matilainen 2008-12-04 15:45:29 EST
Jeff, this bug is about rpm 4.6.0-rc1 in F10 in case you didn't notice. Whatever some other implementation's development version does or doesn't do is very irrelevant.

Fixed upstream and will find its way to Fedora shortly.
Comment 7 Jeff Johnson 2008-12-04 16:22:02 EST
I supplied reproducers (per request in comment #3 and uncertainty in comment #4).

I'm very happy that you've fixed your rpm-4.6 --queryformat bug. I'll be happy
to supply more --queryformat bugs any time you wish.

Note that __ANY__ segfault in RPM queries, particularly when run by root, is a potential
exploit through buffer overruns, and is a cause for concern. Comment #2 "used correctly"
is irrelevant.
Comment 8 Panu Matilainen 2008-12-05 02:21:22 EST
> I supplied reproducers (per request in comment #3 and uncertainty in comment
> #4).

Oh yes. Request for a reproducer, by somebody who has nothing to do with this bug, when reproducer was already supplied by the reporter, and I guess you managed to supply some extra uncertainty too as you say here. You rpm5 people have been sooooo helpful here I don't know what I would do without you.

Jürgen, from my behalf apologies for the extra noise. Just ignore comments from Russ and Jeff, they're not in any way involved in resolving this bug.
Comment 9 R P Herrold 2008-12-05 14:15:13 EST
Panu .. snipe at me if you wish but it was NOT a set up

I AM an RPM stakeholder and have been one since long before your arrival at Red Hat, or on the RPM scene; I am as well an RPM5 participant.

You choose not to answer reasonable email requests and to point at stale archives of the former RPM.ORG I maintained rather than the accurate one.  My request for a password resend on my trac account on the new RPM website mysteriously never arrives.  I think the direction arrow is not toward me.

But my request was made of Jürgen to get unit test fodder for an Rspec testing harness for RH's rpm tine which I am building.  I fail to see how RPM5 entered into the discussion from my actions on this ticket.

-- Russ herrold
Comment 10 Fedora Update System 2008-12-12 14:14:29 EST
rpm-4.6.0-0.rc3.1.fc10 has been submitted as an update for Fedora 10.
Comment 11 Fedora Update System 2008-12-17 19:34:32 EST
rpm-4.6.0-0.rc3.1.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update rpm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11332
Comment 12 Fedora Update System 2009-01-07 04:20:32 EST
rpm-4.6.0-0.rc3.1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.