Bug 213515 (CVE-2006-5466) - CVE-2006-5466 RPM Crash after listing contents of non-installed package
Summary: CVE-2006-5466 RPM Crash after listing contents of non-installed package
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2006-5466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: x86_64
OS: Linux
low
low
Target Milestone: ---
Assignee: Peter Jones
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-11-01 19:04 UTC by Josh Bressers
Modified: 2021-02-25 18:36 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-02 19:04:29 UTC
Embargoed:

Attachments (Terms of Use)

Description Josh Bressers 2006-11-01 19:04:35 UTC 
+++ This bug was initially created as a clone of Bug #212833 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; ru; rv:1.8.0.7) Gecko/20061011
Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7

Description of problem:
RPM crashes when trying to show info/listing/changelog of sylpheed-claws package
from extras.

Version-Release number of selected component (if applicable):
rpm-4.4.2-32.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Download sylpheed-claws package "wget
http://redhat.download.fedoraproject.org/pub/fedora/linux/extras/6/x86_64/sylpheed-claws-2.5.6-1.fc6.x86_64.rpm"
2. Do "rpm -qipvl --changelog sylpheed-claws-2.5.6-1.fc6.x86_64.rpm"
3. Observe the crash after last file from package is listed

Actual Results:
*** glibc detected *** /usr/lib/rpm/rpmq: double free or corruption (!prev):
0x000000000065b640 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3e3bc6ea60]
/lib64/libc.so.6(cfree+0x8c)[0x3e3bc7217c]
/usr/lib64/librpm-4.4.so(showQueryPackage+0x10a)[0x356c02924a]
/usr/lib64/librpm-4.4.so[0x356c027f1e]
/usr/lib64/librpm-4.4.so(rpmQueryVerify+0xae)[0x356c02848e]
/usr/lib64/librpm-4.4.so(rpmcliArgIter+0x12a)[0x356c028e6a]
/usr/lib64/librpm-4.4.so(rpmcliQuery+0xa2)[0x356c029062]
/usr/lib/rpm/rpmq[0x401fe8]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3e3bc1da44]
/usr/lib/rpm/rpmq[0x401779]
======= Memory map: ========
00400000-00403000 r-xp 00000000 08:06 1529712                           
/usr/lib/rpm/rpmq
00602000-00605000 rw-p 00002000 08:06 1529712                           
/usr/lib/rpm/rpmq
00605000-0068b000 rw-p 00605000 00:00 0                                  [heap]
356ac00000-356ac77000 r-xp 00000000 08:06 2248411                       
/usr/lib64/librpmio-4.4.so
356ac77000-356ae77000 ---p 00077000 08:06 2248411                       
/usr/lib64/librpmio-4.4.so
356ae77000-356ae7c000 rw-p 00077000 08:06 2248411                       
/usr/lib64/librpmio-4.4.so
356ae7c000-356ae9f000 rw-p 356ae7c000 00:00 0 
356b000000-356b029000 r-xp 00000000 08:06 2248409                       
/usr/lib64/libbeecrypt.so.6.4.0
356b029000-356b228000 ---p 00029000 08:06 2248409                       
/usr/lib64/libbeecrypt.so.6.4.0
356b228000-356b22c000 rw-p 00028000 08:06 2248409                       
/usr/lib64/libbeecrypt.so.6.4.0
356b400000-356b458000 r-xp 00000000 08:06 2248412                       
/usr/lib64/libsqlite3.so.0.8.6
356b458000-356b658000 ---p 00058000 08:06 2248412                       
/usr/lib64/libsqlite3.so.0.8.6
356b658000-356b65a000 rw-p 00058000 08:06 2248412                       
/usr/lib64/libsqlite3.so.0.8.6
356b800000-356b81e000 r-xp 00000000 08:06 2248410                       
/usr/lib64/libneon.so.25.0.5
356b81e000-356ba1d000 ---p 0001e000 08:06 2248410                       
/usr/lib64/libneon.so.25.0.5
356ba1d000-356ba1f000 rw-p 0001d000 08:06 2248410                       
/usr/lib64/libneon.so.25.0.5
356bc00000-356bd0d000 r-xp 00000000 08:06 2248413                       
/usr/lib64/librpmdb-4.4.so
356bd0d000-356bf0c000 ---p 0010d000 08:06 2248413                       
/usr/lib64/librpmdb-4.4.so
356bf0c000-356bf13000 rw-p 0010c000 08:06 2248413                       
/usr/lib64/librpmdb-4.4.so
356bf13000-356bf14000 rw-p 356bf13000 00:00 0 
356c000000-356c058000 r-xp 00000000 08:06 2248444                       
/usr/lib64/librpm-4.4.so
356c058000-356c257000 ---p 00058000 08:06 2248444                       
/usr/lib64/librpm-4.4.so
356c257000-356c25d000 rw-p 00057000 08:06 2248444                       
/usr/lib64/librpm-4.4.so
356c25d000-356c28f000 rw-p 356c25d000 00:00 0 
356c400000-356c422000 r-xp 00000000 08:06 2248250                       
/usr/lib64/librpmbuild-4.4.so
356c422000-356c622000 ---p 00022000 08:06 2248250                       
/usr/lib64/librpmbuild-4.4.so
356c622000-356c625000 rw-p 00022000 08:06 2248250                       
/usr/lib64/librpmbuild-4.4.so
356c625000-356c633000 rw-p 356c625000 00:00 0 
356d600000-356d725000 r-xp 00000000 08:03 63959                         
/lib64/libcrypto.so.0.9.8b
356d725000-356d924000 ---p 00125000 08:03 63959                         
/lib64/libcrypto.so.0.9.8b
356d924000-356d943000 rw-p 00124000 08:03 63959                         
/lib64/libcrypto.so.0.9.8b
356d943000-356d947000 rw-p 356d943000 00:00 0 
356de00000-356de43000 r-xp 00000000 08:03 64009                         
/lib64/libssl.so.0.9.8b
356de43000-356e043000 ---p 00043000 08:03 64009                         
/lib64/libssl.so.0.9.8b
356e043000-356e049000 rw-p 00043000 08:03 64009                         
/lib64/libssl.so.0.9.8b
3e3ac00000-3e3ac1a000 r-xp 00000000 08:03 63998                         
/lib64/ld-2.5.so
3e3ae19000-3e3ae1a000 r--p 00019000 08:03 63998                         
/lib64/ld-2.5.so
3e3ae1a000-3e3ae1b000 rw-p 0001a000 08:03 63998                         
/lib64/ld-2.5.so
3e3b000000-3e3b015000 r-xp 00000000 08:03 64239                         
/lib64/libselinux.so.1
3e3b015000-3e3b214000 ---p 00015000 08:03 64239                         
/lib64/libselinux.so.1
3e3b214000-3e3b216000 rw-p 00014000 08:03 64239                         
/lib64/libselinux.so.1
3e3b216000-3e3b217000 rw-p 3e3b216000 00:00 0 
3e3b400000-3e3b43b000 r-xp 00000000 08:03 64238                         
/lib64/libsepol.so.1
3e3b43b000-3e3b63b000 ---p 0003b000 08:03 64238                         
/lib64/libsepol.so.1
3e3b63b000-3e3b63c000 rw-p 0003b000 08:03 64238                         
/lib64/libsepol.so.1
3e3b63c000-3e3b646000 rw-p 3e3b63c000 00:00 0 
3e3b800000-3e3b811000 r-xp 00000000 08:06 2247759                       
/usr/lib64/libelf-0.123.so
3e3b811000-3e3ba11000 ---p 00011000 08:06 2247759                       
/usr/lib64/libelf-0.123.so
3e3ba11000-3e3ba12000 rw-p 00011000 08:06 2247759                       
/usr/lib64/libelf-0.123.so
3e3bc00000-3e3bd44000 r-xp 00000000 08:03 63999                         
/lib64/libc-2.5.so
3e3bd44000-3e3bf44000 ---p 00144000 08:03 63999                         
/lib64/libc-2.5.so
3e3bf44000-3e3bf48000 r--p 00144000 08:03 63999                         
/lib64/libc-2.5.so
3e3bf48000-3e3bf49000 rw-p 00148000 08:03 63999                         
/lib64/libc-2.5.so
3e3bf49000-3e3bf4e000 rw-p 3e3bf49000 00:00 0 
3e3c000000-3e3c082000 r-xp 00000000 08:03 64222                         
/lib64/libm-2.5.so
3e3c082000-3e3c281000 ---p 00082000 08:03 64222                         
/lib64/libm-2.5.so
3e3c281000-3e3c282000 r--p 00081000 08:03 64222                         
/lib64/libm-2.5.so
3e3c282000-3e3c283000 rw-p 00082000 08:03 64222                         
/lib64/libm-2.5.so
3e3c400000-3e3c403000 r-xp 00000000 08:03 64227                         
/lib64/libdl-2.5.so
3e3c403000-3e3c602000 ---p 00003000 08:03 64227                         
/lib64/libdl-2.5.so
3e3c602000-3e3c603000 r--p 00002000 08:03 64227                         
/lib64/libdl-2.5.so
3e3c603000-3e3c604000 rw-p 00003000 08:03 64227                         
/lib64/libdl-2.5.so
3e3c800000-3e3c815000 r-xp 00000000 08:03 64223                         
/lib64/libpthread-2.5.so
3e3c815000-3e3ca14000 ---p 00015000 08:03 64223                         
/lib64/libpthread-2.5.so
3e3ca14000-3e3ca15000 r--p 00014000 08:03 64223                         
/lib64/libpthread-2.5.so
3e3ca15000-3e3ca16000 rw-p 00015000 08:03 64223                         
/lib64/libpthread-2.5.so
3e3ca16000-3e3ca1a000 rw-p 3e3ca16000 00:00 0 
3e3cc00000-3e3cc14000 r-xp 00000000 08:06 2247696                       
/usr/lib64/libz.so.1.2.3
3e3cc14000-3e3ce13000 ---p 00014000 08:06 2247696                       
/usr/lib64/libz.so.1.2.3
3e3ce13000-3e3ce14000 rw-p 00013000 08:06 2247696                       
/usr/lib64/libz.so.1.2.3
3e3d000000-3e3d008000 r-xp 00000000 08:03 64224                         
/lib64/librt-2.5.so
3e3d008000-3e3d207000 ---p 00008000 08:03 64224                         
/lib64/librt-2.5.so
3e3d207000-3e3d208000 r--p 00007000 08:03 64224                         
/lib64/librt-2.5.so
3e3d208000-3e3d209000 rw-p 00008000 08:03 64224                         
/lib64/librt-2.5.so
3e3f000000-3e3f020000 r-xp 00000000 08:03 64229                         
/lib64/libexpat.so.0.5.0
3e3f020000-3e3f21f000 ---p 00020000 08:03 64229                         
/lib64/libexpat.so.0.5.0
3e3f21f000-3e3f222000 rw-p 0001f000 08:03 64229                         
/lib64/libexpat.so.0.5.0
3e43a00000-3e43a11000 r-xp 00000000 08:03 64234                         
/lib64/libresolv-2.5.so
3e43a11000-3e43c11000 ---p 00011000 08:03 64234                         
/lib64/libresolv-2.5.so
3e43c11000-3e43c12000 r--p 00011000 08:03 64234                         
/lib64/libresolv-2.5.so
3e43c12000-3e43c13000 rw-p 00012000 08:03 64234                         
/lib64/libresolv-2.5.so
3e43c13000-3e43c15000 rw-p 3e43c13000 00:00 0 
3e44200000-3e44202000 r-xp 00000000 08:03 64235                         
/lib64/libcom_err.so.2.1
3e44202000-3e44401000 ---p 00002000 08:03 64235                         
/lib64/libcom_err.so.2.1
3e44401000-3e44402000 rw-p 00001000 08:03 64235                         
/lib64/libcom_err.so.2.1
3e44a00000-3e44a29000 r-xp 00000000 08:06 2247725                       
/usr/lib64/libgssapi_krb5.so.2.2
3e44a29000-3e44c28000 ---p 00029000 08:06 2247725                       
/usr/lib64/libgssapi_krb5.so.2.2
3e44c28000-3e44c2a000 rw-p 00028000 08:06 2247725                       
/usr/lib64/libgssapi_krb5.so.2.2
3e45200000-3e45223000 r-xp 00000000 08:06 2247723                       
/usr/lib64/libk5crypto.so.3.0
3e45223000-3e45423000 ---p 00023000 08:06 2247723                       
/usr/lib64/libk5crypto.so.3.0
3e45423000-3e45425000 rw-p 00023000 08:06 2247723                       
/usr/lib64/libk5crypto.so.3.0
3e45e00000-3e45e07000 r-xp 00000000 08:06 2247722                       
/usr/lib64/libkrb5support.so.0.1
3e45e07000-3e46006000 ---p 00007000 08:06 2247722                       
/usr/lib64/libkrb5support.so.0.1
3e46006000-3e46007000 rw-p 00006000 08:06 2247722                       
/usr/lib64/libkrb5support.so.0.1
3e46600000-3e46683000 r-xp 00000000 08:06 2247724                       
/usr/lib64/libkrb5.so.3.2
3e46683000-3e46883000 ---p 00083000 08:06 2247724                       
/usr/lib64/libkrb5.so.3.2
3e46883000-3e46887000 rw-p 00083000 08:06 2247724                       
/usr/lib64/libkrb5.so.3.2
3e47200000-3e47207000 r-xp 00000000 08:06 2247735                       
/usr/lib64/libpopt.so.0.0.0
3e47207000-3e47407000 ---p 00007000 08:06 2247735                       
/usr/lib64/libpopt.so.0.0.0
3e47407000-3e47408000 rw-p 00007000 08:06 2247735                       
/usr/lib64/libpopt.so.0.0.0
3e4aa00000-3e4aa0d000 r-xp 00000000 08:03 64242                         
/lib64/libgcc_s-4.1.1-20061011.so.1
3e4aa0d000-3e4ac0c000 ---p 0000d000 08:03 64242                         
/lib64/libgcc_s-4.1.1-20061011.so.1
3e4ac0c000-3e4ac0d000 rw-p 0000c000 08:03 64242                         
/lib64/libgcc_s-4.1.1-20061011.so.1
3e4be00000-3e4bee7000 r-xp 00000000 08:06 2247753                       
/usr/lib64/libstdc++.so.6.0.8
3e4bee7000-3e4c0e7000 ---p 000e7000 08:06 2247753                       
/usr/lib64/libstdc++.so.6.0.8
3e4c0e7000-3e4c0ed000 r--p 000e7000 08:06 2247753                       
/usr/lib64/libstdc++.so.6.0.8
3e4c0ed000-3e4c0f0000 rw-p 000ed000 08:06 2247753                       
/usr/lib64/libstdc++.so.6.0.8
3e4c0f0000-3e4c102000 rw-p 3e4c0f0000 00:00 0 
3e4da00000-3e4da0f000 r-xp 00000000 08:06 2247756                       
/usr/lib64/libbz2.so.1.0.3
3e4da0f000-3e4dc0e000 ---p 0000f000 08:06 2247756                       
/usr/lib64/libbz2.so.1.0.3
3e4dc0e000-3e4dc10000 rw-p 0000e000 08:06 2247756                       
/usr/lib64/libbz2.so.1.0.3
2aaaaaaab000-2aaaaaaac000 rw-p 2aaaaaaab000 00:00 0 
2aaaaaac8000-2aaaaaad5000 rw-p 2aaaaaac8000 00:00 0 
2aaaaaad5000-2aaaadfca000 r--p 00000000 08:06 1434310                   
/usr/lib/locale/locale-archive
2aaaadfca000-2aaaadfdb000 r--p 00000000 08:06 2611319                   
/usr/share/locale/ru/LC_MESSAGES/rpm.mo
2aaaadfdb000-2aaaadfe2000 r--s 00000000 08:06 2245790                   
/usr/lib64/gconv/gconv-modules.cache
2aaaadfe2000-2aaaadfe4000 r-xp 00000000 08:06 2245755                   
/usr/lib64/gconv/KOI8-R.so
2aaaadfe4000-2aaaae1e3000 ---p 00002000 08:06 2245755                   
/usr/lib64/gconv/KOI8-R.so
2aaaae1e3000-2aaaae1e5000 rw-p 00001000 08:06 2245755                   
/usr/lib64/gconv/KOI8-R.so
2aaaae1e5000-2aaaae29b000 r--p 00000000 08:06 2608472                   
/usr/share/locale/en_US/LC_MESSAGES/redhat-dist.mo
2aaaae29b000-2aaaae29c000 rw-p 2aaaae29b000 00:00 0 
2aaab0000000-2aaab0021000 rw-p 2aaab0000000 00:00 0 
2aaab0021000-2aaab4000000 ---p 2aaab0021000 00:00 0 
7fff9cf84000-7fff9cfb1000 rw-p 7fff9cf84000 00:00 0                      [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                  [vdso]


Expected Results:
No crash

Additional info:
You can observe the same by doing "less sylpheed-claws-2.5.6-1.fc6.x86_64.rpm"
(that's how I noticed this BTW).

Maybe the package is broken and bug should be filled against sylpheed-claws
instead, but rpm shouldn't crash anyway.

-- Additional comment from n3npq on 2006-10-29 12:24 EST --
Here's what I see:
  
    $ rpm --version
    RPM version 4.4.8
    $ rpm -qipvl --changelog sylpheed-claws-2.5.6-1.fc6.x86_64.rpm > /tmp/foo
    $ uname -a
    Linux wellfleet.jbj.org 2.6.17-1.2532.fc6PAE #1 SMP Tue Aug 8 20:59:36 EDT
2006 i686 i686 i386 
GNU/Linux

i.e. no segfault (not that I was expecting to be able to reproduce).

If the segfault is reproducible, can you try running under valgind please?

NEEDINFO

-- Additional comment from n3npq on 2006-10-29 12:33 EST --
This command is what I mean (sorry for the typo)

    valgrind -v /usr/lib/rpm/rpmq -qipvl --changelog
sylpheed-claws-2.5.6-1.fc6.x86_64.rpm



-- Additional comment from Vladimir.MV on 2006-10-29 17:16 EST --
Created an attachment (id=139682)
rpm output under valgrind


-- Additional comment from Vladimir.MV on 2006-10-29 17:17 EST --
Well, you are using rpm 4.4.8, probably that makes a difference ;) But we are
not talking about rawhide or something, just plain fc6...

Valgrind output attached.

-- Additional comment from Vladimir.MV on 2006-10-29 17:22 EST --
New information: this doesn't happen under C or English locale. It happens at
least under Russian UTF-8 locale, though. So "LANG=C rpm ..." doesn't crash, but
"LANG=ru_RU.UTF-8 rpm ..." does.

-- Additional comment from n3npq on 2006-10-29 21:52 EST --
Ah, there it is, reproduced with 4.4.8. The LANG=ru_RU.UTF-8 was the hint I
needed, thanks.

Fixed in rpm cvs, will be in rpm-4.4.8-0.2 when built.

UPSTREAM

-- Additional comment from bressers on 2006-10-30 09:55 EST --
Created an attachment (id=139715)
Patch dug out of upstream CVS


-- Additional comment from bressers on 2006-10-31 21:32 EST --
This issue looks to be a heap buffer overflow.  The data scribbled onto the heap
is random text from the RPM file.  I'm not able to reproduce this issue with any
language other than LANG=ru_RU.UTF-8.  This fact mitigates the potential damage
this bug could cause, therefore I'm assigning it low severity.

This issue should also affect RHEL3
Comment 1 Red Hat Bugzilla 2007-08-21 05:28:57 UTC 
User pnasrat's account has been closed
Comment 2 Josh Bressers 2011-08-02 19:04:29 UTC 
Statement:

Red Hat non longer plans to fix this flaw in Red Hat Enterprise Linux 4.
Note You need to log in before you can comment on or make changes to this bug.