[Rpm-maint] [rpm-software-management/rpm] heap out of bounds read in copyTdEntry() (#133)

Panu Matilainen notifications at github.com
Thu Feb 2 11:47:09 UTC 2017

Just FWIW, this is enough to catch all of #133, #135, #136, #138 and #139:

--- a/lib/header.c
+++ b/lib/header.c
@@ -255,6 +255,8 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
        if (end > info.offset)
            goto err;
+       if (info.tag < HEADER_I18NTABLE)
+           goto err;
        if (hdrchkType(info.type))
            goto err;
        if (hdrchkAlign(info.type, info.offset))

Hysterically there are no checks whatsoever on the tag values in rpm. In this particular case it's an out-of-place immutable region tag which causes assumptions in the code fail, in #135, #136, #138 and #139 it's a required tag replaced with a negative value. So catching stuff below the normal tag range will minimally cover all these. There are other layers present too, like missing sanity checks on tag types all over the place.

Also it's perhaps worth pointing out that none of the packages in the series crash nor pass through 'rpm -K' verification.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20170202/480e5d52/attachment.html>

More information about the Rpm-maint mailing list