[Rpm-maint] [rpm-software-management/rpm] stack buffer overflow in glob/rpmGlob - rpm 4.13.0.1 (#156)

Hanno Böck notifications at github.com
Fri Feb 17 10:42:28 UTC 2017


This does not affect the current git head code, but it affects the release 4.13.0.1. It's been reported before to the Red Hat security team and publicly here:
https://blog.fuzzing-project.org/52-Multiple-vulnerabilities-in-RPM-and-a-rant.html

[rpm-stackoverflow-glob.zip](https://github.com/rpm-software-management/rpm/files/782965/rpm-stackoverflow-glob.zip)

ASAN stack trace:
```
==16566==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffe01660342 at pc 0x7fe28839a527 bp 0x7ffe01660310 sp 0x7ffe01660308
WRITE of size 1 at 0x7ffe01660342 thread T0
    #0 0x7fe28839a526 in glob /mnt/ram/rpm-rpm-4.13.0.1-release/rpmio/rpmglob.c:342:7
    #1 0x7fe288393eec in rpmGlob /mnt/ram/rpm-rpm-4.13.0.1-release/rpmio/rpmglob.c:875:7
    #2 0x7fe2886bfe4a in rpmReadPackageManifest /mnt/ram/rpm-rpm-4.13.0.1-release/lib/manifest.c:117:14
    #3 0x7fe2887275e8 in tryReadManifest /mnt/ram/rpm-rpm-4.13.0.1-release/lib/rpminstall.c:319:10
    #4 0x7fe2887275e8 in rpmInstall /mnt/ram/rpm-rpm-4.13.0.1-release/lib/rpminstall.c:537
    #5 0x50b446 in main /mnt/ram/rpm-rpm-4.13.0.1-release/rpmqv.c:294:12
    #6 0x7fe2860db1e0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r1/work/glibc-2.24/csu/../csu/libc-start.c:289
    #7 0x41a429 in _start (/mnt/ram/rpm-rpm-4.13.0.1-release/.libs/rpm+0x41a429)
```

GitHub issue: https://github.com/rpm-software-management/rpm/issues/156