<p>The attached files will cause an invalid free or double free. As they're both in the same code line I assume it's the same bug in different variations.</p>
<p>This only affects the git code, not the latest release (otherwise I wouldn't have reported it to a public bug tracker). This is obviously a very serious security issue.</p>
<pre><code>==27173==ERROR: AddressSanitizer: attempting double-free on 0x61a000012080 in thread T0:
    #0 0x4cc500 in __interceptor_cfree.localalias.1 (/r/rpm/rpmkeys+0x4cc500)
    #1 0x52db63 in readFile /f/rpm/rpm/lib/rpmchecksig.c:157:5
    #2 0x52db63 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #3 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13
    #4 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #5 0x7fca86edb78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x61a000012080 is located 0 bytes inside of 1153-byte region [0x61a000012080,0x61a000012501)
freed by thread T0 here:
    #0 0x4cc500 in __interceptor_cfree.localalias.1 (/r/rpm/rpmkeys+0x4cc500)
    #1 0x5c8bac in hdrblobRead /f/rpm/rpm/lib/header.c:1897:2
    #2 0x52dab4 in readFile /f/rpm/rpm/lib/rpmchecksig.c:135:9
    #3 0x52dab4 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #4 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13

previously allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664504 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x52dab4 in readFile /f/rpm/rpm/lib/rpmchecksig.c:135:9
    #3 0x52dab4 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #4 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13

SUMMARY: AddressSanitizer: double-free (/r/rpm/rpmkeys+0x4cc500) in __interceptor_cfree.localalias.1
</code></pre>
<pre><code>==28859==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7ffde9ad6100 in thread T0
    #0 0x4cc500 in __interceptor_cfree.localalias.1 (/r/rpm/rpmkeys+0x4cc500)
    #1 0x52db63 in readFile /f/rpm/rpm/lib/rpmchecksig.c:157:5
    #2 0x52db63 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:277
    #3 0x52f31a in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:380:13
    #4 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #5 0x7fee8e92378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free (/r/rpm/rpmkeys+0x4cc500) in __interceptor_cfree.localalias.1
==28859==ABORTING
</code></pre>
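<p>The first trace shows the buffer allocated at rpmchecksig.c:135 being freed inside hdrblobRead (header.c:1897) and then freed again by readFile at rpmchecksig.c:157, i.e. a callee releasing a buffer its caller still believes it owns. The constructed C example below is an added illustration of that ownership pattern and of the pointer-by-reference fix; it is not rpm's code, and the function names, the 16-byte length check and the allocation tracker are invented for the demonstration.</p>

```c
#include <stdlib.h>

/* Constructed example, not rpm's code: a caller allocates a blob, the reader
 * frees it on its own error path, and the caller frees it again on exit, as in
 * the traces above. A small tracker stands in for ASan so both variants run. */

#define MAX_LIVE 8
static void *live[MAX_LIVE];  /* heap pointers currently owned by a caller */
static int bad_free_count;    /* frees of pointers that are not live */

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                  /* table full or malloc failed */
    return NULL;
}

static void tracked_free(void *p)
{
    if (p == NULL) return;    /* free(NULL) is always a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_free_count++;         /* what ASan reports as double-free / bad-free */
}

/* Buggy reader: frees the caller's blob on error but has no way to tell the
 * caller, so the caller's pointer is left dangling. */
static int blob_read_buggy(void *blob, size_t len)
{
    if (len < 16) { tracked_free(blob); return -1; }
    return 0;
}

/* Fixed reader: takes the pointer by reference and NULLs it whenever it frees,
 * so ownership transfer is visible and the caller's later free is harmless. */
static int blob_read_fixed(void **blob, size_t len)
{
    if (len < 16) { tracked_free(*blob); *blob = NULL; return -1; }
    return 0;
}

/* Caller in the shape of readFile(): allocate, hand off, free on the way out. */
int read_file(size_t len, int fixed)
{
    void *blob = tracked_malloc(len);
    int rc = fixed ? blob_read_fixed(&blob, len) : blob_read_buggy(blob, len);
    tracked_free(blob);       /* double free in the buggy variant on short input */
    return rc;
}
int bad_frees(void) { return bad_free_count; }
```

<p>Building the real code with <code>-fsanitize=address</code> is the way to catch this class of bug; the tracker here only makes the faulty path safe to run in a unit test.</p>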

<p>Issue: <a href="https://github.com/rpm-software-management/rpm/issues/147">rpm-software-management/rpm #147: Invalid free / double free in readFile() / rpmkeys pre signature check</a></p>