Re: [Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bounds heap read in pgpPrtSubType, rpmpgp.c line 444 (#148)

2017-02-17 Thread Panu Matilainen
Closed #148.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/148#event-966621106
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint


Re: [Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bounds heap read in pgpPrtSubType, rpmpgp.c line 444 (#148)

2017-02-17 Thread Panu Matilainen
Rpm 4.13.0.1 released with the fix, closing.

https://github.com/rpm-software-management/rpm/issues/148#issuecomment-280610491


Re: [Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bounds heap read in pgpPrtSubType, rpmpgp.c line 444 (#148)

2017-02-07 Thread Hanno Böck
Just for completeness: Here's a different file triggering an out of bounds a 
few lines earlier. It seems it is fixed by the same commit (sidenote: I think 
it'd be a good idea to have regression tests with all the fuzzed files that 
triggered bugs).

[rpmkeys-oob-heap-pgpPrtSubType-rpmpgp-427.zip](https://github.com/rpm-software-management/rpm/files/757334/rpmkeys-oob-heap-pgpPrtSubType-rpmpgp-427.zip)

asan message (from a 4.13.0 compile):
```
==27208==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602019bd at pc 0x00677a6a bp 0x7ffe5597dc70 sp 0x7ffe5597dc68
READ of size 4 at 0x602019bd thread T0
#0 0x677a69 in pgpPrtSubType /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:427:3
#1 0x66a45d in pgpPrtSig /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:594:6
#2 0x66a45d in pgpPrtPkt /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:819
#3 0x66a45d in pgpPrtParams /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:978
#4 0x592c67 in rpmSigInfoParse /f/rpm/rpm-4.13.0/lib/signature.c:90:6
#5 0x52d789 in rpmpkgVerifySigs /f/rpm/rpm-4.13.0/lib/rpmchecksig.c:270:7
#6 0x52f19a in rpmcliVerifySignatures /f/rpm/rpm-4.13.0/lib/rpmchecksig.c:388:13
#7 0x50415d in main /f/rpm/rpm-4.13.0/rpmkeys.c:70:7
#8 0x7f36453fb78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#9 0x41c4a8 in _start (/f/rpm/rpm-4.13.0/rpmkeys+0x41c4a8)

0x602019bd is located 0 bytes to the right of 13-byte region [0x602019b0,0x602019bd)
allocated by thread T0 here:
#0 0x4cc608 in malloc (/f/rpm/rpm-4.13.0/rpmkeys+0x4cc608)
#1 0x664d64 in rmalloc /f/rpm/rpm-4.13.0/rpmio/rpmmalloc.c:44:13
```


https://github.com/rpm-software-management/rpm/issues/148#issuecomment-277964994


[Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bounds heap read in pgpPrtSubType, rpmpgp.c line 444 (#148)

2017-02-06 Thread Hanno Böck
The attached file will cause an out of bounds heap read in "rpmkeys -K".

[rpmkeys-pgpPrtSubType-rpmpgp-444.zip](https://github.com/rpm-software-management/rpm/files/755884/rpmkeys-pgpPrtSubType-rpmpgp-444.zip)

Here's the address sanitizer output:
```
==15315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60201a81 at pc 0x00677361 bp 0x7fff631cdeb0 sp 0x7fff631cdea8
READ of size 8 at 0x60201a81 thread T0
#0 0x677360 in pgpPrtSubType /f/rpm/rpm/rpmio/rpmpgp.c:444:3
#1 0x669d1d in pgpPrtSig /f/rpm/rpm/rpmio/rpmpgp.c:594:6
#2 0x669d1d in pgpPrtPkt /f/rpm/rpm/rpmio/rpmpgp.c:819
#3 0x669d1d in pgpPrtParams /f/rpm/rpm/rpmio/rpmpgp.c:978
#4 0x595487 in rpmSigInfoParse /f/rpm/rpm/lib/signature.c:104:6
#5 0x52d908 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:263:7
#6 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
#7 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
#8 0x7ff690a0078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#9 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x60201a81 is located 1 bytes to the right of 16-byte region [0x60201a70,0x60201a80)
allocated by thread T0 here:
#0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
#1 0x664624 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
```


https://github.com/rpm-software-management/rpm/issues/148
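Both traces above show pgpPrtSubType reading 4 and 8 bytes just past the end of a small heap region while walking signature subpackets. The following is an added illustration, not rpm's code and not the fix shipped in 4.13.0.1: a bounds-checked walk over OpenPGP signature subpackets (RFC 4880 §5.2.3.1) that validates each subpacket length against the octets actually present before reading a fixed-size body. The function and constant names (`walk_subpackets`, `subpkt_len`, `SP_*`) and the sample byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 4880 subpacket types used below (constants named here, not rpm's). */
#define SP_SIG_CREATION_TIME 2    /* 4-octet body */
#define SP_ISSUER_KEYID      16   /* 8-octet body */
/* Decode a 1-, 2- or 5-octet subpacket length prefix. Returns the number of
 * prefix octets consumed, or 0 if fewer octets than the prefix needs remain. */
static size_t subpkt_len(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (p[0] < 192) { *len = p[0]; return 1; }
    if (p[0] < 255) { if (avail < 2) return 0; *len = ((size_t)(p[0] - 192) << 8) + p[1] + 192; return 2; }
    if (avail < 5) return 0;
    *len = ((size_t)p[1] << 24) | ((size_t)p[2] << 16) | ((size_t)p[3] << 8) | p[4];
    return 5;
}

/* Walk a subpacket area of n octets, checking every length against the octets
 * present before any body byte is read. Returns the count accepted, or -1. */
int walk_subpackets(const uint8_t *h, size_t n, uint32_t *created, uint64_t *issuer)
{
    size_t off = 0, plen = 0, used; int count = 0;
    while (off < n) {
        used = subpkt_len(h + off, n - off, &plen);
        if (used == 0) return -1;                          /* truncated length prefix */
        off += used;
        if (plen < 1 || plen > n - off) return -1;         /* no type octet, or body runs past the end */
        const uint8_t *body = h + off + 1;                 /* plen - 1 body octets follow the type */
        switch (h[off] & 0x7f) {                           /* bit 7 is the "critical" flag */
        case SP_SIG_CREATION_TIME:
            if (plen - 1 != 4) return -1;                  /* check before the 4-octet read */
            *created = ((uint32_t)body[0] << 24) | ((uint32_t)body[1] << 16) | ((uint32_t)body[2] << 8) | body[3];
            break;
        case SP_ISSUER_KEYID:
            if (plen - 1 != 8) return -1;                  /* check before the 8-octet read */
            for (*issuer = 0; body < h + off + plen; body++) *issuer = (*issuer << 8) | *body;
            break;
        default: break;                                    /* unknown types are skipped by their length */
        }
        off += plen; count++;
    }
    return count;
}

/* Constructed samples (not the files attached to the issue). */
const uint8_t good_area[]  = { 0x05, 0x02, 0x58, 0x9a, 0x12, 0x34, 0x09, 0x10, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
const uint8_t short_area[] = { 0x09, 0x10, 0x11, 0x22 };   /* claims an 8-octet key ID, only 2 present */
const uint8_t bad_time[]   = { 0x03, 0x02, 0x58, 0x9a };   /* creation time with a 2-octet body */
uint32_t out_created; uint64_t out_issuer;
```

On `good_area` the walk accepts both subpackets; `short_area` is rejected at the length check and `bad_time` at the fixed-size check, each before any out-of-range byte is touched.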