| Summary: | rpm: validate input files | ||
|---|---|---|---|
| Product: | Busybox | Reporter: | Tobias Stoeckmann <tobias> |
| Component: | Other | Assignee: | unassigned |
| Status: | NEW --- | ||
| Severity: | normal | CC: | busybox-cvs |
| Priority: | P5 | ||
| Version: | 1.33.x | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Host: | Target: | ||
| Build: | |||
| Attachments: |
rpm.patch
proof of concept (crash on 32 and 64 bit) proof of concept (crash on 32 bit) |
||
Created attachment 9036 [details]
proof of concept (crash on 32 and 64 bit)
Created attachment 9041 [details]
proof of concept (crash on 32 bit)
|
Created attachment 9031 [details] rpm.patch Offsets and tag entry count in input files are not validated before used. This can lead to heap overflows and out ouf boundary accesses. Stop processing files if invalid entries are encountered. Entries are invalid if: - Offsets into data area exceed limits - Strings in data area are not nul terminated - Offsets point into data without enough bytes for data type - Too many entries specified The limit of INT_MAX guarantees proper operations even on 32 bit systems with 32 bit off_t data type, i.e. no large file system support. 2 GB is already a very large limit for RPM tags.