oss-sec mailing list archives

Re: rpm/librpm/rpm-python memory corruption pre-verification


From: nicolas vigier <boklm () mars-attacks org>
Date: Thu, 29 Sep 2011 15:25:40 +0200

On Tue, 27 Sep 2011, Tavis Ormandy wrote:


> Hey, after the scary flaws Georgi spotted in apt-get, I had a quick look at
> rpm signature verification. Some trivial bitflipping found a few memory
> corruption issues.
>
> Originally I didn't think yum used rpm, but I was wrong, rpm-python is a
> native module wrapper that exports librpm to python. I'll step through the
> signature verification logic when I get a chance.
>
> Obviously we need the sections of rpm code touched before signature
> verification to be bulletproof, as most distributions rely on public mirror
> services that may or may not be trusted. Any volunteers who know crypto
> better than me appreciated, I'll be primarily looking for memory corruption.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=741606
> https://bugzilla.redhat.com/show_bug.cgi?id=741612

Patches on rpm git:
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=a48f0e20cbe2ababc88b2fc52fb7a281d6fc1656

