pld rpm 5.4.17

Jeffrey Johnson n3npq at me.com
Thu Mar 2 22:05:49 CET 2017


> On Mar 2, 2017, at 3:52 PM, Jakub Bogusz <qboosh at pld-linux.org> wrote:
> 
> 
> As far as I understand the code, rdl is size of immutable entry infos
> part, while off is an offset in tags data part.
> And when immutable tags data is short enough (shorter than entry infos
> of immutable part), this check refuses to load header.
> 

Yes. There is an “immutable region” header and trailer, where the
offset field is used as a double check on the tags in the immutable region.

> IMO the checks should be like in the attached patch.
> With it, the two refused packages are accessible again.
> 

I’ve applied the patch and will do a few tests before checking in.

One item I note (just scanning the patch) is

-		if (rdl < REGION_TAG_COUNT || rdl > (rpmuint32_t)(off+nb))
+		if (rdl < REGION_TAG_COUNT || rdl > (rpmuint32_t)(il * REGION_TAG_COUNT))
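Review bot: the new upper bound `(rpmuint32_t)(il * REGION_TAG_COUNT)` makes the region check only as trustworthy as whatever earlier validation `il` received, since `il` is itself read from the header; make sure `il` has already been bounded against the blob size before this line, and that the product cannot wrap in the cast type before `rdl` is compared against it. Keeping the `rdl < REGION_TAG_COUNT` lower bound is right, and a multiple-of-entry-size check on `rdl` would reject more malformed trailers for free.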

The variable il is derived and may be tainted, while off and nb are de facto positioning
within the header memory blob. And yes, it may not matter.
Meanwhile the entire issue is rather obscure, and only testing will tell.
Is there any information about what headers are failing headerCopyLoad()?
If those headers are public keys, then the real flaw is elsewhere, wrapping
a public key within an immutable region, with an appended SHA1.

Thanks for the patch.

73 de Jeff
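As an added illustration of the bounds discipline this thread is about (this is example code written here, not code from rpm or from either poster): the header-derived counts `il` and `dl` are checked against the buffer before any arithmetic uses them, and the region trailer's negative offset (`rdl`, the size of the region's entry infos) is bounded by the index section that `il` describes rather than by a data-section offset. The layout constants follow the RPM header format (16-byte entry infos, tag 63 for the immutable region, a 16-byte BIN trailer whose offset field is negative); the function names, the assumption that the blob starts at the `il` field (after the 8-byte magic), and the sample blobs are constructed for this example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants follow the RPM header format; everything else here is constructed. */
#define ENTRY_INFO_SIZE        16u  /* tag, type, offset, count: four big-endian 32-bit words */
#define REGION_TAG_COUNT       16u  /* the region trailer is a 16-byte BIN entry */
#define RPMTAG_HEADERIMMUTABLE 63u
#define RPM_BIN_TYPE           7u

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Assumption: blob points at the il field (the 8-byte magic/reserved prefix is
 * already stripped). Returns 0 when the immutable region is consistent with the
 * buffer, a distinct negative code for each rejected condition. */
int check_immutable_region(const unsigned char *blob, size_t len) {
    if (len < 8) return -1;
    uint32_t il = be32(blob);       /* number of entry infos, untrusted */
    uint32_t dl = be32(blob + 4);   /* bytes of tag data, untrusted */

    /* Bound il and dl by the buffer before doing arithmetic with them. */
    if (il == 0 || il > (len - 8) / ENTRY_INFO_SIZE) return -2;
    size_t index_bytes = (size_t)il * ENTRY_INFO_SIZE;
    if (dl > len - 8 - index_bytes) return -3;

    const unsigned char *pe   = blob + 8;
    const unsigned char *data = pe + index_bytes;

    /* The first entry info must describe the immutable region: tag 63, BIN, count 16. */
    if (be32(pe) != RPMTAG_HEADERIMMUTABLE || be32(pe + 4) != RPM_BIN_TYPE ||
        be32(pe + 12) != REGION_TAG_COUNT)
        return -4;

    /* off positions the trailer inside the data section; keep it inside dl. */
    uint32_t off = be32(pe + 8);
    if (dl < REGION_TAG_COUNT || off > dl - REGION_TAG_COUNT) return -5;
    const unsigned char *trailer = data + off;

    if (be32(trailer) != RPMTAG_HEADERIMMUTABLE || be32(trailer + 4) != RPM_BIN_TYPE ||
        be32(trailer + 12) != REGION_TAG_COUNT)
        return -6;

    /* The trailer's offset is negative: minus the byte size of the region's entry infos. */
    int32_t neg = (int32_t)be32(trailer + 8);
    if (neg >= 0) return -7;
    uint32_t rdl = (uint32_t)(-(int64_t)neg);

    /* rdl counts entry-info bytes, so it is bounded by the index section (il),
     * not by data offsets; the 64-bit product cannot wrap. */
    if (rdl < REGION_TAG_COUNT || (uint64_t)rdl > (uint64_t)il * ENTRY_INFO_SIZE ||
        rdl % ENTRY_INFO_SIZE != 0)
        return -8;
    return 0;
}

/* Constructed sample: il=1, dl=16, one region entry, trailer offset -16. */
static const unsigned char good_blob[40] = {
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x10,
    0x00,0x00,0x00,0x3F, 0x00,0x00,0x00,0x07, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x10,
    0x00,0x00,0x00,0x3F, 0x00,0x00,0x00,0x07, 0xFF,0xFF,0xFF,0xF0, 0x00,0x00,0x00,0x10,
};

/* Constructed sample: same layout, but the trailer claims 32 bytes of entry infos
 * while il only accounts for 16. */
static const unsigned char bad_rdl_blob[40] = {
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x10,
    0x00,0x00,0x00,0x3F, 0x00,0x00,0x00,0x07, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x10,
    0x00,0x00,0x00,0x3F, 0x00,0x00,0x00,0x07, 0xFF,0xFF,0xFF,0xE0, 0x00,0x00,0x00,0x10,
};

/* Constructed sample: il=3 with only one entry's worth of bytes present, so dl
 * overruns the buffer; rejected before any entry is dereferenced. */
static const unsigned char truncated_blob[40] = {
    0x00,0x00,0x00,0x03, 0x00,0x00,0x00,0x10,
    0x00,0x00,0x00,0x3F, 0x00,0x00,0x00,0x07, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x10,
    0x00,0x00,0x00,0x3F, 0x00,0x00,0x00,0x07, 0xFF,0xFF,0xFF,0xF0, 0x00,0x00,0x00,0x10,
};

int main(void) {
    printf("good: %d\n", check_immutable_region(good_blob, sizeof good_blob));
    printf("bad rdl: %d\n", check_immutable_region(bad_rdl_blob, sizeof bad_rdl_blob));
    printf("truncated: %d\n", check_immutable_region(truncated_blob, sizeof truncated_blob));
    return 0;
}
```

The order of checks is the point: `il` and `dl` are clamped to the buffer first, so every later pointer computation stays inside `len`, and `rdl` is compared against the index section (`il * 16`), which is what it actually measures, rather than against a data-section offset that need not have any relation to it.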


