pld rpm 5.4.17

Sat Mar 4 10:17:26 CET 2017

On Thu, Mar 02, 2017 at 04:05:49PM -0500, Jeffrey Johnson wrote:
> 
> > On Mar 2, 2017, at 3:52 PM, Jakub Bogusz <qboosh at pld-linux.org> wrote:
> > 
> > 
> > As far as I understand the code, rdl is size of immutable entry infos
> > part, while off is an offset in tags data part.
> > And when immutable tags data is short enough (shorter than entry infos
> > of immutable part), this check refuses to load header.
> > 
> 
> Yes. there is a ???immutable region??? header and trailer, where the
> offset field is used as a double check on the tags in the immutable region.
> 
> > IMO the checks should be like in the attached patch.
> > With it, the two refused packages are accessible again.
> > 
> 
> I???ve applied the patch and will do a few tests before checking in.
> 
> One item I note (just scanning the patch) is
> 
> -		if (rdl < REGION_TAG_COUNT || rdl > (rpmuint32_t)(off+nb))
> +		if (rdl < REGION_TAG_COUNT || rdl > (rpmuint32_t)(il * REGION_TAG_COUNT))
> 
> The variable il is derived and may be tainted, while off and nb are de facto positioning
> within the header memory blob. And yes, it may not matter.

il is already used earlier to calculate dataStart. And length of the
whole data (pvlen).

> Meanwhile the entire issue is rather obscure, and only testing will tell.
> Is there any information about what header???s are failing headerCopyLoad()?
> If those headers are public keys, then the real flaw is elsewhere, wrapping
> a public key within an immutable region, with an appended SHA1.

No, these are two packages.
I'm attaching whole db data of one of them (partially described by me
during investigation).

-- 
Jakub Bogusz    http://qboosh.pl/
-------------- next part --------------
* index 0b270000:
00000043 il
00000384 dl

0000003f 00000007 00000280 00000010	HEADER_IMMUTABLE	REGION_TAG_TYPE=RPM_BIN_TYPE
00000064 00000008 00000000 00000002	HEADER_I18NTABLE	RPM_STRING_ARRAY_TYPE
000003e8 00000006 0000000b 00000001	RPMTAG_NAME		RPM_STRING_TYPE
000003e9 00000006 00000019 00000001	RPMTAG_VERSION		RPM_STRING_TYPE
000003ea 00000006 00000020 00000001
000003eb 00000004 00000024 00000001
000003ec 00000009 00000028 00000002
000003ed 00000009 00000058 00000002
000003ee 00000004 00000090 00000001
000003ef 00000006 00000094 00000001
000003f1 00000004 000000a8 00000001
000003f2 00000006 000000ac 00000001
000003f6 00000006 000000b0 00000001
000003f7 00000006 000000b4 00000001
000003f8 00000009 000000c1 00000001
000003fc 00000006 000000d7 00000001
000003fd 00000006 000000f6 00000001
000003fe 00000006 000000fc 00000001
00000404 00000004 00000104 00000001
00000406 00000003 00000108 00000001
00000409 00000003 0000010a 00000001
0000040a 00000004 0000010c 00000001
0000040b 00000008 00000110 00000001
0000040c 00000008 00000131 00000001
0000040d 00000004 00000134 00000001
0000040f 00000008 00000138 00000001
00000410 00000008 0000013d 00000001
00000414 00000006 00000142 00000001
00000415 00000004 0000015c 00000001
00000417 00000008 00000160 00000001
00000418 00000004 00000170 00000002
00000419 00000008 00000178 00000002
0000041a 00000008 0000019b 00000002
00000428 00000006 000001ac 00000001
00000447 00000004 000001b0 00000001
00000448 00000004 000001b4 00000001
00000449 00000008 000001b8 00000001
00000458 00000004 000001bc 00000001
00000459 00000008 000001c0 00000001
0000045c 00000004 000001cc 00000001
0000045d 00000008 000001d0 00000001
0000045e 00000008 000001da 00000001
00000462 00000006 000001e8 00000001
00000464 00000006 0000022b 00000001
00000465 00000006 00000230 00000001
00000466 00000006 00000235 00000001
0000046c 00000006 00000237 00000001
00000474 00000004 00000248 00000001
00000475 00000004 0000024c 00000001
00000476 00000008 00000250 00000003
00000477 00000004 00000270 00000001
00000478 00000004 00000274 00000001
0000047b 00000008 00000278 00000001
00000499 00000004 0000027c 00000001	RPMTAG_FILEDIGESTALGOS	RPM_UINT32_TYPE
-- immutable end
00000101 00000004 00000290 00000001	RPMTAG_SIGSIZE
00000105 00000007 00000294 00000010	RPMTAG_SIGMD5
0000010d 00000006 000002a4 00000001	RPMTAG_SHA1HEADER
000003f0 00000004 000002d0 00000001	RPMTAG_INSTALLTIME
00000405 00000001 000002d4 00000001	RPMTAG_FILESTATES
00000416 00000004 000002d8 00000001	RPMTAG_ARCHIVESIZE
00000467 00000004 000002dc 00000001	RPMTAG_INSTALLCOLOR
00000468 00000004 000002e0 00000001	RPMTAG_INSTALLTID
0000048c 00000008 000002e4 00000001	RPMTAG_BLINKPKGID
0000048d 00000008 00000305 00000001	RPMTAG_BLINKHDRID
0000048e 00000008 0000032e 00000001	RPMTAG_BLINKNEVRA
00000492 00000006 0000034a 00000001	RPMTAG_PACKAGEORIGIN
000004a0 00000004 00000380 00000001	RPMTAG_PACKAGECOLOR

dataStart
d+0000	4300706c2e5554462d3800
d+000b	746f6c75612b2b2d646576656c00
d+0019	312e302e393300
d+0020	35000000
d+0024	00000000
d+0028	746f6c75612b2b206865616465722066696c657300506c696b69206e6167c582c3b3776b6f776520746f6c75612b2b00
d+0058	4865616465722066696c657320666f7220746f6c75612b2b2e00506c696b69206e6167c582c3b3776b6f776520746f6c75612b2b2e000000
d+0090	50180128
d+0094	737472616e6765722e71626f6f73682e706c0000
d+00a8	00001c20
d+00ac	504c4400
d+00b0	4d495400
d+00b4	4a616b756220426f6775737a00
d+00c1	446576656c6f706d656e742f4c696272617269657300
d+00d7	687474703a2f2f7777772e636f64656e69782e636f6d2f7e746f6c75612f00
d+00f6	6c696e757800
d+00fc	6936383600000000
d+0104	00001c20
d+0108	81a4
d+010a	0000
d+010c	50180127
d+0110	636235333237613036333131356161663335306339326438653931633261386600
d+0131	000000
d+0134	00000000
d+0138	726f6f7400
d+013d	726f6f7400
d+0142	746f6c75612b2b2d312e302e39332d352e7372632e72706d0000
d+015c	ffffffff
d+0160	746f6c75612b2b2d646576656c000000
d+0170	000000080100000a
d+0178	746f6c75612b2b2d6c6962730072706d6c6962285061796c6f616449734c7a6d612900
d+019b	312e302e39332d3500342e342e362d3100
d+01ac	342e3500
d+01b0	00000803
d+01b4	40366500
d+01b8	00000000
d+01bc	00000008
d+01c0	303a312e302e39332d350000
d+01cc	00000000
d+01d0	746f6c75612b2b2e6800
d+01da	2f7573722f696e636c7564652f00
d+01e8	2d4f32202d70697065202d666e6f2d7374726963742d616c696173696e67202d667772617076202d6d617263683d69363836202d6d74756e653d70656e7469756d3400
d+022b	6370696f00
d+0230	6c7a6d6100
d+0235	3900
d+0237	693638362d706c642d6c696e7578000000
d+0248	00000000
d+024c	00000001
d+0250	004320736f757263652c2041534349492074657874006469726563746f727900
d+0270	00000000
d+0274	00000000
d+0278	00000000
d+027c	00000001
-- immutable trailer
d+0280	0000003f 00000007 fffffca0 00000010
-- immutable end
d+0290	00000c11
d+0294	c8a786a05dc5214888b2ff2ae38a6147
d+02a4	61303336323662323336313030633035346134363334353931616161363263343436613038663430000000005018
d+02d0	01c70000
d+02d4	00000000
d+02d8	1d240000
d+02dc	00035018
d+02e0	01c33166
d+02e4	35383066316336383866306466393866353662646364363431626432333900
d+0305	3435393438653936306330623837336332666131633433633537653834346139653233346239323600
d+032e	746f6c75612b2b2d646576656c2d312e302e39332d342e6936383600
d+034a	2f686f6d652f636f6d702f72706d2f52504d532f746f6c75612b2b2d646576656c2d312e302e39332d352e693638362e72706d000000
d+0380	00000000
dataEnd=dataStart+0384