| Summary: | CVE-2011-3378: rpm: crashes and overflows on malformed header | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Vigier <boklm> |
| Component: | Security | Assignee: | D Morgan <dmorganec> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, derekjenn, qa-bugs, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | rpm | CVE: | |
| Status comment: | | | |

Description
Nicolas Vigier
2011-09-29 15:14:08 CEST
This can be tested with this package: https://bugzilla.redhat.com/attachment.cgi?id=525110

rpm -qp --checksig on this package creates a segmentation fault.

Problem confirmed with just --checksig.

    $ rpm --checksig dataStart.rpm
    Segmentation fault

CC: (none) => davidwhodgins

rpm available in core/update_testing

Assignee: dmorganec => qa-bugs

Confirmed bug and fix on x86_64 with rpm-4.8.1-10.1.mga1.x86_64.rpm

Verified rpm still working normally

CC: (none) => derekjenn

Confirmed fixed in i586.

    $ rpm --checksig dataStart.rpm
    error: dataStart.rpm: headerRead failed

Could someone from the sysadmin team push the srpm rpm-4.8.1-10.1.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory. This security update corrects CVE-2011-3378 where a malformed header could cause rpm to fail with a segfault.

https://bugs.mageia.org/show_bug.cgi?id=2872

Keywords: (none) => validated_update

As it's a very very very important package that we can't afford to break, I suggest to wait for a few days before pushing it.

CC: (none) => stormi

One more patch fixing segfaults with malformed packages:
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=30635dd4330a192fa2b6e202a0e2490eba599a93

I think we should include this one too.

Keywords: validated_update => (none)

Confirmed bug on i586 using https://bugzilla.redhat.com/attachment.cgi?id=525758

    # rpm -i ./nothing.rpm
    Segmentation fault

CC: sysadmin-bugs => (none)

new rpm just uploaded in the BS.

The update creates a /etc/rpm/macros.rpmnew file:

current /etc/rpm/macros:

    %_install_langs _:de:en:es:fr:fr_BE:fr_CA:fr_CH:fr_FR:fr_LU:it:pl:pt:ru

/etc/rpm/macros.rpmnew:

    # Put your own system macros here
    # usually contains
    # Set this one according your locales
    # %_install_langs

I don't remember having changed /etc/rpm/macros by myself. Does it risk to occur for many users? If yes, it will be confusing, as MageiaUpdate asks the user to make a choice (create .rpmnew, drop old changes, or do nothing).

CC: (none) => qa-bugs

It's the installer that modifies that file on system install according to selected languages, so only manpages for those languages are installed.

CC: (none) => tmb

(In reply to comment #11)
> It's the installer that modifies that file on system install according to
> selected languages, so only manpages for those languages are installed.

Hmm, bad news, this means that all users will have this "there was a .rpmnew created during install" message and many probably wonder what it means. There's no way to avoid it?

(In reply to comment #7)
> One more patch fixing segfaults with malformed packages:
> http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=30635dd4330a192fa2b6e202a0e2490eba599a93
>
> I think we should include this one too.

    # rpm -i ./nothing.rpm
    error: skipping package with unverifiable V0 signature
    error: ./nothing.rpm cannot be installed

Confirmed fixed on i586.

Confirmed fixed on x86_64.

If a packager can answer to comment #12, then we'll see if we push as is or wait for a change to handle it.

This is not a new problem, it has always been like this when pushing a new rpm. It was (afaik still is) the same in mdv. Yes, it would be nice to fix it somehow, but I don't think it should block this security update.

Agreed comment 12 is not a regression, so it does not block this update.

As the people testing the latest package have been running with it for a week now, with no regressions detected, I'm validating the update.

Can someone from the sysadmin team push the srpm rpm-4.8.1-10.2.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory: This security update to rpm fixes two vulnerabilities.

CVE-2011-3378: rpm: crashes and overflows on malformed header

Red Hat bug 742499: Sub-packet prefix length + packet length exceeds the remaining packet length

https://bugs.mageia.org/show_bug.cgi?id=2872

Keywords: (none) => validated_update

update pushed.

Status: NEW => RESOLVED