rpms/libsolv
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix a buffer overflow when decompressing solv pages (CVE-2026-48864)

Browse Source 
Resolves: RHEL-178982
This commit is contained in:
Petr Písař 2026-05-27 16:04:54 +02:00
parent be95157b02
commit 78045a2b68
2 changed files with 72 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
0014-Fix-a-buffer-overflow-when-decompressing-solv-pages.patch Normal file
View File

@ -0,0 +1,62 @@
From 6ba8fbf6603a7fcfdb1744df52d6f0c291f7b29f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 5 May 2026 10:52:20 +0200
Subject: [PATCH] Fix a buffer overflow when decompressing solv pages
repopagestore_load_page_range() and
repopagestore_read_or_setup_pages() functions called
unchecked_decompress_buf() on compressed data which were just loaded
from a solv file without validating them with check_decompress_buf().
If the solv file was maliously crafted to decompress beyond
REPOPAGE_BLOBSIZE-byte-sized stack-allocated buffer (e.g. 100lllll
byte with high lllll counter at the end of the buffer), or
a backreference was pointing out of the output buffer (e.g.
a reference at the beginning of the buffer with high offset pointing
before a start of the buffer), unchecked_decompress_buf() would read
or write out of the output buffer, causing a buffer overflow.
Trival fix would be calling check_decompress_buf() before
unchecked_decompress_buf() as repopagestore_decompress_page() already
does.
Instead, this patch uses repopagestore_decompress_page() to do the
check and decompression in a single step.
Acknowledgement: Aisle Research
CVE-2026-48864
https://bugzilla.redhat.com/show_bug.cgi?id=2460425
---
src/repopage.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/repopage.c b/src/repopage.c
index a9a1c074..0967979b 100644
--- a/src/repopage.c
+++ b/src/repopage.c
@@ -779,8 +779,8 @@ repopagestore_load_page_range(Repopagestore *store, unsigned int pstart, unsigne
if (compressed)
{
unsigned int out_len;
- out_len = unchecked_decompress_buf(buf, in_len, dest, REPOPAGE_BLOBSIZE);
- if (out_len != REPOPAGE_BLOBSIZE && pnum < store->num_pages - 1)
+ out_len = repopagestore_decompress_page(buf, in_len, dest, REPOPAGE_BLOBSIZE);
+ if (out_len == 0 || (out_len != REPOPAGE_BLOBSIZE && pnum < store->num_pages - 1))
{
#ifdef DEBUG_PAGING
fprintf(stderr, "can't decompress\n");
@@ -947,8 +947,8 @@ repopagestore_read_or_setup_pages(Repopagestore *store, FILE *fp, unsigned int p
}
if (compressed)
{
- out_len = unchecked_decompress_buf(buf, in_len, dest, REPOPAGE_BLOBSIZE);
- if (out_len != REPOPAGE_BLOBSIZE && i < npages - 1)
+ out_len = repopagestore_decompress_page(buf, in_len, dest, REPOPAGE_BLOBSIZE);
+ if (out_len == 0 || (out_len != REPOPAGE_BLOBSIZE && i < npages - 1))
{
return SOLV_ERROR_CORRUPT;
}
--
2.54.0

11
libsolv.spec
View File

@ -23,7 +23,7 @@
Name: lib%{libname}
Version: 0.7.24
Release: 5%{?dist}
Release: 6%{?dist}
Summary: Package dependency solver
License: BSD
@ -44,6 +44,11 @@ Patch12: 0012-Add-testcase-for-color-filtering-when-adding-update-.patch
# upstream patch: https://github.com/openSUSE/libsolv/commit/2c85ed581422e072ad95119f3d7dc19eb45f29ac
Patch13: 0013-choice-rules-also-do-solver_choicerulecheck-for-pack.patch
# Fix a buffer overflow when decompressing solv pages (CVE-2026-48864),
# RHEL-178982, rejected by upstream,
# <https://github.com/openSUSE/libsolv/pull/622>.
Patch14: 0014-Fix-a-buffer-overflow-when-decompressing-solv-pages.patch
BuildRequires: cmake
BuildRequires: gcc-c++
BuildRequires: ninja-build
@ -269,6 +274,10 @@ export LD_LIBRARY_PATH=%{buildroot}%{_libdir}
%endif
%changelog
* Fri Jun 05 2026 Petr Pisar <ppisar@redhat.com> - 0.7.24-6
- Fix a buffer overflow when decompressing solv pages (CVE-2026-48864)
(RHEL-178982)
* Wed Apr 22 2026 Marek Blaha <mblaha@redhat.com> - 0.7.24-5
- Backport "choice rules: also do solver_choicerulecheck for package downgrades"
Resolves: RHEL-141449