From 78045a2b6803a02f331c3564f195709037d10dc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Wed, 27 May 2026 16:04:54 +0200
Subject: [PATCH] Fix a buffer overflow when decompressing solv pages (CVE-2026-48864)

Resolves: RHEL-178982
---
 ...erflow-when-decompressing-solv-pages.patch | 62 +++++++++++++++++++
 libsolv.spec | 11 +++-
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 0014-Fix-a-buffer-overflow-when-decompressing-solv-pages.patch

diff --git a/0014-Fix-a-buffer-overflow-when-decompressing-solv-pages.patch b/0014-Fix-a-buffer-overflow-when-decompressing-solv-pages.patch
new file mode 100644
index 0000000..ccbf761
--- /dev/null
+++ b/0014-Fix-a-buffer-overflow-when-decompressing-solv-pages.patch
@@ -0,0 +1,62 @@
+From 6ba8fbf6603a7fcfdb1744df52d6f0c291f7b29f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Tue, 5 May 2026 10:52:20 +0200
+Subject: [PATCH] Fix a buffer overflow when decompressing solv pages
+
+repopagestore_load_page_range() and
+repopagestore_read_or_setup_pages() functions called
+unchecked_decompress_buf() on compressed data which were just loaded
+from a solv file without validating them with check_decompress_buf().
+
+If the solv file was maliously crafted to decompress beyond
+REPOPAGE_BLOBSIZE-byte-sized stack-allocated buffer (e.g. 100lllll
+byte with high lllll counter at the end of the buffer), or
+a backreference was pointing out of the output buffer (e.g.
+a reference at the beginning of the buffer with high offset pointing
+before a start of the buffer), unchecked_decompress_buf() would read
+or write out of the output buffer, causing a buffer overflow.
+
+Trival fix would be calling check_decompress_buf() before
+unchecked_decompress_buf() as repopagestore_decompress_page() already
+does.
+
+Instead, this patch uses repopagestore_decompress_page() to do the
+check and decompression in a single step.
+
+Acknowledgement: Aisle Research
+
+CVE-2026-48864
+https://bugzilla.redhat.com/show_bug.cgi?id=2460425
+---
+ src/repopage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/repopage.c b/src/repopage.c
+index a9a1c074..0967979b 100644
+--- a/src/repopage.c
++++ b/src/repopage.c
+@@ -779,8 +779,8 @@ repopagestore_load_page_range(Repopagestore *store, unsigned int pstart, unsigne
+ if (compressed)
+ {
+ unsigned int out_len;
+- out_len = unchecked_decompress_buf(buf, in_len, dest, REPOPAGE_BLOBSIZE);
+- if (out_len != REPOPAGE_BLOBSIZE && pnum < store->num_pages - 1)
++ out_len = repopagestore_decompress_page(buf, in_len, dest, REPOPAGE_BLOBSIZE);
++ if (out_len == 0 || (out_len != REPOPAGE_BLOBSIZE && pnum < store->num_pages - 1))
+ {
+ #ifdef DEBUG_PAGING
+ fprintf(stderr, "can't decompress\n");
+@@ -947,8 +947,8 @@ repopagestore_read_or_setup_pages(Repopagestore *store, FILE *fp, unsigned int p
+ }
+ if (compressed)
+ {
+- out_len = unchecked_decompress_buf(buf, in_len, dest, REPOPAGE_BLOBSIZE);
+- if (out_len != REPOPAGE_BLOBSIZE && i < npages - 1)
++ out_len = repopagestore_decompress_page(buf, in_len, dest, REPOPAGE_BLOBSIZE);
++ if (out_len == 0 || (out_len != REPOPAGE_BLOBSIZE && i < npages - 1))
+ {
+ return SOLV_ERROR_CORRUPT;
+ }
+--
+2.54.0
+
diff --git a/libsolv.spec b/libsolv.spec
index f0d035b..628f61f 100644
--- a/libsolv.spec
+++ b/libsolv.spec
@@ -23,7 +23,7 @@ Name: lib%{libname}
 Version: 0.7.24
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Package dependency solver
 License: BSD
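Review bot: The `out_len == 0` guard added at both call sites folds two outcomes into one: check_decompress_buf() rejecting the stream (presumably what makes repopagestore_decompress_page() return 0) and a checked stream that genuinely decompresses to zero bytes; for every page but the last the existing `!= REPOPAGE_BLOBSIZE` test already rejects the latter, but for the last page the new guard is only correct if the writer never emits an empty page, which should be confirmed in the page-writing code and recorded next to the call, e.g. `/* 0 means check_decompress_buf() rejected the page; a valid page is assumed never to be empty -- confirm against the writer */`. Both enclosing functions, repopagestore_load_page_range() and repopagestore_read_or_setup_pages(), start and end outside the hunk, so the error path taken after the DEBUG_PAGING fprintf in the first site is not visible here and should be checked to fail the load rather than continue with a partially filled `dest`. Since the fix consists of routing on-disk data through the checking wrapper, any other caller of unchecked_decompress_buf() that is fed file contents should be audited the same way before the CVE is treated as closed; only these two sites are patched.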
@@ -44,6 +44,11 @@ Patch12: 0012-Add-testcase-for-color-filtering-when-adding-update-.patch
 # upstream patch: https://github.com/openSUSE/libsolv/commit/2c85ed581422e072ad95119f3d7dc19eb45f29ac
 Patch13: 0013-choice-rules-also-do-solver_choicerulecheck-for-pack.patch
+# Fix a buffer overflow when decompressing solv pages (CVE-2026-48864),
+# RHEL-178982, rejected by upstream,
+# .
+Patch14: 0014-Fix-a-buffer-overflow-when-decompressing-solv-pages.patch
+
 BuildRequires: cmake
 BuildRequires: gcc-c++
 BuildRequires: ninja-build
@@ -269,6 +274,10 @@ export LD_LIBRARY_PATH=%{buildroot}%{_libdir}
 %endif
 %changelog
+* Fri Jun 05 2026 Petr Pisar - 0.7.24-6
+- Fix a buffer overflow when decompressing solv pages (CVE-2026-48864)
+ (RHEL-178982)
+
 * Wed Apr 22 2026 Marek Blaha - 0.7.24-5
 - Backport "choice rules: also do solver_choicerulecheck for package downgrades"
 Resolves: RHEL-141449
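Review bot: The comment block above the new `Patch14:` line says the patch was `rejected by upstream` but not why, nor what upstream did about CVE-2026-48864 instead, and the line `# .` appears to carry no content (possibly an angle-bracketed URL that the renderer dropped; if the file really has an empty line there it should hold the upstream discussion link). Whoever rebases this package to a newer libsolv needs that information to decide whether to drop, keep or replace the patch; the `Patch13:` entry just above shows the local convention of citing the upstream commit URL. Suggest `# rejected by upstream in favour of <upstream fix or discussion URL>,` with the real reference, or a short statement that upstream considers the issue unfixed.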