rpm-software-management / deltarpm


Multiple crashes from fuzzing #19

Open asarubbo opened 1 year ago

asarubbo commented 1 year ago

It looks like 6 seconds were enough to make makedeltarpm crash... [screenshot: Screenshot_20230317_095434]

Here is the summary of the crashes I found. I'm pretty sure that some of these have the same root cause, so in order to cause as little confusion as possible in the CVE request, please confirm that.

All issues are reproducible via:

makedeltarpm drpm-old.rpm CRAFTED_RPM NEW.rpm

Where drpm-old.rpm is available at: https://github.com/rpm-software-management/drpm/raw/master/test/drpm-old.rpm

THE LIST OF THE ISSUES:

1- Testcase: 1.crashes.rpm Full log: 1.crashes.rpm.log.txt

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000009a6 at pc 0x0000004088c4 bp 0x7ffe805e20d0 sp 0x7ffe805e20c8
READ of size 1 at 0x6060000009a6 thread T0
    #0 0x4088c3 in main /root/drpm/deltarpm/makedeltarpm.c:1097
    #1 0x7f1c35e7a1f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #2 0x7f1c35e7a2ab in __libc_start_main_impl ../csu/libc-start.c:381
    #3 0x410d10 in _start (/usr/bin/makedeltarpm+0x410d10)

2- Testcase: 10.crashes.rpm Full log: 10.crashes.rpm.log.txt

ERROR: AddressSanitizer: SEGV on unknown address 0x620023bcfb1e (pc 0x7f119f165399 bp 0x7ffcff90c460 sp 0x7ffcff90bc08 T0)
==23738==The signal is caused by a READ memory access.
    #0 0x7f119f165399  (/lib64/libc.so.6+0x141399)
    #1 0x7f119f26187c in __interceptor_strlen /var/tmp/portage/sys-devel/gcc-11.3.1_p20221209/work/gcc-11-20221209/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:387
    #2 0x4311ac in headtonevr /root/drpm/deltarpm/rpmhead.c:322
    #3 0x40be02 in main /root/drpm/deltarpm/makedeltarpm.c:1522
    #4 0x7f119f0471f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #5 0x7f119f0472ab in __libc_start_main_impl ../csu/libc-start.c:381
    #6 0x410d10 in _start (/usr/bin/makedeltarpm+0x410d10)

3- Testcase: 1000.crashes.rpm Full log: 1000.crashes.rpm.log.txt

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000000f2d at pc 0x7f0af1fed8f6 bp 0x7ffec9a8e460 sp 0x7ffec9a8dc10
READ of size 1 at 0x620000000f2d thread T0
    #0 0x7f0af1fed8f5 in __interceptor_strlen /var/tmp/portage/sys-devel/gcc-11.3.1_p20221209/work/gcc-11-20221209/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
    #1 0x431196 in headtonevr /root/drpm/deltarpm/rpmhead.c:322
    #2 0x40be02 in main /root/drpm/deltarpm/makedeltarpm.c:1522
    #3 0x7f0af1dd31f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7f0af1dd32ab in __libc_start_main_impl ../csu/libc-start.c:381
    #5 0x410d10 in _start (/usr/bin/makedeltarpm+0x410d10)

4- Testcase: 101.crashes.rpm Full log: 101.crashes.rpm.log.txt

ERROR: AddressSanitizer: SEGV on unknown address 0x62000a000d76 (pc 0x000000407e48 bp 0x7ffc442e5e20 sp 0x7ffc442e4450 T0)
==24138==The signal is caused by a READ memory access.
    #0 0x407e48 in main /root/drpm/deltarpm/makedeltarpm.c:1097
    #1 0x7f697890a1f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #2 0x7f697890a2ab in __libc_start_main_impl ../csu/libc-start.c:381
    #3 0x410d10 in _start (/usr/bin/makedeltarpm+0x410d10)

5- Testcase: 1038.crashes.rpm Full log: 1038.crashes.rpm.log.txt

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000000e23 at pc 0x00000042dffd bp 0x7ffe74c78410 sp 0x7ffe74c78408
READ of size 1 at 0x620000000e23 thread T0
    #0 0x42dffc in headstring /root/drpm/deltarpm/rpmhead.c:169
    #1 0x407d40 in main /root/drpm/deltarpm/makedeltarpm.c:1093
    #2 0x7f45f52441f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #3 0x7f45f52442ab in __libc_start_main_impl ../csu/libc-start.c:381
    #4 0x410d10 in _start (/usr/bin/makedeltarpm+0x410d10)

6- Testcase: 1049.crashes.rpm Full log: 1049.crashes.rpm.log.txt

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000000e23 at pc 0x00000042c2ba bp 0x7ffce8c801f0 sp 0x7ffce8c801e8
READ of size 1 at 0x620000000e23 thread T0
    #0 0x42c2b9 in headint32 /root/drpm/deltarpm/rpmhead.c:108
    #1 0x430efe in headtonevr /root/drpm/deltarpm/rpmhead.c:307
    #2 0x40be02 in main /root/drpm/deltarpm/makedeltarpm.c:1522
    #3 0x7f5874f271f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7f5874f272ab in __libc_start_main_impl ../csu/libc-start.c:381
    #5 0x410d10 in _start (/usr/bin/makedeltarpm+0x410d10)

7- Testcase: 1058.crashes.rpm Full log: 1058.crashes.rpm.log.txt

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000037 at pc 0x7fa5bc56c6e0 bp 0x7ffdd6454600 sp 0x7ffdd6453db0
READ of size 24 at 0x604000000037 thread T0
    #0 0x7fa5bc56c6df in __interceptor_memcpy /var/tmp/portage/sys-devel/gcc-11.3.1_p20221209/work/gcc-11-20221209/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x422c4b in rpmMD5Update /root/drpm/deltarpm/md5.c:96
    #2 0x40798f in main /root/drpm/deltarpm/makedeltarpm.c:1073
    #3 0x7fa5bc3551f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7fa5bc3552ab in __libc_start_main_impl ../csu/libc-start.c:381
    #5 0x410d10 in _start (/usr/bin/makedeltarpm+0x410d10)

8- Testcase: 1072.crashes.rpm Full log: 1072.crashes.rpm.log.txt

ERROR: AddressSanitizer: heap-use-after-free on address 0x62000000272d at pc 0x7f222818f8f6 bp 0x7ffd31c9a260 sp 0x7ffd31c99a10
READ of size 1 at 0x62000000272d thread T0
    #0 0x7f222818f8f5 in __interceptor_strlen /var/tmp/portage/sys-devel/gcc-11.3.1_p20221209/work/gcc-11-20221209/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
    #1 0x431196 in headtonevr /root/drpm/deltarpm/rpmhead.c:322
    #2 0x40be02 in main /root/drpm/deltarpm/makedeltarpm.c:1522
    #3 0x7f2227f751f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7f2227f752ab in __libc_start_main_impl ../csu/libc-start.c:381
    #5 0x410d10 in _start (/usr/bin/makedeltarpm+0x410d10)

9- Testcase: 11.crashes.rpm Full log: 11.crashes.rpm.log.txt

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000024800 at pc 0x00000043806a bp 0x7ffea4157e20 sp 0x7ffea4157e18
READ of size 1 at 0x631000024800 thread T0
    #0 0x438069 in hash_findnext /root/drpm/deltarpm/delta.c:338
    #1 0x43bee8 in mkdiff /root/drpm/deltarpm/delta.c:896
    #2 0x40da41 in main /root/drpm/deltarpm/makedeltarpm.c:1496
    #3 0x7f327abdc1f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7f327abdc2ab in __libc_start_main_impl ../csu/libc-start.c:381
    #5 0x410d10 in _start (/usr/bin/makedeltarpm+0x410d10)

10- Testcase: 724.crashes.rpm Full log: 724.crashes.rpm.log.txt

ERROR: AddressSanitizer: heap-use-after-free on address 0x621000001a5e at pc 0x7f2250a7e36c bp 0x7ffcf50c70b0 sp 0x7ffcf50c6860
READ of size 1 at 0x621000001a5e thread T0
    #0 0x7f2250a7e36b in __interceptor_strcmp /var/tmp/portage/sys-devel/gcc-11.3.1_p20221209/work/gcc-11-20221209/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:466
    #1 0x40afd8 in main /root/drpm/deltarpm/makedeltarpm.c:1485
    #2 0x7f22508141f6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #3 0x7f22508142ab in __libc_start_main_impl ../csu/libc-start.c:381
    #4 0x410d10 in _start (/usr/bin/makedeltarpm+0x410d10)

The archive with the testcases and the logs is here: makedeltarpm.zip

I tested the package at the following commit: https://github.com/rpm-software-management/deltarpm/commit/1e764732d53b51720f2faabb409462b1af7a8ca7
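As an added triage aid (not part of the report or of the deltarpm project): the script below buckets ASan reports by the first stack frame inside the project's source tree, which is the usual first pass for checking the reporter's guess that several testcases share a root cause. It assumes the `/root/drpm/deltarpm/` build path seen in the logs above, and the sample reports are constructed, abbreviated copies of five of the reports in this issue.

```python
import re
from collections import defaultdict

# Source tree the reports above were built from; frames outside it are skipped.
PROJECT_DIR = "/root/drpm/deltarpm/"
ERROR_RE = re.compile(r"AddressSanitizer: (\S+)")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")

def crash_site(report):
    """Return (error kind, 'file:line in func') for the first in-tree frame."""
    m = ERROR_RE.search(report)
    kind = m.group(1) if m else "unknown"
    for func, path, line in FRAME_RE.findall(report):
        if path.startswith(PROJECT_DIR):
            return kind, f"{path[len(PROJECT_DIR):]}:{line} in {func}"
    return kind, "no in-tree frame"

def bucket_reports(reports):
    """Group {testcase: report text} by crash site -> [(testcase, kind), ...]."""
    buckets = defaultdict(list)
    for name, text in reports.items():
        kind, site = crash_site(text)
        buckets[site].append((name, kind))
    return dict(buckets)

# Constructed, abbreviated copies of five reports from this issue (interceptor
# paths shortened); the libc frame without "in" is skipped by FRAME_RE.
SAMPLE_REPORTS = {
    "1.crashes.rpm": "ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000009a6\n"
                     "    #0 0x4088c3 in main /root/drpm/deltarpm/makedeltarpm.c:1097\n",
    "101.crashes.rpm": "ERROR: AddressSanitizer: SEGV on unknown address 0x62000a000d76\n"
                       "    #0 0x407e48 in main /root/drpm/deltarpm/makedeltarpm.c:1097\n",
    "10.crashes.rpm": "ERROR: AddressSanitizer: SEGV on unknown address 0x620023bcfb1e\n"
                      "    #0 0x7f119f165399  (/lib64/libc.so.6+0x141399)\n"
                      "    #1 0x7f119f26187c in __interceptor_strlen /var/tmp/x/sanitizer_common_interceptors.inc:387\n"
                      "    #2 0x4311ac in headtonevr /root/drpm/deltarpm/rpmhead.c:322\n",
    "1000.crashes.rpm": "ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000000f2d\n"
                        "    #0 0x7f0af1fed8f5 in __interceptor_strlen /var/tmp/x/sanitizer_common_interceptors.inc:389\n"
                        "    #1 0x431196 in headtonevr /root/drpm/deltarpm/rpmhead.c:322\n",
    "1072.crashes.rpm": "ERROR: AddressSanitizer: heap-use-after-free on address 0x62000000272d\n"
                        "    #0 0x7f222818f8f5 in __interceptor_strlen /var/tmp/x/sanitizer_common_interceptors.inc:389\n"
                        "    #1 0x431196 in headtonevr /root/drpm/deltarpm/rpmhead.c:322\n",
}

if __name__ == "__main__":
    for site, hits in bucket_reports(SAMPLE_REPORTS).items():
        print(f"{site}: {len(hits)} testcase(s)")
        for name, kind in sorted(hits):
            print(f"    {name:20} {kind}")
```

A shared site is only a hint: the different error kinds within one bucket (overflow vs. SEGV vs. use-after-free at rpmhead.c:322) still need confirming against the source before merging them into one CVE.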