libsolv
cpe:2.3:a:opensuse:libsolv:*:*:*:*:*:*:*
- <= 0.7.36
A heap buffer overflow vulnerability has been identified in libsolv versions through 0.7.36. This vulnerability arises in the repo_add_solv function when processing specially crafted .solv files that contain negative size values. The negative values lead to insufficient memory allocation, allowing for out-of-bounds writes. An attacker could exploit this vulnerability, causing a denial-of-service condition by crashing the application or consuming excessive resources.
Exploitation of this vulnerability leads to a heap-based buffer overflow, a type of memory corruption that can commonly be exploited to execute arbitrary code. In this case, the vulnerability causes a denial-of-service by crashing the application or causing it to use excessive CPU or memory resources.
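The bug class described above, a signed size field from an untrusted file reaching allocation arithmetic, shown as an added example that is not libsolv's code. The record layout, the `ENTRY_SIZE` and `MAX_ENTRIES` constants, and both function names are hypothetical; the second function shows the validation a parser should perform before allocating.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header field: a signed 32-bit entry count read from an
 * untrusted file. Not libsolv's actual on-disk format or code. */
#define ENTRY_SIZE  8u
#define MAX_ENTRIES (1u << 24)   /* assumed sanity cap for this example */

/* Unsafe pattern: the signed count is converted to size_t unchecked.
 * -1 wraps to a zero-byte request (under-allocation); -2 wraps to a
 * request close to SIZE_MAX (resource exhaustion). */
size_t naive_alloc_size(int32_t count)
{
    return (size_t)count * ENTRY_SIZE + ENTRY_SIZE;
}

/* Hardened: reject negative and oversized counts, then check the
 * multiplication before any allocation. Returns 0 on success. */
int checked_alloc_size(int32_t count, size_t *out)
{
    if (count < 0 || (uint32_t)count > MAX_ENTRIES)
        return -1;
    size_t n = (size_t)count + 1;        /* one extra terminator slot */
    if (n > SIZE_MAX / ENTRY_SIZE)
        return -1;
    *out = n * ENTRY_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed sample values for the count field. */
    int32_t samples[] = { 4, -1, -2 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t safe = 0;
        int rc = checked_alloc_size(samples[i], &safe);
        printf("count=%d naive=%zu checked=%s\n", (int)samples[i],
               naive_alloc_size(samples[i]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```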
The vulnerability can be reproduced by building libsolv with AddressSanitizer enabled, or by using a libsolv consumer that processes .solv files, such as the dumpsolv tool. After preparing a crafted .solv file that exploits the vulnerability, the file can be processed with the libsolv application, which will trigger the heap buffer overflow.
Users are advised to avoid processing untrusted .solv files with libsolv or any applications that use libsolv, such as Red Hat Satellite 6. Ensure that all .solv data comes from trusted sources. Red Hat has deferred fixes for this vulnerability in Red Hat Enterprise Linux 7, 8, 9, and in the OpenShift Container Platform 4. Red Hat Enterprise Linux 10 and Red Hat Hardened Images are affected, but no fix is currently available.