Skip to content

Fix a buffer overflow when decompressing solv pages#622

Closed
ppisar wants to merge 1 commit into
openSUSE:masterfrom
ppisar:CVE-2026-48864
Closed

Fix a buffer overflow when decompressing solv pages#622
ppisar wants to merge 1 commit into
openSUSE:masterfrom
ppisar:CVE-2026-48864

Conversation

@ppisar

@ppisar ppisar commented May 27, 2026

Copy link
Copy Markdown
Contributor

repopagestore_load_page_range() and
repopagestore_read_or_setup_pages() functions called unchecked_decompress_buf() on compressed data which were just loaded from a solv file without validating them with check_decompress_buf().

If the solv file was maliously crafted to decompress beyond REPOPAGE_BLOBSIZE-byte-sized stack-allocated buffer (e.g. 100lllll byte with high lllll counter at the end of the buffer), or a backreference was pointing out of the output buffer (e.g. a reference at the beginning of the buffer with high offset pointing before a start of the buffer), unchecked_decompress_buf() would read or write out of the output buffer, causing a buffer overflow.

Trival fix would be calling check_decompress_buf() before unchecked_decompress_buf() as repopagestore_decompress_page() already does.

Instead, this patch uses repopagestore_decompress_page() to do the check and decompression in a single step.

Acknowledgement: Aisle Research

CVE-2026-48864
https://bugzilla.redhat.com/show_bug.cgi?id=2460425

repopagestore_load_page_range() and
repopagestore_read_or_setup_pages() functions called
unchecked_decompress_buf() on compressed data which were just loaded
from a solv file without validating them with check_decompress_buf().

If the solv file was maliously crafted to decompress beyond
REPOPAGE_BLOBSIZE-byte-sized stack-allocated buffer (e.g. 100lllll
byte with high lllll counter at the end of the buffer), or
a backreference was pointing out of the output buffer (e.g.
a reference at the beginning of the buffer with high offset pointing
before a start of the buffer), unchecked_decompress_buf() would read
or write out of the output buffer, causing a buffer overflow.

Trival fix would be calling check_decompress_buf() before
unchecked_decompress_buf() as repopagestore_decompress_page() already
does.

Instead, this patch uses repopagestore_decompress_page() to do the
check and decompression in a single step.

Acknowledgement: Aisle Research

CVE-2026-48864
https://bugzilla.redhat.com/show_bug.cgi?id=2460425
@ppisar

ppisar commented May 27, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was discussed privately with libsolv maintainer before lifting an embargo on this vulnerability. The maintainer rejected it with an explanation that solv file parser is designed for speed and not for parsing nontrusted input.

@mlschroe

Copy link
Copy Markdown
Member

Yes. Closing.

@mlschroe mlschroe closed this May 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants