VYPR
Unrated severity · NVD Advisory · Published Sep 2, 2021 · Updated Aug 4, 2024

CVE-2021-33938


Description

Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17 allows attackers to cause a Denial of Service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing bounds check on the index `p >> 3` before accessing `solv->recommendsmap.map` in the `MAPSET` and `MAPTST` macros within `prune_to_recommended`."

Attack vector

An attacker supplies a crafted testcase file (PoC) to the `testsolv` tool, which triggers `prune_to_recommended` during dependency resolution [ref_id=1]. The `MAPSET` and `MAPTST` macros compute the byte offset `p >> 3` into `solv->recommendsmap.map` without checking that the offset lies below the bitmap's allocated `size` [ref_id=1]. When `p` is larger than the number of solvables the map was sized for, `MAPSET` writes and `MAPTST` reads past the heap allocation; the reported outcome is a heap-buffer-overflow and a crash, i.e. denial of service [ref_id=1]. No authentication or network access is required beyond the ability to feed a malformed solver input: a testcase file for `testsolv`, or repository and job data for an application that embeds the libsolv solver.

Affected code

The vulnerability resides in the function `prune_to_recommended` in `src/policy.c`. Two heap-buffer-overflow bugs occur at line 403 (`MAPSET(&solv->recommendsmap, p)`) and line 514 (`MAPTST(&solv->recommendsmap, p)`) [ref_id=1]. Both operate on the `solv->recommendsmap` `Map`, a bitmap with one bit per solvable Id whose `size` field is its length in bytes; the byte index `p >> 3` can exceed that `size` [ref_id=1]. The PoC file names (`PoC-policy_update_recommendsmap-403` and `-514`) refer to `policy_update_recommendsmap`, the helper in the same file that populates `recommendsmap` before `prune_to_recommended` consults it, so both sites belong to the same code path.

What the fix does

The advisory does not include a patch diff; it reports the bugs as present in libsolv before version 0.7.17 [ref_id=1]. The recommended fix is to add bounds checks before the `MAPSET` and `MAPTST` operations in `prune_to_recommended`, ensuring that the byte index `p >> 3` is strictly less than `solv->recommendsmap.size` [ref_id=1]; because libsolv's `Id` is a signed `int`, such a check must also reject negative `p`, whose shifted index would land in front of the allocation. Upgrading to libsolv 0.7.17 or later is the vendor's remediation guidance [ref_id=1].
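As an added illustration of the root cause and of the fix described above (this is not code from libsolv or from the advisory), the following C program recreates the shape of libsolv's `Map` bitmap and its unchecked `MAPSET`/`MAPTST` macros, then adds the bounds check the advisory recommends. The `Map` layout and the macro bodies follow libsolv's `src/bitmap.h`; `map_in_bounds`, `map_set_checked`, `map_tst_checked`, `would_overflow` and `checked_roundtrip` are names invented here, and the solvable counts and Ids are constructed inputs, not values from the PoC files.

```c
#include <stdio.h>
#include <stdlib.h>

typedef int Id;   /* libsolv Ids are signed ints */

/* Shape of libsolv's Map (src/bitmap.h): one bit per solvable Id,
 * `size` is the byte length of `map`.  Re-created here for illustration. */
typedef struct {
    unsigned char *map;
    int size;
} Map;

/* Unchecked accessors with the same bodies as libsolv's macros: the byte
 * index p >> 3 is never compared against size, which is the defect. */
#define MAPSET(m, n) ((m)->map[(n) >> 3] |= 1 << ((n) & 7))
#define MAPTST(m, n) ((m)->map[(n) >> 3] & (1 << ((n) & 7)))

/* Allocate a zeroed bitmap for n solvables (n bits, rounded up to bytes),
 * as the solver does when it is created. */
static void map_init(Map *m, int n)
{
    m->size = (n + 7) >> 3;
    m->map = calloc(m->size > 0 ? m->size : 1, 1);
}

static void map_free(Map *m)
{
    free(m->map);
    m->map = NULL;
    m->size = 0;
}

/* The check the advisory recommends: byte index strictly below size.
 * Negative Ids are rejected too, since p >> 3 of a negative int is
 * negative and would index in front of the allocation. (Invented name.) */
static int map_in_bounds(const Map *m, Id p)
{
    return p >= 0 && (p >> 3) < m->size;
}

/* Checked variants: refuse (return 0) instead of touching memory out of range. */
static int map_set_checked(Map *m, Id p)
{
    if (!map_in_bounds(m, p))
        return 0;
    MAPSET(m, p);
    return 1;
}

static int map_tst_checked(const Map *m, Id p)
{
    if (!map_in_bounds(m, p))
        return 0;
    return MAPTST(m, p) ? 1 : 0;
}

/* Would the unchecked macros overflow a map sized at solver creation for
 * `nsolvables` solvables when handed Id p?  The overflow itself is not
 * performed: that access is undefined behaviour, which is the bug. */
static int would_overflow(int nsolvables, Id p)
{
    Map m;
    int oob;
    map_init(&m, nsolvables);
    oob = !map_in_bounds(&m, p);
    map_free(&m);
    return oob;
}

/* Set then test Id p through the checked accessors in a map sized for
 * `nsolvables`; returns 1 if both succeed, 0 if the bounds check refused. */
static int checked_roundtrip(int nsolvables, Id p)
{
    Map m;
    int ok;
    map_init(&m, nsolvables);
    ok = map_set_checked(&m, p) && map_tst_checked(&m, p);
    map_free(&m);
    return ok;
}

int main(void)
{
    /* Constructed inputs: a pool of 10 solvables (a 2-byte map) and a few
     * Ids, including ones past the allocation as a crafted testcase yields. */
    Id probes[] = { 0, 9, 15, 16, 4096, -1 };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("p=%5d  unchecked MAPSET/MAPTST overflow: %s  checked roundtrip: %d\n",
               probes[i], would_overflow(10, probes[i]) ? "yes" : "no ",
               checked_roundtrip(10, probes[i]));
    return 0;
}
```

Note what `(p >> 3) < size` does and does not guarantee: it keeps the access inside the allocation, but a map sized for 10 solvables has 2 bytes, so Ids 10 through 15 pass the check even though no such solvable exists. Comparing `p` against the solvable count the map was created for is the tighter condition; the negative-Id branch matters because `p >> 3` of a negative `int` indexes before the buffer, which ASan would report just as readily as an overrun past the end.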

Preconditions

  • Attacker must supply a crafted testcase file that triggers the prune_to_recommended code path in the testsolv tool, or equivalent repository and job input to any application that uses libsolv's solver.
  • The solver must process a repository or job description that causes the Id p to exceed the number of solvables recommendsmap was allocated for.

Reproduction

Use the provided PoC files with a `testsolv` binary built with AddressSanitizer (for example by adding `-fsanitize=address` to the C flags when building libsolv). Run `/libsolvBuildDir/tools/testsolv PoC-policy_update_recommendsmap-403` to trigger the overflow at line 403, or `/libsolvBuildDir/tools/testsolv PoC-policy_update_recommendsmap-514` to trigger the overflow at line 514, where `/libsolvBuildDir` stands for the libsolv build tree [ref_id=1]. The ASan report shows a heap-buffer-overflow READ at the respective source line [ref_id=1].

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
