Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 Feb 2015 17:24:58 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: Possible CVE Requests: libmspack: several issues

Hi,

On Tue, 3 Feb 2015 16:52:05 +0100
Salvatore Bonaccorso <carnil@...ian.org> wrote:

> Several issues with the libmspack library were reported recently in
> the Debian bugtracker by Jakub Wilk.

Some additional info: This code is shared with cabextract. I recently
also reported issues to the author that were all fixed in
the cabextract 1.5 and libmspack 0.5alpha releases.
(The author was unaware that I am not part of debian, so he only
mentions Debian fixes in the release notes - but these include the
fixes for the issues reported by me).

Rundown of issues I found:

Invalid read in ensure_filepath:

==29962==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000efd2 at pc 0x40aafd bp 0x7fff365ba030 sp 0x7fff365ba020 READ
of size 1 at 0x60200000efd2 thread T0 #0 0x40aafc in ensure_filepath
src/cabextract.c:1034 #1 0x40aafc in process_cabinet
src/cabextract.c:504 #2 0x40aafc in main src/cabextract.c:350
    #3 0x7ff5e30f8f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #4 0x40be2d (/tmp/cabextract-1.4/cabextract+0x40be2d)

Invalid in create_output_name:
==29965==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000effe at pc 0x40a9b8 bp 0x7fffd50309e0 sp 0x7fffd50309d0 READ
of size 1 at 0x60200000effe thread T0 #0 0x40a9b7 in create_output_name
src/cabextract.c:828 #1 0x40a9b7 in process_cabinet src/cabextract.c:444
    #2 0x40a9b7 in main src/cabextract.c:350
    #3 0x7f68d131bf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #4 0x40be2d (/tmp/cabextract-1.4/cabextract+0x40be2d)


All found with american fuzzy lop.

(P.S.: Do we have a policy on attachments on this list? I was unsure if
it'd be apprechiated that I attach the issue-exposing samples)


cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.