Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20160514135543.9BF946C050C@smtpvmsrv1.mitre.org>
Date: Sat, 14 May 2016 09:55:43 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: dosfstools / fsck.vfat: Several invalid memory accesses

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

These reports are about command-line programs that realistically
encounter untrusted input. However,
https://github.com/dosfstools/dosfstools/blob/master/README.md says
"dosfstools consists of the programs mkfs.fat, fsck.fat and fatlabel
to create, check and label file systems of the FAT family." It does
not state that dosfstools provides a library that can be used to build
other programs that a user may want. In particular, there does not
seem to be a use case in which a provided program needs to remain
running to process additional filesystems after encountering an
invalid filesystem.


> https://github.com/dosfstools/dosfstools/issues/11
> Global out of bounds read file_stat() / check_dir()
> https://github.com/dosfstools/dosfstools/commit/2aad1c83c7d010de36afbe79c9fde22c50aa2f74
> Git commit / fix

As far as we can tell, this one is not a vulnerability in the
above-described context. It seems to be an out-of-bounds read that
doesn't affect the flow of control.


> https://github.com/dosfstools/dosfstools/issues/12
> Unclear invalid memory access in get_fat()
> https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
> Git commit / fix
> 
> that was a nasty one: FAT12 corruption when a certain FAT entry at the
> end is changed.
> 
> set_fat(): Fix off-by-2 error leading to corruption in FAT12
> 
> If the third to last entry was written on a FAT12 filesystem with an
> odd number of clusters, the second to last entry would be corrupted.
> This corruption may also lead to invalid memory accesses when the
> corrupted entry becomes out of bounds and is used later.

Use CVE-2015-8872.


> https://github.com/dosfstools/dosfstools/issues/25
> Heap overflow in read_fat()
> https://github.com/dosfstools/dosfstools/issues/26
> Heap out of bounds read in get_fat()
> https://github.com/dosfstools/dosfstools/commit/e8eff147e9da1185f9afd5b25948153a3b97cf52
> Git commit / fix for both issues
> 
> it's a failure to properly catch a zero length FAT in read_fat() and
> continuing with that and the other corrupt values
> 
> read_boot(): Handle excessive FAT size specifications
> 
> The variable used for storing the FAT size (in bytes) was an unsigned
> int. Since the size in sectors read from the BPB was not sufficiently
> checked, this could end up being zero after multiplying it with the
> sector size while some offsets still stayed excessive. Ultimately it
> would cause segfaults when accessing FAT entries for which no memory
> was allocated.

Use CVE-2016-4804 (this applies to both issues/25 and issues/26, even
though the impact in 25 is a heap-based buffer overflow with write
access, and the impact in 26 is a heap-based buffer over-read).

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXNy15AAoJEHb/MwWLVhi25VEP/iMdL0X84Xo9ysSMP9D0hxZz
1v3OtKF16jmGPpKBiC++PHoBN533jVi+K7epBhkvHC2ycKTsHHK6ImmWCguRU2C5
w+rpoqEHMsqmiCf9M/XjutMHvgCdsFbNf4pe4dkJBt5oAK+oqThzUZ2kFK1Jvs0U
HBDQHs9XKWIMals6N+FyF1TanIX2dUtchaky+Ba92piL3rdN95vs1/Mt1C6l+7bw
ZUt8uqIZMNOCgr5Cq1gMvc16VFYOi8ZYWol1FBq0kFpxzjsOn8dpeJ4lxn+JKyyp
hpAKUBPAgv+OWogtq+LsklD9qoGuaBKClrZiVL6qbr9YYA9NBabXuMqJJghGHUTy
omKQsTOE+SuQXLLiV/gKs0bCUkWbK7yScSRUG2lEb1qtbWqHByZTq/FHTC2Kc5IY
n0VUEayp2IFwfny11pM+D1O6VeWBFRvZNgc849VHNSo5KbTo1z9aFQSmld38t5sW
DOzg6IvV86P+jP/OzCv7uDbJG6aSDoy8fELv4xisCp4cFq+K+9aLUqWj9HrPr+on
3AEntSjDmvrEMvmNxY6I7ayan2AphcEGblUNnuu+2k0KnOEKjS1oIcCXSbnS8F0J
NGI1jYf+Y5LPMX6aLmJEazyU0fXtNJx6BAKhmaGNzTBXpZdhD9nkw88puLQKMBv2
TZGsWop91NEPNGjtPSRa
=tWe9
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.