Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20170110062713.GB10582@lorien.valinor.li>
Date: Tue, 10 Jan 2017 07:27:13 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, Colin Watson <cjwatson@...ark.greenend.org.uk>
Subject: Re: Re: CVE Request: icoutils: exploitable crash in
 wrestool programm

Hi,

On Sun, Jan 08, 2017 at 02:47:40PM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > an exploitable crash in wrestool from the icoutils
>
> > https://bugs.debian.org/850017
> > https://anonscm.debian.org/git/users/cjwatson/icoutils.git/plain/debian/patches/check-offset-overflow.patch
>
> >> wrestool/fileread.c
>
> >> On 64-bit systems, the result of subtracting two pointers exceeds the
> >> size of int
>
> Use CVE-2017-5208.

Thanks for the CVE assignment. Ftr, this was upstreamed as

http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=0d569f458f306b88f60156d60c9cf058125cf173

It turns out that this is not enough, so upstream has issued

http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31b7ec031b0be070a9a400d1d3

to make the checks more stringent. Quoting a reply from upstream to the Debian
maintainer "But as I see it there are still combinations of the arguments which
make the test succeed even though the the memory block identified by
offset&size is not fully inside memory&total_size ??? e.g. offset < memory, but
size is larger than the difference.  I have attached another patch (applies on
top of yours) that more stringently checks all the memory bounds. Hopefully
that will preempt shenanigans with specially crafted files containing weird
offsets and sizes."

Could you please assign a further CVE for this follow up fix?

Furthermore I would like to ask if the following two commits from upstream,
can have as well an identifier assigned:

http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a

They relate to the Red Hat bugzilla entry at

https://bugzilla.redhat.com/show_bug.cgi?id=1249276

All the three followup commits are included in Debian with the recent
upload to Debian unstable, versioned as 0.31.1-1.

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.