Message-ID: <17a82e5c-0576-4678-b88b-48355247e1e9@tum.de>
Date: Thu, 18 Jan 2024 09:40:50 +0100
From: Valentin Metz <valentin.metz@....de>
To: oss-security@...ts.openwall.com
Subject: GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability

Hi,

I have discovered a vulnerability in the GNU coreutils "split" program.
Specifically, it concerns a heap overflow with user-controlled data of multiple hundred bytes in length.

It was introduced in 40bf1591bb4362fa91e501bcec7c2029c5f65a43 on 2023-03-04.
https://github.com/coreutils/coreutils/commit/40bf1591bb4362fa91e501bcec7c2029c5f65a43#diff-30bc328ab3afa0ab9f17c6e7cf1752d558ae37cf4200e95bbb04c405c2b59518L821

Relevant diff:
@@ -816,15 +820,10 @@ /* Update hold if needed. */ if ((eoc && split_rest) || (!eoc && n_left)) { - size_t n_buf = eoc ? split_rest : n_left; + idx_t n_buf = eoc ? split_rest : n_left; if (hold_size - n_hold < n_buf) - { - if (hold_size <= SIZE_MAX - bufsize) - hold_size += bufsize; - else - xalloc_die (); - hold = xrealloc (hold, hold_size); - } + hold = xpalloc (hold, &hold_size, n_buf - (hold_size - n_hold), + -1, sizeof *hold); memcpy (hold + n_hold, sob, n_buf); n_hold += n_buf; n_left -= n_buf;

This allowed the "hold" buffer to overflow in the memcpy() of line 827 (right below the marked diff).

The GNU coreutils maintainers have been informed, and a fix was deployed today with c4c5ed8f4e9cd55a12966d4f520e3a13101637d9.
https://github.com/coreutils/coreutils/commit/c4c5ed8f4e9cd55a12966d4f520e3a13101637d9

A proof-of-concept file to trigger the crash is available under
https://github.com/Valentin-Metz/writeup_split/blob/main/split_me

You can use it to trigger a segmentation fault (SIGABRT) in split, using "split -C 1024 ./split_me".

A detailed writeup will follow once distro maintainers have had some time to distribute a fix.
A CVE-ID is yet to be assigned.

With excellent regards,
Valentin Metz

Download attachment "OpenPGP_0x1E1CC59A3E0AC2FF.asc" of type "application/pgp-keys" (653 bytes)
Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (237 bytes)
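Review bot: the hunk's safety now rests entirely on hold_size matching the real allocation behind hold at every place hold is resized, because both the minimum-growth argument `n_buf - (hold_size - n_hold)` passed to xpalloc and the `memcpy (hold + n_hold, sob, n_buf);` directly below trust that value; the removed code grew by a fixed bufsize per call and the report states the memcpy still overflowed, so every other site that reallocates or shrinks hold without updating hold_size needs to be audited in the same change, and an `assert (n_buf <= hold_size - n_hold);` placed immediately before the memcpy would turn a bookkeeping slip into a clean abort instead of a heap write past the buffer. The `split -C 1024` case from the report also belongs in the test suite as a regression test for this hunk.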
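The growth-policy change at the centre of the quoted hunk, as an added example that is not coreutils or gnulib code and does not reproduce split's control flow or its actual defect: a minimal model of the "hold" buffer append that puts the removed fixed-increment policy (grow once by bufsize) beside the added shortfall policy (grow by at least n_buf - (hold_size - n_hold)), with the capacity invariant checked right before the memcpy. The xpalloc-style growth here is a stand-in with its own overflow checks, not gnulib's implementation, and the names hold_buf, hold_grow_by, hold_append_fixed, hold_append_shortfall and demo_* plus the 16-byte bufsize and the sample records are this example's own assumptions.

```c
/* Added example, not coreutils or gnulib code: a minimal model of the
 * "hold" buffer append that the quoted hunk rewrites.  It shows the two
 * growth policies side by side and the capacity invariant a reviewer
 * would want checked immediately before the memcpy.  All names and the
 * sample data are this example's own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hold_buf {
    char *hold;           /* heap buffer */
    ptrdiff_t hold_size;  /* bytes allocated; must track the real allocation */
    ptrdiff_t n_hold;     /* bytes in use */
};

void hold_free(struct hold_buf *b)
{
    free(b->hold);
    b->hold = NULL;
    b->hold_size = b->n_hold = 0;
}

/* Stand-in for xpalloc-style growth (not gnulib's implementation): grow
 * geometrically but by at least `need` bytes, never past PTRDIFF_MAX.
 * Returns 0 on success, -1 on overflow or allocation failure. */
static int hold_grow_by(struct hold_buf *b, ptrdiff_t need)
{
    ptrdiff_t n = b->hold_size;
    ptrdiff_t room = PTRDIFF_MAX - n;   /* headroom before ptrdiff_t overflow */
    if (need < 0 || need > room)
        return -1;
    ptrdiff_t grow = n / 2 > need ? n / 2 : need;
    if (grow > room)
        grow = room;
    char *p = realloc(b->hold, (size_t)(n + grow));
    if (p == NULL)
        return -1;
    b->hold = p;
    b->hold_size = n + grow;
    return 0;
}

/* Model of the removed code: when the record does not fit, grow exactly
 * once by bufsize.  Where the original would then memcpy regardless, this
 * model returns -1 if the record still does not fit, i.e. precisely the
 * state in which the original copy would run past the end of hold. */
int hold_append_fixed(struct hold_buf *b, const char *sob, ptrdiff_t n_buf,
                      ptrdiff_t bufsize)
{
    if (n_buf < 0 || bufsize <= 0)
        return -1;
    if (b->hold_size - b->n_hold < n_buf) {
        if (b->hold_size > PTRDIFF_MAX - bufsize)
            return -1;
        char *p = realloc(b->hold, (size_t)(b->hold_size + bufsize));
        if (p == NULL)
            return -1;
        b->hold = p;
        b->hold_size += bufsize;
    }
    if (b->hold_size - b->n_hold < n_buf)
        return -1;                    /* the original would overflow here */
    memcpy(b->hold + b->n_hold, sob, (size_t)n_buf);
    b->n_hold += n_buf;
    return 0;
}

/* Model of the added code: grow by at least the shortfall
 * n_buf - (hold_size - n_hold), then assert the invariant before copying. */
int hold_append_shortfall(struct hold_buf *b, const char *sob, ptrdiff_t n_buf)
{
    if (n_buf < 0)
        return -1;
    if (b->hold_size - b->n_hold < n_buf
        && hold_grow_by(b, n_buf - (b->hold_size - b->n_hold)) != 0)
        return -1;
    if (b->hold_size - b->n_hold < n_buf)
        abort();                      /* bookkeeping slip: abort, not overflow */
    memcpy(b->hold + b->n_hold, sob, (size_t)n_buf);
    b->n_hold += n_buf;
    return 0;
}

/* Constructed scenario: bufsize 16, a 10-byte record, then a 40-byte one.
 * Returns 1 when the fixed policy refuses the second record (the original
 * would have overflowed) while the shortfall policy holds all 50 bytes. */
int demo_fixed_vs_shortfall(void)
{
    static const char rec[41] = "0123456789012345678901234567890123456789";
    struct hold_buf fixed = {NULL, 0, 0}, grown = {NULL, 0, 0};
    int ok = 1;
    ok &= hold_append_fixed(&fixed, rec, 10, 16) == 0;  /* hold_size 16, n_hold 10 */
    ok &= hold_append_fixed(&fixed, rec, 40, 16) == -1; /* one bump to 32 is too small */
    ok &= hold_append_shortfall(&grown, rec, 10) == 0;
    ok &= hold_append_shortfall(&grown, rec, 40) == 0;  /* grows by the full shortfall */
    ok &= grown.n_hold == 50 && grown.hold_size >= 50;
    ok &= memcmp(grown.hold + 10, rec, 40) == 0;
    hold_free(&fixed);
    hold_free(&grown);
    return ok;
}

/* Bookkeeping-only check (no allocation behind it): a buffer whose recorded
 * size is 4 bytes short of PTRDIFF_MAX must reject a 10-byte shortfall
 * instead of wrapping.  Returns 1 when rejected. */
int demo_overflow_rejected(void)
{
    struct hold_buf b = {NULL, PTRDIFF_MAX - 4, PTRDIFF_MAX - 4};
    return hold_append_shortfall(&b, "0123456789", 10) == -1;
}

int main(void)
{
    printf("fixed vs shortfall: %s\n", demo_fixed_vs_shortfall() ? "ok" : "FAIL");
    printf("overflow rejected:  %s\n", demo_overflow_rejected() ? "ok" : "FAIL");
    return 0;
}
```

The point of the pairing is that a growth policy has to be stated in terms of the bytes that do not fit, and that the copy must be guarded by the same variable the allocation updated; hold_append_fixed only refuses where the real code would have written past the buffer, so running it under a sanitizer is not needed to see the failing case.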