Re: Possible CVE Requests: libmspack: several issues

[Hanno Böck <hanno () hboeck de>]

Hi,

On Tue, 3 Feb 2015 16:52:05 +0100
Salvatore Bonaccorso <carnil () debian org> wrote:

> Several issues with the libmspack library were reported recently in
> the Debian bugtracker by Jakub Wilk.

Some additional info: This code is shared with cabextract. I recently
also reported issues to the author that were all fixed in
the cabextract 1.5 and libmspack 0.5alpha releases.
(The author was unaware that I am not part of debian, so he only
mentions Debian fixes in the release notes - but these include the
fixes for the issues reported by me).

Rundown of issues I found:

Invalid read in ensure_filepath:

==29962==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000efd2 at pc 0x40aafd bp 0x7fff365ba030 sp 0x7fff365ba020 READ
of size 1 at 0x60200000efd2 thread T0 #0 0x40aafc in ensure_filepath
src/cabextract.c:1034 #1 0x40aafc in process_cabinet
src/cabextract.c:504 #2 0x40aafc in main src/cabextract.c:350
    #3 0x7ff5e30f8f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #4 0x40be2d (/tmp/cabextract-1.4/cabextract+0x40be2d)

Invalid in create_output_name:
==29965==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000effe at pc 0x40a9b8 bp 0x7fffd50309e0 sp 0x7fffd50309d0 READ
of size 1 at 0x60200000effe thread T0 #0 0x40a9b7 in create_output_name
src/cabextract.c:828 #1 0x40a9b7 in process_cabinet src/cabextract.c:444
    #2 0x40a9b7 in main src/cabextract.c:350
    #3 0x7f68d131bf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #4 0x40be2d (/tmp/cabextract-1.4/cabextract+0x40be2d)


All found with american fuzzy lop.

(P.S.: Do we have a policy on attachments on this list? I was unsure if
it'd be apprechiated that I attach the issue-exposing samples)


cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: _bin
Description: OpenPGP digital signature