oss-sec mailing list archives
Re: CVE request: Multiple vulnerabilities in libdwarf & dwarfdump
From: Solar Designer <solar () openwall com>
Date: Tue, 24 May 2016 11:51:13 +0300
Hi,

On oss-security it is strongly preferred that actual content (rather than just links) be included in the postings for long-term archival, as long as the message doesn't exceed 200 KB (including MIME overhead).

On Tue, May 24, 2016 at 04:01:42PM +0800, Yue Liu wrote:
> There are multiple vulnerabilities in libdwarf & dwarfdump which were discovered by Yue Liu (lieanu <liuyue0310 () gmail com>) and Qixue Xiao. Vulnerabilities DW201605-001 to DW201605-019 in https://www.prevanders.net/dwarfbug.html
I've attached the current content of the above web page to this message, as text/plain.
> And another one https://bugzilla.redhat.com/show_bug.cgi?id=1330237
Here it is:

---
Description of problem:

There is a NULL pointer dereference bug in libdwarf-20160115 and latest git code.
The bug is at file dwarf_leb.c:147

  143	        byte_length++;
  144	        if (byte_length > BYTESLEBMAX) {
  145	            /* Erroneous input. What to do?
  146	               Abort? Return error? Just stop here?*/
  147	            *leb128_length = BYTESLEBMAX;    <- $pc
  148	            return number;
  149	        }
  150	    }

which is triggered by dwarf_form.c:918

  913	        *return_sval = (Dwarf_Signed) ret_value;
  914	        return DW_DLV_OK;
  915	    }
  916	
  917	    case DW_FORM_sdata:
  918	        ret_value =
  919	            (_dwarf_decode_s_leb128(attr->ar_debug_ptr, NULL));
  920	        *return_sval = ret_value;
  921	        return DW_DLV_OK;
  922	

Version-Release number of selected component (if applicable):
Tested in libdwarf-20160115 and latest git code
---
> All vulnerabilities have been fixed upstream. POC: https://sourceforge.net/p/libdwarf/regressiontests/ci/master/tree/liu/
Unfortunately, some of the PoCs are a bit too large to attach. While the above directory is ~110 KB under tar.xz, the PoC attached to Red Hat Bugzilla Bug 1330237 is ~150 KB under xz. So let's keep just the vulnerability detail in here for now.

One of the reasons why I am posting this is to provide an example of what content to include in oss-security postings going forward. Also, it's a call for smaller PoCs (for further occasions; no need to rework these PoCs now), so that those could be included as well.

Alexander
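The defect pattern in the quoted Bugzilla report, as an added example that is not libdwarf's code: a signed LEB128 decoder whose erroneous-input path reports an error instead of storing through an out-pointer that the caller (as in the DW_FORM_sdata case above) may have passed as NULL. The function name, the error codes, the `avail` bound and the value chosen for BYTESLEBMAX are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not libdwarf's code. The shape mirrors the quoted
   _dwarf_decode_s_leb128(): the caller may pass NULL for the length
   out-parameter, and input longer than BYTESLEBMAX bytes is erroneous.
   The value 10 for BYTESLEBMAX is an assumption (enough for 64 bits). */
#define BYTESLEBMAX 10

#define LEB_OK        0
#define LEB_TOO_LONG  1   /* more than BYTESLEBMAX bytes: erroneous input */
#define LEB_TRUNCATED 2   /* input ended before the final (non-0x80) byte */

/* Decodes one signed LEB128 value from at most `avail` bytes at `leb`.
   On success stores the value in *out and, only if the caller asked for
   it, the consumed byte count in *leb128_length. Error paths touch no
   out-parameter at all, so a NULL leb128_length is safe on every path,
   unlike the quoted code where the error path wrote through it. */
int decode_s_leb128(const unsigned char *leb, size_t avail,
                    int64_t *out, size_t *leb128_length)
{
    uint64_t number = 0;
    unsigned shift = 0;
    size_t byte_length = 0;
    unsigned char byte;

    do {
        if (byte_length >= avail)
            return LEB_TRUNCATED;
        if (byte_length >= BYTESLEBMAX)
            return LEB_TOO_LONG;          /* the path that crashed upstream */
        byte = leb[byte_length++];
        if (shift < 64)                   /* avoid an undefined over-shift */
            number |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);

    /* Sign-extend when the last payload byte has its sign bit (0x40) set. */
    if (shift < 64 && (byte & 0x40))
        number |= ~(uint64_t)0 << shift;

    *out = (int64_t)number;
    if (leb128_length)                    /* NULL means "caller does not care" */
        *leb128_length = byte_length;
    return LEB_OK;
}
```

The test vector -123456 = C0 BB 78 is the DWARF specification's own signed LEB128 example.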
Attachment:
dwarfbug.txt
Current thread:
- CVE request: Multiple vulnerabilities in libdwarf & dwarfdump Yue Liu (May 24)
- Re: CVE request: Multiple vulnerabilities in libdwarf & dwarfdump Solar Designer (May 24)
- Re: CVE request: Multiple vulnerabilities in libdwarf & dwarfdump cve-assign (May 24)