libmspack: CVE-2014-9732: null pointer dereference on a crafted CAB

Related Vulnerabilities: CVE-2014-9732  

Debian Bug report logs - #774665


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Sun, 21 Dec 2014 17:39:02 UTC

Severity: normal

Found in version 0.4-2

Fixed in version libmspack/0.5-1

Done: Marc Dequènes (Duck) <Duck@DuckCorp.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#773659; Package cabextract. (Sun, 21 Dec 2014 17:39:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cabextract: null pointer dereference on a crafted CAB
Date: Sun, 21 Dec 2014 18:35:36 +0100
Package: cabextract
Version: 1.4-4+b1
Usertags: afl

cabextract crashes (trying to dereference a null pointer) on the attached 
crafted CAB file:

$ gpg -d nullderef.cab.asc > nullderef.cab
$ cabextract -t nullderef.cab
nullderef.cab: WARNING; possible 1626 extra bytes at end of file.
Testing cabinet: nullderef.cab
   failed (error in CAB data format)
   failed (Success)
 E  failed (error in CAB data format)
Segmentation fault


Backtrace:
#0  0x00000000 in ?? ()
#1  0x0804e094 in cabd_extract (base=0x805b008, file=0x8063600, filename=0x8056643 "test") at mspack/cabd.c:1068
#2  0x080493b4 in process_cabinet (basename=0xffffd9b8 "nullderef.cab") at src/cabextract.c:467
#3  0x08048fc4 in main (argc=3, argv=0xffffd804) at src/cabextract.c:350

This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages cabextract depends on:
ii  libc6  2.19-13

-- 
Jakub Wilk
[nullderef.cab.asc (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#773659; Package cabextract. (Mon, 05 Jan 2015 21:00:05 GMT)


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>. (Mon, 05 Jan 2015 21:00:05 GMT)


Message #8 received at 773659@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Jakub Wilk <jwilk@debian.org>, 773659@bugs.debian.org
Cc: kyzer@4u.net, pkg-clamav-devel@lists.alioth.debian.org
Subject: Re: Bug#773659: cabextract: null pointer dereference on a crafted CAB
Date: Mon, 5 Jan 2015 21:50:57 +0100
* Jakub Wilk | 2014-12-21 18:35:36 [+0100]:

>Package: cabextract
>Version: 1.4-4+b1
>Usertags: afl
>
>cabextract crashes (trying to dereference a null pointer) on the attached
>crafted CAB file:
Jakub, please file future bugs against libmspack and CC the clamav team. I
am interested in getting those fixed before they spread since they can
affect clamav.
I'm going to clone this one against libmspack and mark it as fixed in
cabextract after the library switch.

>$ gpg -d nullderef.cab.asc > nullderef.cab
>$ cabextract -t nullderef.cab
>nullderef.cab: WARNING; possible 1626 extra bytes at end of file.
>Testing cabinet: nullderef.cab
>   failed (error in CAB data format)
>   failed (Success)
> E  failed (error in CAB data format)
>Segmentation fault
>
>
>Backtrace:
>#0  0x00000000 in ?? ()
>#1  0x0804e094 in cabd_extract (base=0x805b008, file=0x8063600, filename=0x8056643 "test") at mspack/cabd.c:1068
>#2  0x080493b4 in process_cabinet (basename=0xffffd9b8 "nullderef.cab") at src/cabextract.c:467
>#3  0x08048fc4 in main (argc=3, argv=0xffffd804) at src/cabextract.c:350

The ->search callback of the mspack library finds two cab files within
the one you attached. The internal structure gets real funny. afl
managed to create a .cab file which contains a valid file, followed by
one which contains an invalid compression which removes the
decompression callback. And then mspack thinks that the following file
belongs to the previous folder and therefore the decompression callback
is not updated but has none assigned and the NULL pointer is invoked. I
am not yet sure where this should be fixed but the easy fix is to check
the null pointer in cabd_extract() before the invocation.
I will try to check if it is possible to catch this earlier…

The good news is that clamav is not affected by this since it seems not
to trigger if the ->search callback is not invoked. Also we stop
scanning once an invalid file is found within the archive. Not sure if
this is good news…

Sebastian
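
The folder/callback interaction Sebastian describes above, as an added C illustration that is not libmspack's code: the structs, error codes and the file layout are constructed to mirror the report (a good file, a file in a folder with an unsupported compression type, then a file attributed to that same folder), and `extract()` shows the unchecked shape beside the one-line null check he proposes for cabd_extract().

```c
#include <stddef.h>

/* Added illustration, not libmspack's code: a minimal model of an extractor that
 * keeps one per-folder decompressor and only rebinds it when the folder changes. */
enum { ERR_OK = 0, ERR_DATAFORMAT = 1 };   /* constructed error codes */

struct folder { int comp_type; };          /* 0 = stored, anything else = unsupported here */
struct file   { const char *name; struct folder *folder; };
struct extractor {
    struct folder *cur;                    /* folder the decompressor was bound for */
    int (*decompress)(const char *name);   /* NULL when binding failed */
};

static int decompress_stored(const char *name) { (void)name; return ERR_OK; }

/* Bind the decompressor for a folder; an unknown method clears the callback. */
static int bind_decompressor(struct extractor *e, struct folder *f) {
    e->cur = f;
    if (f->comp_type == 0) { e->decompress = decompress_stored; return ERR_OK; }
    e->decompress = NULL;
    return ERR_DATAFORMAT;
}

/* Unhardened shape: rebinding is skipped when the folder "matches", so a NULL
 * left behind by a failed bind gets invoked. The hardened shape adds one check. */
static int extract(struct extractor *e, struct file *fi, int hardened) {
    if (e->cur != fi->folder) {
        int err = bind_decompressor(e, fi->folder);
        if (err != ERR_OK) return err;
    }
    if (hardened && e->decompress == NULL) return ERR_DATAFORMAT;
    return e->decompress(fi->name);
}

/* Replay of the crafted layout: a good file, a file in a folder with an invalid
 * compression type, then a file attributed to that same broken folder. Returns the
 * result of the third extraction (the one that segfaults when unhardened). */
int replay(int hardened) {
    struct folder good = { 0 }, bad = { 0x7f };
    struct file files[3] = { { "a", &good }, { "b", &bad }, { "test", &bad } };
    struct extractor e = { NULL, NULL };
    (void)extract(&e, &files[0], hardened);   /* ERR_OK */
    (void)extract(&e, &files[1], hardened);   /* ERR_DATAFORMAT, callback now NULL */
    return extract(&e, &files[2], hardened);  /* hardened: ERR_DATAFORMAT; else crash */
}
```

Calling `replay(0)` reproduces the null-function-pointer call, so only the hardened path is safe to exercise.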



Bug 773659 cloned as bug 774665 Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Mon, 05 Jan 2015 21:09:13 GMT)


Bug reassigned from package 'cabextract' to 'libmspack'. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Mon, 05 Jan 2015 21:09:14 GMT)


No longer marked as found in versions cabextract/1.4-4. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Mon, 05 Jan 2015 21:09:15 GMT)


Marked as found in versions 0.4-2. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Mon, 05 Jan 2015 21:09:17 GMT)


Reply sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>:
You have taken responsibility. (Mon, 02 Feb 2015 19:09:09 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 02 Feb 2015 19:09:09 GMT)


Message #21 received at 774665-close@bugs.debian.org:

From: Marc Dequènes (Duck) <Duck@DuckCorp.org>
To: 774665-close@bugs.debian.org
Subject: Bug#774665: fixed in libmspack 0.5-1
Date: Mon, 02 Feb 2015 19:04:56 +0000
Source: libmspack
Source-Version: 0.5-1

We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774665@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated libmspack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 02 Feb 2015 19:41:59 +0100
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source amd64 all
Version: 0.5-1
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
 libmspack-dbg - library for Microsoft compression formats (debugging symbols)
 libmspack-dev - library for Microsoft compression formats (development files)
 libmspack-doc - library for Microsoft compression formats (documentation)
 libmspack0 - library for Microsoft compression formats (shared library)
Closes: 774665 775498 775499 775687
Changes:
 libmspack (0.5-1) unstable; urgency=medium
 .
   * New upstream fix-only release:
     + Fix previously reported bugs with an upstream approved patch
       (#773041, #774725, #774726)
     + Fixes many security-sensitive bugs (Closes: #775687, #775498,
       #774665, #775499).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Mar 2015 07:30:22 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Jun 2015 15:21:04 GMT)


Changed Bug title to 'libmspack: CVE-2014-9732: null pointer dereference on a crafted CAB' from 'cabextract: null pointer dereference on a crafted CAB' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Jun 2015 15:21:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jul 2015 07:30:53 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:49:12 2019; Machine Name: beach
