libytnef: CVE-2017-9146: Heap-buffer overrun: write extra bytes in TNEFFillMapi

Related Vulnerabilities: CVE-2017-9146  

Debian Bug report logs - #862707

Package: libytnef; Maintainer for libytnef is Ricardo Mones <mones@debian.org>;

Reported by: "bingosxs" <bingosxs@qq.com>

Date: Tue, 16 May 2017 02:06:05 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version 1.9.2-1

Fixed in version 1.9.3-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Yeraze/ytnef/issues/47

Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#862707; Package libytnef. (Tue, 16 May 2017 02:06:08 GMT)

Acknowledgement sent to "bingosxs" <bingosxs@qq.com>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 16 May 2017 02:06:08 GMT)

Message #5 received at submit@bugs.debian.org:

From: "bingosxs" <bingosxs@qq.com>
To: "submit" <submit@bugs.debian.org>
Subject: Heap-buffer overrun: write extra bytes in TNEFFillMapi
Date: Tue, 16 May 2017 10:04:27 +0800
Package: libytnef
Version: 1.9.2-1
Severity: normal
Tags: security

Hi,

We discovered a buffer over-write problem in the TNEFFillMapi function.
The root cause of this problem is a zero-byte allocation problem.
In lib/ytnef.c:485
mp->data = calloc(mp->count, sizeof(variableLength));
the value of mp->count can be zero, and the write and read operations cause problems in
TNEFFillMapi (ytnef.c:508), TNEFFillMapi (ytnef.c:517), TNEFFillMapi (ytnef.c:526).
The following patch can solve this issue:
 --- ../ytnef/lib/ytnef.c	2017-05-14 19:44:47.417979746 +0800 +++ lib/ytnef.c	2017-05-16 08:59:28.088356920 +0800 @@ -479,7 +482,9 @@          d += 4;          count = 0;        } -      mp->data = calloc(mp->count, sizeof(variableLength)); +      if (mp->count>0){ +      mp->data = calloc(mp->count, sizeof(variableLength));  +      }else{ mp->data=NULL;      }        ALLOCCHECK(mp->data);        vl = mp->data;      } else { 
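Review bot: the new `}else{ mp->data=NULL; }` branch is immediately followed by the unchanged `ALLOCCHECK(mp->data);` and `vl = mp->data;`, so a property with mp->count == 0 now presumably takes the allocation-failure path in ALLOCCHECK, and if that macro does not abort, the later accesses the report lists at ytnef.c:508, 517 and 526 dereference a NULL vl, which turns the zero-size heap overrun into a NULL dereference rather than removing the out-of-bounds access. Suggest handling mp->count == 0 explicitly before the calloc (reject the property as corrupted, as the existing "Corrupted file detected" path does, or skip the fill loop entirely) so neither ALLOCCHECK nor the fill code ever sees a NULL buffer. Minor: the hunk header `@@ -479,7 +482,9 @@` implies an earlier change that is not included in this patch, and the `}else{` brace style differs from the surrounding code.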
To verify this, use the testcase from:
https://github.com/bingosxs/fuzzdata/raw/master/ytnef-1.9/TNEFFillMapi-over-write.tnef

Run the sample with the command:

ytnef/.libs/ytnef -v TNEFFillMapi-over-write.tnef

The tracelog is:
=================================================================

valgrind ./bin/ytnef -v ../../libytnef0/testenv/out/crashes/id\:000015\,sig\:06\,src\:000007\,op\:int16\,pos\:2540\,val\:+1
==12741== Memcheck, a memory error detector
==12741== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12741== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==12741== Command: ./bin/ytnef -v ../../libytnef0/testenv/out/crashes/id:000015,sig:06,src:000007,op:int16,pos:2540,val:+1
==12741==
Attempting to parse ../../libytnef0/testenv/out/crashes/id:000015,sig:06,src:000007,op:int16,pos:2540,val:+1...
==12741== Invalid write of size 4
==12741==    at 0x4E3F89A: TNEFFillMapi (ytnef.c:504)
==12741==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==12741==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==12741==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==12741==    by 0x4017F8: main (main.c:125)
==12741==  Address 0x542a488 is 8 bytes after a block of size 0 alloc'd
==12741==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12741==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==12741==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==12741==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==12741==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==12741==    by 0x4017F8: main (main.c:125)
==12741==
==12741== Invalid write of size 8
==12741==    at 0x4E3FA0A: TNEFFillMapi (ytnef.c:513)
==12741==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==12741==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==12741==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==12741==    by 0x4017F8: main (main.c:125)
==12741==  Address 0x542a480 is 0 bytes after a block of size 0 alloc'd
==12741==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12741==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==12741==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==12741==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==12741==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==12741==    by 0x4017F8: main (main.c:125)
==12741==
==12741== Invalid read of size 4
==12741==    at 0x4E3FA50: TNEFFillMapi (ytnef.c:515)
==12741==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==12741==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==12741==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==12741==    by 0x4017F8: main (main.c:125)
==12741==  Address 0x542a488 is 8 bytes after a block of size 0 alloc'd
==12741==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12741==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==12741==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==12741==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==12741==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==12741==    by 0x4017F8: main (main.c:125)
==12741==
==12741== Invalid read of size 4
==12741==    at 0x4E3FAA1: TNEFFillMapi (ytnef.c:522)
==12741==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==12741==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==12741==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==12741==    by 0x4017F8: main (main.c:125)
==12741==  Address 0x542a488 is 8 bytes after a block of size 0 alloc'd
==12741==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==12741==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==12741==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==12741==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==12741==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==12741==    by 0x4017F8: main (main.c:125)
==12741==
Corrupted file detected at ytnef.c : 509
ERROR Parsing MAPI block
==12741==
==12741== HEAP SUMMARY:
==12741==     in use at exit: 9 bytes in 1 blocks
==12741==   total heap usage: 167 allocs, 166 frees, 18,316 bytes allocated
==12741==
==12741== LEAK SUMMARY:
==12741==    definitely lost: 9 bytes in 1 blocks
==12741==    indirectly lost: 0 bytes in 0 blocks
==12741==      possibly lost: 0 bytes in 0 blocks
==12741==    still reachable: 0 bytes in 0 blocks
==12741==         suppressed: 0 bytes in 0 blocks
==12741== Rerun with --leak-check=full to see details of leaked memory
==12741==
==12741== For counts of detected and suppressed errors, rerun with: -v
==12741== ERROR SUMMARY: 5 errors from 4 contexts (suppressed: 0 from 0)
Credits: National Computer Network Emergency Response Technical Team/Coordination Center of China. Wang Bo, Fan Lejun, Wu Qian. TCA, ISCAS.
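The root cause described above is a count taken from the file and passed straight to calloc, after which the fill loop writes through the resulting zero-size block. As an added illustration, not ytnef's code, the routine below parses a constructed count-prefixed property list the defensive way: a zero count and an impossibly large count are rejected before allocation, and each value length is bounded by the bytes that remain. The record layout, type and function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a parsed property value (not ytnef's variableLength). */
typedef struct {
    uint32_t size;
    uint8_t *data;
} prop_value;
void free_props(prop_value *vl, uint32_t count)
{
    if (!vl) return;
    for (uint32_t i = 0; i < count; i++) free(vl[i].data); /* free(NULL) is a no-op */
    free(vl);
}
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Constructed layout: u32 count, then count x (u32 size, size bytes), little-endian.
 * Returns the number of values parsed and sets *out, or -1 on corrupt input.
 * The untrusted count is never handed to calloc when it is 0, and it and every
 * value size are bounded by the input that is actually present. */
int fill_props(const uint8_t *buf, size_t len, prop_value **out)
{
    *out = NULL;
    if (len < 4) return -1;
    uint32_t count = rd32(buf);
    size_t off = 4;
    if (count == 0) return -1;               /* the CVE-2017-9146 case: treat as corrupt */
    if (count > (len - off) / 4) return -1;  /* each entry needs at least its 4-byte size */
    prop_value *vl = calloc(count, sizeof *vl);
    if (!vl) return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < 4) goto corrupt;
        vl[i].size = rd32(buf + off);
        off += 4;
        if (vl[i].size > len - off) goto corrupt;          /* value must fit in remaining input */
        vl[i].data = malloc(vl[i].size ? vl[i].size : 1);   /* never request a zero-size block */
        if (!vl[i].data) goto corrupt;
        memcpy(vl[i].data, buf + off, vl[i].size);
        off += vl[i].size;
    }
    *out = vl;
    return (int)count;
corrupt:
    free_props(vl, count);  /* unfilled entries still hold NULL from calloc */
    return -1;
}
```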

Severity set to 'important' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 May 2017 04:21:02 GMT)

Set Bug forwarded-to-address to 'https://github.com/Yeraze/ytnef/issues/47'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 May 2017 04:21:03 GMT)

Added tag(s) upstream and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 May 2017 04:21:03 GMT)

Marked as found in versions 1.9.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 May 2017 04:21:05 GMT)

Changed Bug title to 'libytnef: CVE-2017-9146: Heap-buffer overrun: write extra bytes in TNEFFillMapi' from 'Heap-buffer overrun: write extra bytes in TNEFFillMapi'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 May 2017 04:30:03 GMT)

Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 31 May 2018 17:48:40 GMT)

Marked as fixed in versions 1.9.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 06 Jan 2019 12:51:02 GMT)

Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 06 Jan 2019 12:51:03 GMT)

Notification sent to "bingosxs" <bingosxs@qq.com>:
Bug acknowledged by developer. (Sun, 06 Jan 2019 12:51:04 GMT)

Message sent on to "bingosxs" <bingosxs@qq.com>:
Bug#862707. (Sun, 06 Jan 2019 12:51:10 GMT)

Message #26 received at 862707-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 862707-submitter@bugs.debian.org
Subject: closing 862707
Date: Sun, 06 Jan 2019 13:44:56 +0100
close 862707 1.9.3-1
thanks




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Feb 2019 07:36:02 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:25:27 2019; Machine Name: buxtehude