unrar-free: CVE-2017-14122: stack overread vulnerability

Related Vulnerabilities: CVE-2017-14122, CVE-2017-14121

Debian Bug report logs - #874060

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 2 Sep 2017 15:21:04 UTC

Severity: grave

Tags: security, upstream

Found in version unrar-free/1:0.0.1+cvs20140707-1

Fixed in version unrar-free/1:0.0.1+cvs20140707-4

Done: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ying-Chun Liu (PaulLiu) <paulliu@debian.org>:
Bug#874060; Package src:unrar-free. (Sat, 02 Sep 2017 15:21:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ying-Chun Liu (PaulLiu) <paulliu@debian.org>. (Sat, 02 Sep 2017 15:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unrar-free: stack overread vulnerability
Date: Sat, 02 Sep 2017 17:20:04 +0200
Source: unrar-free
Version: 1:0.0.1+cvs20140707-1
Severity: grave
Tags: security upstream

Hi

From http://www.openwall.com/lists/oss-security/2017/08/20/1 

Issue 2: Stack overread

A malformed archive can cause a stack overread, detectable with asan.
This issue doesn't happen reliably, I haven't investigated further.

==2585==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff76184120 at pc 0x000000445d25 bp 0x7fff76183ef0 sp 0x7fff761836a0
READ of size 519 at 0x7fff76184120 thread T0
    #0 0x445d24 in __interceptor_strchr.part.33 (/r/unrar-gpl/unrar+0x445d24)
    #1 0x516d0d in stricomp /f/unrar-gpl/unrar/src/unrarlib.c:851:19
    #2 0x511613 in ExtrFile /f/unrar-gpl/unrar/src/unrarlib.c:745:20
    #3 0x510b02 in urarlib_get /f/unrar-gpl/unrar/src/unrarlib.c:303:13
    #4 0x50b249 in unrar_extract_file /f/unrar-gpl/unrar/src/unrar.c:343:8
    #5 0x50be32 in unrar_extract /f/unrar-gpl/unrar/src/unrar.c:483:9
    #6 0x50c69c in main /f/unrar-gpl/unrar/src/unrar.c:556:14
    #7 0x7f632d3834f0 in __libc_start_main (/lib64/libc.so.6+0x204f0)
    #8 0x419e19 in _start (/r/unrar-gpl/unrar+0x419e19)

Address 0x7fff76184120 is located in stack of thread T0 at offset 544 in frame
    #0 0x516c1f in stricomp /f/unrar-gpl/unrar/src/unrarlib.c:844

  This frame has 2 object(s):
    [32, 544) 'S1'
    [608, 1120) 'S2' <== Memory access at offset 544 partially
    underflows this variable

Regards,
Salvatore
[unrar-gpl-stack-overread.rar (application/x-rar, attachment)]
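Added here as an illustration, not code from unrar-free or from either poster: a constructed model of the shape the ASan frame above describes (a 512-byte stack buffer filled from a caller-supplied name with strncpy(buf, src, sizeof buf) and then scanned with strchr()), the check that shape is missing, and a bounded rewrite. NAME_BUF, the function names and the constructed names are assumptions for this example; nothing below is unrar-free's stricomp().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the bug class in this report (not unrar-free's code).
 * strncpy(dst, src, n) writes no NUL at all when strlen(src) >= n, so a
 * fixed-size stack buffer filled that way is unterminated for a long name,
 * and a later strchr() walks off the end of the buffer into whatever follows
 * it on the stack (the redzone / next local, as in the frame shown above).
 */
#define NAME_BUF 512   /* assumption: same size as S1/S2 in the ASan frame */

/* The check the pattern needs: did strncpy() leave a terminator in dst? */
int copy_is_terminated(const char *dst, size_t n)
{
    return memchr(dst, '\0', n) != NULL;
}

/* Vulnerable shape: strncpy with n == sizeof, then an unbounded strchr() loop.
 * For a name of 512 bytes or more, S1 has no NUL and strchr() reads past it
 * (ASan: stack-buffer-overflow on the byte just past S1). Safe to call only
 * with a name shorter than NAME_BUF, or under a sanitizer. */
int count_backslashes_unsafe(const char *src)
{
    char S1[NAME_BUF];
    char *p;
    int n = 0;

    strncpy(S1, src, sizeof S1);             /* no NUL when strlen(src) >= 512 */
    while ((p = strchr(S1, '\\')) != NULL) {  /* scan is bounded only by a NUL */
        *p = '_';
        n++;
    }
    return n;
}

/* Hardened shape: refuse names that cannot fit with their NUL, copy by
 * explicit length, force the terminator, and bound the scan by the copied
 * length rather than by a NUL that might not be there. Returns -1 on an
 * over-long name instead of silently truncating it. */
int count_backslashes_safe(const char *src, size_t srclen)
{
    char S1[NAME_BUF];
    size_t i;
    int n = 0;

    if (srclen >= sizeof S1)
        return -1;
    memcpy(S1, src, srclen);
    S1[srclen] = '\0';
    for (i = 0; i < srclen; i++) {
        if (S1[i] == '\\') {
            S1[i] = '_';
            n++;
        }
    }
    return n;
}

/* Constructed archive-entry name of the given length: one backslash at
 * position 0 followed by 'A's, NUL-terminated in the caller's buffer. */
void make_name(char *out, size_t len)
{
    memset(out, 'A', len);
    out[0] = '\\';
    out[len] = '\0';
}

/* Does strncpy(probe, name, sizeof probe) leave a NUL in a NAME_BUF-byte
 * probe for a name of namelen bytes? 1 = yes, 0 = no, -1 = bad namelen. */
int strncpy_leaves_terminator(size_t namelen)
{
    char name[NAME_BUF + 16];
    char probe[NAME_BUF];

    if (namelen == 0 || namelen >= sizeof name)
        return -1;
    make_name(name, namelen);
    strncpy(probe, name, sizeof probe);
    return copy_is_terminated(probe, sizeof probe);
}

/* Result of the hardened routine for a constructed name of namelen bytes. */
int safe_count_for_name_len(size_t namelen)
{
    char name[NAME_BUF + 16];

    if (namelen == 0 || namelen >= sizeof name)
        return -2;
    make_name(name, namelen);
    return count_backslashes_safe(name, namelen);
}

int main(void)
{
    printf("511-byte name, strncpy terminated: %d\n", strncpy_leaves_terminator(511));
    printf("512-byte name, strncpy terminated: %d\n", strncpy_leaves_terminator(512));
    printf("safe count, 511-byte name: %d\n", safe_count_for_name_len(511));
    printf("safe count, 512-byte name: %d (rejected)\n", safe_count_for_name_len(512));
    printf("unsafe count, short name: %d\n", count_backslashes_unsafe("a\\b\\c"));
    return 0;
}
```

Build it with `-fsanitize=address -g` and call count_backslashes_unsafe() with a 512-byte name to get a stack-buffer-overflow report of the same shape as the one in this message: the reported address is the first byte past S1, and the READ size is the whole span strchr() scanned. Without a sanitizer the same call reads silently into the neighbouring locals, which is why the reporter describes the failure as not happening reliably.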

Changed Bug title to 'unrar-free: CVE-2017-14122: stack overread vulnerability' from 'unrar-free: stack overread vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 04 Sep 2017 04:18:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Ying-Chun Liu (PaulLiu) <paulliu@debian.org>:
Bug#874060; Package src:unrar-free. (Sat, 14 Oct 2017 13:45:03 GMT)


Acknowledgement sent to "Ying-Chun Liu (PaulLiu)" <paulliu@debian.org>:
Extra info received and forwarded to list. Copy sent to Ying-Chun Liu (PaulLiu) <paulliu@debian.org>. (Sat, 14 Oct 2017 13:45:03 GMT)


Message #12 received at 874060@bugs.debian.org:

From: "Ying-Chun Liu (PaulLiu)" <paulliu@debian.org>
To: 874060@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: unrar-free: CVE-2017-14122: stack overread vulnerability
Date: Sat, 14 Oct 2017 21:43:45 +0800
Hi Salvatore,

How to reproduce your bug?

I'm currently using valgrind with the rar file you provided, and found
that there are some unconditional jumps based on some uninit values. Please
see the attachment [1].

After fixing that [2], valgrind is happy now without any errors.
Not sure if this is related to this bug.

Attaching the autopkgtest scripts [3] for testing the package.

If this looks good for you I'll upload this soon.

[1] val_log1.txt
[2] 0002-CVE-2017-14122.patch
[3] 0003-CVE-2017-14122

Yours Sincerely,
Paul

-- 
                                PaulLiu (劉穎駿)
E-mail: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
[val_log1.txt (text/plain, attachment)]
[0002-CVE-2017-14122.patch (text/x-patch, attachment)]
[0003-CVE-2017-14122 (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ying-Chun Liu (PaulLiu) <paulliu@debian.org>:
Bug#874060; Package src:unrar-free. (Sat, 14 Oct 2017 14:09:06 GMT)


Acknowledgement sent to "Ying-Chun Liu (PaulLiu)" <paulliu@debian.org>:
Extra info received and forwarded to list. Copy sent to Ying-Chun Liu (PaulLiu) <paulliu@debian.org>. (Sat, 14 Oct 2017 14:09:06 GMT)


Message #17 received at 874060@bugs.debian.org:

From: "Ying-Chun Liu (PaulLiu)" <paulliu@debian.org>
To: 874060@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#874060: unrar-free: CVE-2017-14122: stack overread vulnerability
Date: Sat, 14 Oct 2017 22:06:49 +0800
On 14 Oct 2017 21:43, Ying-Chun Liu (PaulLiu) wrote:
> Hi Salvatore,
> 
> How to reproduce your bug?
> 
> I'm currently using valgrind with the rar file you provided, and found
> that there are some unconditional jumps based on some uninit values. Please
> see the attachment [1].
> 
> After fixing that [2], valgrind is happy now without any errors.
> Not sure if this is related to this bug.
> 
> Attaching the autopkgtest scripts [3] for testing the package.
> 
> If this looks good for you I'll upload this soon.
> 
> [1] val_log1.txt
> [2] 0002-CVE-2017-14122.patch
> [3] 0003-CVE-2017-14122
> 
> Yours Sincerely,
> Paul
> 

I'm not quite familiar with how to use asan. I need some instructions.

But here are some relations:

In the bug report:
==2585==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff76184120 at pc 0x000000445d25 bp 0x7fff76183ef0 sp 0x7fff761836a0
READ of size 519 at 0x7fff76184120 thread T0
    #0 0x445d24 in __interceptor_strchr.part.33
(/r/unrar-gpl/unrar+0x445d24)
    #1 0x516d0d in stricomp /f/unrar-gpl/unrar/src/unrarlib.c:851:19
    #2 0x511613 in ExtrFile /f/unrar-gpl/unrar/src/unrarlib.c:745:20
    #3 0x510b02 in urarlib_get /f/unrar-gpl/unrar/src/unrarlib.c:303:13
    #4 0x50b249 in unrar_extract_file /f/unrar-gpl/unrar/src/unrar.c:343:8
    #5 0x50be32 in unrar_extract /f/unrar-gpl/unrar/src/unrar.c:483:9
    #6 0x50c69c in main /f/unrar-gpl/unrar/src/unrar.c:556:14
    #7 0x7f632d3834f0 in __libc_start_main (/lib64/libc.so.6+0x204f0)
    #8 0x419e19 in _start (/r/unrar-gpl/unrar+0x419e19)

And in the valgrind output there is:
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x4C2F405: __strncpy_sse2_unaligned (vg_replace_strmem.c:552)
==4627==    by 0x10C7DB: strncpy (string3.h:126)
==4627==    by 0x10C7DB: stricomp (unrarlib.c:852)
==4627==    by 0x10E6D9: ExtrFile (unrarlib.c:745)
==4627==    by 0x10EA7B: urarlib_get (unrarlib.c:303)
==4627==    by 0x10A70F: unrar_extract_file (unrar.c:343)
==4627==    by 0x10AA03: unrar_extract (unrar.c:487)
==4627==    by 0x109CB4: main (unrar.c:561)

It seems to be just the same place.

Yours Sincerely,
Paul

-- 
                                PaulLiu (劉穎駿)
E-mail: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>

[signature.asc (application/pgp-signature, attachment)]

Reply sent to Ying-Chun Liu (PaulLiu) <paulliu@debian.org>:
You have taken responsibility. (Sun, 15 Oct 2017 17:21:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 15 Oct 2017 17:21:14 GMT)


Message #22 received at 874060-close@bugs.debian.org:

From: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
To: 874060-close@bugs.debian.org
Subject: Bug#874060: fixed in unrar-free 1:0.0.1+cvs20140707-4
Date: Sun, 15 Oct 2017 17:20:19 +0000
Source: unrar-free
Source-Version: 1:0.0.1+cvs20140707-4

We believe that the bug you reported is fixed in the latest version of
unrar-free, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ying-Chun Liu (PaulLiu) <paulliu@debian.org> (supplier of updated unrar-free package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 16 Oct 2017 00:46:04 +0800
Source: unrar-free
Binary: unrar-free
Architecture: source amd64
Version: 1:0.0.1+cvs20140707-4
Distribution: unstable
Urgency: low
Maintainer: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Changed-By: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Description:
 unrar-free - Unarchiver for .rar files
Closes: 724295 874060 874061
Changes:
 unrar-free (1:0.0.1+cvs20140707-4) unstable; urgency=low
 .
   * Fix CVE-2017-14122 (Closes: #874060)
     - debian/patches/0002-CVE-2017-14122.patch
   * Add autopkgtest for testing CVE-2017-14122
   * Fix CVE-2017-14121 (Closes: #874061)
     - debian/patches/0003-CVE-2017-14121.patch
   * Add autopkgtest for testing CVE-2017-14121
   * Fix compatibility for -y option (Closes: #724295)
     - debian/patches/0004-unrar-nonfree-compat-ignored-options.patch
     - Thanks to Dominik George <nik@naturalnet.de>
   * Bump Standards-Version to 4.1.1: Nothing needs to be changed
Checksums-Sha1:
 ee918fcd8e93bbd251b9ff3a58ec555c3c4840f4 1994 unrar-free_0.0.1+cvs20140707-4.dsc
 b20bba1496e45edbd5668b4c30916e61c91bffe8 8016 unrar-free_0.0.1+cvs20140707-4.debian.tar.xz
 0e31a6b1a90aa3723e7d8474e05e56f416299be6 38966 unrar-free-dbgsym_0.0.1+cvs20140707-4_amd64.deb
 94ded45816828c4c96cab5c51a1b751278d5ed7b 6264 unrar-free_0.0.1+cvs20140707-4_amd64.buildinfo
 ce388783311931beae64536f193b4c1674939454 25132 unrar-free_0.0.1+cvs20140707-4_amd64.deb
Checksums-Sha256:
 6424e3673e8306e623da65b7562c4fbb5cb4ab45756d4a1b690ded3b955813d4 1994 unrar-free_0.0.1+cvs20140707-4.dsc
 4727e63baed3d254d80be9fe6dc77791d1d16dadc31110004d0ee9b74fda097e 8016 unrar-free_0.0.1+cvs20140707-4.debian.tar.xz
 a5a0ac29d95c28fb035bde6bc675727290d2afca01aeb95372b5cdecb0f0a937 38966 unrar-free-dbgsym_0.0.1+cvs20140707-4_amd64.deb
 ea5b558efd8f8f53abf4938634404d89b315474eca582fcd049e42ecec74e11b 6264 unrar-free_0.0.1+cvs20140707-4_amd64.buildinfo
 8b2113d348e065ce71cffab1e15d86102d242efd082d692a9818914d9f8ca36b 25132 unrar-free_0.0.1+cvs20140707-4_amd64.deb
Files:
 4523caa1dc452616bcd4a74e5ec7475c 1994 utils optional unrar-free_0.0.1+cvs20140707-4.dsc
 52ca7a540d24eb54b6468c5bf56c475e 8016 utils optional unrar-free_0.0.1+cvs20140707-4.debian.tar.xz
 62e251264613e0feaed10e328f606d63 38966 debug optional unrar-free-dbgsym_0.0.1+cvs20140707-4_amd64.deb
 4f40fd721844bb0431980599af9182ca 6264 utils optional unrar-free_0.0.1+cvs20140707-4_amd64.buildinfo
 9d31bb0d4d714a8e2fb25bc01fd25f6f 25132 utils optional unrar-free_0.0.1+cvs20140707-4_amd64.deb




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:26:49 2019; Machine Name: buxtehude
