
Debian Bug report logs - #896523
nasm: CVE-2018-10254


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 22 Apr 2018 06:21:02 UTC

Severity: important

Tags: security, upstream

Found in version nasm/2.11.05-1

Fixed in version nasm/2.14-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/nasm/bugs/561/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#896523; Package src:nasm. (Sun, 22 Apr 2018 06:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Anibal Monsalve Salazar <anibal@debian.org>. (Sun, 22 Apr 2018 06:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nasm: CVE-2018-10254
Date: Sun, 22 Apr 2018 08:18:39 +0200
Source: nasm
Version: 2.11.05-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/nasm/bugs/561/

Hi,

The following vulnerability was published for nasm.

CVE-2018-10254[0]:
| Netwide Assembler (NASM) 2.13 has a stack-based buffer over-read in the
| disasm function of the disasm/disasm.c file. Remote attackers could
| leverage this vulnerability to cause a denial of service or possibly
| have unspecified other impact via a crafted ELF file.

./ndisasm -b 32 ~/nasm_2-14-rc0_ndisasm_stack-buffer-overflow_disasm
00000000  7F45              jg 0x47
00000002  5C                pop esp
00000003  7E01              jng 0x6
00000005  00DB              add bl,bl
00000007  0000              add [eax],al
00000009  80042440          add byte [esp],0x40
0000000D  F2                repne
0000000E  F2                repne
0000000F  F2                repne
00000010  F2                repne
00000011  D0                db 0xd0
00000012  F2                repne
00000013  F2                repne
00000014  F2                repne
00000015  F2                repne
00000016  FE                db 0xfe
00000017  FF00              inc dword [eax]
00000019  E3FE              jecxz 0x19
0000001B  085A00            or [edx+0x0],bl
=================================================================
==23001==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe10361c60 at pc 0x558500ab159f bp 0x7ffe10361350 sp 0x7ffe10361348
READ of size 1 at 0x7ffe10361c60 thread T0
    #0 0x558500ab159e in disasm disasm/disasm.c:1144
    #1 0x558500aa0b09 in main disasm/ndisasm.c:319
    #2 0x7f48a17a5a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #3 0x558500aa1f89 in _start (/home/dummy/nasm-2.13.02/ndisasm+0xc8f89)

Address 0x7ffe10361c60 is located in stack of thread T0 at offset 352 in frame
    #0 0x558500a9fccf in main disasm/ndisasm.c:81

  This frame has 6 object(s):
    [32, 33) 'rn_error'
    [96, 100) 'synclen'
    [160, 168) 'ep'
    [224, 240) 'prefer'
    [288, 352) 'buffer' <== Memory access at offset 352 overflows this variable
    [384, 640) 'outbuf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow disasm/disasm.c:1144 in disasm
Shadow bytes around the buggy address:
  0x100042064330: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 00 00
  0x100042064340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100042064350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100042064360: f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2
  0x100042064370: f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2
=>0x100042064380: f2 f2 f2 f2 00 00 00 00 00 00 00 00[f2]f2 f2 f2
  0x100042064390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000420643a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000420643b0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000420643c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000420643d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23001==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10254
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10254
[1] https://sourceforge.net/p/nasm/bugs/561/

Regards,
Salvatore
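The AddressSanitizer report in the message above carries everything a triager needs to confirm the bug class before reading the source: the error kind, the faulting read, the top frame, and the frame's object layout with the overrun variable marked. As an added example (not part of the bug report and not nasm's own code), the Python helper below parses a report of that shape and turns the object table into a verdict: which stack object the access falls past, by how many bytes, and whether that agrees with the marker ASan printed. The sample input is a constructed, trimmed copy of the report's own output; the regexes assume the standard ASan text format.

```python
"""Triage helper for AddressSanitizer stack-buffer-overflow reports.
Added example, not part of the Debian report or of nasm."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: trimmed from the ASan output quoted in the bug report
# (shadow-byte dump and legend omitted; they carry no triage information).
SAMPLE_REPORT = """\
==23001==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe10361c60 at pc 0x558500ab159f bp 0x7ffe10361350 sp 0x7ffe10361348
READ of size 1 at 0x7ffe10361c60 thread T0
    #0 0x558500ab159e in disasm disasm/disasm.c:1144
    #1 0x558500aa0b09 in main disasm/ndisasm.c:319
    #2 0x7f48a17a5a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)

Address 0x7ffe10361c60 is located in stack of thread T0 at offset 352 in frame
    #0 0x558500a9fccf in main disasm/ndisasm.c:81

  This frame has 6 object(s):
    [32, 33) 'rn_error'
    [96, 100) 'synclen'
    [160, 168) 'ep'
    [224, 240) 'prefer'
    [288, 352) 'buffer' <== Memory access at offset 352 overflows this variable
    [384, 640) 'outbuf'
SUMMARY: AddressSanitizer: stack-buffer-overflow disasm/disasm.c:1144 in disasm
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)", re.M)
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+)")
OFFSET_RE = re.compile(r"is located in stack of thread T\d+ at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'(.*)$")


@dataclass
class StackObject:
    start: int     # byte offset of the object within the frame
    end: int       # one past its last byte
    name: str
    flagged: bool  # ASan marked it with '<== Memory access ... overflows this variable'


@dataclass
class AsanReport:
    pid: int
    kind: str                      # e.g. 'stack-buffer-overflow'
    address: int                   # faulting address
    access: str                    # 'READ' or 'WRITE'
    size: int                      # bytes accessed
    frames: List[Tuple[str, str]]  # (function, location) of the access stack
    frame_offset: int              # offset of the address inside the owning frame
    objects: List[StackObject]

    def flagged_object(self) -> Optional[StackObject]:
        return next((o for o in self.objects if o.flagged), None)

    def locate(self) -> dict:
        """Place the faulting offset relative to the frame's objects.
        'past-end' with distance 0 is the first byte after the object: the
        classic missing-bounds-check / off-by-one read."""
        off = self.frame_offset
        inside = [o for o in self.objects if o.start <= off < o.end]
        if inside:
            return {"verdict": "inside", "object": inside[0].name, "distance": 0, "next_object": None}
        below = [o for o in self.objects if o.end <= off]
        above = [o for o in self.objects if o.start > off]
        nxt = min(above, key=lambda o: o.start) if above else None
        if below:
            o = max(below, key=lambda o: o.end)
            return {"verdict": "past-end", "object": o.name, "distance": off - o.end,
                    "next_object": nxt.name if nxt else None}
        return {"verdict": "before-start", "object": nxt.name, "distance": nxt.start - off, "next_object": None}

    def consistent(self) -> bool:
        """True when our geometry agrees with the object ASan itself flagged."""
        flagged = self.flagged_object()
        return flagged is not None and self.locate()["object"] == flagged.name

    def summary(self) -> str:
        func, loc = self.frames[0] if self.frames else ("?", "?")
        where = self.locate()
        return (f"{self.kind}: {self.access} of {self.size} byte(s) in {func} ({loc}), "
                f"{where['distance']} byte(s) {where['verdict']} '{where['object']}'")


def parse_asan_report(text: str) -> AsanReport:
    err, acc, off = ERROR_RE.search(text), ACCESS_RE.search(text), OFFSET_RE.search(text)
    if not (err and acc and off):
        raise ValueError("not a complete ASan stack report")
    frames, objects, in_stack = [], [], False
    for line in text.splitlines():
        if ACCESS_RE.match(line):
            in_stack = True  # frames directly under READ/WRITE form the access stack
            continue
        if in_stack:
            fm = FRAME_RE.match(line)
            if fm:
                frames.append((fm.group(2), fm.group(3)))
                continue
            in_stack = False  # the stack ends at the first non-frame line
        om = OBJECT_RE.match(line)
        if om:
            objects.append(StackObject(int(om.group(1)), int(om.group(2)), om.group(3), "<==" in om.group(4)))
    return AsanReport(pid=int(err.group(1)), kind=err.group(2), address=int(err.group(3), 16),
                      access=acc.group(1), size=int(acc.group(2)), frames=frames,
                      frame_offset=int(off.group(1)), objects=objects)


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(report.summary())
    print("agrees with ASan marker:", report.consistent())
```

On the report above this yields a one-byte read exactly at offset 352, i.e. zero bytes past the end of the 64-byte `buffer` object and 32 bytes short of `outbuf`; the read lands in the stack mid redzone ASan placed between them, which is why it is caught at all. The same geometry check is what you would run when deciding whether a crash from a fuzzer is a bounded over-read (denial of service) or reaches into a neighbouring object.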



Marked as fixed in versions nasm/2.14-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 Nov 2018 08:36:03 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 Nov 2018 08:36:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 18 Nov 2018 08:36:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Dec 2018 07:27:48 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:14:52 2019; Machine Name: buxtehude
