Debian Bug report logs - #775687
libmspack: CVE-2015-4472: CHM decompression: another pointer arithmetic overflow
Reported by: Jakub Wilk <jwilk@debian.org>
Date: Sun, 18 Jan 2015 18:00:11 UTC
Severity: grave
Tags: security
Found in version libmspack/0.4-3
Fixed in version libmspack/0.5-1
Done: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, pkg-clamav-devel@lists.alioth.debian.org, team@security.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#775687; Package libmspack0. (Sun, 18 Jan 2015 18:00:15 GMT)
Message #3 received at submit@bugs.debian.org:
Package: libmspack0
Version: 0.4-3
Severity: grave
Tags: security
Usertags: afl
Sorry, it's me again! libmspack crashes on the attached file:
$ gpg -d < crash.chm.asc > crash.chm
$ test/chmd_md5 crash.chm
*** crash.chm
WARNING; contents are corrupt
d41d8cd98f00b204e9800998ecf8427e /#ITBITS
5c9d7ff7a1fdaf9bcb9b3fc78b677972 /#SYSTEM
Segmentation fault
Backtrace:
#0 0x56559ca6 in search_chunk (chm=0x565641a8, chunk=0x565652e8 "PMGL\323\r", filename=0x5656098c "::DataSpace/Storage/MSCompressed/ControlData", result=0xffffd3a4, result_end=0xffffd3a8) at mspack/chmd.c:805
#1 0x5655943b in chmd_fast_find (base=0x56564008, chm=0x565641a8, filename=0x5656098c "::DataSpace/Storage/MSCompressed/ControlData", f_ptr=0xffffd430, f_size=28) at mspack/chmd.c:581
#2 0x5655b3c7 in find_sys_file (self=0x56564008, sec=0x565641d8, f_ptr=0x565641e4, name=0x5656098c "::DataSpace/Storage/MSCompressed/ControlData") at mspack/chmd.c:1304
#3 0x5655aa4a in chmd_init_decomp (self=0x56564008, file=0x56565228) at mspack/chmd.c:1075
#4 0x5655a787 in chmd_extract (base=0x56564008, file=0x56565228, filename=0x0) at mspack/chmd.c:998
#5 0x56556304 in main (argc=2, argv=0xffffd848) at test/chmd_md5.c:44
The problem is that the bounds check in mspack/chmd.c:788:
if (name_len > end - p) goto chunk_end;
doesn't work on 32-bit systems if "p" is already bigger than "end" (as
is the case for crash.chm), because negative "end - p" gets
automatically converted to unsigned int.
A quick and dirty fix would be to rewrite the bounds checks as
if (p > end || name_len > end - p) goto chunk_end;
but it'd be better to fix the thing that sets "p" to a value past the
"end".
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libmspack0 depends on:
ii libc6 2.19-13
ii multiarch-support 2.19-13
--
Jakub Wilk
[crash.chm.asc (text/plain, attachment)]
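The two checks discussed in the report, worked through as an added example (this is not libmspack code, and the sample bytes are constructed rather than taken from crash.chm). Offsets stand in for the pointers `p` and `end` so the "p already past end" case can be exercised without forming an out-of-range pointer, and the pointer difference is forced to `int32_t` so the 32-bit behaviour Jakub describes reproduces on a 64-bit host as well. The `read_encint` function is a stand-alone model of a 7-bits-per-byte variable-length integer reader with a `p >= end` guard; its name and the wrapper functions are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libmspack code. The bounds checks from the report are
 * modelled on buffer offsets (pos/end) rather than raw pointers so the
 * "p past end" case can be exercised without forming an out-of-range
 * pointer, and the difference is forced to int32_t so the 32-bit
 * ptrdiff_t behaviour described in the report reproduces on any host. */

/* The check as it stood at chmd.c:788, with a 32-bit pointer difference.
 * Returns 1 if the name is accepted as fitting in [pos, end), 0 if rejected. */
static int name_fits_naive(uint32_t pos, uint32_t end, uint32_t name_len)
{
    int32_t remaining = (int32_t)(end - pos);   /* negative once pos > end */
    /* In `name_len > end - p` a 32-bit ptrdiff_t meets an unsigned int, so
     * the usual arithmetic conversions turn the negative difference into a
     * huge unsigned value; the explicit cast below spells that out. */
    return !(name_len > (uint32_t)remaining);
}

/* The suggested rewrite: reject outright when pos is already past end,
 * so the subtraction is only evaluated when it cannot be negative. */
static int name_fits_hardened(uint32_t pos, uint32_t end, uint32_t name_len)
{
    if (pos > end)
        return 0;
    return !(name_len > end - pos);
}

/* A READ_ENCINT-style decoder (7 data bits per byte, high bit = continue).
 * Returns the number of bytes consumed, or 0 when the value would run past
 * `end`. Checking `p >= end` before every read means *end is never touched
 * and p never advances beyond end, which is the property the later
 * `end - p` check relies on. */
static size_t read_encint(const unsigned char *p, const unsigned char *end,
                          uint32_t *var)
{
    const unsigned char *start = p;
    *var = 0;
    do {
        if (p >= end)
            return 0;                           /* truncated: refuse to read */
        *var = (*var << 7) | (*p & 0x7F);
    } while (*p++ & 0x80);                      /* same byte as above, then advance */
    return (size_t)(p - start);
}

/* Constructed sample chunks (not from crash.chm). */
static const unsigned char sample_complete[]  = { 0x81, 0x02 }; /* (1<<7)|2 = 130 */
static const unsigned char sample_truncated[] = { 0x81 };       /* continue bit, no next byte */

/* Wrappers returning plain values so the outcomes can be checked directly. */
static uint32_t decoded_value(const unsigned char *buf, size_t len)
{
    uint32_t v;
    return read_encint(buf, buf + len, &v) ? v : UINT32_MAX; /* UINT32_MAX: truncated */
}

static size_t decoded_length(const unsigned char *buf, size_t len)
{
    uint32_t v;
    return read_encint(buf, buf + len, &v);
}

int main(void)
{
    /* pos already two bytes past end, as in the crash: the naive check lets
     * a 5-byte name through, the hardened one rejects it. */
    printf("naive    pos=10 end=8 len=5 -> %d\n", name_fits_naive(10, 8, 5));
    printf("hardened pos=10 end=8 len=5 -> %d\n", name_fits_hardened(10, 8, 5));
    printf("complete encint  -> value %u, %zu bytes\n",
           decoded_value(sample_complete, sizeof sample_complete),
           decoded_length(sample_complete, sizeof sample_complete));
    printf("truncated encint -> %zu bytes consumed (0 = rejected)\n",
           decoded_length(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The naive check accepts the impossible case (`pos` past `end`) precisely because the comparison is done in unsigned arithmetic; the hardened check is safe regardless of how `pos` got there, while the `p >= end` guard in the decoder is the fix at the source, since it is the loop that advances `p` one byte at a time.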
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#775687; Package libmspack0. (Sun, 18 Jan 2015 22:03:05 GMT)
Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sun, 18 Jan 2015 22:03:05 GMT)
Message #8 received at 775687@bugs.debian.org:
On 2015-01-18 18:59:33 [+0100], Jakub Wilk wrote:
> Sorry, it's me again! libmspack crashes on the attached file:
As I've seen your ubsan reports, I assumed you were done. Wrong this
was.
> $ gpg -d < crash.chm.asc > crash.chm
> $ test/chmd_md5 crash.chm
> *** crash.chm
>
> but it'd be better to fix the thing that sets "p" to a value past the "end".
So something like the patch attached then? But this should be
double-checked in case we properly come to end and don't continue
using p anymore. But not today…
Sebastian
[0001-mspack-chmd-check-p-end-also-after-we-left.patch (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#775687; Package libmspack0. (Mon, 19 Jan 2015 00:30:08 GMT)
Acknowledgement sent to Stuart Caie <kyzer@cabextract.org.uk>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Mon, 19 Jan 2015 00:30:08 GMT)
Message #13 received at 775687@bugs.debian.org:
On 18/01/2015 22:00, Sebastian Andrzej Siewior wrote:
> On 2015-01-18 18:59:33 [+0100], Jakub Wilk wrote:
>> Sorry, it's me again! libmspack crashes on the attached file:
> As I've seen your ubsan reports, I assumed you were done. Wrong this
> was.
>
>> $ gpg -d < crash.chm.asc > crash.chm
>> $ test/chmd_md5 crash.chm
>> *** crash.chm
>>
>> but it'd be better to fix the thing that sets "p" to a value past the "end".
> So something like the patch attached then?. But this should be
> double-checked in case we properly come to end and don't continue
> using p anymore. But not today…
>
I made this change instead.
@@ -254,7 +254,7 @@
#define READ_ENCINT(var) do { \
(var) = 0; \
do { \
- if (p > end) goto chunk_end; \
+ if (p >= end) goto chunk_end; \
(var) = ((var) << 7) | (*p & 0x7F); \
} while (*p++ & 0x80); \
} while (0)
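Review bot: the `p >= end` change closes an off-by-one at the loop head. With `p > end`, an iteration starting at `p == end` dereferenced `*p` one byte past the chunk and then advanced `p` to `end + 1`, which is exactly how `end - p` went negative at the later `name_len > end - p` check. Two points worth stating alongside the change: `end` must be the one-past-the-last-byte pointer for this comparison to be correct, and the macro's second read in `while (*p++ & 0x80)` is covered by the same check only because the increment happens after the read. The `p > end ||` guard Jakub proposed for the check at chmd.c:788 would still be cheap defence in depth, since any other path that leaves `p` past `end` would reintroduce the unsigned conversion on 32-bit builds.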
Regards
Stuart
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#775687; Package libmspack0. (Thu, 29 Jan 2015 12:30:04 GMT)
Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Thu, 29 Jan 2015 12:30:05 GMT)
Message #18 received at 775687@bugs.debian.org:
0.5alpha has just been released [0] with this issue fixed. If you
package that one you get rid of all currently known bugs :)
[0] http://www.cabextract.org.uk/libmspack/libmspack-0.5alpha.tar.gz
Sebastian
Reply sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>: You have taken responsibility. (Mon, 02 Feb 2015 19:09:21 GMT)
Notification sent to Jakub Wilk <jwilk@debian.org>: Bug acknowledged by developer. (Mon, 02 Feb 2015 19:09:21 GMT)
Message #23 received at 775687-close@bugs.debian.org:
Source: libmspack
Source-Version: 0.5-1
We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775687@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated libmspack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 02 Feb 2015 19:41:59 +0100
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source amd64 all
Version: 0.5-1
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
libmspack-dbg - library for Microsoft compression formats (debugging symbols)
libmspack-dev - library for Microsoft compression formats (development files)
libmspack-doc - library for Microsoft compression formats (documentation)
libmspack0 - library for Microsoft compression formats (shared library)
Closes: 774665 775498 775499 775687
Changes:
libmspack (0.5-1) unstable; urgency=medium
.
* New upstream fix-only release:
+ Fix previously reported bugs with an upstream approved patch
(#773041, #774725, #774726)
+ Fixes many security-sensitive bugs (Closes: #775687, #775498,
#774665, #775499).
Checksums-Sha1:
5ee31e4bee00c8d898f8748cc57d7783dc533dc3 2064 libmspack_0.5-1.dsc
226f19b1fc58e820671a1749983b06896e108cc4 654193 libmspack_0.5.orig.tar.gz
0b25b953e95874cd6f3c4faff1d89b5080f5460e 2732 libmspack_0.5-1.debian.tar.xz
3455afb116161bb800208c5e5315c9c0ef74931d 46518 libmspack0_0.5-1_amd64.deb
e039f7f9a29d0369e7bca3216d1711b906badf64 64864 libmspack-dev_0.5-1_amd64.deb
d7e03f123dd5ac4b8744d9aeb7acf4aeb84aeab1 83962 libmspack-dbg_0.5-1_amd64.deb
aa481d5f1bfc4b234005d542a79c4c542380573e 101792 libmspack-doc_0.5-1_all.deb
Checksums-Sha256:
eb9e63d0dd75cb28180f5ed02178c436a723697dab285b5a484729acc4039a2c 2064 libmspack_0.5-1.dsc
8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110 654193 libmspack_0.5.orig.tar.gz
42bf17c5b1dd0a44da06117ff4deb52ee06063b002bd8289f8d1ca9df1753cc3 2732 libmspack_0.5-1.debian.tar.xz
805a49cc478460e920930864770071184dc90818bdaf23b81a36bbf6deafa96a 46518 libmspack0_0.5-1_amd64.deb
703badb6b5ca7eaeac15779030c4dbe07fc6d355870da9acdc31a2e7b90c54c4 64864 libmspack-dev_0.5-1_amd64.deb
5992fa23531e125ae07437ca0fc78c1da0dcf573f558fcf1fec3259ec0b6620d 83962 libmspack-dbg_0.5-1_amd64.deb
6852556f9e730725b9820365eeaced90b8affeb648a385ec0fab82d5cffcb6e8 101792 libmspack-doc_0.5-1_all.deb
Files:
6a821d5a21543cac7e931cb2d574f906 2064 libs optional libmspack_0.5-1.dsc
3aa3f6b9ef101463270c085478fda1da 654193 libs optional libmspack_0.5.orig.tar.gz
e795c2066af466550f9a19c79addb364 2732 libs optional libmspack_0.5-1.debian.tar.xz
bdacfcaa023672fbd2d6e5351775c85b 46518 libs optional libmspack0_0.5-1_amd64.deb
c88a0b861ce8ef9de6ea119f6db22c9f 64864 libdevel optional libmspack-dev_0.5-1_amd64.deb
6a47691d38eb3bcaeac00b051e1e6f86 83962 debug extra libmspack-dbg_0.5-1_amd64.deb
60e609c122d314710d819847ac9c3e8a 101792 doc optional libmspack-doc_0.5-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 07 Mar 2015 07:34:27 GMT)
Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Jun 2015 15:21:12 GMT)
Changed Bug title to 'libmspack: CVE-2015-4472: CHM decompression: another pointer arithmetic overflow' from 'libmspack: CHM decompression: another pointer arithmetic overflow'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Jun 2015 15:21:13 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jul 2015 07:32:44 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 15:56:01 2019; Machine Name: beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.