r-base: CVE-2016-8714: R: Buffer overflow in the LoadEncoding functionality

Related Vulnerabilities: CVE-2016-8714  

Debian Bug report logs - #857466

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 11 Mar 2017 17:00:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions r-base/3.3.2-1, r-base/3.1.1-1

Fixed in version r-base/3.3.3-1

Done: Dirk Eddelbuettel <edd@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#857466; Package src:r-base. (Sat, 11 Mar 2017 17:00:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dirk Eddelbuettel <edd@debian.org>. (Sat, 11 Mar 2017 17:00:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: r-base: CVE-2016-8714: R: Buffer overflow in the LoadEncoding functionality
Date: Sat, 11 Mar 2017 17:56:57 +0100
Source: r-base
Version: 3.1.1-1
Severity: grave
Tags: patch security upstream fixed-upstream
Justification: user security hole
Control: fixed -1 3.3.3-1 

Hi,

the following vulnerability was published for r-base.

CVE-2016-8714[0]:
| An exploitable buffer overflow vulnerability exists in the
| LoadEncoding functionality of the R programming language version
| 3.3.0. A specially crafted R script can cause a buffer overflow
| resulting in a memory corruption. An attacker can send a malicious R
| script to trigger this vulnerability.

The relevant changes seem to be the following, but I might be mistaken. (btw,
is there a VCS repository for r-base or does upstream not share development
VCS?)

----cut---------cut---------cut---------cut---------cut---------cut-----
--- r-base-3.3.2/src/library/grDevices/src/devPS.c      2016-01-05 00:15:05.000000000 +0100
+++ r-base-3.3.3/src/library/grDevices/src/devPS.c      2017-01-17 00:15:12.000000000 +0100
@@ -412,10 +412,10 @@
        /* check for incomplete encoding file */
        if(!state->p) return 1;
        while (isspace((int)* state->p)) state->p++;
-       if (state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; }
+       if (*state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; }
        state->p0 = state->p;
        while (!isspace((int)*state->p)) state->p++;
-       if (state->p != '\0') *state->p++ = '\0';
+       if (*state->p != '\0') *state->p++ = '\0';
        if(c == 45) strcpy(dest, "/minus"); else strcpy(dest, state->p0);
        break;
     }
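Review bot: the tokenising loop `while (!isspace((int)*state->p)) state->p++;` still does not stop at the NUL terminator, because isspace('\0') is false, so a token that ends the buffer without trailing whitespace walks past the end of the string before the following `if (*state->p != '\0')` ever sees it; guard it as `while (*state->p && !isspace((int)*state->p)) state->p++;`, and cast through `(unsigned char)` rather than `(int)` so bytes above 0x7f in an untrusted file cannot hand isspace a negative value. The two corrected comparisons fix real bugs (the old `state->p == '\0'` compared the pointer itself with 0, which the `if(!state->p)` line above had already excluded, so the end-of-string branch could never fire), but the final `strcpy(dest, state->p0)` remains unbounded; whether that is safe depends on dest being at least as large as the line buffer the tokens come from, which is not visible in this hunk.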
@@ -513,13 +513,15 @@
        if (!(fp = R_fopen(R_ExpandFileName(buf), "r"))) return 0;
     }
     if (GetNextItem(fp, buf, -1, &state)) return 0; /* encoding name */
-    strcpy(encname, buf+1);
+    strncpy(encname, buf+1, 99); 
+    encname[99] = '\0';
     if (!isPDF) snprintf(enccode, 5000, "/%s [\n", encname);
     else enccode[0] = '\0';
     if (GetNextItem(fp, buf, 0, &state)) { fclose(fp); return 0;} /* [ */
     for(i = 0; i < 256; i++) {
        if (GetNextItem(fp, buf, i, &state)) { fclose(fp); return 0; }
-       strcpy(encnames[i].cname, buf+1);
+       strncpy(encnames[i].cname, buf+1, 39);
+       encnames[i].cname[39] = '\0';
        strcat(enccode, " /"); strcat(enccode, encnames[i].cname);
        if(i%8 == 7) strcat(enccode, "\n");
     }
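Review bot: the literals 99 and 39 hardcode the sizes of encname and encnames[i].cname; use `sizeof(encname) - 1` and `sizeof(encnames[i].cname) - 1` (or the constant those arrays are declared with) so the bound cannot drift from the declaration. The truncation also bounds each name but not their sum: the `strcat(enccode, " /"); strcat(enccode, encnames[i].cname);` calls are still unbounded, and with 256 names of up to 39 bytes plus the two-byte separators the loop can append 256 * 41 = 10496 bytes, more than the 5000 the snprintf above passes as enccode's size, so an encoding file with long glyph names may still overrun enccode; append with a length check (or snprintf into the remaining space) and fail the load when the text would not fit. Following strncpy with an explicit terminator is right, since strncpy does not terminate on truncation.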
----cut---------cut---------cut---------cut---------cut---------cut-----

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Can you as well please make sure with the release team that the fix might enter
for stretch?

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8714
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8714
[1] http://www.talosintelligence.com/reports/TALOS-2016-0227/

Regards,
Salvatore
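The pattern the patch applies, as an added example that is neither R's code nor part of this bug report: a small encoding-file tokeniser in the shape of GetNextItem/LoadEncoding, with the unbounded strcpy replaced by a copy clamped to the field size and the strcat accumulation replaced by a length-checked append. The field sizes (100, 40, 5000), the names next_token, copy_bounded, append_bounded, worst_case_enccode_len and load_encoding, and the two sample files are assumptions. Where the patch silently truncates an over-long name, this version rejects the file, and it accepts a closing ']' before 256 names so the samples can be short.

```c
/* Added example, not R's code: bounded handling of encoding-file tokens in the
 * shape of the devPS.c fix. Sizes, names and the sample files are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ENCNAME_LEN 100   /* assumed: the field the patch clamps to 99 bytes */
#define CNAME_LEN   40    /* assumed: the field the patch clamps to 39 bytes */
#define NGLYPHS     256
#define ENCCODE_LEN 5000  /* assumed: the size the patch passes to snprintf */

struct glyph { char cname[CNAME_LEN]; };

/* Next whitespace-delimited token, '%' comments skipped. Returns pointer and
 * length only, so nothing can overflow here; stops at NUL, which a bare
 * !isspace() loop does not, since isspace('\0') is false. */
static const char *next_token(const char **cursor, size_t *len)
{
    const char *p = *cursor, *start;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p != '%') break;
        while (*p && *p != '\n') p++;      /* comment runs to end of line */
    }
    if (*p == '\0') { *cursor = p; *len = 0; return NULL; }
    start = p;
    while (*p && !isspace((unsigned char)*p)) p++;
    *cursor = p;
    *len = (size_t)(p - start);
    return start;
}

/* What the unpatched strcpy would do: bytes written past a cap-byte field. */
static size_t overrun_bytes(size_t token_len, size_t cap)
{
    return token_len + 1 > cap ? token_len + 1 - cap : 0;
}

/* Patched shape: at most cap-1 bytes copied, always terminated. Returns 1 when
 * the token was cut so the caller can reject the file rather than use it. */
static int copy_bounded(char *dst, size_t cap, const char *tok, size_t len)
{
    size_t n = len < cap - 1 ? len : cap - 1;
    memcpy(dst, tok, n);
    dst[n] = '\0';
    return len > n;
}

/* Length-checked strcat: returns 0 and leaves dst alone when it would not fit. */
static int append_bounded(char *dst, size_t cap, const char *s)
{
    size_t used = strlen(dst), add = strlen(s);
    if (used + add + 1 > cap) return 0;
    memcpy(dst + used, s, add + 1);
    return 1;
}

/* Longest enccode the patch permits: "/name [\n", 256 x (" /" + 39 bytes), a newline every 8 names, NUL. */
static size_t worst_case_enccode_len(void)
{
    return 1 + (ENCNAME_LEN - 1) + 3 + NGLYPHS * (2 + (CNAME_LEN - 1)) + NGLYPHS / 8 + 1;
}

/* Parse "/Name [ /g0 /g1 ... ]" into the fixed fields. Returns the number of
 * glyph names stored, or -1 on a malformed file, a cut name or a full enccode.
 * Unlike R it accepts ']' before 256 names, so the samples can be short. */
static int load_encoding(const char *file, char *encname, struct glyph *g, char *enccode)
{
    const char *cur = file, *tok; size_t len; int i;
    if (!(tok = next_token(&cur, &len)) || tok[0] != '/') return -1;
    if (copy_bounded(encname, ENCNAME_LEN, tok + 1, len - 1)) return -1;
    enccode[0] = '\0';
    if (!append_bounded(enccode, ENCCODE_LEN, "/") || !append_bounded(enccode, ENCCODE_LEN, encname)
        || !append_bounded(enccode, ENCCODE_LEN, " [\n")) return -1;
    if (!(tok = next_token(&cur, &len)) || len != 1 || tok[0] != '[') return -1;
    for (i = 0; i < NGLYPHS; i++) {
        if (!(tok = next_token(&cur, &len))) return -1;
        if (len == 1 && tok[0] == ']') break;
        if (tok[0] != '/' || copy_bounded(g[i].cname, CNAME_LEN, tok + 1, len - 1)) return -1;
        if (!append_bounded(enccode, ENCCODE_LEN, " /") || !append_bounded(enccode, ENCCODE_LEN, g[i].cname)) return -1;
        if (i % 8 == 7 && !append_bounded(enccode, ENCCODE_LEN, "\n")) return -1;
    }
    return i;
}

/* Constructed sample files, not real R encoding files. */
#define A10 "AAAAAAAAAA"
static const char *SAMPLE_OK = "% comment\n/TestEncoding [\n /.notdef /space /exclam /quotedbl\n ]\n";
static const char *SAMPLE_LONG = "/TestEncoding [\n /" A10 A10 A10 A10 A10 A10 " ]\n";

int main(void)
{
    char encname[ENCNAME_LEN], enccode[ENCCODE_LEN]; struct glyph g[NGLYPHS];
    printf("well-formed file: %d names stored\n", load_encoding(SAMPLE_OK, encname, g, enccode));
    printf("60-byte glyph name: load_encoding returns %d; unpatched strcpy would overrun by %zu bytes\n",
           load_encoding(SAMPLE_LONG, encname, g, enccode), overrun_bytes(60, CNAME_LEN));
    printf("worst-case enccode after the patch: %zu bytes vs %d available\n",
           worst_case_enccode_len(), ENCCODE_LEN);
    return 0;
}
```

The arithmetic in worst_case_enccode_len is the reason append_bounded exists: clamping every name to 39 bytes caps each copy but not the 256-name total, so the accumulating buffer needs its own check.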



Marked as fixed in versions r-base/3.3.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 11 Mar 2017 17:00:04 GMT).


Marked as found in versions r-base/3.3.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 11 Mar 2017 17:03:08 GMT).


Reply sent to Dirk Eddelbuettel <edd@debian.org>:
You have taken responsibility. (Wed, 15 Mar 2017 22:00:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 15 Mar 2017 22:00:09 GMT).


Message #14 received at 857466-done@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 857466-done@bugs.debian.org
Cc: Dirk Eddelbuettel <edd@debian.org>
Subject: Re: Bug#857466: r-base: CVE-2016-8714: R: Buffer overflow in the LoadEncoding functionality
Date: Wed, 15 Mar 2017 16:56:59 -0500
Sorry, didn't catch this earlier as I was in Europe ... and my server was
down.  Been catching up since -- but this has been addressed and @security
will now prepare the post.

On 11 March 2017 at 17:56, Salvatore Bonaccorso wrote:
| Source: r-base
| Version: 3.1.1-1
| Severity: grave
| Tags: patch security upstream fixed-upstream
| Justification: user security hole
| Control: fixed -1 3.3.3-1 
| 
| Hi,
| 
| the following vulnerability was published for r-base.
| 
| CVE-2016-8714[0]:
| | An exploitable buffer overflow vulnerability exists in the
| | LoadEncoding functionality of the R programming language version
| | 3.3.0. A specially crafted R script can cause a buffer overflow
| | resulting in a memory corruption. An attacker can send a malicious R
| | script to trigger this vulnerability.
| 
| The relevant changes seem to be the following, but I might be mistaken. (btw,
| is there a VCS repository for r-base or does upstream not share development
| VCS?)

They do at svn.r-project.org  -- but that isn't browsable -- and the
community has a mirror here https://github.com/wch/r-source


| ----cut---------cut---------cut---------cut---------cut---------cut-----
| --- r-base-3.3.2/src/library/grDevices/src/devPS.c      2016-01-05 00:15:05.000000000 +0100
| +++ r-base-3.3.3/src/library/grDevices/src/devPS.c      2017-01-17 00:15:12.000000000 +0100
| @@ -412,10 +412,10 @@
|         /* check for incomplete encoding file */
|         if(!state->p) return 1;
|         while (isspace((int)* state->p)) state->p++;
| -       if (state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; }
| +       if (*state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; }
|         state->p0 = state->p;
|         while (!isspace((int)*state->p)) state->p++;
| -       if (state->p != '\0') *state->p++ = '\0';
| +       if (*state->p != '\0') *state->p++ = '\0';
|         if(c == 45) strcpy(dest, "/minus"); else strcpy(dest, state->p0);
|         break;
|      }
| @@ -513,13 +513,15 @@
|         if (!(fp = R_fopen(R_ExpandFileName(buf), "r"))) return 0;
|      }
|      if (GetNextItem(fp, buf, -1, &state)) return 0; /* encoding name */
| -    strcpy(encname, buf+1);
| +    strncpy(encname, buf+1, 99); 
| +    encname[99] = '\0';
|      if (!isPDF) snprintf(enccode, 5000, "/%s [\n", encname);
|      else enccode[0] = '\0';
|      if (GetNextItem(fp, buf, 0, &state)) { fclose(fp); return 0;} /* [ */
|      for(i = 0; i < 256; i++) {
|         if (GetNextItem(fp, buf, i, &state)) { fclose(fp); return 0; }
| -       strcpy(encnames[i].cname, buf+1);
| +       strncpy(encnames[i].cname, buf+1, 39);
| +       encnames[i].cname[39] = '\0';
|         strcat(enccode, " /"); strcat(enccode, encnames[i].cname);
|         if(i%8 == 7) strcat(enccode, "\n");
|      }
| ----cut---------cut---------cut---------cut---------cut---------cut-----
| 
| If you fix the vulnerability please also make sure to include the
| CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I did.
 
| Can you as well please make sure with the release team that the fix might enter
| for stretch?

How would I do that?  Suggest current upstream 3.3.3 to be passed down, or
prepare a 'testing-security' upload?

Dirk

| 
| For further information see:
| 
| [0] https://security-tracker.debian.org/tracker/CVE-2016-8714
|     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8714
| [1] http://www.talosintelligence.com/reports/TALOS-2016-0227/
| 
| Regards,
| Salvatore

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#857466; Package src:r-base. (Wed, 15 Mar 2017 22:45:06 GMT).


Acknowledgement sent to Charles Plessy <plessy@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. (Wed, 15 Mar 2017 22:45:06 GMT).


Message #19 received at 857466@bugs.debian.org:

From: Charles Plessy <plessy@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 857466@bugs.debian.org
Subject: Re: Bug#857466: marked as done (r-base: CVE-2016-8714: R: Buffer overflow in the LoadEncoding functionality)
Date: Thu, 16 Mar 2017 07:33:37 +0900
Hi Dirk and Salvatore,

> From: Dirk Eddelbuettel <edd@debian.org>
> On 11 March 2017 at 17:56, Salvatore Bonaccorso wrote:
> | 
> | The relevant changes seem to be the following, but I might be mistaken. (btw,
> | is there a VCS repository for r-base or does upstream not share development
> | VCS?)
> 
> They do at svn.r-project.org  -- but that isn't browsable -- and the
> community has a mirror here https://github.com/wch/r-source

Actually there is anonymous access:

	$ svn log https://svn.r-project.org/R/trunk/ | head
	------------------------------------------------------------------------
	r72357 | luke | 2017-03-16 04:32:54 +0900 (jeu. 16 mars 2017) | 4 lignes

	Use two uniforms in sample() for higher precision when the uniform
	generator is one of the Knuth generators or a user-defined generator
	and the population size is at least 2^25.

	------------------------------------------------------------------------
	r72356 | luke | 2017-03-16 03:58:45 +0900 (jeu. 16 mars 2017) | 2 lignes

But the GitHub mirror is likely to be more convenient 

> | Can you as well please make sure with the release team that the fix might enter
> | for stretch?
> 
> How would I do that?  Suggest current upstream 3.3.3 to be passed down, or
> prepare a 'testing-security' upload?

Actually, I see 3.3.3 in testing already.

On my side, I plan to fix the security issue in jessie-backports by
updating it to 3.3.3 as well.

Have a nice day,

-- 
Charles



Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>:
Bug#857466; Package src:r-base. (Thu, 16 Mar 2017 05:57:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. (Thu, 16 Mar 2017 05:57:02 GMT).


Message #24 received at 857466@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Charles Plessy <plessy@debian.org>
Cc: 857466@bugs.debian.org
Subject: Re: Bug#857466: marked as done (r-base: CVE-2016-8714: R: Buffer overflow in the LoadEncoding functionality)
Date: Thu, 16 Mar 2017 06:52:46 +0100
On Thu, Mar 16, 2017 at 07:33:37AM +0900, Charles Plessy wrote:
> Hi Dirk and Salvatore,
> 
> > From: Dirk Eddelbuettel <edd@debian.org>
> > On 11 March 2017 at 17:56, Salvatore Bonaccorso wrote:
> > | 
> > | The relevant changes seem to be the following, but I might be mistaken. (btw,
> > | is there a VCS repository for r-base or does upstream not share development
> > | VCS?)
> > 
> > They do at svn.r-project.org  -- but that isn't browsable -- and the
> > community has a mirror here https://github.com/wch/r-source
> 
> Actually there is anonymous access:
> 
> 	$ svn log https://svn.r-project.org/R/trunk/ | head
> 	------------------------------------------------------------------------
> 	r72357 | luke | 2017-03-16 04:32:54 +0900 (jeu. 16 mars 2017) | 4 lignes
> 
> 	Use two uniforms in sample() for higher precision when the uniform
> 	generator is one of the Knuth generators or a user-defined generator
> 	and the population size is at least 2^25.
> 
> 	------------------------------------------------------------------------
> 	r72356 | luke | 2017-03-16 03:58:45 +0900 (jeu. 16 mars 2017) | 2 lignes
> 
> But the GitHub mirror is likely to be more convenient 

Thanks a lot to both for the information about that! I did not find it
initially when trying to deduce what changes were done for the CVE.
Thanks, really appreciated.

> 
> > | Can you as well please make sure with the release team that the fix might enter
> > | for stretch?
> > 
> > How would I do that?  Suggest current upstream 3.3.3 to be passed down, or
> > prepare a 'testing-security' upload?
> 
> Actually, I see 3.3.3 in testing already.

Yep, apparently in this case it was hinted without an explicit unblock
request. For reference:
https://release.debian.org/stretch/freeze_policy.html

Does this help?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#857466; Package src:r-base. (Thu, 16 Mar 2017 12:06:02 GMT).


Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>:
Extra info received and forwarded to list. (Thu, 16 Mar 2017 12:06:02 GMT).


Message #29 received at 857466@bugs.debian.org:

From: Dirk Eddelbuettel <edd@debian.org>
To: Charles Plessy <plessy@debian.org>, 857466@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#857466: marked as done (r-base: CVE-2016-8714: R: Buffer overflow in the LoadEncoding functionality)
Date: Thu, 16 Mar 2017 07:02:30 -0500
On 16 March 2017 at 07:33, Charles Plessy wrote:
| Hi Dirk and Salvatore,
| 
| > From: Dirk Eddelbuettel <edd@debian.org>
| > On 11 March 2017 at 17:56, Salvatore Bonaccorso wrote:
| > | 
| > | The relevant changes seem to be the following, but I might be mistaken. (btw,
| > | is there a VCS repository for r-base or does upstream not share development
| > | VCS?)
| > 
| > They do at svn.r-project.org  -- but that isn't browsable -- and the
| > community has a mirror here https://github.com/wch/r-source
| 
| Actually there is anonymous access:
| 
| 	$ svn log https://svn.r-project.org/R/trunk/ | head
| 	------------------------------------------------------------------------
| 	r72357 | luke | 2017-03-16 04:32:54 +0900 (jeu. 16 mars 2017) | 4 lignes
| 
| 	Use two uniforms in sample() for higher precision when the uniform
| 	generator is one of the Knuth generators or a user-defined generator
| 	and the population size is at least 2^25.
| 
| 	------------------------------------------------------------------------
| 	r72356 | luke | 2017-03-16 03:58:45 +0900 (jeu. 16 mars 2017) | 2 lignes
 
Sorry, I was sloppy. What I meant to say is that a) the SVN has no easy
'browser' and b) is not that advertised.

But yes, "everybody" can have a checkout. I have been building r-devel
locally for years as package authors are encouraged to test on r-devel too.

| But the GitHub mirror is likely to be more convenient 

Yup.
 
| > | Can you as well please make sure with the release team that the fix might enter
| > | for stretch?
| > 
| > How would I do that?  Suggest current upstream 3.3.3 to be passed down, or
| > prepare a 'testing-security' upload?
| 
| Actually, I see 3.3.3 in testing already.

Great.
 
| On my side, I plan to fix the security issue in jessie-backports by
| updating it to 3.3.3 as well.

Appreciate that.  I still have to do / help with 'oldstable-security'.

Everybody has been super helpful, especially when I was a few thousand miles
away and my server was down (for something caused by power / a storm)  :-/

Dirk
 
| Have a nice day,
| 
| -- 
| Charles

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Jun 2017 07:35:25 GMT).

