Debian Bug report logs - #857466
r-base: CVE-2016-8714: R: Buffer overflow in the LoadEncoding functionality
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 11 Mar 2017 17:00:01 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in versions r-base/3.3.2-1, r-base/3.1.1-1
Fixed in version r-base/3.3.3-1
Done: Dirk Eddelbuettel <edd@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dirk Eddelbuettel <edd@debian.org>: Bug#857466; Package src:r-base. (Sat, 11 Mar 2017 17:00:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dirk Eddelbuettel <edd@debian.org>. (Sat, 11 Mar 2017 17:00:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: r-base
Version: 3.1.1-1
Severity: grave
Tags: patch security upstream fixed-upstream
Justification: user security hole
Control: fixed -1 3.3.3-1
Hi,
the following vulnerability was published for r-base.
CVE-2016-8714[0]:
| An exploitable buffer overflow vulnerability exists in the
| LoadEncoding functionality of the R programming language version
| 3.3.0. A specially crafted R script can cause a buffer overflow
| resulting in a memory corruption. An attacker can send a malicious R
| script to trigger this vulnerability.
The relevant changes seem to be the following, but I might be mistaken. (btw,
is there a VCS repository for r-base or does upstream not share development
VCS?)
----cut---------cut---------cut---------cut---------cut---------cut-----
--- r-base-3.3.2/src/library/grDevices/src/devPS.c 2016-01-05 00:15:05.000000000 +0100
+++ r-base-3.3.3/src/library/grDevices/src/devPS.c 2017-01-17 00:15:12.000000000 +0100
@@ -412,10 +412,10 @@
/* check for incomplete encoding file */
if(!state->p) return 1;
while (isspace((int)* state->p)) state->p++;
- if (state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; }
+ if (*state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; }
state->p0 = state->p;
while (!isspace((int)*state->p)) state->p++;
- if (state->p != '\0') *state->p++ = '\0';
+ if (*state->p != '\0') *state->p++ = '\0';
if(c == 45) strcpy(dest, "/minus"); else strcpy(dest, state->p0);
break;
}
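Review bot: the token scan `while (!isspace((int)*state->p)) state->p++;` just above the second fix still has no terminator check, so on a line that ends at '\0' with no trailing whitespace (the final line of a file without a newline) it walks past the end of the line buffer before the new `if (*state->p != '\0')` guard can see it; make that loop `while (*state->p && !isspace((int)*state->p))`. The two `==`/`!=` corrections are right (the old code compared the pointer itself to '\0', so neither check could ever fire), but `strcpy(dest, state->p0)` on the last line remains unbounded, and whether that is safe depends on dest being at least as large as the line buffer, which this hunk does not show. Casting `*state->p` to int before isspace also passes negative values for bytes above 0x7f; cast through unsigned char instead.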
@@ -513,13 +513,15 @@
if (!(fp = R_fopen(R_ExpandFileName(buf), "r"))) return 0;
}
if (GetNextItem(fp, buf, -1, &state)) return 0; /* encoding name */
- strcpy(encname, buf+1);
+ strncpy(encname, buf+1, 99);
+ encname[99] = '\0';
if (!isPDF) snprintf(enccode, 5000, "/%s [\n", encname);
else enccode[0] = '\0';
if (GetNextItem(fp, buf, 0, &state)) { fclose(fp); return 0;} /* [ */
for(i = 0; i < 256; i++) {
if (GetNextItem(fp, buf, i, &state)) { fclose(fp); return 0; }
- strcpy(encnames[i].cname, buf+1);
+ strncpy(encnames[i].cname, buf+1, 39);
+ encnames[i].cname[39] = '\0';
strcat(enccode, " /"); strcat(enccode, encnames[i].cname);
if(i%8 == 7) strcat(enccode, "\n");
}
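Review bot: the `strcat(enccode, " /"); strcat(enccode, encnames[i].cname);` chain at the end of the loop is still unbounded, and capping each name at 39 bytes does not make it safe: 256 names of 39 bytes plus their " /" separators come to 256 × 41 = 10496 bytes, over twice the 5000 limit the preceding snprintf applies to enccode, so a crafted encoding file with long glyph names can still overrun enccode even though every strncpy is now bounded. Track the remaining space (or use snprintf/strlcat-style appends) and fail the load with `fclose(fp); return 0;` when an entry would not fit. Two smaller points: the literals 99 and 39 silently encode the array sizes of encname and cname, so tie them to the declarations (a sizeof or a shared #define) so they cannot drift; and strncpy truncates silently, so an over-long encoding name now loads under a clipped name rather than being rejected, which deserves a comment if intentional.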
----cut---------cut---------cut---------cut---------cut---------cut-----
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
Can you as well please make sure with the release team that the fix might enter
for stretch?
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-8714
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8714
[1] http://www.talosintelligence.com/reports/TALOS-2016-0227/
Regards,
Salvatore
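As an added illustration (not code from R's devPS.c and not part of this bug report), here is a small C model of the loader the CVE text and the patch above describe. It keeps the bounded per-name copies the patch introduces, makes the token scan stop at the terminator, and also bounds the build of the PostScript encoding block, which the patch leaves as a strcat chain. The buffer sizes (100-byte encoding name, 40-byte glyph names, 5000-byte enccode) are read off the patch's strncpy/snprintf limits and are assumptions, as are the file layout "/Name [ /g0 ... /g255 ]" and every function name; the input is constructed in parse_constructed, not taken from any real encoding file.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes are assumptions read off the patch's bounds (strncpy 99 and 39,
 * snprintf 5000), not taken from R's own headers. */
#define ENCNAME_SZ 100
#define CNAME_SZ   40
#define ENCCODE_SZ 5000
#define NGLYPHS    256

typedef struct { char cname[CNAME_SZ]; } cname_t;

/* Refuse an over-long source instead of silently clipping it (the stricter
 * form of the patch's strncpy + explicit terminator). */
static int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (n >= dstsz) return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Size-checked replacement for the strcat chain that builds enccode. */
static int append_bounded(char *dst, size_t dstsz, const char *src) {
    size_t used = strlen(dst), n = strlen(src);
    if (used + n + 1 > dstsz) return 0;
    memcpy(dst + used, src, n + 1);
    return 1;
}

/* Token scanner that stops at '\0' as well as whitespace, so an unterminated
 * last line is never scanned past the buffer; '%' comments run to end of line.
 * Returns 0 at end of input. */
static int next_token(const char **cur, char *tok, size_t toksz) {
    const char *p = *cur, *start;
    for (;;) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (*p == '\0') return 0;
        if (*p != '%') break;
        while (*p && *p != '\n') p++;
    }
    start = p;
    while (*p && !isspace((unsigned char)*p)) p++;
    size_t n = (size_t)(p - start);
    if (n >= toksz) n = toksz - 1;  /* clipped here, then rejected by copy_bounded */
    memcpy(tok, start, n);
    tok[n] = '\0';
    *cur = p;
    return 1;
}

/* Parse "/Name [ /g0 ... /g255 ]" into encname, names[] and the PostScript
 * block enccode. Returns 1 on success, 0 on malformed input or whenever a
 * fixed-size buffer would overflow. */
int load_encoding(const char *text, char *encname, cname_t *names, char *enccode) {
    char tok[512];
    const char *cur = text;
    if (!next_token(&cur, tok, sizeof tok) || tok[0] != '/') return 0;
    if (!copy_bounded(encname, ENCNAME_SZ, tok + 1)) return 0;
    enccode[0] = '\0';
    if (!append_bounded(enccode, ENCCODE_SZ, "/") ||
        !append_bounded(enccode, ENCCODE_SZ, encname) ||
        !append_bounded(enccode, ENCCODE_SZ, " [\n")) return 0;
    if (!next_token(&cur, tok, sizeof tok) || strcmp(tok, "[") != 0) return 0;
    for (int i = 0; i < NGLYPHS; i++) {
        if (!next_token(&cur, tok, sizeof tok) || tok[0] != '/') return 0;
        if (!copy_bounded(names[i].cname, CNAME_SZ, tok + 1)) return 0;
        if (!append_bounded(enccode, ENCCODE_SZ, " /") ||
            !append_bounded(enccode, ENCCODE_SZ, names[i].cname)) return 0;
        if (i % 8 == 7 && !append_bounded(enccode, ENCCODE_SZ, "\n")) return 0;
    }
    if (!next_token(&cur, tok, sizeof tok) || strcmp(tok, "]") != 0) return 0;
    return append_bounded(enccode, ENCCODE_SZ, "]\n");
}

/* Constructed input: an encoding file with 256 glyph names of `namelen` bytes
 * each ('a' repeated), so the final size of enccode can be steered. */
int parse_constructed(int namelen) {
    size_t cap = 64 + (size_t)NGLYPHS * ((size_t)namelen + 3);
    char *text = malloc(cap), *w = text;
    char encname[ENCNAME_SZ], enccode[ENCCODE_SZ];
    cname_t names[NGLYPHS];
    w += sprintf(w, "/Sample [\n");
    for (int i = 0; i < NGLYPHS; i++) {
        *w++ = '/';
        memset(w, 'a', (size_t)namelen);
        w += namelen;
        *w++ = (i % 8 == 7) ? '\n' : ' ';
    }
    strcpy(w, "]");
    int ok = load_encoding(text, encname, names, enccode);
    free(text);
    return ok;
}

int main(void) {
    printf("%d %d %d\n", parse_constructed(3), parse_constructed(39), parse_constructed(40));
    return 0;
}
```

parse_constructed(3) returns 1. parse_constructed(39) returns 0: every name passes the 39-byte bound the patch introduces, but 256 of them plus their " /" separators exceed the 5000-byte block, which is exactly the case the checked append exists for and which a strcat chain would turn into an overflow. parse_constructed(40) returns 0 because the name does not fit cname at all.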
Marked as fixed in versions r-base/3.3.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 11 Mar 2017 17:00:04 GMT)
Marked as found in versions r-base/3.3.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 11 Mar 2017 17:03:08 GMT)
Reply sent to Dirk Eddelbuettel <edd@debian.org>: You have taken responsibility. (Wed, 15 Mar 2017 22:00:09 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 15 Mar 2017 22:00:09 GMT)
Message #14 received at 857466-done@bugs.debian.org:
Sorry, didn't catch this earlier as I was in Europe ... and my server was
down. Been catching up since -- but this has been addressed and @security
will now prepare the post.
On 11 March 2017 at 17:56, Salvatore Bonaccorso wrote:
| Source: r-base
| Version: 3.1.1-1
| Severity: grave
| Tags: patch security upstream fixed-upstream
| Justification: user security hole
| Control: fixed -1 3.3.3-1
|
| Hi,
|
| the following vulnerability was published for r-base.
|
| CVE-2016-8714[0]:
| | An exploitable buffer overflow vulnerability exists in the
| | LoadEncoding functionality of the R programming language version
| | 3.3.0. A specially crafted R script can cause a buffer overflow
| | resulting in a memory corruption. An attacker can send a malicious R
| | script to trigger this vulnerability.
|
| The relevant changes seem to be the following, but I might be mistaken. (btw,
| is there a VCS repository for r-base or does upstream not share development
| VCS?)
They do at svn.r-project.org -- but that isn't browsable -- and the
community has a mirror here https://github.com/wch/r-source
| ----cut---------cut---------cut---------cut---------cut---------cut-----
| --- r-base-3.3.2/src/library/grDevices/src/devPS.c 2016-01-05 00:15:05.000000000 +0100
| +++ r-base-3.3.3/src/library/grDevices/src/devPS.c 2017-01-17 00:15:12.000000000 +0100
| @@ -412,10 +412,10 @@
| /* check for incomplete encoding file */
| if(!state->p) return 1;
| while (isspace((int)* state->p)) state->p++;
| - if (state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; }
| + if (*state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; }
| state->p0 = state->p;
| while (!isspace((int)*state->p)) state->p++;
| - if (state->p != '\0') *state->p++ = '\0';
| + if (*state->p != '\0') *state->p++ = '\0';
| if(c == 45) strcpy(dest, "/minus"); else strcpy(dest, state->p0);
| break;
| }
| @@ -513,13 +513,15 @@
| if (!(fp = R_fopen(R_ExpandFileName(buf), "r"))) return 0;
| }
| if (GetNextItem(fp, buf, -1, &state)) return 0; /* encoding name */
| - strcpy(encname, buf+1);
| + strncpy(encname, buf+1, 99);
| + encname[99] = '\0';
| if (!isPDF) snprintf(enccode, 5000, "/%s [\n", encname);
| else enccode[0] = '\0';
| if (GetNextItem(fp, buf, 0, &state)) { fclose(fp); return 0;} /* [ */
| for(i = 0; i < 256; i++) {
| if (GetNextItem(fp, buf, i, &state)) { fclose(fp); return 0; }
| - strcpy(encnames[i].cname, buf+1);
| + strncpy(encnames[i].cname, buf+1, 39);
| + encnames[i].cname[39] = '\0';
| strcat(enccode, " /"); strcat(enccode, encnames[i].cname);
| if(i%8 == 7) strcat(enccode, "\n");
| }
| ----cut---------cut---------cut---------cut---------cut---------cut-----
|
| If you fix the vulnerability please also make sure to include the
| CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
I did.
| Can you as well please make sure with the release team that the fix might enter
| for stretch?
How would I do that? Suggest current upstream 3.3.3 to be passed down, or
prepare a 'testing-security' upload?
Dirk
|
| For further information see:
|
| [0] https://security-tracker.debian.org/tracker/CVE-2016-8714
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8714
| [1] http://www.talosintelligence.com/reports/TALOS-2016-0227/
|
| Regards,
| Salvatore
--
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>: Bug#857466; Package src:r-base. (Wed, 15 Mar 2017 22:45:06 GMT)
Acknowledgement sent to Charles Plessy <plessy@debian.org>: Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. (Wed, 15 Mar 2017 22:45:06 GMT)
Message #19 received at 857466@bugs.debian.org:
Hi Dirk and Salvatore,
> From: Dirk Eddelbuettel <edd@debian.org>
> On 11 March 2017 at 17:56, Salvatore Bonaccorso wrote:
> |
> | The relevant changes seem to be the following, but I might be mistaken. (btw,
> | is there a VCS repository for r-base or does upstream not share development
> | VCS?)
>
> They do at svn.r-project.org -- but that isn't browsable -- and the
> community has a mirror here https://github.com/wch/r-source
Actually there is anonymous access:
$ svn log https://svn.r-project.org/R/trunk/ | head
------------------------------------------------------------------------
r72357 | luke | 2017-03-16 04:32:54 +0900 (Thu, 16 Mar 2017) | 4 lines
Use two uniforms in sample() for higher precision when the uniform
generator is one of the Knuth generators or a user-defined generator
and the population size is at least 2^25.
------------------------------------------------------------------------
r72356 | luke | 2017-03-16 03:58:45 +0900 (Thu, 16 Mar 2017) | 2 lines
But the GitHub mirror is likely to be more convenient
> | Can you as well please make sure with the release team that the fix might enter
> | for stretch?
>
> How would I do that? Suggest current upstream 3.3.3 to be passed down, or
> prepare a 'testing-security' upload?
Actually, I see 3.3.3 in testing already.
On my side, I plan to fix the security issue in jessie-backports by
updating it to 3.3.3 as well.
Have a nice day,
--
Charles
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>: Bug#857466; Package src:r-base. (Thu, 16 Mar 2017 05:57:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>. (Thu, 16 Mar 2017 05:57:02 GMT)
Message #24 received at 857466@bugs.debian.org:
On Thu, Mar 16, 2017 at 07:33:37AM +0900, Charles Plessy wrote:
> Hi Dirk and Salvatore,
>
> > From: Dirk Eddelbuettel <edd@debian.org>
> > On 11 March 2017 at 17:56, Salvatore Bonaccorso wrote:
> > |
> > | The relevant changes seem to be the following, but I might be mistaken. (btw,
> > | is there a VCS repository for r-base or does upstream not share development
> > | VCS?)
> >
> > They do at svn.r-project.org -- but that isn't browsable -- and the
> > community has a mirror here https://github.com/wch/r-source
>
> Actually there is anonymous access:
>
> $ svn log https://svn.r-project.org/R/trunk/ | head
> ------------------------------------------------------------------------
> r72357 | luke | 2017-03-16 04:32:54 +0900 (Thu, 16 Mar 2017) | 4 lines
>
> Use two uniforms in sample() for higher precision when the uniform
> generator is one of the Knuth generators or a user-defined generator
> and the population size is at least 2^25.
>
> ------------------------------------------------------------------------
> r72356 | luke | 2017-03-16 03:58:45 +0900 (Thu, 16 Mar 2017) | 2 lines
>
> But the GitHub mirror is likely to be more convenient
Thanks a lot to both for the information about that! I did not find it
initially when trying to deduce what changes were done for the CVE.
Thanks, really appreciated.
>
> > | Can you as well please make sure with the release team that the fix might enter
> > | for stretch?
> >
> > How would I do that? Suggest current upstream 3.3.3 to be passed down, or
> > prepare a 'testing-security' upload?
>
> Actually, I see 3.3.3 in testing already.
Yep, apparently in this case it was hinted without an explicit unblock
request. For reference:
https://release.debian.org/stretch/freeze_policy.html
Does this help?
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#857466; Package src:r-base. (Thu, 16 Mar 2017 12:06:02 GMT)
Acknowledgement sent to Dirk Eddelbuettel <edd@debian.org>: Extra info received and forwarded to list. (Thu, 16 Mar 2017 12:06:02 GMT)
Message #29 received at 857466@bugs.debian.org:
On 16 March 2017 at 07:33, Charles Plessy wrote:
| Hi Dirk and Salvatore,
|
| > From: Dirk Eddelbuettel <edd@debian.org>
| > On 11 March 2017 at 17:56, Salvatore Bonaccorso wrote:
| > |
| > | The relevant changes seem to be the following, but I might be mistaken. (btw,
| > | is there a VCS repository for r-base or does upstream not share development
| > | VCS?)
| >
| > They do at svn.r-project.org -- but that isn't browsable -- and the
| > community has a mirror here https://github.com/wch/r-source
|
| Actually there is anonymous access:
|
| $ svn log https://svn.r-project.org/R/trunk/ | head
| ------------------------------------------------------------------------
| r72357 | luke | 2017-03-16 04:32:54 +0900 (Thu, 16 Mar 2017) | 4 lines
|
| Use two uniforms in sample() for higher precision when the uniform
| generator is one of the Knuth generators or a user-defined generator
| and the population size is at least 2^25.
|
| ------------------------------------------------------------------------
| r72356 | luke | 2017-03-16 03:58:45 +0900 (Thu, 16 Mar 2017) | 2 lines
Sorry, I was sloppy. What I meant to say is that a) the SVN has no easy
'browser' and b) is not that advertised.
But yes, "everybody" can have a checkout. I have been building r-devel
locally for years as package authors are encouraged to test on r-devel too.
| But the GitHub mirror is likely to be more convenient
Yup.
| > | Can you as well please make sure with the release team that the fix might enter
| > | for stretch?
| >
| > How would I do that? Suggest current upstream 3.3.3 to be passed down, or
| > prepare a 'testing-security' upload?
|
| Actually, I see 3.3.3 in testing already.
Great.
| On my side, I plan to fix the security issue in jessie-backports by
| updating it to 3.3.3 as well.
Appreciate that. I still have to do / help with 'oldstable-security'.
Everybody has been super helpful, especially when I was a few thousand miles
away and my server was down (for something caused by power / a storm) :-/
Dirk
| Have a nice day,
|
| --
| Charles
--
http://dirk.eddelbuettel.com | @eddelbuettel | edd@debian.org
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Jun 2017 07:35:25 GMT)
Last modified: Wed Jun 19 17:33:01 2019