formail: CVE-2017-16844: heap-based buffer overflow in loadbuf()

Debian Bug report logs - #876511
formail: CVE-2017-16844: heap-based buffer overflow in loadbuf()

Toggle useless messages

Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@jwilk.net>

To: submit@bugs.debian.org

Subject: formail: heap-based buffer overflow in loadbuf()

Date: Sat, 23 Sep 2017 00:24:35 +0200

[Message part 1 (text/plain, inline)]

Package: procmail
Version: 3.22-25+b1
Tags: security

formail crashes on the attached file:

  $ zcat overflow.822.gz | formail -r
  *** Error in `formail': corrupted size vs. prev_size: 0x584565a8 ***
  ...
  Aborted

I believe the culrpit is the loadbuf() function. It looks like this:

  void loadbuf(text,len)const char*const text;const size_t len;
  { if(buffilled+len>buflen)                        /* buf can't hold the text */
       buf=realloc(buf,buflen+=Bsize);
    tmemmove(buf+buffilled,text,len);buffilled+=len;
  }

When the buffer is too small, the function tries to resize it, but only 
by Bsize (=128) bytes. This is not necessarily enough.


Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages procmail depends on:
ii  libc6  2.24-17

-- 
Jakub Wilk

[overflow.822.gz (application/gzip, attachment)]

Message #10 received at 876511@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>

To: Jakub Wilk <jwilk@jwilk.net>, 876511@bugs.debian.org

Cc: Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#876511: formail: heap-based buffer overflow in loadbuf()

Date: Thu, 16 Nov 2017 22:35:05 +0100

[Message part 1 (text/plain, inline)]

On Sat, Sep 23, 2017 at 12:24:35AM +0200, Jakub Wilk wrote:
> Package: procmail
> Version: 3.22-25+b1
> Tags: security
> 
> formail crashes on the attached file:
> 
>   $ zcat overflow.822.gz | formail -r
>   *** Error in `formail': corrupted size vs. prev_size: 0x584565a8 ***
>   ...
>   Aborted
> 
> I believe the culrpit is the loadbuf() function. It looks like this:
> 
>   void loadbuf(text,len)const char*const text;const size_t len;
>   { if(buffilled+len>buflen)                        /* buf can't hold the text */
>        buf=realloc(buf,buflen+=Bsize);
>     tmemmove(buf+buffilled,text,len);buffilled+=len;
>   }
> 
> When the buffer is too small, the function tries to resize it, but only by
> Bsize (=128) bytes. This is not necessarily enough.

Thanks for the report and sorry for my late reply.

Based on your analysis, it would seem that keeping trying the realloc
until the condition inside the if becomes false would fix this.

I don't have an i386 system around. Can you try the following
(trivial) attached patch?

Salvatore: If this patch solves the issue and I upload it for unstable,
would you like me to care/help about stable as well?
(following your indications).

Thanks.

[formisc.c.patch.txt (text/plain, attachment)]

Message #15 received at 876511@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>

To: Jakub Wilk <jwilk@jwilk.net>, 876511@bugs.debian.org

Cc: Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#876511: formail: heap-based buffer overflow in loadbuf()

Date: Fri, 17 Nov 2017 00:03:05 +0100

I managed to reproduce the problem (but not a crash as such) on a
Debian 8 machine (i386) from Digital Ocean (it is increasingly
difficult to find a i386 machine these days).

In this machine, the output of formail with sample email had garbage
chars, and the garbage was different every time. The patch seems to
fix the problem.

I believe the patch to be correct, so I've uploaded 3.22-26 with it.

Thanks.

Message #20 received at 876511-close@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@debian.org>

To: 876511-close@bugs.debian.org

Subject: Bug#876511: fixed in procmail 3.22-26

Date: Thu, 16 Nov 2017 23:35:01 +0000

Source: procmail
Source-Version: 3.22-26

We believe that the bug you reported is fixed in the latest version of
procmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876511@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated procmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 16 Nov 2017 23:42:36 +0100
Source: procmail
Binary: procmail
Architecture: source
Version: 3.22-26
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
 procmail   - Versatile e-mail processor
Closes: 876511
Changes:
 procmail (3.22-26) unstable; urgency=medium
 .
   * Fix buffer overflow in loadbuf(). Closes: #876511.
     Reported by Jakub Wilk using American Fuzzy Lop.
     For reference, this is CVE-2017-16844.
Checksums-Sha1:
 c0d1d7fd5b2b09f2df4c33dca5878304459ce040 1320 procmail_3.22-26.dsc
 e3bc9065f6d2aa7f230ed0b380ab9c103ce56da7 20152 procmail_3.22-26.debian.tar.xz
 a19b9bfeea58d5e1b5a12429189508ab499488ce 3857 procmail_3.22-26_source.buildinfo
Checksums-Sha256:
 aa1d2edc716c28ce8547b49c36acc745eb4f0a1db1f1d362233a8c81060a3518 1320 procmail_3.22-26.dsc
 f1b9d15277013f2ae300a73a51417efc4eaf283f3629986dc8470cdab11f9fb3 20152 procmail_3.22-26.debian.tar.xz
 95ad70de092dbdd008a81afa52280703a22046e1f01e381d622b3ea4f2ce7988 3857 procmail_3.22-26_source.buildinfo
Files:
 cbcdaa0ff0c9f576dc496bf4054e4a12 1320 mail standard procmail_3.22-26.dsc
 56b2ef59dade568b6e5e9ca4e618fec7 20152 mail standard procmail_3.22-26.debian.tar.xz
 07d414301b40a88bc9d7de067c323bf9 3857 mail standard procmail_3.22-26_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE1Uw7+v+wQt44LaXXQc5/C58bizIFAloOF7cACgkQQc5/C58b
izLmygf9HMG7e8ObDBlFQcFiMqvL+beeTlma62DpolkqbZlSkkfvrG7ZzBa/KWI1
6agCAM08EbZT97MiUvFJIDkoVwjMxpWzVgoUMQ3cEQLZNmIBi9a/sOPuzhriHCuf
zCo5S/qPYHa3XfXsnJLBCf1RKvK/4UPJXEnH2doKjjqKcg07MNsHaJA5LN+Y44+W
JI0yTIYTqfVZpxIlg5fiVML+SGVYQHfG6WSFUJFQLY8fDLgLeu4jkWxnqiET/r8k
T7EhU+49XilLO1P3zC6QaVIJyAvjDPOlnRbJyuS0Uc+1Nav89q+awp5xdGEfyxjt
lv50jxOkwWDLur1jXMVVYcZyWUbftg==
=HqOO
-----END PGP SIGNATURE-----

Message #25 received at 876511@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Santiago Vila <sanvila@unex.es>, 876511@bugs.debian.org

Cc: Jakub Wilk <jwilk@jwilk.net>, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#876511: formail: heap-based buffer overflow in loadbuf()

Date: Fri, 17 Nov 2017 13:30:55 +0100

Hi Santiago, hi Jakub,

On Thu, Nov 16, 2017 at 10:35:05PM +0100, Santiago Vila wrote:
> On Sat, Sep 23, 2017 at 12:24:35AM +0200, Jakub Wilk wrote:
> > Package: procmail
> > Version: 3.22-25+b1
> > Tags: security
> > 
> > formail crashes on the attached file:
> > 
> >   $ zcat overflow.822.gz | formail -r
> >   *** Error in `formail': corrupted size vs. prev_size: 0x584565a8 ***
> >   ...
> >   Aborted
> > 
> > I believe the culrpit is the loadbuf() function. It looks like this:
> > 
> >   void loadbuf(text,len)const char*const text;const size_t len;
> >   { if(buffilled+len>buflen)                        /* buf can't hold the text */
> >        buf=realloc(buf,buflen+=Bsize);
> >     tmemmove(buf+buffilled,text,len);buffilled+=len;
> >   }
> > 
> > When the buffer is too small, the function tries to resize it, but only by
> > Bsize (=128) bytes. This is not necessarily enough.
> 
> Thanks for the report and sorry for my late reply.
> 
> Based on your analysis, it would seem that keeping trying the realloc
> until the condition inside the if becomes false would fix this.
> 
> I don't have an i386 system around. Can you try the following
> (trivial) attached patch?
> 
> Salvatore: If this patch solves the issue and I upload it for unstable,
> would you like me to care/help about stable as well?
> (following your indications).

It's possibly fine to fix this via a DSA, although I'm not sure if
it's limited to denial-of-service. Can you propose debdiffs for
jessie-security and stretch-security to team@security.debian.org?

Regards,
Salvatore

Message #30 received at 876511@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@jwilk.net>

To: 876511@bugs.debian.org

Subject: Re: Bug#876511: formail: heap-based buffer overflow in loadbuf()

Date: Fri, 17 Nov 2017 21:33:58 +0100

* Santiago Vila <sanvila@unex.es>, 2017-11-16, 22:35:
>-{ if(buffilled+len>buflen)			  /* buf can't hold the text */
>+{ while(buffilled+len>buflen)			  /* buf can't hold the text */
>      buf=realloc(buf,buflen+=Bsize);

The patch looks to me, and I confirm that it fixes the crash.

-- 
Jakub Wilk

Message #35 received at 876511@bugs.debian.org (full text, mbox, reply):

From: Pierre-Elliott Bécue <becue@crans.org>

To: 876511@bugs.debian.org

Subject: formail: CVE-2017-16844: heap-based buffer overflow in loadbuf()

Date: Sun, 19 Nov 2017 12:18:28 +0100

[Message part 1 (text/plain, inline)]

Actually, there might be another issue:

>+{ while(buffilled+len>buflen)           /* buf can't hold the text */
>      buf=realloc(buf,buflen+=Bsize);

If buffilled > INT_MAX - len, I think this loop won't work and so that
one'll have the same overflow as the tmemmove will be executed without any
resize.

I'm not sure how it could be exploited, and I might be wrong, but maybe one
should also check that?

-- 
PEB

[signature.asc (application/pgp-signature, inline)]

Message #40 received at 876511@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>

To: Pierre-Elliott Bécue <becue@crans.org>, 876511@bugs.debian.org

Subject: Re: Bug#876511: formail: CVE-2017-16844: heap-based buffer overflow in loadbuf()

Date: Sun, 19 Nov 2017 13:16:46 +0100

On Sun, Nov 19, 2017 at 12:18:28PM +0100, Pierre-Elliott Bécue wrote:
> Actually, there might be another issue:
> 
> >+{ while(buffilled+len>buflen)           /* buf can't hold the text */
> >      buf=realloc(buf,buflen+=Bsize);
> 
> If buffilled > INT_MAX - len, I think this loop won't work and so that
> one'll have the same overflow as the tmemmove will be executed without any
> resize.
> 
> I'm not sure how it could be exploited, and I might be wrong, but maybe one
> should also check that?

All variables involved are size_t, which is at least 32 bits on i386.

I guess you would need a 4GB-long email message to "exploit" that.

However, if your inbox allow such big messages, then you don't need an
exploit at all. The message itself would already create a Denial Of
Service issue. So this minor issue about size_t variables would be the
least of our worries.

Thanks.

Message #45 received at 876511-close@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@debian.org>

To: 876511-close@bugs.debian.org

Subject: Bug#876511: fixed in procmail 3.22-25+deb9u1

Date: Sun, 19 Nov 2017 22:47:14 +0000

Source: procmail
Source-Version: 3.22-25+deb9u1

We believe that the bug you reported is fixed in the latest version of
procmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876511@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated procmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 19 Nov 2017 00:50:34 +0100
Source: procmail
Binary: procmail
Architecture: source
Version: 3.22-25+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
 procmail   - Versatile e-mail processor
Closes: 876511
Changes:
 procmail (3.22-25+deb9u1) stretch-security; urgency=high
 .
   * Fix buffer overflow in loadbuf(). Closes: #876511.
     Reported by Jakub Wilk using American Fuzzy Lop.
     For reference, this is CVE-2017-16844.
Checksums-Sha1:
 0173d72fcd61cda46ca66363939704e40b4b6195 1348 procmail_3.22-25+deb9u1.dsc
 cd4e44c15559816453fd60349e5a32289f6f2965 226817 procmail_3.22.orig.tar.gz
 e4d6f9cb38c29d11521fd081fca75adeeb2486d5 20148 procmail_3.22-25+deb9u1.debian.tar.xz
 548c5a66172301a584512f2efd1973b95cbaf81f 3983 procmail_3.22-25+deb9u1_source.buildinfo
Checksums-Sha256:
 82a68568288e4a90915f03061475c3f7751bec8e3e4958f07820804d7076607b 1348 procmail_3.22-25+deb9u1.dsc
 087c75b34dd33d8b9df5afe9e42801c9395f4bf373a784d9bc97153b0062e117 226817 procmail_3.22.orig.tar.gz
 f5b5b88ad0227fe17550112cc6904a0f7cb4c518dd7e880d77ed262e8e0d512c 20148 procmail_3.22-25+deb9u1.debian.tar.xz
 6f5593d3e204161253b0ba2bbb49501896fe6fba23d97ef071509c8264370692 3983 procmail_3.22-25+deb9u1_source.buildinfo
Files:
 e590abc5c0af8037cc94bb9505ad1e43 1348 mail standard procmail_3.22-25+deb9u1.dsc
 1678ea99b973eb77eda4ecf6acae53f1 226817 mail standard procmail_3.22.orig.tar.gz
 7b2168bea67bf9d4cbb1278fa630d1d6 20148 mail standard procmail_3.22-25+deb9u1.debian.tar.xz
 c3d8efc6dc9eac9c3ca0b3a48c44e73c 3983 mail standard procmail_3.22-25+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE1Uw7+v+wQt44LaXXQc5/C58bizIFAloQylQACgkQQc5/C58b
izIhQwf+PoCH4TP8TA/Okagbl+R2xRzJt9jPioTkZ5HoNTHXaznWNx6OIkikheFV
dr0up/szJuGh7yazL7nyepylWEgs5AgBvmHCt+LJv+EfRrrwG+dOlqBj6bsOkl+r
MOIdiOWNH6VI25dsyLoPEGjlSFDjFuqbWmTeyfyqatIaJEwWTtqvjr9Oy9CJzh8G
OQfEQIW8IagM7T7qik/34dMFGktQdFpDboBZUb2Ztk6EALcUKtPOMHxRfFQZcIgw
NZLic2y84aQfZYwW9Ids6yX6tps36XQnZcLETd3hzCoS55uiOP4DtP4N1WP7hr3/
ejg4+JKEz0F3XIk4LIvtXv9DuwMQjA==
=7OCt
-----END PGP SIGNATURE-----

Message #50 received at 876511-close@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@debian.org>

To: 876511-close@bugs.debian.org

Subject: Bug#876511: fixed in procmail 3.22-24+deb8u1

Date: Sun, 19 Nov 2017 22:47:46 +0000

Source: procmail
Source-Version: 3.22-24+deb8u1

We believe that the bug you reported is fixed in the latest version of
procmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876511@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated procmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 19 Nov 2017 01:05:26 +0100
Source: procmail
Binary: procmail
Architecture: source
Version: 3.22-24+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
 procmail   - Versatile e-mail processor
Closes: 876511
Changes:
 procmail (3.22-24+deb8u1) jessie-security; urgency=high
 .
   * Fix buffer overflow in loadbuf(). Closes: #876511.
     Reported by Jakub Wilk using American Fuzzy Lop.
     For reference, this is CVE-2017-16844.
Checksums-Sha1:
 f9e080b97052103ea1a82f95415af0629b9a9aab 1333 procmail_3.22-24+deb8u1.dsc
 cd4e44c15559816453fd60349e5a32289f6f2965 226817 procmail_3.22.orig.tar.gz
 86463dccbb441a0ce3eb4ca59210fa27c1adde67 20092 procmail_3.22-24+deb8u1.debian.tar.xz
Checksums-Sha256:
 b8abb10db29e82fa3813a98e0f1b8a0a6dba93e5f99f9cabdb07381371585c94 1333 procmail_3.22-24+deb8u1.dsc
 087c75b34dd33d8b9df5afe9e42801c9395f4bf373a784d9bc97153b0062e117 226817 procmail_3.22.orig.tar.gz
 9c0e8394c03054a15d03a165c11bd8b4043405c7f5113bcad7c4074363208512 20092 procmail_3.22-24+deb8u1.debian.tar.xz
Files:
 9ef181683b1b3889b0c3c2f031e0a1bf 1333 mail standard procmail_3.22-24+deb8u1.dsc
 1678ea99b973eb77eda4ecf6acae53f1 226817 mail standard procmail_3.22.orig.tar.gz
 ac822eb2a88dc5e2d73d19ab008ff7d9 20092 mail standard procmail_3.22-24+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJaEMruAAoJEEHOfwufG4sygGsH/jWOs5yyypIWl3TwJcKTAt7w
Y3DTmvEtCYz8n7meonBZtwXlGScm1oPptdKlpOxKgfQrfafauizS0zgkzVyK1zPM
2oGwT4g+KaSYlnidekFMcL1IFvBapemfYovhDb6iKkxlkgR+JAUdjK1uD8Dk+kXq
NRqFygqU/O0QIQPwLNXcem4Eqc7R/4HEFD1eHydmYNaF4ctWI5lrHf27dLTijgbw
tjJWkFZw5Ux19QbDpHXSnkbh+zm/ePADV9statIDXhogCp4O4kKRYsm5ETxjHqdm
DbIGxlsRIqF8XrX5XWwTTG2my86cah+5qJzci8gjOcPBsV5QFksfDLzAlkvCxAk=
=LMD2
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.