advancecomp: CVE-2018-1056: heap buffer overflow while running advzip

Related Vulnerabilities: CVE-2018-1056  

Debian Bug report logs - #889270


Reported by: Joonun Jang <joonun.jang@gmail.com>

Date: Sat, 3 Feb 2018 07:33:46 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions advancecomp/2.0-1, advancecomp/1.19-1

Fixed in version advancecomp/2.1-1

Done: Piotr Ożarowski <piotr@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/advancemame/bugs/259/



Report forwarded to debian-bugs-dist@lists.debian.org, joonun.jang@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#889270; Package advancecomp. (Sat, 03 Feb 2018 07:33:48 GMT)


Acknowledgement sent to Joonun Jang <joonun.jang@gmail.com>:
New Bug report received and forwarded. Copy sent to joonun.jang@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Piotr Ożarowski <piotr@debian.org>. (Sat, 03 Feb 2018 07:33:48 GMT)


Message #5 received at submit@bugs.debian.org:

From: Joonun Jang <joonun.jang@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: advancecomp: heap buffer overflow while running advzip
Date: Sat, 03 Feb 2018 16:26:47 +0900
Package: advancecomp
Version: 2.0-1
Severity: important
Tags: security

heap buffer overflow running advzip with "-l poc" option

Running 'advzip -l poc' with the attached file raises a heap buffer overflow,
which may allow a remote attacker to cause an unspecified impact, including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:

june@june:~/temp/report/advzip/00030552$ ../../binary/advancecomp-2.0/advzip -l ./poc
=================================================================
==9858==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000effd at pc 0x7ffff6e9af7f bp 0x7fffffffd6c0 sp 0x7fffffffce70
READ of size 2020 at 0x60600000effd thread T0
    #0 0x7ffff6e9af7e  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
    #1 0x555555579c2a in zip_entry::load_cent(unsigned char const*, unsigned int&) /home/june/temp/report/binary/advancecomp-2.0/zip.cc:722
    #2 0x55555557b56f in zip::open() /home/june/temp/report/binary/advancecomp-2.0/zip.cc:867
    #3 0x55555556e7a6 in list_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:122
    #4 0x55555556f8b2 in list_all(int, char**, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:261
    #5 0x55555557214c in process(int, char**) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:613
    #6 0x555555572446 in main /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:623
    #7 0x7ffff60082b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #8 0x55555556daf9 in _start (/home/june/temp/report/binary/advancecomp-2.0/advzip+0x19af9)

0x60600000effd is located 0 bytes to the right of 61-byte region [0x60600000efc0,0x60600000effd)
allocated by thread T0 here:
    #0 0x7ffff6effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x555555583a4a in data_alloc(unsigned int) /home/june/temp/report/binary/advancecomp-2.0/data.cc:51
    #2 0x555555573af2 in cent_read(_IO_FILE*, unsigned int, unsigned char*&, unsigned int&) /home/june/temp/report/binary/advancecomp-2.0/zip.cc:113
    #3 0x55555557b3c5 in zip::open() /home/june/temp/report/binary/advancecomp-2.0/zip.cc:847
    #4 0x55555556e7a6 in list_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:122
    #5 0x55555556f8b2 in list_all(int, char**, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:261
    #6 0x55555557214c in process(int, char**) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:613
    #7 0x555555572446 in main /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:623
    #8 0x7ffff60082b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9df0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00[05]
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9858==ABORTING

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages advancecomp depends on:
ii  libc6       2.24-11+deb9u1
ii  libgcc1     1:6.3.0-18
ii  libstdc++6  6.3.0-18
ii  zlib1g      1:1.2.8.dfsg-5

advancecomp recommends no packages.

advancecomp suggests no packages.

-- no debconf information
[poc (application/zip, attachment)]
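The trace above shows zip_entry::load_cent reading 2020 bytes out of a 61-byte central-directory buffer allocated by cent_read, which is consistent with a length field taken from the file being used without checking it against the bytes actually read. As an added illustration (not advancecomp's code and not the upstream v2.1 fix), the parser below handles one ZIP central directory entry and rejects any declared length that does not fit the buffer; load_cent_checked and check_entry are hypothetical names, and the entries it parses are constructed here rather than taken from the attached poc.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ZIP central directory file header (from the ZIP specification): a 46-byte
 * fixed part starting with signature 0x02014b50, followed by the file name,
 * extra field and comment, whose lengths sit at offsets 28, 30 and 32. */
#define CENT_SIG   0x02014b50u
#define CENT_FIXED 46u

struct cent_entry {
    uint16_t name_len, extra_len, comment_len;
    const unsigned char *name;   /* points into the caller's buffer */
};

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const unsigned char *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Parse one entry at buf[*pos]. Every length the file declares is checked
 * against the bytes actually left in `size` before anything past the fixed
 * part is touched, so a lying header yields -1 instead of an over-read. */
int load_cent_checked(const unsigned char *buf, size_t size, size_t *pos,
                      struct cent_entry *e)
{
    size_t p = *pos;
    if (p > size || size - p < CENT_FIXED) return -1;   /* fixed part fits? */
    if (le32(buf + p) != CENT_SIG) return -1;
    e->name_len    = le16(buf + p + 28);
    e->extra_len   = le16(buf + p + 30);
    e->comment_len = le16(buf + p + 32);
    size_t var = (size_t)e->name_len + e->extra_len + e->comment_len;
    if (var > size - p - CENT_FIXED) return -1;         /* variable part fits? */
    e->name = buf + p + CENT_FIXED;
    *pos = p + CENT_FIXED + var;
    return 0;
}

/* Constructed input (not the attached poc): an entry carrying `name` but with
 * the name-length field set to `claimed`, parsed as if only `avail` bytes of
 * the directory had been read. Returns -1 if rejected, else the next offset. */
int check_entry(const char *name, uint16_t claimed, size_t avail)
{
    unsigned char buf[128] = {0};
    size_t n = strlen(name), pos = 0;
    struct cent_entry e;
    buf[0] = 0x50; buf[1] = 0x4b; buf[2] = 0x01; buf[3] = 0x02;
    buf[28] = (unsigned char)claimed; buf[29] = (unsigned char)(claimed >> 8);
    memcpy(buf + CENT_FIXED, name, n);
    return load_cent_checked(buf, avail, &pos, &e) ? -1 : (int)pos;
}
```

A 61-byte buffer whose header honestly declares a 15-byte name parses to offset 61; the same buffer declaring 2020 bytes, or a buffer shorter than the fixed 46-byte part, is rejected before any read past the end.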

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Feb 2018 05:39:06 GMT)


Changed Bug title to 'advancecomp: CVE-2018-1056: heap buffer overflow while running advzip' from 'advancecomp: heap buffer overflow while running advzip'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Feb 2018 06:57:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#889270; Package advancecomp. (Sat, 10 Feb 2018 21:21:09 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Sat, 10 Feb 2018 21:21:09 GMT)


Message #14 received at 889270@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 889270@bugs.debian.org
Subject: Re: advancecomp: heap buffer overflow while running advzip
Date: Sat, 10 Feb 2018 22:16:44 +0100
Control: forwarded -1 https://sourceforge.net/p/advancemame/bugs/259/

I have forwarded this issue to the upstream bug tracker at sourceforge.net.



Set Bug forwarded-to-address to 'https://sourceforge.net/p/advancemame/bugs/259/'. Request was from Markus Koschany <apo@debian.org> to 889270-submit@bugs.debian.org. (Sat, 10 Feb 2018 21:21:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#889270; Package advancecomp. (Sun, 11 Feb 2018 20:30:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Sun, 11 Feb 2018 20:30:11 GMT)


Message #21 received at 889270@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 889270@bugs.debian.org
Subject: Re: Bug#889270: advancecomp: heap buffer overflow while running advzip
Date: Sun, 11 Feb 2018 21:27:53 +0100
Control: found -1 1.19-1

Hi

The issue is as well present back to version 1.19-1.

Regards,
Salvatore



Marked as found in versions advancecomp/1.19-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 889270-submit@bugs.debian.org. (Sun, 11 Feb 2018 20:30:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Ożarowski <piotr@debian.org>:
Bug#889270; Package advancecomp. (Tue, 13 Feb 2018 06:12:03 GMT)


Acknowledgement sent to Andrea Mazzoleni <amadvance@gmail.com>:
Extra info received and forwarded to list. Copy sent to Piotr Ożarowski <piotr@debian.org>. (Tue, 13 Feb 2018 06:12:03 GMT)


Message #28 received at 889270@bugs.debian.org:

From: Andrea Mazzoleni <amadvance@gmail.com>
To: 889270@bugs.debian.org
Subject: Re: advancecomp: heap buffer overflow while running advzip
Date: Tue, 13 Feb 2018 07:09:06 +0100
Hi,

This issue has been fixed in AdvanceCOMP v2.1

https://github.com/amadvance/advancecomp/releases/tag/v2.1

Thanks for reporting!

Ciao,
Andrea Mazzoleni

Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Feb 2018 06:48:03 GMT)


Reply sent to Piotr Ożarowski <piotr@debian.org>:
You have taken responsibility. (Tue, 13 Feb 2018 09:36:06 GMT)


Notification sent to Joonun Jang <joonun.jang@gmail.com>:
Bug acknowledged by developer. (Tue, 13 Feb 2018 09:36:06 GMT)


Message #35 received at 889270-close@bugs.debian.org:

From: Piotr Ożarowski <piotr@debian.org>
To: 889270-close@bugs.debian.org
Subject: Bug#889270: fixed in advancecomp 2.1-1
Date: Tue, 13 Feb 2018 09:34:28 +0000
Source: advancecomp
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
advancecomp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889270@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Ożarowski <piotr@debian.org> (supplier of updated advancecomp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 13 Feb 2018 09:40:50 +0100
Source: advancecomp
Binary: advancecomp
Architecture: source amd64
Version: 2.1-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <piotr@debian.org>
Changed-By: Piotr Ożarowski <piotr@debian.org>
Description:
 advancecomp - collection of recompression utilities
Closes: 889270
Changes:
 advancecomp (2.1-1) unstable; urgency=high
 .
   * New upstream release
     - fixes CVE-2018-1056 (heap buffer overflow while running advzip)
       closes: 889270
   * Standards-version bumped to 4.1.3 (no other changes needed)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 May 2018 07:31:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:56:29 2019; Machine Name: beach
