icoutils: CVE-2017-5208: exploitable crash in wrestool

Related Vulnerabilities: CVE-2017-5208  

Debian Bug report logs - #850017

Package: icoutils; Maintainer for icoutils is Colin Watson <cjwatson@debian.org>; Source for icoutils is src:icoutils.

Reported by: Choongwoo Han <cwhan.tunz@gmail.com>

Date: Tue, 3 Jan 2017 08:15:02 UTC

Severity: grave

Tags: security, upstream

Found in version icoutils/0.31.0-2

Fixed in versions icoutils/0.31.0-4, icoutils/0.31.0-2+deb8u1, icoutils/0.31.1-1

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.

Forwarded to Frank Richter <frank.richter@gmail.com>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#850017; Package icoutils. (Tue, 03 Jan 2017 08:15:05 GMT)


Acknowledgement sent to Choongwoo Han <cwhan.tunz@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>. (Tue, 03 Jan 2017 08:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Choongwoo Han <cwhan.tunz@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Exploitable crash in wrestool
Date: Thu, 29 Dec 2016 03:55:33 -0500
[Message part 1 (text/plain, inline)]
Package: icoutils
Version: 0.31.0-2
Severity: grave
Tags: security upstream

Calling ``wrestool -x [filename]`` with the attached file
causes an exploitable crash. We can control a register and the control flow.

-----------------------------------------
Reading symbols from wrestool...(no debugging symbols found)...done.
(gdb) r
Starting program: /usr/bin/wrestool -x ./test2

Program received signal SIGSEGV, Segmentation fault.
0xb7f3d1f6 in _IO_old_file_close_it (fp=fp@entry=0x8054860)
    at oldfileops.c:155
(gdb) x/i $pc
=> 0xb7f3d1f6 <_IO_old_file_close_it+198>:	call   *0x44(%eax)
(gdb) i r eax
eax            0x41414141	1094795585
(gdb) bt
#0  0xb7f3d1f6 in _IO_old_file_close_it (fp=fp@entry=0x8054860)
    at oldfileops.c:155
#1  0xb7f3b998 in _IO_old_fclose (fp=fp@entry=0x8054860) at oldiofclose.c:55
#2  0xb7e78cc8 in _IO_new_fclose (fp=0x8054860) at iofclose.c:50
#3  0x0804940c in ?? ()
#4  0xb7e2fa63 in __libc_start_main (main=0x8048df0, argc=3, 
    argv=0xbffff4c4, init=0x804e770, fini=0x804e7e0, 
    rtld_fini=0xb7fedc50 <_dl_fini>, stack_end=0xbffff4bc)
    at libc-start.c:287
#5  0x080496f0 in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 9302] will be killed.

Quit anyway? (y or n) 
-------------------------------------------


-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages icoutils depends on:
ii  libc6        2.19-18+deb8u6
ii  libpng12-0   1.2.50-2+deb8u2
ii  libwww-perl  6.08-1
ii  perl         5.20.2-3+deb8u6
ii  zlib1g       1:1.2.8.dfsg-2+b1

icoutils recommends no packages.

Versions of packages icoutils suggests:
pn  libterm-readline-gnu-perl | libterm-readline-perl-perl  <none>

-- no debconf information
[crash.zip (application/zip, attachment)]

Reply sent to Colin Watson <cjwatson@debian.org>:
You have marked Bug as forwarded. (Sat, 07 Jan 2017 15:45:06 GMT)


Message #8 received at 850017-forwarded@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Frank Richter <frank.richter@gmail.com>
Cc: 850017-forwarded@bugs.debian.org
Subject: [cwhan.tunz@gmail.com: Bug#850017: Exploitable crash in wrestool]
Date: Sat, 7 Jan 2017 15:42:35 +0000
[Message part 1 (text/plain, inline)]
Hi,

Here's a security vulnerability reported to me via the Debian bug
tracking system.  I've also attached a patch that fixes the bug in the
offset checking code that allowed this.  Could you please review it?

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
[0001-Fix-check_offset-overflow-on-64-bit-systems.patch (text/x-diff, attachment)]

Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sat, 07 Jan 2017 16:09:05 GMT)


Notification sent to Choongwoo Han <cwhan.tunz@gmail.com>:
Bug acknowledged by developer. (Sat, 07 Jan 2017 16:09:05 GMT)


Message #13 received at 850017-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 850017-close@bugs.debian.org
Subject: Bug#850017: fixed in icoutils 0.31.0-4
Date: Sat, 07 Jan 2017 16:03:58 +0000
Source: icoutils
Source-Version: 0.31.0-4

We believe that the bug you reported is fixed in the latest version of
icoutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850017@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated icoutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 07 Jan 2017 15:46:30 +0000
Source: icoutils
Binary: icoutils
Architecture: source
Version: 0.31.0-4
Distribution: unstable
Urgency: high
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 icoutils   - Create and extract MS Windows icons and cursors
Closes: 850017
Changes:
 icoutils (0.31.0-4) unstable; urgency=high
 .
   * Fix check_offset overflow on 64-bit systems (reported by Choongwoo Han;
     closes: #850017).




Marked as fixed in versions icoutils/0.31.0-2+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 09 Jan 2017 05:48:02 GMT)


Message sent on to Choongwoo Han <cwhan.tunz@gmail.com>:
Bug#850017. (Mon, 09 Jan 2017 05:48:05 GMT)


Message #18 received at 850017-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 850017-submitter@bugs.debian.org
Subject: closing 850017
Date: Mon, 09 Jan 2017 06:45:58 +0100
close 850017 0.31.0-2+deb8u1
thanks




Changed Bug title to 'icoutils: CVE-2017-5208: exploitable crash in wrestool' from 'Exploitable crash in wrestool'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 09 Jan 2017 05:57:03 GMT)


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Mon, 09 Jan 2017 18:57:22 GMT)


Notification sent to Choongwoo Han <cwhan.tunz@gmail.com>:
Bug acknowledged by developer. (Mon, 09 Jan 2017 18:57:22 GMT)


Message #25 received at 850017-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 850017-close@bugs.debian.org
Subject: Bug#850017: fixed in icoutils 0.31.1-1
Date: Mon, 09 Jan 2017 18:48:44 +0000
Source: icoutils
Source-Version: 0.31.1-1

We believe that the bug you reported is fixed in the latest version of
icoutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850017@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated icoutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 09 Jan 2017 18:31:05 +0000
Source: icoutils
Binary: icoutils
Architecture: source
Version: 0.31.1-1
Distribution: unstable
Urgency: high
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 icoutils   - Create and extract MS Windows icons and cursors
Closes: 850017
Changes:
 icoutils (0.31.1-1) unstable; urgency=high
 .
   * New upstream release.
     - CVE-2017-5208: Further fixes for uses of unallocated memory in
       wrestool (closes: #850017).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 May 2017 07:26:24 GMT)
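
The 0.31.0-4 changelog in this log describes the fix only as a check_offset overflow on 64-bit systems, and the patch itself is not reproduced on this page. As an added illustration of that bug class (not icoutils code and not the maintainer's patch; the function names, the sample addresses and the assumed narrowing to 32 bits are all constructed), this compares a range check that truncates its arithmetic with one that cannot wrap:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not icoutils code. Addresses are plain uint64_t values,
 * so the arithmetic is well defined and gives the same result on any host. */

/* Weak form: the needed extent is narrowed to 32 bits before the comparison.
 * A pointer 4 GiB past the buffer loses its high bits and looks in range. */
static bool in_range_truncating(uint64_t base, int32_t total,
                                uint64_t ptr, int32_t size)
{
    uint64_t need64 = ptr - base + (uint64_t)(int64_t)size;
    int32_t need = (int32_t)(uint32_t)need64;   /* high 32 bits discarded */
    return need >= 0 && need <= total;
}

/* Hardened form: full-width unsigned arithmetic, and the size is compared
 * against the space that remains instead of being added to the offset. */
static bool in_range_checked(uint64_t base, uint64_t total,
                             uint64_t ptr, uint64_t size)
{
    if (ptr < base)
        return false;               /* points before the mapped file */
    uint64_t off = ptr - base;
    if (off > total)
        return false;               /* starts past the end */
    return size <= total - off;     /* subtraction cannot wrap here */
}

int main(void)
{
    const uint64_t base = 0x10000000u, total = 1024;   /* constructed values */
    const uint64_t far = base + 0x100000010ull;        /* 4 GiB + 16 past base */

    printf("truncating check accepts far pointer: %d\n",
           in_range_truncating(base, (int32_t)total, far, 16));
    printf("checked form accepts far pointer:     %d\n",
           in_range_checked(base, total, far, 16));
    printf("checked form accepts last 16 bytes:   %d\n",
           in_range_checked(base, total, base + 1008, 16));
    return 0;
}
```
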




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:16:43 2019; Machine Name: buxtehude
