libplist: CVE-2017-7982: denial of service (heap-based buffer over-read and application crash) via a crafted plist file

Related Vulnerabilities: CVE-2017-7982, CVE-2017-6440

Debian Bug report logs - #860945

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 22 Apr 2017 11:03:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version libplist/1.12+git+1+e37ca00-0.2

Fixed in version libplist/1.12+git+1+e37ca00-0.3

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/libimobiledevice/libplist/issues/103


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>:
Bug#860945; Package src:libplist. (Sat, 22 Apr 2017 11:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>. (Sat, 22 Apr 2017 11:03:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libplist: CVE-2017-7982: denial of service (heap-based buffer over-read and application crash) via a crafted plist file
Date: Sat, 22 Apr 2017 12:58:13 +0200
Source: libplist
Version: 1.12+git+1+e37ca00-0.2
Severity: important
Tags: patch upstream security
Forwarded: https://github.com/libimobiledevice/libplist/issues/103

Hi,

the following vulnerability was published for libplist.

CVE-2017-7982[0]:
| Integer overflow in the plist_from_bin function in bplist.c in
| libimobiledevice/libplist before 2017-04-19 allows remote attackers to
| cause a denial of service (heap-based buffer over-read and application
| crash) via a crafted plist file.

Reproducible to verify a fix with an ASAN build on i386:

# ASAN_OPTIONS="detect_leaks=0" ./tools/plistutil -i /root/bplist_c_733.txt
=================================================================
==18545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb53018c8 at pc 0x800d9181 bp 0xbfe441d8 sp 0xbfe441cc
READ of size 8 at 0xb53018c8 thread T0
    #0 0x800d9180 in parse_bin_node_at_index /root/libplist-1.12+git+1+e37ca00/src/bplist.c:733
    #1 0x800da0d1 in plist_from_bin /root/libplist-1.12+git+1+e37ca00/src/bplist.c:857
    #2 0x800c9db5 in main /root/libplist-1.12+git+1+e37ca00/tools/plistutil.c:150
    #3 0xb6feb275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #4 0x800c9280  (/root/libplist-1.12+git+1+e37ca00/tools/plistutil+0x2280)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libplist-1.12+git+1+e37ca00/src/bplist.c:733 in parse_bin_node_at_index
Shadow bytes around the buggy address:
  0x36a602c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a602d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a602e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a602f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 05 fa
  0x36a60300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a60310: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x36a60320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a60360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18545==ABORTING

The issue is, AFAICT, "covered" for previous versions due to
dccd9290745345896e3a4a73154576a599fd8b7b, which is CVE-2017-6440 (no-dsa in
jessie)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7982
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7982
[1] https://github.com/libimobiledevice/libplist/issues/103
[2] https://github.com/libimobiledevice/libplist/commit/fdebf8b319b9280cd0e9b4382f2c7cbf26ef9325

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
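The bug class behind this report, as an added illustration that is not libplist's code: a binary plist trailer says how many objects the file holds, how wide each offset-table entry is, and where the offset table starts, and the parser must check that the table fits inside the buffer before walking it. The struct below is an assumed, simplified view of those trailer fields; the two checks are written for this example, with the naive one emulating the 32-bit size arithmetic of the i386 reproducer so the wrap is visible.

```c
/* Added example: overflow-safe bounds check for a bplist offset table.
 * If offset_table_offset + num_objects * offset_size wraps around, a naive
 * check believes the table fits and the parser later reads past the buffer
 * (the heap over-read reported above). Not libplist's own code. */
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified view of the trailer fields the check needs. */
struct bplist_trailer {
    uint8_t  offset_size;          /* bytes per offset-table entry (1..8) */
    uint64_t num_objects;          /* number of objects in the file */
    uint64_t offset_table_offset;  /* byte position of the offset table */
};

/* Naive check with 32-bit size arithmetic (as on i386): the product and
 * the sum can wrap, so an absurd num_objects still "fits". Returns 1 = fits. */
int trailer_fits_naive32(const struct bplist_trailer *t, uint32_t file_len)
{
    uint32_t table_size = (uint32_t)t->num_objects * t->offset_size;    /* may wrap */
    uint32_t table_end  = (uint32_t)t->offset_table_offset + table_size; /* may wrap */
    return t->offset_table_offset < file_len && table_end <= file_len;
}

/* Hardened check: no intermediate value can exceed file_len, so nothing
 * can wrap. Rejects the table unless every entry lies inside the file. */
int trailer_fits_safe(const struct bplist_trailer *t, uint64_t file_len)
{
    if (t->offset_size < 1 || t->offset_size > 8)
        return 0;
    if (t->offset_table_offset >= file_len)
        return 0;
    uint64_t room = file_len - t->offset_table_offset; /* bytes after table start */
    /* num_objects * offset_size <= room  <=>  num_objects <= room / offset_size,
     * evaluated with a division so the product is never formed. */
    return t->num_objects <= room / t->offset_size;
}

int main(void)
{
    /* Constructed trailer: 0x40000001 entries * 4 bytes wraps to 4 in 32 bits. */
    struct bplist_trailer bad = { .offset_size = 4, .num_objects = 0x40000001ULL,
                                  .offset_table_offset = 8 };
    uint32_t file_len = 64;
    printf("naive check accepts: %d\n", trailer_fits_naive32(&bad, file_len)); /* 1 */
    printf("safe  check accepts: %d\n", trailer_fits_safe(&bad, file_len));    /* 0 */
    return 0;
}
```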



Information forwarded to debian-bugs-dist@lists.debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>:
Bug#860945; Package src:libplist. (Sat, 22 Apr 2017 13:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>. (Sat, 22 Apr 2017 13:33:03 GMT) (full text, mbox, link).


Message #10 received at 860945@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 860945@bugs.debian.org
Subject: libplist: diff for NMU version 1.12+git+1+e37ca00-0.3
Date: Sat, 22 Apr 2017 15:30:57 +0200
[Message part 1 (text/plain, inline)]
Control: tags 860945 + pending

Dear maintainer,

I've prepared an NMU for libplist (versioned as 1.12+git+1+e37ca00-0.3) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer, or if -- unless you want to do an own update
obviously -- I can reschedule it earlier.

Regards,
Salvatore
[libplist-1.12+git+1+e37ca00-0.3-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 860945-submit@bugs.debian.org. (Sat, 22 Apr 2017 13:33:03 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 27 Apr 2017 17:33:06 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 02 May 2017 14:57:10 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 02 May 2017 14:57:10 GMT) (full text, mbox, link).


Message #19 received at 860945-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 860945-close@bugs.debian.org
Subject: Bug#860945: fixed in libplist 1.12+git+1+e37ca00-0.3
Date: Tue, 02 May 2017 14:55:27 +0000
Source: libplist
Source-Version: 1.12+git+1+e37ca00-0.3

We believe that the bug you reported is fixed in the latest version of
libplist, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860945@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libplist package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 22 Apr 2017 15:20:37 +0200
Source: libplist
Binary: libplist3 libplist++3v5 libplist-dev libplist++-dev libplist-dbg python-plist libplist-utils libplist-doc
Architecture: all source
Version: 1.12+git+1+e37ca00-0.3
Distribution: unstable
Urgency: high
Maintainer: gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 860945
Description: 
 libplist++-dev - Library for handling Apple binary and XML property lists
 libplist++3v5 - Library for handling Apple binary and XML property lists
 libplist-dbg - Library for handling Apple binary and XML property lists
 libplist-dev - Library for handling Apple binary and XML property lists
 libplist-doc - Library for handling Apple binary and XML property lists - docs
 libplist-utils - Apple property list converter
 libplist3  - Library for handling Apple binary and XML property lists
 python-plist - Library for handling Apple binary and XML property lists
Changes:
 libplist (1.12+git+1+e37ca00-0.3) unstable; urgency=high
 .
   * Non-maintainer upload.
   * bplist: Fix integer overflow check (offset table size) (CVE-2017-7982)
     (Closes: #860945)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 Jun 2017 07:26:16 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:00:39 2019; Machine Name: buxtehude