Description:
desktop-file-utils is command line set of utilities to work with desktop menu entries
A fuzz against desktop-file-utils binary revealed that there was an heap overflow.
The complete ASan output:
# desktop-file-validate crafted.desktop ================================================================= ==29796==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e843 at pc 0x0000004dda86 bp 0x7ffe7c643bd0 sp 0x7ffe7c643bc8 READ of size 1 at 0x60300000e843 thread T0 #0 0x4dda85 in handle_exec_key /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:1229:10 #1 0x4da3b6 in validate_known_key /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:2248:12 #2 0x4d9671 in validate_action_key /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:2284:10 #3 0x4d9671 in validate_keys_for_current_group /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:2376 #4 0x4d3c78 in validate_flush_parse_buffer /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:2945:5 #5 0x4d3c78 in validate_parse_from_fd /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:2993 #6 0x4d3c78 in validate_load_and_parse /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:3011 #7 0x4d3c78 in desktop_file_validate /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:3078 #8 0x4e5302 in main /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validator.c:81:17 #9 0x7f0e05f6f854 in __libc_start_main /tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289 #10 0x4191f8 in _init (/usr/bin/desktop-file-validate+0x4191f8) 0x60300000e843 is located 0 bytes to the right of 19-byte region [0x60300000e830,0x60300000e843) allocated by thread T0 here: #0 0x4a7f4b in malloc /var/tmp/portage/sys-devel/llvm-3.7.1/work/llvm-3.7.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3 #1 0x7f0e06f2a653 in g_malloc /tmp/portage/dev-libs/glib-2.44.1-r1/work/glib-2.44.1/glib/gmem.c:97:13 SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:1229:10 in handle_exec_key Shadow bytes around the buggy address: 0x0c067fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9cf0: fa fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa =>0x0c067fff9d00: 00 00 00 03 fa fa 00 00[03]fa fa fa fd fd fd fa 0x0c067fff9d10: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd 0x0c067fff9d20: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa 0x0c067fff9d30: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd 0x0c067fff9d40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd 0x0c067fff9d50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==29796==ABORTING
Affected version:
All, tested on 0.22
Fixed version:
0.23
Commit fix:
https://cgit.freedesktop.org/xdg/desktop-file-utils/commit/?id=cddcd6612b66cb3963920b5f2734850a217d7020
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-02-16: bug discovered
2016-02-16: downstream report (Gentoo)
2016-02-26: upstream report
2016-02-29: upstream released a fix
2016-08-01: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
desktop-file-utils: desktop-file-validate: heap-based buffer overflow in validate.c