pax-utils is a set of tools that check files for security relevant properties.
A fuzz on scanelf exposed an out-of bound read. It was reported to vapier which fixed the issue immediately.
Unfortunately I can’t get a symbolized ASan stacktrace, so I will show only the useful part of both asan and gdb.
# scanelf -s '*' -axetrnibSDIYZB $FILE ==32758==ERROR: AddressSanitizer: unknown-crash on address 0x7f8f9fa252dc at pc 0x00000053c6a0 bp 0x7ffe93a19910 sp 0x7ffe93a19908 READ of size 4 at 0x7f8f9fa252dc thread T0 #0 0x53c69f (/usr/bin/scanelf+0x53c69f) #1 0x51d649 (/usr/bin/scanelf+0x51d649) #2 0x51b97e (/usr/bin/scanelf+0x51b97e) #3 0x51ad43 (/usr/bin/scanelf+0x51ad43) #4 0x51922e (/usr/bin/scanelf+0x51922e) #5 0x7f8f9e7fd61f (/lib64/libc.so.6+0x2061f) #6 0x41a008 (/usr/bin/scanelf+0x41a008) (gdb) bt #8 0x000000000053c6a0 in scanelf_file_get_symtabs (elf=, sym=0x7fffffffcc00, str=0x7fffffffcc20) at scanelf.c:357 #9 0x000000000051d64a in scanelf_file_sym (elf=0x60700000de60, found_sym=) at scanelf.c:1327 #10 scanelf_elfobj (elf=) at scanelf.c:1547 #11 0x000000000051b97f in scanelf_elf (filename=0x7fffffffe50e "1.crashes", fd=, len=) at scanelf.c:1612 #12 scanelf_fileat (dir_fd=, filename=, st_cache=) at scanelf.c:1679 #13 0x000000000051ad44 in scanelf_dirat (dir_fd=, path=) at scanelf.c:1713 #14 0x000000000051922f in scanelf_dir (path=) at scanelf.c:1763 #15 parseargs (argc=5, argv=0x7fffffffe258) at scanelf.c:2273 #16 main (argc=5, argv=) at scanelf.c:2361
This bug was discovered by Agostino Sarubbo of Gentoo.
2017-01-23: bug discovered and reported to upstream
2017-01-24: upstream realeased a patch and 1.2.1
2017-02-01: blog post about the issue
This bug was found with American Fuzzy Lop.
I’d suggest to go to 1.2.2 because of a functionality bug(s) in 1.2.1