Description:
ytnef is Yeraze’s TNEF Stream Reader – for winmail.dat files.
The complete ASan output of the issue:
# ytnefprint $FILE
==12467==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f59364c62b6 bp 0x7ffe1b8d4af0 sp 0x7ffe1b8d4278 T0)
==12467==The signal is caused by a READ memory access.
==12467==Hint: address points to the zero page.
#0 0x7f59364c62b5 in strlen /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/string/../sysdeps/x86_64/strlen.S:76
#1 0x43e99c in __interceptor_strlen.part.31 /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:282
#2 0x7f593734a162 in MAPIPrint /tmp/ytnef-1.9.2/lib/ytnef.c:1437:15
#3 0x508f50 in PrintTNEF /tmp/ytnef-1.9.2/ytnefprint/main.c:169:5
#4 0x50882e in main /tmp/ytnef-1.9.2/ytnefprint/main.c:84:5
#5 0x7f593646878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#6 0x419c38 in _start (/usr/bin/ytnefprint+0x419c38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/string/../sysdeps/x86_64/strlen.S:76 in strlen
==12467==ABORTING
Affected version:
1.9.2
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-9470
Reproducer:
https://github.com/asarubbo/poc/blob/master/00241-ytnef-nullptr-MAPIPrint
Timeline:
2017-03-27: bug discovered and reported to upstream
2017-05-24: blog post about the issue
2017-06-07: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink:
Pingback: CVE-2017-9470 – 安百科技