WiRouterKeyRec: signed shift in agpf_check_agpf (agpf.c)

Description:
WiRouterKeyRec is a WPA passphrase recovery tool.

A crafted AGPF config triggers a signed shift in agpf_check_agpf.

The complete UBSan output:

# WiRouterKeyRec --config crash.agpf -s Alice-48230959

WiRouter KeyRec 1.1.2 - (C) 2011 Salvatore Fresta
http://www.salvatorefresta.net

src/agpf.c:466:45: runtime error: left shift of 142 by 24 places cannot be represented in type 'int'
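The UBSan message above is the classic byte-to-integer assembly bug: a byte read from the file is promoted to int and shifted by 24, so any value with the top bit set (142 = 0x8e) overflows a 32-bit signed int. The following is an added example, not code from WiRouterKeyRec; the sample bytes and function names are constructed, and it shows the undefined pattern beside its hardened form together with a check for which inputs trigger it.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 4-byte big-endian field whose first byte is 142
 * (0x8e), the value named in the UBSan report. Not taken from a real file. */
static const unsigned char sample[4] = { 0x8e, 0x01, 0x02, 0x03 };

/* Pattern that produces the diagnostic: p[0] is an unsigned char, which
 * integer promotion turns into a (signed) int before the shift, so
 * 142 << 24 exceeds INT_MAX. Build with -fsanitize=undefined to see the
 * "left shift of 142 by 24 places cannot be represented" message. */
uint32_t read_be32_promoted_shift(const unsigned char *p)
{
    return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
}

/* Hardened form: widen each byte to uint32_t before shifting, so every
 * shift happens on an unsigned 32-bit type and is defined for all inputs. */
uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 1 when (int)v << k would not fit in an int, which is exactly the
 * condition UBSan reports. Handy when auditing a parser for this pattern. */
int shift_overflows_int(unsigned v, int k)
{
    if (k < 0 || k >= (int)(sizeof(int) * CHAR_BIT))
        return 1;                       /* the shift count itself is invalid */
    return v > (unsigned)(INT_MAX >> k);
}

int main(void)
{
    printf("hardened : 0x%08" PRIx32 "\n", read_be32(sample));
    printf("142 << 24 overflows int: %d\n", shift_overflows_int(142, 24));
    printf("127 << 24 overflows int: %d\n", shift_overflows_int(127, 24));
    /* The promoted form is undefined on this input; run under UBSan to see it. */
    printf("promoted : 0x%08" PRIx32 "\n", read_be32_promoted_shift(sample));
    return 0;
}
```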

Affected version:
1.1.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-08-08: bug discovered
2016-08-08: bug reported to upstream
2016-08-08: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


libav: heap-based buffer overflow in ff_audio_resample (resample.c)

Description:
Libav is an open source set of tools for audio and video processing.

A crafted file can cause an overflow in the heap. This bug was discovered last year, but I didn't have time to do anything else.
Now, after more digging, I discovered that it was reported independently by nfxjfg on the libav bug tracker.
He triggered the crash with a C program using the libav API; the difference from this crash lies in the size of the out-of-bounds write, which in his case is 4.
In any case, the commit addresses both issues.

The complete ASan output:

# avconv -i $file -f null -
==501==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000b0e0 at pc 0x0000004aab36 bp 0x7ffc0c199fd0 sp 0x7ffc0c199780
WRITE of size 2 at 0x60800000b0e0 thread T0
    #0 0x4aab35 in __asan_memcpy /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435:3
    #1 0x7fb0ce8c7a49 in ff_audio_resample /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavresample/resample.c:444:21
    #2 0x7fb0ce8cfa3e in avresample_convert /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavresample/utils.c:449:15
    #3 0x7fb0d291c8de in request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/af_resample.c:197:15
    #4 0x7fb0d292c578 in ff_request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/avfilter.c:254:16
    #5 0x7fb0d292c648 in ff_request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/avfilter.c:256:16
    #6 0x7fb0d294c6ad in request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/fifo.c:234:20
    #7 0x7fb0d292c578 in ff_request_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/avfilter.c:254:16
    #8 0x7fb0d29414f3 in av_buffersink_get_frame /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavfilter/buffersink.c:69:16
    #9 0x540f19 in poll_filter /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:663:15
    #10 0x540f19 in poll_filters /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:747
    #11 0x538eab in transcode /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:2492:15
    #12 0x538eab in main /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:2646
    #13 0x7fb0cd2e4aa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #14 0x43a5d6 in _start (/usr/bin/avconv+0x43a5d6)

0x60800000b0e0 is located 0 bytes to the right of 64-byte region [0x60800000b0a0,0x60800000b0e0)
allocated by thread T0 here:
    #0 0x4c1f4c in __interceptor_posix_memalign /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:107:3
    #1 0x7fb0ce21aa16 in av_malloc /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavutil/mem.c:81:9
    #2 0x7fb0ce2401ef in av_samples_alloc /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavutil/samplefmt.c:171:11

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/llvm-3.6.1/work/llvm-3.6.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:435 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c107fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff95f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9600: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c107fff9610: fa fa fa fa 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x0c107fff9620: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c107fff9630: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c107fff9640: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c107fff9650: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c107fff9660: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==501==ABORTING

Affected version:
11.3 (and possibly earlier versions)

Fixed version:
11.4

Commit fix:
https://git.libav.org/?p=libav.git;a=commit;h=0ac8ff618c5e6d878c547a8877e714ed728950ce

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
This bug was reported independently and in a different way by nfxjfg in the libav bugtracker.

CVE:
CVE-2016-6832

Timeline:
2015-07-27: bug discovered
2016-08-07: blog post about the issue
2016-08-18: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
This bug does not affect ffmpeg.


WiRouterKeyRec: divide-by-zero in agpf_get_serial (agpf.c)

Description:
WiRouterKeyRec is a WPA passphrase recovery tool.

A crafted AGPF config causes a divide-by-zero in agpf_get_serial.

The complete ASan output:

WiRouterKeyRec --config crash.agpf -s Alice-48230959

WiRouter KeyRec 1.1.2 - (C) 2011 Salvatore Fresta
http://www.salvatorefresta.net

ASAN:DEADLYSIGNAL
=================================================================
==27225==ERROR: AddressSanitizer: FPE on unknown address 0x0000005019fc (pc 0x0000005019fc bp 0x7fffe1f6fbe0 sp 0x7fffe1f6fa00 T0)
    #0 0x5019fb in agpf_get_serial /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:445:20
    #1 0x5019fb in agpf_get_config /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:355
    #2 0x4f510f in wr_get_keys /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/wirouterkeyrec.c:480:28
    #3 0x4f2238 in main /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/wirouterkeyrec.c:307:18
    #4 0x7fdbc7f6161f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x418c28 in getenv (/usr/bin/WiRouterKeyRec+0x418c28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/app-crypt/WiRouterKeyRec-1.1.2/work/WiRouter_KeyRec_1.1.2/src/agpf.c:445:20 in agpf_get_serial
==27225==ABORTING

Affected version:
1.1.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-08-04: bug discovered
2016-08-05: bug reported to upstream
2016-08-05: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


logrotate: heap-based buffer overflow in readConfigFile (config.c)

Description:
logrotate allows for the automatic rotation, compression, removal and mailing of log files. Logrotate can be set to handle a log file daily, weekly, monthly or when the log file reaches a certain size.

A crafted config causes an out-of-bounds read in readConfigFile.

The complete ASan output:

logrotate -d $crafted_file
=================================================================
==809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000df8f at pc 0x00000050b244 bp 0x7ffd4cab50f0 sp 0x7ffd4cab50e8
READ of size 1 at 0x60200000df8f thread T0
    #0 0x50b243 in readConfigFile /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:969:11
    #1 0x4fa61b in readConfigPath /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:578:6
    #2 0x4f99a7 in readAllConfigPaths /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:645:6
    #3 0x4f193e in main /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/logrotate.c:2554:6
    #4 0x7f37cad0662f in __libc_start_main (/lib64/libc.so.6+0x2062f)
    #5 0x436988 in _start (/usr/sbin/logrotate+0x436988)

0x60200000df8f is located 1 bytes to the left of 1-byte region [0x60200000df90,0x60200000df91)
allocated by thread T0 here:
    #0 0x4bd952 in __interceptor_malloc (/usr/sbin/logrotate+0x4bd952)
    #1 0x7f37cad67359 in strndup (/lib64/libc.so.6+0x81359)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-admin/logrotate-3.9.2/work/logrotate-3.9.2/config.c:969 readConfigFile
Shadow bytes around the buggy address:
  0x0c047fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9bf0: fa[fa]01 fa fa fa 00 fa fa fa fd fd fa fa fd fa
  0x0c047fff9c00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9c10: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff9c20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9c30: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff9c40: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==809==ABORTING

Affected version:
3.9.2

Fixed version:
N/A

Commit fix:
https://github.com/logrotate/logrotate/commit/f53ed9c968fe92ba6e50b9b394a891350503469f

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-05-05: bug discovered
2016-05-06: bug reported to upstream (github)
2016-08-03: no upstream response
2016-08-03: blog post about the issue
2016-12-12: upstream added a patch

Note:
This bug was found with American Fuzzy Lop.


syslog-ng: NULL pointer dereference in report_syntax_error (cfg-parser.c)

Description:
syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods: syslog, unstructured text, message queues, databases (SQL and NoSQL alike) and more.

A crafted config crashes the process because of a NULL pointer access.

The complete ASan output:

syslog-ng -s -f $file
ASAN:SIGSEGV
=================================================================
==8120==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7efcda07e49d bp 0x7ffd06c89ef0 sp 0x7ffd06c89980 T0)
    #0 0x7efcda07e49c in report_syntax_error /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250:3
    #1 0x7efcda1adc91 in pragma_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/pragma-grammar.c:3003:9
    #2 0x7efcda0759ba in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
    #3 0x7efcda0759ba in cfg_lexer_lex /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-lexer.c:822
    #4 0x7efcda19b2a7 in main_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-grammar.c:3070:16
    #5 0x7efcda06ac8b in cfg_parser_parse /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/./lib/cfg-parser.h:83:14
    #6 0x7efcda06ac8b in cfg_run_parser /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:420
    #7 0x7efcda06b920 in cfg_read_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg.c:492:13
    #8 0x7efcda101975 in main_loop_read_and_init_config /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/mainloop.c:450:8
    #9 0x4b8eba in main /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/syslog-ng/main.c:258:8
    #10 0x7efcd8feeaa4 in __libc_start_main (/lib64/libc.so.6+0x21aa4)
    #11 0x4b7cdc in _start (/usr/sbin/syslog-ng+0x4b7cdc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-admin/syslog-ng-3.7.3/work/syslog-ng-3.7.3/lib/cfg-parser.c:250 report_syntax_error
==8120==ABORTING

Affected version:
3.7.3

Fixed version:
N/A

Commit fix:
https://github.com/balabit/syslog-ng/pull/1067/commits/a460630d310014fde914d86f6024674653557ec1

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-05-17: bug discovered
2016-05-17: bug reported to upstream
2016-05-27: upstream released a fix
2016-08-02: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


desktop-file-utils: desktop-file-validate: heap-based buffer overflow in validate.c

Description:
desktop-file-utils is a command-line set of utilities for working with desktop menu entries.
Fuzzing the desktop-file-utils binary revealed a heap overflow.

The complete ASan output:

# desktop-file-validate crafted.desktop
=================================================================
==29796==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e843 at pc 0x0000004dda86 bp 0x7ffe7c643bd0 sp 0x7ffe7c643bc8
READ of size 1 at 0x60300000e843 thread T0
    #0 0x4dda85 in handle_exec_key /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:1229:10
    #1 0x4da3b6 in validate_known_key /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:2248:12
    #2 0x4d9671 in validate_action_key /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:2284:10
    #3 0x4d9671 in validate_keys_for_current_group /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:2376
    #4 0x4d3c78 in validate_flush_parse_buffer /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:2945:5
    #5 0x4d3c78 in validate_parse_from_fd /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:2993
    #6 0x4d3c78 in validate_load_and_parse /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:3011
    #7 0x4d3c78 in desktop_file_validate /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:3078
    #8 0x4e5302 in main /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validator.c:81:17
    #9 0x7f0e05f6f854 in __libc_start_main /tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
    #10 0x4191f8 in _init (/usr/bin/desktop-file-validate+0x4191f8)

0x60300000e843 is located 0 bytes to the right of 19-byte region [0x60300000e830,0x60300000e843)
allocated by thread T0 here:
    #0 0x4a7f4b in malloc /var/tmp/portage/sys-devel/llvm-3.7.1/work/llvm-3.7.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x7f0e06f2a653 in g_malloc /tmp/portage/dev-libs/glib-2.44.1-r1/work/glib-2.44.1/glib/gmem.c:97:13

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-util/desktop-file-utils-0.22/work/desktop-file-utils-0.22/src/validate.c:1229:10 in handle_exec_key
Shadow bytes around the buggy address:
  0x0c067fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9cf0: fa fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
=>0x0c067fff9d00: 00 00 00 03 fa fa 00 00[03]fa fa fa fd fd fd fa
  0x0c067fff9d10: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9d20: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff9d30: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c067fff9d40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff9d50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29796==ABORTING

Affected version:
All, tested on 0.22

Fixed version:
0.23

Commit fix:
https://cgit.freedesktop.org/xdg/desktop-file-utils/commit/?id=cddcd6612b66cb3963920b5f2734850a217d7020

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-02-16: bug discovered
2016-02-16: downstream report (Gentoo)
2016-02-26: upstream report
2016-02-29: upstream released a fix
2016-08-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


postgresql: psql: heap-based buffer overflow in gets_fromFile (input.c)

Description:
PostgreSQL is a powerful, open source object-relational database system.
After the blog post by lcamtuf and hanno, I tried to fuzz psql, which is the PostgreSQL interactive terminal.
After making the first contact with the PostgreSQL security contact, they stated that they don't treat it as a security bug, or maybe it is not a security bug at all, because:
1) It is not safe/supposed that you pass untrusted input to psql;
2) The READ of size 1 and the conditions of the bug make it difficult to exploit and eventually cause damage.

The complete ASan output:

~ # psql -U ago -d ago -f query.sql
BEGIN
CREATE SCHEMA
COMMENT
CREATE TABLE
COMMENT
CREATE TABLE
CREATE INDEX
COMMENT
INSERT 0 1
INSERT 0 1
psql:query.sql:38: ERROR:  invalid byte sequence for encoding "UTF8": 0xff
psql:query.sql:39: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:40: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:57: ERROR:  syntax error at or near ""
RIGA 3: jobjclid            int4                 NOT NULL REFERENCE...
                         ^
psql:query.sql:58: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:59: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:66: comando errato \LT
psql:query.sql:74: ERROR:  invalid byte sequence for encoding "UTF8": 0x80
psql:query.sql:75: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:76: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:77: ERROR:  current transaction is aborted, commands ignored until end of transaction block
psql:query.sql:78: ERROR:  current transaction is aborted, commands ignored until end of transaction block
=================================================================
==20648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000084bf at pc 0x000000520685 bp 0x7ffc1e04f410 sp 0x7ffc1e04f408
READ of size 1 at 0x6110000084bf thread T0
    #0 0x520684 in gets_fromFile /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/input.c:221:7
    #1 0x52cbfc in MainLoop /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/mainloop.c:140:11
    #2 0x506cf7 in process_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/command.c:2249:11
    #3 0x566dcd in main /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:296:19
    #4 0x7f6365eac61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x41b2d8 in _init (/usr/lib64/postgresql-9.5/bin/psql+0x41b2d8)

0x6110000084bf is located 1 bytes to the left of 256-byte region [0x6110000084c0,0x6110000085c0)
allocated by thread T0 here:
    #0 0x4c2828 in malloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f636705274e in initPQExpBuffer /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/interfaces/libpq/pqexpbuffer.c:91:23
    #2 0x7f636705274e in createPQExpBuffer /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/interfaces/libpq/pqexpbuffer.c:77
    #3 0x52cbfc in MainLoop /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/mainloop.c:140:11
    #4 0x506cf7 in process_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/command.c:2249:11
    #5 0x569ae0 in process_psqlrc_file /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:684:10
    #6 0x566d80 in main /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/startup.c:294:4
    #7 0x7f6365eac61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/dev-db/postgresql-9.5.3/work/postgresql-9.5.3/src/bin/psql/input.c:221:7 in gets_fromFile
Shadow bytes around the buggy address:
  0x0c227fff9040: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff9050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9060: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fff9070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c227fff9090: fa fa fa fa fa fa fa[fa]00 00 00 00 00 00 00 00
  0x0c227fff90a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff90b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c227fff90c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff90d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff90e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20648==ABORTING

Affected version:
All.
Tested on 9.4.8 and 9.5.3

Fixed version:
N/A

Commit fix:
https://github.com/postgres/postgres/commit/ed0b228d7a6b5186adc099f6a31dc33c499ff077

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-07-10: bug discovered
2016-07-12: bug reported privately to upstream
2016-07-12: upstream response
2016-07-29: upstream fix
2016-07-29: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

postgresql: psql: heap-based buffer overflow in gets_fromFile (input.c)

Posted in advisories, security

paps: heap-based buffer overflow in read_file() (paps.c)

Description:
Paps is a UTF-8 to PostScript converter that makes use of Pango. It provides both a stand-alone command-line tool and a library.

It was discovered that a crafted or empty file is able to cause a heap-based buffer overflow.
Apparently the project has had no release since 2007 and seemed to be dead, but I have just discovered that it moved silently to GitHub, where the PR has been sent.
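Both this report and the psql gets_fromFile one above show the same ASan shape: a 1-byte READ located 1 byte to the left of a heap region. The usual source of that shape is indexing buf[len - 1] on a growable buffer whose length can legitimately be zero, either because the file is empty or because a line begins with a NUL byte so that strlen() sees nothing. The C program below is an added illustration of that class and of the guard that removes it; it is not code from paps or PostgreSQL, the buffer type, function names and sample inputs are this example's own, and the real defect in either project may differ in detail.

```c
/* Added example, not code from psql or paps: the buf[len - 1] pattern behind a
 * 1-byte READ one byte to the left of a heap region, beside the guard that
 * removes it. Type, function and sample names are this example's own. */
#include <stdlib.h>
#include <string.h>

typedef struct { char *data; size_t len, cap; } linebuf;  /* growable line buffer */

static void linebuf_init(linebuf *b, size_t cap) {
    b->data = malloc(cap);
    if (!b->data) abort();
    b->data[0] = '\0';
    b->len = 0;
    b->cap = cap;
}

static void linebuf_append(linebuf *b, const char *s, size_t n) {
    while (b->len + n + 1 > b->cap) {
        char *p = realloc(b->data, b->cap * 2);
        if (!p) abort();
        b->data = p;
        b->cap *= 2;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n;
    b->data[b->len] = '\0';
}

/* UNSAFE: with len == 0 this reads data[-1], the byte ASan reports as
 * "1 bytes to the left of ... region". Never call it on an empty buffer. */
static int last_is_newline_unsafe(const linebuf *b) {
    return b->data[b->len - 1] == '\n';
}

/* Hardened: an empty buffer has no last byte, so the index is never formed. */
static int last_is_newline_safe(const linebuf *b) {
    return b->len > 0 && b->data[b->len - 1] == '\n';
}

/* fgets()-like read from an in-memory "file": at most outsz-1 bytes, stops after
 * a newline, NUL-terminates, and copies embedded NULs verbatim as fgets() does.
 * Returns 0 at end of input. */
static int mem_fgets(char *out, size_t outsz, const char *src, size_t n, size_t *pos) {
    size_t i = 0;
    if (*pos >= n) return 0;
    while (i + 1 < outsz && *pos < n) {
        out[i++] = src[*pos];
        if (src[(*pos)++] == '\n') break;
    }
    out[i] = '\0';
    return 1;
}

typedef struct {
    long complete;     /* newline-terminated lines seen */
    long partial;      /* 1 if the input ended without a newline */
    long empty_checks; /* times the newline check ran with len == 0, i.e. where
                          last_is_newline_unsafe() would have read data[-1] */
} line_stats;

static line_stats count_lines(const char *src, size_t n) {
    line_stats st = {0, 0, 0};
    char chunk[256];
    size_t pos = 0;
    linebuf line;
    linebuf_init(&line, 256);
    while (mem_fgets(chunk, sizeof chunk, src, n, &pos)) {
        /* strlen() stops at an embedded NUL: a chunk that starts with NUL appends
         * nothing and len stays 0, so the check below sees an empty buffer. */
        linebuf_append(&line, chunk, strlen(chunk));
        if (line.len == 0) st.empty_checks++;
        if (last_is_newline_safe(&line)) {
            st.complete++;
            line.len = 0;
            line.data[0] = '\0';
        }
    }
    /* End of input: an empty file arrives here with len == 0 as well. */
    if (line.len == 0) st.empty_checks++;
    if (line.len > 0 && !last_is_newline_safe(&line)) st.partial++;
    free(line.data);
    return st;
}

/* Regression check for the guard: on non-empty input both forms agree. */
static int same_answer_when_nonempty(const char *s, size_t n) {
    linebuf b;
    int agree;
    if (n == 0) return 0;  /* the unsafe form is undefined here */
    linebuf_init(&b, 16);
    linebuf_append(&b, s, n);
    agree = last_is_newline_unsafe(&b) == last_is_newline_safe(&b);
    free(b.data);
    return agree;
}
```

Fed four constructed inputs, an empty file, "abc\ndef\n", a line starting with a NUL byte and "abc" with no newline, count_lines() reports one, one, two and zero empty checks respectively: a zero-length buffer reaches the newline test by several ordinary routes, which is why the guard belongs in the check itself rather than in a special case for empty files. On every non-empty buffer the guarded check returns exactly what the unguarded one did.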

The complete ASan output:

# paps $crafted.file
=================================================================                                                                                                                                                                                                              
==30527==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dfaf at pc 0x0000004e122d bp 0x7ffd8f3dfe90 sp 0x7ffd8f3dfe88                                                                                                                                      
READ of size 1 at 0x60200000dfaf thread T0                                                                                                                                                                                                                                     
    #0 0x4e122c in read_file /tmp/portage/app-text/paps-0.6.8-r1/work/paps-0.6.8/src/paps.c:573:7                                                                                                                                                                              
    #1 0x4e122c in main /tmp/portage/app-text/paps-0.6.8-r1/work/paps-0.6.8/src/paps.c:493                                                                                                                                                                                     
    #2 0x7fd8aff707af in __libc_start_main (/lib64/libc.so.6+0x207af)                                                                                                                                                                                                          
    #3 0x436968 in _start (/usr/bin/paps+0x436968)                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                               
0x60200000dfaf is located 1 bytes to the left of 4-byte region [0x60200000dfb0,0x60200000dfb4)                                                                                                                                                                                 
allocated by thread T0 here:                                                                                                                                                                                                                                                   
    #0 0x4bdc75 in realloc (/usr/bin/paps+0x4bdc75)                                                                                                                                                                                                                            
    #1 0x7fd8b111c35d in g_realloc (/usr/lib64/libglib-2.0.so.0+0x4e35d)                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                               
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-text/paps-0.6.8-r1/work/paps-0.6.8/src/paps.c:573 read_file                                                                                                                                                   
Shadow bytes around the buggy address:                                                                                                                                                                                                                                         
  0x0c047fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0c047fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0c047fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0c047fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
=>0x0c047fff9bf0: fa fa fa fa fa[fa]04 fa fa fa 00 02 fa fa 00 02                                                                                                                                                                                                              
  0x0c047fff9c00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa                                                                                                                                                                                                              
  0x0c047fff9c10: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 00 00                                                                                                                                                                                                              
  0x0c047fff9c20: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa fd fa                                                                                                                                                                                                              
  0x0c047fff9c30: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 00                                                                                                                                                                                                              
  0x0c047fff9c40: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa                                                                                                                                                                                                              
Shadow byte legend (one shadow byte represents 8 application bytes):                                                                                                                                                                                                           
  Addressable:           00                                                                                                                                                                                                                                                    
  Partially addressable: 01 02 03 04 05 06 07                                                                                                                                                                                                                                  
  Heap left redzone:       fa                                                                                                                                                                                                                                                  
  Heap right redzone:      fb                                                                                                                                                                                                                                                  
  Freed heap region:       fd                                                                                                                                                                                                                                                  
  Stack left redzone:      f1                                                                                                                                                                                                                                                  
  Stack mid redzone:       f2                                                                                                                                                                                                                                                  
  Stack right redzone:     f3                                                                                                                                                                                                                                                  
  Stack partial redzone:   f4                                                                                                                                                                                                                                                  
  Stack after return:      f5                                                                                                                                                                                                                                                  
  Stack use after scope:   f8                                                                                                                                                                                                                                                  
  Global redzone:          f9                                                                                                                                                                                                                                                  
  Global init order:       f6                                                                                                                                                                                                                                                  
  Poisoned by user:        f7                                                                                                                                                                                                                                                  
  Container overflow:      fc                                                                                                                                                                                                                                                  
  Array cookie:            ac                                                                                                                                                                                                                                                  
  Intra object redzone:    bb                                                                                                                                                                                                                                                  
  ASan internal:           fe                                                                                                                                                                                                                                                  
  Left alloca redzone:     ca                                                                                                                                                                                                                                                  
  Right alloca redzone:    cb                                                                                                                                                                                                                                                  
==30527==ABORTING

Affected version:
All versions.

Fixed version:
0.6.8-r2 (in Gentoo)

Commit fix:
https://gitweb.gentoo.org/repo/gentoo.git/tree/app-text/paps/files/paps-0.6.8-fix-empty-file.patch

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
This bug was fixed by Jason A. Donenfeld of Gentoo.

Timeline:
2015-06-09: bug discovered
2015-11-17: bug reported downstream (Gentoo)
2016-07-12: fixed produced downstream
2016-07-28: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

paps: heap-based buffer overflow in read_file() (paps.c)

Posted in advisories, security

portage-utils: stack-based buffer overflow in qfile.c

Description:
Portage-utils is a set of small and fast portage helper tools written in C.

I discovered that a crafted file is able to cause a stack-based buffer overflow.

The complete ASan output:

~ # qfile -f qfile-OOB-crash.log                                                                                                                                                                                                                                          
=================================================================                                                                                                                                                                                                              
==12240==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd067c1ac1 at pc 0x000000495bdc bp 0x7ffd067bd6f0 sp 0x7ffd067bceb0                                                                                                                                     
READ of size 4095 at 0x7ffd067c1ac1 thread T0                                                                                                                                                                                                                                  
    #0 0x495bdb in strncpy /var/tmp/portage/sys-devel/llvm-3.7.1/work/llvm-3.7.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:632:5                                                                                                                                  
    #1 0x4fb5b9 in prepare_qfile_args /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:297:3                                                                                                                                                      
    #2 0x4fb5b9 in qfile_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:530                                                                                                                                                                
    #3 0x4e7f22 in q_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./q.c:79:10                                                                                                                                                                      
    #4 0x4e7afe in main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/main.c:1405:9                                                                                                                                                                      
    #5 0x7f5ccc29e854 in __libc_start_main /tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289                                                                                                                                                            
    #6 0x4192f8 in _init (/usr/bin/q+0x4192f8)                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                               
Address 0x7ffd067c1ac1 is located in stack of thread T0 at offset 17345 in frame                                                                                                                                                                                               
    #0 0x4f8b3f in qfile_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qfile.c:394                                                                                                                                                                
                                                                                                                                                                                                                                                                               
  This frame has 10 object(s):                                                                                                                                                                                                                                                 
    [32, 4128) 'pkg.i'                                                                                                                                                                                                                                                         
    [4256, 8353) 'rpath.i'                                                                                                                                                                                                                                                     
    [8624, 8632) 'fullpath.i'                                                                                                                                                                                                                                                  
    [8656, 8782) 'slot.i'                                                                                                                                                                                                                                                      
    [8816, 8824) 'slot_hack.i'                                                                                                                                                                                                                                                 
    [8848, 8856) 'slot_len.i'                                                                                                                                                                                                                                                  
    [8880, 12977) 'tmppath.i'                                                                                                                                                                                                                                                  
    [13248, 17345) 'abspath.i'                                                                                                                                                                                                                                                 
    [17616, 17736) 'state' <== Memory access at offset 17345 partially underflows this variable                                                                                                                                                                                
    [17776, 17784) 'p'
=>0x100020cf0350: 00 00 00 00 00 00 00 00[01]f2 f2 f2 f2 f2 f2 f2
  0x100020cf0360: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x100020cf0370: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
  0x100020cf0380: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 f3
  0x100020cf0390: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020cf03a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12240==ABORTING

Affected version:
All versions.

Fixed version:
0.61

Commit fix:
https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=070f64a84544f74ad633f08c9c07f99a06aea551

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-02-01: bug discovered
2016-02-01: bug reported to upstream
2016-02-04: upstream released a fix
2016-02-16: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
As the commit clearly states, the ability to read directly from a file was removed.

Permalink:

portage-utils: stack-based buffer overflow in qfile.c

Posted in advisories, gentoo, security

portage-utils: heap-based buffer overflow in qlop.c

Description:
Portage-utils is a set of small and fast portage helper tools written in C.

I discovered that a crafted file is able to cause a heap-based buffer overflow.
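The ASan trace for this one ends in strncmp() reading the first byte past a region allocated by getdelim(), which is what a scan that advances a pointer through a getline() buffer until a marker matches does when the marker is absent: nothing stops it at the terminating NUL. The C program below is an added illustration of that class and of the bounded replacement that uses the length getline()/getdelim() already return; it is not portage-utils code, the log format, marker string and function names are constructed for the example, and the real qlop defect may differ in detail.

```c
/* Added example, not portage-utils code. A marker scan over a getline() buffer
 * with no bound versus one bounded by the length getline()/getdelim() return.
 * Log format, marker and function names are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define SYNC_MARKER "=== Sync completed for "

/* Bounded search: offset of marker in line[0..len), or -1. It never reads
 * line[len] or beyond, so a missing marker, a truncated last line or an
 * embedded NUL cannot carry it off the allocation. */
static long find_marker_bounded(const char *line, size_t len, const char *marker) {
    size_t mlen = strlen(marker);
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(line + i, marker, mlen) == 0)
            return (long)i;
    return -1;
}

/* UNSAFE contrast: advances until strncmp() matches. When the marker is absent
 * it steps past the terminating NUL and off the end of the buffer, the shape of
 * the read in the ASan trace. Call it only on input known to hold the marker. */
static const char *find_marker_unsafe(const char *p, const char *marker) {
    size_t mlen = strlen(marker);
    while (strncmp(p, marker, mlen) != 0)
        p++;                                /* BUG: nothing bounds this walk */
    return p;
}

/* Repository name after SYNC_MARKER (trailing newline removed), or NULL if the
 * line is not a sync line. Returns a pointer to a static buffer. */
static const char *sync_repo(const char *line, size_t len) {
    static char repo[64];
    long off = find_marker_bounded(line, len, SYNC_MARKER);
    if (off < 0) return NULL;
    size_t start = (size_t)off + strlen(SYNC_MARKER);
    size_t n = len - start;
    if (n > 0 && line[start + n - 1] == '\n') n--;
    if (n >= sizeof repo) n = sizeof repo - 1;  /* respect our own buffer too */
    memcpy(repo, line + start, n);
    repo[n] = '\0';
    return repo;
}

/* Walks an in-memory log with explicit per-line lengths, as a getline() loop
 * would, and counts sync lines. The final line may lack a newline. */
static long count_syncs(const char *log, size_t n) {
    long count = 0;
    size_t pos = 0;
    while (pos < n) {
        const char *nl = memchr(log + pos, '\n', n - pos);
        size_t len = nl ? (size_t)(nl - (log + pos)) + 1 : n - pos;
        if (sync_repo(log + pos, len) != NULL)
            count++;
        pos += len;
    }
    return count;
}

/* Regression check for the bounded version: whenever the marker really is
 * present, both searches land on the same byte. */
static int searches_agree_when_present(const char *line, size_t len) {
    long off = find_marker_bounded(line, len, SYNC_MARKER);
    if (off < 0) return 0;
    return find_marker_unsafe(line, SYNC_MARKER) == line + off;
}

/* Constructed sample log, not real emerge.log content. The last line is cut
 * off mid-marker, as a log that is still being written can be. */
static const char SAMPLE_LOG[] =
    "1453718311: Started emerge on: Jan 25, 2016 11:38:31\n"
    "1453718311:  *** emerge --sync\n"
    "1453718400: === Sync completed for gentoo\n"
    "1453718401: === Sync completed fo";

int main(void) {
    printf("sync lines in sample log: %ld\n",
           count_syncs(SAMPLE_LOG, sizeof SAMPLE_LOG - 1));
    return 0;
}
```

The truncated final line is the interesting input: the bounded search stops at the last position where a full marker could still fit and returns -1, while the unbounded walk would have to keep comparing past the end of the line's storage to discover the same thing. Passing the length that getline() returns costs nothing and is what makes the stop condition exist at all.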

The complete ASan output:

~ # qlop -f $CRAFTED_FILE -s
Mon Jan 25 11:38:31 2016 >>> gentoo
=================================================================
==14281==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900001e44a at pc 0x000000425676 bp 0x7fff2b3f3970 sp 0x7fff2b3f3130
READ of size 1 at 0x61900001e44a thread T0
    #0 0x425675 in __interceptor_strncmp /var/tmp/portage/sys-devel/llvm-3.7.1/work/llvm-3.7.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:218:3
    #1 0x50d5b1 in show_sync_history /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qlop.c:350:7
    #2 0x50d5b1 in qlop_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./qlop.c:687
    #3 0x4e7f22 in q_main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/./q.c:79:10
    #4 0x4e7afe in main /tmp/portage/app-portage/portage-utils-0.60/work/portage-utils-0.60/main.c:1405:9
    #5 0x7fafd8594854 in __libc_start_main /tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
    #6 0x4192f8 in _init (/usr/bin/q+0x4192f8)

0x61900001e44a is located 0 bytes to the right of 970-byte region [0x61900001e080,0x61900001e44a)
allocated by thread T0 here:
    #0 0x4a839e in realloc /var/tmp/portage/sys-devel/llvm-3.7.1/work/llvm-3.7.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61:3
    #1 0x7fafd85dc95f in getdelim /tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/libio/iogetdelim.c:106

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/llvm-3.7.1/work/llvm-3.7.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:218:3 in __interceptor_strncmp
Shadow bytes around the buggy address:
  0x0c327fffbc30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffbc40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffbc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffbc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fffbc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fffbc80: 00 00 00 00 00 00 00 00 00[02]fa fa fa fa fa fa
  0x0c327fffbc90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffbca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffbcb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fffbcc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fffbcd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd                                                                                                                                                                                                              
Shadow byte legend (one shadow byte represents 8 application bytes):                                                                                                                                                                                                           
  Addressable:           00                                                                                                                                                                                                                                                    
  Partially addressable: 01 02 03 04 05 06 07                                                                                                                                                                                                                                  
  Heap left redzone:       fa                                                                                                                                                                                                                                                  
  Heap right redzone:      fb                                                                                                                                                                                                                                                  
  Freed heap region:       fd                                                                                                                                                                                                                                                  
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14281==ABORTING

Affected version:
All versions.

Fixed version:
0.61

Commit fix:
https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=7aff0263204d80304108dbe4f0061f44ed8f189f

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-01-26: bug discovered
2016-01-27: bug reported to upstream
2016-01-29: upstream released a fix
2016-02-16: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

portage-utils: heap-based buffer overflow in qlop.c

Posted in advisories, security