Bug ID | 1023002 |
---|---|
Summary | VUL-0: pax-utils: scanelf: out of bounds read in scanelf_file_textrel (scanelf.c) |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 42.2 |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | mikhail.kasimov@gmail.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Ref: http://seclists.org/oss-sec/2017/q1/255 ============================================== Description: pax-utils is a set of tools that check files for security relevant properties. A fuzz on scanelf exposed an out-of bound read. It was reported to vapier which fixed the issue immediately. Unfortunately I can���t get a symbolized ASan stacktrace, so I will show only the useful part of both asan and gdb. # scanelf -s '*' -axetrnibSDIYZB $FILE ==1853==ERROR: AddressSanitizer: unknown-crash on address 0x7f4099d25008 at pc 0x00000053586e bp 0x7fff335cb8b0 sp 0x7fff335cb8a8 READ of size 8 at 0x7f4099d25008 thread T0 #0 0x53586d (/usr/bin/scanelf+0x53586d) #1 0x51f526 (/usr/bin/scanelf+0x51f526) #2 0x51b97e (/usr/bin/scanelf+0x51b97e) #3 0x51ad43 (/usr/bin/scanelf+0x51ad43) #4 0x51922e (/usr/bin/scanelf+0x51922e) #5 0x7f4098afd61f (/lib64/libc.so.6+0x2061f) #6 0x41a008 (/usr/bin/scanelf+0x41a008) (gdb) bt #8 0x000000000053586e in scanelf_file_textrel (elf=, found_textrel=) at scanelf.c:560 #9 0x000000000051f527 in scanelf_elfobj (elf=) at scanelf.c:1536 #10 0x000000000051b97f in scanelf_elf (filename=0x7fffffffe50e "/tmp/afl/scanelf/report/crashes/2.crashes", fd=, len=) at scanelf.c:1612 #11 scanelf_fileat (dir_fd=, filename=, st_cache=) at scanelf.c:1679 #12 0x000000000051ad44 in scanelf_dirat (dir_fd=, path=) at scanelf.c:1713 #13 0x000000000051922f in scanelf_dir (path=) at scanelf.c:1763 #14 parseargs (argc=5, argv=0x7fffffffe258) at scanelf.c:2273 #15 main (argc=5, argv=) at scanelf.c:2361 Affected version: 1.2 Fixed version: 1.2.1 Commit fix: https://github.com/gentoo/pax-utils/commit/95e5489534ac9e9324c5096286899b688e19ae00 Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00132-pax-utils-scanelf-oobread-scanelf_file_textrel Timeline: 2017-01-23: bug discovered and reported to upstream 2017-01-24: upstream realeased a patch and 1.2.1 2017-02-01: blog post about the issue Note: This bug was found with American Fuzzy Lop. I���d suggest to go to 1.2.2 because of a functionality bug(s) in 1.2.1 Permalink: https://blogs.gentoo.org/ago/2017/02/01/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_textrel-scanelf-c -- Agostino Sarubbo Gentoo Linux Developer ============================================== https://software.opensuse.org/package/pax-utils TW: 1.1.6 42.(1|2): 0.9.2