[Bug 1023610] New: VUL-0: pax-utils: dumpelf: multiple divide-by-zero in dumpelf.c
http://bugzilla.opensuse.org/show_bug.cgi?id=1023610 Bug ID: 1023610 Summary: VUL-0: pax-utils: dumpelf: multiple divide-by-zero in dumpelf.c Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Ref: http://seclists.org/oss-sec/2017/q1/309 ============================================== Description: pax-utils is a set of tools that check files for security relevant properties. A fuzz on dumpelf shows multiple divide-by-zero . They was reported to vapier which fixed the issues immediately. Unfortunately I can’t get the ASan stacktrace, so I will show only the useful(not at all) part of the crash. # dumpelf $FILE FPE on unknown address 0x00000051ca65 (pc 0x00000051ca65 bp 0x7ffc31bb6f80 sp 0x7ffc31bb6e40 T0) Reproducer: https://github.com/asarubbo/poc/blob/master/00137-pax-utils-dumpelf-fpe1 # dumpelf $FILE FPE on unknown address 0x00000051d335 (pc 0x00000051d335 bp 0x7ffc17babf80 sp 0x7ffc17babe40 T0) Reproducer: https://github.com/asarubbo/poc/blob/master/00138-pax-utils-dumpelf-fpe2 # dumpelf $FILE FPE on unknown address 0x00000051db76 (pc 0x00000051db76 bp 0x7ffdf90fff80 sp 0x7ffdf90ffe40 T0) Reproducer: https://github.com/asarubbo/poc/blob/master/00139-pax-utils-dumpelf-fpe3 Affected version: 1.2.2 Fixed version: N/A Commit fix: https://github.com/gentoo/pax-utils/commit/4609f57a690b4a5670baeb93167dab530... Credit: These bugs were discovered by Agostino Sarubbo of Gentoo. CVE: N/A Timeline: 2017-01-30: bug discovered and reported to upstream 2017-02-01: upstream released a patch 2017-02-04: blog post about the issue Note: These bugs were found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/02/04/pax-utils-dumpelf-multiple-divide-by... -- Agostino Sarubbo Gentoo Linux Developer ============================================== -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com