Date: Wed, 3 Jun 2015 01:00:28 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss security list <oss-security@...ts.openwall.com>
Cc: cve-assign@...re.org
Subject: Stack out of bounds read access in uudecode / sharutils

https://blog.fuzzing-project.org/13-Stack-out-of-bounds-read-access-in-uudecode-sharutils.html

uudecode is a tool to decode uuencoded data. It is shipped with the
package sharutils. An invalid input file can cause an out of bounds
stack read access in the function expand_tilde().

This issue has been reported to the developers on 2015-03-04. It has
been fixed in sharutils 4.15.2 (2015-05-30).

To see this bug one needs to use a tool like valgrind or address
sanitizer that detects out of bounds memory reads.

The bug was found with american fuzzy lop.

Sample file
https://crashes.fuzzing-project.org/uudecode-oob-read-stack-expand_tilde.uu

Address sanitizer output:
==8209==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff8a4a8690 at pc 0x40738d bp 0x7fff8a4a44a0 sp 0x7fff8a4a4490
READ of size 1 at 0x7fff8a4a8690 thread T0
    #0 0x40738c in expand_tilde /mnt/ram/sharutils-4.14/src/uudecode.c:252
    #1 0x40738c in decode /mnt/ram/sharutils-4.14/src/uudecode.c:437
    #2 0x403660 in main /mnt/ram/sharutils-4.14/src/uudecode.c:530
    #3 0x7f13d97fff9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #4 0x403c81 (/mnt/ram/sharutils-4.14/src/uudecode+0x403c81)

Address 0x7fff8a4a8690 is located in stack of thread T0 at offset 16800 in frame
    #0 0x403da7 in decode /mnt/ram/sharutils-4.14/src/uudecode.c:362

  This frame has 7 object(s):
    [32, 36) 'mode'
    [96, 104) 'outlen'
    [160, 168) 'ctx'
    [224, 368) 'attr'
    [416, 16800) 'buf' <== Memory access at offset 16800 overflows this variable
    [16832, 33216) 'buf_in'
    [33248, 49632) 'buf'

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
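
Added example, not part of the original post or of sharutils: a small Python helper that reads the frame layout out of the AddressSanitizer report above and relates the faulting offset to the listed stack objects. The names `locate` and `triage` and the returned field names are assumptions made for this example; the report lines are copied from the message.

```python
import re

# Lines copied from the AddressSanitizer report in the message above.
REPORT = """\
READ of size 1 at 0x7fff8a4a8690 thread T0
Address 0x7fff8a4a8690 is located in stack of thread T0 at offset 16800 in frame
  This frame has 7 object(s):
    [32, 36) 'mode'
    [96, 104) 'outlen'
    [160, 168) 'ctx'
    [224, 368) 'attr'
    [416, 16800) 'buf' <== Memory access at offset 16800 overflows this variable
    [16832, 33216) 'buf_in'
    [33248, 49632) 'buf'
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
OFFSET_RE = re.compile(r"located in stack of thread T\d+ at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'", re.M)


def locate(off, size, lo, hi):
    """Classify an access [off, off+size) against one object [lo, hi)."""
    if off >= hi:
        return "overflow", off - hi          # gap 0: first byte past the end
    if off + size <= lo:
        return "underflow", lo - (off + size)
    return "inside", 0


def triage(report):
    """Relate the faulting access to the stack objects ASan lists for the frame."""
    access, offset = ACCESS_RE.search(report), OFFSET_RE.search(report)
    objects = [(int(lo), int(hi), n) for lo, hi, n in OBJECT_RE.findall(report)]
    if not (access and offset and objects):
        raise ValueError("not an ASan stack report with a frame object list")
    size, off = int(access.group(2)), int(offset.group(1))
    # Redzones separate the objects, so attribute the access to the nearest one.
    lo, hi, name = min(objects, key=lambda o: locate(off, size, o[0], o[1])[1])
    side, gap = locate(off, size, lo, hi)
    return {"access": access.group(1), "size": size, "object": name,
            "object_size": hi - lo, "index": off - lo, "side": side, "gap": gap}


if __name__ == "__main__":
    print(triage(REPORT))
```

For the report above this gives a 1-byte READ at index 16384 of the 16384-byte `buf`, that is, the first byte past the end of the array.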