Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 24 Oct 2015 10:31:16 +0200
From: Hanno Böck <>
  CVE ID Requests <>
Subject: Heap overflow and endless loop in exfatfsck / exfat-utils

exfat-utils is a collection of tools to work with the exFAT filesystem.
Fuzzing the exfatfsck with american fuzzy lop led to the discovery of a
write heap overflow and an endless loop.

Especially at risk are systems that are configured to run filesystem
checks automatically on external devices like USB flash drives.

A malformed input can cause a write heap overflow in the function
verify_vbr_checksum. It might be possible to use this for code

Upstream bug report

Sample file triggering the bug

Git commit for fix

Another malformed input can cause an endless loop, leading to a
possible denial of service.

Upstream bug report

Sample file triggering the bug

Git commit of fix

Both issues have been fixed in the latest release 1.2.1 of exfat-utils.

Hanno Böck


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ