Date: Thu, 05 Nov 2015 17:30:14 +0100
From: gauri@....by
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Cc: "cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: Re: CVE request: libsndfile 1.0.25 heap overflow

Hello list.

03.11.2015, 21:02, "cve-assign@...re.org" <cve-assign@...re.org>:
>> Unrelated, but I recently reported an out of bounds triggered by the
>> test suite of libsndfile and got no reply:
>> http://permalink.gmane.org/gmane.comp.audio.libsndfile.devel/681
>
>> Out of bounds reads in psf_strlcpy_crlf when running test suite
>
>> AddressSanitizer: global-buffer-overflow ... READ of size 1
>
> Use CVE-2015-8075.

I have followed up on this to spot the root cause of what has been assigned CVE-2015-8075; as recommended by Hanno, I am sharing my results with the wider audience.

The `test_psf_strlcpy_crlf()` routine, as it is presented in version 1.0.25, is incorrect in that it supplies an invalid argument value to the function `psf_strlcpy_crlf()` being tested: the last argument `srcmax` receives `sizeof(src)`, which is the size of the pointer `src`, and not the source string length it points to, as might have been anticipated by the author. Since the reporter tested a 64-bit build, `srcmax` gets passed 8, but the string is 7 bytes long. This triggers OOB access detected by address sanitizer, just like in the original report.

At this point, it seems CVE-2015-8075 has to be rejected as there is no vulnerability, only a poorly written test case which doesn't see any action except when running `make check`.

Note: Apparently, the vendor has attempted to fix the test, but it seems like `srcmax` is getting `sizeof(char)` instead of `sizeof(char *)` now. The test remains invalid, although due to a different reason.

Cheers,
Z.
References:
- https://github.com/erikd/libsndfile/blob/f66e21e0b1f1b52b544dabb5ba4fa89fa6f62a30/src/test_strncpy_crlf.c
- https://github.com/erikd/libsndfile/blob/495c2877e1c841fbb420383551547d2ca60533c6/src/test_strncpy_crlf.c
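The mistake the post describes, `sizeof(src)` evaluating to the size of a `char *` (8 on a 64-bit build) rather than the length of the string it points to, and the follow-up fix that substitutes `sizeof(char)` (always 1), can be reproduced in isolation. The following is an added example, not libsndfile's code: `copy_crlf()` is a toy stand-in that, like the routine under test in the mail, reads exactly `srcmax` source bytes rather than stopping at a NUL, so an oversized `srcmax` walks past the string. The argument order, the helper names (`srcmax_is_safe`, `srcmax_from_*`) and the sample string are assumptions made for the example; the correct way to derive `srcmax` for a pointer argument is `strlen(src)`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a CRLF-normalising bounded copy (not libsndfile's code).
 * It consumes exactly srcmax bytes from src, expanding '\n' to "\r\n", and
 * never looks for a terminating NUL: the caller's srcmax is the only bound,
 * which is why a wrong srcmax becomes an out-of-bounds read.
 * Returns the number of source bytes consumed. dest is always NUL-terminated. */
static size_t copy_crlf(char *dest, size_t destmax, const char *src, size_t srcmax)
{
    size_t di = 0, si = 0;
    /* di + 2 < destmax leaves room for a two-byte expansion plus the NUL. */
    while (si < srcmax && di + 2 < destmax) {
        if (src[si] == '\n') {
            dest[di++] = '\r';
            dest[di++] = '\n';
            si++;
            continue;
        }
        dest[di++] = src[si++];
    }
    dest[di] = '\0';
    return si;
}

/* The check a test author wants: srcmax must not exceed the bytes that
 * actually exist before the terminator of the string being handed in. */
static int srcmax_is_safe(const char *src, size_t srcmax)
{
    return srcmax <= strlen(src);
}

/* The three ways of computing srcmax that the mail contrasts. */

/* What the 1.0.25 test did: src is a pointer parameter, so sizeof(src) is
 * sizeof(char *), i.e. 8 on a 64-bit build, regardless of the string. */
static size_t srcmax_from_pointer_sizeof(const char *src)
{
    (void)src; /* the value of src does not influence the result at all */
    return sizeof(src);
}

/* What the attempted fix does: sizeof(char) is 1 by definition, again
 * unrelated to the string length. */
static size_t srcmax_from_char_sizeof(void)
{
    return sizeof(char);
}

/* The correct computation for a pointer to a NUL-terminated string. */
static size_t srcmax_from_strlen(const char *src)
{
    return strlen(src);
}

int main(void)
{
    /* Constructed sample: 7 bytes, matching the length in the report. */
    const char *src = "abc\ndef";
    char dest[32];
    size_t candidates[3] = {
        srcmax_from_pointer_sizeof(src),
        srcmax_from_char_sizeof(),
        srcmax_from_strlen(src),
    };
    const char *labels[3] = { "sizeof(src)", "sizeof(char)", "strlen(src)" };

    for (int i = 0; i < 3; i++) {
        printf("%-13s -> srcmax=%zu, %s\n", labels[i], candidates[i],
               srcmax_is_safe(src, candidates[i]) ? "in bounds" : "OUT OF BOUNDS");
    }

    size_t used = copy_crlf(dest, sizeof(dest), src, srcmax_from_strlen(src));
    printf("copy with strlen bound consumed %zu bytes: \"%s\"\n", used, dest);
    return 0;
}
```

Note that `sizeof(dest)` inside `main()` is legitimate because `dest` is an array there; the same expression applied to a `char *` parameter is the bug. Building the example with `-fsanitize=address` and passing the `sizeof(src)` candidate to `copy_crlf()` reproduces the class of report quoted above.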