Date: Thu, 26 Nov 2015 21:25:40 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Stack overflows and out of bounds read in dpkg (Debian)

https://blog.fuzzing-project.org/30-Stack-overflows-and-out-of-bounds-read-in-dpkg-Debian.html

Two stack overflows and one stack out of bounds access were fixed in
dpkg, the package management tool from Debian.

A call to the function read_line didn't consider a trailing zero byte
in the target buffer and thus could cause a one byte stack overflow
with a zero byte. This issue was already fixed in the testing code when
I reported it, but the fix wasn't backported to stable yet.
https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/dpkg-deb/extract.c?id=e65aa3db04eb908c9507d5d356a95cedb890814d
Git commit / fix
https://crashes.fuzzing-project.org/dpkg-stack-overflow-write-read_line-extracthalf-133.deb
Minimal PoC file

A second almost identical stack overflow due to a call to the function
read_line was in the same file.
https://crashes.fuzzing-project.org/dpkg-stack-overflow-write-read_line-extracthalf-248.deb
Minimal PoC file

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0860
These issues got the id CVE-2015-0860.

A stack out of bounds read can happen in the function
dpkg_ar_normalize_name. There is a read access to an array where the
index can have the value -1. A check if the index is a positive value
fixes this.
https://crashes.fuzzing-project.org/dpkg-stack-oob-read-dpkg_ar_normalize_name.deb
Minimal PoC file

All issues were found with the help of american fuzzy lop and address
sanitizer.

https://lists.debian.org/debian-security-announce/2015/msg00312.html
Debian has published the advisory DSA 3407-1. Fixed packages for both
stable (Jessie) and oldstable (Wheezy) have been published.

http://www.ubuntu.com/usn/usn-2820-1/
Ubuntu has published the advisory USN-2820-1. Fixed packages for Ubuntu
15.10, 15.04 and the LTS versions 14.04 and 12.04 have been published.

All users of Ubuntu, Debian and other dpkg/apt-based distributions
should update.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
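The two bug patterns in this report are worth seeing side by side. The following C block is an added illustration, not dpkg's code: it models a read_line()-style helper whose terminating NUL needs one byte beyond the requested length (the caller must size the buffer as len + 1, or pass sizeof(buf) - 1), and a reconstruction of the dpkg_ar_normalize_name pattern, where a loop that strips padding spaces from a 16-byte ar member name can leave the index at -1 before the slash test. The 16-byte field width, the function names and the sample inputs are assumptions for the example; the checked variant adds the i >= 0 test the post describes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define AR_NAME_LEN 16  /* assumed width of the ar header member name field */

/*
 * Model of a read_line()-style helper: copies at most `len` bytes of the
 * current line from `src` into `buf` and then ALWAYS stores a terminating
 * NUL. The terminator lands at buf[n] with n <= len, so the caller must
 * provide len + 1 bytes. Returns bytes written, terminator included.
 */
static size_t model_read_line(const char *src, char *buf, size_t len)
{
    size_t n = 0;
    while (n < len && src[n] != '\0' && src[n] != '\n') {
        buf[n] = src[n];
        n++;
    }
    buf[n] = '\0';      /* the byte the caller's sizing must leave room for */
    return n + 1;
}

/* Caller-side rule: a buffer of bufsize bytes tolerates a len-byte read only if len < bufsize. */
static int read_line_call_is_safe(size_t bufsize, size_t len)
{
    return len < bufsize;
}

/*
 * Reconstruction of the normalize-name pattern (assumed, not dpkg's code):
 * strip trailing padding spaces, then an optional '/' terminator as GNU ar
 * writes it. If every byte is a space, i walks down to -1 before the '/'
 * test, which reads one byte before the array.
 */
static int ar_normalize_name_unchecked(char name[AR_NAME_LEN])
{
    int i;
    for (i = AR_NAME_LEN - 1; i >= 0 && name[i] == ' '; i--)
        name[i] = '\0';
    if (name[i] == '/') {   /* BUG: i may be -1 here (out-of-bounds read) */
        name[i] = '\0';
        i--;
    }
    return i + 1;           /* length of the normalized name */
}

/* Hardened form: never index the name once nothing is left of it. */
static int ar_normalize_name_checked(char name[AR_NAME_LEN])
{
    int i;
    for (i = AR_NAME_LEN - 1; i >= 0 && name[i] == ' '; i--)
        name[i] = '\0';
    if (i >= 0 && name[i] == '/') {
        name[i] = '\0';
        i--;
    }
    return i + 1;           /* 0 for an all-padding name, no stray read */
}

int main(void)
{
    char buf[16];
    char name[AR_NAME_LEN];

    /* Correct sizing: leave one byte for the terminator read_line stores. */
    model_read_line("Package: dpkg", buf, sizeof(buf) - 1);
    printf("line: \"%s\"\n", buf);

    /* Constructed member name with a GNU-style '/' and space padding. */
    memcpy(name, "control.tar.gz/ ", AR_NAME_LEN);
    printf("checked:   %d \"%s\"\n", ar_normalize_name_checked(name), name);
    memcpy(name, "control.tar.gz/ ", AR_NAME_LEN);
    /* The unchecked form is only exercised on input that keeps i >= 0. */
    printf("unchecked: %d \"%s\"\n", ar_normalize_name_unchecked(name), name);

    memset(name, ' ', AR_NAME_LEN);   /* all padding: the case that hit name[-1] */
    printf("all spaces, checked: %d\n", ar_normalize_name_checked(name));
    return 0;
}
```

Compiling with -fsanitize=address and feeding the unchecked variant an all-space name reproduces the stack-buffer-underflow class of report that AddressSanitizer produced for the real bug; the checked variant returns 0 for that input without touching memory outside the array.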
