Date: Thu, 26 Nov 2015 21:25:40 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Stack overflows and out of bounds read in dpkg (Debian)

https://blog.fuzzing-project.org/30-Stack-overflows-and-out-of-bounds-read-in-dpkg-Debian.html

Two stack overflows and one stack out-of-bounds access were fixed in dpkg, the package management tool from Debian.

A call to the function read_line didn't consider a trailing zero byte in the target buffer and thus could cause a one-byte stack overflow with a zero byte. This issue was already fixed in the testing code when I reported it, but the fix wasn't backported to stable yet.

https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/dpkg-deb/extract.c?id=e65aa3db04eb908c9507d5d356a95cedb890814d
Git commit / fix

https://crashes.fuzzing-project.org/dpkg-stack-overflow-write-read_line-extracthalf-133.deb
Minimal PoC file

A second, almost identical stack overflow due to a call to the function read_line was in the same file.

https://crashes.fuzzing-project.org/dpkg-stack-overflow-write-read_line-extracthalf-248.deb
Minimal PoC file

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0860
These issues got the id CVE-2015-0860.

A stack out-of-bounds read can happen in the function dpkg_ar_normalize_name. There is a read access to an array where the index can have the value -1. A check if the index is a positive value fixes this.

https://crashes.fuzzing-project.org/dpkg-stack-oob-read-dpkg_ar_normalize_name.deb
Minimal PoC file

All issues were found with the help of american fuzzy lop and address sanitizer.

https://lists.debian.org/debian-security-announce/2015/msg00312.html
Debian has published the advisory DSA 3407-1. Fixed packages for both stable (Jessie) and oldstable (Wheezy) have been published.

http://www.ubuntu.com/usn/usn-2820-1/
Ubuntu has published the advisory USN-2820-1. Fixed packages for Ubuntu 15.10, 15.04 and the LTS versions 14.04 and 12.04 have been published.
All users of Ubuntu, Debian and other dpkg/apt-based distributions should update.

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@...eck.de
GPG: BBB51E42
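As an added illustration (not code from dpkg or from the report above), hardened versions of the two patterns the report describes: a line reader that sizes its buffer for the trailing zero byte, and a trailing-padding trimmer whose index cannot go below 0. The function names and the assumption that the padding consists of spaces and '/' are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the two bug patterns, not dpkg's own code.
 * Pattern 1: a line reader that reserves room for the terminating NUL.
 * The report's bug: the target buffer was sized without the trailing zero
 * byte, so the NUL landed one byte past the end of a stack buffer. Copying
 * at most size-1 bytes and terminating inside the buffer removes the
 * off-by-one. Returns the number of bytes stored. */
static size_t safe_read_line(char *buf, size_t size, const char *src)
{
    size_t n = 0;
    if (size == 0)
        return 0;
    while (n < size - 1 && src[n] != '\0' && src[n] != '\n') {
        buf[n] = src[n];
        n++;
    }
    buf[n] = '\0'; /* always at index <= size-1 */
    return n;
}

/* Pattern 2: trimming trailing padding from an ar member name (assumed
 * here to be spaces and '/'). The report's bug: walking an index back
 * from the end without checking it stays >= 0 lets it reach -1 on a name
 * made entirely of padding, an out-of-bounds read. `i > 0` keeps the
 * index in range, including for an empty name. */
static void safe_normalize_name(char *name)
{
    size_t i = strlen(name);
    while (i > 0 && (name[i - 1] == ' ' || name[i - 1] == '/'))
        i--;
    name[i] = '\0';
}

int main(void)
{
    char small[8]; /* constructed: 7 payload bytes plus the NUL */
    size_t got = safe_read_line(small, sizeof small, "0123456789\n");
    printf("stored %zu bytes: '%s'\n", got, small);
    char padded[] = "debian-binary   "; /* constructed sample names */
    char only_pad[] = "////";
    safe_normalize_name(padded);
    safe_normalize_name(only_pad);
    printf("'%s' '%s'\n", padded, only_pad);
    return 0;
}
```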