Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 14 May 2016 09:55:43 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: dosfstools / fsck.vfat: Several invalid memory accesses

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

These reports are about command-line programs that realistically
encounter untrusted input. However,
https://github.com/dosfstools/dosfstools/blob/master/README.md says
"dosfstools consists of the programs mkfs.fat, fsck.fat and fatlabel
to create, check and label file systems of the FAT family." It does
not state that dosfstools provides a library that can be used to build
other programs that a user may want. In particular, there does not
seem to be a use case in which a provided program needs to remain
running to process additional filesystems after encountering an
invalid filesystem.


> https://github.com/dosfstools/dosfstools/issues/11
> Global out of bounds read file_stat() / check_dir()
> https://github.com/dosfstools/dosfstools/commit/2aad1c83c7d010de36afbe79c9fde22c50aa2f74
> Git commit / fix

As far as we can tell, this one is not a vulnerability in the
above-described context. It seems to be an out-of-bounds read that
doesn't affect the flow of control.


> https://github.com/dosfstools/dosfstools/issues/12
> Unclear invalid memory access in get_fat()
> https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
> Git commit / fix
> 
> that was a nasty one: FAT12 corruption when a certain FAT entry at the
> end is changed.
> 
> set_fat(): Fix off-by-2 error leading to corruption in FAT12
> 
> If the third to last entry was written on a FAT12 filesystem with an
> odd number of clusters, the second to last entry would be corrupted.
> This corruption may also lead to invalid memory accesses when the
> corrupted entry becomes out of bounds and is used later.

Use CVE-2015-8872.


> https://github.com/dosfstools/dosfstools/issues/25
> Heap overflow in read_fat()
> https://github.com/dosfstools/dosfstools/issues/26
> Heap out of bounds read in get_fat()
> https://github.com/dosfstools/dosfstools/commit/e8eff147e9da1185f9afd5b25948153a3b97cf52
> Git commit / fix for both issues
> 
> it's a failure to properly catch a zero length FAT in read_fat() and
> continuing with that and the other corrupt values
> 
> read_boot(): Handle excessive FAT size specifications
> 
> The variable used for storing the FAT size (in bytes) was an unsigned
> int. Since the size in sectors read from the BPB was not sufficiently
> checked, this could end up being zero after multiplying it with the
> sector size while some offsets still stayed excessive. Ultimately it
> would cause segfaults when accessing FAT entries for which no memory
> was allocated.

Use CVE-2016-4804 (this applies to both issues/25 and issues/26, even
though the impact in 25 is a heap-based buffer overflow with write
access, and the impact in 26 is a heap-based buffer over-read).

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXNy15AAoJEHb/MwWLVhi25VEP/iMdL0X84Xo9ysSMP9D0hxZz
1v3OtKF16jmGPpKBiC++PHoBN533jVi+K7epBhkvHC2ycKTsHHK6ImmWCguRU2C5
w+rpoqEHMsqmiCf9M/XjutMHvgCdsFbNf4pe4dkJBt5oAK+oqThzUZ2kFK1Jvs0U
HBDQHs9XKWIMals6N+FyF1TanIX2dUtchaky+Ba92piL3rdN95vs1/Mt1C6l+7bw
ZUt8uqIZMNOCgr5Cq1gMvc16VFYOi8ZYWol1FBq0kFpxzjsOn8dpeJ4lxn+JKyyp
hpAKUBPAgv+OWogtq+LsklD9qoGuaBKClrZiVL6qbr9YYA9NBabXuMqJJghGHUTy
omKQsTOE+SuQXLLiV/gKs0bCUkWbK7yScSRUG2lEb1qtbWqHByZTq/FHTC2Kc5IY
n0VUEayp2IFwfny11pM+D1O6VeWBFRvZNgc849VHNSo5KbTo1z9aFQSmld38t5sW
DOzg6IvV86P+jP/OzCv7uDbJG6aSDoy8fELv4xisCp4cFq+K+9aLUqWj9HrPr+on
3AEntSjDmvrEMvmNxY6I7ayan2AphcEGblUNnuu+2k0KnOEKjS1oIcCXSbnS8F0J
NGI1jYf+Y5LPMX6aLmJEazyU0fXtNJx6BAKhmaGNzTBXpZdhD9nkw88puLQKMBv2
TZGsWop91NEPNGjtPSRa
=tWe9
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ