Date: Tue, 24 May 2016 11:51:13 +0300
From: Solar Designer <solar@...nwall.com>
To: Yue Liu <liuyue0310@...il.com>
Cc: oss-security@...ts.openwall.com, David Anderson <davea42@...uxmail.org>
Subject: Re: CVE request: Multiple vunerabilities in libdwarf & dwarfdump

Hi,

On oss-security it is strongly preferred that actual content (rather
than just links) be included in the postings for long-term archival,
as long as the message doesn't exceed 200 KB (including MIME overhead).

On Tue, May 24, 2016 at 04:01:42PM +0800, Yue Liu wrote:
> There are multiple vulnerabilities in libdwarf & dwarfdump which were
> discovered by Yue Liu (lieanu <liuyue0310@...il.com>) and Qixue Xiao.
> 
> Vulnerabilities DW201605-001 to DW201605-019 in
> https://www.prevanders.net/dwarfbug.html

I've attached the current content of the above web page to this message,
as text/plain.

> And another one https://bugzilla.redhat.com/show_bug.cgi?id=1330237

Here it is:

---
Description of problem:
There is a NULL pointer dereference bug in libdwarf-20160115 and latest git code.

The bug is at file dwarf_leb.c:147
 143             byte_length++;
 144             if (byte_length > BYTESLEBMAX) {
 145                 /*  Erroneous input. What to do?
 146                     Abort? Return error? Just stop here?*/
 147                 *leb128_length = BYTESLEBMAX;               <- $pc
 148                 return number;
 149             }
 150         }

which is triggered by dwarf_form.c:918
 913             *return_sval = (Dwarf_Signed) ret_value;
 914             return DW_DLV_OK;
 915             }
 916
 917         case DW_FORM_sdata:
 918             ret_value =
 919                 (_dwarf_decode_s_leb128(attr->ar_debug_ptr, NULL));
 920             *return_sval = ret_value;
 921             return DW_DLV_OK;
 922

Version-Release number of selected component (if applicable):
Tested in libdwarf-20160115 and latest git code
---

> All vulnerabilities have been fixed in upstream.
> 
> POC: https://sourceforge.net/p/libdwarf/regressiontests/ci/master/tree/liu/

Unfortunately, some of the PoCs are a bit too large to attach.  While
the above directory is ~110 KB under tar.xz, the PoC attached to Red Hat
Bugzilla Bug 1330237 is ~150 KB under xz.

So let's keep just the vulnerability detail in here for now.

One of the reasons why I am posting this is to provide an example of
what content to include in oss-security postings going forward.  Also,
it's a call for smaller PoCs (for further occasions; no need to rework
these PoCs now), so that those could be included as well.

Alexander

View attachment "dwarfbug.txt" of type "text/plain" (17124 bytes)
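
An added example, not part of the original message and not libdwarf's code: a signed LEB128 decoder that treats the length out-parameter as optional and returns an error on over-long or truncated input, the two issues visible in the dwarf_leb.c excerpt quoted above. The function name, its signature and the 10-byte cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed cap: a 64-bit value needs at most ceil(64/7) = 10 LEB128 bytes. */
#define LEB_MAX_BYTES 10

/* Decode a signed LEB128 value from buf[0..avail).
   Returns 0 on success, -1 on NULL arguments, truncated input or
   over-long input. out_len may be NULL when the caller does not need
   the number of bytes consumed. */
int decode_sleb128(const uint8_t *buf, size_t avail,
                   int64_t *out_val, size_t *out_len)
{
    uint64_t acc = 0;
    unsigned shift = 0;
    size_t i = 0;
    uint8_t b;

    if (buf == NULL || out_val == NULL)
        return -1;

    do {
        /* Report bad input to the caller instead of returning a
           partial number; the cap also keeps shift at 63 or below. */
        if (i >= avail || i >= LEB_MAX_BYTES)
            return -1;
        b = buf[i++];
        acc |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
    } while (b & 0x80);

    /* Sign-extend when bit 6 of the final byte is set. */
    if (shift < 64 && (b & 0x40))
        acc |= ~(uint64_t)0 << shift;

    *out_val = (int64_t)acc;

    /* The crash in the report: dwarf_leb.c:147 stores through the
       length pointer while dwarf_form.c:919 passes NULL for it.
       Here the store happens only when a pointer was supplied. */
    if (out_len != NULL)
        *out_len = i;
    return 0;
}
```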
