Date: Mon, 21 Aug 2017 15:37:42 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: libmirage: NULL pointer dereference in mirage_stream_get_filename (stream.c)

There is a NULL pointer dereference in libmirage when handling .dmg/.isz files.
The bug was found via mirage2iso (https://github.com/mgorny/mirage2iso), which 
uses libmirage to convert various CD/DVD image formats into .iso.
The bug was initially spotted by Michał Górny, so the credit goes to him.

I hit the bug too and I'm pointing out the security implication. The 
complete ASan output of the issue:

# mirage2iso $FILE out.iso
==22879==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9c67f5dde9 bp 0x7f9c5e533e26 sp 0x7ffeb47ffe20 T0)
==22879==The signal is caused by a READ memory access.
==22879==Hint: address points to the zero page.
    #0 0x7f9c67f5dde8 in mirage_stream_get_filename /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/stream.c:61
    #1 0x7f9c5e5306c8 in mirage_filter_stream_dmg_open_streams /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/filters/filter-dmg/filter-stream.c:603
    #2 0x7f9c5e5306c8 in mirage_filter_stream_dmg_open /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/filters/filter-dmg/filter-stream.c:719
    #3 0x7f9c67f5726c in mirage_filter_stream_open /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/filter-stream.c:209
    #4 0x7f9c67f53aa5 in mirage_context_create_input_stream /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/context.c:471
    #5 0x7f9c67f53bea in mirage_context_load_image /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/context.c:359
    #6 0x50d6ca in miragewrap_open /var/tmp/portage/app-cdr/mirage2iso-0.4.2/work/mirage2iso-0.4.2/src/mirage-wrapper.c:87:9
    #7 0x50a3cb in main /var/tmp/portage/app-cdr/mirage2iso-0.4.2/work/mirage2iso-0.4.2/src/mirage2iso.c:281:7
    #8 0x7f9c66e38680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #9 0x41ab98 in _start (/usr/bin/mirage2iso+0x41ab98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/stream.c:61 in mirage_stream_get_filename
==22879==ABORTING

Testcase:
https://github.com/mgorny/mirage2iso/blob/master/tests/21_hdiutil_ulfo.dmg

Upstream bug report:
https://sourceforge.net/p/cdemu/bugs/105/

Upstream commit:
https://sourceforge.net/p/cdemu/code/ci/d874b3b1bc86b94b1f323d7df9e665279fb966cb/

A CVE was not requested.

-- 
Agostino Sarubbo
Gentoo Linux Developer
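The bug class in the trace above, a container filter's open routine handing a NULL stream to an unchecked getter, as an added example that is not part of this post and is not libmirage's code. The Stream type, the eight-byte offset/length header, the function names and the sample images are all hypothetical stand-ins constructed for illustration, not the real .dmg layout or the real libmirage API; the point is the contrast between the unchecked getter plus an unchecked caller and the hardened pair that turns a failed inner open into an error return.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory stream; a stand-in for libmirage's stream object,
 * not its real definition. */
typedef struct {
    const char *filename;
    const uint8_t *data;
    size_t len;
} Stream;

/* Hypothetical container header: 4-byte little-endian offset and length of
 * the inner payload. This is NOT the real .dmg layout. */
#define HDR_LEN 8

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unchecked getter, the shape of the bug ASan reported: a NULL stream reads
 * through address 0 ("address points to the zero page"). */
const char *stream_get_filename_unchecked(const Stream *s) {
    return s->filename;
}

/* Hardened getter: refuses a NULL stream instead of dereferencing it. */
const char *stream_get_filename(const Stream *s) {
    return s ? s->filename : NULL;
}

/* Opens the inner stream described by the header. Returns NULL when the
 * header is short or points outside the file, which a crafted or truncated
 * image can do. */
const Stream *open_inner_stream(const Stream *outer, Stream *inner_out) {
    if (outer == NULL || outer->len < HDR_LEN) return NULL;
    uint32_t off = le32(outer->data), len = le32(outer->data + 4);
    if (off > outer->len || len > outer->len - off) return NULL;
    inner_out->filename = outer->filename;
    inner_out->data = outer->data + off;
    inner_out->len = len;
    return inner_out;
}

/* Vulnerable filter open: assumes the inner open succeeded and formats a
 * message from its filename. With a bad header the getter runs on NULL and
 * the process dies with SIGSEGV. Never called with a bad header below. */
int filter_open_vulnerable(const Stream *outer, char *msg, size_t msglen) {
    Stream inner;
    const Stream *in = open_inner_stream(outer, &inner);
    snprintf(msg, msglen, "opened %s", stream_get_filename_unchecked(in));
    return 0;
}

/* Hardened filter open: a failed inner open is an error, reported without
 * ever handing NULL to the getter. */
int filter_open_hardened(const Stream *outer, char *msg, size_t msglen) {
    Stream inner;
    const Stream *in = open_inner_stream(outer, &inner);
    if (in == NULL) {
        const char *name = stream_get_filename(outer);
        snprintf(msg, msglen, "cannot open inner stream of %s",
                 name ? name : "(null)");
        return -1;
    }
    snprintf(msg, msglen, "opened %s (%zu bytes)",
             stream_get_filename(in), in->len);
    return 0;
}

/* Constructed sample images (not real .dmg files). */
static const uint8_t GOOD_IMG[] = { 8,0,0,0, 4,0,0,0, 'a','b','c','d' };
/* Offset 0x7fffffff: far past the end of a 12-byte file. */
static const uint8_t BAD_IMG[]  = { 0xff,0xff,0xff,0x7f, 4,0,0,0, 'a','b','c','d' };

char LAST_MSG[128];

/* Runs the hardened open on a constructed image; the message lands in LAST_MSG. */
int demo_open(const uint8_t *img, size_t len) {
    Stream outer = { "sample.dmg", img, len };
    return filter_open_hardened(&outer, LAST_MSG, sizeof LAST_MSG);
}

int main(void) {
    printf("%d: %s\n", demo_open(GOOD_IMG, sizeof GOOD_IMG), LAST_MSG);
    printf("%d: %s\n", demo_open(BAD_IMG, sizeof BAD_IMG), LAST_MSG);
    return 0;
}
```

The hardened version fixes the problem at both ends: the getter tolerates NULL, and the caller treats a failed inner open as an error rather than trusting the header. Checking only in the getter would still leave the caller formatting a message with "(null)" and proceeding as if the image had opened, so the caller-side check is the one that matters for a parser fed untrusted images.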
