Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 31 Dec 2015 03:16:33 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: cve-assign@...re.org, kseifried@...hat.com
Cc: oss-security@...ts.openwall.com
Subject: Re: mail-client/claws-mail-3.13.1: Stack Overflow - CVE needed?

On Mon, 2015-12-21 at 21:31 -0500, cve-assign@...re.org wrote:
> > https://bugs.gentoo.org/show_bug.cgi?id=569010
> 
> > http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557
> 
> > > So in codeconv.c there is a function for japanese character set
> > > conversion called conv_jistoeuc(). There is no bounds checking on the
> > > output buffer, which is created on the stack with alloca().
> 
> > > http://git.claws-mail.org/?p=claws.git;a=commit;h=d390fa07f5548f3173dd9cc13b233db5ce934c82
> > > 
> > > conv_jistoeuc
> > > conv_euctojis
> > > conv_sjistoeuc
> 
> The original discoverer found a conv_jistoeuc issue, and then the
> vendor apparently also found conv_euctojis and conv_sjistoeuc issues.
> However, we don't see an indication that these issues arose in
> independent ways. (Also, there is no vendor statement that
> conv_euctojis or conv_sjistoeuc is exploitable.) It seems best to
> assign CVE-2015-8614 to the combination of the conv_jistoeuc,
> conv_euctojis, and conv_sjistoeuc issues.
[...]

Note that two of the bounds checks added in that commit are incorrect:

1. In conv_jistoeuc() the check uses > rather than <, which causes all
   conversions to return an empty string.  This is presumably not a
   security issue, but is a regression.

3. In conv_euctojis() the comparison is with outlen - 3, but each pass
   through the loop uses up to 5 bytes and the rest of the function may
   add another 4 bytes.  The comparison should presumably be 
   '<= outlen - 9' or equivalently '< outlen - 8'.

The first check is fixed by a later commit:
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e3ffcb455e0376053451ce968e6c71ef37708222

Ben.

-- 
Ben Hutchings
All the simple programs have been written, and all the good names taken.
Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.