Date: Tue, 24 May 2016 11:51:13 +0300
From: Solar Designer <solar@...nwall.com>
To: Yue Liu <liuyue0310@...il.com>
Cc: oss-security@...ts.openwall.com, David Anderson <davea42@...uxmail.org>
Subject: Re: CVE request: Multiple vulnerabilities in libdwarf & dwarfdump

Hi,

On oss-security it is strongly preferred that actual content (rather
than just links) be included in the postings for long-term archival,
as long as the message doesn't exceed 200 KB (including MIME overhead).

On Tue, May 24, 2016 at 04:01:42PM +0800, Yue Liu wrote:
> There are multiple vulnerabilities in libdwarf & dwarfdump which were
> discovered by Yue Liu (lieanu <liuyue0310@...il.com>) and Qixue Xiao.
> 
> Vulnerabilities DW201605-001 to DW201605-019 in
> https://www.prevanders.net/dwarfbug.html

I've attached the current content of the above web page to this message,
as text/plain.

> And another one: https://bugzilla.redhat.com/show_bug.cgi?id=1330237

Here it is:

---
Description of problem:
There is a NULL pointer dereference bug in libdwarf-20160115 and latest git code.

The bug is at file dwarf_leb.c:147
 143             byte_length++;
 144             if (byte_length > BYTESLEBMAX) {
 145                 /*  Erroneous input. What to do?
 146                     Abort? Return error? Just stop here?*/
 147                 *leb128_length = BYTESLEBMAX;               <- $pc
 148                 return number;
 149             }
 150         }

which is triggered by dwarf_form.c:918
 913             *return_sval = (Dwarf_Signed) ret_value;
 914             return DW_DLV_OK;
 915             }
 916
 917         case DW_FORM_sdata:
 918             ret_value =
 919                 (_dwarf_decode_s_leb128(attr->ar_debug_ptr, NULL));
 920             *return_sval = ret_value;
 921             return DW_DLV_OK;
 922

Version-Release number of selected component (if applicable):
Tested in libdwarf-20160115 and latest git code
---

> All vulnerabilities have been fixed in upstream.
> 
> POC: https://sourceforge.net/p/libdwarf/regressiontests/ci/master/tree/liu/

Unfortunately, some of the PoCs are a bit too large to attach.  While
the above directory is ~110 KB under tar.xz, the PoC attached to Red Hat
Bugzilla Bug 1330237 is ~150 KB under xz.

So let's keep just the vulnerability detail in here for now.

One of the reasons why I am posting this is to provide an example of
what content to include in oss-security postings going forward.  Also,
it's a call for smaller PoCs (for further occasions; no need to rework
these PoCs now), so that those could be included as well.

Alexander

View attachment "dwarfbug.txt" of type "text/plain" (17124 bytes)
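
An added example, not part of the original message and not libdwarf's code or its upstream fix: a bounded signed LEB128 decoder that tolerates a NULL length pointer (the argument passed at dwarf_form.c:918 in the report above) and returns an error on over-long input instead of storing through the pointer. The function name, error codes and the 10-byte cap are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LEB_MAX_BYTES 10   /* assumed cap: 10 bytes cover a 64-bit value */
enum { LEB_OK = 0, LEB_TRUNCATED = -1, LEB_TOO_LONG = -2, LEB_BAD_ARG = -3 };

/* Hypothetical helper: decode one signed LEB128 value from buf[0..len).
   out_len is optional and is written only when non-NULL, so a caller
   that does not need the length cannot cause a NULL store. */
int sleb128_decode(const unsigned char *buf, size_t len,
                   int64_t *out_val, size_t *out_len)
{
    uint64_t acc = 0;
    unsigned shift = 0;
    size_t i = 0;
    unsigned char b;

    if (!buf || !out_val)
        return LEB_BAD_ARG;
    do {
        if (i >= len)
            return LEB_TRUNCATED;   /* input ended before the last byte */
        if (i >= LEB_MAX_BYTES)
            return LEB_TOO_LONG;    /* erroneous input: report, do not guess */
        b = buf[i++];
        acc |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
    } while (b & 0x80);
    if (shift < 64 && (b & 0x40))   /* sign-extend from the final byte */
        acc |= ~(uint64_t)0 << shift;
    *out_val = (int64_t)acc;
    if (out_len)
        *out_len = i;
    return LEB_OK;
}

int main(void)
{
    const unsigned char sample[] = {0x80, 0x7f};  /* constructed input: -128 */
    int64_t v = 0;
    int rc = sleb128_decode(sample, sizeof sample, &v, NULL);
    printf("rc=%d value=%lld\n", rc, (long long)v);
    return rc == LEB_OK ? 0 : 1;
}
```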
