Date: Sun, 16 Oct 2016 20:52:39 +0200 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: mupdf: mujstest: strcpy-param-overlap in main (jstest_main.c) A note outside the blog post: This issue does not affect any library, but it is only in the mujstest binary. There aren't known applications which use mujstest, but if you have an application or website which relies on mujstest you are invited to apply the patch or use the newer package when it will be released. Thanks. Description: Mujstest, which is part of mupdf is a scriptable tester for mupdf + js. A fuzzing revealed a strcpy-param-overlap. The complete ASan output: # mujstest $FILE ==26843==ERROR: AddressSanitizer: strcpy-param-overlap: memory ranges [0x0000013c5d40,0x0000013c62ed) and [0x0000013c6285, 0x0000013c6832) overlap #0 0x473129 in __interceptor_strcpy /var/tmp/portage/sys-devel/llvm-3.8.0- r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:545 #1 0x4f7910 in main /var/tmp/portage/app- text/mupdf-1.9a/work/mupdf-1.9a/platform/x11/jstest_main.c:353:6 #2 0x7f8af37a961f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #3 0x41ade8 in _init (/usr/bin/mujstest+0x41ade8) 0x0000013c6140 is located 0 bytes to the right of global variable 'filename' defined in 'platform/x11/jstest_main.c:15:13' (0x13c5d40) of size 1024 0x0000013c6285 is located 5 bytes inside of global variable 'getline_buffer' defined in 'platform/x11/jstest_main.c:24:13' (0x13c6280) of size 4096 SUMMARY: AddressSanitizer: strcpy-param-overlap /var/tmp/portage/sys- devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler- rt/lib/asan/asan_interceptors.cc:545 in __interceptor_strcpy ==26843==ABORTING Affected version: 1.9a Fixed version: 1.10 (not yet released) Commit fix: http://git.ghostscript.com/?p=mupdf.git;h=cfe8f35bca61056363368c343be36812abde0a06 Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Timeline: 2016-08-04: bug discovered 2016-08-05: bug reported to upstream 2016-09-22: upstream released a patch 2016-09-25: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2016/09/25/mupdf-mujstest-strcpy-param-overlap-in-main-jstest_main-c/ -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.