Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 25 Nov 2018 09:57:37 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: catdoc: out of bounds heap read and nullpointer / segfault

I reported two memory safety bugs in the command line tool catdoc.
However the mails to the developer bounced.

The first is an out of bounds heap read, to detect it catdoc needs to
be compiled with address sanitizer (test it with -fsanitize=address in
CFLAGS).

The second is a null pointer and will just crash catdoc.


ASAN crash traces:

==4036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000015d1 at pc 0x00000050560c bp 0x7ffe3d0b7d40 sp 0x7ffe3d0b7d38
READ of size 1 at 0x6020000015d1 thread T0
    #0 0x50560b in getlong /f/catdoc/catdoc-0.95/src/numutils.c:22:37
    #1 0x506c7d in ole_init /f/catdoc/catdoc-0.95/src/ole.c:254:18
    #2 0x4fa2df in analyze_format /f/catdoc/catdoc-0.95/src/analyze.c:58:17
    #3 0x4f6bec in main /f/catdoc/catdoc-0.95/src/catdoc.c:180:6
    #4 0x7fa1362ae4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #5 0x41b489 in _start (/r/catdoc/catdoc+0x41b489)

0x6020000015d1 is located 0 bytes to the right of 1-byte region [0x6020000015d0,0x6020000015d1)
allocated by thread T0 here:
    #0 0x4c5973 in malloc (/r/catdoc/catdoc+0x4c5973)
    #1 0x505e70 in ole_init /f/catdoc/catdoc-0.95/src/ole.c:119:10
    #2 0x4fa2df in analyze_format /f/catdoc/catdoc-0.95/src/analyze.c:58:17
    #3 0x4f6bec in main /f/catdoc/catdoc-0.95/src/catdoc.c:180:6
    #4 0x7fa1362ae4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)



And:

==6151==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000509f93 bp 0x0c18000000d1 sp 0x7fff4819ed80 T0)
==6151==The signal is caused by a READ memory access.
==6151==Hint: address points to the zero page.
    #0 0x509f92 in calcFileBlockOffset /f/catdoc/catdoc-0.95/src/ole.c
    #1 0x509f92 in ole_read /f/catdoc/catdoc-0.95/src/ole.c:493
    #2 0x4fa3ec in analyze_format /f/catdoc/catdoc-0.95/src/analyze.c:64:14
    #3 0x4f6bec in main /f/catdoc/catdoc-0.95/src/catdoc.c:180:6
    #4 0x7f70645a64ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #5 0x41b489 in _start (/r/catdoc/catdoc+0x41b489)


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Download attachment "catdoc-bug-samples.zip" of type "application/zip" (1855 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.