Bug 1167756 (CVE-2014-9273)

| Field | Value |
|---|---|
| Summary | CVE-2014-9273 hivex: missing checks for small-sized files |
| Product | [Other] Security Response |
| Reporter | Martin Prpič <mprpic> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | acathrow, alonbl, bazulay, bmcclain, carnil, dblechte, ecohen, fdeutsch, gklein, idith, iheim, lsurette, mbooth, michal.skrivanek, pstehlik, rjones, vdanen, vkrizan, ycui, yeylon |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | hivex 1.3.11 |
| Doc Type | Bug Fix |
| Last Closed | 2015-07-22 08:45:49 UTC |
| Bug Depends On | 1158992, 1158993, 1167795 |
| Bug Blocks | 1167758, 1193283 |

Doc Text:

It was found that hivex attempted to read, and possibly write, beyond its allocated buffer when reading a hive file with a very small size or with truncated or improperly formatted content. An attacker able to supply a specially crafted hive file to an application using the hivex library could possibly use this flaw to execute arbitrary code with the privileges of the user running that application.
Description
Martin Prpič
2014-11-25 11:07:00 UTC
(In reply to Martin Prpic from comment #0)

> It was reported that hivex [1], a library that can read and write hive files (undocumented binary files that Windows uses to store the Windows Registry on disk), did not properly handle small-sized hive files. An attacker able to supply a hive file of a small size to an application using the hivex library could use this flaw to read, and possibly write, up to 4095 bytes beyond the end of the allocated buffer, potentially resulting in arbitrary code execution with the privileges of the user running that application.
>
> This issue has been fixed in upstream version 3.11 of hivex.

^^ 1.3.11

CVE request: http://seclists.org/oss-sec/2014/q4/787

Created hivex tracking bugs for this issue:

Affects: epel-5 [bug 1167795]

For the record, Fedora 19 through 22 are fixed:

https://admin.fedoraproject.org/updates/hivex-1.3.11-4.fc21
https://admin.fedoraproject.org/updates/hivex-1.3.8-4.fc20
https://admin.fedoraproject.org/updates/hivex-1.3.8-2.fc19

Debian maintainer was notified (a while back) and is going to submit an update for Jessie.

Statement:

(none)

I think we need a RHEL 6 bug ...

(In reply to Richard W.M. Jones from comment #8)

> I think we need a RHEL 6 bug ...

Is the impact more severe than a local (potential) elevation of privileges on a Windows registry file that you are copying to a Linux platform? If looking at it from a libguestfs perspective, the user (presumably an administrator with access to a Windows guest) would need to load the registry for that VM (something that probably requires privilege to begin with). This is a fairly unlikely scenario with a simple mitigation: don't open an untrusted hive file. I don't believe we need to provide an ASYNC erratum for this and can defer this fix to a later update.

Am I missing anything that makes it more severe than that?

(In reply to Vincent Danen from comment #9)

> (In reply to Richard W.M. Jones from comment #8)
> > I think we need a RHEL 6 bug ...
>
> Is the impact more severe than a local (potential) elevation of privileges on a Windows registry file that you are copying to a Linux platform? If looking at it from a libguestfs perspective, the user (presumably an administrator with access to a Windows guest) would need to load the registry for that VM (something that probably requires privilege to begin with). This is a fairly unlikely scenario with a simple mitigation: don't open an untrusted hive file. I don't believe we need to provide an ASYNC erratum for this and can defer this fix to a later update.
>
> Am I missing anything that makes it more severe than that?

No you're about right there. However I was thinking it'd be good to have it fixed for RHEL 6.7, but I'll leave it up to you to decide.

MITRE assigned CVE-2014-9273 to this issue: http://seclists.org/oss-sec/2014/q4/903

hivex-1.3.5-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2015:0301 https://rhn.redhat.com/errata/RHSA-2015-0301.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2015:1378 https://rhn.redhat.com/errata/RHSA-2015-1378.html
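The defect described in the Doc Text and comment #0 is a missing length check before page-sized structures are read from a hive file: a file shorter than one page lets the parser read past the end of its buffer. The C below is an added illustration of the defensive pattern, not hivex's own code or its fix. It assumes the hive layout in which the base block is one 4096-byte page starting with the "regf" magic; the constant names, the enum and the `hive_validate_sample` helper (which builds a constructed in-memory sample instead of reading a file) are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not hivex code. Assumed hive layout: the base block is one
   4096-byte page starting with the "regf" magic, and every later structure
   (hbin pages, cells) is addressed by an offset that must stay inside the
   file. A file shorter than one page has to be rejected before the header
   is touched; otherwise a page-sized read overruns the buffer. */
#define HIVE_PAGE_SIZE 4096u
#define HIVE_MAGIC     "regf"

enum hive_check {
  HIVE_OK = 0,
  HIVE_TOO_SMALL,    /* shorter than one base block */
  HIVE_BAD_MAGIC     /* first four bytes are not "regf" */
};

/* Header check: size first, then content, so memcmp never runs on a buffer
   that cannot hold a full base block. */
enum hive_check hive_validate_header(const uint8_t *buf, size_t len) {
  if (len < HIVE_PAGE_SIZE)
    return HIVE_TOO_SMALL;
  if (memcmp(buf, HIVE_MAGIC, 4) != 0)
    return HIVE_BAD_MAGIC;
  return HIVE_OK;
}

/* Range check for any offset+n access, arranged so off + n cannot wrap. */
int hive_range_ok(size_t len, size_t off, size_t n) {
  if (n > len)
    return 0;
  return off <= len - n;
}

/* Page-granular check: is page `idx` entirely inside a file of `len` bytes? */
int hive_page_ok(size_t len, size_t idx) {
  if (idx > SIZE_MAX / HIVE_PAGE_SIZE)
    return 0;                       /* idx * page size would overflow */
  return hive_range_ok(len, idx * HIVE_PAGE_SIZE, HIVE_PAGE_SIZE);
}

/* Constructed sample input (not a real hive): a zero-filled buffer of `len`
   bytes, capped at two pages, carrying either the real magic or a bogus one. */
enum hive_check hive_validate_sample(size_t len, int good_magic) {
  static uint8_t buf[2 * HIVE_PAGE_SIZE];
  if (len > sizeof buf)
    len = sizeof buf;
  memset(buf, 0, sizeof buf);
  memcpy(buf, good_magic ? HIVE_MAGIC : "XXXX", 4);
  return hive_validate_header(buf, len);
}
```

The two checks are deliberately separate: `hive_validate_header` rejects the small-file case up front, and `hive_range_ok` / `hive_page_ok` guard every later offset-based access against a truncated or malformed file, which is the second half of the Doc Text's description.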