Bug 1196146 (CVE-2014-9732)

Summary: CVE-2014-9732 cabextract: null pointer dereference on a crafted CAB
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, janfrode, jorti, jrusnack, pertusus, rdieter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-02 13:19:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1196148, 1196149    
Bug Blocks:    

Description Vasyl Kaigorodov 2015-02-25 11:43:11 UTC
Null pointer dereference on a crafted CAB was reported [1] in cabextract.
Reproducer file can be found at [1] as well.

$ gpg -d nullderef.cab.asc > nullderef.cab
$ cabextract -t nullderef.cab
nullderef.cab: WARNING; possible 1626 extra bytes at end of file.
Testing cabinet: nullderef.cab
   failed (error in CAB data format)
   failed (Success)
 E  failed (error in CAB data format)
Segmentation fault


Backtrace:
#0  0x00000000 in ?? ()
#1  0x0804e094 in cabd_extract (base=0x805b008, file=0x8063600, filename=0x8056643 "test") at mspack/cabd.c:1068
#2  0x080493b4 in process_cabinet (basename=0xffffd9b8 "nullderef.cab") at src/cabextract.c:467
#3  0x08048fc4 in main (argc=3, argv=0xffffd804) at src/cabextract.c:350

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774665

Comment 1 Vasyl Kaigorodov 2015-02-25 11:44:18 UTC
Created cabextract tracking bugs for this issue:

Affects: fedora-all [bug 1196148]
Affects: epel-all [bug 1196149]

Comment 2 Rex Dieter 2015-12-02 13:19:49 UTC
linked bugs confirmed fixed, closing