Bug 1196153 (CVE-2015-4471)

Summary: CVE-2015-4471 libmspack: off-by-one buffer under-read in mspack/lzxd.c
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, dan, jrusnack, pertusus
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-06-08 02:39:04 UTC
Bug Depends On: 1196154, 1196155

Description Vasyl Kaigorodov 2015-02-25 11:51:54 UTC
An off-by-one buffer under-read was reported [1] in libmspack.
A reproducer is available at [1] as well.

$ test/cabd_md5 lzxd-under-read.cab
*** lzxd-under-read.cab
ERROR; file "test1.txt" cannot be extracted, cabinet set is incomplete.
lzxd-under-read.cab: error extracting "test1.txt": error in data format
=================================================================
==8354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4a028ff at pc 0x80604a7 bp 0xffdf8028 sp 0xffdf801c
READ of size 1 at 0xf4a028ff thread T0
   #0 0x80604a6 in lzxd_decompress mspack/lzxd.c:516
   #1 0x80568c7 in cabd_extract mspack/cabd.c:1067
   #2 0x804a8e3 in main test/cabd_md5.c:145
   #3 0xf707ca62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
   #4 0x8048f10 (/home/jwilk/libmspack-0.4/test/cabd_md5+0x8048f10)

0xf4a028ff is located 1 bytes to the left of 4096-byte region [0xf4a02900,0xf4a03900)
allocated by thread T0 here:
   #0 0xf725c6e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
   #1 0x80497af in m_alloc test/md5_fh.h:111
   #2 0x805c27b in lzxd_init mspack/lzxd.c:313
   #3 0x8057264 in cabd_init_decomp mspack/cabd.c:1126
   #4 0x805634f in cabd_extract mspack/cabd.c:1034
   #5 0x804a8e3 in main test/cabd_md5.c:145
   #6 0xf707ca62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)


The relevant code is:

         /* read 1-16 (not 0-15) bits to align to bytes */
         ENSURE_BITS(16);
         if (bits_left > 16) i_ptr -= 2;
         bits_left = 0; bit_buffer = 0;

         /* read 12 bytes of stored R0 / R1 / R2 values */
         for (rundest = &buf[0], i = 0; i < 12; i++) {
           READ_IF_NEEDED;
           *rundest++ = *i_ptr++;
         }

As I understand it, ENSURE_BITS can rewind i_ptr to the beginning of the buffer, and then "i_ptr -= 2" makes the pointer go one (or two?) bytes prior to the buffer.
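
The following is an added example, not code from the bug report or from libmspack: a deliberately small model of the LZX bit reader, patterned on the snippet quoted above, that shows how the "ENSURE_BITS(16); if (bits_left > 16) i_ptr -= 2;" sequence ends up one byte before the input buffer, and how a variant that never rewinds the pointer avoids it. The refill routine read_input(), the functions ensure_bits16() and read_if_needed() (stand-ins for the ENSURE_BITS and READ_IF_NEEDED macros), the 4-byte buffer and the 6-byte input stream are all constructed assumptions for the demonstration. The hardened variant is this example's own rewrite and is not presented as the upstream patch.

```c
/* Simplified model of the LZX bit reader, added to illustrate the under-read
 * described above. Constructed example code, not libmspack's source. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INBUF_SIZE 4    /* tiny input buffer so a refill is easy to trigger */

struct bitreader {
    const uint8_t *src;         /* whole input stream (constructed) */
    size_t src_len, src_pos;    /* how much of src has been copied so far */
    uint8_t inbuf[INBUF_SIZE];
    uint8_t *i_ptr, *i_end;     /* read position / end of valid data */
    uint32_t bit_buffer;
    int bits_left;
};

/* Refill inbuf from the stream. As in the decoder, a refill resets i_ptr to
 * the START of inbuf, so a later "give back 2 bytes" rewind is unsafe. */
static void read_input(struct bitreader *r)
{
    size_t n = r->src_len - r->src_pos;
    if (n > INBUF_SIZE) n = INBUF_SIZE;
    if (n == 0) {               /* end of stream: feed zero padding */
        memset(r->inbuf, 0, 2);
        n = 2;
    } else {
        memcpy(r->inbuf, r->src + r->src_pos, n);
        r->src_pos += n;
    }
    r->i_ptr = r->inbuf;
    r->i_end = r->inbuf + n;
}

static void read_if_needed(struct bitreader *r)
{
    if (r->i_ptr >= r->i_end) read_input(r);
}

/* ENSURE_BITS(16) stand-in: top the bit buffer up in 16-bit steps. Either of
 * the two byte reads may trigger a refill, so a pair can straddle a boundary. */
static void ensure_bits16(struct bitreader *r)
{
    while (r->bits_left < 16) {
        uint8_t b0, b1;
        read_if_needed(r); b0 = *r->i_ptr++;
        read_if_needed(r); b1 = *r->i_ptr++;
        r->bit_buffer |= (((uint32_t)b1 << 8) | b0) << (16 - r->bits_left);
        r->bits_left += 16;
    }
}

/* The alignment step as quoted from lzxd.c. Returns i_ptr's offset from the
 * start of inbuf; -1 means the next *i_ptr++ reads one byte before the buffer. */
static ptrdiff_t align_quoted(struct bitreader *r)
{
    ensure_bits16(r);
    if (r->bits_left > 16) r->i_ptr -= 2;   /* may cross the refill boundary */
    r->bits_left = 0; r->bit_buffer = 0;
    return r->i_ptr - r->inbuf;
}

/* Hardened variant (this example's own): only fetch when the bit buffer is
 * empty, so nothing is handed back and i_ptr never moves backwards. Matches
 * align_quoted() whenever bits_left <= 16 on entry, which holds when every
 * earlier read went through the ensure/remove pattern. */
static ptrdiff_t align_hardened(struct bitreader *r)
{
    if (r->bits_left == 0) ensure_bits16(r);
    r->bits_left = 0; r->bit_buffer = 0;
    return r->i_ptr - r->inbuf;
}

/* Run one alignment step from a constructed state: leftover_bits are still in
 * the bit buffer and exactly one byte remains in inbuf, so the second byte of
 * the 16-bit top-up comes from a fresh refill. */
ptrdiff_t run_alignment(int leftover_bits, int hardened)
{
    static const uint8_t stream[] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 }; /* constructed */
    struct bitreader r;
    memset(&r, 0, sizeof r);
    r.src = stream; r.src_len = sizeof stream;
    read_input(&r);                    /* inbuf = 11 22 33 44 */
    r.i_ptr = r.i_end - 1;             /* as if 3 bytes were already consumed */
    r.bits_left = leftover_bits;
    return hardened ? align_hardened(&r) : align_quoted(&r);
}

int main(void)
{
    printf("quoted,   3 leftover bits: i_ptr offset %td\n", run_alignment(3, 0));
    printf("hardened, 3 leftover bits: i_ptr offset %td\n", run_alignment(3, 1));
    printf("quoted,   0 leftover bits: i_ptr offset %td\n", run_alignment(0, 0));
    printf("hardened, 0 leftover bits: i_ptr offset %td\n", run_alignment(0, 1));
    return 0;
}
```

With 3 leftover bits the quoted sequence reads the last byte of the old buffer, refills, reads one byte of the new buffer, then rewinds two bytes, landing at offset -1: exactly the "1 bytes to the left of 4096-byte region" position in the ASan report above. With 0 leftover bits both variants consume the same 16 bits and end at the same offset, which is why the rewind is only reachable when a refill falls between the two byte reads.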

Comment 1 Vasyl Kaigorodov 2015-02-25 11:57:27 UTC
Created libmspack tracking bugs for this issue:

Affects: fedora-all [bug 1196154]
Affects: epel-all [bug 1196155]

Comment 2 Fedora Update System 2015-03-13 17:00:31 UTC
libmspack-0.5-0.1.alpha.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-03-13 17:02:07 UTC
libmspack-0.5-0.1.alpha.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-03-13 17:14:30 UTC
libmspack-0.5-0.1.alpha.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-03-25 20:04:20 UTC
libmspack-0.5-0.1.alpha.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-03-25 20:04:52 UTC
libmspack-0.5-0.1.alpha.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Vasyl Kaigorodov 2015-06-11 14:56:05 UTC
Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775499

CVE assigned: http://seclists.org/oss-sec/2015/q2/691

Comment 8 Product Security DevOps Team 2019-06-08 02:39:04 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.