Bug 1196157 (CVE-2015-4470)

Summary: CVE-2015-4470 libmspack: off-by-one buffer over-read in mspack/mszipd.c
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, dan, pertusus
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:39:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1196154, 1196155    
Bug Blocks:    

Description Vasyl Kaigorodov 2015-02-25 11:59:17 UTC 
Off-by-one buffer over-read was reported in libmspack [1].
Reproducer can be found in [1] as well.

To reproduce the bug, rebuild libmspack with -fsanitize=address and 
run:

$ test/cabd_md5 mszip-over-read.cab
*** mszip-over-read.cab
=================================================================
==761==ERROR: AddressSanitizer: global-buffer-overflow on address 0x08076dde at pc 0x806adc0 bp 0xffeb3998 sp 0xffeb398c
READ of size 1 at 0x08076dde thread T0
   #0 0x806adbf in inflate mspack/mszipd.c:268
   #1 0x806c3a7 in mszipd_decompress mspack/mszipd.c:426
   #2 0x8056b04 in cabd_extract mspack/cabd.c:1074
   #3 0x804a8e3 in main test/cabd_md5.c:145
   #4 0xf70f1a62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
   #5 0x8048f10 (/home/jwilk/libmspack-0.4/test/cabd_md5+0x8048f10)

0x08076dde is located 0 bytes to the right of global variable 'dist_extrabits' from 'mspack/mszipd.c' (0x8076dc0) of size 30
0x08076dde is located 34 bytes to the left of global variable 'bitlen_order' from 'mspack/mszipd.c' (0x8076e00) of size 19
Comment 1 Vasyl Kaigorodov 2015-02-25 11:59:56 UTC 
Created libmspack tracking bugs for this issue:

Affects: fedora-all [bug 1196154]
Affects: epel-all [bug 1196155]
Comment 2 Dan HorĂ¡k 2015-03-03 13:22:01 UTC 
(In reply to Vasyl Kaigorodov from comment #0)
> Off-by-one buffer over-read was reported in libmspack [1].
> Reproducer can be found in [1] as well.

Hi Vasyl, haven't you forget to add the link for [1]?
Comment 3 Fedora Update System 2015-03-13 17:00:32 UTC 
libmspack-0.5-0.1.alpha.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-03-13 17:02:09 UTC 
libmspack-0.5-0.1.alpha.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2015-03-13 17:14:31 UTC 
libmspack-0.5-0.1.alpha.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-03-25 20:04:22 UTC 
libmspack-0.5-0.1.alpha.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-03-25 20:04:53 UTC 
libmspack-0.5-0.1.alpha.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Product Security DevOps Team 2019-06-08 02:39:05 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.