Bug 1271165

Summary: m2crypto: pbkdf2 function crashes when given 74 byte result as argument
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, bkearney, cbillett, chrisw, dallan, gholms, gkotton, gmollett, jmatthew, jrusnack, jschluet, katello-bugs, kseifried, lhh, lpeer, markmc, mcepl, mitr, rbryant, rhos-maint, sclewis, tdecacqu, tomckay, tsanders, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-30 19:11:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1276630    
Bug Blocks: 1271166    

Description Adam Mariš 2015-10-13 10:03:05 UTC 
A bug was found in pbkdf2 function of m2crypto package, such that when given a 74 byte result, a buffer overflow occurs leading to crash of the application.

For reproducer and backtrace, see product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1270318
Comment 1 Stefan Cornelius 2015-10-29 16:52:31 UTC 
The root cause is a stack-based buffer overflow in the pkcs5_pbkdf2_hmac_sha1() function in SWIG/_evp.i 

It defines the following stack-based buffer:
 unsigned char key[EVP_MAX_KEY_LENGTH];   // usually 64byte

and later calls this function, which takes in "keylen" and fills "key". if "keylen" is larger than EVP_MAX_KEY_LENGTH, it overflows the stack-based buffer.

    PKCS5_PBKDF2_HMAC_SHA1(passbuf, passlen, saltbuf, saltlen, iter,
                           keylen, key);

A simple sanity check of keylen (both that it's not larger than EVP_MAX_KEY_LENGTH and not negative) before calling PKCS5_PBKDF2_HMAC_SHA1 should be enough to prevent this. This function should be protected by stack canaries, so code execution is mitigated, but there may be a minimal remaining risk that it's still possible.
Comment 2 Stefan Cornelius 2015-10-30 10:13:41 UTC 
*** Bug 1270318 has been marked as a duplicate of this bug. ***
Comment 3 Stefan Cornelius 2015-10-30 10:35:11 UTC 
Created m2crypto tracking bugs for this issue:

Affects: fedora-all [bug 1276630]
Comment 4 Miloslav Trmač 2015-11-02 20:28:11 UTC 
https://gitlab.com/m2crypto/m2crypto/merge_requests/8
Comment 5 Fedora Update System 2015-11-19 09:59:47 UTC 
m2crypto-0.22.5-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-11-19 12:22:41 UTC 
m2crypto-0.22.5-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-11-20 23:24:17 UTC 
m2crypto-0.22.5-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Matěj Cepl 2015-11-30 19:11:29 UTC 
This has been fixed, right?