Bug 1492701 (CVE-2014-8184)

Summary: CVE-2014-8184 liblouis: stack-based buffer overflow in findTable()
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, martin.gieseking, rasanche, rmatos, rsprudencio, samuel.thibault, security-response-team, yjog
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-03 16:05:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1492708, 1492709
Bug Blocks: 1488949
Attachments (Description / Flags):
proposed fix / none

Description Pedro Sampaio 2017-09-18 13:48:40 UTC
A stack-based buffer overflow was found in findTable() in liblouis. An attacker could create a malicious file that would cause applications that use liblouis (such as Orca) to crash, or potentially execute arbitrary code when opened.

Comment 1 Pedro Sampaio 2017-09-18 13:48:43 UTC
Acknowledgments:

Name: Raphael Sanchez Prudencio (Red Hat)

Comment 5 Salvatore Bonaccorso 2017-11-01 05:33:27 UTC
Hi

Can you share details on this issue? Is upstream aware of the details?

I found only https://github.com/liblouis/liblouis/issues/425 asking upstream about it.

Regards,
Salvatore

Comment 7 Raphael Sanchez Prudencio 2017-11-02 13:52:57 UTC
(In reply to Salvatore Bonaccorso from comment #5)
> Hi
> 
> Can you share details on this issue? Is upstream aware of the details?
> 
> I found only https://github.com/liblouis/liblouis/issues/425 asking upstream
> about it.
> 
> Regards,
> Salvatore

Hi Salvatore, this vulnerability (actually several buffer overflows in that same function) was sitting in our package because it was outdated. It was probably unknowingly fixed as this function was totally refactored during this merge: https://github.com/liblouis/liblouis/commit/dc97ef791a4fae9da11592c79f9f79e010596e0c#diff-7ade83431f79d2120c82012aee3b05c9L4524

This specific vulnerability does not exist in the upstream version; it was introduced in commit 26ca8619.

Comment 8 errata-xmlrpc 2017-11-02 15:52:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3111 https://access.redhat.com/errata/RHSA-2017:3111

Comment 9 Salvatore Bonaccorso 2017-11-02 21:11:20 UTC
Hi Raphael,

(In reply to Raphael Sanchez Prudencio from comment #7)
> (In reply to Salvatore Bonaccorso from comment #5)
> > Hi
> > 
> > Can you share details on this issue? Is upstream aware of the details?
> > 
> > I found only https://github.com/liblouis/liblouis/issues/425 asking upstream
> > about it.
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore, this vulnerability (actually several buffer overflows in that
> same function) was sitting in our package because it was outdated. It was
> probably unknowingly fixed as this function was totally refactored during
> this merge:
> https://github.com/liblouis/liblouis/commit/
> dc97ef791a4fae9da11592c79f9f79e010596e0c#diff-
> 7ade83431f79d2120c82012aee3b05c9L4524
> 
> This specific vulnerability does not exist in the upstream version; it was
> introduced in commit 26ca8619.

Thanks for this; it was really helpful to narrow down the affected status for us in Debian.

Regards,
Salvatore

Comment 10 Samuel Thibault 2017-11-03 01:05:13 UTC
Created attachment 1347137 [details]
proposed fix

Hello,
As mentioned upstream, this is not enough: the strncpy call does not catch buffer overflows and a missing \0.
This patch should be fixing it.
Samuel
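
Samuel's point above, illustrated with an added C example that is not code from liblouis, from the attachment, or from anyone in this thread: a hypothetical fixed-size table-name buffer, a copy done with strncpy() that cannot report an overlong source and leaves the buffer without a terminator when the name fills it, and a length-checked copy that rejects such names and always terminates. The buffer size, function names and sample table names are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed: a deliberately small buffer so the edge case is easy to see. */
#define TABLE_NAME_MAX 16

/* The pattern the comment warns about. strncpy() copies at most dst_size
 * bytes and never reports that src was longer; when src has dst_size or
 * more characters, no '\0' is written, so later string functions read past
 * the buffer. Returns whether the result is NUL-terminated. */
bool copy_with_strncpy(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* Hardened copy: measure first (bounded by dst_size so src itself need not
 * be trusted), refuse anything that does not fit together with its
 * terminator, and always leave dst NUL-terminated (empty on failure). */
bool copy_table_name(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    size_t len = strnlen(src, dst_size);
    if (len >= dst_size) {          /* no room left for the '\0' */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);      /* copies the terminator too */
    return true;
}

/* Helpers with a fixed-size local buffer so the two behaviours compare. */
bool strncpy_leaves_terminator(const char *src)
{
    char buf[TABLE_NAME_MAX];
    return copy_with_strncpy(buf, sizeof buf, src);
}

bool safe_copy_accepts(const char *src)
{
    char buf[TABLE_NAME_MAX];
    return copy_table_name(buf, sizeof buf, src);
}

int main(void)
{
    /* Constructed sample names: 12, 16 and 20 characters. */
    const char *short_name = "en-us-g2.ctb";
    const char *exact_name = "0123456789abcdef";
    const char *long_name  = "0123456789abcdef0123";

    printf("strncpy, 12-char name: terminated=%d\n", strncpy_leaves_terminator(short_name));
    printf("strncpy, 16-char name: terminated=%d\n", strncpy_leaves_terminator(exact_name));
    printf("strncpy, 20-char name: terminated=%d\n", strncpy_leaves_terminator(long_name));
    printf("safe copy, 12-char name: accepted=%d\n", safe_copy_accepts(short_name));
    printf("safe copy, 16-char name: accepted=%d\n", safe_copy_accepts(exact_name));
    printf("safe copy, 20-char name: accepted=%d\n", safe_copy_accepts(long_name));
    return 0;
}
```

The 16-character name is the case a strncpy-only fix misses: nothing overflows during the copy itself, but the buffer ends up with no terminator, and the overflow happens later in whatever reads it as a string. Checking the length before copying turns both the exact-fit and the overlong case into a clean rejection.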

Comment 11 Raphael Sanchez Prudencio 2017-11-03 13:20:32 UTC
(In reply to Samuel Thibault from comment #10)
> Created attachment 1347137 [details]
> proposed fix
> 
> Hello,
> As mentioned upstream, this is not enough: the strncpy call does not catch
> buffer overflows and a missing \0.
> This patch should be fixing it.
> Samuel

* Edited *

Good catch Samuel, thanks!

I will request a new CVE for this incomplete fix and link it here when I get it.

Comment 12 Raphael Sanchez Prudencio 2017-11-08 15:09:49 UTC
New CVE was generated for the incomplete fix: CVE-2017-15101.

https://bugzilla.redhat.com/show_bug.cgi?id=1511023

Comment 13 Pedro Sampaio 2019-07-31 21:37:03 UTC
External References:

https://github.com/liblouis/liblouis/issues/425