Bug 1500070 (CVE-2017-16844)

Summary: CVE-2017-16844 procmail: Heap-based buffer overflow in loadbuf function in formisc.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: dmoppert, jskarvad, psampaio, scorneli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
A heap-based buffer overflow flaw was found in procmail's formail utility. A remote attacker could send a specially crafted email that, when processed by formail, could cause formail to crash or, possibly, execute arbitrary code as the user running formail.
Story Points: ---
Last Closed: 2017-11-29 07:46:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1500071, 1513916, 1513917
Bug Blocks: 1500771
Attachments: Simple fix (flags: none)

Description Pedro Sampaio 2017-10-09 19:48:12 UTC
A flaw was found in the loadbuf function in formisc.c. When the buffer is too small, the function tries to resize it, but only by Bsize (=128) bytes. This is not necessarily enough and could cause denial of service.

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511

Comment 1 Pedro Sampaio 2017-10-09 19:48:36 UTC
Created procmail tracking bugs for this issue:

Affects: fedora-all [bug 1500071]

Comment 4 Jaroslav Škarvada 2017-10-10 21:51:49 UTC
Created attachment 1336923 [details]
Simple fix

Well, there may be better fixes (e.g. counting the total buffer size in one step), but the attached fix is ultimately simple (a few more cycles shouldn't be a problem for typical scenarios).

Before the fix is applied:
$ zcat overflow.822.gz | valgrind formail -r
==8339== Memcheck, a memory error detector
==8339== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8339== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==8339== Command: formail -r
==8339== 
==8339== Invalid write of size 1
==8339==    at 0x4C3561B: memmove (vg_replace_strmem.c:1258)
==8339==    by 0x10D98A: ??? (in /usr/bin/formail)
==8339==    by 0x10C676: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339==  Address 0x5524350 is 0 bytes after a block of size 640 alloc'd
==8339==    at 0x4C30C15: realloc (vg_replace_malloc.c:785)
==8339==    by 0x10E0C8: ??? (in /usr/bin/formail)
==8339==    by 0x10D96B: ??? (in /usr/bin/formail)
==8339==    by 0x10C676: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339== 
==8339== Invalid read of size 2
==8339==    at 0x4C355E0: memmove (vg_replace_strmem.c:1258)
==8339==    by 0x10D25A: ??? (in /usr/bin/formail)
==8339==    by 0x10D61F: ??? (in /usr/bin/formail)
==8339==    by 0x10B780: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339==  Address 0x5524350 is 0 bytes after a block of size 640 alloc'd
==8339==    at 0x4C30C15: realloc (vg_replace_malloc.c:785)
==8339==    by 0x10E0C8: ??? (in /usr/bin/formail)
==8339==    by 0x10D96B: ??? (in /usr/bin/formail)
==8339==    by 0x10C676: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339== 
==8339== Invalid read of size 2
==8339==    at 0x4C355EF: memmove (vg_replace_strmem.c:1258)
==8339==    by 0x10D25A: ??? (in /usr/bin/formail)
==8339==    by 0x10D61F: ??? (in /usr/bin/formail)
==8339==    by 0x10B780: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339==  Address 0x5524354 is 4 bytes after a block of size 640 alloc'd
==8339==    at 0x4C30C15: realloc (vg_replace_malloc.c:785)
==8339==    by 0x10E0C8: ??? (in /usr/bin/formail)
==8339==    by 0x10D96B: ??? (in /usr/bin/formail)
==8339==    by 0x10C676: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339== 
To: foo@bar
References: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
In-Reply-To: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

==8339== 
==8339== HEAP SUMMARY:
==8339==     in use at exit: 1,438 bytes in 10 blocks
==8339==   total heap usage: 24 allocs, 14 frees, 9,753 bytes allocated
==8339== 
==8339== LEAK SUMMARY:
==8339==    definitely lost: 129 bytes in 4 blocks
==8339==    indirectly lost: 0 bytes in 0 blocks
==8339==      possibly lost: 0 bytes in 0 blocks
==8339==    still reachable: 1,309 bytes in 6 blocks
==8339==         suppressed: 0 bytes in 0 blocks
==8339== Rerun with --leak-check=full to see details of leaked memory
==8339== 
==8339== For counts of detected and suppressed errors, rerun with: -v
==8339== ERROR SUMMARY: 9 errors from 3 contexts (suppressed: 0 from 0)


After the fix is applied:
$ zcat overflow.822.gz | valgrind formail -r
==9409== Memcheck, a memory error detector
==9409== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9409== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==9409== Command: formail -r
==9409== 
To: foo@bar
References: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
In-Reply-To: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

==9409== 
==9409== HEAP SUMMARY:
==9409==     in use at exit: 1,566 bytes in 10 blocks
==9409==   total heap usage: 25 allocs, 15 frees, 10,521 bytes allocated
==9409== 
==9409== LEAK SUMMARY:
==9409==    definitely lost: 129 bytes in 4 blocks
==9409==    indirectly lost: 0 bytes in 0 blocks
==9409==      possibly lost: 0 bytes in 0 blocks
==9409==    still reachable: 1,437 bytes in 6 blocks
==9409==         suppressed: 0 bytes in 0 blocks
==9409== Rerun with --leak-check=full to see details of leaked memory
==9409== 
==9409== For counts of detected and suppressed errors, rerun with: -v
==9409== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
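
The description (loadbuf enlarging the buffer by a single Bsize step) and Comment 4's remark about counting the total buffer size in one step both come down to a growth policy. The following is an added illustration written for this page, not procmail's code and not the attached patch: it contrasts a fixed-increment resize with a grow-to-fit resize, and checks, without performing any out-of-bounds write, whether one Bsize step would cover a pending copy. The struct, function names and the 300/470 byte figures are constructed for the example; 640 is taken only from the block size valgrind reports above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growth increment named in the report (Bsize = 128). */
#define Bsize 128

/* Growable heap buffer, constructed for this example; not procmail's struct.
   Invariant: len <= size. */
struct growbuf {
    char *p;
    size_t len;   /* bytes in use */
    size_t size;  /* bytes allocated */
};

/* Flawed policy as the report describes it: one Bsize step, however many
   bytes are about to be copied.  Returns the capacity that policy yields. */
size_t grow_fixed(size_t size)
{
    return size + Bsize;
}

/* Corrected policy: grow to at least len + add, rounded up to a Bsize
   multiple so the amortised behaviour stays similar.  Returns 0 on
   arithmetic overflow. */
size_t grow_to_fit(size_t len, size_t add)
{
    size_t need = len + add;
    if (need < len)
        return 0;
    return (need + Bsize - 1) / Bsize * Bsize;
}

/* 1 if a single fixed-increment resize leaves room for `add` more bytes in
   a buffer currently holding `len` of `size`; 0 if the copy would run past
   the end of the reallocated block (the kind of write valgrind flags). */
int fixed_growth_is_safe(size_t len, size_t add, size_t size)
{
    if (add <= size - len)          /* no resize needed at all */
        return 1;
    return add <= grow_fixed(size) - len;
}

/* Append `add` bytes, growing to fit first.  0 on success, -1 on failure. */
int loadbuf_safe(struct growbuf *b, const char *src, size_t add)
{
    if (add > b->size - b->len) {
        size_t ns = grow_to_fit(b->len, add);
        char *np;
        if (ns == 0)
            return -1;
        np = realloc(b->p, ns);
        if (np == NULL)
            return -1;
        b->p = np;
        b->size = ns;
    }
    memcpy(b->p + b->len, src, add);
    b->len += add;
    return 0;
}

/* Constructed scenario: a 640-byte block (the size in the valgrind report)
   that already holds 300 bytes receives a 470-byte header value.  Returns
   the capacity after a safe append, 0 on failure. */
size_t demo_long_header(void)
{
    struct growbuf b;
    char field[470];
    size_t final_size;

    b.p = malloc(640);
    if (b.p == NULL)
        return 0;
    b.size = 640;
    memset(b.p, 'x', 300);
    b.len = 300;
    memset(field, '0', sizeof field);   /* constructed header value */

    if (loadbuf_safe(&b, field, sizeof field) != 0) {
        free(b.p);
        return 0;
    }
    final_size = b.size;
    free(b.p);
    return final_size;
}

int main(void)
{
    printf("one Bsize step enough for 300+470 in 640? %s\n",
           fixed_growth_is_safe(300, 470, 640) ? "yes" : "no");
    printf("grow-to-fit capacity: %zu\n", demo_long_header());
    return 0;
}
```

In the constructed case a single step gives 768 bytes for 770 bytes of content, two bytes short, which is the shape of the "0 bytes after a block of size 640" write above; computing the full requirement before the realloc removes the dependence on how large the incoming field happens to be.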

Comment 12 errata-xmlrpc 2017-11-28 22:04:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3269 https://access.redhat.com/errata/RHSA-2017:3269

Comment 13 Stefan Cornelius 2017-11-29 19:29:41 UTC
Statement:

This issue affects the versions of procmail as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in the Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue affects the versions of procmail as shipped with Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 6 is now in the Production 3 Phase of the support and maintenance life cycle. This has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.