Bug 1547879
| Summary: | heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Leon <leon.zhao.7> | ||||
| Component: | freexl | Assignee: | Volker Fröhlich <volker27> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | rawhide | CC: | carnil, volker27 | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | freexl-1.0.5-1.fc26 freexl-1.0.5-1.el6 freexl-1.0.5-1.fc28 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-04-15 02:35:08 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Leon, did you inform the author too? Yes, I commit to mailing list: http://groups.google.com/group/spatialite-users, including all five FreeXL vulnerabilities freexl-1.0.5-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2eb691e7d7 freexl-1.0.5-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-9111777f91 freexl-1.0.5-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2ffe688829 freexl-1.0.5-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5573046c3b freexl-1.0.5-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5573046c3b freexl-1.0.5-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2ffe688829 freexl-1.0.5-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-9111777f91 freexl-1.0.5-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2eb691e7d7 Hi MITRE has assigned CVE-2018-7435 for this issue. Regards, Salvatore freexl-1.0.5-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. freexl-1.0.5-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. freexl-1.0.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. freexl-1.0.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report. freexl-1.0.5-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-62268d69c9 freexl-1.0.5-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-62268d69c9 freexl-1.0.5-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 1399206 [details] POC file that crashing FreeXL Description of problem: A heap-buffer-overflow vulnerability The destroy_cell function in FreeXL 1.0.4 may result a heap-buffer-overflow via a crafted xls file. Version-Release number of selected component (if applicable): 1.0.4 How reproducible: /examples/test_xl $POC Steps to Reproduce: /examples/test_xl $POC Actual results: Segmentation fault Expected results: Additional info: Ubuntu 16.04, x64 The output of test_xl with address sanitizer enabled ./test_xl /root/fuzz/freexl/freexl-freexl-1051-overflow ================================================================= ==10333==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efa0 at pc 0x000000408041 bp 0x7ffdc3d69ea0 sp 0x7ffdc3d69e90 READ of size 1 at 0x60200000efa0 thread T0 #0 0x408040 in destroy_cell /root/asan/freexl-1.0.4/src/freexl.c:1051 #1 0x4081e6 in destroy_sheet /root/asan/freexl-1.0.4/src/freexl.c:1080 #2 0x408ddc in destroy_workbook /root/asan/freexl-1.0.4/src/freexl.c:1195 #3 0x41bdae in common_open /root/asan/freexl-1.0.4/src/freexl.c:4222 #4 0x41be70 in freexl_open /root/asan/freexl-1.0.4/src/freexl.c:4231 #5 0x401709 in main /root/asan/freexl-1.0.4/examples/test_xl.c:84 #6 0x7faac352482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #7 0x4013a8 in _start (/root/asan/freexl-1.0.4/examples/test_xl+0x4013a8) 0x60200000efa0 is located 15 bytes to the right of 1-byte region [0x60200000ef90,0x60200000ef91) allocated by thread T0 here: #0 0x7faac3c6f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x408507 in allocate_cells /root/asan/freexl-1.0.4/src/freexl.c:1113 #2 0x411556 in read_legacy_biff /root/asan/freexl-1.0.4/src/freexl.c:2493 #3 0x41b2f5 in common_open /root/asan/freexl-1.0.4/src/freexl.c:4084 #4 0x41be70 in freexl_open /root/asan/freexl-1.0.4/src/freexl.c:4231 #5 0x401709 in main /root/asan/freexl-1.0.4/examples/test_xl.c:84 #6 0x7faac352482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: heap-buffer-overflow /root/asan/freexl-1.0.4/src/freexl.c:1051 destroy_cell Shadow bytes around the buggy address: 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 02 =>0x0c047fff9df0: fa fa 01 fa[fa]fa 00 02 fa fa 01 fa fa fa fd fd 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==10333==ABORTING