Bug 1547885

Summary: heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
Product: [Fedora] Fedora Reporter: Leon <leon.zhao.7>
Component: freexlAssignee: Volker Fröhlich <volker27>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: carnil, volker27
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: freexl-1.0.5-1.fc26 freexl-1.0.5-1.el6 freexl-1.0.5-1.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-15 02:35:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
POC file that crashing FreeXL in freexl.c:1866 parse_SST none

Description Leon 2018-02-22 08:28:04 UTC
Created attachment 1399222 [details]
POC file that crashing FreeXL in freexl.c:1866 parse_SST

Description of problem:
The freexl.c:1866 parse_SST function in FreeXL 1.0.4 may result a heap-buffer-overflow via a crafted xls file.

Version-Release number of selected component (if applicable):
1.0.4

How reproducible:
/examples/test_xl $POC

Steps to Reproduce:
/examples/test_xl $POC

Actual results:
Segmentation fault

Expected results:


Additional info:
The output of test_xl with address sanitizer enabled

./test_xl /root/fuzz/freexl/freexl-freexl-1866-overflow 
=================================================================
==17075==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100001a53b at pc 0x00000040d5c7 bp 0x7ffd00ce4940 sp 0x7ffd00ce4930
READ of size 2 at 0x63100001a53b thread T0
    #0 0x40d5c6 in parse_SST /root/asan/freexl-1.0.4/src/freexl.c:1866
    #1 0x414660 in parse_biff_record /root/asan/freexl-1.0.4/src/freexl.c:3017
    #2 0x419afe in read_biff_next_record /root/asan/freexl-1.0.4/src/freexl.c:3867
    #3 0x41b59c in common_open /root/asan/freexl-1.0.4/src/freexl.c:4131
    #4 0x41be70 in freexl_open /root/asan/freexl-1.0.4/src/freexl.c:4231
    #5 0x401709 in main /root/asan/freexl-1.0.4/examples/test_xl.c:84
    #6 0x7f7f169d682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x4013a8 in _start (/root/asan/freexl-1.0.4/examples/test_xl+0x4013a8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/asan/freexl-1.0.4/src/freexl.c:1866 parse_SST
Shadow bytes around the buggy address:
  0x0c627fffb450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c627fffb4a0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c627fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffb4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffb4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffb4e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffb4f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==17075==ABORTING

Weiran Labs, Zhaoliang
leon.zhao.7@gmail.com

Comment 1 Fedora Update System 2018-02-22 23:37:49 UTC
freexl-1.0.5-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2eb691e7d7

Comment 2 Fedora Update System 2018-02-22 23:38:11 UTC
freexl-1.0.5-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-9111777f91

Comment 3 Fedora Update System 2018-02-23 08:54:33 UTC
freexl-1.0.5-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2ffe688829

Comment 4 Fedora Update System 2018-02-23 08:54:50 UTC
freexl-1.0.5-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5573046c3b

Comment 5 Fedora Update System 2018-02-23 16:27:32 UTC
freexl-1.0.5-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5573046c3b

Comment 6 Fedora Update System 2018-02-23 16:29:53 UTC
freexl-1.0.5-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2ffe688829

Comment 7 Fedora Update System 2018-02-23 16:30:56 UTC
freexl-1.0.5-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-9111777f91

Comment 8 Fedora Update System 2018-02-23 16:57:54 UTC
freexl-1.0.5-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2eb691e7d7

Comment 9 Salvatore Bonaccorso 2018-02-23 21:08:43 UTC
Hi

MITRE has assigned CVE-2018-7437 for this issue.

Regards,
Salvatore

Comment 10 Fedora Update System 2018-03-06 17:23:35 UTC
freexl-1.0.5-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2018-03-06 17:29:45 UTC
freexl-1.0.5-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2018-03-11 19:44:24 UTC
freexl-1.0.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2018-03-13 17:07:49 UTC
freexl-1.0.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2018-04-08 20:36:46 UTC
freexl-1.0.5-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-62268d69c9

Comment 15 Fedora Update System 2018-04-09 21:53:59 UTC
freexl-1.0.5-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-62268d69c9

Comment 16 Fedora Update System 2018-04-15 02:35:13 UTC
freexl-1.0.5-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.