Bug 1608159 (CVE-2018-14346)

Summary: CVE-2018-14346 libextractor: Stack-based buffer overflow in unzip.c:ec_read_file_func() allows for denial of service
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: low
Priority: low
Version: unspecified
CC: gwync, rh-bugzilla, sheltren
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libextractor 1.7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-06-10 10:34:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1608160

Description Sam Fowler 2018-07-25 05:13:24 UTC
GNU Libextractor before version 1.7 is vulnerable to a stack-based buffer overflow in the unzip.c:ec_read_file_func() function. An attacker could exploit this to cause a denial of service via a crafted file.


Reference:

http://lists.gnu.org/archive/html/bug-libextractor/2018-07/msg00001.html


Upstream Patch:

https://gnunet.org/git/libextractor.git/commit/?id=ad19e7fe0adc99d5710eff1ed48d91a7b75a950e

Comment 1 Sam Fowler 2018-07-25 05:13:46 UTC
Created libextractor tracking bugs for this issue:

Affects: fedora-all [bug 1608160]

Comment 2 Sam Fowler 2018-07-25 05:17:00 UTC
Reproduced with libextractor-1.6-4.fc28.x86_64:

# ASAN_OPTIONS=detect_leaks=0 libextractor-extract binhsQxywt6QK.bin 
Keywords for file binhsQxywt6QK.bin:
mimetype - audio/ogg
=================================================================
=================================================================
==74==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd43b98fa4 at pc 0x7f3839ebf30d bp 0x7ffd43b98a60 sp 0x7ffd43b98208
WRITE of size 1028 at 0x7ffd43b98fa4 thread T0
==64==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd43b98f34 at pc 0x7f3839ebf30d bp 0x7ffd43b989f0 sp 0x7ffd43b98198
WRITE of size 1028 at 0x7ffd43b98f34 thread T0
    #0 0x7f3839ebf30c  (/usr/lib64/libasan.so.5+0x4030c)
    #0 0x7f3839ebf30c  (/usr/lib64/libasan.so.5+0x4030c)
    #1 0x7f38293cab74 in ec_read_file_func /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:1353
    #2 0x7f38293c5fa3 in locate_central_directory /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:492
    #3 0x7f38293c7484 in unzip_open_using_ffd /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:740
    #4 0x7f38293cae3e in EXTRACTOR_common_unzip_open /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:1413
    #1 0x7f38293c8b74 in ec_read_file_func /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:1353
    #5 0x7f38295cdd8b in EXTRACTOR_zip_extract_method zip_extractor.c:44
    #2 0x7f38293c3fa3 in locate_central_directory /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:492
    #3 0x7f38293c5484 in unzip_open_using_ffd /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:740
    #4 0x7f38293c8e3e in EXTRACTOR_common_unzip_open /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:1413
    #6 0x7f3839c67fcb in handle_start_message extractor_plugin_main.c:480
    #7 0x7f3839c68369 in process_requests extractor_plugin_main.c:531
    #8 0x7f3839c68764 in EXTRACTOR_plugin_main_ extractor_plugin_main.c:632
    #5 0x7f38295ccd68 in EXTRACTOR_odf_extract_method odf_extractor.c:167
    #9 0x7f3839c60fe4 in EXTRACTOR_IPC_channel_create_ extractor_ipc_gnu.c:352
    #6 0x7f3839c67fcb in handle_start_message extractor_plugin_main.c:480
    #7 0x7f3839c68369 in process_requests extractor_plugin_main.c:531
    #10 0x7f3839c6a914 in EXTRACTOR_extract extractor.c:659
    #8 0x7f3839c68764 in EXTRACTOR_plugin_main_ extractor_plugin_main.c:632
    #11 0x404716  (/usr/bin/libextractor-extract+0x404716)
    #12 0x7f38398b218a in __libc_start_main (/usr/lib64/libc.so.6+0x2318a)
    #9 0x7f3839c60fe4 in EXTRACTOR_IPC_channel_create_ extractor_ipc_gnu.c:352
    #13 0x4016f9  (/usr/bin/libextractor-extract+0x4016f9)
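The bug class named in the summary and visible in the trace above (a read callback writing a caller-requested length, 1028 bytes here, into a fixed-size stack buffer), as an added illustration that is not libextractor's code: it does not reproduce the real unzip.c logic or the upstream patch. The callback names `read_unchecked`/`read_checked`, the 16-byte stack buffer and the sample bytes are constructed for this example. The point it shows is general: whatever function performs the copy must receive the destination's capacity and clamp to it, rather than trusting that the request fits.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the bytes of an input file; hypothetical data,
 * not a real archive and not the reporter's test file. */
static const unsigned char sample_file[] =
    "PK\x03\x04 constructed sample bytes standing in for an archive";

/* Hypothetical read callback in the shape the bug class implies: the caller
 * hands over a destination and a requested length and the callback copies up
 * to that many bytes. The copy is bounded by the source only, so a request
 * larger than the caller's (stack) buffer writes past its end. Kept here for
 * contrast; nothing below calls it with an oversized request. */
size_t read_unchecked(const unsigned char *src, size_t src_len,
                      size_t offset, void *dest, size_t requested)
{
    if (offset >= src_len)
        return 0;
    size_t avail = src_len - offset;
    size_t n = requested < avail ? requested : avail;
    memcpy(dest, src + offset, n);   /* bounded by the source, not by dest */
    return n;
}

/* Hardened variant: the destination capacity is an explicit parameter and the
 * copy length is the minimum of the request, the remaining source bytes and
 * that capacity, so the caller's buffer size is always honoured. */
size_t read_checked(const unsigned char *src, size_t src_len,
                    size_t offset, void *dest, size_t dest_cap,
                    size_t requested)
{
    if (dest == NULL || offset >= src_len)
        return 0;
    size_t n = requested;
    if (n > dest_cap)
        n = dest_cap;
    size_t avail = src_len - offset;
    if (n > avail)
        n = avail;
    memcpy(dest, src + offset, n);
    return n;
}

/* Mirrors the caller pattern in the trace: a fixed-size buffer on the stack
 * filled by the read callback. Returns the number of bytes stored; a request
 * of any size (the trace shows 1028) can never store more than 16 here. */
size_t fill_stack_buffer_checked(size_t requested, size_t offset)
{
    unsigned char buf[16];
    return read_checked(sample_file, sizeof sample_file, offset,
                        buf, sizeof buf, requested);
}

/* Same caller with the unchecked callback, asking for at most the buffer
 * size: the unchecked variant is fine only while every caller is careful,
 * which is exactly what cannot be relied on with attacker-controlled input. */
size_t fill_stack_buffer_unchecked_small(size_t offset)
{
    unsigned char buf[16];
    return read_unchecked(sample_file, sizeof sample_file, offset,
                          buf, sizeof buf);
}

/* Returns 1 when the clamped fill still delivered the first source bytes. */
int checked_fill_keeps_content(void)
{
    unsigned char buf[16];
    size_t n = read_checked(sample_file, sizeof sample_file, 0,
                            buf, sizeof buf, 1028);
    return n == sizeof buf && buf[0] == 'P' && buf[1] == 'K';
}

int main(void)
{
    printf("request 1028 into 16-byte stack buffer: stored %zu bytes\n",
           fill_stack_buffer_checked(1028, 0));
    printf("request 8: stored %zu bytes\n", fill_stack_buffer_checked(8, 0));
    printf("offset past end: stored %zu bytes\n",
           fill_stack_buffer_checked(8, 100000));
    return 0;
}
```

Compiling this with `-fsanitize=address` and calling `read_unchecked` with a request larger than the destination reproduces the same ASAN `stack-buffer-overflow` WRITE report shape seen in the comment above, which is the check to run on any read callback that takes a length but no capacity.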

Comment 3 Product Security DevOps Team 2019-06-10 10:34:18 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.