Bug 1610169 (CVE-2018-14447)

Summary: CVE-2018-14447 libconfuse: Out-of-bounds read in src/lexer.l:trim_whitespace()
Product: [Other] Security Response
Component: vulnerability
Reporter: Sam Fowler <sfowler>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: fedora, gwync, jarodwilson
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-06-10 10:34:34 UTC
Bug Depends On: 1610170, 1610171, 1610172

Description Sam Fowler 2018-07-31 06:00:26 UTC
libConfuse through version 3.2.1 is vulnerable to an out-of-bounds read in the src/lexer.l:trim_whitespace() function. An attacker could exploit this to cause a denial of service via a crafted config file.


Upstream Issue:

https://github.com/martinh/libconfuse/issues/109
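An added illustration of the bug class, not the libconfuse source and not the reporter's code: a whitespace-trimming scan that tests each byte before checking that its index is still inside the token, beside a bounded rewrite. The function and variable names (span_unsafe, span_safe, trim_safe, peek, oob_reads) are hypothetical. Byte reads go through a small bounds-checking accessor that counts an out-of-bounds access instead of performing it, so the faulty read shows up as a counter rather than as a crash or an ASan report. The AddressSanitizer trace in Comment 2 reports a 1-byte read 0 bytes past the end of a 32-byte heap region, which is the same kind of off-the-end read the unsafe scan below makes on a blank or empty token.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Number of byte reads that fell outside [buf, buf + len). */
static int oob_reads;

/* Bounds-checked byte read standing in for AddressSanitizer: instead of
 * dereferencing outside the buffer it counts the access and returns 0, so
 * the callers' loops still terminate deterministically. */
static int peek(const char *buf, size_t len, long idx)
{
    if (idx < 0 || (size_t)idx >= len) {
        oob_reads++;
        return 0;
    }
    return (unsigned char)buf[idx];
}

/* Vulnerable pattern (hypothetical; mimics the bug class, not libconfuse):
 * each scan tests the byte first and only then moves the index, so nothing
 * stops the index from leaving the buffer.  For an all-whitespace or empty
 * token the forward scan reads str[len] (one byte past the allocation, as in
 * the ASan report) and the backward scan reads str[-1]; with a real pointer
 * and an unsigned index the latter wraps to a huge offset. */
static void span_unsafe(const char *str, size_t len, long *start, long *end)
{
    *start = 0;
    *end = (long)len - 1;
    while (isspace(peek(str, len, *start)))
        (*start)++;
    while (isspace(peek(str, len, *end)))
        (*end)--;
}

/* Hardened version: every read is preceded by an index check, and the
 * backward scan can never pass the forward one, so an empty or blank token
 * yields an empty span without touching str[-1] or str[len]. */
static void span_safe(const char *str, size_t len, long *start, long *end)
{
    *start = 0;
    *end = (long)len - 1;
    while (*start < (long)len && isspace(peek(str, len, *start)))
        (*start)++;
    while (*end >= *start && isspace(peek(str, len, *end)))
        (*end)--;
}

/* In-place trim built on span_safe(); returns the trimmed length.
 * str must have room for a terminating NUL at str[len] (a C string does). */
static size_t trim_safe(char *str, size_t len)
{
    long start, end;
    size_t n;

    span_safe(str, len, &start, &end);
    if (end < start) {          /* nothing but whitespace */
        str[0] = '\0';
        return 0;
    }
    n = (size_t)(end - start + 1);
    memmove(str, str + start, n);
    str[n] = '\0';
    return n;
}

/* Runs one token through the vulnerable scanner and reports how many reads
 * left the buffer; 0 means the input did not trigger the bug. */
static int oob_reads_for(const char *token)
{
    long s, e;

    oob_reads = 0;
    span_unsafe(token, strlen(token), &s, &e);
    return oob_reads;
}

int main(void)
{
    /* Constructed sample tokens: a normal value and a blank one. */
    char value[] = "  example.invalid  ";
    const char *blank = "   ";

    printf("unsafe scan, normal token: %d out-of-bounds reads\n",
           oob_reads_for(value));
    printf("unsafe scan, blank token:  %d out-of-bounds reads\n",
           oob_reads_for(blank));
    oob_reads = 0;
    printf("safe trim: \"%s\" (%zu bytes), %d out-of-bounds reads\n",
           value, trim_safe(value, strlen(value)), oob_reads);
    return 0;
}
```

The instrumented accessor is the point of the exercise: with a real pointer the unsafe backward scan would not report anything on ordinary inputs and would only fault on a blank token, which is why this class of bug survives until a fuzzer or a sanitizer build hits it. When auditing a lexer, look for any loop whose continue condition reads the byte before comparing the index against the length.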

Comment 1 Sam Fowler 2018-07-31 06:00:54 UTC
Created libconfuse tracking bugs for this issue:

Affects: epel-all [bug 1610172]
Affects: fedora-all [bug 1610170]


Created mingw-libconfuse tracking bugs for this issue:

Affects: fedora-all [bug 1610171]

Comment 2 Sam Fowler 2018-07-31 06:04:34 UTC
Reproduced on f28 with libconfuse-3.2.1-2.fc28.x86_64

Using /usr/share/doc/libconfuse-devel/examples/simple.c from libconfuse-devel-3.2.1-2.fc28.x86_64

# mv libconfuse_poc.txt simple.conf
# gcc simple.c -lconfuse -fsanitize=address
# ./a.out 
=================================================================
==93==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000060 at pc 0x7f0b4158143f bp 0x7ffd0ddf3920 sp 0x7ffd0ddf3910
READ of size 1 at 0x603000000060 thread T0
    #0 0x7f0b4158143e in trim_whitespace /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/lexer.l:398
    #1 0x7f0b41581774 in qend /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/lexer.l:420
    #2 0x7f0b4157c4b4 in cfg_yylex /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/lexer.l:106
    #3 0x7f0b4157588e in cfg_parse_internal /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/confuse.c:1060
    #4 0x7f0b41576f6a in cfg_parse_fp /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/confuse.c:1437
    #5 0x7f0b415774d3 in cfg_parse /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/confuse.c:1530
    #6 0x4010bb in main (/builddir/a.out+0x4010bb)
    #7 0x7f0b411cd24a in __libc_start_main (/lib64/libc.so.6+0x2324a)
    #8 0x400b59 in _start (/builddir/a.out+0x400b59)

0x603000000060 is located 0 bytes to the right of 32-byte region [0x603000000040,0x603000000060)
allocated by thread T0 here:
    #0 0x7f0b41878088 in __interceptor_realloc (/lib64/libasan.so.5+0xef088)
    #1 0x7f0b4158119c in qputc /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/lexer.l:366
    #2 0x7f0b41581312 in qput /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/lexer.l:382
    #3 0x7f0b4157c496 in cfg_yylex /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/lexer.l:105
    #4 0x7f0b4157588e in cfg_parse_internal /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/confuse.c:1060
    #5 0x7f0b41576f6a in cfg_parse_fp /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/confuse.c:1437
    #6 0x7f0b415774d3 in cfg_parse /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/confuse.c:1530
    #7 0x4010bb in main (/builddir/a.out+0x4010bb)
    #8 0x7f0b411cd24a in __libc_start_main (/lib64/libc.so.6+0x2324a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/libconfuse-3.2.1-2.fc28.x86_64/src/lexer.l:398 in trim_whitespace
Shadow bytes around the buggy address:
  0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00 00 fa fa 00 00 00 00[fa]fa fa fa
  0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==93==ABORTING

Comment 3 Product Security DevOps Team 2019-06-10 10:34:34 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.