Bug 1610887 (CVE-2018-10922)

Summary: CVE-2018-10922 ttembed: use of untrusted length field may lead to denial of service
Product: [Other] Security Response Reporter: Scott Gayou <sgayou>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: frenaud, nick, pvoborni, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An input validation flaw exists in ttembed. With a crafted input file, an attacker may be able to trigger a denial of service condition due to ttembed trusting attacker controlled values.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:34:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1611681, 1611682, 1611683    
Bug Blocks: 1608880, 1610916    

Description Scott Gayou 2018-08-01 14:41:46 UTC 
A failure to validate an untrusted length field could potentially lead to a denial of service condition.
Comment 1 Scott Gayou 2018-08-01 14:41:49 UTC 
Acknowledgments:

Name: Scott Gayou (Red Hat)
Comment 3 Scott Gayou 2018-08-01 14:52:10 UTC 
time ttembed hang.useme 

real	13m6.415s
user	3m47.487s
sys	9m16.191s
Comment 6 Scott Gayou 2018-08-02 15:45:56 UTC 
Unembargoed due to very low impact. Upstream notified.
Comment 7 Scott Gayou 2018-08-02 15:47:38 UTC 
Created ttembed tracking bugs for this issue:

Affects: fedora-all [bug 1611683]
Comment 9 Scott Gayou 2018-08-02 16:16:15 UTC 
Upstream Issue:

https://github.com/hisdeedsaredust/ttembed/issues/2
Comment 10 Scott Gayou 2018-08-02 16:25:36 UTC 
If a large length (0x7fffffff) is parsed by ttembed, the following loop will run for quite a long time causing a denial of service:

    for (x=length;x>0;x-=4)
        sum += readbe32(inways);

As readbe32 calls fgetc four times, this results in roughly 8589934588 calls to fgetc. On my computer, it takes ttembed around 13 minutes to finish looping.

time ttembed hang.useme 


real	13m6.415s
user	3m47.487s
sys	9m16.191s

Instead of looping forever, the code should fail as soon as readbe32 detects an EOF, else, the program should verify the bounds of the program and bail out when size > actual size of the file.