Bug 1959585 (CVE-2021-3548)

Summary: CVE-2021-3548 dmg2img: OOB in dmg2img.c memcpy() causing undefined behavior
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: lemenkov, lkundrak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in dmg2img through 20170502. dmg2img did not validate the size of the read buffer during memcpy() inside the main() function. This possibly leads to memory layout information leaking in the data. This might be used in a chain of vulnerability in order to reach code execution.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-13 02:33:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1959587    
Bug Blocks: 1955789, 1959678    

Description Cedric Buissart 2021-05-11 20:15:09 UTC
dmg2img did not validate the size of the read buffer during memcpy() inside the main() function. This possibly leads to memory layout information leaking in the data. This might be used in a chain of vulnerability in order to reach code execution.

The vulnerability appears at the following code :

```
memcpy(parts[i].Data, base64data + 0xCC, parts[i].BlocksRunCount * 0x28);
```


An attacker could request a specially crafted DMG image to be converted by the dmg2img command. The attacker has the ability to control the size of the memcpy(), via `parts[i].BlocksRunCount` thus forcing an OOB read, and memory information to be written in the parts[i].Data allocation, or possibly crashing the command.


Upstream bug report :
https://github.com/Lekensteyn/dmg2img/issues/9

Comment 1 Cedric Buissart 2021-05-11 20:15:36 UTC
Created dmg2img tracking bugs for this issue:

Affects: fedora-all [bug 1959587]

Comment 2 Cedric Buissart 2021-05-11 20:15:53 UTC
Acknowledgments:

Name: Anshunkang Zhou

Comment 4 Product Security DevOps Team 2021-05-13 02:33:47 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.