Bug 831322 (CVE-2010-5109)
| Field | Value |
|---|---|
| Summary | [PATCH] fix possible buffer overflow |
| Product | Fedora |
| Component | libytnef |
| Version | rawhide |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Igor Vlasenko <viy> |
| Assignee | Andreas Bierfert <andreas.bierfert> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | andreas.bierfert, ppisar |
| Hardware | Unspecified |
| OS | Unspecified |
| URL | http://sourceforge.net/tracker/?func=detail&aid=2949686&group_id=70352&atid=527487 |
| Clones | 838449 (view as bug list) |
| Type | Bug |
| Doc Type | Bug Fix |
| Last Closed | 2012-07-14 21:53:07 UTC |
| Attachments | 591258 (proposed patch to fix possible buffer overflows), 596239 (better fix for the heap overflow) |
The comp_Prebuf.data[] is never accessed beyond the end. I think it is more suitable to do memcpy() instead of strcpy(), to copy comp_Prebuf.size bytes only, without the trailing zero. Actually, comp_Prebuf.data is never freed, which leaks memory.

This issue has already been tracked by upstream: <http://sourceforge.net/tracker/?func=detail&aid=2949686&group_id=70352&atid=527487>.

Reproducer:

(1) Obtain a TNEF archive with a binary document (e.g. the winmail.dat from <http://sourceforge.net/tracker/?func=detail&aid=756215&group_id=70352&atid=533948>).

(2) Explore the archive with the ytnefprint tool (from the ytnef package), which uses the libytnef library:

```
$ ytnefprint winmail.dat
Attempting to parse winmail.dat...
---> In TNEF1.0 format
Message Priority: normal
Date Received: Tuesday June 17, 2003 10:23:00 am
Message Class: IPM.Microsoft Mail.Note
MAPI Properties: 39
  #0: Type: [ BOOLEAN ] Code: [PR_ALTERNATE_RECIPIENT_ALLOWED] Size: 4 Value: True
  #1: Type: [ BOOLEAN ] Code: [PR_ORIGINATOR_DELIVERY_REPORT_REQUESTED] Size: 4 Value: False
  #2: Type: [ LONG ] Code: [PR_PRIORITY] Size: 4 Value: 0
  #3: Type: [ BOOLEAN ] Code: [PR_READ_RECEIPT_REQUESTED] Size: 4 Value: False
  #4: Type: [ LONG ] Code: [PR_SENSITIVITY] Size: 4 Value: 0
  #5: Type: [ STRING8 ] Code: [PR_CONVERSATION_TOPIC] Size: 5 Value: [test]
  #6: Type: [ BINARY ] Code: [PR_CONVERSATION_INDEX] Size: 22 Value: [..4.p...s,j~O...I....L]
  #7: Type: [ BINARY ] Code: [PR_SENDER_SEARCH_KEY] Size: 26 Value: [SMTP:JGERLAND.]
  #8: Type: [ BOOLEAN ] Code: [PR_DELETE_AFTER_SUBMIT] Size: 4 Value: False
  #9: Type: [SYS TIME ] Code: [PR_MESSAGE_DELIVERY_TIME] Size: 8 Value: Tuesday June 17, 2003 3:23:00 pm
  #10: Type: [ BINARY ] Code: [PR_SENTMAIL_ENTRYID] Size: 24 Value: [......3.v#'N..I..G......]
  #11: Type: [ LONG ] Code: [PR_SUBMIT_FLAGS] Size: 4 Value: 0
  #12: Type: [ BOOLEAN ] Code: [PR_RTF_IN_SYNC] Size: 4 Value: True
  #13: Type: [ BINARY ] Code: [PR_RTF_COMPRESSED] Size: 217
Detected Compressed RTF.
Decompressed text follows
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
*** buffer overflow detected ***: ytnefprint terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3045708af7]
/lib64/libc.so.6[0x3045706a70]
/usr/lib64/libytnef.so.0(DecompressRTF+0x3a)[0x3045a0470a]
/usr/lib64/libytnef.so.0(MAPIPrint+0x4c8)[0x3045a04e08]
ytnefprint[0x4010e9]
ytnefprint[0x400909]
/lib64/libc.so.6(__libc_start_main+0xed)[0x304562169d]
ytnefprint[0x40097d]
```

One needs to configure with CFLAGS='-O2 -g -Wp,-D_FORTIFY_SOURCE=2' to provoke the abort.

Created attachment 596239 [details]
Better fix for the heap overflow
This fixes the bug by copying only needed bytes.
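To make the two points of this thread concrete (strcpy into a strlen-sized allocation writes one byte too many, and the prebuf only ever needs to be `.size` bytes because the decompressor reads it by size, not by terminator), here is an added example in C. It is not libytnef's code and not taken from either attachment. It assumes a shortened stand-in for RTF_PREBUF (the real initial dictionary is 207 bytes), a `sized_buf` type that mirrors the data/size pair libytnef passes around, the LZFu token layout as described in Microsoft's Compressed RTF specification (12-bit dictionary offset, 4-bit length minus 2, a reference to the current write position as the end marker), and a hand-constructed compressed sample. `strcpy_clobbers_canary` reproduces the original calloc(strlen)/strcpy pattern against a deliberately oversized allocation with a canary byte, so the one-byte overrun is observable without undefined behaviour; `make_prebuf` is the memcpy-only fix; `lzfu_decompress` seeds its dictionary from exactly `.size` bytes.

```c
/* Added example, not libytnef code: the one-byte overrun in the RTF_PREBUF
 * setup, a canary check that observes it deterministically, and a minimal
 * LZFu-style decoder that consumes the prebuf by its .size field only.
 * RTF_PREBUF is a shortened stand-in (the real one is 207 bytes) and the
 * compressed sample is constructed by hand; both are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DICT_SIZE 4096

/* 42 bytes; the decoder never needs the NUL the string literal carries. */
static const char RTF_PREBUF[] = "{\\rtf1\\ansi\\mac\\deff0\\deftab720{\\fonttbl;}";

/* Shape of libytnef's data/size pair; the name is this example's own. */
typedef struct { unsigned char *data; size_t size; } sized_buf;

/* Original pattern: calloc(strlen(s), 1) then strcpy(), which writes
 * strlen(s)+1 bytes.  To observe that without undefined behaviour, allocate
 * one spare byte, plant a canary there and report whether the copy hit it.
 * Returns 1 when the canary was overwritten (the bug), 0 otherwise. */
static int strcpy_clobbers_canary(void)
{
    size_t size = strlen(RTF_PREBUF);
    unsigned char *buf = calloc(size + 1, 1);   /* +1 only hosts the canary */
    if (!buf) return -1;
    buf[size] = 0xAA;                           /* first byte past "size" */
    strcpy((char *)buf, RTF_PREBUF);            /* the NUL lands on buf[size] */
    int clobbered = buf[size] != 0xAA;
    free(buf);
    return clobbered;
}

/* Fix in the spirit of attachment 596239: copy exactly .size bytes. */
static sized_buf make_prebuf(void)
{
    sized_buf b = { NULL, strlen(RTF_PREBUF) };
    b.data = malloc(b.size);
    if (b.data) memcpy(b.data, RTF_PREBUF, b.size);
    return b;
}

/* LZFu: 16-byte header (compressed size, raw size, "LZFu", CRC), then control
 * bytes whose bits (LSB first) pick a literal (0) or a 2-byte reference (1)
 * carrying a 12-bit dictionary offset and a 4-bit length-2; a reference whose
 * offset equals the write position ends the stream.  The dictionary is seeded
 * from prebuf->data[0..size).  Returns bytes written, or -1 on a bad stream. */
static long lzfu_decompress(const sized_buf *prebuf, const uint8_t *in,
                            size_t inlen, unsigned char *out, size_t outcap)
{
    if (inlen < 16 || memcmp(in + 8, "LZFu", 4) != 0) return -1;
    size_t raw = in[4] | in[5] << 8 | in[6] << 16 | (size_t)in[7] << 24;
    if (prebuf->size > DICT_SIZE || raw > outcap) return -1;
    unsigned char dict[DICT_SIZE] = {0};
    memcpy(dict, prebuf->data, prebuf->size);   /* only .size bytes are read */
    size_t wp = prebuf->size, ip = 16, op = 0;
    while (ip < inlen) {
        unsigned ctl = in[ip++];
        for (int bit = 0; bit < 8 && ip < inlen; bit++, ctl >>= 1) {
            if (!(ctl & 1)) {                       /* literal byte */
                if (op >= raw) return -1;
                out[op++] = dict[wp] = in[ip++];
                wp = (wp + 1) % DICT_SIZE;
                continue;
            }
            if (ip + 1 >= inlen) return -1;
            size_t off = (size_t)in[ip] << 4 | in[ip + 1] >> 4;
            size_t len = (in[ip + 1] & 0x0F) + 2;
            ip += 2;
            if (off == wp) return (long)op;         /* end marker */
            while (len--) {                         /* overlapping copy is legal */
                if (op >= raw) return -1;
                out[op++] = dict[wp] = dict[off];
                off = (off + 1) % DICT_SIZE;
                wp = (wp + 1) % DICT_SIZE;
            }
        }
    }
    return (long)op;
}

/* Constructed sample: reference "{\rtf1" (offset 0, length 6) from the seeded
 * dictionary, four literals, then the end marker (offset 52 == write position
 * 42 + 6 + 4). */
static const uint8_t SAMPLE_LZFU[] = {
    21, 0, 0, 0,                /* compressed size: bytes after this field */
    10, 0, 0, 0,                /* raw size */
    'L', 'Z', 'F', 'u',
    0, 0, 0, 0,                 /* CRC, not checked in this example */
    0x21,                       /* bit0 = ref, bits1-4 = literals, bit5 = ref */
    0x00, 0x04,                 /* offset 0x000, length 4 + 2 */
    ' ', 'h', 'i', '}',
    0x03, 0x40                  /* offset 0x034 = 52: end marker */
};

/* Decodes the sample with the memcpy'd prebuf; 1 on "{\rtf1 hi}", else 0. */
static int sample_decodes_ok(void)
{
    sized_buf pb = make_prebuf();
    unsigned char out[64];
    if (!pb.data) return 0;
    long n = lzfu_decompress(&pb, SAMPLE_LZFU, sizeof SAMPLE_LZFU, out, sizeof out);
    free(pb.data);                              /* the original never freed it */
    return n == 10 && memcmp(out, "{\\rtf1 hi}", 10) == 0;
}
```

The decoder stops at the end marker or when the input runs out and refuses to write past the declared raw size or the caller's buffer; the prebuf it is handed has no terminator and never needs one, which is the reason the memcpy fix with the original allocation size is sufficient.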
libytnef-1.5-8.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/libytnef-1.5-8.fc17

libytnef-1.5-8.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/libytnef-1.5-8.fc16

Package libytnef-1.5-8.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libytnef-1.5-8.fc17'
as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10250/libytnef-1.5-8.fc17 then log in and leave karma (feedback).

libytnef-1.5-8.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

libytnef-1.5-8.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Added CVE as per http://openwall.com/lists/oss-security/2013/04/11/1
Created attachment 591258 [details]
proposed patch to fix possible buffer overflows.

Description of problem: compiler warning: call ... will always overflow destination buffer. Indeed, there is a trivial bug in the code: no space is reserved for the trailing \0. Patch to fix:

--- libytnef-1.5/ytnef.c 2004-08-26 17:09:05.000000000 +0000 +++ libytnef-1.5/ytnef.c 2012-06-08 19:34:07.826123387 +0000 @@ -1327,7 +1327,7 @@ ULONG compressedSize, uncompressedSize, magic, crc32; comp_Prebuf.size = strlen(RTF_PREBUF); - comp_Prebuf.data = calloc(comp_Prebuf.size, 1); + comp_Prebuf.data = calloc(comp_Prebuf.size+1, 1); strcpy(comp_Prebuf.data, RTF_PREBUF); src = p->data;

Version-Release number of selected component (if applicable): libytnef-1.5-7.fc17
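Review bot: The +1 in calloc(comp_Prebuf.size+1, 1) makes room for the NUL that strcpy writes, so the one-byte heap overrun is gone, but the copy is still a strcpy of a string whose length the code already holds in comp_Prebuf.size; keeping the original calloc(comp_Prebuf.size, 1) and replacing strcpy with memcpy(comp_Prebuf.data, RTF_PREBUF, comp_Prebuf.size) would remove the dependency on a terminator and keep the buffer exactly .size bytes, which is the only extent the decompressor reads (the follow-up comment notes that comp_Prebuf.data is never accessed beyond the end). Independently of which fix is taken, comp_Prebuf.data is allocated on every call and nothing in this hunk frees it, so the function still leaks one allocation per decompressed RTF body, as that same comment points out.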