Bug 831322 (CVE-2010-5109)

Summary: [PATCH] fix possible buffer overflow
Product: [Fedora] Fedora Reporter: Igor Vlasenko <viy>
Component: libytnefAssignee: Andreas Bierfert <andreas.bierfert>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: andreas.bierfert, ppisar
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: http://sourceforge.net/tracker/?func=detail&aid=2949686&group_id=70352&atid=527487
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 838449 (view as bug list) Environment:
Last Closed: 2012-07-14 17:53:07 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
proposed patch to fix possible buffer overflows.
none
Better fix for the heap overflow none

Description Igor Vlasenko 2012-06-12 15:03:45 EDT
Created attachment 591258 [details]
proposed patch to fix possible buffer overflows.

Description of problem:
compiler warning: call ... will always overflow destination buffer.
indeed, there is a trivial bug in the code, no space is reserved for trailing \0.
patch to fix:
--- libytnef-1.5/ytnef.c        2004-08-26 17:09:05.000000000 +0000
+++ libytnef-1.5/ytnef.c        2012-06-08 19:34:07.826123387 +0000
@@ -1327,7 +1327,7 @@
     ULONG compressedSize, uncompressedSize, magic, crc32;
 
     comp_Prebuf.size = strlen(RTF_PREBUF);
-    comp_Prebuf.data = calloc(comp_Prebuf.size, 1);
+    comp_Prebuf.data = calloc(comp_Prebuf.size+1, 1);
     strcpy(comp_Prebuf.data, RTF_PREBUF);
 
     src = p->data;


Version-Release number of selected component (if applicable):
libytnef-1.5-7.fc17
Comment 1 Petr Pisar 2012-07-04 09:59:40 EDT
The comp_Prebuf.data[] is never accessed beyond the end. I think more suitable is do memcpy() instead of strcpy() to copy comp_Prebuf.size only bytes without the trailing zero.

Actually the comp_Prebuf.data is never freed which leaks memory.
Comment 2 Petr Pisar 2012-07-04 10:07:56 EDT
This issue has been already tracked by upstream <http://sourceforge.net/tracker/?func=detail&aid=2949686&group_id=70352&atid=527487>.
Comment 3 Petr Pisar 2012-07-04 10:40:26 EDT
Reproducer:

(1) Obtain a tnef archive with binary document (e.g. the winmail.dat from <http://sourceforge.net/tracker/?func=detail&aid=756215&group_id=70352&atid=533948>).

(2) Explore the archive with ytnefprint tool (from ytnef package) that uses the libytnef library:

$ ytnefprint winmail.dat
Attempting to parse winmail.dat...
---> In TNEF1.0 format
Message Priority: normal
Date Received: Tuesday June 17, 2003 10:23:00 am
Message Class: IPM.Microsoft Mail.Note
    MAPI Properties: 39
   #0: Type: [ BOOLEAN ]  Code: [PR_ALTERNATE_RECIPIENT_ALLOWED]
    Size: 4    Value: True
   #1: Type: [ BOOLEAN ]  Code: [PR_ORIGINATOR_DELIVERY_REPORT_REQUESTED]
    Size: 4    Value: False
   #2: Type: [  LONG   ]  Code: [PR_PRIORITY]
    Size: 4    Value: 0
   #3: Type: [ BOOLEAN ]  Code: [PR_READ_RECEIPT_REQUESTED]
    Size: 4    Value: False
   #4: Type: [  LONG   ]  Code: [PR_SENSITIVITY]
    Size: 4    Value: 0
   #5: Type: [ STRING8 ]  Code: [PR_CONVERSATION_TOPIC]
    Size: 5    Value: [test]
   #6: Type: [ BINARY  ]  Code: [PR_CONVERSATION_INDEX]
    Size: 22    Value: [..4.p...s,j~O...I....L]
   #7: Type: [ BINARY  ]  Code: [PR_SENDER_SEARCH_KEY]
    Size: 26    Value: [SMTP:JGERLAND@SYNACOR.COM.]
   #8: Type: [ BOOLEAN ]  Code: [PR_DELETE_AFTER_SUBMIT]
    Size: 4    Value: False
   #9: Type: [SYS TIME ]  Code: [PR_MESSAGE_DELIVERY_TIME]
    Size: 8    Value: Tuesday June 17, 2003 3:23:00 pm
   #10: Type: [ BINARY  ]  Code: [PR_SENTMAIL_ENTRYID]
    Size: 24    Value: [......3.v#'N..I..G......]
   #11: Type: [  LONG   ]  Code: [PR_SUBMIT_FLAGS]
    Size: 4    Value: 0
   #12: Type: [ BOOLEAN ]  Code: [PR_RTF_IN_SYNC]
    Size: 4    Value: True
   #13: Type: [ BINARY  ]  Code: [PR_RTF_COMPRESSED]
    Size: 217    Detected Compressed RTF.Decompressed text follows
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
*** buffer overflow detected ***: ytnefprint terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3045708af7]
/lib64/libc.so.6[0x3045706a70]
/usr/lib64/libytnef.so.0(DecompressRTF+0x3a)[0x3045a0470a]
/usr/lib64/libytnef.so.0(MAPIPrint+0x4c8)[0x3045a04e08]
ytnefprint[0x4010e9]
ytnefprint[0x400909]
/lib64/libc.so.6(__libc_start_main+0xed)[0x304562169d]
ytnefprint[0x40097d]
Comment 4 Petr Pisar 2012-07-04 10:53:35 EDT
One need to configure with CFLAGS='-O2 -g -Wp,-D_FORTIFY_SOURCE=2' to provoke the abort.
Comment 5 Petr Pisar 2012-07-04 11:10:12 EDT
Created attachment 596239 [details]
Better fix for the heap overflow

This fixes the bug by copying only needed bytes.
Comment 6 Fedora Update System 2012-07-04 13:12:50 EDT
libytnef-1.5-8.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/libytnef-1.5-8.fc17
Comment 7 Fedora Update System 2012-07-04 13:12:59 EDT
libytnef-1.5-8.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libytnef-1.5-8.fc16
Comment 8 Fedora Update System 2012-07-05 19:30:55 EDT
Package libytnef-1.5-8.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libytnef-1.5-8.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10250/libytnef-1.5-8.fc17
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2012-07-14 17:53:07 EDT
libytnef-1.5-8.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-07-14 18:02:55 EDT
libytnef-1.5-8.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Kurt Seifried 2013-04-10 22:21:16 EDT
Added CVE as per http://openwall.com/lists/oss-security/2013/04/11/1