Bug 1222251 - Libmimedir VCF Parsing Memory Corruption
Summary: Libmimedir VCF Parsing Memory Corruption
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: libmimedir
Version: 21
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Andreas Bierfert
QA Contact: Fedora Extras Quality Assurance
Blocks: CVE-2015-3205

Reported: 2015-05-16 23:55 UTC by j
Modified: 2015-12-02 18:02 UTC

Doc Type: Bug Fix
Last Closed: 2015-12-02 12:25:10 UTC
Type: Bug


Attachments (Terms of Use)
PoC to create the malformed VCF (578 bytes, text/x-python), 2015-05-16 23:55 UTC, j

Description j 2015-05-16 23:55:35 UTC
Created attachment 1026348
PoC to create the malformed VCF

Description of problem:

Adding a NULL short to the end of a VCF file allows a user to manipulate free() calls which occur during its lexer's memory clean-up procedure.


Version-Release number of selected component (if applicable):

libmimedir-static 0.4-13.fc21


How reproducible: crashes every time with PoC


Steps to Reproduce:

1. Run the attached script which produces a malformed VCF file

2. Open the created VCF file with a libmimedir consumer, or a pseudo-consumer:

#include <stdio.h>
#include <mimedir.h>   /* libmimedir's public header; declares mdir_parse_file() */

int main(void)
{
	/* Hand the malformed file produced by the attached script to the library. */
	mdir_parse_file("free.vcf");

	return 0;
}


3. Observe crash


Actual results:

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x4141414141414141) at malloc.c:2934
2934	  if (chunk_is_mmapped (p))                       /* release mmapped memory. */
(gdb) bt
#0  __GI___libc_free (mem=0x4141414141414141) at malloc.c:2934
#1  0x00000000004024a2 in _mdir_mem_forget2 ()
#2  0x00000000004024af in _mdir_mem_forget2 ()
#3  0x00000000004024af in _mdir_mem_forget2 ()
#4  0x00000000004024af in _mdir_mem_forget2 ()
#5  0x00000000004024af in _mdir_mem_forget2 ()
#6  0x00000000004024af in _mdir_mem_forget2 ()
#7  0x00000000004024dc in _mdir_mem_forget ()
#8  0x0000000000401fee in _mdir_parse ()
#9  0x0000000000400bfe in mdir_parse_FILE ()
#10 0x0000000000400c67 in mdir_parse_file ()
#11 0x0000000000400b39 in main ()


Expected results:

No crash; completes parsing of the VCF file successfully


Additional info:

libmimedir-0.5.1.tar.gz was also confirmed vulnerable

Comment 1 Vasyl Kaigorodov 2015-05-20 12:28:07 UTC
Hello, thanks for this report.
We've assigned CVE-2015-3205 for this issue.
I would recommend you to disclose this on the oss-security mailing list (http://oss-security.openwall.org/wiki/mailing-lists) to make the community aware of this issue as soon as possible.

--
Vasyl Kaigorodov | Red Hat Product Security
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828

Comment 2 j 2015-05-20 15:49:48 UTC
(In reply to Vasyl Kaigorodov from comment #1)
> Hello, thanks for this report.
> We've assigned CVE-2015-3205 for this issue.
> I would recommend you to disclose this on the oss-security mailing list
> (http://oss-security.openwall.org/wiki/mailing-lists) to make the community
> aware about this issue as soon as possible.
> 
> --
> Vasyl Kaigorodov | Red Hat Product Security
> PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828

Vasyl,

Correct me if I'm wrong, but the oss-security mailing list is a publicly subscribed mailing list. I'd like to get the bug fixed before public disclosure-- do you maintain the package?

Comment 3 Andreas Bierfert 2015-05-20 15:53:46 UTC
Do you have a patch at hand? Upstream is long dead afaik.

Comment 4 j 2015-05-20 17:20:23 UTC
(In reply to Andreas Bierfert from comment #3)
> Do you have a patch at hand? Upstream is long dead afaik.

I do not have a patch, but briefly looking at dirlex.c, it seems like a patch could be applied to yy_get_next_buffer(). 

YY_END_OF_BUFFER_CHAR and YY_END_OF_BUFFER_CHAR + 1 are appended to signify end of buffers. This explains the two bytes needed to trigger the bug as YY_END_OF_BUFFER_CHAR is simply NULL.

Is the author or maintainer available to dig a bit more?

FYI, there is another unresolved bug (#1049214) to push the latest upstream 0.5.1 over the current (0.4-11).
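As an added example that is not part of this report or of libmimedir: a byte-level pre-check a consumer can run on a VCF file's contents before handing it to the unmaintained parser. vCard is plain text, so a NUL byte (the trigger described in this bug) or any other stray control byte is grounds to reject the file up front, as is missing BEGIN:VCARD/END:VCARD framing. The sample cards are constructed, and the function and enum names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts from the pre-check (names are this example's own, not libmimedir's). */
enum vcf_verdict { VCF_OK = 0, VCF_EMPTY, VCF_NUL_BYTE, VCF_CONTROL_BYTE, VCF_BAD_FRAMING };

/* Byte-wise search for an ASCII token in a buffer that need not be NUL-terminated. */
static int has_token(const unsigned char *buf, size_t len, const char *tok)
{
    size_t n = strlen(tok);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, tok, n) == 0)
            return 1;
    return 0;
}

/* Inspect raw file bytes before they reach libmimedir's flex-generated lexer.
 * vCard is line-oriented text: a NUL, or any control byte other than CR, LF
 * and TAB, means the file is not a vCard and is not worth parsing. */
enum vcf_verdict vcf_precheck(const unsigned char *buf, size_t len)
{
    if (len == 0)
        return VCF_EMPTY;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c == 0)
            return VCF_NUL_BYTE;
        if ((c < 0x20 && c != '\r' && c != '\n' && c != '\t') || c == 0x7f)
            return VCF_CONTROL_BYTE;
    }
    if (!has_token(buf, len, "BEGIN:VCARD") || !has_token(buf, len, "END:VCARD"))
        return VCF_BAD_FRAMING;
    return VCF_OK;
}

/* Constructed sample input: a minimal well-formed card ... */
static const unsigned char good_vcf[] =
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Example User\r\nEND:VCARD\r\n";
/* ... and the same card with a trailing two-byte NUL, the shape this report describes. */
static const unsigned char bad_vcf[] =
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Example User\r\nEND:VCARD\r\n\0\0";
#define LEN(a) (sizeof(a) - 1)   /* drop the literal's implicit terminator */

int main(void)
{
    printf("good: %d\n", vcf_precheck(good_vcf, LEN(good_vcf)));  /* 0 (VCF_OK) */
    printf("bad:  %d\n", vcf_precheck(bad_vcf, LEN(bad_vcf)));    /* 2 (VCF_NUL_BYTE) */
    return 0;
}
```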

Comment 5 j 2015-06-02 03:37:42 UTC
If neither the maintainer here nor anyone else is able to provide a fix, I'll make the details public after a bit. Perhaps others interested in maintaining the package will have time to take a look afterwards.

Comment 6 Huzaifa S. Sidhpurwala 2015-06-23 04:12:05 UTC
Making this bugzilla public now, since other related information is also public:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789197
https://bugzilla.redhat.com/show_bug.cgi?id=1223377

Comment 7 Fedora End Of Life 2015-11-04 15:29:41 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 21 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 8 Fedora End Of Life 2015-12-02 12:25:25 UTC
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

