Bug 1492701 (CVE-2014-8184) - CVE-2014-8184 liblouis: stack-based buffer overflow in findTable()
Summary: CVE-2014-8184 liblouis: stack-based buffer overflow in findTable()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8184
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20171009,repor...
Depends On: 1492708 1492709
Blocks: 1488949
Reported: 2017-09-18 13:48 UTC by Pedro Sampaio
Modified: 2019-07-31 21:37 UTC (History)
8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-03 16:05:13 UTC


Attachments
proposed fix (1.21 KB, patch)
2017-11-03 01:05 UTC, Samuel Thibault


Links
System ID: Red Hat Product Errata RHSA-2017:3111
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: liblouis security update
Last Updated: 2017-11-02 19:51:34 UTC

Description Pedro Sampaio 2017-09-18 13:48:40 UTC
A stack-based buffer overflow was found in findTable() in liblouis. An attacker could create a malicious file that would cause applications that use liblouis (such as Orca) to crash, or potentially execute arbitrary code when opened.

Comment 1 Pedro Sampaio 2017-09-18 13:48:43 UTC
Acknowledgments:

Name: Raphael Sanchez Prudencio (Red Hat)

Comment 5 Salvatore Bonaccorso 2017-11-01 05:33:27 UTC
Hi

Can you share details on this issue? Is upstream aware of the details?

I found only https://github.com/liblouis/liblouis/issues/425 asking Upstream on it.

Regards,
Salvatore

Comment 7 Raphael Sanchez Prudencio 2017-11-02 13:52:57 UTC
(In reply to Salvatore Bonaccorso from comment #5)
> Hi
> 
> Can you share details on this issue? Is upstream aware of the details?
> 
> I found only https://github.com/liblouis/liblouis/issues/425 asking Upstream
> on it.
> 
> Regards,
> Salvatore

Hi Salvatore, this vulnerability (actually several buffer overflows in that same function) was sitting in our package because it was outdated. It was probably unknowingly fixed as this function was totally refactored during this merge: https://github.com/liblouis/liblouis/commit/dc97ef791a4fae9da11592c79f9f79e010596e0c#diff-7ade83431f79d2120c82012aee3b05c9L4524

This specific vulnerability does not exist in the upstream version; it was introduced in commit 26ca8619.

Comment 8 errata-xmlrpc 2017-11-02 15:52:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3111 https://access.redhat.com/errata/RHSA-2017:3111

Comment 9 Salvatore Bonaccorso 2017-11-02 21:11:20 UTC
Hi Raphael,

(In reply to Raphael Sanchez Prudencio from comment #7)
> (In reply to Salvatore Bonaccorso from comment #5)
> > Hi
> > 
> > Can you share details on this issue? Is upstream aware of the details?
> > 
> > I found only https://github.com/liblouis/liblouis/issues/425 asking Upstream
> > on it.
> > 
> > Regards,
> > Salvatore
> 
> Hi Salvatore, this vulnerability (actually several buffer overflows in that
> same function) was sitting in our package because it was outdated. It was
> probably unknowingly fixed as this function was totally refactored during
> this merge:
> https://github.com/liblouis/liblouis/commit/
> dc97ef791a4fae9da11592c79f9f79e010596e0c#diff-
> 7ade83431f79d2120c82012aee3b05c9L4524
> 
> This specific vulnerability does not exist in the upstream version; it was
> introduced in commit 26ca8619.

Thanks for this, this was really helpful to narrow down the affected status for us in Debian.

Regards,
Salvatore

Comment 10 Samuel Thibault 2017-11-03 01:05:13 UTC
Created attachment 1347137 [details]
proposed fix

Hello,
As mentioned upstream, this is not enough: the strncpy call does not catch buffer overflows and a missing \0.
This patch should be fixing it.
Samuel
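
The strncpy point raised in the comment above, as an added C illustration written for this page (it is not liblouis code and does not reproduce findTable(); the buffer size TABLE_NAME_MAX, the function names and the sample table names are constructed for the example). strncpy() stops the write past the end of the stack buffer, so the original overflow is gone, but when the source is as long as or longer than the buffer it writes no terminator, and any later strlen()/strcat()/"%s" on that buffer reads past it. A complete fix checks the length up front and writes the terminator itself:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a findTable()-style lookup that copies a table
 * name taken from untrusted input into a fixed-size stack buffer.
 * Illustration for this bug report only; not liblouis code.
 * The size is deliberately small so the edge cases are easy to see. */
#define TABLE_NAME_MAX 16

/* The "strncpy only" repair.  strncpy(dst, src, sizeof dst) never writes
 * past dst, but if strlen(src) >= sizeof dst it fills all 16 bytes and
 * writes no '\0'.  Returns 1 if dst ended up NUL-terminated, 0 if not.
 * memchr is used instead of strlen so that the check itself never reads
 * past the buffer. */
int strncpy_leaves_terminator(const char *src)
{
    char dst[TABLE_NAME_MAX];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Complete fix: refuse names that do not fit (a caller may prefer to
 * truncate, but it must decide that explicitly) and always write the
 * terminator.  Returns 0 on success, -1 if the name does not fit. */
int copy_table_name(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0 || len >= dstsz)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* The checked copy applied to a stack buffer of the same size, the way a
 * findTable()-style routine would use it.  Returns 0 if the name was
 * accepted, -1 if it was rejected as too long. */
int find_table_checked(const char *name)
{
    char table[TABLE_NAME_MAX];
    return copy_table_name(table, sizeof table, name);
}

int main(void)
{
    /* Constructed inputs: one that fits, one exactly the buffer size,
     * one longer than the buffer. */
    const char *names[] = { "en-us-g2.ctb", "0123456789abcdef",
                            "0123456789abcdefghij" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-22s strncpy terminated=%d  checked copy=%d\n", names[i],
               strncpy_leaves_terminator(names[i]),
               find_table_checked(names[i]));
    }
    return 0;
}
```

The 16-character name is the case strncpy gets wrong: it fits the bytes but not the terminator, so the buffer is full and unterminated even though nothing was written out of bounds. The checked copy rejects both the 16- and the 20-character names because it reserves one byte for the '\0'.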

Comment 11 Raphael Sanchez Prudencio 2017-11-03 13:20:32 UTC
(In reply to Samuel Thibault from comment #10)
> Created attachment 1347137 [details]
> proposed fix
> 
> Hello,
> As mentioned upstream, this is not enough, the strncpy call does not catch
> buffer overflows and missing \0.
> This patch should be fixing it.
> Samuel

* Edited *

Good catch Samuel, thanks!

I will request a new CVE for this incomplete fix and link it here when I get it.

Comment 12 Raphael Sanchez Prudencio 2017-11-08 15:09:49 UTC
New CVE was generated for the incomplete fix: CVE-2017-15101.

https://bugzilla.redhat.com/show_bug.cgi?id=1511023

Comment 13 Pedro Sampaio 2019-07-31 21:37:03 UTC
External References:

https://github.com/liblouis/liblouis/issues/425

