Bug 1500070 (CVE-2017-16844) - CVE-2017-16844 procmail: Heap-based buffer overflow in loadbuf function in formisc.c
Status: CLOSED ERRATA
Alias: CVE-2017-16844
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1500071 1513916 1513917
Blocks: 1500771
Reported: 2017-10-09 19:48 UTC by Pedro Sampaio
Modified: 2021-02-17 01:25 UTC (History)

Last Closed: 2017-11-29 07:46:09 UTC


Attachments
Simple fix (530 bytes, patch), 2017-10-10 21:51 UTC, Jaroslav Škarvada


Links
Red Hat Product Errata RHSA-2017:3269 (normal, SHIPPED_LIVE): Important: procmail security update, last updated 2017-11-29 03:02:16 UTC

Description Pedro Sampaio 2017-10-09 19:48:12 UTC
A flaw was found in the loadbuf function in formisc.c. When the buffer is too small, the function tries to resize it, but only by Bsize (=128) bytes. This is not necessarily enough and could cause denial of service.

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511

Comment 1 Pedro Sampaio 2017-10-09 19:48:36 UTC
Created procmail tracking bugs for this issue:

Affects: fedora-all [bug 1500071]

Comment 4 Jaroslav Škarvada 2017-10-10 21:51:49 UTC
Created attachment 1336923 [details]
Simple fix

Well, there may be better fixes (e.g. counting the total buffer size in one step), but the attached fix is ultimately simple (a few more cycles shouldn't be a problem for typical scenarios).

Before the fix is applied:
$ zcat overflow.822.gz | valgrind formail -r
==8339== Memcheck, a memory error detector
==8339== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8339== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==8339== Command: formail -r
==8339== 
==8339== Invalid write of size 1
==8339==    at 0x4C3561B: memmove (vg_replace_strmem.c:1258)
==8339==    by 0x10D98A: ??? (in /usr/bin/formail)
==8339==    by 0x10C676: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339==  Address 0x5524350 is 0 bytes after a block of size 640 alloc'd
==8339==    at 0x4C30C15: realloc (vg_replace_malloc.c:785)
==8339==    by 0x10E0C8: ??? (in /usr/bin/formail)
==8339==    by 0x10D96B: ??? (in /usr/bin/formail)
==8339==    by 0x10C676: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339== 
==8339== Invalid read of size 2
==8339==    at 0x4C355E0: memmove (vg_replace_strmem.c:1258)
==8339==    by 0x10D25A: ??? (in /usr/bin/formail)
==8339==    by 0x10D61F: ??? (in /usr/bin/formail)
==8339==    by 0x10B780: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339==  Address 0x5524350 is 0 bytes after a block of size 640 alloc'd
==8339==    at 0x4C30C15: realloc (vg_replace_malloc.c:785)
==8339==    by 0x10E0C8: ??? (in /usr/bin/formail)
==8339==    by 0x10D96B: ??? (in /usr/bin/formail)
==8339==    by 0x10C676: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339== 
==8339== Invalid read of size 2
==8339==    at 0x4C355EF: memmove (vg_replace_strmem.c:1258)
==8339==    by 0x10D25A: ??? (in /usr/bin/formail)
==8339==    by 0x10D61F: ??? (in /usr/bin/formail)
==8339==    by 0x10B780: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339==  Address 0x5524354 is 4 bytes after a block of size 640 alloc'd
==8339==    at 0x4C30C15: realloc (vg_replace_malloc.c:785)
==8339==    by 0x10E0C8: ??? (in /usr/bin/formail)
==8339==    by 0x10D96B: ??? (in /usr/bin/formail)
==8339==    by 0x10C676: ??? (in /usr/bin/formail)
==8339==    by 0x5171509: (below main) (in /usr/lib64/libc-2.25.so)
==8339== 
To: foo@bar
References: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
In-Reply-To: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

==8339== 
==8339== HEAP SUMMARY:
==8339==     in use at exit: 1,438 bytes in 10 blocks
==8339==   total heap usage: 24 allocs, 14 frees, 9,753 bytes allocated
==8339== 
==8339== LEAK SUMMARY:
==8339==    definitely lost: 129 bytes in 4 blocks
==8339==    indirectly lost: 0 bytes in 0 blocks
==8339==      possibly lost: 0 bytes in 0 blocks
==8339==    still reachable: 1,309 bytes in 6 blocks
==8339==         suppressed: 0 bytes in 0 blocks
==8339== Rerun with --leak-check=full to see details of leaked memory
==8339== 
==8339== For counts of detected and suppressed errors, rerun with: -v
==8339== ERROR SUMMARY: 9 errors from 3 contexts (suppressed: 0 from 0)


After the fix is applied:
$ zcat overflow.822.gz | valgrind formail -r
==9409== Memcheck, a memory error detector
==9409== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9409== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==9409== Command: formail -r
==9409== 
To: foo@bar
References: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
In-Reply-To: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

==9409== 
==9409== HEAP SUMMARY:
==9409==     in use at exit: 1,566 bytes in 10 blocks
==9409==   total heap usage: 25 allocs, 15 frees, 10,521 bytes allocated
==9409== 
==9409== LEAK SUMMARY:
==9409==    definitely lost: 129 bytes in 4 blocks
==9409==    indirectly lost: 0 bytes in 0 blocks
==9409==      possibly lost: 0 bytes in 0 blocks
==9409==    still reachable: 1,437 bytes in 6 blocks
==9409==         suppressed: 0 bytes in 0 blocks
==9409== Rerun with --leak-check=full to see details of leaked memory
==9409== 
==9409== For counts of detected and suppressed errors, rerun with: -v
==9409== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
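The growth pattern the Description attributes to loadbuf, and the two fix strategies Comment 4 weighs (growing by Bsize repeatedly versus sizing the buffer in one step), as an added C illustration; this is constructed for this page and is neither procmail's formisc.c nor the attached patch. The names membuf, buggy_overrun, loadbuf_loop and loadbuf_onestep are assumptions; Bsize is the 128 named in the report.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the growth logic the report describes; it is
 * not procmail's formisc.c. Bsize mirrors the value named in the report. */
#define Bsize 128

struct membuf { char *buf; size_t buflen, buffilled; };

/* Buggy pattern: when the text does not fit, grow by exactly one Bsize and
 * copy anyway. Models only the arithmetic: returns how many bytes the copy
 * would land past the end of the block (0 = in bounds); never copies. */
size_t buggy_overrun(size_t buffilled, size_t buflen, size_t len)
{
    if (buffilled + len > buflen)   /* buf can't hold text */
        buflen += Bsize;            /* one step, whether or not it is enough */
    return buffilled + len > buflen ? buffilled + len - buflen : 0;
}

/* Fix A, the "few more cycles" approach: keep growing by Bsize until the
 * text fits, then copy. Returns 1 on success, 0 on allocation failure. */
int loadbuf_loop(struct membuf *m, const char *text, size_t len)
{
    while (m->buffilled + len > m->buflen) {
        char *nb = realloc(m->buf, m->buflen + Bsize);
        if (!nb) return 0;
        m->buf = nb; m->buflen += Bsize;
    }
    memmove(m->buf + m->buffilled, text, len);
    m->buffilled += len;
    return 1;
}

/* Fix B, sizing in one step: compute the total needed, round it up to a
 * multiple of Bsize and realloc once. Returns 1 on success, 0 on failure. */
int loadbuf_onestep(struct membuf *m, const char *text, size_t len)
{
    size_t need = m->buffilled + len;
    if (need < len || need > (size_t)-1 - Bsize) return 0; /* no size_t wrap */
    if (need > m->buflen) {
        size_t newlen = (need + Bsize - 1) / Bsize * Bsize;
        char *nb = realloc(m->buf, newlen);
        if (!nb) return 0;
        m->buf = nb; m->buflen = newlen;
    }
    memmove(m->buf + m->buffilled, text, len);
    m->buffilled += len;
    return 1;
}
```

A header value longer than Bsize fed to the buggy pattern yields a non-zero overrun, which is the out-of-bounds memmove valgrind reports above; both fixes end with buflen a multiple of 128, matching the 640-byte block sizes in the trace.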

Comment 12 errata-xmlrpc 2017-11-28 22:04:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3269 https://access.redhat.com/errata/RHSA-2017:3269

Comment 13 Stefan Cornelius 2017-11-29 19:29:41 UTC
Statement:

This issue affects the versions of procmail as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue affects the versions of procmail as shipped with Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 6 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

