Bug 1610887 - (CVE-2018-10922) CVE-2018-10922 ttembed: use of untrusted length field may lead to denial of service
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20180802:1545,repor...
Keywords: Security
Depends On: 1611681 1611682 1611683
Blocks: 1608880 1610916
Reported: 2018-08-01 10:41 EDT by Scott Gayou
Modified: 2018-08-02 12:25 EDT
Doc Text:
An input validation flaw exists in ttembed. With a crafted input file, an attacker may be able to trigger a denial of service condition due to ttembed trusting attacker-controlled values.
Description Scott Gayou 2018-08-01 10:41:46 EDT
A failure to validate an untrusted length field could potentially lead to a denial of service condition.
Comment 1 Scott Gayou 2018-08-01 10:41:49 EDT
Acknowledgments:

Name: Scott Gayou (Red Hat)
Comment 3 Scott Gayou 2018-08-01 10:52:10 EDT
time ttembed hang.useme 

real	13m6.415s
user	3m47.487s
sys	9m16.191s
Comment 6 Scott Gayou 2018-08-02 11:45:56 EDT
Unembargoed due to very low impact. Upstream notified.
Comment 7 Scott Gayou 2018-08-02 11:47:38 EDT
Created ttembed tracking bugs for this issue:

Affects: fedora-all [bug 1611683]
Comment 9 Scott Gayou 2018-08-02 12:16:15 EDT
Upstream Issue:

https://github.com/hisdeedsaredust/ttembed/issues/2
Comment 10 Scott Gayou 2018-08-02 12:25:36 EDT
If a large length (0x7fffffff) is parsed by ttembed, the following loop will run for quite a long time causing a denial of service:

    for (x=length;x>0;x-=4)
        sum += readbe32(inways);

As readbe32 calls fgetc four times, this results in roughly 8589934588 calls to fgetc. On my computer, it takes ttembed around 13 minutes to finish looping.

time ttembed hang.useme 


real	13m6.415s
user	3m47.487s
sys	9m16.191s

Instead of looping forever, the code should fail as soon as readbe32 detects an EOF, else, the program should verify the bounds of the program and bail out when size > actual size of the file.
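
The two checks suggested in comment 10, written out as an added example (this is not ttembed's code and not the upstream fix): reject a length field larger than what is left in the file, and stop as soon as a read hits EOF. The names readbe32_checked, bytes_remaining, checksum_table and demo are hypothetical, and the 8-byte table is constructed sample input.

```c
#include <stdio.h>
#include <stdint.h>
/* Read a big-endian 32-bit word; 0 on success, -1 on EOF or read error. */
static int readbe32_checked(FILE *f, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int c = fgetc(f);
        if (c == EOF) return -1;
        v = (v << 8) | (uint32_t)c;
    }
    *out = v;
    return 0;
}
/* Bytes between the current position and end of file, or -1 on error. */
static long bytes_remaining(FILE *f) {
    long here = ftell(f), end;
    if (here < 0 || fseek(f, 0, SEEK_END) != 0) return -1;
    end = ftell(f);
    if (end < 0 || fseek(f, here, SEEK_SET) != 0) return -1;
    return end - here;
}
/* Sum `length` bytes as 32-bit words; 0 on success, -1 if input is rejected. */
int checksum_table(FILE *f, uint32_t length, uint32_t *sum_out) {
    /* The loop reads 4 bytes at a time, so round up to whole words. */
    uint64_t padded = ((uint64_t)length + 3) & ~(uint64_t)3;
    long avail = bytes_remaining(f);
    uint32_t sum = 0, word;
    if (avail < 0 || padded > (uint64_t)avail) return -1; /* length > file */
    for (uint64_t x = 0; x < padded; x += 4) {
        if (readbe32_checked(f, &word) != 0) return -1;   /* EOF: stop now */
        sum += word;
    }
    *sum_out = sum;
    return 0;
}
/* Constructed input: an 8-byte table holding the words 1 and 2. */
int demo(uint32_t claimed_length, uint32_t *sum_out) {
    static const unsigned char data[8] = {0,0,0,1, 0,0,0,2};
    FILE *f = tmpfile();
    if (!f) return -2;
    fwrite(data, 1, sizeof data, f);
    rewind(f);
    int rc = checksum_table(f, claimed_length, sum_out);
    fclose(f);
    return rc;
}
int main(void) {
    uint32_t s = 0;
    return demo(8, &s) == 0 && demo(0x7fffffff, &s) == -1 ? 0 : 1;
}
```

With the size check in place, a claimed length of 0x7fffffff against an 8-byte file is rejected before the first read; the EOF check covers inputs where the size cannot be determined up front or changes while reading.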
