Bug 1711098 - Segmentation Fault in UUlib.so (ScanData) used in perl-Convert-UUlib
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: perl-Convert-UUlib
Version: epel7
Hardware: x86_64
OS: Linux
unspecified
medium
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-05-17 00:21 UTC by Noel Duffy
Modified: 2019-11-10 01:58 UTC

Fixed In Version: perl-Convert-UUlib-1.6-1.fc29 perl-Convert-UUlib-1.6-1.fc30 perl-Convert-UUlib-1.6-1.fc31 perl-Convert-UUlib-1.6-1.el7 perl-Convert-UUlib-1.6-1.el8 perl-Convert-UUlib-1.6-1.el6
Last Closed: 2019-11-02 01:44:18 UTC
Type: Bug

Description Noel Duffy 2019-05-17 00:21:16 UTC
Description of problem:

When processing certain text, a segmentation fault is generated in the ScanData method in UUlib.so.

Version-Release number of selected component (if applicable):

perl-Convert-UUlib-1.5-1.el7.x86_64

How reproducible:

Always

Steps to Reproduce:
1. The following Perl script uses UUlib to read files and process them.

-- >8 cut here --
use Convert::UUlib ':all';

LoadFile 'badfile';
-- >8 cut here --

2. The following input file, when passed to the above Perl, causes the Segmentation Fault. Save this text to a file named "badfile".

-- >8 cut here --
a

a

Content-Type: text/plain
-- >8 cut here --

This is a hexdump of badfile to show the bytes.

$ hexdump -C badfile
00000000  61 0a 0a 61 0a 0a 43 6f  6e 74 65 6e 74 2d 54 79  |a..a..Content-Ty|
00000010  70 65 3a 20 74 65 78 74  2f 70 6c 61 69 6e 0a     |pe: text/plain.|
0000001f

$ wc badfile
 5  4 31 badfile

3. With the Perl code saved in foo.pl and the text from step 2 saved in a file named badfile, run:

$ perl foo.pl
Segmentation fault

Actual results:
Segmentation fault.

Expected results:
Library should read the text and either produce an error if it is badly formed or otherwise decode it.

Additional info:

This is what I see in gdb.

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 (Maipo)

$ gdb perl
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-114.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl...Reading symbols from /usr/lib/debug/usr/bin/perl.debug...done.
done.
(gdb) run foo.pl
Starting program: /usr/bin/perl foo.pl
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007fffefdb6972 in ScanData (datei=datei@entry=0x62a3c0, errcode=errcode@entry=0x7fffffffdf78, 
    boundary=boundary@entry=0x0, ismime=<optimized out>, checkheaders=checkheaders@entry=1, 
    result=result@entry=0x626c50, fname=0x6284e0 "badfile") at uuscan.c:821
821		  while (!isspace (*p2) && *p2 != ';') p2++;

(gdb) print p2
$1 = 0x7ffff7f41c0d "text/plain"

(gdb) list
816		  break;
817		}
818		if ((ptr = strchr (line, ':')) != NULL) {
819		  ptr++;
820		  while (isspace (*ptr)) ptr++; p2 = ptr;
821		  while (!isspace (*p2) && *p2 != ';') p2++;
822		  c = *p2; *p2 = '\0';
823		  if (p2 != ptr) {
824		    _FP_free (result->mimetype);
825		    result->mimetype = _FP_strdup (ptr);

(gdb) bt
#0  0x00007fffefdb6972 in ScanData (datei=datei@entry=0x62a3c0, errcode=errcode@entry=0x7fffffffdf78, 
    boundary=boundary@entry=0x0, ismime=<optimized out>, checkheaders=checkheaders@entry=1, 
    result=result@entry=0x626c50, fname=0x6284e0 "badfile") at uuscan.c:821
#1  0x00007fffefdb878c in ScanPart (datei=datei@entry=0x62a3c0, fname=fname@entry=0x6284e0 "badfile", 
    errcode=errcode@entry=0x7fffffffdf78) at uuscan.c:3141
#2  0x00007fffefda848a in UULoadFileWithPartNo (filename=filename@entry=0x6284e0 "badfile", 
    fileid=0x6284e0 "badfile", fileid@entry=0x0, delflag=delflag@entry=0, partno=partno@entry=-1, 
    partcount=partcount@entry=0x7fffffffe074) at uulib.c:790
#3  0x00007fffefda5181 in XS_Convert__UUlib_LoadFile (my_perl=<optimized out>, cv=<optimized out>)
    at UUlib.xs:382
#4  0x00007ffff7b0941f in Perl_pp_entersub (my_perl=0x603010) at pp_hot.c:2778
#5  0x00007ffff7b01b96 in Perl_runops_standard (my_perl=0x603010) at run.c:41
#6  0x00007ffff7a9e985 in S_run_body (oldscope=<optimized out>, my_perl=<optimized out>) at perl.c:2402
#7  perl_run (my_perl=0x603010) at perl.c:2320
#8  0x0000000000400ce9 in main (argc=3, argv=0x7fffffffe398, env=0x7fffffffe3b8) at perlmain.c:120

This bug is causing problems with Amavis for us because Amavis uses perl-Convert-UUlib to decode some mime attachments, and one of them is now causing crashes in the scanner. I've narrowed down the text in the attachment as much as possible. Removing any line or even a character in the file means the segmentation faults stop. The letter "a" in the first two lines can be replaced with any character or group of characters, but the last line must remain unchanged.

There are no funny characters in the input file, nor DOS line-endings, as shown by the hexdump above.
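Added example, not part of the original report and not the upstream fix: the loop at uuscan.c:821 stops only at whitespace or ';', so a header value that reaches it without either keeps scanning past its NUL terminator. The sketch assumes the line arrives with its newline already stripped (as the gdb print of p2 suggests); the arena, the `limit` guard and the function names are constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan as in uuscan.c:821 in the report: stops only at whitespace or ';'.
 * `limit` is added here solely so the demo never leaves its own buffer. */
static size_t scan_unchecked(const char *p, const char *limit) {
    const char *p2 = p;
    while (p2 < limit && !isspace((unsigned char)*p2) && *p2 != ';') p2++;
    return (size_t)(p2 - p);
}

/* Hardened form: the NUL terminator also ends the token. */
static size_t scan_checked(const char *p) {
    const char *p2 = p;
    while (*p2 && !isspace((unsigned char)*p2) && *p2 != ';') p2++;
    return (size_t)(p2 - p);
}

/* Constructed arena: the header line with its newline already stripped,
 * followed by filler bytes standing in for adjacent heap memory. */
static char arena[64];

static const char *value_in_arena(void) {
    memset(arena, 'X', sizeof arena);           /* "neighbouring" data */
    strcpy(arena, "Content-Type: text/plain");  /* NUL lands at arena[24] */
    arena[40] = ' ';                            /* first whitespace past the NUL */
    char *ptr = strchr(arena, ':') + 1;
    while (isspace((unsigned char)*ptr)) ptr++; /* same skip as line 820 */
    return ptr;
}

int main(void) {
    const char *v = value_in_arena();
    printf("string length      : %zu\n", strlen(v));
    printf("unchecked scan ends: %zu\n", scan_unchecked(v, arena + sizeof arena));
    printf("checked scan ends  : %zu\n", scan_checked(v));
    return 0;
}
```

In the real code the byte at the stopping point is then overwritten (`*p2 = '\0'` on line 822), so an unchecked scan that ends beyond the terminator also writes outside the string.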

Comment 1 Robert Scheck 2019-10-24 00:34:56 UTC
Thank you very much for the long report, I've asked upstream to have a look at it.

Comment 2 Robert Scheck 2019-10-24 20:55:02 UTC
Noel, upstream was able to reproduce and fix the issue, and acknowledges you for the (unexploitable for other than denial of service) heap overflow in the changelog. I'll push an updated package to all branches in the next hours.

Comment 3 Fedora Update System 2019-10-24 22:05:54 UTC
FEDORA-2019-a9b576d1dd has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a9b576d1dd

Comment 4 Fedora Update System 2019-10-24 22:06:15 UTC
FEDORA-2019-4ea3b39b9a has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4ea3b39b9a

Comment 5 Fedora Update System 2019-10-24 22:06:34 UTC
FEDORA-2019-a21b8f3bbd has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a21b8f3bbd

Comment 6 Fedora Update System 2019-10-24 22:06:50 UTC
FEDORA-EPEL-2019-c259095cc1 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-c259095cc1

Comment 7 Fedora Update System 2019-10-24 22:07:10 UTC
FEDORA-EPEL-2019-e1ab606cd8 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-e1ab606cd8

Comment 8 Fedora Update System 2019-10-24 22:07:33 UTC
FEDORA-EPEL-2019-7537404e9e has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-7537404e9e

Comment 9 Fedora Update System 2019-10-25 19:34:44 UTC
perl-Convert-UUlib-1.6-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4ea3b39b9a

Comment 10 Fedora Update System 2019-10-25 19:45:47 UTC
perl-Convert-UUlib-1.6-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-e1ab606cd8

Comment 11 Fedora Update System 2019-10-25 21:27:08 UTC
perl-Convert-UUlib-1.6-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a21b8f3bbd

Comment 12 Fedora Update System 2019-10-26 03:07:53 UTC
perl-Convert-UUlib-1.6-1.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-c259095cc1

Comment 13 Fedora Update System 2019-10-26 06:07:46 UTC
perl-Convert-UUlib-1.6-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-7537404e9e

Comment 14 Fedora Update System 2019-10-26 15:31:58 UTC
perl-Convert-UUlib-1.6-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a9b576d1dd

Comment 15 Fedora Update System 2019-11-02 01:44:18 UTC
perl-Convert-UUlib-1.6-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2019-11-03 00:11:50 UTC
perl-Convert-UUlib-1.6-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2019-11-04 00:53:59 UTC
perl-Convert-UUlib-1.6-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2019-11-09 21:17:38 UTC
perl-Convert-UUlib-1.6-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2019-11-10 01:44:38 UTC
perl-Convert-UUlib-1.6-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2019-11-10 01:58:54 UTC
perl-Convert-UUlib-1.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

