Description of problem:
When processing certain text, a segmentation fault is generated in the ScanData method in UUlib.so.

Version-Release number of selected component (if applicable):
perl-Convert-UUlib-1.5-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. The following Perl script uses UUlib to read files and process them.

-- >8 cut here --
use Convert::UUlib ':all';
LoadFile 'badfile';
-- >8 cut here --

2. The following input file, when passed to the above Perl, causes the Segmentation Fault. Save this text to a file named "badfile".

-- >8 cut here --
a

a

Content-Type: text/plain
-- >8 cut here --

This is a hexdump of badfile to show the bytes.

$ hexdump -C badfile
00000000  61 0a 0a 61 0a 0a 43 6f  6e 74 65 6e 74 2d 54 79  |a..a..Content-Ty|
00000010  70 65 3a 20 74 65 78 74  2f 70 6c 61 69 6e 0a     |pe: text/plain.|
0000001f
$ wc badfile
 5  4 31 badfile

3. With the Perl code saved in foo.pl and the text from step 2 saved in a file named badfile, run:

$ perl foo.pl
Segmentation fault

Actual results:
Segmentation fault.

Expected results:
Library should read text and either produce an error if badly formed, otherwise it should decode it.

Additional info:
This is what I see in gdb.

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
$ gdb perl
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-114.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl...Reading symbols from /usr/lib/debug/usr/bin/perl.debug...done.
done.
(gdb) run foo.pl
Starting program: /usr/bin/perl foo.pl
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007fffefdb6972 in ScanData (datei=datei@entry=0x62a3c0, errcode=errcode@entry=0x7fffffffdf78, boundary=boundary@entry=0x0, ismime=<optimized out>, checkheaders=checkheaders@entry=1, result=result@entry=0x626c50, fname=0x6284e0 "badfile") at uuscan.c:821
821           while (!isspace (*p2) && *p2 != ';') p2++;
(gdb) print p2
$1 = 0x7ffff7f41c0d "text/plain"
(gdb) list
816           break;
817         }
818         if ((ptr = strchr (line, ':')) != NULL) {
819           ptr++;
820           while (isspace (*ptr)) ptr++; p2 = ptr;
821           while (!isspace (*p2) && *p2 != ';') p2++;
822           c = *p2; *p2 = '\0';
823           if (p2 != ptr) {
824             _FP_free (result->mimetype);
825             result->mimetype = _FP_strdup (ptr);
(gdb) bt
#0  0x00007fffefdb6972 in ScanData (datei=datei@entry=0x62a3c0, errcode=errcode@entry=0x7fffffffdf78, boundary=boundary@entry=0x0, ismime=<optimized out>, checkheaders=checkheaders@entry=1, result=result@entry=0x626c50, fname=0x6284e0 "badfile") at uuscan.c:821
#1  0x00007fffefdb878c in ScanPart (datei=datei@entry=0x62a3c0, fname=fname@entry=0x6284e0 "badfile", errcode=errcode@entry=0x7fffffffdf78) at uuscan.c:3141
#2  0x00007fffefda848a in UULoadFileWithPartNo (filename=filename@entry=0x6284e0 "badfile", fileid=0x6284e0 "badfile", fileid@entry=0x0, delflag=delflag@entry=0, partno=partno@entry=-1, partcount=partcount@entry=0x7fffffffe074) at uulib.c:790
#3  0x00007fffefda5181 in XS_Convert__UUlib_LoadFile (my_perl=<optimized out>, cv=<optimized out>) at UUlib.xs:382
#4  0x00007ffff7b0941f in Perl_pp_entersub (my_perl=0x603010) at pp_hot.c:2778
#5  0x00007ffff7b01b96 in Perl_runops_standard (my_perl=0x603010) at run.c:41
#6  0x00007ffff7a9e985 in S_run_body (oldscope=<optimized out>, my_perl=<optimized out>) at perl.c:2402
#7  perl_run (my_perl=0x603010) at perl.c:2320
#8  0x0000000000400ce9 in main (argc=3, argv=0x7fffffffe398, env=0x7fffffffe3b8) at perlmain.c:120

This bug is causing problems with Amavis for us because Amavis uses perl-Convert-UUlib to decode some mime attachments, and one of them is now causing crashes in the scanner. I've narrowed down the text in the attachment as much as possible. Removing any line or even a character in the file means the segmentation faults stop. The letter "a" in the first two lines can be replaced with any character or group of characters, but the last line must remain unchanged. There are no funny characters in the input file, nor DOS line-endings, as shown by the hexdump above.
Thank you very much for the long report, I've asked upstream to have a look at it.
Noel, upstream was able to reproduce and fix the issue, and acknowledges you for the (unexploitable for other than denial of service) heap overflow in the changelog. I'll push an updated package to all branches in the next hours.
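Added example, not part of the thread and not upstream's patch: the loop listed at uuscan.c:821 advances p2 until it finds whitespace or ';' and has no test for the end of the string. The C function below scans the same kind of header value with an explicit length bound; the name header_value_token and its signature are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* header_value_token (hypothetical helper): copy the first token of a header
 * value, e.g. "text/plain" from "Content-Type: text/plain", into out.
 * line holds len valid bytes and need not be NUL-terminated. Returns the
 * token length, 0 if there is no ':' or no value, -1 if out is too small.
 * Unlike the listed code it does not write into line. */
int header_value_token(const char *line, size_t len, char *out, size_t outsz)
{
    const char *nul, *end, *ptr, *p2;
    size_t n;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    /* treat an embedded NUL as the end of the line */
    nul = memchr(line, '\0', len);
    if (nul != NULL)
        len = (size_t)(nul - line);
    end = line + len;
    ptr = memchr(line, ':', len);
    if (ptr == NULL)
        return 0;
    ptr++;
    /* skip whitespace after the colon, bounded by end */
    while (ptr < end && isspace((unsigned char)*ptr))
        ptr++;
    /* the token stops at whitespace, ';' or the end of the data */
    p2 = ptr;
    while (p2 < end && *p2 != ';' && !isspace((unsigned char)*p2))
        p2++;
    n = (size_t)(p2 - ptr);
    if (n >= outsz)
        return -1;
    memcpy(out, ptr, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char raw[24], type[64]; /* constructed input: badfile's header line, unterminated */
    memcpy(raw, "Content-Type: text/plain", sizeof raw);
    printf("%d\n", header_value_token(raw, sizeof raw, type, sizeof type));
    return 0;
}
```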
FEDORA-2019-a9b576d1dd has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a9b576d1dd
FEDORA-2019-4ea3b39b9a has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4ea3b39b9a
FEDORA-2019-a21b8f3bbd has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a21b8f3bbd
FEDORA-EPEL-2019-c259095cc1 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-c259095cc1
FEDORA-EPEL-2019-e1ab606cd8 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-e1ab606cd8
FEDORA-EPEL-2019-7537404e9e has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-7537404e9e
perl-Convert-UUlib-1.6-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4ea3b39b9a
perl-Convert-UUlib-1.6-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-e1ab606cd8
perl-Convert-UUlib-1.6-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a21b8f3bbd
perl-Convert-UUlib-1.6-1.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-c259095cc1
perl-Convert-UUlib-1.6-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-7537404e9e
perl-Convert-UUlib-1.6-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a9b576d1dd
perl-Convert-UUlib-1.6-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
perl-Convert-UUlib-1.6-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
perl-Convert-UUlib-1.6-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
perl-Convert-UUlib-1.6-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
perl-Convert-UUlib-1.6-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.
perl-Convert-UUlib-1.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.