A stack-based buffer overflow was found in findTable() in liblouis. An attacker could create a malicious file that would cause applications that use liblouis (such as Orca) to crash, or potentially execute arbitrary code when opened.
Acknowledgments: Name: Raphael Sanchez Prudencio (Red Hat)
Hi

Can you share details on this issue? Is upstream aware of the details?

I found only https://github.com/liblouis/liblouis/issues/425 asking Upstream on it.

Regards,
Salvatore
(In reply to Salvatore Bonaccorso from comment #5)
> Hi
>
> Can you share details on this issue? Is upstream aware of the details?
>
> I found only https://github.com/liblouis/liblouis/issues/425 asking Upstream
> on it.
>
> Regards,
> Salvatore

Hi Salvatore, this vulnerability (actually several buffer overflows in that same function) was sitting in our package because it was outdated. It was probably unknowingly fixed as this function was totally refactored during this merge: https://github.com/liblouis/liblouis/commit/dc97ef791a4fae9da11592c79f9f79e010596e0c#diff-7ade83431f79d2120c82012aee3b05c9L4524

This specific vulnerability does not exist in the upstream version and it was introduced in commit 26ca8619.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:3111 https://access.redhat.com/errata/RHSA-2017:3111
Hi Raphael,

(In reply to Raphael Sanchez Prudencio from comment #7)
> (In reply to Salvatore Bonaccorso from comment #5)
> > Hi
> >
> > Can you share details on this issue? Is upstream aware of the details?
> >
> > I found only https://github.com/liblouis/liblouis/issues/425 asking Upstream
> > on it.
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore, this vulnerability (actually several buffer overflows in that
> same function) was sitting in our package because it was outdated. It was
> probably unknowingly fixed as this function was totally refactored during
> this merge:
> https://github.com/liblouis/liblouis/commit/dc97ef791a4fae9da11592c79f9f79e010596e0c#diff-7ade83431f79d2120c82012aee3b05c9L4524
>
> This specific vulnerability does not exist in the upstream version and it was
> introduced in commit 26ca8619.

Thanks for this, this was really helpful to narrow down the affected status for us in Debian.

Regards,
Salvatore
Created attachment 1347137
proposed fix

Hello,

As mentioned upstream, this is not enough, the strncpy call does not catch buffer overflows and missing \0.

This patch should be fixing it.

Samuel
(In reply to Samuel Thibault from comment #10)
> Created attachment 1347137
> proposed fix
>
> Hello,
> As mentioned upstream, this is not enough, the strncpy call does not catch
> buffer overflows and missing \0.
> This patch should be fixing it.
> Samuel

* Edited *

Good catch Samuel, thanks! I will request a new CVE for this incomplete fix and link it here when I get it.
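As an added illustration of the point raised in comments 10 and 11 (this is not code from liblouis, from the attached patch, or from either commenter; TABLE_NAME_MAX and the function names are assumptions), the bounded strncpy pattern beside a copy that rejects over-long input and always terminates the destination:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed fixed-size buffer standing in for the stack buffer in findTable();
 * the real size in liblouis is not given in this thread. */
#define TABLE_NAME_MAX 16

/* Bounded strlen (strnlen is POSIX, so written out here to stay in plain C). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Weak pattern: strncpy bounded to the buffer size stays inside the buffer, but
 * it neither reports that the input was too long nor writes a terminating '\0'
 * when the source fills every byte, so a later strlen/strcat reads past dst. */
size_t copy_name_weak(char dst[TABLE_NAME_MAX], const char *src) {
    strncpy(dst, src, TABLE_NAME_MAX);
    return bounded_len(dst, TABLE_NAME_MAX);  /* == TABLE_NAME_MAX: no terminator */
}

/* Hardened pattern: measure the input with a bound first, reject anything that
 * does not fit together with its terminator, and always leave dst terminated. */
bool copy_name_checked(char dst[TABLE_NAME_MAX], const char *src) {
    size_t n = bounded_len(src, TABLE_NAME_MAX);
    if (n >= TABLE_NAME_MAX) {
        dst[0] = '\0';   /* well-defined empty string on rejection */
        return false;    /* caller must treat this as an error, not a table name */
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* True when the weak copy left dst as a terminated string. */
bool weak_copy_terminated(const char *src) {
    char dst[TABLE_NAME_MAX];
    return copy_name_weak(dst, src) < TABLE_NAME_MAX;
}

/* True when the checked copy accepted src and dst reproduces it exactly. */
bool checked_copy_ok(const char *src) {
    char dst[TABLE_NAME_MAX];
    return copy_name_checked(dst, src) && strcmp(dst, src) == 0;
}
```

The constructed inputs in the test below use a short table name and one that fills the assumed buffer; only the checked copy reports the over-long case instead of silently leaving an unterminated buffer.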
New CVE was generated for the incomplete fix: CVE-2017-15101. https://bugzilla.redhat.com/show_bug.cgi?id=1511023
External References: https://github.com/liblouis/liblouis/issues/425