Bug 1610887 (CVE-2018-10922) - CVE-2018-10922 ttembed: use of untrusted length field may lead to denial of service
Summary: CVE-2018-10922 ttembed: use of untrusted length field may lead to denial of s...
Status: CLOSED WONTFIX
Alias: CVE-2018-10922
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20180802:1545,repor...
Keywords: Security
Depends On: 1611683 1611681 1611682
Blocks: 1608880 1610916
TreeView+ depends on / blocked
 
Reported: 2018-08-01 14:41 UTC by Scott Gayou
Modified: 2019-06-11 11:13 UTC (History)
3 users (show)

(edit)
An input validation flaw exists in ttembed. With a crafted input file, an attacker may be able to trigger a denial of service condition due to ttembed trusting attacker controlled values.
Clone Of:
(edit)
Last Closed: 2019-06-10 10:34:46 UTC


Attachments (Terms of Use)

Description Scott Gayou 2018-08-01 14:41:46 UTC
A failure to validate an untrusted length field could potentially lead to a denial of service condition.

Comment 1 Scott Gayou 2018-08-01 14:41:49 UTC
Acknowledgments:

Name: Scott Gayou (Red Hat)

Comment 3 Scott Gayou 2018-08-01 14:52:10 UTC
time ttembed hang.useme 

real	13m6.415s
user	3m47.487s
sys	9m16.191s

Comment 6 Scott Gayou 2018-08-02 15:45:56 UTC
Unembargoed due to very low impact. Upstream notified.

Comment 7 Scott Gayou 2018-08-02 15:47:38 UTC
Created ttembed tracking bugs for this issue:

Affects: fedora-all [bug 1611683]

Comment 9 Scott Gayou 2018-08-02 16:16:15 UTC
Upstream Issue:

https://github.com/hisdeedsaredust/ttembed/issues/2

Comment 10 Scott Gayou 2018-08-02 16:25:36 UTC
If a large length (0x7fffffff) is parsed by ttembed, the following loop will run for quite a long time causing a denial of service:

    for (x=length;x>0;x-=4)
        sum += readbe32(inways);

As readbe32 calls fgetc four times, this results in roughly 8589934588 calls to fgetc. On my computer, it takes ttembed around 13 minutes to finish looping.

time ttembed hang.useme 


real	13m6.415s
user	3m47.487s
sys	9m16.191s

Instead of looping forever, the code should fail as soon as readbe32 detects an EOF, else, the program should verify the bounds of the program and bail out when size > actual size of the file.


Note You need to log in before you can comment on or make changes to this bug.