GNU Libextractor before version 1.7 is vulnerable to a stack-based buffer overflow in the unzip.c:ec_read_file_func() function. An attacker could exploit this to cause a denial of service via a crafted file.
Reference: http://lists.gnu.org/archive/html/bug-libextractor/2018-07/msg00001.html
Upstream Patch: https://gnunet.org/git/libextractor.git/commit/?id=ad19e7fe0adc99d5710eff1ed48d91a7b75a950e
Created libextractor tracking bugs for this issue: Affects: fedora-all [bug 1608160]
Reproduced with libextractor-1.6-4.fc28.x86_64:

# ASAN_OPTIONS=detect_leaks=0 libextractor-extract binhsQxywt6QK.bin
Keywords for file binhsQxywt6QK.bin:
mimetype - audio/ogg

The AddressSanitizer reports of the two plugin processes (PID 74, zip plugin; PID 64, odf plugin) were interleaved on the terminal; separated by process they read:

=================================================================
==74==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd43b98fa4 at pc 0x7f3839ebf30d bp 0x7ffd43b98a60 sp 0x7ffd43b98208
WRITE of size 1028 at 0x7ffd43b98fa4 thread T0
    #0 0x7f3839ebf30c (/usr/lib64/libasan.so.5+0x4030c)
    #1 0x7f38293cab74 in ec_read_file_func /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:1353
    #2 0x7f38293c5fa3 in locate_central_directory /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:492
    #3 0x7f38293c7484 in unzip_open_using_ffd /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:740
    #4 0x7f38293cae3e in EXTRACTOR_common_unzip_open /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:1413
    #5 0x7f38295cdd8b in EXTRACTOR_zip_extract_method zip_extractor.c:44
    #6 0x7f3839c67fcb in handle_start_message extractor_plugin_main.c:480
    #7 0x7f3839c68369 in process_requests extractor_plugin_main.c:531
    #8 0x7f3839c68764 in EXTRACTOR_plugin_main_ extractor_plugin_main.c:632
    #9 0x7f3839c60fe4 in EXTRACTOR_IPC_channel_create_ extractor_ipc_gnu.c:352
    #10 0x7f3839c6a914 in EXTRACTOR_extract extractor.c:659
    #11 0x404716 (/usr/bin/libextractor-extract+0x404716)
    #12 0x7f38398b218a in __libc_start_main (/usr/lib64/libc.so.6+0x2318a)
    #13 0x4016f9 (/usr/bin/libextractor-extract+0x4016f9)

=================================================================
==64==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd43b98f34 at pc 0x7f3839ebf30d bp 0x7ffd43b989f0 sp 0x7ffd43b98198
WRITE of size 1028 at 0x7ffd43b98f34 thread T0
    #0 0x7f3839ebf30c (/usr/lib64/libasan.so.5+0x4030c)
    #1 0x7f38293c8b74 in ec_read_file_func /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:1353
    #2 0x7f38293c3fa3 in locate_central_directory /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:492
    #3 0x7f38293c5484 in unzip_open_using_ffd /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:740
    #4 0x7f38293c8e3e in EXTRACTOR_common_unzip_open /usr/src/debug/libextractor-1.6-4.fc28.x86_64/src/common/unzip.c:1413
    #5 0x7f38295ccd68 in EXTRACTOR_odf_extract_method odf_extractor.c:167
    #6 0x7f3839c67fcb in handle_start_message extractor_plugin_main.c:480
    #7 0x7f3839c68369 in process_requests extractor_plugin_main.c:531
    #8 0x7f3839c68764 in EXTRACTOR_plugin_main_ extractor_plugin_main.c:632
    #9 0x7f3839c60fe4 in EXTRACTOR_IPC_channel_create_ extractor_ipc_gnu.c:352
    (frames #10 and later of this process are not in the captured output)
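To illustrate the bug class the trace reports (a read-through helper whose memcpy into the caller's fixed stack buffer writes more bytes than that buffer holds), here is an added C example that is not libextractor's code: the callback shape, the constructed data source and the guard-byte caller are assumptions, and the bounded variant shows the check that keeps the copy within the caller's buffer.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Assumed callback shape (not libextractor's real API): the helper asks a
 * source for up to `size` bytes and gets back a pointer plus a byte count. */
typedef ssize_t (*read_cb)(void *cls, void **data, size_t size);

struct source {
  const unsigned char *base;
  size_t len, pos;
  size_t misreport;   /* constructed fault: if nonzero, claim this many bytes */
};

/* Constructed source. Honest unless `misreport` is set, in which case it claims
 * more bytes than requested: the contract violation that turns the helper's
 * memcpy into a stack-buffer overflow in the caller. */
static ssize_t source_read(void *cls, void **data, size_t size) {
  struct source *s = cls;
  size_t avail = s->len - s->pos;
  size_t n = size < avail ? size : avail;
  *data = (unsigned char *)s->base + s->pos;
  s->pos += n;
  return (ssize_t)(s->misreport ? s->misreport : n);
}

/* Unchecked read-through: copies however many bytes the source claims, so an
 * over-reporting source writes past the end of `buf`. Never run it with a
 * misreporting source; it is here only for contrast with the bounded version. */
static size_t read_through_unchecked(read_cb rd, void *cls, void *buf, size_t size) {
  void *ptr;
  ssize_t ret = rd(cls, &ptr, size);
  if (ret > 0) memcpy(buf, ptr, (size_t)ret);
  return ret > 0 ? (size_t)ret : 0;
}

/* Bounded read-through: the copy can never exceed the caller's `size`, and a
 * source that claims more than requested is treated as a failed read. */
static size_t read_through_bounded(read_cb rd, void *cls, void *buf, size_t size) {
  void *ptr = NULL;
  ssize_t ret = rd(cls, &ptr, size);
  if (ret <= 0 || NULL == ptr || (size_t)ret > size) return 0;
  memcpy(buf, ptr, (size_t)ret);
  return (size_t)ret;
}

/* Caller with a fixed stack buffer flanked by 0xAA guard bytes, standing in for
 * the fixed buffer locate_central_directory reads into. Returns the bytes
 * copied, or 0 if the read was rejected or any guard byte was overwritten. */
size_t read_fixed(size_t misreport, size_t want, int bounded) {
  static const unsigned char sample[64] = "PK\x05\x06 constructed end-of-central-directory";
  struct source s = { sample, sizeof sample, 0, misreport };
  struct { unsigned char lo[16], buf[32], hi[16]; } f;
  memset(&f, 0xAA, sizeof f);
  if (want > sizeof f.buf) want = sizeof f.buf;   /* keep the honest path in bounds */
  size_t n = bounded ? read_through_bounded(source_read, &s, f.buf, want)
                     : read_through_unchecked(source_read, &s, f.buf, want);
  for (size_t i = 0; i < sizeof f.lo; i++)
    if (f.lo[i] != 0xAA || f.hi[i] != 0xAA) return 0;
  return n;
}
```

With an honest source both helpers copy exactly the requested bytes; with a source that claims 1028 bytes for a 16-byte request (the write size in the trace), the bounded helper refuses the read and the guard bytes stay intact.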
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.