MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at 0x7ffd6e029ee0) in mdb_numeric_to_string (called from mdb_xfer_bound_data and _mdb_attempt_bind). Reference: https://github.com/mdbtools/mdbtools/commit/373b7ff4c4daf887269c078407cb1338942c4ea6 https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mdbtools/OSV-2021-1003.yaml https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36187
Created mdbtools tracking bugs for this issue: Affects: epel-7 [bug 2044868] Affects: fedora-34 [bug 2044865] Affects: fedora-35 [bug 2044866]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
This is somewhat weird the original oss-fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36187 Links to 2 configs, one where it hit the bug and one where it was fixed: https://oss-fuzz.com/revisions?job=afl_asan_mdbtools&range=202107120613:202107140601 https://oss-fuzz.com/revisions?job=afl_asan_mdbtools&range=202107140601:202107150603 What is weird here is both point to the same mdbtools commit (the 0.9.3 release) and to the same mdbtools-data commit, the only difference between the issue being detected and it being reported fixed is the Aflplusplus commit. Also upstream is using oss-fuzz in mdbtools CI and there are no issues being reported there. Still I tried to reproduce downloading the clusterfuzz-testcase-minimized-fuzz_mdb-4756071066501120 file from the oss-fuzz report, replacing test/data/nwind.mdb with it and then running ./test_script.sh . This does hit a crash with a NULL pointer deref with both 0.9.3 and 1.0.0 build with CFLAGS="-g -O1 -fsanitize=address", but the original report of a "Dynamic-stack-buffer-overflow WRITE 16" issue does not reproduce. So all in all this feels like some weird false-positive from oss-fuzz and I think this bug-report can be closed. Please advice how to continue. I've created a fix for the NULL pointer deref (with the clusterfuzz-testcase-minimized-... file) and I will submit a pull-req for the fix for that upstream.
I just noticed that there is a second report for what seems to be more or less the same mysterious issue: https://bugzilla.redhat.com/show_bug.cgi?id=2044905 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35972 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-45926 The clusterfuzz-testcase-minimized-fuzz_mdb-6321096314978304 attached there gives a whole bunch of mdbtools errors when running ./test_script.sh, but no crashes / sanitizer reports.