Bug 2044864 (CVE-2021-45927) - CVE-2021-45927 mdbtools: a stack-based buffer overflow in mdb_numeric_to_string
Summary: CVE-2021-45927 mdbtools: a stack-based buffer overflow in mdb_numeric_to_string
Alias: CVE-2021-45927
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2044866 2044868 2044865
TreeView+ depends on / blocked
Reported: 2022-01-25 10:31 UTC by Marian Rehak
Modified: 2022-01-31 12:09 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-01-25 11:30:49 UTC

Attachments (Terms of Use)

Description Marian Rehak 2022-01-25 10:31:56 UTC
MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at 0x7ffd6e029ee0) in mdb_numeric_to_string (called from mdb_xfer_bound_data and _mdb_attempt_bind).



Comment 1 Marian Rehak 2022-01-25 10:32:31 UTC
Created mdbtools tracking bugs for this issue:

Affects: epel-7 [bug 2044868]
Affects: fedora-34 [bug 2044865]
Affects: fedora-35 [bug 2044866]

Comment 2 Product Security DevOps Team 2022-01-25 11:30:47 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 3 Hans de Goede 2022-01-25 13:46:28 UTC
This is somewhat weird the original oss-fuzz report:

Links to 2 configs, one where it hit the bug and one where it was fixed:


What is weird here is both point to the same mdbtools commit (the 0.9.3 release) and to the same mdbtools-data commit, the only difference between the issue being detected and it being reported fixed is the Aflplusplus commit.

Also upstream is using oss-fuzz in mdbtools CI and there are no issues being reported there.

Still I tried to reproduce downloading the clusterfuzz-testcase-minimized-fuzz_mdb-4756071066501120 file from the oss-fuzz report, replacing test/data/nwind.mdb with it and then running ./test_script.sh . This does hit a crash with a NULL pointer deref with both 0.9.3 and 1.0.0 build with CFLAGS="-g -O1 -fsanitize=address", but the original report of a "Dynamic-stack-buffer-overflow WRITE 16" issue does not reproduce.

So all in all this feels like some weird false-positive from oss-fuzz and I think this bug-report can be closed. Please advice how to continue.

I've created a fix for the NULL pointer deref (with the clusterfuzz-testcase-minimized-... file) and I will submit a pull-req for the fix for that upstream.

Comment 4 Hans de Goede 2022-01-25 14:09:10 UTC
I just noticed that there is a second report for what seems to be more or less the same mysterious issue:


The clusterfuzz-testcase-minimized-fuzz_mdb-6321096314978304 attached there gives a whole bunch of mdbtools errors when running ./test_script.sh, but no crashes / sanitizer reports.

Note You need to log in before you can comment on or make changes to this bug.