Your message dated Tue, 13 Feb 2018 09:34:28 +0000
with message-id <e1elwyq-0007v7...@fasolo.debian.org>
and subject line Bug#889270: fixed in advancecomp 2.1-1
has caused the Debian Bug report #889270,
regarding advancecomp: CVE-2018-1056: heap buffer overflow while running advzip
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
889270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: advancecomp
Version: 2.0-1
Severity: important
Tags: security

heap buffer overflow running advzip with "-l poc" option

Running 'advzip -l poc' with the attached file raises a heap buffer overflow,
which may allow a remote attacker to cause unspecified impact, including a
denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes
as follows:

june@june:~/temp/report/advzip/00030552$ ../../binary/advancecomp-2.0/advzip -l ./poc
=================================================================
==9858==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000effd at pc 0x7ffff6e9af7f bp 0x7fffffffd6c0 sp 0x7fffffffce70
READ of size 2020 at 0x60600000effd thread T0
    #0 0x7ffff6e9af7e  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
    #1 0x555555579c2a in zip_entry::load_cent(unsigned char const*, unsigned int&) /home/june/temp/report/binary/advancecomp-2.0/zip.cc:722
    #2 0x55555557b56f in zip::open() /home/june/temp/report/binary/advancecomp-2.0/zip.cc:867
    #3 0x55555556e7a6 in list_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:122
    #4 0x55555556f8b2 in list_all(int, char**, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:261
    #5 0x55555557214c in process(int, char**) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:613
    #6 0x555555572446 in main /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:623
    #7 0x7ffff60082b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #8 0x55555556daf9 in _start (/home/june/temp/report/binary/advancecomp-2.0/advzip+0x19af9)

0x60600000effd is located 0 bytes to the right of 61-byte region [0x60600000efc0,0x60600000effd)
allocated by thread T0 here:
    #0 0x7ffff6effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x555555583a4a in data_alloc(unsigned int) /home/june/temp/report/binary/advancecomp-2.0/data.cc:51
    #2 0x555555573af2 in cent_read(_IO_FILE*, unsigned int, unsigned char*&, unsigned int&) /home/june/temp/report/binary/advancecomp-2.0/zip.cc:113
    #3 0x55555557b3c5 in zip::open() /home/june/temp/report/binary/advancecomp-2.0/zip.cc:847
    #4 0x55555556e7a6 in list_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:122
    #5 0x55555556f8b2 in list_all(int, char**, bool) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:261
    #6 0x55555557214c in process(int, char**) /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:613
    #7 0x555555572446 in main /home/june/temp/report/binary/advancecomp-2.0/rezip.cc:623
    #8 0x7ffff60082b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
==9858==ABORTING

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages advancecomp depends on:
ii  libc6       2.24-11+deb9u1
ii  libgcc1     1:6.3.0-18
ii  libstdc++6  6.3.0-18
ii  zlib1g      1:1.2.8.dfsg-5

advancecomp recommends no packages.

advancecomp suggests no packages.

-- no debconf information

Attachment: poc
Description: Zip archive


--- End Message ---
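
The trace in the report above shows a 2020-byte read starting at the end of the 61-byte central directory buffer. As an added example (not advancecomp's code and not the upstream fix), this sketch shows the bounds check a central directory entry parser needs before copying its variable-length fields. `parse_cent` and `make_sample` are hypothetical names, and the sample assumes the oversized length sits in the extra field, which the report does not state.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Fixed part of a ZIP central directory file header (46 bytes).
constexpr std::size_t kCentFixed = 46;

struct CentEntry { std::string name, comment; std::vector<unsigned char> extra; };

static std::size_t le16(const unsigned char* p) {
    return static_cast<std::size_t>(p[0]) | (static_cast<std::size_t>(p[1]) << 8);
}

// Parse one entry at buf[pos]. Returns false, leaving pos untouched, when the
// fixed header or the variable-length fields would run past buf[size).
bool parse_cent(const unsigned char* buf, std::size_t size, std::size_t& pos, CentEntry& out) {
    if (pos > size || size - pos < kCentFixed) return false;
    const unsigned char* h = buf + pos;
    if (h[0] != 'P' || h[1] != 'K' || h[2] != 1 || h[3] != 2) return false;
    // The three lengths come from the file, so they are untrusted input.
    const std::size_t name_len = le16(h + 28);
    const std::size_t extra_len = le16(h + 30);
    const std::size_t comment_len = le16(h + 32);
    const std::size_t avail = size - pos - kCentFixed;
    // Each length is at most 65535, so the sum cannot wrap a size_t.
    if (name_len + extra_len + comment_len > avail) return false;
    const unsigned char* v = h + kCentFixed;
    out.name.assign(reinterpret_cast<const char*>(v), name_len);
    out.extra.assign(v + name_len, v + name_len + extra_len);
    out.comment.assign(reinterpret_cast<const char*>(v + name_len + extra_len), comment_len);
    pos += kCentFixed + name_len + extra_len + comment_len;
    return true;
}

// Constructed sample: a header followed by name_len name bytes only; extra_len
// is declared in the header but no extra bytes are present in the buffer.
std::vector<unsigned char> make_sample(unsigned name_len, unsigned extra_len) {
    std::vector<unsigned char> b(kCentFixed + name_len, 'a');
    for (std::size_t i = 0; i < kCentFixed; ++i) b[i] = 0;
    b[0] = 'P'; b[1] = 'K'; b[2] = 1; b[3] = 2;
    b[28] = static_cast<unsigned char>(name_len & 0xff);
    b[29] = static_cast<unsigned char>(name_len >> 8);
    b[30] = static_cast<unsigned char>(extra_len & 0xff);
    b[31] = static_cast<unsigned char>(extra_len >> 8);
    return b;
}

int main() {
    std::vector<unsigned char> b = make_sample(15, 2020);  // 61 bytes, 2020 declared
    std::size_t pos = 0;
    CentEntry e;
    return parse_cent(b.data(), b.size(), pos, e) ? 1 : 0;  // exit 0: entry rejected
}
```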
--- Begin Message ---
Source: advancecomp
Source-Version: 2.1-1

We believe that the bug you reported is fixed in the latest version of
advancecomp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Ożarowski <pi...@debian.org> (supplier of updated advancecomp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Feb 2018 09:40:50 +0100
Source: advancecomp
Binary: advancecomp
Architecture: source amd64
Version: 2.1-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <pi...@debian.org>
Changed-By: Piotr Ożarowski <pi...@debian.org>
Description:
 advancecomp - collection of recompression utilities
Closes: 889270
Changes:
 advancecomp (2.1-1) unstable; urgency=high
 .
   * New upstream release
     - fixes CVE-2018-1056 (heap buffer overflow while running advzip)
       closes: 889270
   * Standards-version bumped to 4.1.3 (no other changes needed)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
