Your message dated Wed, 9 Sep 2020 17:06:34 +0200
with message-id <20200909150634.GA1471@curuxu>
and subject line Re: Bug#862708: overread of heap-data in TNEFDefaultHandler by a missing null byte
has caused the Debian Bug report #862708,
regarding overread of heap-data in TNEFDefaultHandler by a missing null byte
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
862708: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862708
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libytnef0
Version: 1.9.2-1
Severity: normal
Tags: security

Hi,

We find that the following code may cause an over-read of a buffer and leak extra bytes to the output. The reason is that the data char array is a user-controlled value and is not guaranteed to end with a '\0' byte. So it needs extra checking, or we can force the last byte to be '\0'.

libytnef.c:
246 int TNEFDefaultHandler STD_ARGLIST {
    if (TNEF->Debug >= 1){
+       data[size-1]='\0';
        printf("%s: [%i] %s\n", TNEFList[id].name, size, data);}
    return 0;
}

To verify this, use the testcase from:
https://github.com/bingosxs/fuzzdata/raw/master/ytnef-1.9/18-TNEFDefaultHandler.tnef

Run the sample with the command:
ytnef/.libs/ytnef -v 18-TNEFDefaultHandler.tnef

The tracelog is:
=================================================================
canicula@canicula-Lenovo-Product-64:~/afl/test/libytnef0/testenv$ valgrind ./bin/ytnef -v ../../libytnef0/testenv/out/crashes/id\:000018\,sig\:06\,src\:000011\,op\:int16\,pos\:1141\,val\:+16
==16517== Memcheck, a memory error detector
==16517== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==16517== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==16517== Command: ./bin/ytnef -v ../../libytnef0/testenv/out/crashes/id:000018,sig:06,src:000011,op:int16,pos:1141,val:+16
==16517==
Attempting to parse ../../libytnef0/testenv/out/crashes/id:000018,sig:06,src:000011,op:int16,pos:1141,val:+16...
Request Response: [2] �
==16517== Invalid read of size 1
==16517==    at 0x50A8CC0: vfprintf (vfprintf.c:1632)
==16517==    by 0x50AF898: printf (printf.c:33)
==16517==    by 0x4E3BE42: TNEFDefaultHandler (ytnef.c:250)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5424b71 is 0 bytes after a block of size 1 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E46450: TNEFParse (ytnef.c:1154)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==
Message Status: [1] !
==16517== Invalid write of size 4
==16517==    at 0x4E3F381: TNEFFillMapi (ytnef.c:543)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5427cd8 is 8 bytes after a block of size 0 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==
==16517== Invalid write of size 8
==16517==    at 0x4E3F39A: TNEFFillMapi (ytnef.c:544)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5427cd0 is 0 bytes after a block of size 0 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==
==16517== Invalid read of size 4
==16517==    at 0x4E3F437: TNEFFillMapi (ytnef.c:548)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5427cd8 is 8 bytes after a block of size 0 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==
Corrupted file detected at ytnef.c : 546
ERROR Parsing MAPI block
calendar.ics
==16517==
==16517== HEAP SUMMARY:
==16517==     in use at exit: 2,124 bytes in 531 blocks
==16517==   total heap usage: 607 allocs, 76 frees, 17,132 bytes allocated
==16517==
==16517== LEAK SUMMARY:
==16517==    definitely lost: 2,124 bytes in 531 blocks
==16517==    indirectly lost: 0 bytes in 0 blocks
==16517==      possibly lost: 0 bytes in 0 blocks
==16517==    still reachable: 0 bytes in 0 blocks
==16517==         suppressed: 0 bytes in 0 blocks
==16517== Rerun with --leak-check=full to see details of leaked memory
==16517==
==16517== For counts of detected and suppressed errors, rerun with: -v
==16517== ERROR SUMMARY: 1593 errors from 4 contexts (suppressed: 0 from 0)
--------------------------------------------------------
self ref:: https://github.com/Yeraze/ytnef/issues/48

Credits:
National Computer Network Emergency Response Technical Team/Coordination Center of China.
Wang Bo, Fan Lejun, Wu Qian. TCA, ISCAS.
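Review bot: the proposed `+ data[size-1]='\0';` only removes the over-read when `size >= 1`; for a zero-length attribute it indexes one byte before the allocation and turns a read overflow into a heap write underflow (the same trace shows `calloc` producing a block of size 0 in TNEFFillMapi, so empty buffers do occur in this parser). It also overwrites the last byte of `data` for every later consumer of that attribute, which a debug-only branch should not do. A bounded conversion avoids both problems without touching the buffer: `printf("%s: [%i] %.*s\n", TNEFList[id].name, size, size, data);` makes printf read at most `size` bytes whether or not a NUL is present (if `size` is not an `int`, cast the precision argument). Alternatively allocate `size + 1` bytes where `data` is created (the `calloc` at ytnef.c:1154 in the trace) and terminate it there, so every handler gets a valid C string. The out-of-bounds writes and read in TNEFFillMapi at ytnef.c:543, 544 and 548 are a separate bug that this hunk does not address.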
--- End Message ---
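The over-read the report describes, and the two defences a reviewer would ask for in its place, as an added example in C. This is my own code, not ytnef's and not part of the report: `nul_within`, `format_attr_line` and `make_unterminated` are hypothetical names, and the two-byte "Request Response" body is constructed to mirror the `[2]` attribute in the valgrind trace while staying printable. The point it shows is that `%.*s` with the attribute length as precision bounds what `printf` may read, so no NUL is needed and the caller's buffer is never modified.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not ytnef code). A parser hands a debug printer a heap
 * buffer of exactly `size` attacker-controlled bytes with no terminating
 * NUL. printf("%s", data) then scans past the allocation until it happens
 * to hit a zero byte, leaking whatever heap bytes follow (valgrind's
 * "Invalid read of size 1 ... 0 bytes after a block of size 1").
 */

/* Check to run before any %s on parser-supplied bytes: is there a NUL inside
 * the first `size` bytes? memchr never looks past `size`. Returns 1/0. */
int nul_within(const unsigned char *data, size_t size)
{
    return memchr(data, '\0', size) != NULL;
}

/* Hardened formatter. The %.*s precision caps how many bytes printf reads,
 * so the call is bounded by `size` whether or not a NUL is present, and the
 * attribute buffer is left untouched (unlike data[size-1] = '\0', which also
 * underflows when size == 0). Returns a malloc'd line (caller frees) or NULL. */
char *format_attr_line(const char *name, const unsigned char *data, size_t size)
{
    /* printf precision is an int; clamp instead of letting a huge size wrap
     * negative (a negative precision means "unlimited" and reopens the bug). */
    int prec = size > (size_t)INT_MAX ? INT_MAX : (int)size;

    int n = snprintf(NULL, 0, "%s: [%zu] %.*s\n", name, size, prec, (const char *)data);
    if (n < 0)
        return NULL;
    char *line = malloc((size_t)n + 1);
    if (!line)
        return NULL;
    snprintf(line, (size_t)n + 1, "%s: [%zu] %.*s\n", name, size, prec, (const char *)data);
    return line;
}

/* Constructed input: an attribute body of exactly `size` bytes, allocated to
 * exactly that size (like calloc(size, 1) in a parser) with no NUL appended,
 * so any read past data[size-1] is a real heap over-read under valgrind/ASan. */
unsigned char *make_unterminated(const char *bytes, size_t size)
{
    unsigned char *p = malloc(size ? size : 1);
    if (p && size)
        memcpy(p, bytes, size);
    return p;
}

int main(void)
{
    /* two-byte "Request Response" body, as in the report's trace, but printable */
    unsigned char *data = make_unterminated("!?", 2);
    if (!data)
        return 1;

    /* Vulnerable pattern from the report, deliberately left commented out:
     *   printf("%s: [%i] %s\n", "Request Response", 2, data);
     * It would read data[2], one byte past the two-byte allocation. */

    if (!nul_within(data, 2))
        puts("no NUL within the attribute: %s would over-read, printing bounded instead");

    char *line = format_attr_line("Request Response", data, 2);
    if (line) {
        fputs(line, stdout);   /* Request Response: [2] !? */
        free(line);
    }
    free(data);
    return 0;
}
```

Run it under `valgrind` or with `-fsanitize=address` and no error is reported; swap the commented `printf` back in and the tool flags the same one-byte read past the block that the report's trace shows at ytnef.c:250.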
--- Begin Message ---
control: fixed -1 libytnef/1.9.3-1

Hi,

Sorry for the late response; unfortunately this mail didn't reach my inbox for some reason.

On Tue, May 16, 2017 at 10:10:56AM +0800, bingosxs wrote:
> Package: libytnef0
> Version: 1.9.2-1
> Severity: normal
> Tags: security
>
> Hi,
>
> We find the following code may cause over-read of buffer and leak extra bytes
> to the output.

According to upstream this was fixed with the 1.9.3 release, which has been in Debian for some time. Hence closing and tagging accordingly.

Thanks for reporting,
--
Ricardo Mones
http://people.debian.org/~mones
«Truth will out this morning. (Which may really mess things up.)»
--- End Message ---

