Hello,

I have no more information than you do. If you can find out who raised the issue, please ask them to send me the example of the crafted file.

The bug says "stack-based buffer over-read and application crash" - the file https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul/stack-overflow doesn't show an application crash, it shows only the stack-based buffer over-read of 1 byte.

I've known about that one-byte buffer over-read, I fixed it in 2015, and I haven't yet got around to making a release of libmspack with this fix, because I didn't consider it a vulnerability at the time and still don't consider it one now.

https://github.com/kyz/libmspack/commit/3e3436af6010ac245d7a390c6798e2b81ce09191
2015-05-10  Stuart Caie <ky...@4u.net>
    * cabd_read_string(): correct rejection of empty strings. Thanks to
    Hanno Böck for finding the issue and providing a sample file.

I had a philosophical discussion with Hanno Böck about it, I wasn't persuaded that it's a real vulnerability. If you craft a CAB file with an empty CAB string, one byte will be overread. You can't make it over-read an arbitrary number of bytes, just the empty string -> 1 byte overread.

This report says "and application crash" -- I still have no evidence this is true (unless you've instrumented your code to monitor all overreads and deliberately crash yourself when you see one). If you want me to release libmspack to address a CVE created for a non-vulnerability, please let me know.

Regards
Stuart

On 23/07/17 16:17, Marc Dequènes (duck) wrote:
Quack,

I added libmspack's upstream author in case he could give a hand.
Here is the bugreport: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868956

On 2017-07-20 05:15, Salvatore Bonaccorso wrote:

Unfortunately the upstream bug [1] is locked-down.

Thanks for reporting it. Unfortunately I don't see how I can solve this problem. If all information is hidden on a related but not upstream bug tracker (which really should have one), if there's no patch or new release either, then I'm honestly at a loss.

If I happen to create an account on ClamAV's bug tracker, would you be able to give me access?

Regards.
\_o<

