On 04.12.2017 at 20:53, Salvatore Bonaccorso wrote:
> Hi
> 
> On Mon, Dec 04, 2017 at 08:27:13PM +0100, Salvatore Bonaccorso wrote:
>> Hi Markus,
>>
>> On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
>>> Package: src:libextractor
>>> Version: 1:1.6-1
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>>>
>>> while I was working on the security update for Wheezy I discovered
>>> that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
>>> and CVE-2017-15602. I could reproduce two segmentation faults with the
>>> provided POCs. They are attached to the upstream bug report:
>>>
>>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
>>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
>>>
>>> Just run "extract -i $POC"
>>>
>>> I'm attaching my gdb log files to this bug report.
>>
>> Since the issues happen in different places from the original reports,
>> can you request two new CVEs for those issues?
>>
>> So for tracking purposes these are two new raised issues, different
>> from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
>> new ones. Can you as well report it to upstream in case Bertrand
>> cannot chime in?
>>
>> In case not let me know, and I can take care of it tomorrow.
> 
> Interestingly the issues you describe do not seem triggerable with a
> fresh build of 1.6 in sid (with --enable-shared=no,
> --enable-static=yes with -O0).
> 
> sid:~/libextractor-1.6# ./src/main/extract -i ~/1338044
> Keywords for file /root/1338044:
> sid:~/libextractor-1.6# ./src/main/extract -i ~/bin_6iRW3tXve.bin
> Keywords for file /root/bin_6iRW3tXve.bin:
> sid:~/libextractor-1.6#
> 
> and neither with current HEAD (6c70420641fc1d081bcecf323671ca169b13a129).
> 
> It is though with the Debian package (re)build. What is different?

I can still reproduce it when I rebuild the package. If you disable
optimization with -O0 some compiler behaviors will change. I don't know
the details but what is undefined behavior with -O2 is somehow OK with
-O0. I just wanted to forward this upstream but if you say that it is
not reproducible with upstream HEAD, it's probably pointless.

Maybe we should wait for the next release, which will also fix
CVE-2017-15922, or Bertrand could package the latest Git snapshot? Shall
I remove the fixed versions for both CVEs in the security tracker?

Regards,

Markus
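A way to pin down the build-flag dependence discussed in this thread, as an added example that is neither from the thread nor from libextractor: it assumes SRC names an unpacked libextractor-1.6 tree with its configure script and takes the PoC files as arguments.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from libextractor.
# Rebuilds one unpacked source tree with several CFLAGS sets and runs
# "extract -i" on each PoC, so a crash seen only in the Debian package
# build can be tied to its flags; the sanitizer build reports the
# underlying memory error even where -O0 happens to hide it.
# Assumptions: SRC points at an unpacked libextractor-1.6 tree with
# ./configure; PoC files are given as arguments.

# Turn an exit status into "ok", "crash:<signal>" or "exit:<n>".
classify_status() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -gt 128 ]; then echo "crash:$(($1 - 128))"
    else echo "exit:$1"
    fi
}

# Configure and build $SRC statically (as in the reply above) with the
# given CFLAGS/LDFLAGS, then print "<label> <poc> <result>" per PoC;
# stderr of each run (e.g. the sanitizer report) goes to a .log file.
build_and_run() {
    label=$1 cflags=$2 ldflags=$3; shift 3
    ( cd "$SRC" && { make distclean >/dev/null 2>&1 || true; } &&
      ./configure --enable-shared=no --enable-static=yes \
                  CFLAGS="$cflags" LDFLAGS="$ldflags" >/dev/null &&
      make -j"$(nproc)" >/dev/null ) || { echo "$label build-failed"; return 1; }
    for poc in "$@"; do
        log="$label.$(basename "$poc").log"
        if "$SRC/src/main/extract" -i "$poc" >/dev/null 2>"$log"; then rc=0; else rc=$?; fi
        echo "$label $poc $(classify_status "$rc")"
    done
}

# Flag sets: plain -O0 as in the thread, Debian's default build flags
# (dpkg-buildflags, falling back to -g -O2), and an ASan/UBSan build.
if [ -n "$SRC" ] && [ $# -gt 0 ]; then
    debian_cflags=$(dpkg-buildflags --get CFLAGS 2>/dev/null || echo '-g -O2')
    build_and_run O0 "-O0 -g" "" "$@"
    build_and_run debian "$debian_cflags" "" "$@"
    build_and_run sanitize \
        "-O0 -g -fsanitize=address,undefined -fno-omit-frame-pointer" \
        "-fsanitize=address,undefined" "$@"
fi
```

The sanitizer build normally reports "exit:1" with the diagnostic in its .log file; setting ASAN_OPTIONS=abort_on_error=1 turns that into "crash:6" if a signal is preferred for comparison with the other builds.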

