Bug#893525: CVE-2018-1000097
For completeness, I'm attaching here (so that it's also stored in our BTS)
the test file from the original report in decrypted and uncompressed form.

To reproduce:

unshar heap-buffer-overflow.bin

Thanks.

heap-buffer-overflow.bin
Description: Binary data
Bug#893525: CVE-2018-1000097
Hi Santiago, hi Moritz,

On Mon, Mar 19, 2018 at 06:20:44PM +0100, Santiago Vila wrote:
> On Mon, Mar 19, 2018 at 05:58:04PM +0100, Moritz Muehlenhoff wrote:
> > Source: sharutils
> > Severity: grave
> > Tags: security
> >
> > This has been assigned CVE-2018-197:
> > http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg4.html
> >
> > Proposed patch at:
> > http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg5.html
>
> Thanks for the report. Simple question: Is this the same problem as this one?
>
> http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg3.html
>
> or there will be another different CVE for that?

That's an issue on its own, but I do not think it has a CVE assigned
yet. The most recent assigned CVE is for the msg4.html message, which
was addressed with the proposed fix (and can be verified with the
reproducer which first needs to be extracted).

The issue from the msg3.html is in

src/unshar.c

391       for (;;)
392         {
393           size_t len = fread (rw_buffer, 1, rw_base_size, file);
394           if (len == 0)
395             break;
396           fwrite (rw_buffer, 1, len, shell_fp);
397         }

specifically at the write in line 396.

There is no reply on
https://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg3.html so
either it has been lost or ignored, might be worth repinging the mail.

Regards,
Salvatore
Bug#893525: CVE-2018-1000097
On Mon, Mar 19, 2018 at 06:20:44PM +0100, Santiago Vila wrote:
> On Mon, Mar 19, 2018 at 05:58:04PM +0100, Moritz Muehlenhoff wrote:
> > Source: sharutils
> > Severity: grave
> > Tags: security
> >
> > This has been assigned CVE-2018-197:
> > http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg4.html
> >
> > Proposed patch at:
> > http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg5.html
>
> Thanks for the report. Simple question: Is this the same problem as this one?
>
> http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg3.html
>
> or there will be another different CVE for that?
>
> (I will apply the proposed patch anyway, since it's a one-liner).

I'm not sure yet, http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg3.html
might be a different issue, the CVE assignment is apparently only for "msg4.html".

Cheers,
Moritz
Bug#893525: CVE-2018-1000097
On Mon, Mar 19, 2018 at 05:58:04PM +0100, Moritz Muehlenhoff wrote:
> Source: sharutils
> Severity: grave
> Tags: security
>
> This has been assigned CVE-2018-197:
> http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg4.html
>
> Proposed patch at:
> http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg5.html

Thanks for the report. Simple question: Is this the same problem as this one?

http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg3.html

or there will be another different CVE for that?

(I will apply the proposed patch anyway, since it's a one-liner).

Thanks.
Bug#893525: CVE-2018-1000097
Source: sharutils
Severity: grave
Tags: security

This has been assigned CVE-2018-197:
http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg4.html

Proposed patch at:
http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg5.html

Cheers,
Moritz