Package: genisoimage
Version: 9:1.1.11-3+b2
Severity: normal
Tags: security

Dear Maintainer,

Fuzzing the isoinfo binary from genisoimage using afl-fuzz identified a
vulnerable function, parse_dir, which contains a buffer overflow
vulnerability. This seems to be related to the length of idr->name passed
to the parse_dir function on line 1230.

Steps to reproduce:

$ isoinfo -i crash.iso
*** stack smashing detected ***: isoinfo terminated
Aborted (core dumped)

Crash Information:

$ gdb isoinfo
(gdb) set args -i crash/crash.iso
(gdb) r
Starting program: /usr/bin/isoinfo -i crash/crash.iso
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
*** stack smashing detected ***: /usr/bin/isoinfo terminated

Program received signal SIGABRT, Aborted.
(gdb)

From cwtriage:

Command: isoinfo -i crash/crash.iso
Faulting Frame:
    parse_dir @ 0x00000000004081ac: in /usr/bin/isoinfo
Disassembly:
Stack Head (23 entries):
    __GI_raise          @ 0x00007ffff7825428: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
    __GI_abort          @ 0x00007ffff782702a: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
    __libc_message      @ 0x00007ffff78677ea: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
    __GI___fortify_fail @ 0x00007ffff790911c: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
    __stack_chk_fail    @ 0x00007ffff79090c0: in /lib/x86_64-linux-gnu/libc-2.23.so (BL)
    parse_dir           @ 0x00000000004081ac: in /usr/bin/isoinfo
    None                @ 0xd2d2d2d2d2d2d2d2: in ?
    None                @ 0xd2d2d2d2d2d2d2d2: in ?
    None                @ 0xd2d2d2d2d2d2d2d2: in ?
    None                @ 0xd2d2d2d2d2d2d2d2: in ?
    None                @ 0xd2d2d2d2d2d2d2d2: in ?
    None                @ 0xd2d2d2d2d2d2d2d2: in ?
    None                @ 0x00000000d2d2d2d2: in ?
    None                @ 0x0001313030444301: in ?
    None                @ 0x20202058554e494c: in ?
    None                @ 0x2020202020202020: in ?
Registers:
    rax=0x0000000000000000 rbx=0x000000000000003d rcx=0x00007ffff7825428
    rdx=0x0000000000000006 rsi=0x0000000000004b55 rdi=0x0000000000004b55
    rbp=0x00007fffffffb990 rsp=0x00007fffffffb678 r8=0x6f666e696f73692f
    r9=0x0000000000000000  r10=0x0000000000000008 r11=0x0000000000000206
    r12=0x000000000000003d r13=0x00007fffffffb808 r14=0x00007fffffffb808
    r15=0x0000000000000001 rip=0x00007ffff7825428 efl=0x0000000000000206
    cs=0x0000000000000033  ss=0x000000000000002b  ds=0x0000000000000000
    es=0x0000000000000000  fs=0x0000000000000000  gs=0x000000000000000

A sample crashing test case is attached. More can be provided if necessary.

-Julian

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.10.0-42-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages genisoimage depends on:
ii  libbz2-1.0  1.0.6-8.1
ii  libc6       2.24-11+deb9u1
ii  libmagic1   1:5.30-1+deb9u1
ii  zlib1g      1:1.2.8.dfsg-5

genisoimage recommends no packages.

Versions of packages genisoimage suggests:
pn  cdrkit-doc  <none>
pn  wodim       <none>

-- no debconf information
crash.iso
Description: application/cd-image
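The report traces the stack smash to the length of idr->name reaching parse_dir without an adequate check. As an added illustration of the mitigation, not code from genisoimage, cdrkit or the reporter, the C below copies the file identifier out of a raw ISO 9660 directory record only after validating the declared name length against the record length, the bytes actually readable from the image and the destination buffer. The field offsets follow ECMA-119 (byte 0 is the record length, byte 32 the identifier length, the identifier starts at byte 33); the records, buffer sizes and the names dr_copy_name and build_record are constructed for this example and are not the project's own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Field offsets inside an ISO 9660 directory record (ECMA-119, 9.1). */
#define DR_LEN_OFF       0  /* byte 0: length of this directory record   */
#define DR_NAME_LEN_OFF 32  /* byte 32: length of the file identifier    */
#define DR_NAME_OFF     33  /* byte 33 onward: the file identifier bytes */
#define DR_FIXED_SIZE   33  /* header bytes that precede the identifier  */

enum dr_status {
    DR_OK = 0,
    DR_ERR_SHORT_RECORD,        /* record shorter than its own header     */
    DR_ERR_NAME_EXCEEDS_RECORD, /* name_len runs past the record's end    */
    DR_ERR_NAME_TOO_LONG        /* name would not fit the caller's buffer */
};

/* Copy the file identifier of the record at `rec` (with `avail` readable
 * bytes of image data from there) into `out`, NUL-terminated. Every length
 * is checked against the others before memcpy runs, so a record whose
 * name length field is inconsistent can never push bytes past `out`. */
enum dr_status dr_copy_name(const uint8_t *rec, size_t avail,
                            char *out, size_t out_cap)
{
    if (avail < DR_FIXED_SIZE)
        return DR_ERR_SHORT_RECORD;

    uint8_t rec_len  = rec[DR_LEN_OFF];
    uint8_t name_len = rec[DR_NAME_LEN_OFF];

    /* The record must hold its own header and must not claim more bytes
     * than are actually readable from the image. */
    if (rec_len < DR_FIXED_SIZE || rec_len > avail)
        return DR_ERR_SHORT_RECORD;

    /* The declared identifier must lie entirely inside the record. */
    if ((size_t)DR_NAME_OFF + name_len > rec_len)
        return DR_ERR_NAME_EXCEEDS_RECORD;

    /* And it must fit the destination with room for the terminator. */
    if (out_cap == 0 || name_len >= out_cap)
        return DR_ERR_NAME_TOO_LONG;

    memcpy(out, rec + DR_NAME_OFF, name_len);
    out[name_len] = '\0';
    return DR_OK;
}

/* Build a constructed directory record (not taken from any real image):
 * only the fields the check depends on are set, the rest stays zero. */
static void build_record(uint8_t *buf, size_t cap, uint8_t rec_len,
                         uint8_t name_len, const char *name, size_t name_bytes)
{
    memset(buf, 0, cap);
    buf[DR_LEN_OFF] = rec_len;
    buf[DR_NAME_LEN_OFF] = name_len;
    if (name_bytes > cap - DR_NAME_OFF)
        name_bytes = cap - DR_NAME_OFF;
    memcpy(buf + DR_NAME_OFF, name, name_bytes);
}

/* Well-formed record: a 12-byte identifier inside a 46-byte record. */
enum dr_status demo_well_formed(void)
{
    uint8_t rec[64];
    char name[256];
    build_record(rec, sizeof rec, 46, 12, "README.TXT;1", 12);
    return dr_copy_name(rec, sizeof rec, name, sizeof name);
}

/* Inconsistent record: name_len claims 255 bytes, rec_len says 34. */
enum dr_status demo_name_len_exceeds_record(void)
{
    uint8_t rec[64];
    char name[256];
    build_record(rec, sizeof rec, 34, 0xFF, "A", 1);
    return dr_copy_name(rec, sizeof rec, name, sizeof name);
}

/* Self-consistent 93-byte record whose 60-byte identifier is longer than
 * the 32-byte destination the caller offers: refused, not overrun. */
enum dr_status demo_name_too_long_for_buffer(void)
{
    uint8_t rec[128];
    char long_name[60];
    char name[32];
    memset(long_name, 'A', sizeof long_name);
    build_record(rec, sizeof rec, 93, 60, long_name, sizeof long_name);
    return dr_copy_name(rec, sizeof rec, name, sizeof name);
}

int main(void)
{
    printf("well-formed:           %d (expect %d)\n", demo_well_formed(), DR_OK);
    printf("name_len > rec_len:    %d (expect %d)\n", demo_name_len_exceeds_record(), DR_ERR_NAME_EXCEEDS_RECORD);
    printf("name too long for buf: %d (expect %d)\n", demo_name_too_long_for_buffer(), DR_ERR_NAME_TOO_LONG);
    return 0;
}
```

The three checks are deliberately separate: the second one (identifier inside the record) catches the kind of inconsistency a fuzzer produces, while the third (identifier inside the destination) is what keeps a fixed-size stack buffer safe even when the record itself is internally consistent. Either check on its own leaves a path to an overrun.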