CVE-2017-11553: illegal address access in the extend_alias_table function in localealias.c #54

Closed
rhertzog opened this issue Aug 31, 2017 · 5 comments

@rhertzog

I'm forwarding a security vulnerability reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=1471772

The file used to reproduce the issue is here:
https://bugzilla.redhat.com/attachment.cgi?id=1299839
(this is a rar archive containing the actual reproducer file)

Here's a copy of the report:

$./exiv2 POC7

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150
4150	malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff60f9135 in malloc_consolidate (av=av@entry=0x7ffff643ec00 <main_arena>) at malloc.c:4150
#1  0x00007ffff60fba34 in _int_malloc (av=av@entry=0x7ffff643ec00 <main_arena>, bytes=bytes@entry=1600) at malloc.c:3417
#2  0x00007ffff60fe50e in __GI___libc_malloc (bytes=1600) at malloc.c:2895
#3  0x00007ffff60fffb8 in __libc_realloc (bytes=1600, oldmem=0x0) at malloc.c:2976
#4  realloc_hook_ini (ptr=0x0, sz=1600, caller=<optimized out>) at hooks.c:41
#5  0x00007ffff60fec17 in __GI___libc_realloc (oldmem=0x0, bytes=1600) at malloc.c:2965
#6  0x00007ffff60ac1cb in extend_alias_table () at localealias.c:397
#7  read_alias_file (fname=<optimized out>, fname_len=<optimized out>) at localealias.c:319
#8  0x00007ffff60ac3c7 in _nl_expand_alias (name=name@entry=0x7fffffffae30 "en_US.UTF-8") at localealias.c:203
#9  0x00007ffff60aa608 in _nl_find_domain (dirname=dirname@entry=0x7ffff620ea00 <_nl_default_dirname> "/usr/share/locale", locale=locale@entry=0x7fffffffae30 "en_US.UTF-8", 
    domainname=domainname@entry=0x7fffffffae50 "LC_MESSAGES/libc.mo", domainbinding=domainbinding@entry=0x0) at finddomain.c:124
#10 0x00007ffff60a9e72 in __dcigettext (domainname=0x7ffff6206229 <_libc_intl_domainname> "libc", msgid1=0x7ffff6206711 "Cannot allocate memory", msgid2=msgid2@entry=0x0, plural=plural@entry=0, 
    n=n@entry=0, category=category@entry=5) at dcigettext.c:722
#11 0x00007ffff60a8a8f in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:47
#12 0x00007ffff610558e in __GI___strerror_r (errnum=12, buf=0x7fffffffb0b0 "", buflen=1024) at _strerror.c:71
#13 0x00000000005706ef in Exiv2::strError() ()
#14 0x00000000004c11b8 in Exiv2::FileIo::mmap(bool) ()
#15 0x00000000006b8f3f in Exiv2::TiffImage::readMetadata() ()
#16 0x0000000000464434 in Action::Print::printSummary() ()
#17 0x0000000000463e5c in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#18 0x0000000000439762 in main ()

icy@ubuntu:~/real/exiv2-asan/install/bin$ ./exiv2 ../../../exiv2_coll4/coll-out1/crashes/id\:000015\,sig\:11\,src\:001021\,op\:flip32\,pos\:47 
ASAN:SIGSEGV
=================================================================
==47987==ERROR: AddressSanitizer: SEGV on unknown address 0x00a09ffca08b (pc 0x7efe16b0fec5 bp 0x7ffca809dd00 sp 0x7ffca809d600 T0)
    #0 0x7efe16b0fec4  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x434ec4)
    #1 0x7efe16b180e0  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x43d0e0)
    #2 0x7efe16d28900  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x64d900)
    #3 0x7efe16d205eb  (/home/icy/real/exiv2-asan/install/lib/libexiv2.so.26+0x6455eb)
    #4 0x518d8b  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518d8b)
    #5 0x518488  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x518488)
    #6 0x4e2ebb  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x4e2ebb)
    #7 0x7efe15888abf  (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #8 0x43b288  (/home/icy/real/exiv2-asan/install/bin/exiv2+0x43b288)

AddressSanitizer can not provide additional info.
==47987==ABORTING

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.


fgeek commented Sep 7, 2017

I can confirm the crash with Git 31fc5d2

D4N added a commit to D4N/exiv2 that referenced this issue Oct 2, 2017
@piponazo piponazo added the bug label Oct 12, 2017
D4N added a commit to D4N/exiv2 that referenced this issue Oct 15, 2017
@D4N D4N self-assigned this Oct 18, 2017

D4N commented Oct 18, 2017

This has been fixed on master. I'll add the reproducer and check if it has been fixed on 0.26 too.


carnil commented Oct 19, 2017 via email


D4N commented Oct 19, 2017

I'll have to find out. This issue slipped through when I was fixing them. However, it won't be a single commit that fixes this issue.

I guess you are the package maintainer of exiv2 for Debian? In that case, you'll get all the security fixes for all the CVEs from the 0.26 branch. We have backported only security fixes and the respective tests (although this will be only fully completed after #127 is merged).


D4N commented Oct 19, 2017

@carnil This was fixed ultimately by 74cb5ba, but you'll definitely need 6e3855a and 8a8f60a for that too. If you want to include the fixes for big-tiff processing you should find the commits in #105.

D4N added a commit to D4N/exiv2 that referenced this issue Oct 29, 2017
D4N added a commit to D4N/exiv2 that referenced this issue Oct 29, 2017
D4N added a commit that referenced this issue Oct 29, 2017
Added reproducer for #54 / CVE-2017-11592 to the test suite
dirkmueller pushed a commit to dirkmueller/exiv2 that referenced this issue Jan 7, 2018
These are files which reproduce the github issues Exiv2#50, Exiv2#51, Exiv2#52, Exiv2#53,
 Exiv2#54, Exiv2#58, Exiv2#59 and Exiv2#60

(cherry picked from commit 751312f)
@D4N D4N closed this as completed Feb 13, 2018
@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018