
stack-overflow libpff_item_tree_create_node #48

Closed
leonzhao7 opened this issue Oct 10, 2017 · 8 comments

leonzhao7 commented Oct 10, 2017

If you're here about CVE-2018-20348 please read #66.

Note that the work done by Mitre-CVE and NIST-NVD for CVE-2018-20348 to provide security advice is incomplete and useless.

Tested Version

Latest (cloned from GitHub)

Command and argument

./pffexport ${POCfile}

Crash Information

The output of pffexport with AddressSanitizer enabled; it seems the program falls into an infinite loop.

./pffexport libpff-libpff_item_tree_create_node-798.crash 
pffexport 20171008

Opening file.
ASAN:SIGSEGV
=================================================================
==47345==ERROR: AddressSanitizer: stack-overflow on address 0x7fffd2c88f48 (pc 0x7f4bb8bce568 bp 0x7fffd2c89790 sp 0x7fffd2c88f30 T0)
    #0 0x7f4bb8bce567 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98567)
    #1 0x7f4bb861ee3a in libpff_item_descriptor_initialize /root/libpff-master/libpff/libpff_item_descriptor.c:66
    #2 0x7f4bb86208e9 in libpff_item_tree_create_node /root/libpff-master/libpff/libpff_item_tree.c:637
    #3 0x7f4bb8620dbb in libpff_item_tree_create_node /root/libpff-master/libpff/libpff_item_tree.c:798
    #4 0x7f4bb8620dbb in libpff_item_tree_create_node /root/libpff-master/libpff/libpff_item_tree.c:798
    #5 0x7f4bb8620dbb in libpff_item_tree_create_node /root/libpff-master/libpff/libpff_item_tree.c:798
    [frames #6 through #250 omitted: each is identical to #5, libpff_item_tree_create_node at libpff_item_tree.c:798]
    #251 0x7f4bb8620dbb in libpff_item_tree_create_node /root/libpff-master/libpff/libpff_item_tree.c:798

SUMMARY: AddressSanitizer: stack-overflow ??:0 malloc
==47345==ABORTING

gdb and backtrace

(gdb) run libpff-libpff_item_tree_create_node-798.crash 
Starting program: /opt/normal/bin/pffexport libpff-libpff_item_tree_create_node-798.crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
pffexport 20171008

Opening file.

Program received signal SIGSEGV, Segmentation fault.
libfdata_tree_get_node_value (tree=0x7056e0, file_io_handle=file_io_handle@entry=0x6e5260, cache=cache@entry=0x705890, node=node@entry=0x70ac70, 
    node_value=node_value@entry=0x7fffff7ff100, read_flags=read_flags@entry=0 '\000', error=0x7fffffffe378) at libfdata_tree.c:438
438     {
(gdb) bt
#0  libfdata_tree_get_node_value (tree=0x7056e0, file_io_handle=file_io_handle@entry=0x6e5260, cache=cache@entry=0x705890, node=node@entry=0x70ac70, 
    node_value=node_value@entry=0x7fffff7ff100, read_flags=read_flags@entry=0 '\000', error=0x7fffffffe378) at libfdata_tree.c:438
#1  0x00007ffff7b1d1c9 in libfdata_tree_node_get_node_value (node=0x70ac70, file_io_handle=file_io_handle@entry=0x6e5260, cache=cache@entry=0x705890, 
    node_value=node_value@entry=0x7fffff7ff100, read_flags=read_flags@entry=0 '\000', error=error@entry=0x7fffffffe378) at libfdata_tree_node.c:848
#2  0x00007ffff7aada15 in libpff_index_tree_node_get_leaf_node_by_identifier (index_tree_node=0x706010, file_io_handle=file_io_handle@entry=0x6e5260, cache=cache@entry=0x705890, 
    identifier=identifier@entry=1094795585, leaf_node_index=leaf_node_index@entry=0x7fffff7ff290, leaf_index_tree_node=leaf_index_tree_node@entry=0x7fffff7ff2a8, 
    error=0x7fffffffe378) at libpff_index_tree.c:530
#3  0x00007ffff7aadb4d in libpff_index_tree_node_get_leaf_node_by_identifier (index_tree_node=0x705730, file_io_handle=file_io_handle@entry=0x6e5260, cache=cache@entry=0x705890, 
    identifier=identifier@entry=1094795585, leaf_node_index=leaf_node_index@entry=0x7fffff7ff290, leaf_index_tree_node=leaf_index_tree_node@entry=0x7fffff7ff2a8, 
    error=0x7fffffffe378) at libpff_index_tree.c:726
#4  0x00007ffff7aaddba in libpff_index_tree_get_leaf_node_by_identifier (index_tree=index_tree@entry=0x7056e0, file_io_handle=file_io_handle@entry=0x6e5260, 
    cache=cache@entry=0x705890, identifier=1094795585, leaf_node_index=leaf_node_index@entry=0x7fffff7ff290, leaf_index_tree_node=leaf_index_tree_node@entry=0x7fffff7ff2a8, 
    error=0x7fffffffe378) at libpff_index_tree.c:436
#5  0x00007ffff7ab3403 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
    descriptor_index_tree=descriptor_index_tree@entry=0x7056e0, descriptor_index_tree_node=<optimized out>, index_tree_cache=index_tree_cache@entry=0x705890, 
    orphan_node_list=orphan_node_list@entry=0x705b20, root_folder_item_tree_node=0x6e5170, error=0x7fffffffe378) at libpff_item_tree.c:772
#6  0x00007ffff7ab3581 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
    descriptor_index_tree=descriptor_index_tree@entry=0x7056e0, descriptor_index_tree_node=<optimized out>, index_tree_cache=index_tree_cache@entry=0x705890, 
    orphan_node_list=orphan_node_list@entry=0x705b20, root_folder_item_tree_node=0x6e5170, error=0x7fffffffe378) at libpff_item_tree.c:798
    [frames #7 through #12 omitted: each is identical to #6, libpff_item_tree_create_node at libpff_item_tree.c:798]
#13 0x00007ffff7ab3581 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
    descriptor_index_tree=descriptor_index_tree@entry=0x7056e0, descriptor_index_tree_node=<optimized out>, index_tree_cache=index_tree_cache@entry=0x705890, 
    orphan_node_list=orphan_node_list@entry=0x705b20, root_folder_item_tree_node=0x6e5170, error=0x7fffffffe378) at libpff_item_tree.c:798
#14 0x00007ffff7ab3581 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
    descriptor_index_tree=descriptor_index_tree@entry=0x7056e0, descriptor_index_tree_node=<optimized out>, index_tree_cache=index_tree_cache@entry=0x705890, 
    orphan_node_list=orphan_node_list@entry=0x705b20, root_folder_item_tree_node=0x6e5170, error=0x7fffffffe378) at libpff_item_tree.c:798
#15 0x00007ffff7ab3581 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
    descriptor_index_tree=descriptor_index_tree@entry=0x7056e0, descriptor_index_tree_node=<optimized out>, index_tree_cache=index_tree_cache@entry=0x705890, 
    orphan_node_list=orphan_node_list@entry=0x705b20, root_folder_item_tree_node=0x6e5170, error=0x7fffffffe378) at libpff_item_tree.c:798
#16 0x00007ffff7ab3581 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
    descriptor_index_tree=descriptor_index_tree@entry=0x7056e0, descriptor_index_tree_node=<optimized out>, index_tree_cache=index_tree_cache@entry=0x705890, 
    orphan_node_list=orphan_node_list@entry=0x705b20, root_folder_item_tree_node=0x6e5170, error=0x7fffffffe378) at libpff_item_tree.c:798
#17 0x00007ffff7ab3581 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
    descriptor_index_tree=descriptor_index_tree@entry=0x7056e0, descriptor_index_tree_node=<optimized out>, index_tree_cache=index_tree_cache@entry=0x705890, 
    orphan_node_list=orphan_node_list@entry=0x705b20, root_folder_item_tree_node=0x6e5170, error=0x7fffffffe378) at libpff_item_tree.c:798
#18 0x00007ffff7ab3581 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
    descriptor_index_tree=descriptor_index_tree@entry=0x7056e0, descriptor_index_tree_node=<optimized out>, index_tree_cache=index_tree_cache@entry=0x705890, 
    orphan_node_list=orphan_node_list@entry=0x705b20, root_folder_item_tree_node=0x6e5170, error=0x7fffffffe378) at libpff_item_tree.c:798
#19 0x00007ffff7ab3581 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
    descriptor_index_tree=descriptor_index_tree@entry=0x7056e0, descriptor_index_tree_node=<optimized out>, index_tree_cache=index_tree_cache@entry=0x705890, 
    orphan_node_list=orphan_node_list@entry=0x705b20, root_folder_item_tree_node=0x6e5170, error=0x7fffffffe378) at libpff_item_tree.c:798
#20 0x00007ffff7ab3581 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
    descriptor_index_tree=descriptor_index_tree@entry=0x7056e0, descriptor_index_tree_node=<optimized out>, index_tree_cache=index_tree_cache@entry=0x705890, 
    orphan_node_list=orphan_node_list@entry=0x705b20, root_folder_item_tree_node=0x6e5170, error=0x7fffffffe378) at libpff_item_tree.c:798
#21 0x00007ffff7ab3581 in libpff_item_tree_create_node (item_tree_root_node=item_tree_root_node@entry=0x705b70, file_io_handle=file_io_handle@entry=0x6e5260, 
---Type <return> to continue, or q <return> to quit---q
descriptor_index_treeQuit
(gdb) l
433          libfcache_cache_t *cache,
434          libfdata_tree_node_t *node,
435          intptr_t **node_value,
436          uint8_t read_flags,
437          libcerror_error_t **error )
438     {
439             libfcache_cache_value_t *cache_value    = NULL;
440             libfdata_internal_tree_t *internal_tree = NULL;
441             static char *function                   = "libfdata_tree_get_node_value";
442             off64_t cache_value_offset              = (off64_t) -1;

POC file

libpff-libpff_item_tree_create_node-798.zip

CREDIT

Zhao Liang, Huawei Weiran Labs

@joachimmetz
Member

Thx for the report, I'll have a look when time permits.

@hongxuchen

@joachimmetz joachimmetz self-assigned this Jul 13, 2018
@joachimmetz
Member

Latest (cloned from github)

FYI git HEAD is work in progress

@joachimmetz
Member

The issue here is that there are cyclic index nodes. Added a maximum recursion bound.
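
The cyclic-node case that comment describes, as an added example (not libpff's code): a minimal C walk over a constructed index-node table with a recursion-depth bound and a visited-node bound, so a child that points back at an ancestor, or a sibling that points at itself, is rejected as malformed input instead of recursing until the stack overflows. The node layout, MAX_RECURSION_DEPTH and the sample tables are assumptions for the demo, not libpff's actual structures or values.

```c
/* Added example, not libpff code: a descriptor index tree modelled as a flat
 * table of nodes read from a file. Each node names its first child and next
 * sibling by table index (-1 = none). A crafted file can make a child point
 * back at an ancestor; an unbounded walk then recurses until the stack overflows. */
#define MAX_NODES            8
#define MAX_RECURSION_DEPTH  4  /* assumed bound for the demo, not libpff's value */

typedef struct {
    int child;    /* index of first child node, or -1 */
    int sibling;  /* index of next sibling node, or -1 */
} index_node_t;

/* Visits the subtree rooted at node_index, counting nodes in *visited. Returns 0,
 * or -1 when the depth bound is exceeded (child cycle, pathologically deep tree)
 * or more nodes are visited than the table holds (sibling cycle): malformed input. */
static int item_tree_create_node(const index_node_t *nodes, int node_index,
                                 int depth, int *visited)
{
    if (depth > MAX_RECURSION_DEPTH)
        return -1;
    while (node_index >= 0 && node_index < MAX_NODES) {
        if (++(*visited) > MAX_NODES)
            return -1;
        if (nodes[node_index].child >= 0 &&
            item_tree_create_node(nodes, nodes[node_index].child,
                                  depth + 1, visited) != 0)
            return -1;
        node_index = nodes[node_index].sibling;
    }
    return 0;
}

/* Walks from node 0 and returns the node count, or -1 for a rejected tree. */
int count_tree_nodes(const index_node_t *nodes)
{
    int visited = 0;
    if (item_tree_create_node(nodes, 0, 0, &visited) != 0)
        return -1;
    return visited;
}

/* Constructed inputs: one well-formed tree and two malformed ones. */
const index_node_t well_formed[MAX_NODES] = {
    {1, -1}, {3, 2}, {-1, -1}, {-1, -1}, {-1, -1}, {-1, -1}, {-1, -1}, {-1, -1} };
const index_node_t child_cycle[MAX_NODES] = {     /* node 1's child is the root */
    {1, -1}, {0, -1}, {-1, -1}, {-1, -1}, {-1, -1}, {-1, -1}, {-1, -1}, {-1, -1} };
const index_node_t sibling_cycle[MAX_NODES] = {   /* node 1's sibling is itself */
    {1, -1}, {-1, 1}, {-1, -1}, {-1, -1}, {-1, -1}, {-1, -1}, {-1, -1}, {-1, -1} };
```

The depth bound protects the stack; the visited bound catches cycles that never recurse, which a depth bound alone would spin on forever.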

@joachimmetz
Member

@hongxuchen FYI the POC so_libpff_item_descriptor.c:66_2.input.txt is not representative for this issue. To be verbose POC so_libpff_item_descriptor.c:66_1.input.txt is representative.

From so_libpff_item_descriptor.c:66_2.input.txt

libpff_index_node_read_footer_data: unsupported index node type: 0x00.
libpff_index_node_read_data: unable to read index node footer.
libpff_index_node_read_file_io_handle: unable to read index node.
...

@abergmann

CVE-2018-20348 was assigned to this issue.

@joachimmetz
Member

joachimmetz commented Jan 3, 2019

@abergmann

  1. why do you hijack a closed issue?
  2. why do you want to assign a CVE for this issue? This project is clearly marked as alpha status. See #66 (Incorrect and misleading security advisories CVE-2018-11723 and CVE-2018-20348) for the uselessness of such information, without any form of follow up by Mitre and/or NIST.
  3. can you point me to your vulnerability analysis? Why this is a vulnerability and which binary versions of libpff this affects on which platforms, with which build parameters and compilers?

I again refer to the CWE definition of vulnerability https://cwe.mitre.org/about/faq.html#A.2, not the arbitrary definition upheld by Mitre CVE (see libyal/libevt#5 for context).

The current claim is "libpff_item_tree_create_node in libpff_item_tree.c in libpff before experimental-20180714 allows attackers to cause a denial of service (infinite recursion) via a crafted file, related to libfdata_tree_get_node_value in libfdata_tree.c."

This is very hypothetical, libpff is a library that runs locally, not a network service. So this assessment is incomplete and useless as security advisory.

So these claims are dependent on many factors:

  • on compiler flags/build settings.
  • additional security measures

Where is the analysis of these?

@joachimmetz
Member

joachimmetz commented Jan 13, 2019

And again a completely worthless assessment by NIST-NVD https://nvd.nist.gov/vuln/detail/CVE-2018-20348

CVSS v2.0 Severity and Metrics:
Base Score: 4.3 MEDIUM 
Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) (V2 legend) 
Impact Subscore: 2.9 
Exploitability Subscore: 8.6

Access Vector (AV): Network 
Access Complexity (AC): Medium 
Authentication (AU): None 
Confidentiality (C): None 
Integrity (I): None 
Availability (A): Partial 
Additional Information: 
Victim must voluntarily interact with attack mechanism
Allows disruption of service

This library has no network capabilities, so this assessment is BS. Seeing that NIST NVD has been informed about the lack of network capabilities in this library before I can only conclude that they are incapable of making accurate "vulnerability" impact assessments.

@libyal libyal locked as resolved and limited conversation to collaborators Jan 13, 2019
@joachimmetz joachimmetz changed the title A stack-overflow vulneribility in libpff_item_tree_create_node stack-overflow libpff_item_tree_create_node Jan 13, 2019