stack-overflow libpff_item_tree_create_node #48
Comments
Thx for the report, I'll have a look when time permits.
Another two pocs to help fix. so_libpff_item_descriptor.c:66_1.input.txt
FYI git HEAD is work in progress
The issue here is that there are cyclic index nodes. Added a maximum recursion bound.
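The comment above names the root cause (index nodes that refer back to an ancestor, so the recursive tree walk never bottoms out) and the fix (a maximum recursion bound). The following is an added illustration and not libpff's code: a hypothetical, much simplified index-node table whose child references are indices into the same table, a depth-bounded walk in the spirit of the fix, and an alternative that detects the back-edge itself. Every name here (index_node_t, walk_depth_bounded, walk_cycle_checked, MAX_DEPTH) and both sample tables are constructed for this example; the bound of 16 is arbitrary and not the value the project chose.

```c
#include <stdio.h>
#include <stddef.h>
#include <limits.h>

#define MAX_CHILDREN 2
#define NO_CHILD     (-1)
#define MAX_DEPTH    16   /* hypothetical recursion bound, not libpff's value */

/* Hypothetical, simplified index node: children are indices into the same
 * node table, which is what lets a crafted file make a child refer back to
 * one of its own ancestors. */
typedef struct {
    int child[MAX_CHILDREN];
} index_node_t;

/* Constructed sample, not taken from a real PFF file: node 2 points back to
 * node 0, so an unbounded recursive walk never terminates. */
static const index_node_t cyclic_nodes[] = {
    { { 1, NO_CHILD } },         /* 0: root */
    { { 2, 3 } },                /* 1 */
    { { 0, NO_CHILD } },         /* 2: back-edge to the root */
    { { NO_CHILD, NO_CHILD } },  /* 3: leaf */
};
static const size_t cyclic_count = sizeof cyclic_nodes / sizeof cyclic_nodes[0];

/* Constructed well-formed sample: a proper tree of four nodes. */
static const index_node_t tree_nodes[] = {
    { { 1, 2 } },
    { { 3, NO_CHILD } },
    { { NO_CHILD, NO_CHILD } },
    { { NO_CHILD, NO_CHILD } },
};
static const size_t tree_count = sizeof tree_nodes / sizeof tree_nodes[0];

/* Approach 1: bound the recursion depth, in the spirit of the fix described
 * in the thread. Returns the number of node visits, or -1 on an out-of-range
 * child index or when the depth bound is reached. Cheap and enough to stop
 * the stack overflow, but it cannot tell a cycle from a legitimately deep tree. */
static int walk_depth_bounded(const index_node_t *nodes, size_t node_count,
                              int node_index, int depth)
{
    if (depth >= MAX_DEPTH)
        return -1;
    if (node_index < 0 || (size_t) node_index >= node_count)
        return -1;

    int visits = 1;
    for (int i = 0; i < MAX_CHILDREN; i++) {
        int c = nodes[node_index].child[i];
        if (c == NO_CHILD)
            continue;
        int r = walk_depth_bounded(nodes, node_count, c, depth + 1);
        if (r < 0)
            return -1;
        visits += r;
    }
    return visits;
}

/* Approach 2: remember which nodes are on the current path (one bit each, so
 * the table may hold at most CHAR_BIT * sizeof(unsigned long) nodes) and reject
 * a child that is already an ancestor. This reports the actual defect, a
 * back-edge, rather than tripping over an arbitrary limit. A node reachable by
 * two different paths (a DAG, not a cycle) is still accepted and counted once
 * per path. */
static int walk_cycle_checked(const index_node_t *nodes, size_t node_count,
                              int node_index, unsigned long on_path)
{
    if (node_count > CHAR_BIT * sizeof on_path)
        return -1;
    if (node_index < 0 || (size_t) node_index >= node_count)
        return -1;
    if (on_path & (1UL << node_index))
        return -1;  /* back-edge: this node is already an ancestor */
    on_path |= 1UL << node_index;

    int visits = 1;
    for (int i = 0; i < MAX_CHILDREN; i++) {
        int c = nodes[node_index].child[i];
        if (c == NO_CHILD)
            continue;
        int r = walk_cycle_checked(nodes, node_count, c, on_path);
        if (r < 0)
            return -1;
        visits += r;
    }
    return visits;
}

int main(void)
{
    printf("tree, depth-bounded:   %d\n", walk_depth_bounded(tree_nodes, tree_count, 0, 0));
    printf("cyclic, depth-bounded: %d\n", walk_depth_bounded(cyclic_nodes, cyclic_count, 0, 0));
    printf("tree, cycle-checked:   %d\n", walk_cycle_checked(tree_nodes, tree_count, 0, 0UL));
    printf("cyclic, cycle-checked: %d\n", walk_cycle_checked(cyclic_nodes, cyclic_count, 0, 0UL));
    return 0;
}
```

Both walks return 4 for the well-formed tree and -1 for the cyclic table. The depth bound is the pragmatic choice for a parser that must cope with arbitrary untrusted input, since it also caps stack use for non-cyclic but absurdly deep structures; the on-path check is the one to add when the format's real nesting depth is unknown and a false rejection of a deep but valid file would be a problem.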
@hongxuchen FYI the POC so_libpff_item_descriptor.c:66_2.input.txt is not representative for this issue. To be verbose POC so_libpff_item_descriptor.c:66_1.input.txt is representative. From so_libpff_item_descriptor.c:66_2.input.txt
CVE-2018-20348 was assigned to this issue.
I again refer to the CWE definition of vulnerability https://cwe.mitre.org/about/faq.html#A.2 not the arbitrary definition upheld by Mitre CVE (see libyal/libevt#5 for context). The current claims "libpff_item_tree_create_node in libpff_item_tree.c in libpff before experimental-20180714 allows attackers to cause a denial of service (infinite recursion) via a crafted file, related to libfdata_tree_get_node_value in libfdata_tree.c." This is very hypothetical, libpff is a library that runs locally, not a network service. So this assessment is incomplete and useless as a security advisory. So these claims are dependent on many factors:
Where is the analysis of these?
And again a completely worthless assessment by NIST-NVD https://nvd.nist.gov/vuln/detail/CVE-2018-20348
This library has no network capabilities, so this assessment is BS. Seeing that NIST NVD has been informed about the lack of network capabilities in this library before I can only conclude that they are incapable of making accurate "vulnerability" impact assessments.
If you're here about CVE-2018-20348 please read #66.
Note that the work done by Mitre-CVE and NIST-NVD for CVE-2018-20348 to provide security advice is incomplete and useless.
Tested Version
Latest (cloned from github)
Command and argument
./pffexport ${POCfile}
Crash Information
The output of pffexport with AddressSanitizer enabled; it seems the program falls into an infinite loop.
gdb and backtrace
POC file
libpff-libpff_item_tree_create_node-798.zip
CREDIT
Zhao Liang, Huawei Weiran Labs