Dear sleuthkit team,
I would like to report a security vulnerability in SleuthKit.
There is an out of bound read on iso9660 while parsing System Use Sharing Protocol data.
On the parse_susp function, while parsing an ER entry, it will try to read the different Extension strings.
However, there is no control of the size fields and they will read out of the buf size bound.
This could be triggered through the istat tool:
nico@genmaicha:~/Semmle/Projects/SleuthKit/sleuthkit/tools/fstools$ ./istat ~/Images/sample.iso 1
Entry: 1
Type: Directory
Links: 1
Flags:
Name: DIR1
Size: 2048
Rock Ridge Extension Data
ER Entry
Please let me know if you need my proof-of-concept ISO file, since I can't attach it through GitHub's report system.
The exact line can be found here:
https://lgtm.com/projects/g/sleuthkit/sleuthkit/snapshot/09ed6f84870b18aec51cbb9373e226d04264da8f/files/tsk/fs/iso9660.c?sort=name&dir=ASC&mode=heatmap#L215
Please let me know when you have fixed the vulnerability so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https://lgtm.com/security#disclosure_policy
Thank you,
Nico Waisman

Semmle Security Research Team
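The defect described in the report is a length-field trust problem: the ER entry carries three one-byte string lengths (LEN_ID, LEN_DES, LEN_SRC), and a parser that reads the strings without checking those lengths against both the entry's own length byte and the end of the enclosing buffer walks off the end of it. The following is an added example written for this issue, not code from SleuthKit's iso9660.c; it assumes the SUSP "ER" layout (signature, length, version, LEN_ID, LEN_DES, LEN_SRC, EXT_VER, then the three strings) and uses my own names (`parse_er_entry`, `er_entry`, the `sample_*` arrays, which are constructed inputs).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SUSP "ER" entry header (assumed layout, see lead-in):
   sig[2] | len | ver | len_id | len_des | len_src | ext_ver | id | des | src */
#define ER_HDR_LEN 8
#define ER_MAX_STR 255          /* each length field is one byte */

typedef struct {
    char ext_id[ER_MAX_STR + 1];
    char ext_des[ER_MAX_STR + 1];
    char ext_src[ER_MAX_STR + 1];
    uint8_t ext_ver;
} er_entry;

/* Parse the ER entry starting at buf[off] into *out.
   Returns 0 on success, -1 when the header is missing, the entry's own
   length byte runs past buf_len, or the three string lengths together
   exceed the space the entry declares.  Every read is bounded by buf_len,
   so untrusted length bytes can never carry the parser outside the buffer. */
int parse_er_entry(const uint8_t *buf, size_t buf_len, size_t off, er_entry *out)
{
    if (off > buf_len || buf_len - off < ER_HDR_LEN)
        return -1;                                    /* header not fully present */
    const uint8_t *e = buf + off;
    if (e[0] != 'E' || e[1] != 'R')
        return -1;                                    /* not an ER entry */

    size_t len     = e[2];
    size_t len_id  = e[4];
    size_t len_des = e[5];
    size_t len_src = e[6];

    if (len < ER_HDR_LEN)
        return -1;                                    /* entry too short to hold a header */
    if (len > buf_len - off)
        return -1;                                    /* entry claims bytes past the buffer */
    if (len_id + len_des + len_src > len - ER_HDR_LEN)
        return -1;                                    /* strings claim bytes past the entry */

    const uint8_t *p = e + ER_HDR_LEN;
    memcpy(out->ext_id, p, len_id);   out->ext_id[len_id] = '\0';   p += len_id;
    memcpy(out->ext_des, p, len_des); out->ext_des[len_des] = '\0'; p += len_des;
    memcpy(out->ext_src, p, len_src); out->ext_src[len_src] = '\0';
    out->ext_ver = e[7];
    return 0;
}

/* Constructed sample: well-formed ER entry, len = 8 + 10 + 2 + 4 = 24 bytes. */
static const uint8_t sample_ok[] = {
    'E','R', 24, 1, 10, 2, 4, 1,
    'R','R','I','P','_','1','9','9','1','A',
    'R','R',
    'I','E','E','E'
};

/* Constructed sample: same bytes, but LEN_ID (0xF0) exceeds the entry. */
static const uint8_t sample_bad_len_id[] = {
    'E','R', 24, 1, 0xF0, 2, 4, 1,
    'R','R','I','P','_','1','9','9','1','A',
    'R','R',
    'I','E','E','E'
};

/* Constructed sample: entry length claims 24 bytes, only 12 are present. */
static const uint8_t sample_truncated[] = {
    'E','R', 24, 1, 10, 2, 4, 1,
    'R','R','I','P'
};

int main(void)
{
    er_entry e;
    if (parse_er_entry(sample_ok, sizeof sample_ok, 0, &e) == 0)
        printf("ER: id=%s des=%s src=%s ver=%u\n",
               e.ext_id, e.ext_des, e.ext_src, e.ext_ver);
    printf("bad LEN_ID rejected: %d\n",
           parse_er_entry(sample_bad_len_id, sizeof sample_bad_len_id, 0, &e) == -1);
    printf("truncated rejected:  %d\n",
           parse_er_entry(sample_truncated, sizeof sample_truncated, 0, &e) == -1);
    return 0;
}
```

The two rejections are the checks the report says are absent: the entry's length byte is compared against the bytes actually remaining in the buffer, and the sum of the three string lengths is compared against the space inside the entry. Either check alone is insufficient, since a crafted image can lie in the length byte, in the string lengths, or in both.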