Fix CVE-2018-19497. #1374

Merged
merged 3 commits into from Nov 29, 2018

Conversation

JordyZomer
Contributor

An issue was discovered in The Sleuth Kit (TSK) through 4.6.4.
The "tsk_getu16(hfs->fs_info.endian, &rec_buf[rec_off2])" call in hfs_dir_open_meta_cb in
tsk/fs/hfs_dent.c does not properly check boundaries. This results in
a crash (SEGV on unknown address
READ memory access)
when reading too much in the destination buffer.

This is because the boundary check in hfs_traverse_cat wasn't done properly.

Kind Regards,

Jordy Zomer

Jordy Zomer added 3 commits November 24, 2018 12:19
An issue was discovered in The Sleuth Kit (TSK) through 4.6.4.
The "tsk_getu16(hfs->fs_info.endian, &rec_buf[rec_off2])" call in hfs_dir_open_meta_cb in
tsk/fs/hfs_dent.c does not properly check boundaries. This results in
a crash (SEGV on unknown address
READ memory access)
when reading too much in the destination buffer.
Also fix the length in printf next to commit dd679ad
make it >= because if keylen == nodesize - rec_off it's already past its destination.
Also fix the sprintf
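The boundary condition from the commit message above, as an added example that is not part of this pull request or of TSK's code: a constructed model of the key-length check in hfs_cat_traverse with the pre-fix and post-fix comparisons side by side. The node layout, the `-2` guard on the trailing read and the sample records are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the leaf-record walk in hfs_cat_traverse; not TSK's code.
 * A node is `nodesize` bytes; a record at `rec_off` starts with a big-endian
 * u16 key length, the key bytes follow, then the record data at rec_off2. */
#define NODE_SIZE 4096

static uint16_t get_u16_be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Pre-fix comparison ('>'): accepts keylen == nodesize - rec_off, which puts
 * rec_off2 exactly at the end of the node, so the next read leaves the buffer. */
bool key_fits_old(size_t rec_off, size_t keylen, size_t nodesize) {
    return !(keylen > nodesize - rec_off);
}

/* Post-fix comparison ('>=') as described in the commit message. */
bool key_fits_fixed(size_t rec_off, size_t keylen, size_t nodesize) {
    return !(keylen >= nodesize - rec_off);
}

/* Read one record's key length, validate it with `check`, then read the u16 at
 * rec_off2 (the read that faulted in the report). Returns -1 if the check
 * rejects the key, -2 if a read would cross the node end (an extra guard
 * assumed here so the pre-fix case is observable instead of a crash),
 * otherwise the u16 value found at rec_off2. */
int read_record_tail(const uint8_t *node, size_t nodesize, size_t rec_off,
                     bool (*check)(size_t, size_t, size_t)) {
    if (rec_off + 2 > nodesize) return -2;
    size_t keylen = 2 + get_u16_be(node + rec_off);   /* length prefix + key bytes */
    if (!check(rec_off, keylen, nodesize)) return -1;
    size_t rec_off2 = rec_off + keylen;
    if (rec_off2 + 2 > nodesize) return -2;
    return get_u16_be(node + rec_off2);
}

/* Constructed sample node with three records (sample data, not from a disk image). */
const uint8_t *demo_node(void) {
    static uint8_t node[NODE_SIZE];
    memset(node, 0, sizeof node);
    node[100] = 0x00; node[101] = 0x0A;   /* keylen 12, data u16 0x1234 at offset 112 */
    node[112] = 0x12; node[113] = 0x34;
    node[200] = 0xFF; node[201] = 0xFF;   /* keylen 65537: the value in the PR's output */
    node[4090] = 0x00; node[4091] = 0x04; /* keylen 6 == NODE_SIZE - 4090: the boundary case */
    return node;
}
```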
@JordyZomer
Contributor Author

Validated the patch, now it returns:

General file system error (hfs_cat_traverse: length of key 3 in leaf node 1 too large (65537 vs 4096))

On the proof of concept.

@JordyZomer
Contributor Author

@rcordovano Any updates? The ticket has been open for 5 days (Sorry for directly mentioning you).

@bcarrier bcarrier merged commit bc04aa0 into sleuthkit:develop Nov 29, 2018
@bcarrier
Member

Thanks for the fix!

gentoo-bot pushed a commit to gentoo/gentoo that referenced this pull request Nov 29, 2018
Bug: https://bugs.gentoo.org/661160
Bug: sleuthkit/sleuthkit#1374
Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11