Fix CVE-2018-19497. #1374

Merged
merged 3 commits into from Nov 29, 2018

@JordyZomer
Contributor

JordyZomer commented Nov 24, 2018

An issue was discovered in The Sleuth Kit (TSK) through 4.6.4. The "tsk_getu16(hfs->fs_info.endian, &rec_buf[rec_off2])" call in hfs_dir_open_meta_cb in tsk/fs/hfs_dent.c does not properly check boundaries. This results in a crash (SEGV on unknown address, READ memory access) when reading too much in the destination buffer.

This is because the boundary check in hfs_traverse_cat wasn't done properly.

Kind Regards,

Jordy Zomer

JordyZomer added some commits Nov 24, 2018

Fix CVE-2018-19497.
An issue was discovered in The Sleuth Kit (TSK) through 4.6.4. The "tsk_getu16(hfs->fs_info.endian, &rec_buf[rec_off2])" call in hfs_dir_open_meta_cb in tsk/fs/hfs_dent.c does not properly check boundaries. This results in a crash (SEGV on unknown address, READ memory access) when reading too much in the destination buffer.

fix length in printf of nodesize
Also fix the length in printf next to commit dd679ad

UPDATE on CVE-2018-19497.
make it >= because if keylen == nodesize - rec_off it's already past its destination.
Also fix the sprintf
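The reasoning in the last commit message (reject the record when keylen equals nodesize - rec_off, not only when it exceeds it) is illustrated below with added example code. This is not The Sleuth Kit's own hfs_cat_traverse; the record layout (a 16-bit big-endian key length field followed by the key bytes and then the record data), the 4096-byte node size, the record offsets and the function names are assumptions made for the demonstration, chosen so the constructed inputs reproduce the 65537 vs 4096 values from the comment below.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a simplified model of validating the key length read from a
 * record in an HFS+ catalog B-tree node before it is used to index into the
 * node buffer. Not The Sleuth Kit's code; layout and sizes are assumptions. */

enum key_check { KEY_OK = 0, KEY_ERR_OFFSET = 1, KEY_ERR_TOO_LARGE = 2 };

/* Read a big-endian 16-bit value from a buffer. */
static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Weak check: rejects the key only when it runs strictly past the node. A key
 * that ends exactly on the node boundary passes, although the record data that
 * must follow the key would then begin outside the buffer. */
int check_key_len_weak(const uint8_t *node, size_t nodesize, size_t rec_off,
                       size_t *keylen_out)
{
    if (nodesize < 2 || rec_off > nodesize - 2)
        return KEY_ERR_OFFSET;                    /* length field itself out of bounds */
    size_t keylen = 2 + get_be16(&node[rec_off]); /* length field + key bytes */
    if (keylen > nodesize - rec_off)
        return KEY_ERR_TOO_LARGE;
    *keylen_out = keylen;
    return KEY_OK;
}

/* Hardened check: uses >= so that a key ending exactly at the node edge is
 * rejected as well, which guarantees at least one byte of the node remains
 * for the record data that follows the key. */
int check_key_len(const uint8_t *node, size_t nodesize, size_t rec_off,
                  size_t *keylen_out)
{
    if (nodesize < 2 || rec_off > nodesize - 2)
        return KEY_ERR_OFFSET;
    size_t keylen = 2 + get_be16(&node[rec_off]);
    if (keylen >= nodesize - rec_off) {
        fprintf(stderr, "length of key too large (%zu vs %zu)\n", keylen, nodesize);
        return KEY_ERR_TOO_LARGE;
    }
    *keylen_out = keylen;
    return KEY_OK;
}

#define NODE_SIZE 4096  /* assumed node size */

/* Constructed node whose key length field claims 65535 bytes, so keylen is
 * 65537 against a 4096-byte node. Returns 1 when the hardened check rejects it. */
int demo_oversized_key(void)
{
    uint8_t node[NODE_SIZE];
    memset(node, 0, sizeof node);
    size_t rec_off = 14;   /* assumed offset of the first record after the node descriptor */
    node[rec_off] = 0xFF;
    node[rec_off + 1] = 0xFF;
    size_t keylen = 0;
    return check_key_len(node, sizeof node, rec_off, &keylen) == KEY_ERR_TOO_LARGE;
}

/* Constructed boundary case: a record 10 bytes before the end of the node with a
 * key length field of 8, so keylen == nodesize - rec_off. Returns 1 when the weak
 * check accepts the record while the hardened check rejects it. */
int demo_boundary_case(void)
{
    uint8_t node[NODE_SIZE];
    memset(node, 0, sizeof node);
    size_t rec_off = NODE_SIZE - 10;
    node[rec_off] = 0x00;
    node[rec_off + 1] = 0x08;
    size_t keylen = 0;
    int weak = check_key_len_weak(node, sizeof node, rec_off, &keylen);
    int hard = check_key_len(node, sizeof node, rec_off, &keylen);
    return weak == KEY_OK && hard == KEY_ERR_TOO_LARGE;
}

int main(void)
{
    printf("oversized key rejected: %d\n", demo_oversized_key());
    printf("boundary case caught only by hardened check: %d\n", demo_boundary_case());
    return 0;
}
```

The weak variant is kept only to make the boundary case visible: both checks reject the obviously oversized key, but only the >= form rejects a key that fills the node to its last byte, which is the case the commit message describes.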
@JordyZomer

Contributor

JordyZomer commented Nov 24, 2018

Validated the patch, now it returns:

General file system error (hfs_cat_traverse: length of key 3 in leaf node 1 too large (65537 vs 4096))

On the proof of concept.

@JordyZomer

Contributor

JordyZomer commented Nov 29, 2018

@rcordovano Any updates? The ticket has been open for 5 days (Sorry for directly mentioning you).

@bcarrier bcarrier merged commit bc04aa0 into sleuthkit:develop Nov 29, 2018

2 of 3 checks passed

continuous-integration/travis-ci/pr: The Travis CI build could not complete due to an error
Codacy/PR Quality Review: Up to standards. A positive pull request.
continuous-integration/appveyor/pr: AppVeyor build succeeded
@bcarrier

Member

bcarrier commented Nov 29, 2018

Thanks for the fix!

gentoo-bot pushed a commit to gentoo/gentoo that referenced this pull request Nov 29, 2018

app-forensics/sleuthkit: backport fix for CVE-2018-19497 to 4.6.4
Bug: https://bugs.gentoo.org/661160
Bug: sleuthkit/sleuthkit#1374
Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11