[CVE-2021-46141] .hostText memory is not properly duped/freed in uriNormalizeSyntax*, uriMakeOwner*, uriFreeUriMembers* for some URIs #121
Comments
@afosscontact thanks for the detailed report, I will have a closer look.
Commit is viewed best with "git show --ignore-all-space <sha1>"
@afosscontact confirming as a bug, fixed by pull request #124 (along with issue #122). Thanks for the report again!
Thank you for the fix.
Related: #122 (comment)
@junsik-kim0 I'm in the process of making a new release (see #128 and #129). Regarding the two issues you reported, my best knowledge so far is that they can cause denial of service. Are you aware of any other potential impact? Also, have you decided if you want to share your name with me and/or Mitre for the CVE finding credits? A soon reply would be great, and I would then request two CVEs, ideally before making the release. Thanks in advance!
Hello, I agree to share a name.
I had a real name in mind, but okay, I can put "Autofuzz" in the Mitre form for discovery credits.
I'm still in the dark about the worst that could be done with an exploit on #121 and #122. Anything beyond a crash-caused denial-of-service? Are you aware of anything more? CWE-590: Free of Memory not on the Heap mentions "potential for arbitrary code execution" (emphasis mine) but I'm unsure if that's realistic for our case here. There is mention of "undefined behavior" elsewhere.
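The CWE-590 condition discussed in the comment above, as an added example that is not uriparser's code: a parsed URI whose text ranges alias the caller's input buffer until a "make owner" step replaces them with heap copies, with the cleanup routine freeing every range once the owner flag is set. The struct name ParsedUri, the TextRange/hostText/schemeText fields, the make_owner_*/free_members_* functions and the sample input are assumptions for illustration; the particular URI shapes that trigger the real bug ("for some URIs" in the issue title) are not modelled. The buggy variant marks the struct as owner while leaving hostText un-duped, so a plain owner-gated free would hand a stack address to free(). The checked cleanup below instead refuses to free a range that still points into the input and reports how many it skipped, so the demo runs safely under ASan.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (NOT uriparser's code): a range of text that aliases the
 * caller's input until it is duplicated onto the heap. */
typedef struct {
    const char *first;      /* start of the range, NULL if absent */
    const char *afterLast;  /* one past the last character */
} TextRange;

typedef struct {
    TextRange schemeText;   /* hypothetical field names */
    TextRange hostText;
    bool owner;             /* true once every range is a heap copy we own */
} ParsedUri;

/* Minimal "parser": split "scheme://host" into two ranges aliasing `text`. */
static bool parse_scheme_host(ParsedUri *uri, const char *text) {
    const char *sep = strstr(text, "://");
    if (sep == NULL || sep == text || sep[3] == '\0') return false;
    uri->schemeText.first = text;
    uri->schemeText.afterLast = sep;
    uri->hostText.first = sep + 3;
    uri->hostText.afterLast = text + strlen(text);
    uri->owner = false;
    return true;
}

/* Replace a view with a NUL-terminated heap copy; false on allocation failure. */
static bool dup_range(TextRange *r) {
    if (r->first == NULL) return true;           /* nothing to own */
    size_t len = (size_t)(r->afterLast - r->first);
    char *copy = malloc(len + 1);
    if (copy == NULL) return false;
    memcpy(copy, r->first, len);
    copy[len] = '\0';
    r->first = copy;
    r->afterLast = copy + len;
    return true;
}

/* Buggy variant of the pattern in this issue: owner is set although hostText
 * was never duplicated, so it still points into the caller's buffer. */
static bool make_owner_buggy(ParsedUri *uri) {
    if (!dup_range(&uri->schemeText)) return false;
    /* hostText forgotten here */
    uri->owner = true;
    return true;
}

/* Correct variant: duplicate into temporaries, commit only when both succeed. */
static bool make_owner_fixed(ParsedUri *uri) {
    TextRange scheme = uri->schemeText, host = uri->hostText;
    if (!dup_range(&scheme)) return false;
    if (!dup_range(&host)) { free((char *)scheme.first); return false; }
    uri->schemeText = scheme;
    uri->hostText = host;
    uri->owner = true;
    return true;
}

/* Does `r` still point into the input buffer [buf, buf + len)? */
static bool range_aliases(const TextRange *r, const char *buf, size_t len) {
    uintptr_t p = (uintptr_t)r->first, b = (uintptr_t)buf;
    return r->first != NULL && p >= b && p < b + len;
}

/* Owner-gated free as a uriFreeUriMembers-style cleanup would do it. Called on
 * a struct from make_owner_buggy it frees the caller's buffer: that is the
 * CWE-590 condition, and ASan aborts with an invalid-free report. Not run here. */
static void free_members_unchecked(ParsedUri *uri) {
    if (!uri->owner) return;
    free((char *)uri->schemeText.first);
    free((char *)uri->hostText.first);
    memset(uri, 0, sizeof *uri);
}

/* Defensive cleanup for the demo: free only ranges that do not alias the
 * input and return how many still did (0 means make_owner was complete). */
static int free_members_checked(ParsedUri *uri, const char *input, size_t len) {
    int still_aliasing = 0;
    TextRange *ranges[] = { &uri->schemeText, &uri->hostText };
    for (size_t i = 0; i < 2; i++) {
        if (range_aliases(ranges[i], input, len)) still_aliasing++;
        else free((char *)ranges[i]->first);
    }
    memset(uri, 0, sizeof *uri);
    return still_aliasing;
}

/* Parse a constructed URI on the stack, make it owner, clean up; returns the
 * number of ranges left aliasing the stack buffer, or -1 on failure. */
static int demo(bool use_fixed) {
    char input[] = "https://example.org";    /* constructed sample input */
    ParsedUri uri;
    if (!parse_scheme_host(&uri, input)) return -1;
    if (!(use_fixed ? make_owner_fixed(&uri) : make_owner_buggy(&uri))) return -1;
    (void)free_members_unchecked;             /* shown, deliberately not called */
    return free_members_checked(&uri, input, sizeof input);
}

int main(void) {
    printf("buggy make_owner: %d range(s) still alias the input\n", demo(false));
    printf("fixed make_owner: %d range(s) still alias the input\n", demo(true));
    return 0;
}
```

Compiling with `-fsanitize=address` and replacing the checked cleanup with free_members_unchecked in the buggy path is what turns this into the crash class the report describes: an invalid free on a stack (or read-only) address rather than a heap chunk, which is a reliable abort under ASan and undefined behaviour without it.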
I cannot be sure that this remote exploit (potential for arbitrary code execution) is possible.
Is CVE ID issuance possible?
Hi @junsik-kim0, I requested two CVEs from Mitre about four hours ago today at https://cveform.mitre.org/ . With some luck I hear back tomorrow.
@junsik-kim0 I have received two CVEs now:
I would like to thank you again for your whitehat security work on uriparser |
A bug was found within uriparser. Though it might not be an intended use of the relevant API, the bug can still produce critical issues within a program using uriparser. It would be best if the affected logic is checked beforehand.
The bug was found with a fuzzer based on the test code "TestNormalizeSyntaxMaskRequired".
Crash log:
Steps to reproduce:
cmake -DCMAKE_BUILD_TYPE=Release -DURIPARSER_BUILD_DOCS:BOOL=OFF -DBUILD_SHARED_LIBS:BOOL=ON ..
make -j8
clang++ -g -fsanitize=address,fuzzer-no-link -o 1 1.cpp -I uriparser/include/ -Luriparser/build -luriparser
LD_LIBRARY_PATH=uriparser/build/ ./1
OS: Ubuntu 18.04
uriparser_poc1.tar.gz