oss-sec mailing list archives
Re: Re: CVE Request: icoutils: exploitable crash in wrestool programm
From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 10 Jan 2017 07:27:13 +0100
Hi, On Sun, Jan 08, 2017 at 02:47:40PM -0500, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256an exploitable crash in wrestool from the icoutilshttps://bugs.debian.org/850017 https://anonscm.debian.org/git/users/cjwatson/icoutils.git/plain/debian/patches/check-offset-overflow.patchwrestool/fileread.cOn 64-bit systems, the result of subtracting two pointers exceeds the size of intUse CVE-2017-5208.
Thanks for the CVE assignment. Ftr, this was upstreamed as http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=0d569f458f306b88f60156d60c9cf058125cf173 It turns out that this is not enough, so upstream has issued http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31b7ec031b0be070a9a400d1d3 to make the checks more stringent. Quoting a reply from upstream to the Debian maintainer "But as I see it there are still combinations of the arguments which make the test succeed even though the the memory block identified by offset&size is not fully inside memory&total_size ??? e.g. offset < memory, but size is larger than the difference. I have attached another patch (applies on top of yours) that more stringently checks all the memory bounds. Hopefully that will preempt shenanigans with specially crafted files containing weird offsets and sizes." Could you please assign a further CVE for this follow up fix? Furthermore I would like to ask if the following two commits from upstream, can have as well an identifier assigned: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a They relate to the Red Hat bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=1249276 All the three followup commits are included in Debian with the recent upload to Debian unstable, versioned as 0.31.1-1. Regards, Salvatore
Current thread:
- CVE Request: icoutils: exploitable crash in wrestool programm Salvatore Bonaccorso (Jan 08)
- Re: CVE Request: icoutils: exploitable crash in wrestool programm cve-assign (Jan 08)
- Re: Re: CVE Request: icoutils: exploitable crash in wrestool programm Salvatore Bonaccorso (Jan 09)
- Re: CVE Request: icoutils: exploitable crash in wrestool programm cve-assign (Jan 10)
- Re: Re: CVE Request: icoutils: exploitable crash in wrestool programm Salvatore Bonaccorso (Jan 09)
- Re: CVE Request: icoutils: exploitable crash in wrestool programm cve-assign (Jan 08)