Your message dated Thu, 17 Jan 2019 22:35:45 +0100 with message-id <sa67ef3vufi.fsf@meta.reinholdtsen.name> and subject line "Fixed in version 0.5.0" has caused the Debian Bug report #883198, regarding bs1770gain: use after free while running bs1770gain with "poc output" option, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
883198: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883198
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bs1770gain: use after free while running bs1770gain with "poc output" option
- From: Joonun Jang <joonun.jang@gmail.com>
- Date: Fri, 01 Dec 2017 01:17:04 +0900
- Message-id: <151205862427.12576.3992322485376234320.reportbug@yuweol>
Package: bs1770gain
Version: 0.4.12-2+b1
Severity: important
Tags: security

use after free while running bs1770gain with "poc output" option

Running 'bs1770gain poc output' with the attached file raises a use after free, which may allow a remote attacker to cause a denial-of-service attack or other unspecified impact with a crafted file.

I expected the program to terminate without segfault, but the program crashes as follows:

-------------------------------------------
june@yuweol:~/workspace/bugre/poc/bs1770gain/1$ ~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc output
analyzing ...
  [1/1] "poc":
Error finding decoder: ffsox_frame_reader_create(), "ffsox_frame_reader.c" (41).
Error creating frame reader: ffsox_frame_reader_new(), "ffsox_frame_reader.c" (92).
Error creating frame reader: ffsox_analyze(), "ffsox_analyze.c" (68).
=================================================================
==10074==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000000640 at pc 0x555555582800 bp 0x7fffffffda60 sp 0x7fffffffda58
READ of size 8 at 0x610000000640 thread T0
    #0 0x5555555827ff in ffsox_packet_consumer_list_free (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff)
    #1 0x55555559b91a in pbu_list_free_full (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x4791a)
    #2 0x5555555773fe in ffsox_source_link_cleanup (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x233fe)
    #3 0x5555555762b5 in source_cleanup (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x222b5)
    #4 0x555555570a2f in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1ca2f)
    #5 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #6 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #7 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x5555555614e9 in _start (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)

0x610000000640 is located 0 bytes inside of 184-byte region [0x610000000640,0x6100000006f8)
freed by thread T0 here:
    #0 0x7ffff6eff8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    #1 0x55555557393b in ffsox_frame_reader_new (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f93b)
    #2 0x55555556fdf7 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
    #3 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #4 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #5 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x7ffff6effc20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x555555573841 in ffsox_frame_reader_new (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f841)
    #2 0x55555556fdf7 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
    #3 0x5555555689fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #4 0x55555556514e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #5 0x7ffff44ec2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff) in ffsox_packet_consumer_list_free
Shadow bytes around the buggy address:
  0x0c207fff8070: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c207fff8080: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8090: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c207fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff80b0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c207fff80c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c207fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10074==ABORTING
-------------------------------------------

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bs1770gain depends on:
ii  libavcodec57    7:3.4-3
ii  libavformat57   7:3.4-3
ii  libavutil55     7:3.4-3
ii  libc6           2.24-17
ii  libsox3         14.4.2-2
ii  libswresample2  7:3.4-3

bs1770gain recommends no packages.

bs1770gain suggests no packages.

-- no debconf information

Attachment: poc
Description: Binary data
--- End Message ---
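The AddressSanitizer trace above records the shape of the defect rather than its cause: the 184-byte block is allocated and then freed inside ffsox_frame_reader_new (on the "Error finding decoder" path), and is later read by ffsox_packet_consumer_list_free while the source is torn down. That is the classic ownership split where a constructor registers a new object in a list the owner will free, then frees the object itself on failure without unregistering it. The following C program is an added illustration written for this thread, not bs1770gain's code; the struct and function names (consumer, source, frame_reader_new, source_cleanup) and the decoder_available flag standing in for the decoder lookup are hypothetical. It shows the safe ordering: the error path unlinks the node before freeing it, and the list walk reads the next pointer before calling a node's cleanup.

```c
/* Added example, not bs1770gain's code: a constructor that registers itself
 * in the owner's consumer list must unregister before its error path frees
 * the object, otherwise the owner's list cleanup reads freed memory.
 * All names here are hypothetical stand-ins for the ones in the ASan trace. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct consumer {
    struct consumer *next;
    void (*cleanup)(struct consumer *);   /* frees the node */
    char name[32];
};

struct source {
    struct consumer *consumers;           /* owner of every registered consumer */
};

struct frame_reader {
    struct consumer base;                 /* first member: node pointer == object pointer */
    int decoder_found;
};

static void list_push(struct source *s, struct consumer *c)
{
    c->next = s->consumers;
    s->consumers = c;
}

/* Remove c from the list; returns 1 if it was found, 0 otherwise. */
static int list_unlink(struct source *s, struct consumer *c)
{
    struct consumer **pp;
    for (pp = &s->consumers; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == c) {
            *pp = c->next;
            c->next = NULL;
            return 1;
        }
    }
    return 0;
}

static void frame_reader_cleanup(struct consumer *c)
{
    free(c);   /* c is the frame_reader's first member, so this frees the whole object */
}

/* Constructor. decoder_available stands in for the decoder lookup succeeding.
 * On failure every side effect (the registration) is undone before freeing. */
static struct frame_reader *frame_reader_new(struct source *s, int decoder_available)
{
    struct frame_reader *r = calloc(1, sizeof *r);
    if (r == NULL)
        return NULL;
    r->base.cleanup = frame_reader_cleanup;
    strncpy(r->base.name, "frame_reader", sizeof r->base.name - 1);
    list_push(s, &r->base);               /* registration happens early ... */
    if (!decoder_available) {
        list_unlink(s, &r->base);         /* ... so the error path reverses it first */
        free(r);
        return NULL;
    }
    r->decoder_found = 1;
    return r;
}

/* Owner teardown: frees each registered consumer exactly once.
 * Returns how many consumers were cleaned up. */
static size_t source_cleanup(struct source *s)
{
    size_t n = 0;
    struct consumer *c = s->consumers;
    while (c != NULL) {
        struct consumer *next = c->next;  /* read before cleanup frees c */
        c->cleanup(c);
        c = next;
        n++;
    }
    s->consumers = NULL;
    return n;
}

/* The reported scenario: decoder lookup fails, then the source is torn down.
 * Returns the number of consumers freed during teardown (expected 0). */
size_t analyze_with_missing_decoder(void)
{
    struct source src = { NULL };
    if (frame_reader_new(&src, 0) != NULL)
        return (size_t)-1;                /* constructor must have failed */
    return source_cleanup(&src);
}

/* The normal scenario: the reader survives and is freed once, by the owner. */
size_t analyze_with_decoder(void)
{
    struct source src = { NULL };
    if (frame_reader_new(&src, 1) == NULL)
        return (size_t)-1;
    return source_cleanup(&src);
}

int main(void)
{
    printf("missing decoder: %zu consumer(s) freed at teardown\n", analyze_with_missing_decoder());
    printf("decoder present: %zu consumer(s) freed at teardown\n", analyze_with_decoder());
    return 0;
}
```

Building with -fsanitize=address and running both paths is the check to keep in a regression suite: the error path must leave the consumer list empty, and the normal path must free the reader exactly once, from the owner's cleanup.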
--- Begin Message ---
- To: 883198-done@bugs.debian.org
- Subject: Fixed in version 0.5.0
- From: Petter Reinholdtsen <pere@hungry.com>
- Date: Thu, 17 Jan 2019 22:35:45 +0100
- Message-id: <sa67ef3vufi.fsf@meta.reinholdtsen.name>
Version: 0.5.1-1

I believe this problem was fixed in version 0.5.0. Please reopen if this proves to be wrong.

--
Happy hacking
Petter Reinholdtsen
--- End Message ---