
Bug#862556: marked as done (CVE-2017-9058: Heap-based buffer overflow due to incorrect boundary checking)



Your message dated Wed, 24 May 2017 09:05:44 +0000
with message-id <E1dDSEi-000AwV-Mk@fasolo.debian.org>
and subject line Bug#862556: fixed in libytnef 1.9.2-2
has caused the Debian Bug report #862556,
regarding CVE-2017-9058: Heap-based buffer overflow due to incorrect boundary checking
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
862556: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862556
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libytnef
Version: 1.5-6+deb8u1
Severity: normal
Tags: security


Hi,
  We found a heap-buffer-overflow vulnerability in libytnef.
This affects both 1.5-6+deb8u1 and 1.9.1.
The cause is incorrect boundary checking in the SIZECHECK macro in lib/ytnef.c:39
-- #define SIZECHECK(x) { if ((((char *)d - (char *)data) + x) > size) {  printf("Corrupted file detected at %s : %i\n", __FILE__, __LINE__); return(-1); } }
++ #define SIZECHECK(x) { if ((((char *)d - (char *)data) + x) >= size) {  printf("Corrupted file detected at %s : %i\n", __FILE__, __LINE__); return(-1); } }
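Review bot: changing `>` to `>=` rejects a read that ends exactly at the end of the buffer, so if `x` is the number of bytes about to be read at `d`, the original `off + x > size` is already the right failure condition and the `>=` form will also reject well-formed input whose last field ends at `size`. The ASan report below shows a 4-byte read in SwapDWord, called from TNEFPriority, landing in a 2-byte region allocated at ytnef.c:1046 in TNEFParse, i.e. an attribute payload shorter than the DWORD the handler decodes; the missing check is on the payload length handed to TNEFPriority (fewer than 4 bytes should be rejected), which a tighter SIZECHECK in the outer loop does not provide on its own. On form, the `--`/`++` prefixes are not a unified diff and will not apply with patch; a `diff -u` hunk with a few lines of context would make the change easier to review and apply.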


To verify this, use the testcase from:
https://github.com/bingosxs/fuzzdata/blob/master/ytnef-1.9/TNEFFreeMapiProps-Invalid-read.tnef?raw=true

run the sample with command:

ytnef/.libs/ytnef -v @@


The tracelog is:
=================================================================
==15221==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef90 at pc 0x7f7f8986e69f bp 0x7ffe3fc1b820 sp 0x7ffe3fc1b818
READ of size 4 at 0x60200000ef90 thread T0
#0 0x7f7f8986e69e in SwapDWord /home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:136:12
#1 0x7f7f8986e69e in TNEFPriority /home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:670
#2 0x7f7f8987ac87 in TNEFParse /home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:1076:29
#3 0x7f7f8987997f in TNEFParseFile /home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:936:12
#4 0x4ea71b in main /home/canicula/afl/test/ytnef.0/ytnef/main.c:125:9
#5 0x7f7f8897782f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x418bd8 in _start (/data/canicula/afl/test/ytnef.0/ytnef/.libs/ytnef+0x418bd8)

0x60200000ef92 is located 0 bytes to the right of 2-byte region [0x60200000ef90,0x60200000ef92)
allocated by thread T0 here:
#0 0x4b8e90 in calloc (/data/canicula/afl/test/ytnef.0/ytnef/.libs/ytnef+0x4b8e90)
#1 0x7f7f8987a29d in TNEFParse /home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:1046:20
#2 0x7f7f8987997f in TNEFParseFile /home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:936:12
#3 0x4ea71b in main /home/canicula/afl/test/ytnef.0/ytnef/main.c:125:9
#4 0x7f7f8897782f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/canicula/afl/test/libytnef0/libytnef-1.5.x/ytnef.c:136:12 in SwapDWord
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa[02]fa fa fa 00 fa fa fa fd fa fa fa fd fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15221==ABORTING



--- End Message ---
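The two points the report and trace raise, shown as an added example rather than code from libytnef or from the reporter: (1) `off + x > size` is the correct rejection condition for a read of `x` bytes at offset `off`, and `>=` would reject a field that ends exactly at the end of the buffer; (2) the trace's 4-byte SwapDWord read out of a 2-byte region is a per-attribute handler decoding a DWORD without checking the payload length it was given. The record layout (`uint32 id | uint32 len | payload`), the attribute id `0x8013`, the function names and the three sample byte strings are all constructed for this example and are not the TNEF encoding or ytnef's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record layout for this example (NOT the real TNEF encoding):
 *   uint32 id | uint32 len | len payload bytes      (integers little-endian)
 * Records are concatenated until the buffer ends. */
#define ATTR_PRIORITY 0x8013u   /* hypothetical id for a 4-byte priority field */

/* Little-endian DWORD read; plays the role of SwapDWord in the report. */
static uint32_t rd_dword(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The two comparisons from the report, with x = bytes about to be read at
 * offset off in a size-byte buffer. Returns 1 when the read is rejected. */
static int rejected_gt(size_t off, size_t x, size_t size) { return off + x > size; }
static int rejected_ge(size_t off, size_t x, size_t size) { return off + x >= size; }

/* Overflow-safe form of the `>` check: a read of need bytes at off fits iff
 * need <= size - off. Comparing against the remaining bytes means an
 * attacker-chosen need (e.g. 0xFFFFFFFF) cannot wrap off + need around. */
static int in_bounds(size_t off, size_t need, size_t size)
{
    return off <= size && need <= size - off;
}

typedef int (*handler_fn)(const unsigned char *payload, size_t len, uint32_t *out);

/* Vulnerable handler pattern: decodes a DWORD without looking at len, so a
 * 2-byte payload is read as 4 bytes (the shape of the ASan report above). */
static int priority_unchecked(const unsigned char *payload, size_t len, uint32_t *out)
{
    (void)len;
    *out = rd_dword(payload);
    return 0;
}

/* Hardened handler: the per-attribute length is checked before decoding. */
static int priority_checked(const unsigned char *payload, size_t len, uint32_t *out)
{
    if (len < 4)
        return -1;              /* "Corrupted file detected" in the report's terms */
    *out = rd_dword(payload);
    return 0;
}

/* Walk the stream. Returns the record count, or -1 for a corrupted stream.
 * *last receives the most recently decoded priority value. */
static int parse_stream(const unsigned char *data, size_t size,
                        handler_fn handle, uint32_t *last)
{
    size_t off = 0;
    int count = 0;

    while (off < size) {
        if (!in_bounds(off, 8, size))          /* header must fit */
            return -1;
        uint32_t id  = rd_dword(data + off);
        uint32_t len = rd_dword(data + off + 4);
        off += 8;

        if (!in_bounds(off, len, size))        /* declared payload must fit */
            return -1;
        if (id == ATTR_PRIORITY && handle(data + off, len, last) != 0)
            return -1;
        off += len;
        count++;
    }
    return count;
}

/* Constructed sample streams (not real TNEF files). */
/* Priority attribute with a 2-byte payload, followed by a well-formed record. */
static const unsigned char SHORT_PRIORITY[] = {
    0x13, 0x80, 0x00, 0x00,  0x02, 0x00, 0x00, 0x00,  0x01, 0x00,
    0x01, 0x00, 0x00, 0x00,  0x04, 0x00, 0x00, 0x00,  0xAA, 0xBB, 0xCC, 0xDD
};
/* One priority attribute whose payload ends exactly at the end of the buffer. */
static const unsigned char EXACT_FIT[] = {
    0x13, 0x80, 0x00, 0x00,  0x04, 0x00, 0x00, 0x00,  0x78, 0x56, 0x34, 0x12
};
/* Declared length 0xFFFFFFFF with only 4 bytes left. */
static const unsigned char OVERLONG[] = {
    0x13, 0x80, 0x00, 0x00,  0xFF, 0xFF, 0xFF, 0xFF,  0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    uint32_t v = 0;
    int n;

    n = parse_stream(SHORT_PRIORITY, sizeof SHORT_PRIORITY, priority_unchecked, &v);
    printf("unchecked: %d records, priority 0x%08x (upper 2 bytes come from the next record)\n", n, v);
    n = parse_stream(SHORT_PRIORITY, sizeof SHORT_PRIORITY, priority_checked, &v);
    printf("checked:   %d (rejected)\n", n);
    n = parse_stream(EXACT_FIT, sizeof EXACT_FIT, priority_checked, &v);
    printf("exact fit: %d record, priority 0x%08x\n", n, v);
    printf("exact-fit read rejected by '>': %d, by '>=': %d\n",
           rejected_gt(8, 4, sizeof EXACT_FIT), rejected_ge(8, 4, sizeof EXACT_FIT));
    n = parse_stream(OVERLONG, sizeof OVERLONG, priority_checked, &v);
    printf("overlong:  %d (rejected)\n", n);
    return 0;
}
```

The unchecked handler does not crash on the first sample because the two extra bytes it reads are the next record's header, which is exactly why ASan is needed to see this class of bug: on the reporter's file the short payload sat at the end of its allocation, so the same read crossed into the redzone. The `in_bounds` helper keeps the `>` semantics of the original macro while computing against the remaining bytes, so a length taken from the file cannot wrap the addition on a 32-bit `size_t`.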
--- Begin Message ---
Source: libytnef
Source-Version: 1.9.2-2

We believe that the bug you reported is fixed in the latest version of
libytnef, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862556@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated libytnef package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 May 2017 23:51:52 +0200
Source: libytnef
Binary: libytnef0 libytnef0-dev ytnef-tools
Architecture: source amd64
Version: 1.9.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description:
 libytnef0  - improved decoder for application/ms-tnef attachments
 libytnef0-dev - headers for application/ms-tnef attachments decoder
 ytnef-tools - ytnef decoder commandline tools
Closes: 862556
Changes:
 libytnef (1.9.2-2) unstable; urgency=medium
 .
   * Add CVE information to previous changelog entry.
   * Add CVE-2017-9058.patch: Fix a heap buffer overflow in SIZECHECK macro
     (closes: #862556).
Checksums-Sha1:
 b4d233b9302c976f28185e2503eb383fcc7dea94 1950 libytnef_1.9.2-2.dsc
 bfe7827a79fc6a5e1260c847088a7dea735e881b 4628 libytnef_1.9.2-2.debian.tar.xz
 72b47158560736cea511cb1a30147a6046c1d09f 29166 libytnef0-dbgsym_1.9.2-2_amd64.deb
 e819f959c89191e23f414cbead00c0f39f7bda1c 31370 libytnef0-dev_1.9.2-2_amd64.deb
 b732f318b482e11a64641fb19e0f6eb4a5ec318e 24866 libytnef0_1.9.2-2_amd64.deb
 990f6e2d6ce2a58cc320449f2881bbe72ab8bdd1 6534 libytnef_1.9.2-2_amd64.buildinfo
 cc9a3be334d3ced5982b801b0f80a8faf303e52c 31980 ytnef-tools-dbgsym_1.9.2-2_amd64.deb
 2b22b220a75369b234910aaf7f53edfafadc08f9 20548 ytnef-tools_1.9.2-2_amd64.deb
Checksums-Sha256:
 0c2ec01a02ff8f91d32274a84a2bf26764ef803d51aa2b2182ce497385fcd7ff 1950 libytnef_1.9.2-2.dsc
 a06aaf2c2825ac4c44616789bf7228540c54073a10df30dbe9b218d58053598f 4628 libytnef_1.9.2-2.debian.tar.xz
 562c1f42323df3bbb7277f9037de0f2ad98bc64ac7282dec69af0c351f5841f0 29166 libytnef0-dbgsym_1.9.2-2_amd64.deb
 0304c5265f2dff1fe7ff578fb1f79f19dfe5091640fcac47763228632cd9d8a2 31370 libytnef0-dev_1.9.2-2_amd64.deb
 b13456240527b60901d943ab4dcd5c038df8b8a72b72c88ce9b7079227114c7d 24866 libytnef0_1.9.2-2_amd64.deb
 66c93f0576b54d83c876225f33aadf1838b16f552cdf162e70cb903856a13cc6 6534 libytnef_1.9.2-2_amd64.buildinfo
 65aca82ac362cc5b555dde24aa4667183851565803db6223c4326326ecf947b0 31980 ytnef-tools-dbgsym_1.9.2-2_amd64.deb
 222a4531b08d5fc0e43216dee2f2b26c98268cb225deb35a735d6c8011f4cebf 20548 ytnef-tools_1.9.2-2_amd64.deb
Files:
 2249def91c97a2065318f76e21899e84 1950 utils extra libytnef_1.9.2-2.dsc
 8687934ec21061787b84098092fae3f3 4628 utils extra libytnef_1.9.2-2.debian.tar.xz
 72d4a4d39975e34345a37f591c28c90d 29166 debug extra libytnef0-dbgsym_1.9.2-2_amd64.deb
 9c49b3d506b70c806ae07dcc70e08c94 31370 libdevel extra libytnef0-dev_1.9.2-2_amd64.deb
 e9a5c9885687ebd257e4cd5d33e369c5 24866 libs extra libytnef0_1.9.2-2_amd64.deb
 96e25d14e46dfddd8ff561dfc8197282 6534 utils extra libytnef_1.9.2-2_amd64.buildinfo
 85c8865ceff2df5b7262a4ae4093f381 31980 debug extra ytnef-tools-dbgsym_1.9.2-2_amd64.deb
 7cca14ef47ab4fd4f401b8b2a483e54e 20548 utils extra ytnef-tools_1.9.2-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE6BdUhsApKYN8KGoWJVAvb8vjywQFAlkjXjwACgkQJVAvb8vj
ywSmSxAAov7E+yqUQ7ZCXgNk720ttqDBIs/IQUKaON+O9mC5g+SYQhL0Wr2VNiwA
Jk41+napkakyUd0zSqEj9i9lXkrhsCBJ3tLs4ln0MAMmSWiv8pAbjQmsWSrwXfYO
rSdH9OQ2Xx7VJf7DSNGbytFAJiLdrV0Fv1H4It4stcGQh86Cw6lOG/D1lZI3Uvxm
o2gF3wQh1ila65wrqoc0vhj/bbNQ+YOTuhuAgE/a3GGnVBAtwD3EzSj+M1vu9Uld
3C02yCU9GbzE2dW0T+EO/fcolSxwGxRnzgRBWukiVNUc4tXlfzDs0rwCGERVvyo+
qq7E8mVqLyJH1ciHr2JVYaYP7Wn8XTnKdPLrzZStQXCWwl791Vj6FzD5jR7h/5O1
XtDLEm59yma6w8G2L5DPoLZP66FwHTzfHag7aVF6MJ+8Lgu3XuOzUG6PM6Y2X3QN
bKwIyMQmIWRT/CODKL0gSWbOaMeIxOqwD0Q0jKeL+KeXLZypI2eLyWkYFmqqJKS9
o1Yp3gDwabfSgCr/xuN+PoWm1QiPPcc6FhwuMHxbpDyEmOrmaVTWVtUC5G2Bo7PJ
4bYhEuVSR9v7P0Zg/+mQMqHjqR4yY3axAIEOt9C1oJfuSmJenLnWCA+hdJLrQJWt
T1XGTAUZTLxMh+Df64sNH17oa8OHvVQ5YrEQFLhqdzFRtZ+LTaw=
=Ak1m
-----END PGP SIGNATURE-----

--- End Message ---
