
List:       oss-security
Subject:    [oss-security] Stack overflows and out of bounds read in dpkg (Debian)
From:       Hanno Böck <hanno () hboeck ! de>
Date:       2015-11-26 20:25:40
Message-ID: 20151126212540.2e57f9e6 () pc1


https://blog.fuzzing-project.org/30-Stack-overflows-and-out-of-bounds-read-in-dpkg-Debian.html

Two stack overflows and one stack out of bounds access were fixed in
dpkg, the package management tool from Debian.

A call to the function read_line didn't consider a trailing zero byte
in the target buffer and thus could cause a one byte stack overflow
with a zero byte. This issue was already fixed in the testing code when
I reported it, but the fix wasn't backported to stable yet.
https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/dpkg-deb/extract.c?id=e65aa3db04eb908c9507d5d356a95cedb890814d
Git commit / fix
https://crashes.fuzzing-project.org/dpkg-stack-overflow-write-read_line-extracthalf-133.deb
Minimal PoC file

A second almost identical stack overflow due to a call to the function
read_line was in the same file.
https://crashes.fuzzing-project.org/dpkg-stack-overflow-write-read_line-extracthalf-248.deb
Minimal PoC file

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0860
These issues got the id CVE-2015-0860.

A stack out of bounds read can happen in the function
dpkg_ar_normalize_name. There is a read access to an array where the
index can have the value -1. A check if the index is a positive value
fixes this.
https://crashes.fuzzing-project.org/dpkg-stack-oob-read-dpkg_ar_normalize_name.deb
Minimal PoC file
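The two bug classes described above (a line reader that writes a terminating zero one byte past the buffer it was given, and a name-normalizing loop whose index can reach -1) are illustrated below with hypothetical helpers written for this note. They are not dpkg's read_line() or dpkg_ar_normalize_name() and do not reproduce dpkg's code; the function names, the padding characters trimmed, and the sample inputs are all assumptions made here to show the defect pattern beside its checked form.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the off-by-one terminator bug class.
 * A reader that copies up to `maxlen` payload bytes and then appends a
 * zero byte writes maxlen + 1 bytes. A caller that passes sizeof(buf)
 * as `maxlen` therefore gets a one-byte write past the end of `buf`,
 * with a zero byte, exactly the shape of overflow the post describes.
 * This helper only computes the footprint so the mismatch can be checked
 * without performing the overflow. */
size_t reader_footprint(size_t maxlen) {
    return maxlen + 1;
}

/* Checked variant (constructed for this note): copy at most bufsize - 1
 * payload bytes from `src`, stopping at a newline or the end of `src`,
 * always NUL-terminate, and return the payload length. Returns -1 when
 * `bufsize` is 0 and not even the terminator fits. */
long read_line_checked(char *buf, size_t bufsize, const char *src) {
    if (bufsize == 0)
        return -1;
    size_t n = 0;
    while (n < bufsize - 1 && src[n] != '\0' && src[n] != '\n') {
        buf[n] = src[n];
        n++;
    }
    buf[n] = '\0';          /* always inside the buffer: n <= bufsize - 1 */
    return (long)n;
}

/* Hypothetical illustration of the index -1 bug class. An ar member name
 * is padded with trailing spaces (and, in some formats, a trailing '/').
 * The unchecked form `while (name[len - 1] == ' ') len--;` reads name[-1]
 * when the name is empty or consists only of padding. Requiring len > 0
 * before indexing, the kind of check the post credits for the fix, keeps
 * the read inside the array. Returns the trimmed length. */
size_t normalize_name_checked(char *name) {
    size_t len = strlen(name);
    while (len > 0 && (name[len - 1] == ' ' || name[len - 1] == '/'))
        len--;
    name[len] = '\0';
    return len;
}

int main(void) {
    /* Constructed sample inputs, not taken from any real package. */
    char buf[8];
    long n = read_line_checked(buf, sizeof buf, "0123456789abcdef");
    printf("copied %ld bytes into an %zu-byte buffer: \"%s\"\n",
           n, sizeof buf, buf);
    printf("an unchecked reader given maxlen=%zu would touch %zu bytes\n",
           sizeof buf, reader_footprint(sizeof buf));

    char member[] = "debian-binary/  ";
    size_t len = normalize_name_checked(member);
    printf("normalized name: \"%s\" (len %zu)\n", member, len);

    char padding_only[] = "   ";
    printf("padding-only name trims to len %zu\n",
           normalize_name_checked(padding_only));
    return 0;
}
```

The point of `reader_footprint` is the audit question to ask of any line reader that takes a length and terminates the result: whether the caller's limit already reserves the terminator byte, or the callee subtracts one before copying. ASan, which the post names as the tool that surfaced these bugs, reports exactly this kind of one-byte stack write when the unchecked form is fuzzed.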

All issues were found with the help of american fuzzy lop and address
sanitizer.

https://lists.debian.org/debian-security-announce/2015/msg00312.html
Debian has published the advisory DSA 3407-1. Fixed packages for both
stable (Jessie) and oldstable (Wheezy) have been published.

http://www.ubuntu.com/usn/usn-2820-1/
Ubuntu has published the advisory USN-2820-1. Fixed packages for Ubuntu
15.10, 15.04 and the LTS versions 14.04 and 12.04 have been published.

All users of Ubuntu, Debian and other dpkg/apt-based distributions
should update.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42

