
List:       oss-security
Subject:    [oss-security] Re: paps: heap overflow when processing crafted file
From:       cve-assign () mitre ! org
Date:       2016-07-29 20:43:37
Message-ID: 20160729204337.9530672E027 () smtpvbsrv1 ! mitre ! org


> The bug comes from the fuzzer, which did not pass an empty file.
> Later, I discovered that an empty file has the same behaviour as
> the crafted one.
> 
> In other words:
> - The same crash happens for the empty and the crafted file.
> - The patch covers both cases (when the file is empty and when it
> contains random data).

Right, the file does not need to be empty (file length of zero), but
inbuf->len needs to end up being zero, which means that the g_iconv
calls produce zero output bytes for every line of the input file.
After the buffer under-read, if there isn't a crash, the return value
of read_file can be the empty string, which wasn't intended to be a
possible return value. However, we haven't seen information indicating
that this causes a security problem in later code. This is a
command-line program, and the available information is that there is
sometimes a non-exploitable crash when operating on an invalid file.
For now, we are categorizing this as an inconvenience to the user, not
a vulnerability: there is no CVE ID.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
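Added example (not code from paps or from anyone in this thread), in C with a hypothetical stand-in for the g_iconv step: it models the condition the reply describes, a converter that legitimately emits zero output bytes for a non-empty file, and shows the length guard a read_file-style routine needs before it indexes buf[len - 1]. All function names and the sample input are constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define OUT_CAP 256

enum read_status { READ_OK = 0, READ_EMPTY_OUTPUT = 1 };

/* Hypothetical stand-in for the g_iconv step: keeps printable ASCII and
 * newlines, drops every other byte. A file made only of non-convertible
 * bytes (or an empty file) therefore converts to ZERO output bytes, which
 * is the situation the thread discusses. */
static size_t convert_bytes(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len && n < out_cap; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\n' || (c >= 0x20 && c < 0x7f))
            out[n++] = (char)c;
    }
    return n;
}

/* Convert an in-memory file and trim trailing newlines. The `len > 0`
 * guard is the point: out[len - 1] is only a valid index when len is
 * non-zero; without it a zero-length result reads the byte before the
 * buffer (the under-read described above). */
static enum read_status read_file_checked(const char *data, size_t data_len,
                                          char *out, size_t out_cap, size_t *out_len)
{
    size_t len = convert_bytes(data, data_len, out, out_cap - 1);
    while (len > 0 && out[len - 1] == '\n')   /* guard before indexing */
        len--;
    out[len] = '\0';
    *out_len = len;
    /* Report zero output as its own outcome instead of returning "". */
    return len == 0 ? READ_EMPTY_OUTPUT : READ_OK;
}

/* Helpers that return only the status or the converted length. */
static int status_for(const char *data, size_t data_len)
{
    char buf[OUT_CAP]; size_t n;
    return (int)read_file_checked(data, data_len, buf, sizeof buf, &n);
}
static size_t length_for(const char *data, size_t data_len)
{
    char buf[OUT_CAP]; size_t n;
    read_file_checked(data, data_len, buf, sizeof buf, &n);
    return n;
}

int main(void)
{
    static const char crafted[] = "\x80\xff\xfe\x01\n";   /* constructed sample */
    printf("empty file   -> status %d\n", status_for("", 0));
    printf("crafted file -> status %d\n", status_for(crafted, sizeof crafted - 1));
    printf("normal file  -> status %d, %zu bytes\n",
           status_for("hello\n", 6), length_for("hello\n", 6));
    return 0;
}
```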