On Sun, Mar 26, 2017 at 09:37:32PM +0200, Salvatore Bonaccorso wrote:
> Source: libplist
> Version: 1.12+git+1+e37ca00-0.1
> Severity: important
> Tags: security patch upstream
> Forwarded: https://github.com/libimobiledevice/libplist/issues/98
>
> Hi,
>
> the following vulnerability was published for libplist.
>
> CVE-2017-6438[0]:
> | Heap-based buffer overflow in the parse_unicode_node function in
> | bplist.c in libimobiledevice libplist 1.12 allows local users to cause
> | a denial of service (out-of-bounds write) and possibly code execution
> | via a crafted plist file.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-6438
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6438
> [1] https://github.com/libimobiledevice/libplist/issues/98
>
> Please adjust the affected versions in the BTS as needed.

Confirmed as well via the reproducer for the newest version in sid
(1.12+git+1+e37ca00-0.1):

==16332==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5800750 at pc 0xb71620d5 bp 0xbf8ffe48 sp 0xbf8ffe3c
WRITE of size 2 at 0xb5800750 thread T0
    #0 0xb71620d4 in parse_unicode_node src/bplist.c:384
    #1 0xb716580a in parse_bin_node src/bplist.c:679
    #2 0xb716676f in parse_bin_node_at_index src/bplist.c:759
    #3 0xb71634f5 in parse_dict_node src/bplist.c:461
    #4 0xb7165a1a in parse_bin_node src/bplist.c:701
    #5 0xb716676f in parse_bin_node_at_index src/bplist.c:759
    #6 0xb7166de0 in plist_from_bin src/bplist.c:853
    #7 0x804952a in main tools/plistutil.c:150
    #8 0xb6f92275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #9 0x8048ac0 (/root/libplist-1.12+git+1+e37ca00/tools/.libs/plistutil+0x8048ac0)

0xb5800751 is located 0 bytes to the right of 1-byte region [0xb5800750,0xb5800751)
allocated by thread T0 here:
    #0 0xb7239194 in malloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xbe194)
    #1 0xb7161f97 in parse_unicode_node src/bplist.c:377
    #2 0xb716580a in parse_bin_node src/bplist.c:679
    #3 0xb716676f in parse_bin_node_at_index src/bplist.c:759
    #4 0xb71634f5 in parse_dict_node src/bplist.c:461
    #5 0xb7165a1a in parse_bin_node src/bplist.c:701
    #6 0xb716676f in parse_bin_node_at_index src/bplist.c:759
    #7 0xb7166de0 in plist_from_bin src/bplist.c:853
    #8 0x804952a in main tools/plistutil.c:150
    #9 0xb6f92275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/bplist.c:384 in parse_unicode_node
Shadow bytes around the buggy address:
  0x36b00090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36b000e0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 00 04
  0x36b000f0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x36b00100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b00110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b00120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b00130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16332==ABORTING

Regards,
Salvatore
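The sanitizer trace above shows a 1-byte heap allocation at bplist.c:377 followed by a 2-byte write at bplist.c:384, i.e. the buffer for a UTF-16 string node was sized smaller than what gets stored into it. As an added illustration of the checks a length-prefixed UTF-16 node reader needs before allocating and copying (this is not libplist's code and not the upstream fix; the function names, the big-endian layout and the `count`/`avail` parameters are assumptions made for the example):

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical bounded reader for a UTF-16BE string node (not libplist's
 * parse_unicode_node). `in` points at the first code unit, `avail` is the
 * number of input bytes still readable from there and `count` is the number
 * of 16-bit code units declared by the node header (untrusted input).
 * Returns a NUL-terminated array of count+1 uint16_t, or NULL if the
 * declared size cannot be honoured. The caller frees the result.
 *
 * The bug class seen in the ASan trace is sizing the buffer in the wrong
 * unit (e.g. malloc(count) for count 16-bit elements) and then storing
 * uint16_t values into it; the checks below size everything in elements.
 */
uint16_t *parse_utf16_node_checked(const uint8_t *in, size_t avail, uint64_t count)
{
    /* 1. count * 2 bytes (plus the terminator) must not wrap size_t. */
    if (count > SIZE_MAX / sizeof(uint16_t) - 1)
        return NULL;
    size_t nbytes = (size_t)count * sizeof(uint16_t);

    /* 2. The declared length must be covered by the bytes actually present;
     *    otherwise the copy loop would read past the end of the input. */
    if (in == NULL || nbytes > avail)
        return NULL;

    /* 3. Allocate in units of the element type, with room for a terminator. */
    uint16_t *out = calloc((size_t)count + 1, sizeof(uint16_t));
    if (out == NULL)
        return NULL;

    /* 4. Decode big-endian code units; i < count keeps every store in bounds. */
    for (size_t i = 0; i < (size_t)count; i++)
        out[i] = (uint16_t)(((uint16_t)in[2 * i] << 8) | in[2 * i + 1]);
    out[count] = 0;
    return out;
}

/* Convenience wrapper: 1 if the node was accepted, 0 if it was rejected. */
int utf16_node_accepted(const uint8_t *in, size_t avail, uint64_t count)
{
    uint16_t *s = parse_utf16_node_checked(in, avail, count);
    if (s == NULL)
        return 0;
    free(s);
    return 1;
}

int main(void)
{
    /* Constructed sample input: "Hi" as UTF-16BE, 4 bytes for 2 code units. */
    const uint8_t hi[] = { 0x00, 0x48, 0x00, 0x69 };
    printf("count=2 avail=4: %s\n", utf16_node_accepted(hi, sizeof hi, 2) ? "ok" : "rejected");
    printf("count=3 avail=4: %s\n", utf16_node_accepted(hi, sizeof hi, 3) ? "ok" : "rejected");
    printf("count=UINT64_MAX: %s\n", utf16_node_accepted(hi, sizeof hi, UINT64_MAX) ? "ok" : "rejected");
    return 0;
}
```

The three checks are ordered so that the cheapest rejections come first: an absurd element count never reaches the allocator, a count that exceeds the remaining input never reaches the copy loop, and the allocation itself is expressed in elements rather than bytes so the unit mismatch behind a 1-byte region receiving a 2-byte write cannot arise. Building with `-fsanitize=address`, as in the trace above, is the natural way to confirm that a reader of this shape stays in bounds on a corpus of malformed inputs.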