On Sun, Mar 26, 2017 at 09:38:20PM +0200, Salvatore Bonaccorso wrote:
> Source: libplist
> Version: 1.12+git+1+e37ca00-0.1
> Severity: important
> Forwarded: https://github.com/libimobiledevice/libplist/issues/100
>
> Hi,
>
> the following vulnerability was published for libplist.
>
> CVE-2017-6437[0]:
> | The base64encode function in base64.c in libimobiledevice libplist
> | 1.12 allows local users to cause a denial of service (out-of-bounds
> | read) via a crafted plist file.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-6437
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437
> [1] https://github.com/libimobiledevice/libplist/issues/100
>
> Please adjust the affected versions in the BTS as needed.
Additionally confirmed by running the reproducer (against the newest version in sid):

==16290==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5900791 at pc 0xb71e2c2a bp 0xbfdc04a8 sp 0xbfdc049c
READ of size 1 at 0xb5900791 thread T0
    #0 0xb71e2c29 in base64encode src/base64.c:58
    #1 0xb71ea5c7 in node_to_xml src/xplist.c:303
    #2 0xb71eb2e4 in plist_to_xml src/xplist.c:408
    #3 0x804954a in main tools/plistutil.c:151
    #4 0xb7024275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #5 0x8048ac0 (/root/libplist-1.12+git+1+e37ca00/tools/.libs/plistutil+0x8048ac0)

0xb5900791 is located 0 bytes to the right of 1-byte region [0xb5900790,0xb5900791)
allocated by thread T0 here:
    #0 0xb72cb194 in malloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xbe194)
    #1 0xb71f44c2 in parse_data_node src/bplist.c:408
    #2 0xb71f7671 in parse_bin_node src/bplist.c:661
    #3 0xb71f876f in parse_bin_node_at_index src/bplist.c:759
    #4 0xb71f8de0 in plist_from_bin src/bplist.c:853
    #5 0x804952a in main tools/plistutil.c:150
    #6 0xb7024275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/base64.c:58 in base64encode
==16290==ABORTING

Regards,
Salvatore
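The ASan report above shows a 1-byte read just past a 1-byte heap region inside a base64 encoder, which is the classic failure mode of an encoder that handles the trailing 1- or 2-byte group by reading whole 3-byte triples. The following is an added example, not libplist's code: a base64 encoder whose tail handling only touches bytes that exist, with the function name safe_base64encode assumed for illustration.

```c
/* Added example (not libplist code): base64 encoder that never reads past
 * the end of its input, even when inlen is not a multiple of 3. The
 * function name is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Returns a newly allocated NUL-terminated string (caller frees), or NULL
 * if the output size would overflow or allocation fails. The encoded
 * length, excluding the NUL, is stored in *outlen when outlen is non-NULL. */
char *safe_base64encode(const unsigned char *in, size_t inlen, size_t *outlen)
{
    /* Guard the size arithmetic: 4 output chars per 3 input bytes, plus NUL. */
    if (inlen > SIZE_MAX / 4 * 3 - 3)
        return NULL;
    size_t olen = ((inlen + 2) / 3) * 4;
    char *out = malloc(olen + 1);
    if (!out)
        return NULL;

    size_t i = 0, o = 0;
    /* Full 3-byte groups: the loop condition guarantees i+2 < inlen. */
    for (; i + 3 <= inlen; i += 3) {
        unsigned v = (unsigned)in[i] << 16 | (unsigned)in[i + 1] << 8 | in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
    }
    /* Tail of 1 or 2 bytes: read only the bytes that exist, pad with '='.
     * This is the case a 1-byte allocation exercises. */
    size_t rem = inlen - i;
    if (rem) {
        unsigned v = (unsigned)in[i] << 16;
        if (rem == 2)
            v |= (unsigned)in[i + 1] << 8;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (rem == 2) ? B64[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    if (outlen)
        *outlen = o;
    return out;
}
```

Compiling a caller with -fsanitize=address and feeding it a 1-byte heap buffer is the same check the report above performs; this encoder produces "QQ==" for the single byte 'A' without touching the byte after it.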