Hi Markus,

On Mon, Dec 04, 2017 at 09:56:27PM +0100, Markus Koschany wrote:
> On 04.12.2017 at 20:53, Salvatore Bonaccorso wrote:
> > Hi
> >
> > On Mon, Dec 04, 2017 at 08:27:13PM +0100, Salvatore Bonaccorso wrote:
> >> Hi Markus,
> >>
> >> On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
> >>> Package: src:libextractor
> >>> Version: 1:1.6-1
> >>> Severity: important
> >>> Tags: security
> >>>
> >>> Hi,
> >>>
> >>> while I was working on the security update for Wheezy I discovered
> >>> that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
> >>> and CVE-2017-15602. I could reproduce two segmentation faults with the
> >>> provided POCs. They are attached to the upstream bug report:
> >>>
> >>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
> >>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
> >>>
> >>> Just run "extract -i $POC"
> >>>
> >>> I'm attaching my gdb log files to this bug report.
> >>
> >> Since the issues happen in different places from the original reports,
> >> can you request two new CVEs for those issues?
> >>
> >> So for tracking purposes these are two newly raised issues, different
> >> from CVE-2017-15600 and CVE-2017-15602, and would possibly require two
> >> new ones. Can you as well report it to upstream in case Bertrand
> >> cannot chime in?
> >>
> >> In case not, let me know, and I can take care of it tomorrow.
> >
> > Interestingly, the issues you describe do not seem triggerable with a
> > fresh build of 1.6 in sid (with --enable-shared=no,
> > --enable-static=yes with -O0).
> >
> > sid:~/libextractor-1.6# ./src/main/extract -i ~/1338044
> > Keywords for file /root/1338044:
> > sid:~/libextractor-1.6# ./src/main/extract -i ~/bin_6iRW3tXve.bin
> > Keywords for file /root/bin_6iRW3tXve.bin:
> > sid:~/libextractor-1.6#
> >
> > and neither with current HEAD (6c70420641fc1d081bcecf323671ca169b13a129).
> >
> > It is though with the Debian package (re)build. What is different?
>
> I can still reproduce it when I rebuild the package. If you disable
> optimization with -O0 some compiler behaviors will change. I don't know
> the details but what is undefined behavior with -O2 is somehow OK with
> -O0. I just wanted to forward this upstream but if you say that it is
> not reproducible with upstream HEAD, it's probably pointless.

Well, I need to investigate that further and properly. It was just a
quick ASAN build of the current head. From my reply in
https://bugs.debian.org/883528#20 it might actually be that the second
issue is not an upstream one but.

Please note that I mistyped the CVEs.

> Maybe we should wait for the next release which will also fix
> CVE-2017-15922 or Bertrand could package the latest Git snapshot?

Yes, for CVE-2017-15922 either works: cherry-pick the commit, wait for
the new upstream release or package the latest git snapshot.

> Shall I remove the fixed versions for both CVEs in the security tracker?

Please don't. The first issue is actually a different one (happening
with the same reproducer as for CVE-2017-15600, but in a different
place, unless I'm completely mistaken). So CVE-2017-15600 should be kept
associated with the 38e8933539ee9d044057b18a971c2eae3c21aba7 commit, and
your finding should be tracked as a separate issue.

For the issue reproduced with the CVE-2017-15602-reproducing file: after
being fixed with ffab889c1710c7646af9ed360c796a2a0a619efc it triggers a
new issue, which is possibly in libgm or libavformat.so/ffmpeg. So I'm
still not sure if the uncovered issue is in src:libextractor. See the
ASAN traces from https://bugs.debian.org/883528#20

Thanks for your work on the libextractor update and triaging.

Salvatore
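The thread turns on the same reproducer crashing under the Debian (-O2) package build but not under a -O0 or ASAN build of the same source. The following is an added shell helper, not part of this bug report or of libextractor, that runs `extract -i POC` under several builds and classifies how each run ended, so the builds can be compared side by side; the build directory names and the configure flag sets in the comments are assumptions.

```shell
#!/bin/sh
# Added triage helper, not part of the bug report or of libextractor.
# It runs `extract -i POC` under one or more builds of the same source
# and reports how each run ended, so a crash that shows up only at -O2
# (as in the thread) is visible next to the -O0 and ASAN results.
#
# Assumed build layout (each directory is a separately configured tree):
#   build-O0:   ./configure --enable-shared=no --enable-static=yes CFLAGS="-O0 -g"
#   build-O2:   ./configure --enable-shared=no --enable-static=yes CFLAGS="-O2 -g"
#   build-asan: ./configure --enable-shared=no --enable-static=yes \
#                 CFLAGS="-O1 -g -fsanitize=address" LDFLAGS="-fsanitize=address"

# run_poc BIN POC -> prints one of: ok | segv | abort | asan | exit:N
run_poc() {
    bin=$1
    poc=$2
    rc=0
    # Give ASAN a distinctive exit code so a sanitizer report is not
    # confused with an ordinary non-zero exit of the extractor.
    # The `|| rc=$?` form keeps this safe under `set -e`.
    out=$(ASAN_OPTIONS="exitcode=99:abort_on_error=0" "$bin" -i "$poc" 2>&1) || rc=$?
    case $rc in
        0)   echo ok ;;
        99)  echo asan ;;
        139) echo segv ;;   # 128 + SIGSEGV(11): the "segmentation fault" case
        134) echo abort ;;  # 128 + SIGABRT(6): assert()/glibc abort
        *)
            # Fallback: an ASAN report that exited with some other code.
            case $out in
                *AddressSanitizer*) echo asan ;;
                *)                  echo "exit:$rc" ;;
            esac ;;
    esac
}

# compare_builds POC BUILDDIR... -> one "<builddir><TAB><result>" line per build
compare_builds() {
    poc=$1
    shift
    for d in "$@"; do
        printf '%s\t%s\n' "$d" "$(run_poc "$d/src/main/extract" "$poc")"
    done
}

# Usage: triage.sh POC BUILDDIR...   (does nothing when run without args)
if [ $# -ge 2 ]; then
    compare_builds "$@"
fi
```

A result that is `ok` at -O0 but `segv` at -O2 for the same file and commit points at undefined behaviour rather than a build-specific defect; the ASAN build then usually shows where the bad access happens.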