Hi,

On Tue, Dec 07, 2021 at 12:29:20AM +0100, Bastian Germann wrote:
> On 07.12.21 00:22, yokota wrote:
> > Hi,
> >
> > > stretch is vulnerable (test case; misleading min. version in CVE
> > > description) and bullseye is
> > > vulnerable according to the CVE description.
> >
> > Do we need unrar-nonfree 6.0.4 for stretch/bullseye?
> > I can make stretch/bullseye-update package for next point release.
> >
>
> I have just run the test on 6.0.3 and it also seems to be fine.
> So either the test case or the CVE description is bad.
> Since qopen.cpp is modified in 5.6.6 and not 6.0.4 I guess the CVE
> description is bad.
>
> For stretch, you would have to provide a patch based on the 5.6.6 change.
So I did a 'bisect' with the binary package builds, and the following
seems to support the above that 5.6.6 might be the right version:

With 1:5.5.8-1

$ ./CVE-2018-25018.sh

UNRAR 5.50 freeware      Copyright (c) 1993-2017 Alexander Roshal

Corrupt header is found
Corrupt header is found
Corrupt header is found
QO - the file header is corrupt
Main archive header is corruptSegmentation fault
Exit status: 139

With 1:5.6.6-1

./CVE-2018-25018.sh

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal

Corrupt header is found
Corrupt header is found
Corrupt header is found
QO - the file header is corrupt
Main archive header is corrupt
Corrupt header is found
QO - the file header is corrupt
Corrupt header is found
Corrupt header is found

Testing archive ./9845.rar
Corrupt header is found
QO - the file header is corrupt
Corrupt header is found
Corrupt header is found
No files to extract
Exit status: 3

Double-checking with an ASAN build:

./unrar t /build/9845.rar

UNRAR 5.50 freeware      Copyright (c) 1993-2017 Alexander Roshal

Corrupt header is found
Corrupt header is found
Corrupt header is found
QO - the file header is corrupt
Main archive header is corrupt=================================================================
==22781==ERROR: AddressSanitizer: negative-size-param: (size=-65491)
    #0 0x7f1e303eaa1f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x5a844c  (/build/unrar-nonfree-5.5.8/unrar+0x5a844c)
    #2 0x5a8c7d  (/build/unrar-nonfree-5.5.8/unrar+0x5a8c7d)
    #3 0x5a91c9  (/build/unrar-nonfree-5.5.8/unrar+0x5a91c9)
    #4 0x42f23b  (/build/unrar-nonfree-5.5.8/unrar+0x42f23b)
    #5 0x472d34  (/build/unrar-nonfree-5.5.8/unrar+0x472d34)
    #6 0x44fcea  (/build/unrar-nonfree-5.5.8/unrar+0x44fcea)
    #7 0x457601  (/build/unrar-nonfree-5.5.8/unrar+0x457601)
    #8 0x435c0d  (/build/unrar-nonfree-5.5.8/unrar+0x435c0d)
    #9 0x4e16be  (/build/unrar-nonfree-5.5.8/unrar+0x4e16be)
    #10 0x4e3999  (/build/unrar-nonfree-5.5.8/unrar+0x4e3999)
    #11 0x5756ae  (/build/unrar-nonfree-5.5.8/unrar+0x5756ae)
    #12 0x40e798  (/build/unrar-nonfree-5.5.8/unrar+0x40e798)
    #13 0x7f1e2f516e49 in __libc_start_main ../csu/libc-start.c:314
    #14 0x40f649  (/build/unrar-nonfree-5.5.8/unrar+0x40f649)

0x6310000247d4 is located 65492 bytes inside of 65536-byte region [0x631000014800,0x631000024800)
allocated by thread T0 here:
    #0 0x7f1e30461097 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
    #1 0x5a4551  (/build/unrar-nonfree-5.5.8/unrar+0x5a4551)
    #2 0x42b81d  (/build/unrar-nonfree-5.5.8/unrar+0x42b81d)
    #3 0x4e14cd  (/build/unrar-nonfree-5.5.8/unrar+0x4e14cd)
    #4 0x4e3999  (/build/unrar-nonfree-5.5.8/unrar+0x4e3999)
    #5 0x5756ae  (/build/unrar-nonfree-5.5.8/unrar+0x5756ae)
    #6 0x40e798  (/build/unrar-nonfree-5.5.8/unrar+0x40e798)
    #7 0x7f1e2f516e49 in __libc_start_main ../csu/libc-start.c:314

SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
==22781==ABORTING

Next I have not tried to isolate the change between 5.8.8 and 5.6.6, but
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845#c4 supports
that the first fixed version is 5.6.6, for the further fuzzing 5.6.8 was
applied via the pull request.

Regards,
Salvatore
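Added example, not part of the thread or of the unrar package: a small POSIX sh harness for the kind of version walk done above. It runs one test command per already-built version and classifies the result by exit status (139 = killed by SIGSEGV, as in the 5.5.8 run; any other status counts as "survived the corrupt archive"), then reports the first version that does not crash. The test command is a caller-supplied template that sees the version in `UNRAR_VERSION`; how each version's binary is installed is outside the harness.

```shell
#!/bin/sh
# classify_status STATUS: map a shell exit status to a label. A status of
# 128+N means the child died from signal N; 139 is SIGSEGV (the crash in
# the thread), 134 is SIGABRT. Non-signal failures are reported as-is.
classify_status() {
  case "$1" in
    0)   echo "ok" ;;
    139) echo "crash:SIGSEGV" ;;
    134) echo "crash:SIGABRT" ;;
    *)   if [ "$1" -gt 128 ]; then
           echo "crash:signal$(( $1 - 128 ))"
         else
           echo "nonzero:$1"
         fi ;;
  esac
}

# run_version VERSION TEST_CMD: run TEST_CMD (a shell snippet) with
# UNRAR_VERSION set, discard its output, and print the classification.
# The "|| status=$?" form keeps this safe under "set -e".
run_version() {
  status=0
  UNRAR_VERSION="$1" sh -c "$2" >/dev/null 2>&1 || status=$?
  classify_status "$status"
}

# first_clean_version TEST_CMD VERSION...: walk the versions in the order
# given (oldest first) and print the first one whose test does not crash.
# Prints "none" and returns 1 if every version crashes.
first_clean_version() {
  cmd=$1; shift
  for v in "$@"; do
    case "$(run_version "$v" "$cmd")" in
      crash:*) ;;                     # still crashing, keep walking
      *) echo "$v"; return 0 ;;
    esac
  done
  echo "none"; return 1
}

# Constructed stand-in for a real test command (hypothetical): it crashes
# with SIGSEGV for the versions listed, and exits 3 otherwise, mirroring
# the exit statuses reported in the thread.
demo_cmd='case "$UNRAR_VERSION" in 5.5.8|5.6.5) kill -SEGV $$ ;; *) exit 3 ;; esac'
```

Invoked as `first_clean_version "$demo_cmd" 5.5.8 5.6.5 5.6.6 6.0.3`, the constructed stand-in yields `5.6.6`; with real binaries the template would run the installed `unrar` of that version against the test archive instead.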