Package: dumpasn1
Version: 20030222-2
Severity: normal

Hi,

It is possible to cause an off-by-one overflow in the ASN1_Item structure by 
causing:
item->header[ i + index ] = ch;

to write to position 8 of the header by causing i+index to equal 8.

This is the file used:


As the corruption is very small, it appears to be non-exploitable.

Proposed patch:
for( i = 0; i < length && i + index < sizeof(item->header); i++ )

Instead of the existing test.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.16
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dumpasn1 depends on:
ii  libc6                         2.5-9+b1   GNU C Library: Shared libraries

dumpasn1 recommends no packages.

-- no debconf information
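
The effect of the loop condition proposed in the report, as an added example (not code from dumpasn1 or from the reporter): the same copy loop is run with and without the `i + index < sizeof(header)` clamp over a small model buffer. Assumptions: the header is 8 bytes (inferred from "position 8" being the overflow), the existing test is taken to be `i < length` alone since the report does not quote it, and `MODEL`, `copy_loop`, `bytes_stored` and `guard_overwritten` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

enum { HEADER_SIZE = 8, GUARD = 0xA5 };   /* 8 is inferred from the report */

/* Constructed model: mem[0..7] stands for item->header, mem[8] for the
   byte that follows it in memory. */
typedef struct { unsigned char mem[HEADER_SIZE + 1]; } MODEL;

/* Constructed input bytes, not the file from the report. */
static const unsigned char SRC[HEADER_SIZE + 1] = { 1, 2, 3, 4, 5, 6, 7, 8, 9 };

/* Run the copy loop; bounded != 0 selects the condition proposed in the
   report, bounded == 0 the assumed length-only condition.
   Returns the number of bytes stored. */
static size_t copy_loop(MODEL *m, size_t index, size_t length, int bounded)
{
    size_t i;
    for (i = 0; i < length && (!bounded || i + index < HEADER_SIZE); i++) {
        if (i + index >= sizeof m->mem)   /* keep the demo itself in bounds */
            break;
        m->mem[i + index] = SRC[i];
    }
    return i;
}

/* Number of bytes the loop stores for a given index/length. */
size_t bytes_stored(size_t index, size_t length, int bounded)
{
    MODEL m;
    memset(m.mem, 0, sizeof m.mem);
    return copy_loop(&m, index, length, bounded);
}

/* 1 if the byte just past the header was overwritten, else 0. */
int guard_overwritten(size_t index, size_t length, int bounded)
{
    MODEL m;
    memset(m.mem, 0, sizeof m.mem);
    m.mem[HEADER_SIZE] = GUARD;
    copy_loop(&m, index, length, bounded);
    return m.mem[HEADER_SIZE] != GUARD;
}

int main(void)
{
    printf("length-only: guard overwritten = %d\n", guard_overwritten(4, 5, 0));
    printf("bounded:     guard overwritten = %d\n", guard_overwritten(4, 5, 1));
    return 0;
}
```

With the clamp the loop stops silently at the end of the header, so a caller that needs to know the encoding was truncated has to compare the returned count against `length`.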

