On October 14, 2017 21:43, Ying-Chun Liu (PaulLiu) wrote:
> Hi Salvatore,
> 
> How to reproduce your bug?
> 
> I'm currently using valgrind with the rar file you provided, and found
> that there are some unconditional jumps based on some uninit value. Please
> see the attachment [1].
> 
> After fixing that [2], valgrind is happy now without any errors.
> Not sure if this is related to this bug.
> 
> Attaching the autopkgtest scripts [3] for testing the package.
> 
> If this looks good for you I'll upload this soon.
> 
> [1] val_log1.txt
> [2] 0002-CVE-2017-14122.patch
> [3] 0003-CVE-2017-14122
> 
> Yours Sincerely,
> Paul
> 

I'm not quite familiar with how to use asan. Need some instructions.

But here are some relations:

In the bug report:
==2585==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff76184120 at pc 0x000000445d25 bp 0x7fff76183ef0 sp 0x7fff761836a0
READ of size 519 at 0x7fff76184120 thread T0
    #0 0x445d24 in __interceptor_strchr.part.33
(/r/unrar-gpl/unrar+0x445d24)
    #1 0x516d0d in stricomp /f/unrar-gpl/unrar/src/unrarlib.c:851:19
    #2 0x511613 in ExtrFile /f/unrar-gpl/unrar/src/unrarlib.c:745:20
    #3 0x510b02 in urarlib_get /f/unrar-gpl/unrar/src/unrarlib.c:303:13
    #4 0x50b249 in unrar_extract_file /f/unrar-gpl/unrar/src/unrar.c:343:8
    #5 0x50be32 in unrar_extract /f/unrar-gpl/unrar/src/unrar.c:483:9
    #6 0x50c69c in main /f/unrar-gpl/unrar/src/unrar.c:556:14
    #7 0x7f632d3834f0 in __libc_start_main (/lib64/libc.so.6+0x204f0)
    #8 0x419e19 in _start (/r/unrar-gpl/unrar+0x419e19)

And in the valgrind output, there is:
==4627== Conditional jump or move depends on uninitialised value(s)
==4627==    at 0x4C2F405: __strncpy_sse2_unaligned (vg_replace_strmem.c:552)
==4627==    by 0x10C7DB: strncpy (string3.h:126)
==4627==    by 0x10C7DB: stricomp (unrarlib.c:852)
==4627==    by 0x10E6D9: ExtrFile (unrarlib.c:745)
==4627==    by 0x10EA7B: urarlib_get (unrarlib.c:303)
==4627==    by 0x10A70F: unrar_extract_file (unrar.c:343)
==4627==    by 0x10AA03: unrar_extract (unrar.c:487)
==4627==    by 0x109CB4: main (unrar.c:561)

Seems to be just the same place.

Yours Sincerely,
Paul

-- 
                                PaulLiu (劉穎駿)
E-mail: Ying-Chun Liu (PaulLiu) <paul...@debian.org>
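As an added example (not unrar-gpl's code, and not from Paul or Salvatore), here is a hypothetical stand-in for a stricomp()-style compare that models the bug class both traces point at: a stack buffer filled by strncpy() without a terminator and then scanned by strchr(), beside a bounded version that rejects over-long names. NAME_MAX_LEN, the function names and the back-slash rewriting are assumptions, not details of the real code.

```c
#include <ctype.h>
#include <string.h>

#define NAME_MAX_LEN 260  /* constructed buffer size, not unrar-gpl's */

/* Rewrite '\' to '/' in place. strchr() scans until it finds '\' or NUL,
 * so on a buffer with no NUL it keeps reading past the end. */
static void slashes_forward(char *s)
{
    for (char *p = strchr(s, '\\'); p != NULL; p = strchr(p + 1, '\\'))
        *p = '/';
}
static int lowercase_compare(const char *a, const char *b)
{
    for (;; a++, b++) {
        int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);
        if (d != 0 || *a == '\0')
            return d;
    }
}

/* Unsafe (hypothetical): strncpy() leaves n1/n2 unterminated when the input
 * is >= NAME_MAX_LEN bytes, and strchr() then reads off the end of the stack
 * buffer. ASan reports that as a stack-buffer-overflow READ inside strchr;
 * valgrind flags the untouched bytes as uninitialised, as in the traces. */
int stricomp_unsafe(const char *s1, const char *s2)
{
    char n1[NAME_MAX_LEN], n2[NAME_MAX_LEN];
    strncpy(n1, s1, NAME_MAX_LEN);
    strncpy(n2, s2, NAME_MAX_LEN);
    slashes_forward(n1);
    slashes_forward(n2);
    return lowercase_compare(n1, n2);
}

/* Hardened: look for the terminator within the buffer bound first; an
 * over-long or unterminated name is reported as a mismatch instead of
 * being scanned past the buffer, and the copy always carries the NUL. */
int stricomp_safe(const char *s1, const char *s2)
{
    char n1[NAME_MAX_LEN], n2[NAME_MAX_LEN];
    const char *e1 = memchr(s1, '\0', NAME_MAX_LEN);
    const char *e2 = memchr(s2, '\0', NAME_MAX_LEN);
    if (e1 == NULL || e2 == NULL)
        return 1;
    memcpy(n1, s1, (size_t)(e1 - s1) + 1);
    memcpy(n2, s2, (size_t)(e2 - s2) + 1);
    slashes_forward(n1);
    slashes_forward(n2);
    return lowercase_compare(n1, n2);
}
```

Building the stand-in with -fsanitize=address and passing stricomp_unsafe() a name of 260 or more bytes reproduces the same report class as the trace above; stricomp_safe() never reads beyond NAME_MAX_LEN.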
