[Bug 1931709] [NEW] mysql-5.7.34 segfault in net_field_length_size

2021-06-11 Thread Bugs SysSec
Public bug reported:

Steps to reproduce this bug (see files attached):

```
$ cat /etc/os-release | grep VERSION=
VERSION="18.04.5 LTS (Bionic Beaver)"
$ mysql --version
mysql  Ver 14.14 Distrib 5.7.34, for Linux (x86_64) using  EditLine wrapper
$ python server_output.py | nc -vvvlp 3306 &
$ mysql --ssl-mode=DISABLED -h 127.0.0.1 -u root --password=root < stdin.txt
[...]
Segmentation fault (core dumped)
```

ASAN log of crash:
```
ASAN:DEADLYSIGNAL
=================================================================
==141==ERROR: AddressSanitizer: SEGV on unknown address 0x2bf27fffa12e (pc 0x004eac0d bp 0x7fffbf34db50 sp 0x7fffbf34d7e8 T0)
==141==The signal is caused by a READ memory access.
    #0 0x4eac0c in net_field_length_size /tmp/deb-src/mysql-5.7-5.7.34/sql-common/pack.c:198
    #1 0x4a8b40 in net_field_length_ll_safe /tmp/deb-src/mysql-5.7-5.7.34/sql-common/client.c:725
    #2 0x4a8b40 in read_ok_ex /tmp/deb-src/mysql-5.7-5.7.34/sql-common/client.c:823
    #3 0x4adfd2 in cli_read_query_result /tmp/deb-src/mysql-5.7-5.7.34/sql-common/client.c:4989
    #4 0x4b2b77 in mysql_real_query /tmp/deb-src/mysql-5.7-5.7.34/sql-common/client.c:5068
    #5 0x40d11d in server_version_string /tmp/deb-src/mysql-5.7-5.7.34/client/mysql.cc:5340
    #6 0x4075c8 in main /tmp/deb-src/mysql-5.7-5.7.34/client/mysql.cc:1357
    #7 0x7f42ceed0bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #8 0x4093a9 in _start (/mnt/mysql-asan+0x4093a9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/deb-src/mysql-5.7-5.7.34/sql-common/pack.c:198 in net_field_length_size
==141==ABORTING
```

** Affects: mysql-5.7 (Ubuntu)
 Importance: Undecided
 Status: New

** Attachment added: "mysql-SEGV-net_field_length_size.zip"
   https://bugs.launchpad.net/bugs/1931709/+attachment/5504089/+files/mysql-SEGV-net_field_length_size.zip

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1931709

Title:
  mysql-5.7.34 segfault in net_field_length_size

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1931709/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
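The crash above is in the client-side decoding of a MySQL protocol length-encoded integer (the field `net_field_length_size` sizes), triggered by a packet from a rogue server. As an added example, not MySQL's code and not from the report, here is a bounds-checked reader for that encoding: it derives the total size from the prefix byte and refuses to touch any payload byte unless the packet really has that many bytes left. The encoding assumed is the documented wire format (prefix below 0xfb is the value itself, 0xfb is NULL, 0xfc/0xfd/0xfe are followed by 2/3/8 little-endian bytes, 0xff is not a length); the type and function names are constructed for this example.

```c
/* Added example (not MySQL's code): bounds-checked reader for the MySQL
 * protocol's length-encoded integer.
 *   0x00..0xfa  the byte is the value, 1 byte total
 *   0xfb        NULL marker, 1 byte total
 *   0xfc        2-byte little-endian value follows (3 bytes total)
 *   0xfd        3-byte little-endian value follows (4 bytes total)
 *   0xfe        8-byte little-endian value follows (9 bytes total)
 *   0xff        never starts a length (error packet marker)
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define LENENC_NULL 0xfb

typedef struct {
    uint64_t value;
    size_t   consumed;  /* bytes consumed from the buffer, 0 on failure */
    bool     is_null;
} lenenc_result;

/* Total encoded size implied by the prefix byte, or 0 if the prefix cannot
 * start a length-encoded integer. */
static size_t lenenc_size_from_prefix(uint8_t prefix)
{
    if (prefix < 0xfb) return 1;
    switch (prefix) {
    case 0xfb: return 1;
    case 0xfc: return 3;
    case 0xfd: return 4;
    case 0xfe: return 9;
    default:   return 0;  /* 0xff */
    }
}

/* Parse a length-encoded integer from buf[0..len). The size implied by the
 * prefix is checked against the bytes remaining BEFORE any payload byte is
 * read, so a truncated or malicious packet yields consumed == 0 instead of
 * an out-of-bounds read. */
static lenenc_result lenenc_read(const uint8_t *buf, size_t len)
{
    lenenc_result r = {0, 0, false};
    if (len == 0) return r;

    size_t need = lenenc_size_from_prefix(buf[0]);
    if (need == 0 || need > len) return r;  /* malformed or truncated */

    if (buf[0] < 0xfb) {
        r.value = buf[0];
    } else if (buf[0] == LENENC_NULL) {
        r.is_null = true;
    } else {
        uint64_t v = 0;
        for (size_t i = 1; i < need; i++)
            v |= (uint64_t)buf[i] << (8 * (i - 1));
        r.value = v;
    }
    r.consumed = need;
    return r;
}

int main(void)
{
    /* Constructed sample: a 2-byte encoded value followed by one more byte. */
    const uint8_t pkt[] = { 0xfc, 0x34, 0x12, 0x00 };
    lenenc_result r = lenenc_read(pkt, sizeof pkt);
    printf("value=%llu consumed=%zu\n", (unsigned long long)r.value, r.consumed);

    /* Same prefix, but only one of the two promised payload bytes present. */
    r = lenenc_read(pkt, 2);
    printf("truncated -> consumed=%zu (0 means rejected)\n", r.consumed);
    return 0;
}
```

The key property is that the remaining-length check happens on the prefix alone; a caller that advances through a packet by `consumed` bytes and stops on 0 can never be walked past the end of the buffer by a server-controlled prefix.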

[Bug 1830752] Re: Upstream security fixes in VirtualBox

2019-09-01 Thread Bugs SysSec
Hi,

sorry we don't have more information than provided. Oracle just noted
that it's fixed in later versions.

-- 
https://bugs.launchpad.net/bugs/1830752

[Bug 1854223] [NEW] Integer overflow causes heap corruption

2019-11-27 Thread Bugs SysSec
Public bug reported:

integer overflow leading to heap corruption in dmg2img.c
```
// +1 overflows if XMLLength = 0x
// then plist is a valid pointer to an allocation of length 0 (it can be freed, but not written to)
220 plist = (char *)malloc(kolyblk.XMLLength + 1);
221 
// plist is not zero, therefore no exit
222 if (!plist)
223 mem_overflow();
224 
225 fseeko(FIN, kolyblk.XMLOffset, SEEK_SET);
// fails to read enough, but return code is not checked
226 fread(plist, kolyblk.XMLLength, 1, FIN);
// sets the byte at plist-1 to zero, this corrupts malloc meta data
227 plist[kolyblk.XMLLength] = '\0';
228 
229 if (debug && verbose >= 3) {
230 fprintf(FDBG, "%s\n", plist);
231 }
232 char *_blkx_begin = strstr(plist, blkx_begin);
233 blkx_size = strstr(_blkx_begin, list_end) - _blkx_begin;
// because the meta data was corrupted in line 227, this segfaults.
234 blkx = (char *)malloc(blkx_size + 1);
```
Steps to reproduce:
```
apt-get source dmg2img 
cd dmg2img-1.6.7/
make
./dmg2img ../crash
```

** Affects: dmg2img (Ubuntu)
 Importance: Undecided
 Status: New

** Attachment added: "dmg2img_heap_corruption.tar"
   https://bugs.launchpad.net/bugs/1854223/+attachment/5308300/+files/dmg2img_heap_corruption.tar

-- 
https://bugs.launchpad.net/bugs/1854223

[Bug 1854230] [NEW] integer underflow causes OOB write

2019-11-27 Thread Bugs SysSec
Public bug reported:

Heap Out Of Bound Write

Similar bug to: https://bugs.launchpad.net/ubuntu/+source/dmg2img/+bug/1835461
However, this time it's the second strstr that fails and as a consequence, it
causes a more or less arbitrary OOB write.

```
char *_blkx_begin = strstr(plist, blkx_begin); // this call returns a non-null value
blkx_size = strstr(_blkx_begin, list_end) - _blkx_begin; // however, list_end is not found. blkx_size is now underflowing
blkx = (char *)malloc(blkx_size + 1);
memcpy(blkx, _blkx_begin, blkx_size); // and memcpy writes far too many bytes
```

```
apt-get source dmg2img
cd dmg2img-1.6.7/
make
./dmg2img ../crash
```

** Affects: dmg2img (Ubuntu)
 Importance: Undecided
 Status: New

** Attachment added: "dmg2img_arbitrary_OOB_write.tar"
   https://bugs.launchpad.net/bugs/1854230/+attachment/5308310/+files/dmg2img_arbitrary_OOB_write.tar

-- 
https://bugs.launchpad.net/bugs/1854230
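The two dmg2img reports above (1854223 and 1854230) describe the same extraction routine failing in two ways: the `XMLLength + 1` allocation size wrapping to zero, an unchecked `fread()`, and a `strstr()` that returns NULL feeding pointer subtraction and `memcpy()`. As an added example, not dmg2img's code and not from either report, here is a hardened form of that routine showing the checks a reviewer would ask for at each step. It operates on an in-memory image instead of a `FILE *`, and the `koly_block` struct, `extract_blkx` name, and sample plist fragment are constructed for this example.

```c
/* Added example, not dmg2img's code: hardened plist/blkx extraction.
 * Size arithmetic is checked before allocation, the read range is
 * validated against the data actually present, and every strstr()
 * result is checked before it is used in pointer arithmetic. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {        /* constructed stand-in for the koly trailer fields used */
    uint64_t XMLOffset;
    uint32_t XMLLength;
} koly_block;

/* Copy XMLLength bytes at XMLOffset out of img, NUL-terminate, then cut out
 * the span from "<key>blkx</key>" to the closing "</array>". Returns a heap
 * string the caller frees, or NULL on any malformed input. */
static char *extract_blkx(const uint8_t *img, size_t img_len, const koly_block *k)
{
    static const char blkx_begin[] = "<key>blkx</key>";
    static const char list_end[]   = "</array>";

    /* Bug 1854223: XMLLength + 1 wraps to 0 when XMLLength == UINT32_MAX, so
     * malloc() returns a zero-length block and the terminator write lands
     * outside it. Reject a length that cannot be incremented. */
    if (k->XMLLength == UINT32_MAX) return NULL;

    /* The original ignored fread()'s return value. Validate the range
     * against the image before copying anything. */
    if (k->XMLOffset > img_len || k->XMLLength > img_len - k->XMLOffset) return NULL;

    char *plist = malloc((size_t)k->XMLLength + 1);
    if (!plist) return NULL;
    memcpy(plist, img + k->XMLOffset, k->XMLLength);
    plist[k->XMLLength] = '\0';

    /* Bug 1854230: the second strstr() returned NULL and the subtraction
     * underflowed, so memcpy() wrote far past the allocation. Check both
     * results before doing arithmetic on them. */
    char *begin = strstr(plist, blkx_begin);
    if (!begin) { free(plist); return NULL; }
    char *end = strstr(begin, list_end);
    if (!end) { free(plist); return NULL; }
    size_t blkx_size = (size_t)(end - begin);   /* end >= begin by construction */

    char *blkx = malloc(blkx_size + 1);
    if (!blkx) { free(plist); return NULL; }
    memcpy(blkx, begin, blkx_size);
    blkx[blkx_size] = '\0';
    free(plist);
    return blkx;
}

/* Constructed sample "image": 8 bytes of header junk, then a minimal plist. */
static const char sample_img[] =
    "KOLYJUNK"
    "<dict><key>blkx</key><array><dict/></array></dict>";

int main(void)
{
    koly_block k = { 8, (uint32_t)(sizeof(sample_img) - 1 - 8) };
    char *blkx = extract_blkx((const uint8_t *)sample_img, sizeof(sample_img) - 1, &k);
    printf("%s\n", blkx ? blkx : "(rejected)");
    free(blkx);

    /* Same image, but a length that overruns it: rejected before any copy. */
    koly_block bad = { 8, 100000 };
    blkx = extract_blkx((const uint8_t *)sample_img, sizeof(sample_img) - 1, &bad);
    printf("%s\n", blkx ? blkx : "(rejected)");
    free(blkx);
    return 0;
}
```

Every failure path returns NULL rather than continuing with a partially initialised buffer, which is what turns both reports' crashes into a clean parse error on a malformed image.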

[Bug 1854231] [NEW] Heap OOB read

2019-11-27 Thread Bugs SysSec
Public bug reported:

Heap Out Of Bound Read

A variant of
https://bugs.launchpad.net/ubuntu/+source/dmg2img/+bug/1835463 at
another position.

```
parts[i].Data = (char *)malloc(0x28 * mishblk.BlocksRunCount);
if (!parts[i].Data)
    mem_overflow();
// dmg2img doesn't check if mish_begin contains enough data. In this case BlocksRunCount is a large value, and read
memcpy(parts[i].Data, mish_begin + 0xCC, 0x28 * mishblk.BlocksRunCount);
```

Steps to reproduce:
```
apt-get source dmg2img
cd dmg2img-1.6.7/
make
./dmg2img ../crash
```

** Affects: dmg2img (Ubuntu)
 Importance: Undecided
 Status: New

** Attachment added: "dmg2img_arbitrary_OOB_read.tar"
   https://bugs.launchpad.net/bugs/1854231/+attachment/5308311/+files/dmg2img_arbitrary_OOB_read.tar

-- 
https://bugs.launchpad.net/bugs/1854231
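The report above is the read-side counterpart: `0x28 * BlocksRunCount` is trusted both as an allocation size and as a copy length without checking that the mish block actually contains that many bytes after its 0xCC-byte header. As an added example, not dmg2img's code and not from the report, here is a bounds-checked version of that read: the multiplication is checked for overflow, and the resulting table size is compared with the bytes available before `memcpy()` runs. The `part_data` struct and `read_block_runs` name are constructed for this example; the 0x28 run size and 0xCC header offset are the constants from the report.

```c
/* Added example, not dmg2img's code: bounds-checked copy of a mish block's
 * run table. The run count comes from the (untrusted) image, so both the
 * size computation and the read range are validated first. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MISH_HEADER_LEN 0xCC   /* offset of the run table inside a mish block */
#define BLOCK_RUN_LEN   0x28   /* bytes per block run entry */

typedef struct {          /* constructed stand-in for parts[i] */
    char  *Data;          /* copied run table, caller frees */
    size_t Len;           /* bytes in Data */
} part_data;

/* mish points at the start of a mish block; mish_len is the number of bytes
 * known to be readable from there. Returns 0 on success, -1 if the block is
 * truncated or the table size would overflow. On failure out->Data is NULL. */
static int read_block_runs(const uint8_t *mish, size_t mish_len,
                           uint32_t blocks_run_count, part_data *out)
{
    out->Data = NULL;
    out->Len  = 0;

    if (mish_len < MISH_HEADER_LEN) return -1;
    size_t avail = mish_len - MISH_HEADER_LEN;

    /* Overflow-safe multiply: refuse counts whose table size would wrap. */
    if (blocks_run_count > SIZE_MAX / BLOCK_RUN_LEN) return -1;
    size_t table_len = (size_t)blocks_run_count * BLOCK_RUN_LEN;

    /* The original memcpy() trusted BlocksRunCount and read past the end of
     * the buffer; here the whole table must lie inside the bytes we have. */
    if (table_len > avail) return -1;

    char *buf = malloc(table_len ? table_len : 1);
    if (!buf) return -1;
    memcpy(buf, mish + MISH_HEADER_LEN, table_len);
    out->Data = buf;
    out->Len  = table_len;
    return 0;
}

int main(void)
{
    /* Constructed mish block: header plus exactly two run entries. */
    uint8_t mish[MISH_HEADER_LEN + 2 * BLOCK_RUN_LEN];
    memset(mish, 0xAB, sizeof mish);
    part_data pd;

    printf("count=2 -> %d (len %zu)\n", read_block_runs(mish, sizeof mish, 2, &pd), pd.Len);
    free(pd.Data);
    /* A count that claims more entries than the block holds is rejected. */
    printf("count=3 -> %d\n", read_block_runs(mish, sizeof mish, 3, &pd));
    printf("count=UINT32_MAX -> %d\n", read_block_runs(mish, sizeof mish, UINT32_MAX, &pd));
    return 0;
}
```

Passing the readable length alongside the pointer is the habit that matters here: `mish_begin` alone carries no size, so no later check can be made from it.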