Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error.

CVE-2019-9706: SECURITY: Fix for possible DoS by use-after-free (40791b93) · Commits · Debian / cron · GitLab

Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted.

CVE-2019-9705: Enforce maximum crontab line count of 1000 (26814a26) · Commits · Debian / cron · GitLab

In Live555 before 2019.02.27, malformed headers lead to invalid memory access in the parseAuthorizationHeader function.

CVE-2019-9215

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.

Created attachment 11612 \[details\]
inputs that trigger bugs

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86\_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE\_400/final)
- version: commit commit 388a192d73df7439bf375d8b8042bb53a6be9c60
- run: nm -C input\_file   (We attached the inputs that trigger the bug)
- asan report:
==2003322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000d8 at pc 0x0000008957c6 bp 0x7ffdf2e36340 sp 0x7ffdf2e36338
READ of size 1 at 0x60e0000000d8 thread T0
    #0 0x8957c5 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3356:12
    #1 0x896370 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #2 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #3 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #4 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #5 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #6 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #7 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #8 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #9 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #10 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #11 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #12 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #13 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #14 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #15 0x896370 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #16 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #17 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #18 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #19 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #20 0x896370 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #21 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #22 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #23 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #24 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #25 0x89610c in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3416:18
    #26 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #27 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #28 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #29 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #30 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #31 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #32 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #33 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #34 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #35 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #36 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #37 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #38 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #39 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #40 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #41 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #42 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #43 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #44 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #45 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #46 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #47 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #48 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #49 0x896210 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3438:15
    #50 0x896370 in d\_expression\_1 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3449:16
    #51 0x889158 in d\_expression /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3531:9
    #52 0x887a7d in d\_array\_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3011:13
    #53 0x883aa8 in cplus\_demangle\_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2463:13
    #54 0x893cf5 in d\_parmlist /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2908:14
    #55 0x88e7a5 in d\_bare\_function\_type /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:2962:8
    #56 0x8828eb in d\_encoding /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:1343:16
    #57 0x88200d in cplus\_demangle\_mangled\_name /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:1234:7
    #58 0x88c408 in d\_demangle\_callback /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6292:7
    #59 0x88b8e6 in d\_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6343:12
    #60 0x88b753 in cplus\_demangle\_v3 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:6500:10
    #61 0x87f020 in cplus\_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cplus-dem.c:165:13
    #62 0x517028 in bfd\_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/bfd.c:2254:9
    #63 0x4f4214 in print\_symname /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:423:19
    #64 0x4f2e4e in print\_symbol\_info\_bsd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1565:3
    #65 0x4f9c36 in print\_symbol /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:903:3
    #66 0x4f7844 in print\_symbols /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1102:7
    #67 0x4f5d3a in display\_rel\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1215:5
    #68 0x4f2356 in display\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1335:7
    #69 0x4f1a97 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1816:12
    #70 0x7f5777ae909a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2409a)
    #71 0x41d5e9 in \_start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/nm+0x41d5e9)

0x60e0000000d8 is located 0 bytes to the right of 152-byte region \[0x60e000000040,0x60e0000000d8)
allocated by thread T0 here:
    #0 0x4c42dc in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:66:3
    #1 0x52e4c5 in bfd\_malloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:275:9
    #2 0x516f6d in bfd\_demangle /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/bfd.c:2246:24
    #3 0x4f4214 in print\_symname /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:423:19
    #4 0x4f2e4e in print\_symbol\_info\_bsd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1565:3
    #5 0x4f9c36 in print\_symbol /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:903:3
    #6 0x4f7844 in print\_symbols /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1102:7
    #7 0x4f5d3a in display\_rel\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1215:5
    #8 0x4f2356 in display\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1335:7
    #9 0x4f1a97 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/nm.c:1816:12
    #10 0x7f5777ae909a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/cp-demangle.c:3356:12 in d\_expression\_1
Shadow bytes around the buggy address:
  0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00\[fa\]fa fa fa fa
  0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2003322==ABORTING

Comment 1 Nick Clifton 2019-02-18 16:53:26 UTC

Hi spinpx,

  Thanks for reporting this bug.  Unfortunately the problem is in the 
  libiberty library which is maintained by the gcc project, rather than
  the binutils project.  So please could you report this bug here:

https://gcc.gnu.org/bugzilla/enter\_bug.cgi?product=gcc

Cheers
  Nick

Comment 3 spinpx 2019-02-19 09:08:00 UTC

It can be reproduced in commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019).

CVE-2019-9070: 24229 – nm: heap buffer overflow

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in elf_read_notes in elf.c.

Created attachment 11620 \[details\]
OOM input

size also has the OOM issue described in
https://sourceware.org/bugzilla/show\_bug.cgi?id=24233

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86\_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE\_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: size input\_file


==1671718==ERROR: AddressSanitizer failed to allocate 0xfffff80000 (1099511103488) bytes of LargeMmapAllocator (error code: 12)
==1671718==Process memory map follows:
	0x000000400000-0x00000041d000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x00000041d000-0x0000008b3000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x0000008b3000-0x000000987000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x000000988000-0x000000989000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x000000989000-0x0000009e8000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x0000009e8000-0x000001654000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x602e00000000	
	0x602e00000000-0x602e00010000	
	0x602e00010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x603e00000000	
	0x603e00000000-0x603e00010000	
	0x603e00010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x604e00000000	
	0x604e00000000-0x604e00010000	
	0x604e00010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x607e00000000	
	0x607e00000000-0x607e00010000	
	0x607e00010000-0x608000000000	
	0x608000000000-0x608000010000	
	0x608000010000-0x608e00000000	
	0x608e00000000-0x608e00010000	
	0x608e00010000-0x60b000000000	
	0x60b000000000-0x60b000010000	
	0x60b000010000-0x60be00000000	
	0x60be00000000-0x60be00010000	
	0x60be00010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x60ce00000000	
	0x60ce00000000-0x60ce00010000	
	0x60ce00010000-0x60f000000000	
	0x60f000000000-0x60f000010000	
	0x60f000010000-0x60fe00000000	
	0x60fe00000000-0x60fe00010000	
	0x60fe00010000-0x610000000000	
	0x610000000000-0x610000010000	
	0x610000010000-0x610e00000000	
	0x610e00000000-0x610e00010000	
	0x610e00010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x611e00000000	
	0x611e00000000-0x611e00010000	
	0x611e00010000-0x612000000000	
	0x612000000000-0x612000010000	
	0x612000010000-0x612e00000000	
	0x612e00000000-0x612e00010000	
	0x612e00010000-0x614000000000	
	0x614000000000-0x614000010000	
	0x614000010000-0x614e00000000	
	0x614e00000000-0x614e00010000	
	0x614e00010000-0x616000000000	
	0x616000000000-0x616000010000	
	0x616000010000-0x616e00000000	
	0x616e00000000-0x616e00010000	
	0x616e00010000-0x618000000000	
	0x618000000000-0x618000010000	
	0x618000010000-0x618e00000000	
	0x618e00000000-0x618e00010000	
	0x618e00010000-0x61a000000000	
	0x61a000000000-0x61a000010000	
	0x61a000010000-0x61ae00000000	
	0x61ae00000000-0x61ae00010000	
	0x61ae00010000-0x61d000000000	
	0x61d000000000-0x61d000010000	
	0x61d000010000-0x61de00000000	
	0x61de00000000-0x61de00010000	
	0x61de00010000-0x61f000000000	
	0x61f000000000-0x61f000010000	
	0x61f000010000-0x61fe00000000	
	0x61fe00000000-0x61fe00010000	
	0x61fe00010000-0x621000000000	
	0x621000000000-0x621000010000	
	0x621000010000-0x621e00000000	
	0x621e00000000-0x621e00010000	
	0x621e00010000-0x624000000000	
	0x624000000000-0x624000010000	
	0x624000010000-0x624e00000000	
	0x624e00000000-0x624e00010000	
	0x624e00010000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f1585c66000-0x7f15866e0000	/usr/lib/locale/locale-archive
	0x7f15866e0000-0x7f1586900000	
	0x7f1586a00000-0x7f1586b00000	
	0x7f1586b51000-0x7f1586b65000	
	0x7f1586b65000-0x7f1586b6c000	/usr/lib/x86\_64-linux-gnu/gconv/gconv-modules.cache
	0x7f1586b6c000-0x7f1588f14000	
	0x7f1588f14000-0x7f1588f36000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1588f36000-0x7f158907e000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f158907e000-0x7f15890ca000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f15890ca000-0x7f15890cb000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f15890cb000-0x7f15890cf000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f15890cf000-0x7f15890d1000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f15890d1000-0x7f15890d5000	
	0x7f15890d5000-0x7f15890d8000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890d8000-0x7f15890e9000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890e9000-0x7f15890ec000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890ec000-0x7f15890ed000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890ed000-0x7f15890ee000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890ee000-0x7f15890ef000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f15890ef000-0x7f15890f0000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f15890f0000-0x7f15890f1000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f15890f1000-0x7f15890f2000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f15890f2000-0x7f15890f3000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f15890f3000-0x7f15890f4000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f15890f4000-0x7f1589101000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1589101000-0x7f15891a0000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f15891a0000-0x7f1589275000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1589275000-0x7f1589276000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1589276000-0x7f1589277000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1589277000-0x7f1589279000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1589279000-0x7f158927d000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f158927d000-0x7f158927f000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f158927f000-0x7f1589280000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1589280000-0x7f1589281000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1589281000-0x7f1589287000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1589287000-0x7f1589296000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1589296000-0x7f158929c000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f158929c000-0x7f158929d000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f158929d000-0x7f158929e000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f158929e000-0x7f15892a2000	
	0x7f15892a2000-0x7f15892b1000	
	0x7f15892b1000-0x7f15892b2000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f15892b2000-0x7f15892d0000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f15892d0000-0x7f15892d8000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f15892d8000-0x7f15892d9000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f15892d9000-0x7f15892da000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f15892da000-0x7f15892db000	
	0x7fff515d3000-0x7fff515f4000	\[stack\]
	0x7fff515f6000-0x7fff515f9000	\[vvar\]
	0x7fff515f9000-0x7fff515fb000	\[vdso\]
==1671718==End of process memory map.
==1671718==AddressSanitizer CHECK failed: /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4cbc9f in \_\_asan::AsanCheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_rtl.cc:69:3
    #1 0x4df5ff in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_termination.cc:79:5
    #2 0x4d0c0e in \_\_sanitizer::ReportMmapFailureAndDie(unsigned long, char const\*, char const\*, int, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120:3
    #3 0x4d962b in \_\_sanitizer::MmapOrDie(unsigned long, char const\*, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_posix.cc:132:5
    #4 0x421e04 in \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback>::Allocate(\_\_sanitizer::AllocatorStats\*, unsigned long, unsigned long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_secondary.h:41:9
    #5 0x421bb8 in \_\_sanitizer::CombinedAllocator<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64>, \_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >, \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback> >::Allocate(\_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >\*, unsigned long, unsigned long, bool, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_combined.h:70:24
    #6 0x41f06f in \_\_asan::Allocator::Allocate(unsigned long, unsigned long, \_\_sanitizer::BufferedStackTrace\*, \_\_asan::AllocType, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_allocator.cc:407:21
    #7 0x4c43a0 in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:67:10
    #8 0x526c75 in bfd\_malloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:275:9
    #9 0x5cd904 in elf\_read\_notes /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:11692:18
    #10 0x5cd6cd in bfd\_section\_from\_phdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:3024:13
    #11 0x5ade7a in bfd\_elf64\_core\_file\_p /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elfcore.h:277:11
    #12 0x5207e5 in bfd\_check\_format\_matches /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
    #13 0x4f23c1 in display\_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:347:7
    #14 0x4f1ed5 in display\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:434:5
    #15 0x4f1aa5 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
    #16 0x7f1588f3809a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2409a)
    #17 0x41d5e9 in \_start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size+0x41d5e9)

Comment 1 Alan Modra 2019-02-19 22:51:52 UTC

This is a different testcase and different out of memory condition to pr24233.  Unlike pr24233 we report an out of memory error.  I think that is perfectly good behaviour for user input with silly sizes, in this case a NOTE section claiming to be 0xfffff7dd00 bytes in size.  While we could test for silly section sizes by comparing against file size, that doesn't work in all situations, eg. when section contents are encoded and the decoded size is much larger than the raw size.

CVE-2019-9076: Out of memory in libbfd

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in _bfd_elf_slurp_version_tables in elf.c.

Created attachment 11615 \[details\]
inputs that trigger bugs

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86\_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE\_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run objdump -x input\_file

- asan report
==1243005==ERROR: AddressSanitizer failed to allocate 0xffffffa000 (1099511603200) bytes of LargeMmapAllocator (error code: 12)
==1243005==Process memory map follows:
	0x000000400000-0x00000041d000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
	0x00000041d000-0x000000996000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
	0x000000996000-0x000000bc9000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
	0x000000bca000-0x000000bcb000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
	0x000000bcb000-0x000000c78000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump
	0x000000c78000-0x0000018e9000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x602e00000000	
	0x602e00000000-0x602e00010000	
	0x602e00010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x603e00000000	
	0x603e00000000-0x603e00010000	
	0x603e00010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x604e00000000	
	0x604e00000000-0x604e00010000	
	0x604e00010000-0x606000000000	
	0x606000000000-0x606000010000	
	0x606000010000-0x606e00000000	
	0x606e00000000-0x606e00010000	
	0x606e00010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x607e00000000	
	0x607e00000000-0x607e00010000	
	0x607e00010000-0x608000000000	
	0x608000000000-0x608000010000	
	0x608000010000-0x608e00000000	
	0x608e00000000-0x608e00010000	
	0x608e00010000-0x60b000000000	
	0x60b000000000-0x60b000010000	
	0x60b000010000-0x60be00000000	
	0x60be00000000-0x60be00010000	
	0x60be00010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x60ce00000000	
	0x60ce00000000-0x60ce00010000	
	0x60ce00010000-0x60f000000000	
	0x60f000000000-0x60f000010000	
	0x60f000010000-0x60fe00000000	
	0x60fe00000000-0x60fe00010000	
	0x60fe00010000-0x610000000000	
	0x610000000000-0x610000010000	
	0x610000010000-0x610e00000000	
	0x610e00000000-0x610e00010000	
	0x610e00010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x611e00000000	
	0x611e00000000-0x611e00010000	
	0x611e00010000-0x612000000000	
	0x612000000000-0x612000010000	
	0x612000010000-0x612e00000000	
	0x612e00000000-0x612e00010000	
	0x612e00010000-0x614000000000	
	0x614000000000-0x614000010000	
	0x614000010000-0x614e00000000	
	0x614e00000000-0x614e00010000	
	0x614e00010000-0x616000000000	
	0x616000000000-0x616000010000	
	0x616000010000-0x616e00000000	
	0x616e00000000-0x616e00010000	
	0x616e00010000-0x618000000000	
	0x618000000000-0x618000010000	
	0x618000010000-0x618e00000000	
	0x618e00000000-0x618e00010000	
	0x618e00010000-0x619000000000	
	0x619000000000-0x619000010000	
	0x619000010000-0x619e00000000	
	0x619e00000000-0x619e00010000	
	0x619e00010000-0x61a000000000	
	0x61a000000000-0x61a000010000	
	0x61a000010000-0x61ae00000000	
	0x61ae00000000-0x61ae00010000	
	0x61ae00010000-0x61b000000000	
	0x61b000000000-0x61b000010000	
	0x61b000010000-0x61be00000000	
	0x61be00000000-0x61be00010000	
	0x61be00010000-0x61d000000000	
	0x61d000000000-0x61d000010000	
	0x61d000010000-0x61de00000000	
	0x61de00000000-0x61de00010000	
	0x61de00010000-0x61f000000000	
	0x61f000000000-0x61f000010000	
	0x61f000010000-0x61fe00000000	
	0x61fe00000000-0x61fe00010000	
	0x61fe00010000-0x621000000000	
	0x621000000000-0x621000010000	
	0x621000010000-0x621e00000000	
	0x621e00000000-0x621e00010000	
	0x621e00010000-0x624000000000	
	0x624000000000-0x624000010000	
	0x624000010000-0x624e00000000	
	0x624e00000000-0x624e00010000	
	0x624e00010000-0x62d000000000	
	0x62d000000000-0x62d000020000	
	0x62d000020000-0x62de00000000	
	0x62de00000000-0x62de00010000	
	0x62de00010000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f1ecf066000-0x7f1ecfae0000	/usr/lib/locale/locale-archive
	0x7f1ecfae0000-0x7f1ecfd00000	
	0x7f1ecfdec000-0x7f1ecff00000	
	0x7f1ecff01000-0x7f1ecff08000	/usr/lib/x86\_64-linux-gnu/gconv/gconv-modules.cache
	0x7f1ecff08000-0x7f1ed22c2000	
	0x7f1ed22c2000-0x7f1ed22e4000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed22e4000-0x7f1ed242c000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed242c000-0x7f1ed2478000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed2478000-0x7f1ed2479000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed2479000-0x7f1ed247d000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed247d000-0x7f1ed247f000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f1ed247f000-0x7f1ed2483000	
	0x7f1ed2483000-0x7f1ed2486000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed2486000-0x7f1ed2497000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed2497000-0x7f1ed249a000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed249a000-0x7f1ed249b000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed249b000-0x7f1ed249c000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed249c000-0x7f1ed249d000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f1ed249d000-0x7f1ed249e000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f1ed249e000-0x7f1ed249f000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f1ed249f000-0x7f1ed24a0000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f1ed24a0000-0x7f1ed24a1000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f1ed24a1000-0x7f1ed24a2000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f1ed24a2000-0x7f1ed24af000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1ed24af000-0x7f1ed254e000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1ed254e000-0x7f1ed2623000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1ed2623000-0x7f1ed2624000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1ed2624000-0x7f1ed2625000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f1ed2625000-0x7f1ed2627000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1ed2627000-0x7f1ed262b000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1ed262b000-0x7f1ed262d000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1ed262d000-0x7f1ed262e000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1ed262e000-0x7f1ed262f000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f1ed262f000-0x7f1ed2635000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1ed2635000-0x7f1ed2644000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1ed2644000-0x7f1ed264a000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1ed264a000-0x7f1ed264b000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1ed264b000-0x7f1ed264c000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f1ed264c000-0x7f1ed2650000	
	0x7f1ed2650000-0x7f1ed265f000	
	0x7f1ed265f000-0x7f1ed2660000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f1ed2660000-0x7f1ed267e000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f1ed267e000-0x7f1ed2686000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f1ed2686000-0x7f1ed2687000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f1ed2687000-0x7f1ed2688000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f1ed2688000-0x7f1ed2689000	
	0x7ffc80989000-0x7ffc809aa000	\[stack\]
	0x7ffc809ea000-0x7ffc809ed000	\[vvar\]
	0x7ffc809ed000-0x7ffc809ef000	\[vdso\]
==1243005==End of process memory map.
==1243005==AddressSanitizer CHECK failed: /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4cbcef in \_\_asan::AsanCheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_rtl.cc:69:3
    #1 0x4df64f in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_termination.cc:79:5
    #2 0x4d0c5e in \_\_sanitizer::ReportMmapFailureAndDie(unsigned long, char const\*, char const\*, int, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120:3
    #3 0x4d967b in \_\_sanitizer::MmapOrDie(unsigned long, char const\*, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_posix.cc:132:5
    #4 0x421e54 in \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback>::Allocate(\_\_sanitizer::AllocatorStats\*, unsigned long, unsigned long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_secondary.h:41:9
    #5 0x421c08 in \_\_sanitizer::CombinedAllocator<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64>, \_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >, \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback> >::Allocate(\_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >\*, unsigned long, unsigned long, bool, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_combined.h:70:24
    #6 0x41f0bf in \_\_asan::Allocator::Allocate(unsigned long, unsigned long, \_\_sanitizer::BufferedStackTrace\*, \_\_asan::AllocType, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_allocator.cc:407:21
    #7 0x4c43f0 in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:67:10
    #8 0x605fb5 in bfd\_malloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/libbfd.c:275:9
    #9 0x6a969b in \_bfd\_elf\_slurp\_version\_tables /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:8556:31
    #10 0x6a696f in \_bfd\_elf\_print\_private\_bfd\_data /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:1798:13
    #11 0x4f65d5 in dump\_bfd\_private\_header /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3181:3
    #12 0x4f51f9 in dump\_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3782:5
    #13 0x4f4c71 in display\_object\_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3883:7
    #14 0x4f4b67 in display\_any\_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3973:5
    #15 0x4f424a in display\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:3994:3
    #16 0x4f3ab0 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/objdump.c:4304:6
    #17 0x7f1ed22e609a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2409a)
    #18 0x41d639 in \_start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/objdump+0x41d639)

Comment 1 Alan Modra 2019-02-19 11:32:50 UTC

This also doesn't reproduce for me.

Comment 2 Alan Modra 2019-02-19 11:57:06 UTC

The testcase has a VERDEFS section claiming to be 0xffffff7f00 in size.  I suppose we should inform the user that they hit an out-of-memory here rather than just silently ignoring the failure.

Comment 3 spinpx 2019-02-19 12:07:07 UTC

(In reply to Alan Modra from comment #2)
\> The testcase has a VERDEFS section claiming to be 0xffffff7f00 in size.  I
> suppose we should inform the user that they hit an out-of-memory here rather
> than just silently ignoring the failure.

Agree.

Comment 6 Alan Modra 2019-02-20 03:25:42 UTC

objdump now reports that something went wrong when printing private headers.

CVE-2019-9073: Out of memory in libbfd.c

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an attempted excessive memory allocation in setup_group in elf.c.

size also has the OOM issue described in https://sourceware.org/bugzilla/show\_bug.cgi?id=24232

If the issue it in a library shared with nm and size and if other program use it,  it will cause DOS attacks.

- Intel Xeon Gold 5118 processors and 256 GB memory
- Linux n18-065-139 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86\_64 GNU/Linux
- clang version 4.0.0 (tags/RELEASE\_400/final)
- version: commit c72e75a64030b0f6535a80481f37968ad55c333a (Feb 19 2019)
- run: size input\_file


==1601289==ERROR: AddressSanitizer failed to allocate 0xfe01363000 (1090942021632) bytes of LargeMmapAllocator (error code: 12)
==1601289==Process memory map follows:
	0x000000400000-0x00000041d000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x00000041d000-0x0000008b3000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x0000008b3000-0x000000987000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x000000988000-0x000000989000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x000000989000-0x0000009e8000	/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size
	0x0000009e8000-0x000001654000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x602e00000000	
	0x602e00000000-0x602e00010000	
	0x602e00010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x603e00000000	
	0x603e00000000-0x603e00010000	
	0x603e00010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x604e00000000	
	0x604e00000000-0x604e00010000	
	0x604e00010000-0x606000000000	
	0x606000000000-0x606000010000	
	0x606000010000-0x606e00000000	
	0x606e00000000-0x606e00010000	
	0x606e00010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x607e00000000	
	0x607e00000000-0x607e00010000	
	0x607e00010000-0x608000000000	
	0x608000000000-0x608000010000	
	0x608000010000-0x608e00000000	
	0x608e00000000-0x608e00010000	
	0x608e00010000-0x60b000000000	
	0x60b000000000-0x60b000010000	
	0x60b000010000-0x60be00000000	
	0x60be00000000-0x60be00010000	
	0x60be00010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x60ce00000000	
	0x60ce00000000-0x60ce00010000	
	0x60ce00010000-0x60f000000000	
	0x60f000000000-0x60f000010000	
	0x60f000010000-0x60fe00000000	
	0x60fe00000000-0x60fe00010000	
	0x60fe00010000-0x610000000000	
	0x610000000000-0x610000010000	
	0x610000010000-0x610e00000000	
	0x610e00000000-0x610e00010000	
	0x610e00010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x611e00000000	
	0x611e00000000-0x611e00010000	
	0x611e00010000-0x612000000000	
	0x612000000000-0x612000010000	
	0x612000010000-0x612e00000000	
	0x612e00000000-0x612e00010000	
	0x612e00010000-0x614000000000	
	0x614000000000-0x614000010000	
	0x614000010000-0x614e00000000	
	0x614e00000000-0x614e00010000	
	0x614e00010000-0x616000000000	
	0x616000000000-0x616000010000	
	0x616000010000-0x616e00000000	
	0x616e00000000-0x616e00010000	
	0x616e00010000-0x618000000000	
	0x618000000000-0x618000010000	
	0x618000010000-0x618e00000000	
	0x618e00000000-0x618e00010000	
	0x618e00010000-0x619000000000	
	0x619000000000-0x619000010000	
	0x619000010000-0x619e00000000	
	0x619e00000000-0x619e00010000	
	0x619e00010000-0x61a000000000	
	0x61a000000000-0x61a000010000	
	0x61a000010000-0x61ae00000000	
	0x61ae00000000-0x61ae00010000	
	0x61ae00010000-0x61b000000000	
	0x61b000000000-0x61b000010000	
	0x61b000010000-0x61be00000000	
	0x61be00000000-0x61be00010000	
	0x61be00010000-0x61d000000000	
	0x61d000000000-0x61d000010000	
	0x61d000010000-0x61de00000000	
	0x61de00000000-0x61de00010000	
	0x61de00010000-0x61f000000000	
	0x61f000000000-0x61f000010000	
	0x61f000010000-0x61fe00000000	
	0x61fe00000000-0x61fe00010000	
	0x61fe00010000-0x621000000000	
	0x621000000000-0x621000010000	
	0x621000010000-0x621e00000000	
	0x621e00000000-0x621e00010000	
	0x621e00010000-0x624000000000	
	0x624000000000-0x624000010000	
	0x624000010000-0x624e00000000	
	0x624e00000000-0x624e00010000	
	0x624e00010000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f92d9266000-0x7f92d9ce0000	/usr/lib/locale/locale-archive
	0x7f92d9ce0000-0x7f92d9f00000	
	0x7f92da000000-0x7f92da100000	
	0x7f92da131000-0x7f92da145000	
	0x7f92da145000-0x7f92da14c000	/usr/lib/x86\_64-linux-gnu/gconv/gconv-modules.cache
	0x7f92da14c000-0x7f92dc4f4000	
	0x7f92dc4f4000-0x7f92dc516000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc516000-0x7f92dc65e000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc65e000-0x7f92dc6aa000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc6aa000-0x7f92dc6ab000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc6ab000-0x7f92dc6af000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc6af000-0x7f92dc6b1000	/lib/x86\_64-linux-gnu/libc-2.28.so
	0x7f92dc6b1000-0x7f92dc6b5000	
	0x7f92dc6b5000-0x7f92dc6b8000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6b8000-0x7f92dc6c9000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6c9000-0x7f92dc6cc000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6cc000-0x7f92dc6cd000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6cd000-0x7f92dc6ce000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6ce000-0x7f92dc6cf000	/lib/x86\_64-linux-gnu/libgcc\_s.so.1
	0x7f92dc6cf000-0x7f92dc6d0000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f92dc6d0000-0x7f92dc6d1000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f92dc6d1000-0x7f92dc6d2000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f92dc6d2000-0x7f92dc6d3000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f92dc6d3000-0x7f92dc6d4000	/lib/x86\_64-linux-gnu/libdl-2.28.so
	0x7f92dc6d4000-0x7f92dc6e1000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f92dc6e1000-0x7f92dc780000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f92dc780000-0x7f92dc855000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f92dc855000-0x7f92dc856000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f92dc856000-0x7f92dc857000	/lib/x86\_64-linux-gnu/libm-2.28.so
	0x7f92dc857000-0x7f92dc859000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f92dc859000-0x7f92dc85d000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f92dc85d000-0x7f92dc85f000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f92dc85f000-0x7f92dc860000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f92dc860000-0x7f92dc861000	/lib/x86\_64-linux-gnu/librt-2.28.so
	0x7f92dc861000-0x7f92dc867000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f92dc867000-0x7f92dc876000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f92dc876000-0x7f92dc87c000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f92dc87c000-0x7f92dc87d000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f92dc87d000-0x7f92dc87e000	/lib/x86\_64-linux-gnu/libpthread-2.28.so
	0x7f92dc87e000-0x7f92dc882000	
	0x7f92dc882000-0x7f92dc891000	
	0x7f92dc891000-0x7f92dc892000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f92dc892000-0x7f92dc8b0000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f92dc8b0000-0x7f92dc8b8000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f92dc8b8000-0x7f92dc8b9000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f92dc8b9000-0x7f92dc8ba000	/lib/x86\_64-linux-gnu/ld-2.28.so
	0x7f92dc8ba000-0x7f92dc8bb000	
	0x7ffced2e9000-0x7ffced30a000	\[stack\]
	0x7ffced35a000-0x7ffced35d000	\[vvar\]
	0x7ffced35d000-0x7ffced35f000	\[vdso\]
==1601289==End of process memory map.
==1601289==AddressSanitizer CHECK failed: /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4cbc9f in \_\_asan::AsanCheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_rtl.cc:69:3
    #1 0x4df5ff in \_\_sanitizer::CheckFailed(char const\*, int, char const\*, unsigned long long, unsigned long long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_termination.cc:79:5
    #2 0x4d0c0e in \_\_sanitizer::ReportMmapFailureAndDie(unsigned long, char const\*, char const\*, int, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_common.cc:120:3
    #3 0x4d962b in \_\_sanitizer::MmapOrDie(unsigned long, char const\*, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer\_common/sanitizer\_posix.cc:132:5
    #4 0x421e04 in \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback>::Allocate(\_\_sanitizer::AllocatorStats\*, unsigned long, unsigned long) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_secondary.h:41:9
    #5 0x421bb8 in \_\_sanitizer::CombinedAllocator<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64>, \_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >, \_\_sanitizer::LargeMmapAllocator<\_\_asan::AsanMapUnmapCallback> >::Allocate(\_\_sanitizer::SizeClassAllocatorLocalCache<\_\_sanitizer::SizeClassAllocator64<\_\_asan::AP64> >\*, unsigned long, unsigned long, bool, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer\_common/sanitizer\_allocator\_combined.h:70:24
    #6 0x41f06f in \_\_asan::Allocator::Allocate(unsigned long, unsigned long, \_\_sanitizer::BufferedStackTrace\*, \_\_asan::AllocType, bool) /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_allocator.cc:407:21
    #7 0x4c43a0 in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:67:10
    #8 0x8affb0 in \_objalloc\_alloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/libiberty/objalloc.c:143:22
    #9 0x52e450 in bfd\_alloc /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:949:9
    #10 0x52e51f in bfd\_alloc2 /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/opncls.c:978:10
    #11 0x5b7e8c in setup\_group /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:658:9
    #12 0x5b4472 in \_bfd\_elf\_make\_section\_from\_shdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:1053:10
    #13 0x5c9f9b in bfd\_section\_from\_shdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:2452:13
    #14 0x5c7f32 in bfd\_section\_from\_shdr /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elf.c:2311:11
    #15 0x5a111f in bfd\_elf64\_object\_p /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/elfcode.h:818:7
    #16 0x5207e5 in bfd\_check\_format\_matches /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/bfd/format.c:315:14
    #17 0x4f22d5 in display\_bfd /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:331:7
    #18 0x4f1ed5 in display\_file /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:434:5
    #19 0x4f1aa5 in main /mnt/raid/user/chenpeng/FuzzingBench/binutils/binutils-gdb/binutils/size.c:260:7
    #20 0x7f92dc51809a in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2409a)
    #21 0x41d5e9 in \_start (/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/size+0x41d5e9)

Comment 2 Alan Modra 2019-02-19 22:37:51 UTC

This is exactly the same "bug" as 24232 but with a slightly different testcase.

\*\*\* This bug has been marked as a duplicate of bug 24232 \*\*\*

CVE-2019-9072: Out of memory in objalloc.c

The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI tools that can load Python modules from the current working directory, allowing code injection, because "python -m" looks in this directory, as demonstrated by rdf2dot. This issue is specific to use of the debian/scripts directory.

![version graph](https://bugs.debian.org/version.cgi?height=2;collapse=1;found=rdflib%2F4.2.1-2;found=rdflib%2F4.2.2-1;fixed=rdflib%2F4.2.2-2;width=2;absolute=0;package=python-rdflib-tools)

Reported by: Gabriel Corona <gabriel.corona@enst-bretagne.fr>

Date: Fri, 8 Feb 2019 20:51:02 UTC

Severity: normal

Tags: security

Found in versions rdflib/4.2.1-2, rdflib/4.2.2-1

Fixed in version rdflib/4.2.2-2

**Done:** chrysn@fsfe.org (Christian M. Amsüss)

Bug is archived. No further changes may be made.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, team@security.debian.org, Christian M. Amsüss <chrysn@fsfe.org>`:  
`Bug#921751`; Package `python-rdflib-tools`. (Fri, 08 Feb 2019 20:51:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Gabriel Corona <gabriel.corona@enst-bretagne.fr>`:  
New Bug report received and forwarded. Copy sent to `team@security.debian.org, Christian M. Amsüss <chrysn@fsfe.org>`. (Fri, 08 Feb 2019 20:51:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: python-rdflib-tools
Version: 4.2.2-1
Severity: normal
Tags: security

The CLI tools in python-rdflib-tools can from load python modules
found in the current directory. This happens because "python -m"
appends the current directory in the python path.

    $ echo 'print("Something")' > cgi.py
    $ rdf2dot
    INFO:rdflib:RDFLib Version: 4.2.2
    Something
    Reading from stdin as None...

The local cgi.py file is loaded instead of the system one.

There are probably other instances of this in the Debian
archive. Constructs such as:

  python -m "$some\_module"
  python -c "$some\_code"
  $some\_command | python

can lead to code injection from current working directory


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86\_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr\_FR.utf8, LC\_CTYPE=fr\_FR.utf8 (charmap=UTF-8), LANGUAGE=fr\_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-rdflib-tools depends on:
ii  python         2.7.15-4
ii  python-rdflib  4.2.2-1

python-rdflib-tools recommends no packages.

python-rdflib-tools suggests no packages.

-- no debconf information

**Added tag(s) upstream.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Fri, 08 Feb 2019 21:33:06 GMT) (full text, mbox, link).

**Removed tag(s) upstream.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Fri, 08 Feb 2019 21:45:10 GMT) (full text, mbox, link).

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>`:  
`Bug#921751`; Package `python-rdflib-tools`. (Sat, 09 Feb 2019 04:15:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Salvatore Bonaccorso <carnil@debian.org>`:  
Extra info received and forwarded to list. Copy sent to `Christian M. Amsüss <chrysn@fsfe.org>`. (Sat, 09 Feb 2019 04:15:03 GMT) (full text, mbox, link).

Message #14 received at 921751@bugs.debian.org (full text, mbox, reply):

Control: retitle -1 python-rdflib-tools: CVE-2019-7653: Code injection from current working directory

Hi Gabriel!

On Fri, Feb 08, 2019 at 09:49:07PM +0100, Gabriel Corona wrote:
> Package: python-rdflib-tools
> Version: 4.2.2-1
> Severity: normal
> Tags: security
> 
> The CLI tools in python-rdflib-tools can from load python modules
> found in the current directory. This happens because "python -m"
> appends the current directory in the python path.
> 
>     $ echo 'print("Something")' > cgi.py
>     $ rdf2dot
>     INFO:rdflib:RDFLib Version: 4.2.2
>     Something
>     Reading from stdin as None...
> 
> The local cgi.py file is loaded instead of the system one.
> 
> There are probably other instances of this in the Debian
> archive. Constructs such as:
> 
>   python -m "$some\_module"
>   python -c "$some\_code"
>   $some\_command | python
> 
> can lead to code injection from current working directory

MITRE has assigned CVE-2019-7653 for this issue.

For those following the bug, this likely does not affect the upstream
project itself and is Debian specifc, as the Debian packaging AFAICS
replaces the respective scripts/tools by wrappers invoking python -m
as described by Gabriel (please correct me if I'm wrong).

Regards,
Salvatore

**Changed Bug title to 'python-rdflib-tools: CVE-2019-7653: Code injection from current working directory' from 'python-rdflib-tools: Code injection from current working directory'.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `921751-submit@bugs.debian.org`. (Sat, 09 Feb 2019 04:15:03 GMT) (full text, mbox, link).

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>`:  
`Bug#921751`; Package `python-rdflib-tools`. (Thu, 14 Feb 2019 16:33:05 GMT) (full text, mbox, link).

**Acknowledgement sent** to `chrysn <chrysn@fsfe.org>`:  
Extra info received and forwarded to list. Copy sent to `Christian M. Amsüss <chrysn@fsfe.org>`. (Thu, 14 Feb 2019 16:33:05 GMT) (full text, mbox, link).

Message #21 received at 921751@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

On Sat, Feb 09, 2019 at 05:13:07AM +0100, Salvatore Bonaccorso wrote:
> For those following the bug, this likely does not affect the upstream
> project itself and is Debian specifc, as the Debian packaging AFAICS
> replaces the respective scripts/tools by wrappers invoking python -m
> as described by Gabriel (please correct me if I'm wrong).

I've updated the package's source to avoid the issue by using the
wrappers that setup.py/easy\_install provides rather than making our own
in Debian.

I can't directly push to the source right now (but have a PR pending at
\[1\]) and can't upload (as I don't have DMUA on that package).

Andreas or Ondřej, could you do pull that in and do a team upload on
this? (I can prepare a full DM upload to be sponsered, but it's my
impression that team uploads are the easier way to go about this now).

Best regards
Christian

\[1\]: https://salsa.debian.org/debian/rdflib/merge\_requests/1

\[signature.asc (application/pgp-signature, inline)\]

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>`:  
`Bug#921751`; Package `python-rdflib-tools`. (Fri, 15 Feb 2019 08:15:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Andreas Tille <andreas@fam-tille.de>`:  
Extra info received and forwarded to list. Copy sent to `Christian M. Amsüss <chrysn@fsfe.org>`. (Fri, 15 Feb 2019 08:15:04 GMT) (full text, mbox, link).

Message #26 received at 921751@bugs.debian.org (full text, mbox, reply):

On Thu, Feb 14, 2019 at 05:24:48PM +0100, chrysn wrote:
> 
> I can't directly push to the source right now (but have a PR pending at
> \[1\]) and can't upload (as I don't have DMUA on that package).

Hmmm, I can not merge either.  What about moving that repository to
Debian Python Modules team?
 
> Andreas or Ondřej, could you do pull that in and do a team upload on
> this? (I can prepare a full DM upload to be sponsered, but it's my
> impression that team uploads are the easier way to go about this now).

I prefer to sponsor right from the Git repository but a repository where
neither the Maintainer nor its sponsor can write to is just insane and
DPMT seems the natural team that package belongs to.

Thanks for your work on this package anyway

      Andreas.
 
> \[1\]: https://salsa.debian.org/debian/rdflib/merge\_requests/1

-- 
http://fam-tille.de

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>`:  
`Bug#921751`; Package `python-rdflib-tools`. (Fri, 15 Feb 2019 08:30:06 GMT) (full text, mbox, link).

**Acknowledgement sent** to `chrysn <chrysn@fsfe.org>`:  
Extra info received and forwarded to list. Copy sent to `Christian M. Amsüss <chrysn@fsfe.org>`. (Fri, 15 Feb 2019 08:30:06 GMT) (full text, mbox, link).

Message #31 received at 921751@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

On Fri, Feb 15, 2019 at 09:11:11AM +0100, Andreas Tille wrote:
> On Thu, Feb 14, 2019 at 05:24:48PM +0100, chrysn wrote:
> > 
> > I can't directly push to the source right now (but have a PR pending at
> > \[1\]) and can't upload (as I don't have DMUA on that package).
> 
> Hmmm, I can not merge either.  What about moving that repository to
> Debian Python Modules team?

That's odd given you created the repo – but yes, I'm fine with it being
in DPMT as well, and will request it transferred (that'll only work via
the alioth admins).

I used to be member of the DPMT group back on Alioth\[2\], can you add me on
salsa? Then I can make the package ready for sponsor-upload-from-git
once moved.

Thanks
Christian

\[2\]: https://lists.debian.org/debian-python/2016/11/msg00048.html

\[signature.asc (application/pgp-signature, inline)\]

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>`:  
`Bug#921751`; Package `python-rdflib-tools`. (Fri, 15 Feb 2019 09:57:05 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Andreas Tille <andreas@fam-tille.de>`:  
Extra info received and forwarded to list. Copy sent to `Christian M. Amsüss <chrysn@fsfe.org>`. (Fri, 15 Feb 2019 09:57:05 GMT) (full text, mbox, link).

Message #36 received at 921751@bugs.debian.org (full text, mbox, reply):

Hi Christian,

On Fri, Feb 15, 2019 at 09:28:08AM +0100, chrysn wrote:
> On Fri, Feb 15, 2019 at 09:11:11AM +0100, Andreas Tille wrote:
> > On Thu, Feb 14, 2019 at 05:24:48PM +0100, chrysn wrote:
> > > 
> > > I can't directly push to the source right now (but have a PR pending at
> > > \[1\]) and can't upload (as I don't have DMUA on that package).
> > 
> > Hmmm, I can not merge either.  What about moving that repository to
> > Debian Python Modules team?
> 
> That's odd given you created the repo – but yes, I'm fine with it being
> in DPMT as well, and will request it transferred (that'll only work via
> the alioth admins).

Yes, that's really odd.  I tried via Salsa web interface which does not
enable the "Merge" button.  When trying to do it manually the last step
fails:

  $ git push origin debian
GitLab: You are not allowed to push code to this project.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.


What is also strange: If I go to the original location on Salsa web
interface I see a hint:

  Project 'debian/rdflib' was moved to 'python-team/rdflib'. Please update any links and bookmarks that may still have the old path.

So it was somehow moved but definitely to a wrong location (that should
be rather python-team/modules/rdflib).

> I used to be member of the DPMT group back on Alioth\[2\], can you add me on
> salsa? Then I can make the package ready for sponsor-upload-from-git
> once moved.

Sorry, I can't for DPMT but I think Ondřej (re-added to CC) can.

Kind regards

      Andreas.
 
> \[2\]: https://lists.debian.org/debian-python/2016/11/msg00048.html

-- 
http://fam-tille.de

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>`:  
`Bug#921751`; Package `python-rdflib-tools`. (Fri, 15 Feb 2019 15:09:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to `chrysn <chrysn@fsfe.org>`:  
Extra info received and forwarded to list. Copy sent to `Christian M. Amsüss <chrysn@fsfe.org>`. (Fri, 15 Feb 2019 15:09:03 GMT) (full text, mbox, link).

Message #41 received at 921751@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

\> So it was somehow moved but definitely to a wrong location (that should
> be rather python-team/modules/rdflib).

yes, that was a mistake when moving the module and is now fixed.

> I used to be member of the DPMT group back on Alioth\[2\], can you add me on
> salsa? Then I can make the package ready for sponsor-upload-from-git
> once moved.

I've incorporated the changes from the move and an update to
standards-version, and set the changelog to indicate release readiness.
Would you sponsor the latest version (81346975) of \[1\] to close this
issue?

Thanks
Christian

\[1\]: https://salsa.debian.org/python-team/modules/rdflib

\[signature.asc (application/pgp-signature, inline)\]

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>`:  
`Bug#921751`; Package `python-rdflib-tools`. (Fri, 15 Feb 2019 19:27:06 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Andreas Tille <tille@debian.org>`:  
Extra info received and forwarded to list. Copy sent to `Christian M. Amsüss <chrysn@fsfe.org>`. (Fri, 15 Feb 2019 19:27:06 GMT) (full text, mbox, link).

Message #46 received at 921751@bugs.debian.org (full text, mbox, reply):

On Fri, Feb 15, 2019 at 04:04:31PM +0100, chrysn wrote:
> 
> > I used to be member of the DPMT group back on Alioth\[2\], can you add me on
> > salsa? Then I can make the package ready for sponsor-upload-from-git
> > once moved.
> 
> I've incorporated the changes from the move and an update to
> standards-version, and set the changelog to indicate release readiness.
> Would you sponsor the latest version (81346975) of \[1\] to close this
> issue?

I have uploaded with an additional change to set DPMT as Maintainer
and you as Uploader since this is policy if you are maintaining in
this repository tree.

Thanks for working on this

       Andreas.

> \[1\]: https://salsa.debian.org/python-team/modules/rdflib

-- 
http://fam-tille.de

**Reply sent** to `chrysn@fsfe.org (Christian M. Amsüss)`:  
You have taken responsibility. (Fri, 15 Feb 2019 19:36:15 GMT) (full text, mbox, link).

**Notification sent** to `Gabriel Corona <gabriel.corona@enst-bretagne.fr>`:  
Bug acknowledged by developer. (Fri, 15 Feb 2019 19:36:15 GMT) (full text, mbox, link).

Message #51 received at 921751-close@bugs.debian.org (full text, mbox, reply):

Source: rdflib
Source-Version: 4.2.2-2

We believe that the bug you reported is fixed in the latest version of
rdflib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921751@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian M. Amsüss <chrysn@fsfe.org> (supplier of updated rdflib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Feb 2019 15:50:18 +0100
Source: rdflib
Architecture: source
Version: 4.2.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Christian M. Amsüss <chrysn@fsfe.org>
Closes: 917913 921751
Changes:
 rdflib (4.2.2-2) unstable; urgency=medium
 .
   \[ Ondřej Nový \]
   \* d/control: Remove ancient X-Python(3)-Version fields
   \* d/changelog: Remove trailing whitespaces
 .
   \[ Christian Amsüss \]
   \* tools:
     - Use easy\_install provided scripts (CVE-2019-7653, closes: #921751)
     - Use Python 3
   \* d/control:
     - Update Standards-Version to 4.3.0 (no further changes)
     - Remove retired Olivier Berger from uploaders (closes: #917913)
     - Update salsa location
   \* d/patches: Acknowledge that pyparsinglatest.patch is not required any more
   \* Add bsddb3 and rdflib-jsonld to test dependencies
     - Disable broken tests for rdflib-jsonld at build time
Checksums-Sha1:
 50812e90e3bc74262b2771e4f36f4cced886cfb1 3084 rdflib\_4.2.2-2.dsc
 b731f212c620c299add8eb14f70872659798c9ee 28760 rdflib\_4.2.2-2.debian.tar.xz
 f79d0d8a9f129e493da141acf23328c4f78d71ec 8803 rdflib\_4.2.2-2\_amd64.buildinfo
Checksums-Sha256:
 9840ad126cc4387ba97051f2fa1713b301a8e57578aff59e30df52e524563f6f 3084 rdflib\_4.2.2-2.dsc
 dfc2f37a9619976023361a64c717b62d920df956a7c1bc8eeb7ff94634f60c97 28760 rdflib\_4.2.2-2.debian.tar.xz
 3d54308530b6a0dd42deb84311dbf1ff49ad8fe8dd426b0dfc0604735e6f605b 8803 rdflib\_4.2.2-2\_amd64.buildinfo
Files:
 c6291b837c791f34a89446395cb38d95 3084 python optional rdflib\_4.2.2-2.dsc
 e1f291c8a981a71dbfd7b1a83c45d86e 28760 python optional rdflib\_4.2.2-2.debian.tar.xz
 67a4f90f45acce40dce2fb974f1dbbee 8803 python optional rdflib\_4.2.2-2\_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJCBAEBCgAsFiEE8fAHMgoDVUHwpmPKV4oElNHGRtEFAlxnDfEOHHRpbGxlYUBy
a2kuZGUACgkQV4oElNHGRtE8BQ/8Cu+1vYnVZGDPEcI8OES+Og11HzkGdGhqJLnY
VopDA17D6wapUohnkBfqQt4X7ximoqEtRF6moZKcnruOa56xwCI7zIzTGTy6TV4N
wVRnl56DWuOENFaGKNsR4Ikfl94Ij7eoRwb82cqmpsJbMiKY719sWkJqCuOjOYs+
+e47QryFcqXtvJIoCVOfptNR3RO4IPx21h2lqgIn1QH8k6mYQYxzx0aArPUAWZLM
N7+nOEatsol6ah3VV/7pGX4sIRn+UCZnFeMzlLbiJQnr4n5f82bvy2VkdReMeTGh
Ti9Um47Q+R76iGx0idAyYzPum8xSBbi9jcucp2KvZ+i90l3SEc9uJpYh43f08Prw
wxVKjGMzmFoIwwTLDx5pi8cMYdfwXQKW3wuj6AIrss3HQEcUOwykL+TlutvqtLLf
cEPB2VVoYDivWukzZj1iPI7Ppj42jcDyxK7LJ8FO2BEsbM1SDUP5u1hhXN/RN0+9
aHQ0pCMJmND4BEeHfUCWnXvN8PYmnWD9+rmB6CxTLhUwVzvlo0lsJLCLyLvxIS9Z
eqalVud3E52LVh2nOlIx2O6iJKCe5+ebqkhL/pnTgmuHdYkXyGBqmwjGdbkS1EYU
I0jmkXzSU+b29BpGc/Y/xrK59SnJU1taZzvPziaLTXE6uctun1jxyqGmZHqU5BPc
ADEPH6Q=
=q79+
-----END PGP SIGNATURE-----

**Marked as found in versions rdflib/4.2.1-2.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Fri, 15 Feb 2019 20:09:03 GMT) (full text, mbox, link).

**Bug archived.** Request was from `Debbugs Internal Request <owner@bugs.debian.org>` to `internal_control@bugs.debian.org`. (Sun, 31 Mar 2019 07:26:54 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Tue Dec 28 16:30:16 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2019-7653: #921751 - python-rdflib-tools: CVE-2019-7653: Code injection from current working directory

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

scp client multiple vulnerabilities =================================== The latest version of this advisory is available at: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt Overview -------- SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to target directory and/or client output manipulation. Description ----------- Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output. Impact ------ Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output. Details ------- The discovered vulnerabilities, described in more detail below, enables the attack described here in brief. 1. The attacker controlled server or Man-in-the-Middle(\*) attack drops .bash\_aliases file to victim's home directory when the victim performs scp operation from the server. The transfer of extra files is hidden by sending ANSI control sequences via stderr. For example: user@local:~$ scp user@remote:readme.txt . readme.txt 100% 494 1.6KB/s 00:00 user@local:~$ 2. Once the victim launches a new shell, the malicious commands in .bash\_aliases get executed. \*) Man-in-the-Middle attack does require the victim to accept the wrong host fingerprint. Vulnerabilities --------------- 1. CWE-20: scp client improper directory name validation \[CVE-2018-20685\] The scp client allows server to modify permissions of the target directory by using empty ("D0777 0 \\n") or dot ("D0777 0 .\\n") directory name. 2. CWE-20: scp client missing received object name validation \[CVE-2019-6111\] Due to the scp implementation being derived from 1983 rcp \[1\], the server chooses which files/directories are sent to the client. However, scp client only perform cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized\_keys). The same vulnerability in WinSCP is known as CVE-2018-20684. 3. CWE-451: scp client spoofing via object name \[CVE-2019-6109\] Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred. 4. CWE-451: scp client spoofing via stderr \[CVE-2019-6110\] Due to accepting and displaying arbitrary stderr output from the scp server, a malicious server can manipulate the client output, for example to employ ANSI codes to hide additional files being transferred. Proof-of-Concept ---------------- Proof of concept malicious scp server will be released at a later date. Vulnerable versions ------------------- The following software packages have some or all vulnerabilities: ver #1 #2 #3 #4 OpenSSH scp <=7.9 x x x x PuTTY PSCP ? - - x x WinSCP scp mode <=5.13 - x - - Tectia SSH scpg3 is not affected since it exclusively uses sftp protocol. Mitigation ---------- 1. OpenSSH 1.1 Switch to sftp if possible 1.2 Apply the following patches to scp: CVE-2018-20685: https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2 CVE-2019-6109: https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c CVE-2019-6111: https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc 1.3 Alternatively apply the following patch to harden scp against most server-side manipulation attempts: https://sintonen.fi/advisories/scp-name-validator.patch NOTE: This unofficial patch may cause problems if the the remote and local shells don't agree on the way glob() pattern matching works. YMMV. 2. PuTTY 2.1 No fix is available yet 3. WinSCP 3.1. Upgrade to WinSCP 5.14 or later Similar or prior work --------------------- 1. CVE-2000-0992 - scp overwrites arbitrary files References ---------- 1. https://www.jeffgeerling.com/blog/brief-history-ssh-and-remote-access Issue tracking -------------- Arch Linux https://security.archlinux.org/CVE-2018-20685 Debian GNU/Linux https://security-tracker.debian.org/tracker/CVE-2019-6111 https://security-tracker.debian.org/tracker/CVE-2018-20685 https://security-tracker.debian.org/tracker/CVE-2019-6109 https://security-tracker.debian.org/tracker/CVE-2019-6110 Gentoo Linux https://bugs.gentoo.org/show\_bug.cgi?id=CVE-2019-6111 https://bugs.gentoo.org/show\_bug.cgi?id=CVE-2019-6109 https://bugs.gentoo.org/show\_bug.cgi?id=CVE-2019-6110 Red Hat Linux https://access.redhat.com/security/cve/cve-2019-6111 https://access.redhat.com/security/cve/cve-2018-20685 https://access.redhat.com/security/cve/cve-2019-6109 https://access.redhat.com/security/cve/cve-2019-6110 SUSE Linux https://www.suse.com/security/cve/CVE-2019-6111 https://www.suse.com/security/cve/CVE-2018-20685 https://www.suse.com/security/cve/CVE-2019-6109 https://www.suse.com/security/cve/CVE-2019-6110 Ubuntu https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6111.html https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20685.html https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6109.html https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6110.html WinSCP https://www.cvedetails.com/cve/CVE-2018-20684 PuTTY PSCP https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pscp-unsanitised-server-output.html Credits ------- These vulnerabilities were discovered by Harry Sintonen / F-Secure Corporation. Timeline -------- 2018.08.08 initial discovery of vulnerabilities #1 and #2 2018.08.09 reported vulnerabilities #1 and #2 to OpenSSH 2018.08.10 OpenSSH acknowledged the vulnerabilities 2018.08.14 discovered & reported vulnerability #3 to OpenSSH 2018.08.15 discovered & reported vulnerability #4 to OpenSSH 2018.08.30 reported PSCP vulnerabilities (#3 and #4) to PuTTY developers 2018.08.31 reported WinSCP vulnerability (#2) to WinSCP developers 2018.09.04 WinSCP developers reported the vulnerability #2 fixed 2018.11.12 requested a status update from OpenSSH 2018.11.16 OpenSSH fixed vulnerability #1 2019.01.07 requested a status update from OpenSSH 2019.01.08 requested CVE assignments from MITRE 2019.01.10 received CVE assignments from MITRE 2019.01.11 public disclosure of the advisory 2019.01.14 added a warning about the potential issues caused by the patch 2019.01.15 added issue tracking section (Arch, Debian, Red Hat, SUSE, Ubuntu) 2019.01.15 fixed patch for BROKEN\_ONE\_BYTE\_DIRENT\_D\_NAME 2019.01.17 updated Ubuntu issue tracking, added Gentoo issue tracking 2019.02.01 added PuTTY PSCP issue tracking 2019.02.09 added links to official patches to mitigation section 2019.02.26 fixed the unofficial patch with "dir/." src syntax

CVE-2019-6111

An issue was discovered in rcp in NetKit through 0.17. For an rcp operation, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned. A malicious rsh server (or Man-in-The-Middle attacker) can overwrite arbitrary files in a directory on the rcp client machine. This is similar to CVE-2019-6111.

Tag

#debian