Debian Bug report logs - #773041
libmspack: CVE-2014-9556: frame_end overflow which could cause infinite loop


Package: libmspack0; Maintainer for libmspack0 is Marc Dequènes (Duck) <Duck@DuckCorp.org>; Source for libmspack0 is src:libmspack.

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Thu, 11 Dec 2014 23:51:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version libmspack/0.4-1

Fixed in version libmspack/0.4-2

Done: Marc Dequènes (Duck) <Duck@DuckCorp.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#772891; Package cabextract. (Thu, 11 Dec 2014 23:51:07 GMT) (full text, mbox, link).


Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cabextract: hangs on a crafted CAB file
Date: Fri, 12 Dec 2014 00:47:21 +0100
Package: cabextract
Version: 1.4-4+b1
Severity: minor
Usertags: afl

The attached file makes cabextract hang forever (or at least for two 
minutes, after which I lost my patience :-P).

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages cabextract depends on:
ii  libc6  2.19-13

-- 
Jakub Wilk
[hang.cab (application/x-cab, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#772891; Package cabextract. (Fri, 12 Dec 2014 05:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Eric Sharkey <eric@lisaneric.org>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>. (Fri, 12 Dec 2014 05:03:04 GMT) (full text, mbox, link).


Message #8 received at 772891@bugs.debian.org (full text, mbox, reply):

From: Eric Sharkey <eric@lisaneric.org>
To: Jakub Wilk <jwilk@debian.org>, 772891@bugs.debian.org
Cc: kyzer@4u.net
Subject: Re: Bug#772891: cabextract: hangs on a crafted CAB file
Date: Fri, 12 Dec 2014 00:00:37 -0500
On Thu, Dec 11, 2014 at 6:47 PM, Jakub Wilk <jwilk@debian.org> wrote:
> Package: cabextract
> Version: 1.4-4+b1
> Severity: minor
> Usertags: afl
>
> The attached file makes cabextract hang forever (or at least for two
> minutes, after which I lost my patience :-P).
>
> This bug was found using American fuzzy lop:
> http://lcamtuf.coredump.cx/afl/

It's definitely an infinite loop.  It gets caught in qtmd_decompress()
and never gets out of the loop on line 290.

The problem seems to be on this line:

    /* decode more, up to the number of bytes needed, the frame boundary,
     * or the window boundary, whichever comes first */
    frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));

out_bytes is an off_t (8 bytes) but frame_end is an unsigned int (4
bytes) and it overflows.

If I change the "unsigned int" to "off_t" in the first line of this
function, the function terminates properly and declares the file
corrupt:


marvin% ./cabextract ~/Download/hang.cab
Extracting cabinet: /home/sharkey/Download/hang.cab
  extracting limerick
limerick: error in CAB data format

All done, errors in processing 1 file(s)


Stuart, is this the right fix in your opinion?

Eric



Information forwarded to debian-bugs-dist@lists.debian.org, Eric Sharkey <sharkey@debian.org>:
Bug#772891; Package cabextract. (Sat, 13 Dec 2014 14:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Eric Sharkey <sharkey@debian.org>. (Sat, 13 Dec 2014 14:48:04 GMT) (full text, mbox, link).


Message #13 received at 772891@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Jakub Wilk <jwilk@debian.org>, 772891@bugs.debian.org
Subject: Re: Bug#772891: cabextract: hangs on a crafted CAB file
Date: Sat, 13 Dec 2014 15:44:29 +0100
Control: clone -1 -2
Control: reassign -2 libmspack0 0.4-1
Control: retitle -2 libmspack: hangs on a crafted CAB file

On 2014-12-12 00:47:21, Jakub Wilk wrote:
> Package: cabextract
> Version: 1.4-4+b1
> Severity: minor
> Usertags: afl
> 
> The attached file makes cabextract hang forever (or at least for two
> minutes, after which I lost my patience :-P).
> 
> This bug was found using American fuzzy lop:
> http://lcamtuf.coredump.cx/afl/

This issue also affects libmspack. I noticed this while clamav was
scanning Jakub's mail for malware and it was stuck in an infinite loop.

The issue is easy to reproduce with the crafted file and the following
example code:

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <unistd.h>
#include <mspack.h>

int main(void)
{
  struct mscab_decompressor *cabd;
  struct mscabd_cabinet *cab;
  struct mscabd_file *file;
  int test;

  /* verify the library was built with the same off_t size as this program */
  MSPACK_SYS_SELFTEST(test);
  if (test != MSPACK_ERR_OK) exit(0);
  if ((cabd = mspack_create_cab_decompressor(NULL))) {
    if ((cab = cabd->open(cabd, "hang.cab"))) {
      /* extracting each member runs the decompressor over the crafted data */
      for (file = cab->files; file; file = file->next) {
        printf("%s\n", file->filename);
        cabd->extract(cabd, file, file->filename);
      }
      cabd->close(cabd, cab);
    }
    mspack_destroy_cab_decompressor(cabd);
  }
  return 0;
}

(From https://github.com/cooljeanius/libmspack/blob/master/README with a
call to extract added.)

Cheers
-- 
Sebastian Ramacher
[signature.asc (application/pgp-signature, inline)]

Bug 772891 cloned as bug 773041 Request was from Sebastian Ramacher <sramacher@debian.org> to 772891-submit@bugs.debian.org. (Sat, 13 Dec 2014 14:48:04 GMT) (full text, mbox, link).


Bug reassigned from package 'cabextract' to 'libmspack0'. Request was from Sebastian Ramacher <sramacher@debian.org> to 772891-submit@bugs.debian.org. (Sat, 13 Dec 2014 14:48:05 GMT) (full text, mbox, link).


No longer marked as found in versions cabextract/1.4-4. Request was from Sebastian Ramacher <sramacher@debian.org> to 772891-submit@bugs.debian.org. (Sat, 13 Dec 2014 14:48:06 GMT) (full text, mbox, link).


Marked as found in versions libmspack/0.4-1. Request was from Sebastian Ramacher <sramacher@debian.org> to 772891-submit@bugs.debian.org. (Sat, 13 Dec 2014 14:48:06 GMT) (full text, mbox, link).


Changed Bug title to 'libmspack: hangs on a crafted CAB file' from 'cabextract: hangs on a crafted CAB file' Request was from Sebastian Ramacher <sramacher@debian.org> to 772891-submit@bugs.debian.org. (Sat, 13 Dec 2014 14:48:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#773041; Package libmspack0. (Sat, 20 Dec 2014 11:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sat, 20 Dec 2014 11:15:05 GMT) (full text, mbox, link).


Message #28 received at 773041@bugs.debian.org (full text, mbox, reply):

From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
To: James Cloos <cloos@jhcloos.com>
Cc: 773318@bugs.debian.org, 773041@bugs.debian.org
Subject: Re: Bug#773318: clamav dies/hangs
Date: Sat, 20 Dec 2014 12:12:13 +0100
Control: tags 773041 security
Control: severity 773041 grave
Justification: causes remote denial of service

Hi James,

On 19.12.2014 23:12, James Cloos wrote:
> Even w/ the milter not called, one of the MXs has one clamd thread
> consuming 100% cpu right now.  gdb says:
>
> #0  0x00007fd0b4791ed0 in ?? () from /usr/lib/x86_64-linux-gnu/libmspack.so.0
> #1  0x00007fd0b47863ea in ?? () from /usr/lib/x86_64-linux-gnu/libmspack.so.0
> #2  0x00007fd0b55c1e26 in cli_scanmscab (ctx=0x7fd096dfb6b0, sfx_offset=256) at libmspack.c:384
> #3  0x00007fd0b5597aa0 in magic_scandesc (ctx=0x7fd096dfb6b0, type=CL_TYPE_ANY)
>      at scanners.c:2703
> #4  0x00007fd0b5598059 in cli_base_scandesc (desc=12, ctx=0x7fd096dfb6b0, type=CL_TYPE_ANY)
>      at scanners.c:3051
> #5  0x00007fd0b559bf33 in fileblobScan (fb=0x7fd088003910) at blob.c:641
> #6  0x00007fd0b559c01d in fileblobScanAndDestroy (fb=fb@entry=0x7fd088003910) at blob.c:399
> #7  0x00007fd0b55a08db in do_multipart (mainMessage=0x0, messages=<optimized out>,
>      i=<optimized out>, rc=0x7fd096dfa35c, mctx=0x7fd096dfa420, messageIn=<optimized out>,
>      tptr=0x7fd096dfa360, recursion_level=0) at mbox.c:3712
> #8  0x00007fd0b55a0019 in parseEmailBody (messageIn=0x7fd095df4000,
>      messageIn@entry=0x7fd088004940, textIn=0x100, textIn@entry=0x0, mctx=0x7fd0880047b1,
>      recursion_level=32512, recursion_level@entry=0) at mbox.c:1533
> #9  0x00007fd0b55a1232 in cli_parse_mbox (
>      dir=dir@entry=0x7fd088000e50 "/tmp/clamav-4b94ddbad0a132b5af6d2f6db3a76e40.tmp",
>      ctx=ctx@entry=0x7fd096dfb6b0) at mbox.c:508
> #10 0x00007fd0b55a1b1a in cli_mbox (
>      dir=dir@entry=0x7fd088000e50 "/tmp/clamav-4b94ddbad0a132b5af6d2f6db3a76e40.tmp",
>      ctx=ctx@entry=0x7fd096dfb6b0) at mbox.c:309
> #11 0x00007fd0b5579218 in cli_scanmail (ctx=0x7fd096dfb6b0) at scanners.c:1702

Thanks for the backtrace!

As it shows that clamd hangs in libmspack, I think this is bug #773041 
[1]. A possible fix is mentioned in [2]. We'll have to include it in the 
libmspack copy embedded in clamav, which is used in wheezy.

Best regards,
Andreas


1: https://bugs.debian.org/773041
2: https://bugs.debian.org/773041#8



Added tag(s) security. Request was from Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> to 773041-submit@bugs.debian.org. (Sat, 20 Dec 2014 11:15:05 GMT) (full text, mbox, link).


Severity set to 'grave' from 'minor' Request was from Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> to 773041-submit@bugs.debian.org. (Sat, 20 Dec 2014 11:15:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#773041; Package libmspack0. (Sun, 21 Dec 2014 21:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sun, 21 Dec 2014 21:21:05 GMT) (full text, mbox, link).


Message #37 received at 773041@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>, 773318@bugs.debian.org
Cc: James Cloos <cloos@jhcloos.com>, 773041@bugs.debian.org, Josselin Mouette <joss@debian.org>
Subject: Re: Bug#773318: clamav dies/hangs
Date: Sun, 21 Dec 2014 22:16:09 +0100
On 2014-12-20 12:12:13 [+0100], Andreas Cadhalpun wrote:
> As it shows that clamd hangs in libmspack, I think this is bug #773041 [1].
> A possible fix is mentioned in [2]. We'll have to include it in the
> libmspack copy embedded in clamav, which is used in wheezy.

Oh great. So for clamav we have to fix it in stable, since sid uses the
external library (yay!).
This "type fix" does not look that bad. Do we wait for the upstream
maintainer on this atm?

Is the security team aware of the various in-tree copy of this library?
#675555 tries / tried to track them.

> Best regards,
> Andreas

Sebastian



Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#773041; Package libmspack0. (Mon, 22 Dec 2014 01:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to duck@duckcorp.org:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Mon, 22 Dec 2014 01:57:05 GMT) (full text, mbox, link).


Message #42 received at 773041@bugs.debian.org (full text, mbox, reply):

From: Marc Dequènes (duck) <duck@duckcorp.org>
To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, 773041@bugs.debian.org
Subject: Re: Bug#773041: Bug#773318: clamav dies/hangs
Date: Mon, 22 Dec 2014 02:52:02 +0100
Coin,

On 2014-12-21 22:16, Sebastian Andrzej Siewior wrote:
> On 2014-12-20 12:12:13 [+0100], Andreas Cadhalpun wrote:
>> As it shows that clamd hangs in libmspack, I think this is bug #773041 
>> [1].
>> A possible fix is mentioned in [2].

I can upload this simple fix quickly, nevertheless I did not have time 
to proofread it. Any comment?

> Is the security team aware of the various in-tree copy of this library?
> #675555 tries / tried to track them.

Joss filed #675560 tagged security.

I tested the cabextract build using the library but had no reply. I 
wanted to have at least one real user for the lib before pinging the 
other related packages. I should probably have been more aggressive on 
this front, my bad.

Regards.

-- 
Marc Dequènes



Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#773041; Package libmspack0. (Mon, 22 Dec 2014 12:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Mon, 22 Dec 2014 12:45:05 GMT) (full text, mbox, link).


Message #47 received at 773041@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Marc Dequènes (duck) <duck@duckcorp.org>
Cc: 773041@bugs.debian.org
Subject: Re: Bug#773041: Bug#773318: clamav dies/hangs
Date: Mon, 22 Dec 2014 13:37:09 +0100
* Marc Dequènes (duck) | 2014-12-22 02:52:02 [+0100]:

>Coin,
>
>On 2014-12-21 22:16, Sebastian Andrzej Siewior wrote:
>>On 2014-12-20 12:12:13 [+0100], Andreas Cadhalpun wrote:
>>>As it shows that clamd hangs in libmspack, I think this is bug #773041
>>>[1].
>>>A possible fix is mentioned in [2].
>
>I can upload this simple fix quickly, nevertheless i did not have time to
>proofread it. Any comment?

It would be nice if we could keep this in sync. I will look at this
tonight at the latest and give more feedback.

>>Is the security team aware of the various in-tree copy of this library?
>>#675555 tries / tried to track them.
>
>Joss filled #675560 tagged security.

Yes. At least clamav can be triggered via remote. Not sure about the
others.

>Regards.

Sebastian



Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#773041; Package libmspack0. (Mon, 22 Dec 2014 21:57:20 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Mon, 22 Dec 2014 21:57:21 GMT) (full text, mbox, link).


Message #52 received at 773041@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Marc Dequènes (duck) <duck@duckcorp.org>
Cc: 773041@bugs.debian.org, 773318@bugs.debian.org, kyzer@4u.net
Subject: Re: Bug#773041: Bug#773318: clamav dies/hangs
Date: Mon, 22 Dec 2014 22:52:03 +0100
On 2014-12-22 02:52:02 [+0100], Marc Dequènes (duck) wrote:
> I can upload this simple fix quickly, nevertheless i did not have time to
> proofread it. Any comment?

I plan to add the following patch to clamav. I added a small comment
why we have the busy loop there. So far it looks like a good idea. The
only problem is that we need off_t being 64bit (LFS) or it won't work
on 32bit. No problem on Debian side…

I added upstream on CC hoping that they will take this or do something
about it :)

If nobody objects, I'll push this tomorrow into the clamav repo.

From 9041fefc0d48aa3c307baa20c5cc4b7eceafe616 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Mon, 22 Dec 2014 22:10:47 +0100
Subject: [PATCH] make frame_end off_t

Debian bts #773041, #772891 contains a report of a .cab file which
causes an endless loop.
Eric Sharkey diagnosed the problem: frame_end is 32bit and overflows,
and as a result the loop makes no progress. He also added that making
it off_t (and so 64bit with LFS) fixes the problem.

The problem seems to be that after the overflow, window_posn is larger than
frame_end and therefore we never enter the loop to make progress. But we
still have out_bytes >0 so we don't leave the outer loop either.

This patch is based on Eric Sharkey's comments.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
 mspack/qtmd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mspack/qtmd.c b/mspack/qtmd.c
index 12b27f5608c4..6e1640579119 100644
--- a/mspack/qtmd.c
+++ b/mspack/qtmd.c
@@ -253,7 +253,8 @@ struct qtmd_stream *qtmd_init(struct mspack_system *system,
 }
 
 int qtmd_decompress(struct qtmd_stream *qtm, off_t out_bytes) {
-  unsigned int frame_todo, frame_end, window_posn, match_offset, range;
+  unsigned int frame_todo, window_posn, match_offset, range;
+  off_t frame_end;
   unsigned char *window, *i_ptr, *i_end, *runsrc, *rundest;
   int i, j, selector, extra, sym, match_length;
   unsigned short H, L, C, symf;
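Review bot: the covering mail says a small comment explaining the busy loop was added, but this hunk only moves frame_end out of the `unsigned int` declaration into `off_t frame_end;`; either the comment fell out of the patch or the description should be adjusted. The fix also holds only when off_t is 64-bit, as the mail itself notes: frame_end is still compared with the 32-bit window_posn and capped at qtm->window_size, so on a 32-bit build without LFS the sum truncates exactly as before. A one-line comment next to `off_t frame_end;` recording that assumption would spare the next porter the same analysis.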
-- 
2.1.3

Sebastian



Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#773041; Package libmspack0. (Tue, 23 Dec 2014 17:18:05 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Tue, 23 Dec 2014 17:18:05 GMT) (full text, mbox, link).


Message #57 received at 773041@bugs.debian.org (full text, mbox, reply):

From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, 773041@bugs.debian.org, Marc Dequènes (duck) <duck@duckcorp.org>
Cc: 773318@bugs.debian.org, kyzer@4u.net
Subject: Re: Bug#773041: Bug#773318: clamav dies/hangs
Date: Tue, 23 Dec 2014 18:15:45 +0100
Hi,

On 22.12.2014 22:52, Sebastian Andrzej Siewior wrote:
> On 2014-12-22 02:52:02 [+0100], Marc Dequènes (duck) wrote:
>> I can upload this simple fix quickly, nevertheless i did not have time to
>> proofread it. Any comment?
>
> I plan to add the following patch to clamav. I added a small comment
> why we have the busy loop there. So far it looks like a good idea. The
> only problem is that we need off_t beeing 64bit (LFS) or it won't work
> on 32bit. No problem on Debian side…

I think there is a better way than changing the type of frame_end to off_t.
It is possible to avoid the overflow by reordering the code:

--- libmspack-0.4.orig/mspack/qtmd.c
+++ libmspack-0.4/mspack/qtmd.c
@@ -296,10 +296,12 @@ int qtmd_decompress(struct qtmd_stream *

     /* decode more, up to the number of bytes needed, the frame boundary,
      * or the window boundary, whichever comes first */
-    frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
-    if ((window_posn + frame_todo) < frame_end) {
+    if (frame_todo < (out_bytes - (qtm->o_end - qtm->o_ptr))) {
       frame_end = window_posn + frame_todo;
     }
+    else {
+      frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
+    }
     if (frame_end > qtm->window_size) {
       frame_end = qtm->window_size;
     }

This works, because frame_todo is at most QTM_FRAME_SIZE = 32768.

Merry Christmas,
Andreas




Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#773041; Package libmspack0. (Tue, 23 Dec 2014 20:48:09 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Tue, 23 Dec 2014 20:48:09 GMT) (full text, mbox, link).


Message #62 received at 773041@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Cc: 773041@bugs.debian.org, Marc Dequènes (duck) <duck@duckcorp.org>, 773318@bugs.debian.org, kyzer@4u.net
Subject: Re: Bug#773041: Bug#773318: clamav dies/hangs
Date: Tue, 23 Dec 2014 21:44:04 +0100
tags 773318 - moreinfo + patch
thanks

On 2014-12-23 18:15:45 [+0100], Andreas Cadhalpun wrote:
> Hi,
Hi Andreas,

> I think there is a better way than changing the type of frame_end to off_t.
> It is possible to avoid the overflow by reordering the code:

Even better, I like it. The patch at the end of the email is what I
pushed into the wheezy branch for clamav [0]. So after an upload for
stable, we have Wheezy fixed. I have no idea how to close this bug for
unstable since it has to be fixed in a different package. Probably
manually with a comment…
Side question: In case someone has unattended-upgrades running, how does
he get clamd restarted after a libmspack update?

From a0449d2079c4ba5822e6567ad7094c10108f16cd Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue, 23 Dec 2014 21:20:43 +0100
Subject: libmspack: qtmd: fix frame_end overflow

Debian bts #773041, #772891 contains a report of a .cab file which
causes an endless loop.
Eric Sharkey diagnosed the problem: frame_end is 32bit and overflows,
and as a result the loop makes no progress.
The problem seems to be that after the overflow, window_posn is larger than
frame_end and therefore we never enter the loop to make progress. But we
still have out_bytes >0 so we don't leave the outer loop either.

Andreas Cadhalpun suggested that instead of making frame_end 64bit, we could
avoid the overflow by reordering the code the following way:

original, with just out_bytes (without (qtm->o_end - qtm->o_ptr))
| frame_end = window_posn + out_bytes;
| if ((window_posn + frame_todo) < frame_end) {
|         frame_end = window_posn + frame_todo;
| }

replace frame_end in "if" with its content (and move the first frame_end
into the else path)
| if ((window_posn + frame_todo) < (window_posn + out_bytes))
|         frame_end = window_posn + frame_todo;
| else
|         frame_end = window_posn + out_bytes;

remove window_posn from "if" since it is the same both times.
| if (frame_todo <  out_bytes)
|         frame_end = window_posn + frame_todo;
| else
|         frame_end = window_posn + out_bytes;

Andreas added:
|This works, because frame_todo is at most QTM_FRAME_SIZE = 32768.

Suggested-as-patch: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
[sebastian@breakpoint: added patch description]
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
 libclamav/libmspack-0.4alpha/mspack/qtmd.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libclamav/libmspack-0.4alpha/mspack/qtmd.c b/libclamav/libmspack-0.4alpha/mspack/qtmd.c
index 12b27f5608c4..e584aef8e576 100644
--- a/libclamav/libmspack-0.4alpha/mspack/qtmd.c
+++ b/libclamav/libmspack-0.4alpha/mspack/qtmd.c
@@ -296,9 +296,10 @@ int qtmd_decompress(struct qtmd_stream *qtm, off_t out_bytes) {
 
     /* decode more, up to the number of bytes needed, the frame boundary,
      * or the window boundary, whichever comes first */
-    frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
-    if ((window_posn + frame_todo) < frame_end) {
+    if (frame_todo < (out_bytes - (qtm->o_end - qtm->o_ptr))) {
       frame_end = window_posn + frame_todo;
+    } else {
+      frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
     }
     if (frame_end > qtm->window_size) {
       frame_end = qtm->window_size;
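Review bot: `out_bytes - (qtm->o_end - qtm->o_ptr)` is now evaluated twice, once in the condition and once in the else branch; hoisting it into a local `off_t` (for instance `off_t remaining = out_bytes - (qtm->o_end - qtm->o_ptr);`) keeps the two in step and gives a natural place to note the invariant from the commit message, that the else branch is only reached when that value is at most frame_todo and therefore at most QTM_FRAME_SIZE, so the 32-bit addition cannot wrap. Otherwise this is the same reordering as the earlier patch, with the `} else {` style matching the surrounding code.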


[0] https://anonscm.debian.org/cgit/pkg-clamav/clamav.git/tree/debian/patches/0018-libmspack-qtmd-fix-frame_end-overflow.patch?h=wheezy

Sebastian
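The overflow Eric diagnosed in message #8 and the reordering Andreas proposed in message #57, side by side as an added example (not libmspack's code): both functions model the frame_end computation in qtmd_decompress(), with int64_t standing in for a 64-bit off_t and `remaining` for out_bytes - (qtm->o_end - qtm->o_ptr); the window size, position and byte counts are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* frame_todo never exceeds one Quantum frame (QTM_FRAME_SIZE in libmspack). */
#define QTM_FRAME_SIZE 32768u

struct frame_bound {
    unsigned int frame_end;  /* bound the decode loop runs up to */
    int makes_progress;      /* frame_end > window_posn, so the inner loop executes */
};

/* Original libmspack 0.4 computation. `remaining` models
 * out_bytes - (qtm->o_end - qtm->o_ptr), a 64-bit off_t quantity. */
struct frame_bound frame_end_original(unsigned int window_posn, unsigned int frame_todo,
                                      int64_t remaining, unsigned int window_size)
{
    struct frame_bound b;
    /* 64-bit sum stored into a 32-bit variable: wraps modulo 2^32 as soon as
     * window_posn + remaining reaches 4 GiB, which is the CVE-2014-9556 defect. */
    b.frame_end = (unsigned int)(window_posn + remaining);
    if ((window_posn + frame_todo) < b.frame_end)
        b.frame_end = window_posn + frame_todo;
    if (b.frame_end > window_size)
        b.frame_end = window_size;
    b.makes_progress = b.frame_end > window_posn;
    return b;
}

/* Reordered computation from the fix: compare first, in 64 bits, and add
 * `remaining` to window_posn only when remaining <= frame_todo <= QTM_FRAME_SIZE,
 * so the 32-bit sum cannot wrap. */
struct frame_bound frame_end_fixed(unsigned int window_posn, unsigned int frame_todo,
                                   int64_t remaining, unsigned int window_size)
{
    struct frame_bound b;
    if (frame_todo < remaining)          /* frame_todo is promoted to int64_t here */
        b.frame_end = window_posn + frame_todo;
    else
        b.frame_end = (unsigned int)(window_posn + remaining);
    if (b.frame_end > window_size)
        b.frame_end = window_size;
    b.makes_progress = b.frame_end > window_posn;
    return b;
}

int main(void)
{
    /* Constructed inputs: a 2 MiB window, decoder 256 bytes into it, a full
     * frame still to decode, and a caller asking for exactly 4 GiB of output. */
    const unsigned int window_size = 0x200000u, window_posn = 0x100u;
    const unsigned int frame_todo = QTM_FRAME_SIZE;
    const int64_t remaining = (int64_t)1 << 32;

    struct frame_bound o = frame_end_original(window_posn, frame_todo, remaining, window_size);
    struct frame_bound f = frame_end_fixed(window_posn, frame_todo, remaining, window_size);

    printf("original: frame_end=0x%x progress=%d\n", o.frame_end, o.makes_progress);
    printf("fixed:    frame_end=0x%x progress=%d\n", f.frame_end, f.makes_progress);
    return 0;
}
```

With the constructed 4 GiB request the original computation leaves frame_end equal to window_posn, so the inner decode loop never runs while out_bytes stays positive, which is the hang observed with hang.cab; for ordinary sizes both functions return the same bound.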



Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#773041; Package libmspack0. (Tue, 23 Dec 2014 22:45:09 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Tue, 23 Dec 2014 22:45:09 GMT) (full text, mbox, link).


Message #67 received at 773041@bugs.debian.org (full text, mbox, reply):

From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Cc: 773041@bugs.debian.org, Marc Dequènes (duck) <duck@duckcorp.org>, 773318@bugs.debian.org, kyzer@4u.net
Subject: Re: Bug#773041: Bug#773318: clamav dies/hangs
Date: Tue, 23 Dec 2014 23:41:53 +0100
Control: found 773318 0.98.5+dfsg-0+deb7u1
Control: notfound 773318 0.98.5+dfsg-3
# 0.98.5+dfsg-3 uses the system libmspack
# see bug #773041 for progress there

Hi Sebastian,

On 23.12.2014 21:44, Sebastian Andrzej Siewior wrote:
> Even better, I like it. The patch at the end of the email is what I
> pushed into the wheezy branch for clamav [0]. So after an upload for
> stable, we have Wheezy fixed.

Yes, thanks.

> I have no idea how to close this bug for
> unstable since it has to be fixed in a different package. Probably
> manually with a comment…

I'm marking the unstable version as not affected, because we have #773041
to track the progress for libmspack. So the upload of the fixed wheezy
version will close this bug.

> Side question: In case someone has unattended-upgrades running, how does
> he get clamd restarted after a libmspack update?

I think needrestart can do that.

Best regards,
Andreas



Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#773041; Package libmspack0. (Tue, 30 Dec 2014 16:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to duck@duckcorp.org:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Tue, 30 Dec 2014 16:12:05 GMT) (full text, mbox, link).


Message #72 received at 773041@bugs.debian.org (full text, mbox, reply):

From: Marc Dequènes (duck) <duck@duckcorp.org>
To: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>, 773041@bugs.debian.org
Subject: Re: Bug#773041: Bug#773318: clamav dies/hangs
Date: Tue, 30 Dec 2014 17:08:52 +0100
Control: tag 773041 + pending

Coin,

Thanks a lot Andreas.

Have a pleasant end of year time.

-- 
Marc Dequènes



Added tag(s) pending. Request was from Marc Dequènes (duck) <duck@duckcorp.org> to 773041-submit@bugs.debian.org. (Tue, 30 Dec 2014 16:12:05 GMT) (full text, mbox, link).


Reply sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>:
You have taken responsibility. (Tue, 30 Dec 2014 17:06:05 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Tue, 30 Dec 2014 17:06:05 GMT) (full text, mbox, link).


Message #79 received at 773041-close@bugs.debian.org (full text, mbox, reply):

From: Marc Dequènes (Duck) <Duck@DuckCorp.org>
To: 773041-close@bugs.debian.org
Subject: Bug#773041: fixed in libmspack 0.4-2
Date: Tue, 30 Dec 2014 17:03:39 +0000
Source: libmspack
Source-Version: 0.4-2

We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773041@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated libmspack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 30 Dec 2014 17:40:47 +0100
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source amd64 all
Version: 0.4-2
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
 libmspack-dbg - library for Microsoft compression formats (debugging symbols)
 libmspack-dev - library for Microsoft compression formats (development files)
 libmspack-doc - library for Microsoft compression formats (documentation)
 libmspack0 - library for Microsoft compression formats (shared library)
Closes: 773041
Changes:
 libmspack (0.4-2) unstable; urgency=medium
 .
   * Added patch 'qtmd-fix-frame_end-overflow.patch' to fix an overflow
     causing an infinite loop in some situation (Closes: #773041).




Added tag(s) upstream and patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 01 Jan 2015 13:15:07 GMT) (full text, mbox, link).


Changed Bug title to 'libmspack: CVE-2014-9556: frame_end overflow which could cause infinite loop' from 'libmspack: hangs on a crafted CAB file' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Jan 2015 13:45:15 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 Feb 2015 07:27:05 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:18:21 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.