Package: libmspack0
Version: 0.4-3
Tags: patch
Usertags: afl
There's an off-by-one buffer over-read in mspack/mszipd.c; please see
the attached patch. I don't believe it's exploitable, but I could be
wrong.
To reproduce the bug, rebuild libmspack with -fsanitize=address and
run:
$ test/cabd_md5 mszip-over-read.cab
*** mszip-over-read.cab
=================================================================
==761==ERROR: AddressSanitizer: global-buffer-overflow on address 0x08076dde at pc 0x806adc0 bp 0xffeb3998 sp 0xffeb398c
READ of size 1 at 0x08076dde thread T0
#0 0x806adbf in inflate mspack/mszipd.c:268
#1 0x806c3a7 in mszipd_decompress mspack/mszipd.c:426
#2 0x8056b04 in cabd_extract mspack/cabd.c:1074
#3 0x804a8e3 in main test/cabd_md5.c:145
#4 0xf70f1a62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
#5 0x8048f10 (/home/jwilk/libmspack-0.4/test/cabd_md5+0x8048f10)
0x08076dde is located 0 bytes to the right of global variable 'dist_extrabits' from 'mspack/mszipd.c' (0x8076dc0) of size 30
0x08076dde is located 34 bytes to the left of global variable 'bitlen_order' from 'mspack/mszipd.c' (0x8076e00) of size 19
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libmspack0 depends on:
ii libc6 2.19-13
ii multiarch-support 2.19-13
--
Jakub Wilk
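The ASan report above points at a one-byte read exactly 0 bytes past `dist_extrabits`, a 30-entry table, from the distance-decoding path of inflate(). The bug report does not carry the patch itself, so the following is an added example written for this page, not libmspack code: it models how an RFC 1951 distance decoder ends up indexing a 30-entry table with code 30. The distance Huffman alphabet has 32 symbols (0..31), codes 30 and 31 are reserved, and a crafted block can make the decoder emit them, so a bounds check written as `code > 30` (this example's reconstruction of the off-by-one pattern, not a quotation of mszipd.c) still lets 30 through. The function and variable names are this example's own.

```c
/* Added example, not libmspack code: models the RFC 1951 distance-code table
 * lookup where an off-by-one bounds check lets code 30 read one byte past a
 * 30-entry table (the pattern behind the ASan report). Names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1951 section 3.2.5: distance codes 0..29 are valid, 30 and 31 are
 * reserved and never appear in a conforming stream. The tables therefore
 * have exactly 30 entries. */
static const uint16_t dist_base[30] = {
    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
    257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289,
    16385, 24577
};
static const uint8_t dist_extrabits[30] = {
    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
    7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13
};

/* Derive the bound from the table, not from a hand-written constant. */
#define DIST_CODES (sizeof dist_extrabits / sizeof dist_extrabits[0])

/* The distance Huffman tree has 32 symbols, so a malformed block can make
 * the decoder emit 30 or 31. A check of the form `code > 30` accepts 30,
 * and dist_extrabits[30] is one past the end: a 1-byte global over-read.
 * These two predicates isolate the check so it can be tested directly. */
int check_accepts_offbyone(unsigned code) { return !(code > 30); }
int check_accepts_fixed(unsigned code)    { return code < DIST_CODES; }

/* Hardened lookup: reject out-of-alphabet codes before touching either
 * table. `extra` stands in for the extra bits read from the stream; it is
 * masked to dist_extrabits[code] bits here. Returns the match distance,
 * or -1 for an invalid distance code. */
long decode_distance(unsigned code, unsigned extra) {
    if (!check_accepts_fixed(code)) return -1;   /* codes 30, 31, ... */
    unsigned nbits = dist_extrabits[code];
    unsigned mask  = nbits ? (1u << nbits) - 1u : 0u;
    return (long)dist_base[code] + (long)(extra & mask);
}

int main(void) {
    for (unsigned code = 28; code <= 31; code++) {
        printf("code %2u: off-by-one check %s, fixed check %s, distance %ld\n",
               code,
               check_accepts_offbyone(code) ? "accepts" : "rejects",
               check_accepts_fixed(code) ? "accepts" : "rejects",
               decode_distance(code, 0));
    }
    return 0;
}
```

The practical check for a reviewer is that the comparison bound and the table length come from the same place: a magic `30` beside a `>` is exactly the kind of drift that a fuzzer with ASan catches and a plain test suite does not, because a one-byte read past a global rarely faults.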
Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>: Bug#775498; Package libmspack0. (Sun, 18 Jan 2015 15:24:08 GMT)
Acknowledgement sent to Stuart Caie <kyzer@cabextract.org.uk>: Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sun, 18 Jan 2015 15:24:08 GMT)
Source: libmspack
Source-Version: 0.5-1
We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775498@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated libmspack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 02 Feb 2015 19:41:59 +0100
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source amd64 all
Version: 0.5-1
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
libmspack-dbg - library for Microsoft compression formats (debugging symbols)
libmspack-dev - library for Microsoft compression formats (development files)
libmspack-doc - library for Microsoft compression formats (documentation)
libmspack0 - library for Microsoft compression formats (shared library)
Closes: 774665 775498 775499 775687
Changes:
libmspack (0.5-1) unstable; urgency=medium
.
* New upstream fix-only release:
+ Fix previously reported bugs with an upstream approved patch
(#773041, #774725, #774726)
+ Fixes many security-sensitive bugs (Closes: #775687, #775498,
#774665, #775499).
Checksums-Sha1:
5ee31e4bee00c8d898f8748cc57d7783dc533dc3 2064 libmspack_0.5-1.dsc
226f19b1fc58e820671a1749983b06896e108cc4 654193 libmspack_0.5.orig.tar.gz
0b25b953e95874cd6f3c4faff1d89b5080f5460e 2732 libmspack_0.5-1.debian.tar.xz
3455afb116161bb800208c5e5315c9c0ef74931d 46518 libmspack0_0.5-1_amd64.deb
e039f7f9a29d0369e7bca3216d1711b906badf64 64864 libmspack-dev_0.5-1_amd64.deb
d7e03f123dd5ac4b8744d9aeb7acf4aeb84aeab1 83962 libmspack-dbg_0.5-1_amd64.deb
aa481d5f1bfc4b234005d542a79c4c542380573e 101792 libmspack-doc_0.5-1_all.deb
Checksums-Sha256:
eb9e63d0dd75cb28180f5ed02178c436a723697dab285b5a484729acc4039a2c 2064 libmspack_0.5-1.dsc
8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110 654193 libmspack_0.5.orig.tar.gz
42bf17c5b1dd0a44da06117ff4deb52ee06063b002bd8289f8d1ca9df1753cc3 2732 libmspack_0.5-1.debian.tar.xz
805a49cc478460e920930864770071184dc90818bdaf23b81a36bbf6deafa96a 46518 libmspack0_0.5-1_amd64.deb
703badb6b5ca7eaeac15779030c4dbe07fc6d355870da9acdc31a2e7b90c54c4 64864 libmspack-dev_0.5-1_amd64.deb
5992fa23531e125ae07437ca0fc78c1da0dcf573f558fcf1fec3259ec0b6620d 83962 libmspack-dbg_0.5-1_amd64.deb
6852556f9e730725b9820365eeaced90b8affeb648a385ec0fab82d5cffcb6e8 101792 libmspack-doc_0.5-1_all.deb
Files:
6a821d5a21543cac7e931cb2d574f906 2064 libs optional libmspack_0.5-1.dsc
3aa3f6b9ef101463270c085478fda1da 654193 libs optional libmspack_0.5.orig.tar.gz
e795c2066af466550f9a19c79addb364 2732 libs optional libmspack_0.5-1.debian.tar.xz
bdacfcaa023672fbd2d6e5351775c85b 46518 libs optional libmspack0_0.5-1_amd64.deb
c88a0b861ce8ef9de6ea119f6db22c9f 64864 libdevel optional libmspack-dev_0.5-1_amd64.deb
6a47691d38eb3bcaeac00b051e1e6f86 83962 debug extra libmspack-dbg_0.5-1_amd64.deb
60e609c122d314710d819847ac9c3e8a 101792 doc optional libmspack-doc_0.5-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=F8TC
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 07 Mar 2015 07:36:08 GMT)
Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Jun 2015 15:21:09 GMT)
Changed Bug title to 'libmspack: CVE-2015-4470: off-by-one buffer over-read in mspack/mszipd.c' from 'libmspack: off-by-one buffer over-read in mspack/mszipd.c'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Jun 2015 15:21:10 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jul 2015 07:33:23 GMT)