Debian Bug report logs - #775499
libmspack: CVE-2015-4471: off-by-one buffer under-read in mspack/lzxd.c


Package: libmspack0; Maintainer for libmspack0 is Marc Dequènes (Duck) <Duck@DuckCorp.org>; Source for libmspack0 is src:libmspack (PTS, buildd, popcon).

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Fri, 16 Jan 2015 12:33:06 UTC

Severity: normal

Found in version libmspack/0.4-3

Fixed in version libmspack/0.5-1

Done: Marc Dequènes (Duck) <Duck@DuckCorp.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, pkg-clamav-devel@lists.alioth.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#775499; Package libmspack0. (Fri, 16 Jan 2015 12:33:10 GMT) (full text, mbox, link).


Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmspack: off-by-one(?) buffer under-read in mspack/lzxd.c
Date: Fri, 16 Jan 2015 13:32:22 +0100
Package: libmspack0
Version: 0.4-3
Usertags: afl

There's an off-by-one(?) buffer under-read in mspack/lzxd.c. To 
reproduce the bug, rebuild libmspack with -fsanitize=address and run:

$ test/cabd_md5 lzxd-under-read.cab
*** lzxd-under-read.cab
ERROR; file "test1.txt" cannot be extracted, cabinet set is incomplete.
lzxd-under-read.cab: error extracting "test1.txt": error in data format
=================================================================
==8354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4a028ff at pc 0x80604a7 bp 0xffdf8028 sp 0xffdf801c
READ of size 1 at 0xf4a028ff thread T0
   #0 0x80604a6 in lzxd_decompress mspack/lzxd.c:516
   #1 0x80568c7 in cabd_extract mspack/cabd.c:1067
   #2 0x804a8e3 in main test/cabd_md5.c:145
   #3 0xf707ca62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
   #4 0x8048f10 (/home/jwilk/libmspack-0.4/test/cabd_md5+0x8048f10)

0xf4a028ff is located 1 bytes to the left of 4096-byte region [0xf4a02900,0xf4a03900)
allocated by thread T0 here:
   #0 0xf725c6e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
   #1 0x80497af in m_alloc test/md5_fh.h:111
   #2 0x805c27b in lzxd_init mspack/lzxd.c:313
   #3 0x8057264 in cabd_init_decomp mspack/cabd.c:1126
   #4 0x805634f in cabd_extract mspack/cabd.c:1034
   #5 0x804a8e3 in main test/cabd_md5.c:145
   #6 0xf707ca62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)


The relevant code is:

         /* read 1-16 (not 0-15) bits to align to bytes */
         ENSURE_BITS(16);
         if (bits_left > 16) i_ptr -= 2;
         bits_left = 0; bit_buffer = 0;

         /* read 12 bytes of stored R0 / R1 / R2 values */
         for (rundest = &buf[0], i = 0; i < 12; i++) {
           READ_IF_NEEDED;
           *rundest++ = *i_ptr++;
         }

As I understand it, ENSURE_BITS can rewind i_ptr to the beginning of 
the buffer, and then "i_ptr -= 2" makes the pointer go one (or two?) 
bytes prior to the buffer.


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libmspack0 depends on:
ii  libc6              2.19-13
ii  multiarch-support  2.19-13

-- 
Jakub Wilk
[lzxd-under-read.cab (application/x-cab, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marc Dequènes (Duck) <Duck@DuckCorp.org>:
Bug#775499; Package libmspack0. (Sun, 18 Jan 2015 15:36:27 GMT) (full text, mbox, link).


Acknowledgement sent to Stuart Caie <kyzer@cabextract.org.uk>:
Extra info received and forwarded to list. Copy sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>. (Sun, 18 Jan 2015 15:36:28 GMT) (full text, mbox, link).


Message #8 received at 775499@bugs.debian.org (full text, mbox, reply):

From: Stuart Caie <kyzer@cabextract.org.uk>
To: 775499@bugs.debian.org
Subject: Re: libmspack: off-by-one(?) buffer under-read in mspack/lzxd.c
Date: Sun, 18 Jan 2015 14:30:32 +0000
This happens because of the presumption i_ptr can be wound back 2 bytes. It 
could, until this change in 2006:

2006-08-31:  Stuart Caie   <kyzer@4u.net>

        * lzxd_decompress(): [...] the LZX decompression stream can
        sometimes become odd-aligned (after an uncompressed block) and the
        next 16 bit fetch needs to be split across two input buffers

Since this point, it has been possible for READ_BYTES to add 16 bits to the 
bit-buffer but only have consumed 1 byte of the byte buffer.

A fix has been committed to the libmspack repository.

Regards
Stuart
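
Jakub's reading of ENSURE_BITS and Stuart's explanation above, as an added C model that is not libmspack's own code: a tiny input window forces the 16-bit fetch to straddle a refill, so the pre-fix "i_ptr -= 2" lands one byte before the buffer (offset -1, matching the AddressSanitizer report), while a variant that never over-fetches has nothing to rewind. The window size, the helper names and the "bits_left == 0" formulation are this example's assumptions, not upstream's patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the reader in the report (added example, not libmspack
 * code): 16-bit fetches, each byte guarded by its own refill check. */
#define WINDOW 4                      /* tiny input window to force a split */
struct rd {
    const uint8_t *src; size_t len, pos;     /* whole stream and read offset */
    uint8_t inbuf[WINDOW];                   /* current input window */
    const uint8_t *i_ptr, *i_end;
    uint32_t bit_buffer; int bits_left;
};
static void refill(struct rd *r) {  /* next window; i_ptr back to start (EOF not modelled) */
    size_t n = r->len - r->pos; if (n > WINDOW) n = WINDOW;
    memcpy(r->inbuf, r->src + r->pos, n); r->pos += n;
    r->i_ptr = r->inbuf; r->i_end = r->inbuf + n;
}
static void read_word(struct rd *r) {        /* READ_BYTES: two guarded reads */
    uint32_t b0, b1;
    if (r->i_ptr >= r->i_end) refill(r); b0 = *r->i_ptr++;
    if (r->i_ptr >= r->i_end) refill(r); b1 = *r->i_ptr++;   /* may refill */
    r->bit_buffer |= ((b1 << 8) | b0) << (16 - r->bits_left);
    r->bits_left += 16;
}
/* Odd-aligned state from the report: a 1-byte uncompressed block, a 16-bit
 * fetch, then an 8-bit code read; leaves 1 byte in the window, 8 bits buffered. */
static void odd_align(struct rd *r, const uint8_t *src, size_t len) {
    memset(r, 0, sizeof *r); r->src = src; r->len = len;
    refill(r);
    r->i_ptr++;                              /* uncompressed block took 1 byte */
    read_word(r);                            /* bytes 1,2: i_ptr at inbuf+3 */
    r->bits_left -= 8; r->bit_buffer <<= 8;  /* REMOVE_BITS(8) */
}
/* Pre-fix alignment: returns i_ptr's offset from the window start; negative
 * is the one-byte under-read AddressSanitizer reported. */
static ptrdiff_t align_pre_fix(struct rd *r) {
    while (r->bits_left < 16) read_word(r);  /* ENSURE_BITS(16) */
    if (r->bits_left > 16) r->i_ptr -= 2;    /* assumes both bytes are in this window */
    r->bits_left = 0; r->bit_buffer = 0;
    return r->i_ptr - r->inbuf;
}
/* Safe formulation used here (this example's assumption, not necessarily the
 * upstream patch): at most 15 bits are buffered at this point and they are the
 * padding itself; only bits_left == 0 needs a word, so nothing is ever rewound. */
static ptrdiff_t align_safe(struct rd *r) {
    if (r->bits_left == 0) read_word(r);
    r->bits_left = 0; r->bit_buffer = 0;
    return r->i_ptr - r->inbuf;
}
```

With the 4-byte window, the second byte of the alignment fetch comes from a freshly refilled buffer, so the pre-fix rewind cannot be satisfied from the current window.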



Reply sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>:
You have taken responsibility. (Mon, 02 Feb 2015 19:09:17 GMT) (full text, mbox, link).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 02 Feb 2015 19:09:17 GMT) (full text, mbox, link).


Message #13 received at 775499-close@bugs.debian.org (full text, mbox, reply):

From: Marc Dequènes (Duck) <Duck@DuckCorp.org>
To: 775499-close@bugs.debian.org
Subject: Bug#775499: fixed in libmspack 0.5-1
Date: Mon, 02 Feb 2015 19:04:56 +0000
Source: libmspack
Source-Version: 0.5-1

We believe that the bug you reported is fixed in the latest version of
libmspack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775499@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated libmspack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 02 Feb 2015 19:41:59 +0100
Source: libmspack
Binary: libmspack0 libmspack-dev libmspack-dbg libmspack-doc
Architecture: source amd64 all
Version: 0.5-1
Distribution: unstable
Urgency: medium
Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
 libmspack-dbg - library for Microsoft compression formats (debugging symbols)
 libmspack-dev - library for Microsoft compression formats (development files)
 libmspack-doc - library for Microsoft compression formats (documentation)
 libmspack0 - library for Microsoft compression formats (shared library)
Closes: 774665 775498 775499 775687
Changes:
 libmspack (0.5-1) unstable; urgency=medium
 .
   * New upstream fix-only release:
     + Fix previously reported bugs with an upstream approved patch
       (#773041, #774725, #774726)
     + Fixes many security-sensitive bugs (Closes: #775687, #775498,
       #774665, #775499).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 07 Mar 2015 07:36:23 GMT) (full text, mbox, link).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Jun 2015 15:21:10 GMT) (full text, mbox, link).


Changed Bug title to 'libmspack: CVE-2015-4471: off-by-one buffer under-read in mspack/lzxd.c' from 'libmspack: off-by-one(?) buffer under-read in mspack/lzxd.c' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Jun 2015 15:21:11 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jul 2015 07:33:30 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Feb 19 23:10:56 2025; Machine Name: buxtehude
