[Pkg-gtkpod-devel] Bug#858787: libplist: CVE-2017-6437

Salvatore Bonaccorso carnil at debian.org
Mon Mar 27 04:43:52 UTC 2017


On Sun, Mar 26, 2017 at 09:38:20PM +0200, Salvatore Bonaccorso wrote:
> Source: libplist
> Version: 1.12+git+1+e37ca00-0.1
> Severity: important
> Forwarded: https://github.com/libimobiledevice/libplist/issues/100
> 
> Hi,
> 
> the following vulnerability was published for libplist.
> 
> CVE-2017-6437[0]:
> | The base64encode function in base64.c in libimobiledevice libplist
> | 1.12 allows local users to cause a denial of service (out-of-bounds
> | read) via a crafted plist file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-6437
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437
> [1] https://github.com/libimobiledevice/libplist/issues/100
> 
> Please adjust the affected versions in the BTS as needed.

Additionally confirmed by running the reproducer (against the newest version in
sid):

==16290==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5900791 at pc 0xb71e2c2a bp 0xbfdc04a8 sp 0xbfdc049c
READ of size 1 at 0xb5900791 thread T0
    #0 0xb71e2c29 in base64encode src/base64.c:58
    #1 0xb71ea5c7 in node_to_xml src/xplist.c:303
    #2 0xb71eb2e4 in plist_to_xml src/xplist.c:408
    #3 0x804954a in main tools/plistutil.c:151
    #4 0xb7024275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
    #5 0x8048ac0  (/root/libplist-1.12+git+1+e37ca00/tools/.libs/plistutil+0x8048ac0)

0xb5900791 is located 0 bytes to the right of 1-byte region [0xb5900790,0xb5900791)
allocated by thread T0 here:
    #0 0xb72cb194 in malloc (/usr/lib/i386-linux-gnu/libasan.so.3+0xbe194)
    #1 0xb71f44c2 in parse_data_node src/bplist.c:408
    #2 0xb71f7671 in parse_bin_node src/bplist.c:661
    #3 0xb71f876f in parse_bin_node_at_index src/bplist.c:759
    #4 0xb71f8de0 in plist_from_bin src/bplist.c:853
    #5 0x804952a in main tools/plistutil.c:150
    #6 0xb7024275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/base64.c:58 in base64encode
Shadow bytes around the buggy address:
  0x36b200a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b200b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b200c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b200d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b200e0: fa fa fa fa fa fa fa fa fa fa 00 04 fa fa 00 04
=>0x36b200f0: fa fa[01]fa fa fa fd fd fa fa fd fd fa fa 00 04
  0x36b20100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16290==ABORTING

Regards,
Salvatore
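Added illustration (not part of the bug report, and not libplist's base64.c, which this page does not show): the trace above has parse_data_node allocating a 1-byte data node and base64encode reading at offset 1, i.e. the first byte past the allocation. That is the classic shape of a base64 encoder that assembles every output group from three input bytes, including the final partial group, instead of handling a 1- or 2-byte tail explicitly. The constructed C example below models that pattern with an instrumented byte fetch (so it runs cleanly and only counts the reads that would have been out of bounds) and places a bounds-correct encoder next to it. The function names, the fetch helper and the 1-byte sample input are assumptions made for this example; the real reproducer is not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bounds-correct encoder: full 3-byte groups in the loop, then the 1- or
 * 2-byte tail handled explicitly with '=' padding, so no index beyond
 * in[inlen - 1] is ever formed. Returns the encoded length (out is
 * NUL-terminated) or 0 if outcap cannot hold the result. */
size_t base64_encode_checked(const unsigned char *in, size_t inlen,
                             char *out, size_t outcap)
{
    size_t full = inlen / 3, rem = inlen % 3;
    size_t need = (full + (rem ? 1 : 0)) * 4 + 1;
    size_t o = 0, i;

    if (outcap < need)
        return 0;
    for (i = 0; i < full * 3; i += 3) {
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
    }
    if (rem == 1) {
        unsigned v = in[i] << 16;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = '=';
        out[o++] = '=';
    } else if (rem == 2) {
        unsigned v = (in[i] << 16) | (in[i + 1] << 8);
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = '=';
    }
    out[o] = '\0';
    return o;
}

/* Instrumented byte fetch (hypothetical helper for this example): an index
 * at or beyond inlen is counted as an overread and yields 0 instead of
 * touching memory, which is what lets the unchecked model run under ASan. */
static unsigned char fetch(const unsigned char *in, size_t inlen,
                           size_t idx, size_t *overreads)
{
    if (idx >= inlen) {
        (*overreads)++;
        return 0;
    }
    return in[idx];
}

/* Model of the unchecked pattern: every group, the last one included, is
 * built from three reads. For a 1-byte input that is two reads past the
 * end of the allocation (offsets 1 and 2), and the output has no padding.
 * Returns the number of out-of-bounds reads the loop attempted. out must
 * hold ((inlen + 2) / 3) * 4 + 1 bytes. */
size_t base64_encode_unchecked_model(const unsigned char *in, size_t inlen,
                                     char *out)
{
    size_t overreads = 0, o = 0, i;
    for (i = 0; i < inlen; i += 3) {
        unsigned v = (fetch(in, inlen, i, &overreads) << 16)
                   | (fetch(in, inlen, i + 1, &overreads) << 8)
                   |  fetch(in, inlen, i + 2, &overreads);
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
    }
    out[o] = '\0';
    return overreads;
}

/* Does the checked encoder turn in into exactly expected? */
int encodes_to(const char *in, const char *expected)
{
    char out[64];
    size_t n = base64_encode_checked((const unsigned char *)in, strlen(in),
                                     out, sizeof out);
    return n == strlen(expected) && strcmp(out, expected) == 0;
}

/* How many out-of-bounds reads the unchecked model makes on in. */
size_t model_overreads(const char *in)
{
    char out[64];
    return base64_encode_unchecked_model((const unsigned char *)in,
                                         strlen(in), out);
}

int main(void)
{
    /* Constructed input: a 1-byte heap region, the same shape as the data
     * node the ASan report shows parse_data_node allocating. */
    unsigned char *node = malloc(1);
    char out[64];
    size_t bad;

    if (!node)
        return 1;
    node[0] = 'A';
    bad = base64_encode_unchecked_model(node, 1, out);
    printf("unchecked model: \"%s\", %zu read(s) past the 1-byte region\n",
           out, bad);
    base64_encode_checked(node, 1, out, sizeof out);
    printf("checked encoder: \"%s\"\n", out);
    free(node);
    return 0;
}
```

On the 1-byte input the model reports two reads past the end of the region and emits "QQAA" (the two bogus zero bytes encoded as if they were data), while the checked encoder emits "QQ==". Under a real, uninstrumented implementation those two reads are the heap-buffer-overflow ASan flags at base64.c:58; whether they merely crash the tool or leak adjacent heap bytes into the XML output depends on what happens to sit after the allocation, which is why the bug is rated as an out-of-bounds read rather than only a denial of service in a long-running consumer of untrusted plists.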