[Secure-testing-team] Bug#779573: bibtool: heap buffer overflow in the bibtool tests
Vincent Lefevre
vincent at vinc17.net
Mon Mar 2 15:10:43 UTC 2015
Package: bibtool
Version: 2.57+ds-2
Severity: grave
Tags: security upstream
Justification: causes non-serious data loss
As I get random output corruption (see bug 747519) and valgrind
errors, I tried to rebuild the package with:
DEB_CFLAGS_APPEND="-fsanitize=address" debuild -i -us -uc -b
but one test failed with the following error in Test/rewrite_rule_3.err:
=================================================================
==31050==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e218 at pc 0x7fa1ceab91e9 bp 0x7fffbca6c470 sp 0x7fffbca6c468
WRITE of size 8 at 0x60200000e218 thread T0
#0 0x7fa1ceab91e8 in add_rule /home/vlefevre/software/bibtool-2.57+ds/rewrite.c:313
#1 0x7fa1ceabd9f3 in set_rsc include/bibtool/resource.h:60
#2 0x7fa1ceab3e7c in read_rsc /home/vlefevre/software/bibtool-2.57+ds/parse.c:1029
#3 0x7fa1cea9c4f9 in main /home/vlefevre/software/bibtool-2.57+ds/main.c:472
#4 0x7fa1cd3f1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#5 0x7fa1cea9d6a6 (/home/vlefevre/software/bibtool-2.57+ds/bibtool+0x116a6)
0x60200000e218 is located 0 bytes to the right of 8-byte region [0x60200000e210,0x60200000e218)
allocated by thread T0 here:
#0 0x7fa1cd9e673f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x7fa1ceab9123 in add_rule /home/vlefevre/software/bibtool-2.57+ds/rewrite.c:285
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vlefevre/software/bibtool-2.57+ds/rewrite.c:313 add_rule
==31050==ABORTING
The 2.58 version in experimental is affected too.
rewrite.c:313 is:
stack[stackp++] = field;
With the context:
  if ( stackp > stacksize )                                 /* */
  { stacksize += 8;                                         /* */
    if ( (stack=(Uchar**)realloc((char*)stack,              /* */
                                 stacksize*sizeof(char*)))==NULL) /* */
    { OUT_OF_MEMORY("rule stack"); }                        /* */
  }                                                         /* */
  stack[stackp++] = field;                                  /* */
If I understand correctly, it seems that the 8-byte increase is not
sufficient.
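An added illustration of the growth check quoted above (this is not bibtool code and not part of the report; the struct and function names are ours). Valid slots are 0..stacksize-1, and the check only grows the stack once stackp already exceeds stacksize, so the push at stackp == stacksize lands one pointer past the allocation, matching the "0 bytes to the right of 8-byte region" in the ASan output. The second function shows the corrected check beside it.

```c
#include <stdlib.h>

/* Minimal model of the rule stack in add_rule (rewrite.c): a malloc'd
 * array of pointers grown by 8 entries at a time. Names are ours. */
typedef struct {
    char **stack;
    size_t stackp;    /* next free slot */
    size_t stacksize; /* allocated slots */
} rule_stack;

/* Pure arithmetic model of the quoted code: returns 1 if a push with the
 * condition "stackp > stacksize" would write outside the allocation,
 * 0 otherwise. No real out-of-bounds write is performed. */
int buggy_push_overflows(size_t stackp, size_t stacksize)
{
    if (stackp > stacksize)
        stacksize += 8;
    return stackp >= stacksize;  /* slot stackp must be < stacksize */
}

/* Corrected check: grow when the stack is full (stackp == stacksize).
 * Returns 0 on success, -1 where bibtool would call OUT_OF_MEMORY. */
int push_rule(rule_stack *s, char *field)
{
    if (s->stackp >= s->stacksize) {
        size_t n = s->stacksize + 8;
        char **tmp = realloc(s->stack, n * sizeof *tmp);
        if (tmp == NULL)
            return -1;
        s->stack = tmp;
        s->stacksize = n;
    }
    s->stack[s->stackp++] = field;
    return 0;
}

/* Push n rules starting from a one-slot stack (one 8-byte pointer, as in
 * the ASan report) and return how many were stored; 0 on allocation
 * failure. Under -fsanitize=address this runs clean. */
size_t fill_stack(size_t n)
{
    rule_stack s = { malloc(sizeof(char *)), 0, 1 };
    if (s.stack == NULL)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (push_rule(&s, "field") != 0) { free(s.stack); return 0; }
    }
    size_t count = s.stackp;
    free(s.stack);
    return count;
}
```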
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages bibtool depends on:
ii dpkg 1.17.24
ii libc6 2.19-15
ii libkpathsea6 2014.20140926.35254-6
ii tex-common 5.03
bibtool recommends no packages.
bibtool suggests no packages.
-- no debconf information