[Secure-testing-team] Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed

Markus Koschany apo at debian.org
Mon Dec 4 19:13:38 UTC 2017


Package: src:libextractor
Version: 1:1.6-1
Severity: important
Tags: security

Hi,

while I was working on the security update for Wheezy I discovered
that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
and CVE-2017-15602. I could reproduce two segmentation faults with the
provided POCs. They are attached to the upstream bug report:

http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html

Just run "extract -i $POC"

I'm attaching my gdb log files to this bug report.

Regards,

Markus


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
-------------- next part --------------
Starting program: /usr/bin/extract -i extract-nsf_extract_method-nsf_extractor-164.crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff3e3d700 (LWP 26451)]
[New Thread 0x7fffd8f13700 (LWP 26452)]
[Thread 0x7fffd8f13700 (LWP 26452) exited]

Thread 1 "extract" received signal SIGSEGV, Segmentation fault.
0x00007fffd810b6cc in EXTRACTOR_xm_extract_method () from /usr/lib/x86_64-linux-gnu/libextractor/libextractor_xm.so
#0  0x00007fffd810b6cc in EXTRACTOR_xm_extract_method () from /usr/lib/x86_64-linux-gnu/libextractor/libextractor_xm.so
No symbol table info available.
#1  0x00007ffff7bd316d in ?? () from /usr/lib/x86_64-linux-gnu/libextractor.so.3
No symbol table info available.
#2  0x00007ffff7bd34b4 in EXTRACTOR_extract () from /usr/lib/x86_64-linux-gnu/libextractor.so.3
No symbol table info available.
#3  0x0000555555556360 in main (argc=<optimized out>, argv=<optimized out>) at extract.c:983
        i = 2
        plugins = 0x5555557642e0
        option_index = 0
        c = <optimized out>
        libraries = <optimized out>
        nodefault = <optimized out>
        defaultAll = <optimized out>
        bibtex = 0
        grepfriendly = 0
        ret = 0
        processor = 0x5555555569f0 <print_selected_keywords>
-------------- next part --------------
Starting program: /usr/bin/extract -i bin_6iRW3tXve.bin
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff3e3d700 (LWP 27320)]

Thread 1 "extract" received signal SIGSEGV, Segmentation fault.
0x00007ffff755061e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#0  0x00007ffff755061e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x00007fffe90bce6d in ?? () from /usr/lib/x86_64-linux-gnu/libgme.so.0
No symbol table info available.
#2  0x00007fffe90bcc8a in ?? () from /usr/lib/x86_64-linux-gnu/libgme.so.0
No symbol table info available.
#3  0x00007fffe90e0232 in ?? () from /usr/lib/x86_64-linux-gnu/libgme.so.0
No symbol table info available.
#4  0x00007fffe90e05f3 in ?? () from /usr/lib/x86_64-linux-gnu/libgme.so.0
No symbol table info available.
#5  0x00007fffe90c094e in ?? () from /usr/lib/x86_64-linux-gnu/libgme.so.0
No symbol table info available.
#6  0x00007fffe90bfb7c in gme_load_data () from /usr/lib/x86_64-linux-gnu/libgme.so.0
No symbol table info available.
#7  0x00007fffe90bfc34 in gme_open_data () from /usr/lib/x86_64-linux-gnu/libgme.so.0
No symbol table info available.
#8  0x00007ffff0f46582 in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
No symbol table info available.
#9  0x00007ffff1035170 in avformat_open_input () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
No symbol table info available.
#10 0x00007ffff1571a36 in EXTRACTOR_previewopus_extract_method ()
   from /usr/lib/x86_64-linux-gnu/libextractor/libextractor_previewopus.so
No symbol table info available.
#11 0x00007ffff7bd316d in ?? () from /usr/lib/x86_64-linux-gnu/libextractor.so.3
No symbol table info available.
#12 0x00007ffff7bd34b4 in EXTRACTOR_extract () from /usr/lib/x86_64-linux-gnu/libextractor.so.3
No symbol table info available.
#13 0x0000555555556360 in main (argc=<optimized out>, argv=<optimized out>) at extract.c:983
        i = 2
        plugins = 0x5555557642c0
        option_index = 0
        c = <optimized out>
        libraries = <optimized out>
        nodefault = <optimized out>
        defaultAll = <optimized out>
        bibtex = 0
        grepfriendly = 0
        ret = 0
        processor = 0x5555555569f0 <print_selected_keywords>
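The two attached gdb logs point at different places: in the first, the faulting frame is inside libextractor's own xm plugin, while in the second the fault is in libc, reached through libgme and libavformat, with the previewopus plugin only further up the stack. When triaging a batch of such crash logs it helps to automate that distinction. The following is an added example, not code from the bug report or from the libextractor project: it parses gdb backtrace lines (including the two-line frame where gdb wraps the "from" clause) and attributes each crash to the libextractor plugin that was on the stack, using abridged copies of the traces attached above as sample input. The plugin directory string `/libextractor/` is assumed from the paths shown in the logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Abridged copies of the two backtraces attached to Bug#883528.
TRACE_XM = """\
Thread 1 "extract" received signal SIGSEGV, Segmentation fault.
0x00007fffd810b6cc in EXTRACTOR_xm_extract_method () from /usr/lib/x86_64-linux-gnu/libextractor/libextractor_xm.so
#0  0x00007fffd810b6cc in EXTRACTOR_xm_extract_method () from /usr/lib/x86_64-linux-gnu/libextractor/libextractor_xm.so
No symbol table info available.
#1  0x00007ffff7bd316d in ?? () from /usr/lib/x86_64-linux-gnu/libextractor.so.3
No symbol table info available.
#2  0x00007ffff7bd34b4 in EXTRACTOR_extract () from /usr/lib/x86_64-linux-gnu/libextractor.so.3
No symbol table info available.
#3  0x0000555555556360 in main (argc=<optimized out>, argv=<optimized out>) at extract.c:983
        i = 2
"""

TRACE_OPUS = """\
#0  0x00007ffff755061e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x00007fffe90bce6d in ?? () from /usr/lib/x86_64-linux-gnu/libgme.so.0
#6  0x00007fffe90bfb7c in gme_load_data () from /usr/lib/x86_64-linux-gnu/libgme.so.0
#9  0x00007ffff1035170 in avformat_open_input () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#10 0x00007ffff1571a36 in EXTRACTOR_previewopus_extract_method ()
   from /usr/lib/x86_64-linux-gnu/libextractor/libextractor_previewopus.so
No symbol table info available.
#12 0x00007ffff7bd34b4 in EXTRACTOR_extract () from /usr/lib/x86_64-linux-gnu/libextractor.so.3
#13 0x0000555555556360 in main (argc=<optimized out>, argv=<optimized out>) at extract.c:983
"""


@dataclass
class Frame:
    index: int
    address: str
    function: str
    library: Optional[str]  # shared object for "from ..." frames, else None
    source: Optional[str]   # file:line for "at ..." frames, else None


# One gdb frame: "#N  0xADDR in FUNC (ARGS) from LIB" or "... at FILE:LINE".
FRAME_RE = re.compile(
    r'^#(?P<idx>\d+)\s+(?P<addr>0x[0-9a-f]+) in (?P<func>\S+) \((?P<args>.*?)\)'
    r'(?:\s+from (?P<lib>\S+)|\s+at (?P<src>\S+))?\s*$'
)

# Directory that holds the per-format plugins (assumed from the paths in the logs).
PLUGIN_DIR = '/libextractor/'


def _join_continuations(text: str) -> List[str]:
    """Re-attach gdb's wrapped '   from LIB' lines to the frame they belong to."""
    lines: List[str] = []
    for line in text.splitlines():
        if line.startswith(' ') and line.strip().startswith(('from ', 'at ')) and lines:
            lines[-1] = lines[-1] + ' ' + line.strip()
        else:
            lines.append(line)
    return lines


def parse_backtrace(text: str) -> List[Frame]:
    """Return the numbered frames of a gdb 'bt' / 'bt full' dump, innermost first."""
    frames = []
    for line in _join_continuations(text):
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m['idx']), m['addr'], m['func'], m['lib'], m['src']))
    return frames


def attribute_crash(text: str) -> Optional[dict]:
    """Name the faulting object and the libextractor plugin that led to it."""
    frames = parse_backtrace(text)
    if not frames:
        return None
    faulting = frames[0]
    # Innermost frame that lives in the plugin directory, if any.
    plugin = next((f for f in frames if f.library and PLUGIN_DIR in f.library), None)
    return {
        'faulting_object': faulting.library or faulting.source,
        'faulting_function': faulting.function,
        'plugin': plugin.library.rsplit('/', 1)[-1] if plugin else None,
        'plugin_function': plugin.function if plugin else None,
        # True when the crash is in the plugin's own code rather than a library it calls.
        'fault_inside_plugin': plugin is not None and faulting is plugin,
    }


if __name__ == '__main__':
    for name, trace in (('xm', TRACE_XM), ('previewopus', TRACE_OPUS)):
        print(name, attribute_crash(trace))
```

Running the script reports the first crash as inside `libextractor_xm.so` itself, and the second as a fault in libc reached through `libextractor_previewopus.so`, which is the distinction a maintainer needs when deciding whether a fix belongs in libextractor or in one of the libraries it delegates to.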

