[Secure-testing-team] Bug#857466: r-base: CVE-2016-8714: R: Buffer overflow in the LoadEncoding functionality

Salvatore Bonaccorso carnil at debian.org
Sat Mar 11 16:56:57 UTC 2017


Source: r-base
Version: 3.1.1-1
Severity: grave
Tags: patch security upstream fixed-upstream
Justification: user security hole
Control: fixed -1 3.3.3-1 

Hi,

the following vulnerability was published for r-base.

CVE-2016-8714[0]:
| An exploitable buffer overflow vulnerability exists in the
| LoadEncoding functionality of the R programming language version
| 3.3.0. A specially crafted R script can cause a buffer overflow
| resulting in a memory corruption. An attacker can send a malicious R
| script to trigger this vulnerability.

The relevant changes seem to be the following, but I might be mistaken. (btw,
is there a VCS repository for r-base or does upstream not share development
VCS?)

----cut---------cut---------cut---------cut---------cut---------cut-----
--- r-base-3.3.2/src/library/grDevices/src/devPS.c      2016-01-05 00:15:05.000000000 +0100
+++ r-base-3.3.3/src/library/grDevices/src/devPS.c      2017-01-17 00:15:12.000000000 +0100
@@ -412,10 +412,10 @@
        /* check for incomplete encoding file */
        if(!state->p) return 1;
        while (isspace((int)* state->p)) state->p++;
-       if (state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; }
+       if (*state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; }
        state->p0 = state->p;
        while (!isspace((int)*state->p)) state->p++;
-       if (state->p != '\0') *state->p++ = '\0';
+       if (*state->p != '\0') *state->p++ = '\0';
        if(c == 45) strcpy(dest, "/minus"); else strcpy(dest, state->p0);
        break;
     }
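Review bot: the two corrected conditions now test the character rather than the pointer, but `strcpy(dest, state->p0)` on the last line of the hunk is still an unbounded copy of a token whose length is chosen by the encoding file, so `dest` (the caller's `buf`) can still be overrun by one long token; pass the size of `dest` into the function and either reject a token that does not fit or copy with `strncpy(dest, state->p0, destsz - 1)` and terminate explicitly. Separately, `isspace((int)*state->p)` on a plain `char` passes negative values for bytes >= 0x80, which is undefined behaviour for the ctype functions; cast through `unsigned char` instead.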
@@ -513,13 +513,15 @@
        if (!(fp = R_fopen(R_ExpandFileName(buf), "r"))) return 0;
     }
     if (GetNextItem(fp, buf, -1, &state)) return 0; /* encoding name */
-    strcpy(encname, buf+1);
+    strncpy(encname, buf+1, 99); 
+    encname[99] = '\0';
     if (!isPDF) snprintf(enccode, 5000, "/%s [\n", encname);
     else enccode[0] = '\0';
     if (GetNextItem(fp, buf, 0, &state)) { fclose(fp); return 0;} /* [ */
     for(i = 0; i < 256; i++) {
        if (GetNextItem(fp, buf, i, &state)) { fclose(fp); return 0; }
-       strcpy(encnames[i].cname, buf+1);
+       strncpy(encnames[i].cname, buf+1, 39);
+       encnames[i].cname[39] = '\0';
        strcat(enccode, " /"); strcat(enccode, encnames[i].cname);
        if(i%8 == 7) strcat(enccode, "\n");
     }
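Review bot: the loop at the end of the hunk still builds `enccode` with unbounded `strcat`, and this remains an overflow: the `snprintf(enccode, 5000, ...)` a few lines up shows the buffer is 5000 bytes, yet 256 names of up to 39 bytes plus the " /" separator and the newlines come to well over 10,000 bytes, so bounding `encnames[i].cname` to 39 does not bound `enccode`; track the remaining space (or append with `snprintf` at an offset) and `fclose(fp); return 0;` when it would be exceeded. Two smaller points: the literals 99 and 39 repeat the declared sizes of `encname` and `cname`, which are not visible here, and will silently drift if those declarations change, so derive them from the declaration where that is possible; and silently truncating an over-long name with `strncpy` rather than failing the load is questionable for a name that is then emitted into the PostScript prologue.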
----cut---------cut---------cut---------cut---------cut---------cut-----

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Can you as well please make sure with the release team that the fix might enter
for stretch?

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8714
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8714
[1] http://www.talosintelligence.com/reports/TALOS-2016-0227/

Regards,
Salvatore
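As an added illustration, not part of this mail and not R's own source, the following C program shows what a bounded version of the tokenizer behind LoadEncoding looks like: it dereferences before comparing with '\0', never scans past the terminating NUL, refuses (rather than truncates) tokens that do not fit their destination, and treats an input that ends mid-list as an error. The function names `next_item` and `parse_encoding`, the constants `NAME_MAX_LEN` and `NGLYPHS`, and the sample encoding text are assumptions made for this example; real R encoding files carry 256 glyph names.

```c
/* Added example (not R's code): a bounded tokenizer for the encoding-file
 * layout LoadEncoding reads ("/Name", "[", glyph names, "]").  Function
 * names, NAME_MAX_LEN, NGLYPHS and the sample input are assumptions made
 * for this illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 39   /* assumed: a 40-byte name field, matching the patch's 39 */
#define NGLYPHS      8    /* assumed: shrunk from 256 to keep the sample short */

/* Fetch the next whitespace-delimited token from *pp into dest.
 * Returns 0 on success, -1 at end of input, -2 if the token does not fit.
 * A '%' starts a comment that runs to end of line.  The character, not the
 * pointer, is compared with '\0', so the scan can never run past the NUL. */
int next_item(const char **pp, char *dest, size_t destsz)
{
    const char *p = *pp;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;   /* unsigned: bytes >= 0x80 are safe */
        if (*p == '\0') { *pp = p; return -1; }
        if (*p != '%') break;
        while (*p != '\0' && *p != '\n') p++;     /* skip comment line */
    }
    const char *start = p;
    while (*p != '\0' && !isspace((unsigned char)*p)) p++;
    size_t len = (size_t)(p - start);
    *pp = p;
    if (destsz == 0 || len > destsz - 1) return -2; /* reject, do not truncate */
    memcpy(dest, start, len);
    dest[len] = '\0';
    return 0;
}

/* Parse "/EncName [ /g0 ... /gN-1 ]".  Returns the number of glyph names
 * stored, or -1 for truncated, malformed or oversized input. */
int parse_encoding(const char *text, char *encname, size_t encnamesz,
                   char names[][NAME_MAX_LEN + 1], int nnames)
{
    const char *p = text;
    char tok[256];
    if (next_item(&p, tok, sizeof tok) != 0 || tok[0] != '/') return -1;
    if (strlen(tok + 1) >= encnamesz) return -1;          /* encoding name too long */
    strcpy(encname, tok + 1);                             /* length checked above */
    if (next_item(&p, tok, sizeof tok) != 0 || strcmp(tok, "[") != 0) return -1;
    for (int i = 0; i < nnames; i++) {
        if (next_item(&p, tok, sizeof tok) != 0 || tok[0] != '/') return -1;
        if (strlen(tok + 1) > NAME_MAX_LEN) return -1;    /* fail, do not truncate */
        strcpy(names[i], tok + 1);
    }
    if (next_item(&p, tok, sizeof tok) != 0 || strcmp(tok, "]") != 0) return -1;
    return nnames;
}

/* Constructed sample input, not a real R encoding file. */
static const char sample_file[] =
    "% constructed sample\n"
    "/TestEncoding\n"
    "[\n"
    "/space /exclam /quotedbl /numbersign\n"
    "/dollar /percent /ampersand /quotesingle\n"
    "]";

/* Returns 1 when the sample parses to the expected name and glyph list. */
int sample_parses(void)
{
    char encname[100], names[NGLYPHS][NAME_MAX_LEN + 1];
    int n = parse_encoding(sample_file, encname, sizeof encname, names, NGLYPHS);
    return n == NGLYPHS && strcmp(encname, "TestEncoding") == 0
        && strcmp(names[0], "space") == 0 && strcmp(names[7], "quotesingle") == 0;
}

/* A 40-character glyph name must be rejected, not silently cut to 39. */
int rejects_long_name(void)
{
    char encname[100], names[NGLYPHS][NAME_MAX_LEN + 1];
    const char *bad = "/E [ /" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" " ]";
    return parse_encoding(bad, encname, sizeof encname, names, NGLYPHS);
}

/* Input that ends mid-list: the "incomplete encoding file" case. */
int rejects_truncated(void)
{
    char encname[100], names[NGLYPHS][NAME_MAX_LEN + 1];
    return parse_encoding("/E [ /a /b", encname, sizeof encname, names, NGLYPHS);
}

/* A token longer than its destination is refused by next_item itself. */
int refuses_oversized_token(void)
{
    const char *p = "/abcdef";
    char small[4];
    return next_item(&p, small, sizeof small);
}

int main(void)
{
    printf("sample: %d long-name: %d truncated: %d oversized: %d\n",
           sample_parses(), rejects_long_name(), rejects_truncated(),
           refuses_oversized_token());
    return 0;
}
```

The design choice worth noting is that every copy is preceded by a length check against the destination's real size, and an over-long name fails the whole load instead of being shortened: a truncated glyph name would still be emitted into the PostScript prologue and would silently change what the device prints.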


