[Secure-testing-team] Bug#874060: unrar-free: stack overread vulnerability

Salvatore Bonaccorso carnil at debian.org
Sat Sep 2 15:20:04 UTC 2017


Source: unrar-free
Version: 1:0.0.1+cvs20140707-1
Severity: grave
Tags: security upstream

Hi

From http://www.openwall.com/lists/oss-security/2017/08/20/1

Issue 2: Stack overread

A malformed archive can cause a stack overread, detectable with asan.
This issue doesn't happen reliably, I haven't investigated further.

==2585==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff76184120 at pc 0x000000445d25 bp 0x7fff76183ef0 sp 0x7fff761836a0
READ of size 519 at 0x7fff76184120 thread T0
    #0 0x445d24 in __interceptor_strchr.part.33 (/r/unrar-gpl/unrar+0x445d24)
    #1 0x516d0d in stricomp /f/unrar-gpl/unrar/src/unrarlib.c:851:19
    #2 0x511613 in ExtrFile /f/unrar-gpl/unrar/src/unrarlib.c:745:20
    #3 0x510b02 in urarlib_get /f/unrar-gpl/unrar/src/unrarlib.c:303:13
    #4 0x50b249 in unrar_extract_file /f/unrar-gpl/unrar/src/unrar.c:343:8
    #5 0x50be32 in unrar_extract /f/unrar-gpl/unrar/src/unrar.c:483:9
    #6 0x50c69c in main /f/unrar-gpl/unrar/src/unrar.c:556:14
    #7 0x7f632d3834f0 in __libc_start_main (/lib64/libc.so.6+0x204f0)
    #8 0x419e19 in _start (/r/unrar-gpl/unrar+0x419e19)

Address 0x7fff76184120 is located in stack of thread T0 at offset 544 in frame
    #0 0x516c1f in stricomp /f/unrar-gpl/unrar/src/unrarlib.c:844

  This frame has 2 object(s):
    [32, 544) 'S1'
    [608, 1120) 'S2' <== Memory access at offset 544 partially underflows this variable

Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unrar-gpl-stack-overread.rar
Type: application/x-rar
Size: 26 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20170902/824784b2/attachment.bin>
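Added example, not part of the original report and not unrarlib code: the ASan frame shows strchr reading past the 512-byte stack object 'S1' in stricomp, which is consistent with a fixed-size stack copy left without a terminator. The strncpy copy below is an assumed pattern (the unrarlib.c source is not shown in the report), and copy_is_terminated, stricomp_safe and long_name_case are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 512 /* size of the S1/S2 stack objects in the ASan frame */

/* Assumed copy pattern: strncpy() writes no terminator when src holds
 * NAME_BUF or more bytes. Returns 1 if the copy is terminated inside the
 * buffer, 0 if a later strchr()/strlen() on it would run off the end. */
int copy_is_terminated(const char *src)
{
    char s1[NAME_BUF];
    strncpy(s1, src, sizeof(s1));
    return memchr(s1, '\0', sizeof(s1)) != NULL;
}

/* Hardened comparison: case-insensitive, walks both inputs in place and
 * stops at the first terminator, so no fixed-size stack copy exists. */
int stricomp_safe(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = toupper((unsigned char)*a);
        int cb = toupper((unsigned char)*b);
        if (ca != cb || ca == '\0')
            return ca - cb;
    }
}

/* Constructed input: a terminated name of exactly len 'a' bytes. */
int long_name_case(size_t len)
{
    char name[NAME_BUF * 2];
    if (len >= sizeof(name))
        return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    return copy_is_terminated(name);
}

int main(void)
{
    printf("511-byte name terminated in copy: %d\n", long_name_case(511));
    printf("512-byte name terminated in copy: %d\n", long_name_case(512));
    return stricomp_safe("FILE.TXT", "file.txt");
}
```

Building a real reproducer run with -fsanitize=address is what produced the report above; this example only checks for the missing terminator with memchr, so it never performs the out-of-bounds read itself.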