[Pkg-gtkpod-devel] Bug#860945: libplist: CVE-2017-7982: denial of service (heap-based buffer over-read and application crash) via a crafted plist file
Salvatore Bonaccorso
carnil at debian.org
Sat Apr 22 10:58:13 UTC 2017
Source: libplist
Version: 1.12+git+1+e37ca00-0.2
Severity: important
Tags: patch upstream security
Forwarded: https://github.com/libimobiledevice/libplist/issues/103
Hi,
the following vulnerability was published for libplist.
CVE-2017-7982[0]:
| Integer overflow in the plist_from_bin function in bplist.c in
| libimobiledevice/libplist before 2017-04-19 allows remote attackers to
| cause a denial of service (heap-based buffer over-read and application
| crash) via a crafted plist file.
Reproducible to verify a fix with an ASAN build on i386:
# ASAN_OPTIONS="detect_leaks=0" ./tools/plistutil -i /root/bplist_c_733.txt
=================================================================
==18545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb53018c8 at pc 0x800d9181 bp 0xbfe441d8 sp 0xbfe441cc
READ of size 8 at 0xb53018c8 thread T0
#0 0x800d9180 in parse_bin_node_at_index /root/libplist-1.12+git+1+e37ca00/src/bplist.c:733
#1 0x800da0d1 in plist_from_bin /root/libplist-1.12+git+1+e37ca00/src/bplist.c:857
#2 0x800c9db5 in main /root/libplist-1.12+git+1+e37ca00/tools/plistutil.c:150
#3 0xb6feb275 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18275)
#4 0x800c9280 (/root/libplist-1.12+git+1+e37ca00/tools/plistutil+0x2280)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libplist-1.12+git+1+e37ca00/src/bplist.c:733 in parse_bin_node_at_index
Shadow bytes around the buggy address:
0x36a602c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a602d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a602e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a602f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 05 fa
0x36a60300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a60310: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
0x36a60320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a60330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a60340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a60350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a60360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18545==ABORTING
The issue is, AFAICT, "covered" for previous versions due to
dccd9290745345896e3a4a73154576a599fd8b7b, which is CVE-2017-6440 (no-dsa in
jessie)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-7982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7982
[1] https://github.com/libimobiledevice/libplist/issues/103
[2] https://github.com/libimobiledevice/libplist/commit/fdebf8b319b9280cd0e9b4382f2c7cbf26ef9325
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
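As an added example (not code from libplist, from the upstream fix in [2], or from this report), the following C shows how a binary plist trailer and its offset table can be validated so that a file-controlled object count can never produce a wrapped product and an out-of-bounds read; the type and function names, the 42-byte sample file, and the checks themselves are illustrative assumptions, not libplist's own code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define BPLIST_MAGIC "bplist00"
#define TRAILER_LEN 32
typedef struct { uint8_t offset_size, ref_size; uint64_t num_objects, root_object, table_offset; } bplist_trailer_t;
static uint64_t be_uint(const uint8_t *p, unsigned n) { uint64_t v = 0; while (n--) v = (v << 8) | *p++; return v; }
/* Validate the trailer so every later offset-table index is provably inside [data, data+len).
 * Returns 1 on a consistent trailer, 0 on anything that would read past the buffer. */
int bplist_trailer_check(const uint8_t *data, size_t len, bplist_trailer_t *out)
{
    if (!data || len < 8 + TRAILER_LEN || memcmp(data, BPLIST_MAGIC, 8) != 0) return 0;
    const uint8_t *t = data + len - TRAILER_LEN;
    bplist_trailer_t tr = { t[6], t[7], be_uint(t + 8, 8), be_uint(t + 16, 8), be_uint(t + 24, 8) };
    if (tr.offset_size < 1 || tr.offset_size > 8 || tr.ref_size < 1 || tr.ref_size > 8) return 0;
    if (tr.num_objects == 0 || tr.root_object >= tr.num_objects) return 0;
    size_t table_limit = len - TRAILER_LEN;                 /* the table must end before the trailer */
    if (tr.table_offset < 8 || tr.table_offset >= table_limit) return 0;
    /* Compare against the room left WITHOUT forming num_objects * offset_size: that product is
     * the file-controlled arithmetic that can wrap to a small value, e.g. on a 32-bit size_t. */
    if (tr.num_objects > (table_limit - tr.table_offset) / tr.offset_size) return 0;
    if (out) *out = tr;
    return 1;
}
/* Read offset-table entry idx of a trailer that passed bplist_trailer_check; 1 on success. */
int bplist_object_offset(const uint8_t *data, const bplist_trailer_t *tr, uint64_t idx, uint64_t *off)
{
    if (idx >= tr->num_objects) return 0;
    uint64_t v = be_uint(data + tr->table_offset + idx * tr->offset_size, tr->offset_size);
    if (v < 8 || v >= tr->table_offset) return 0;           /* the object must lie in the object area */
    *off = v;
    return 1;
}
/* Constructed 42-byte sample: boolean object (0x09) at offset 8, its offset-table entry at 9, then the
 * 32-byte trailer; num_objects and offset_size are parameters so a hostile trailer can be built too. */
size_t bplist_build_sample(uint8_t buf[42], uint64_t num_objects, uint8_t offset_size)
{
    memcpy(buf, BPLIST_MAGIC, 8); buf[8] = 0x09; buf[9] = 0x08;
    memset(buf + 10, 0, TRAILER_LEN); buf[16] = offset_size; buf[17] = 1; buf[41] = 9;
    for (int i = 0; i < 8; i++) buf[18 + i] = (uint8_t)(num_objects >> (56 - 8 * i));
    return 42;
}
/* 1 when the sane file is accepted and the hostile one rejected: there num_objects * offset_size
 * equals 2^64, which a naive "start + count * size <= limit" test would treat as zero bytes. */
int bplist_demo(void)
{
    uint8_t good[42], bad[42]; bplist_trailer_t tr; uint64_t off = 0;
    size_t n = bplist_build_sample(good, 1, 1);
    bplist_build_sample(bad, 0x2000000000000000ULL, 8);
    int ok = bplist_trailer_check(good, n, &tr) && bplist_object_offset(good, &tr, tr.root_object, &off) && off == 8;
    return ok && !bplist_trailer_check(bad, n, NULL);
}
```

The division-based bound is the point: it rejects the hostile trailer regardless of the width of size_t, whereas the multiplied form only fails loudly under ASAN, as in the trace above.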