Bug 17013

Summary: exfat-utils new security issues fixed upstream in 1.2.1 (CVE-2015-8026)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, jani.valimaa, sysadmin-bugs, yann.cantin
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/662905/
Whiteboard: advisory has_procedure mga5-32-ok
Source RPM: exfat-utils-1.1.1-2.mga6.src.rpm

Description David Walser 2015-10-25 17:01:03 CET
Two security issues were reported in exfat-utils:
http://openwall.com/lists/oss-security/2015/10/24/1

The upstream commits to fix the issues are linked in the message above.  They are also fixed in 1.2.1.

David Walser 2015-10-25 17:01:19 CET

CC: (none) => yann.cantin
Whiteboard: (none) => MGA5TOO

Comment 1 Jani Välimaa 2015-10-25 17:49:29 CET
Pushed 1.2.1 to Cauldron and added patches from upstream to mga5's 1.1.0.

RPM/SRPM: exfat-utils-1.1.0-3.1.mga5

Suggested advisory:
####
Fix heap overflow and endless loop in exfatfsck

exfat-utils is a collection of tools to work with the exFAT filesystem.
Fuzzing the exfatfsck with american fuzzy lop led to the discovery of a
write heap overflow and an endless loop.

Especially at risk are systems that are configured to run filesystem
checks automatically on external devices like USB flash drives.

A malformed input can cause a write heap overflow in the function
verify_vbr_checksum. It might be possible to use this for code
execution.

Another malformed input can cause an endless loop, leading to a
possible denial of service.

References:
https://bugs.mageia.org/show_bug.cgi?id=17013
http://openwall.com/lists/oss-security/2015/10/24/1
####

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Dave Hodgins 2015-10-25 23:46:27 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5TOO => MGA5TOO advisory

David Walser 2015-10-26 02:46:17 CET

Version: Cauldron => 5
Whiteboard: MGA5TOO advisory => advisory

Comment 2 David Walser 2015-10-29 21:54:26 CET
CVE-2015-8026 assigned for the heap overflow:
http://openwall.com/lists/oss-security/2015/10/29/13

There's no CVE for the endless loop.

Please update the advisory.

Summary: exfat-utils new security issues fixed upstream in 1.2.1 => exfat-utils new security issues fixed upstream in 1.2.1 (CVE-2015-8026)

Comment 3 claire robinson 2015-11-02 16:46:24 CET
Testing complete mga5 32

Used test file from openwall report.

$ curl -O  https://crashes.fuzzing-project.org/exfatfsck-heap-overflow-write-verify_vbr_checksum


Before
======
# exfatfsck /home/claire/test/exfatfsck-heap-overflow-write-verify_vbr_checksum
exfatfsck 1.1.0
ERROR: invalid VBR checksum 0x45303030 (expected 0xbb38a2da).
*** Error in `exfatfsck': free(): invalid next size (fast): 0x08b9d080 ***
*** Error in `exfatfsck': malloc(): memory corruption: 0x08b9d090 ***

^C


After
=====
# exfatfsck /home/claire/test/exfatfsck-heap-overflow-write-verify_vbr_checksum
exfatfsck 1.1.0
ERROR: too big cluster size: 2^(48+48).

Whiteboard: advisory => advisory has_procedure mga5-32-ok
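
Added example, not part of the bug thread and not exfat-utils code: the "After" run in comment 3 shows the patched exfatfsck rejecting the boot sector's size fields (2^(48+48)) instead of reaching the VBR checksum step. The C sketch below shows that kind of check on media-supplied shift values; the helper names are hypothetical, the field offsets and limits are taken from the exFAT specification, and the sample boot sector is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Offsets of the shift fields in the exFAT boot sector (exFAT specification). */
#define OFF_SECTOR_BITS 108   /* BytesPerSectorShift */
#define OFF_SPC_BITS    109   /* SectorsPerClusterShift */
#define BOOT_SECTOR_LEN 512

enum geom_status { GEOM_OK, GEOM_SHORT, GEOM_SECTOR_SMALL, GEOM_SECTOR_BIG, GEOM_CLUSTER_BIG };

/* Hypothetical helper (assumption, not an exfat-utils function): validate the
 * on-disk shifts before any buffer size or read length is derived from them. */
enum geom_status check_geometry(const uint8_t *boot, size_t len,
                                size_t *sector_size, size_t *cluster_size)
{
    if (boot == NULL || len < BOOT_SECTOR_LEN)
        return GEOM_SHORT;
    unsigned sector_bits = boot[OFF_SECTOR_BITS];
    unsigned spc_bits = boot[OFF_SPC_BITS];
    if (sector_bits < 9)                 /* sectors are at least 512 bytes */
        return GEOM_SECTOR_SMALL;
    if (sector_bits + spc_bits > 25)     /* clusters are at most 32 MiB */
        return GEOM_CLUSTER_BIG;
    if (sector_bits > 12)                /* sectors are at most 4096 bytes */
        return GEOM_SECTOR_BIG;
    *sector_size = (size_t)1 << sector_bits;
    *cluster_size = (size_t)1 << (sector_bits + spc_bits);
    return GEOM_OK;
}

/* Constructed sample: a zeroed 512-byte boot sector with the given shift bytes. */
enum geom_status check_sample(uint8_t sector_bits, uint8_t spc_bits, size_t *ss, size_t *cs)
{
    uint8_t boot[BOOT_SECTOR_LEN];
    memset(boot, 0, sizeof boot);
    boot[OFF_SECTOR_BITS] = sector_bits;
    boot[OFF_SPC_BITS] = spc_bits;
    return check_geometry(boot, sizeof boot, ss, cs);
}

int main(void)
{
    size_t ss = 0, cs = 0;
    /* 48 and 48 are the shift values printed in the "After" run in comment 3. */
    return check_sample(48, 48, &ss, &cs) == GEOM_CLUSTER_BIG ? 0 : 1;
}
```

The output sizes are written only on GEOM_OK, so a caller that ignores the status never sees a size derived from unchecked fields.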

claire robinson 2015-11-02 16:51:51 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-11-02 21:22:23 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0422.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-11-03 20:48:14 CET

URL: (none) => http://lwn.net/Vulnerabilities/662905/