Bug 17013 - exfat-utils new security issues fixed upstream in 1.2.1 (CVE-2015-8026)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/662905/
Whiteboard: advisory has_procedure mga5-32-ok
Keywords: validated_update
 
Reported: 2015-10-25 17:01 CET by David Walser
Modified: 2015-11-03 20:48 CET

Source RPM: exfat-utils-1.1.1-2.mga6.src.rpm

Description David Walser 2015-10-25 17:01:03 CET
Two security issues were reported in exfat-utils:
http://openwall.com/lists/oss-security/2015/10/24/1

The upstream commits to fix the issues are linked in the message above.  They are also fixed in 1.2.1.

David Walser 2015-10-25 17:01:19 CET

CC: (none) => yann.cantin
Whiteboard: (none) => MGA5TOO

Comment 1 Jani Välimaa 2015-10-25 17:49:29 CET
Pushed 1.2.1 to Cauldron and added patches from upstream to mga5's 1.1.0.

RPM/SRPM: exfat-utils-1.1.0-3.1.mga5

Suggested advisory:
####
Fix heap overflow and endless loop in exfatfsck

exfat-utils is a collection of tools to work with the exFAT filesystem.
Fuzzing the exfatfsck with american fuzzy lop led to the discovery of a
write heap overflow and an endless loop.

Especially at risk are systems that are configured to run filesystem
checks automatically on external devices like USB flash drives.

A malformed input can cause a write heap overflow in the function
verify_vbr_checksum. It might be possible to use this for code
execution.

Another malformed input can cause an endless loop, leading to a
possible denial of service.

References:
https://bugs.mageia.org/show_bug.cgi?id=17013
http://openwall.com/lists/oss-security/2015/10/24/1
####

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Dave Hodgins 2015-10-25 23:46:27 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5TOO => MGA5TOO advisory

David Walser 2015-10-26 02:46:17 CET

Version: Cauldron => 5
Whiteboard: MGA5TOO advisory => advisory

Comment 2 David Walser 2015-10-29 21:54:26 CET
CVE-2015-8026 assigned for the heap overflow:
http://openwall.com/lists/oss-security/2015/10/29/13

There's no CVE for the endless loop.

Please update the advisory.

Summary: exfat-utils new security issues fixed upstream in 1.2.1 => exfat-utils new security issues fixed upstream in 1.2.1 (CVE-2015-8026)

Comment 3 claire robinson 2015-11-02 16:46:24 CET
Testing complete mga5 32

Used test file from openwall report.

$ curl -O  https://crashes.fuzzing-project.org/exfatfsck-heap-overflow-write-verify_vbr_checksum


Before
======
# exfatfsck /home/claire/test/exfatfsck-heap-overflow-write-verify_vbr_checksum
exfatfsck 1.1.0
ERROR: invalid VBR checksum 0x45303030 (expected 0xbb38a2da).
*** Error in `exfatfsck': free(): invalid next size (fast): 0x08b9d080 ***
*** Error in `exfatfsck': malloc(): memory corruption: 0x08b9d090 ***

^C


After
=====
# exfatfsck /home/claire/test/exfatfsck-heap-overflow-write-verify_vbr_checksum
exfatfsck 1.1.0
ERROR: too big cluster size: 2^(48+48).

Whiteboard: advisory => advisory has_procedure mga5-32-ok
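
The patched build in the test above rejects the image with "too big cluster size: 2^(48+48)" instead of corrupting the heap. The following C code is an added example, not code from exfat-utils or from this report, showing that kind of boot sector check applied before any size derived from the sector is used; the field offsets and limits are assumptions taken from the published exFAT boot sector layout, and `check_vbr_geometry` and `make_sample_vbr` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Offsets and limits assumed from the published exFAT boot sector layout. */
#define VBR_LEN          512
#define OFF_FS_NAME      3      /* FileSystemName, "EXFAT   " */
#define OFF_SECTOR_BITS  108    /* BytesPerSectorShift, valid 9..12 */
#define OFF_SPC_BITS     109    /* SectorsPerClusterShift */
#define MAX_CLUSTER_BITS 25     /* largest cluster: 2^25 bytes = 32 MiB */

enum vbr_status { VBR_OK, VBR_TRUNCATED, VBR_NOT_EXFAT,
                  VBR_SECTOR_SIZE, VBR_CLUSTER_SIZE };

/* Validate the geometry bytes before using them as shift counts or sizes. */
enum vbr_status check_vbr_geometry(const uint8_t *vbr, size_t len, size_t *sector_size)
{
    if (vbr == NULL || len < VBR_LEN)
        return VBR_TRUNCATED;
    if (memcmp(vbr + OFF_FS_NAME, "EXFAT   ", 8) != 0)
        return VBR_NOT_EXFAT;
    unsigned sector_bits = vbr[OFF_SECTOR_BITS];
    unsigned spc_bits = vbr[OFF_SPC_BITS];
    if (sector_bits < 9)
        return VBR_SECTOR_SIZE;                 /* too small sector size */
    if (sector_bits + spc_bits > MAX_CLUSTER_BITS)
        return VBR_CLUSTER_SIZE;                /* e.g. 48 + 48 */
    if (sector_bits > 12)
        return VBR_SECTOR_SIZE;                 /* too big sector size */
    if (sector_size != NULL)
        *sector_size = (size_t)1 << sector_bits; /* shift is now 9..12 */
    return VBR_OK;
}

/* Constructed sample sector: zeroed except for the name and geometry bytes. */
void make_sample_vbr(uint8_t *vbr, uint8_t sector_bits, uint8_t spc_bits)
{
    memset(vbr, 0, VBR_LEN);
    memcpy(vbr + OFF_FS_NAME, "EXFAT   ", 8);
    vbr[OFF_SECTOR_BITS] = sector_bits;
    vbr[OFF_SPC_BITS] = spc_bits;
}

int main(void)
{
    uint8_t vbr[VBR_LEN];
    make_sample_vbr(vbr, 48, 48);   /* the two values shown in the tester's output */
    return check_vbr_geometry(vbr, sizeof vbr, NULL) == VBR_CLUSTER_SIZE ? 0 : 1;
}
```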

claire robinson 2015-11-02 16:51:51 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-11-02 21:22:23 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0422.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-11-03 20:48:14 CET

URL: (none) => http://lwn.net/Vulnerabilities/662905/

