A CVE has been requested for a crash issue in wrestool in icoutils:
http://openwall.com/lists/oss-security/2017/01/08/1

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory pending CVE.

Updated packages in core/updates_testing:
========================
icoutils-0.31.0-4.1.mga5

from icoutils-0.31.0-4.1.mga5.src.rpm
MGA5-32 on AcerD620 Xfce
No installation issues.
Copied some .ico file from Win10 and tried some commands

$ wrestool -l folder.ico
wrestool: folder.ico: premature end

$ icotool -l folder.ico
--icon --index=1 --width=48 --height=48 --bit-depth=4 --palette-size=16
--icon --index=2 --width=32 --height=32 --bit-depth=4 --palette-size=16
--icon --index=3 --width=16 --height=16 --bit-depth=4 --palette-size=16
folder.ico: clr_important field in bitmap should be zero
--icon --index=4 --width=48 --height=48 --bit-depth=8 --palette-size=256
folder.ico: clr_important field in bitmap should be zero
--icon --index=5 --width=32 --height=32 --bit-depth=8 --palette-size=256
folder.ico: clr_important field in bitmap should be zero
--icon --index=6 --width=16 --height=16 --bit-depth=8 --palette-size=256
--icon --index=7 --width=256 --height=256 --bit-depth=32 --palette-size=0
--icon --index=8 --width=48 --height=48 --bit-depth=32 --palette-size=0
--icon --index=9 --width=32 --height=32 --bit-depth=32 --palette-size=0
--icon --index=10 --width=16 --height=16 --bit-depth=32 --palette-size=0

No success (my knowledge fails) getting something useful from extresso command (dumps what is probably hex graphic info to CLI)
Is there something special with W10 ico files???
Attaching zip file with ico files
CC: (none) => herman.viaene
Created attachment 8848
ico files from Win10
CVE assigned:
http://openwall.com/lists/oss-security/2017/01/08/5

Advisory:
========================

Updated icoutils package fixes security vulnerability:

An integer overflow on 64-bit systems in the wrestool utility in icoutils can cause a crash (CVE-2017-5208).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5208
http://openwall.com/lists/oss-security/2017/01/08/5
Summary: icoutils new security issue in wrestool => icoutils new security issue in wrestool (CVE-2017-5208)
Debian has issued an advisory for this today (January 9): https://www.debian.org/security/2017/dsa-3756
URL: (none) => https://lwn.net/Vulnerabilities/711047/
Additional fixes in 0.31.1, freeze push requested:
http://openwall.com/lists/oss-security/2017/01/10/4
Whiteboard: (none) => feedback
Updated packages in core/updates_testing:
========================
icoutils-0.31.1-1.mga5

from icoutils-0.31.1-1.mga5.src.rpm
Whiteboard: feedback => (none)
More CVEs assigned:
http://openwall.com/lists/oss-security/2017/01/11/3

Advisory:
========================

Updated icoutils package fixes security vulnerability:

Multiple programming errors in the wrestool tool of the icoutils suite allow denial of service or the execution of arbitrary code if a malformed binary is parsed (CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5332
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5333
http://openwall.com/lists/oss-security/2017/01/08/5
http://openwall.com/lists/oss-security/2017/01/11/3
https://www.debian.org/security/2017/dsa-3756
Summary: icoutils new security issue in wrestool (CVE-2017-5208) => icoutils new security issues in wrestool (CVE-2017-5208, CVE-2017-533[1-3])
Tried new version, same output as per Comment 1
(In reply to David Walser from comment #7)
> More CVEs assigned:
> http://openwall.com/lists/oss-security/2017/01/11/3

Debian has issued an advisory for this today (January 14):
https://www.debian.org/security/2017/dsa-3765
(In reply to David Walser from comment #9)
> (In reply to David Walser from comment #7)
> > More CVEs assigned:
> > http://openwall.com/lists/oss-security/2017/01/11/3
>
> Debian has issued an advisory for this today (January 14):
> https://www.debian.org/security/2017/dsa-3765

LWN reference:
https://lwn.net/Vulnerabilities/711775/
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
Testing M5_64

I too wasted time finding .ico files in a Win 8.1 system, and trying 'wrestool' on them with various options -l|x -t icon|--type=+icon. Everything ended in
"wrestool: <pathname> premature end"

You can manipulate such icon files directly - no need for wrestool:
"The icoutils are a set of program for extracting and converting bitmaps from Microsoft Windows icon and cursor files. These files usually have the extension .ico or .cur, but they can also be embedded in executables and libraries (.dll-files). (Such embedded files are referred to as resources.)"

I tried finding a DLL with embedded .ico files; a mug's game.

Back to the beginning: look at the refs:
http://openwall.com/lists/oss-security/2017/01/08/5
-> https://bugs.debian.org/850017
"Calling ``wrestool -x [filename]`` with the attached file makes an exploitable crash."
Downloaded the attachment crash.zip which contains (+ a core file) 'crashfile' which I shall attach to this bug.

BEFORE this update: icoutils-0.31.0-4.mga5
$ wrestool -x ./crashfile
Segmentation fault

AFTER the update: icoutils-0.31.1-1.mga5
$ wrestool -x ./crashfile
wrestool: ./crashfile: premature end
which is OK for me.

@Herman: like to have another go?
CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK
Created attachment 8941
A PoC for the bug

Run this with wrestool:
$ wrestool -x ./crashfile
It gives a Segmentation fault before the update; "premature end" after (in my case).
@ Lewis
I am not very willing to spend more time on this. These tools might be useful for some people willing to search and delve into the usage of these progs. The messages I get are not very helpful to say the least. As long as they don't crash or corrupt anything else, I would let them go.
> I am not very willing to spend more time on this. These tools might be
> useful for some people willing to search and delve into the usage of these
> progs. The messages I get are not very helpful to say the least. As long as
> they don't crash or corrupt anything else, I would let them go.

OK. I simply wondered whether you might be tempted by the simplicity of the POC test at the end of my Comment 11. Never mind.
I am validating this anyway. Grateful as always for your contribution.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0044.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED