Bug 21494 - nasm new security issues CVE-2017-10686 and CVE-2017-11111
Summary: nasm new security issues CVE-2017-10686 and CVE-2017-11111
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-08-11 01:32 CEST by David Walser
Modified: 2017-08-21 22:28 CEST (History)
4 users (show)

See Also:
Source RPM: nasm-2.12.02-1.mga6.src.rpm
CVE:
Status comment:


Attachments
PoC for CVE-2017-10686 (1.03 KB, application/octet-stream)
2017-08-21 10:12 CEST, Len Lawrence
Details
PoC file for CVE-2017-11111 (4.64 KB, application/octet-stream)
2017-08-21 10:15 CEST, Len Lawrence
Details

Description David Walser 2017-08-11 01:32:36 CEST
openSUSE has issued an advisory today (August 10):
https://lists.opensuse.org/opensuse-updates/2017-08/msg00030.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-08-11 01:32:56 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-08-18 14:02:57 CEST
Fedora has issued an advisory for this on August 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/42GU6DEIECFVC2MBUJQ4WYIKXX6GQ3K5/
Comment 2 Nicolas LĂ©cureuil 2017-08-20 00:29:45 CEST
pushed in updates_testing
src.rpm:
        nasm-2.11.07-2.1.mga5
        nasm-2.12.02-1.1.mga6

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: tmb => qa-bugs
CC: (none) => mageia
Version: Cauldron => 6

Comment 3 David Walser 2017-08-20 00:44:29 CEST
Advisory:
========================

Updated nasm packages fix security vulnerabilities:

Multiple heap use after free vulnerabilities (CVE-2017-10686).

Heap-based buffer overflow and application crash (CVE-2017-11111).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11111
https://lists.opensuse.org/opensuse-updates/2017-08/msg00030.html
========================

Updated packages in core/updates_testing:
========================
nasm-2.11.07-2.1.mga5
nasm-doc-2.11.07-2.1.mga5
nasm-rdoff-2.11.07-2.1.mga5
nasm-2.12.02-1.1.mga6
nasm-doc-2.12.02-1.1.mga6
nasm-rdoff-2.12.02-1.1.mga6

from SRPMS:
nasm-2.11.07-2.1.mga5.src.rpm
nasm-2.12.02-1.1.mga6.src.rpm
Comment 4 Len Lawrence 2017-08-21 10:10:24 CEST
Testing this in mga6 on x86_64.

There are PoC files available, four as I understand it, for CVE-2017-10686 and one for CVE-2017-11111, to be attached.  As usual these are expected to be run with the ASAN framework or using a debugger like gdb.  We shall pass on that.

When run with the command:
$ nasm -f bin POC{1,2,3,4,5} -o nasm.out
they generate core dumps and either abort or segfault and there is no output file.

For CVE-2017-10686:
$ nasm -f bin POC1 -o nasm.out
For CVE-2017-11111:
$ nasm -f bin POC5 -o nasm.out

POC5 is specific to 11111.

After the update the tests each produce a list of warnings and errors and finish without a segfault, abort or core dump.  Again, there is no output file. 

This would seem to endorse the patches.

The only application which uses nasm is the syntax-checker syntactic-nasm and being way out of touch with nasm I must look for a tutorial online.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2017-08-21 10:12:53 CEST
Created attachment 9618 [details]
PoC for CVE-2017-10686
Comment 6 Len Lawrence 2017-08-21 10:15:14 CEST
Created attachment 9619 [details]
PoC file for CVE-2017-11111

Run this and the other files with a command of this form:
$ $ nasm -f bin POC5 -o nasm.out
Comment 7 Len Lawrence 2017-08-21 10:43:01 CEST
'Hello world' program test based on the instructions at http://asmtutor.com.

Compile with
$ nasm -f elf hello.asm
This outputs hello.o
Load it with the elf_i386 option.
$ ld -m elf_i386 hello.o -o helloworld
$ file helloworld
helloworld: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
$ ./helloworld
Hello World!

It works.  This uses the eax, ebx, ecx, and edx registers and calls libc via the interrupt stack.  The code from the second lesson worked fine as well.
Len Lawrence 2017-08-21 10:43:24 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 8 Len Lawrence 2017-08-21 11:34:11 CEST
Note for those who might want to pursue nasm as a career.
The link to an example of a linux system call table in the tutorial referenced in comment 7 is corrupt.  A good alternative might be https://filippo.io/linux-syscall-table/
Comment 9 Len Lawrence 2017-08-21 12:09:29 CEST
Sorry folks.  Forgot that there was an IDE.
Installed rdoff-nasm and noted that there is are associated utilities called rdfdump, ldrdf, rdx and rdflib with their own man pages and documentation for rdoff in /usr/share/doc/.

Could not figure out how to start the IDE.  Perhaps the collection of utilities is the IDE.

nasm-rdoff updated OK.
Comment 10 Len Lawrence 2017-08-21 12:44:03 CEST
Testing on mga5, x86_64
Before the updates:
$ nasm -f bin POC1 -o nasm.out
*** Error in `nasm': corrupted double-linked list: 0x0000000000efda10 ***
and hung.
POC2 and POC3 caused aborts and POC4 segfaulted.

After the updates:
All the PoCs from POC1 to POC5 issued a series of error messages and terminated cleanly.

This vindicates the patches.

Repeated the helloworld compilation and linking tests re comment 7.  The executable files ran fine.

The rdoff documentation is all there and the utilities /bin/{rdfdump,ldrdf,rdx,rdflib}.
$ ls /usr/share/doc/nasm*
/usr/share/doc/nasm:
AUTHORS  CHANGES  internal.doc  LICENSE  README  TODO
/usr/share/doc/nasm-doc:
html/  nasmdoc.ps.bz2  nasmdoc.txt.bz2
/usr/share/doc/nasm-rdoff:
README  v1-v2.txt

This bug could be validated if we are willing to ignore 32-bits.  If not I could do vbox tests later.
Len Lawrence 2017-08-21 12:45:10 CEST

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 11 Lewis Smith 2017-08-21 20:07:29 CEST
Validating with 1 64-bit OK M5 & M6; sterling work Len.
Advisory to do.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Lewis Smith 2017-08-21 22:04:56 CEST

Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK advisory

Comment 12 Mageia Robot 2017-08-21 22:28:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0294.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.