Bug 1019807 (CVE-2017-5357)

Summary: VUL-1: CVE-2017-5357: ed:invalid free
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: astieger, atoptsoglou, cmertens, peter.simons, smash_bz, tchvatal
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/178632/
Whiteboard: CVSSv2:SUSE:CVE-2017-5357:2.1:(AV:L/AC:L/Au:N/C:N/I:N/A:P) maint:released:sle10-sp3:63371
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2017-01-13 08:17:01 UTC
https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html
http://seclists.org/oss-sec/2017/q1/70

ed can be crashed with some malformed commands:
echo -e "H\n?\{" | ed

The bug seems to be a call to free on a non-allocated pointer. The bug
was found with the fuzzing tool american fuzzy lop in ed 1.14.

Here's a stack trace from address sanitizer:
==29974==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x0000013cc6c0 in thread T0
    #0 0x4c9bd0 in __interceptor_cfree.localalias.1 (/r/ed/ed+0x4c9bd0)
    #1 0x51a01c in get_compiled_regex /f/ed/ed-1.14/regex.c:138:5
    #2 0x51a666 in next_matching_node_addr /f/ed/ed-1.14/regex.c:193:31
    #3 0x516f94 in extract_addresses /f/ed/ed-1.14/main_loop.c:224:31
    #4 0x511db0 in exec_command /f/ed/ed-1.14/main_loop.c:424:24
    #5 0x51162e in main_loop /f/ed/ed-1.14/main_loop.c:721:19
    #6 0x5108b9 in main /f/ed/ed-1.14/main.c:197:10
    #7 0x7f93e58fd78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x419c28 in _start (/r/ed/ed+0x419c28)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free (/r/ed/ed+0x4c9bd0) in __interceptor_cfree.localalias.1
==29974==ABORTING



Reproducer:
echo -e "H\n?\{" | ed

This may only trigger when compiled using ASan, which we do not use.


Proposed patch:

--- a/regex.c   2017-01-06 02:06:04.000000000 +0100
+++ b/regex.c   2017-01-09 17:09:51.000000000 +0100
@@ -135,7 +135,6 @@ static regex_t * get_compiled_regex( con
     char buf[80];
     regerror( n, exp, buf, sizeof buf );
     set_error_msg( buf );
-    free( exp );
     exp = 0;
     }
   return exp;
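Review bot: removing `free( exp )` matches the ASan report (the pointer handed to free() was never malloc()-ed), but the hunk leaves `exp = 0;` followed by `return exp;` without showing where `exp` comes from, so a reader of these seven context lines cannot tell whether it is a static object or storage obtained earlier in the function that now goes unreleased. Either state that in the commit message or add a one-line comment on the failure path, e.g. `/* exp is not heap memory; nothing to release */`, so the next person does not reintroduce a free() or swap in a regfree(). regfree() is not the right call on this path either: POSIX only defines regfree() for a regex_t that regcomp() compiled successfully, and here regcomp() has just returned an error, so discarding the object after regerror() is the correct handling.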




References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5357
http://seclists.org/oss-sec/2017/q1/78
Comment 2 Swamp Workflow Management 2017-01-13 23:00:39 UTC
bugbot adjusting priority
Comment 5 Peter Simons 2017-01-31 15:34:15 UTC
It's probably not important, but shouldn't the "free(exp)" be replaced by "regfree(exp)"?
Comment 8 Andreas Stieger 2017-01-31 16:15:17 UTC
(In reply to Peter Simons from comment #5)
> It's probably not important, but shouldn't the "free(exp)" be replaced by
> "regfree(exp)"?

The line is in a code path where regcomp returned >0, e.g. the regex was not compiled or memory allocated that would need to be freed with regfree()

>   n = regcomp( exp, pat, 0 );
>   if( n )
>     {
>     char buf[80];
>     regerror( n, exp, buf, sizeof buf );
>     set_error_msg( buf );
>     exp = 0;
>     }
>   return exp;
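The following is an added example, not code from ed or from the patch above; it models the error path of get_compiled_regex() discussed in the description and in comments 5 and 8. It assumes what the ASan report implies, namely that the compiled pattern lives in a static regex_t whose address never came from malloc(); the helper names (set_error_msg, last_error_msg, compile_pattern, compile_pattern_bad, matches) are stand-ins, not ed's. The pre-fix shape is kept behind -DDEMO_BAD_FREE so the default build runs cleanly; the post-fix shape shows that a failed regcomp() needs neither free() nor regfree(), while a previous successful compile does need regfree() before the object is reused.

```c
/* Added example (not ed's code): get_compiled_regex()-style helper with a
 * static regex_t, showing the CVE-2017-5357 error path before and after. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for ed's error-message plumbing (assumed names). */
static char error_msg[80];
static void set_error_msg(const char *msg) { snprintf(error_msg, sizeof error_msg, "%s", msg); }
const char *last_error_msg(void) { return error_msg; }

static regex_t store;          /* static storage: its address never came from malloc() */
static int store_compiled = 0; /* set only after a successful regcomp() */

#ifdef DEMO_BAD_FREE
/* Pre-fix shape. Build with -DDEMO_BAD_FREE to watch the allocator (or ASan)
 * abort: free() is handed a pointer to static storage. */
regex_t *compile_pattern_bad(const char *pat)
{
    regex_t *exp = &store;
    int n = regcomp(exp, pat, 0);
    if (n) {
        char buf[80];
        regerror(n, exp, buf, sizeof buf);
        set_error_msg(buf);
        free(exp);  /* CVE-2017-5357: invalid free of a non-heap pointer */
        exp = 0;
    }
    return exp;
}
#endif

/* Post-fix shape: on regcomp() failure, report and return NULL. No free()
 * (not heap memory) and no regfree() (POSIX defines regfree() only for a
 * regex_t that regcomp() compiled successfully). */
regex_t *compile_pattern(const char *pat)
{
    regex_t *exp = &store;
    if (store_compiled) {       /* the previous successful compile does need regfree() */
        regfree(exp);
        store_compiled = 0;
    }
    int n = regcomp(exp, pat, 0);
    if (n) {
        char buf[80];
        regerror(n, exp, buf, sizeof buf);
        set_error_msg(buf);
        return 0;
    }
    store_compiled = 1;
    return exp;
}

/* Does text match a successfully compiled pattern? */
int matches(const regex_t *re, const char *text)
{
    return regexec(re, text, 0, 0, 0) == 0;
}

int main(void)
{
    /* "\{" is the pattern from the reproducer: echo -e "H\n?\{" | ed */
    const char *bad = "\\{";
    if (compile_pattern(bad) == 0)
        printf("rejected %s: %s\n", bad, last_error_msg());
    regex_t *re = compile_pattern("^H$");
    printf("^H$ matches \"H\": %d, \"x\": %d\n", matches(re, "H"), matches(re, "x"));
#ifdef DEMO_BAD_FREE
    compile_pattern_bad(bad);   /* aborts here with an invalid-free report */
#endif
    return 0;
}
```

Build with `cc -fsanitize=address example.c` to run the fixed path, and add `-DDEMO_BAD_FREE` to see the same bad-free report the description quotes. The state flag is what answers comment 5: regfree() belongs before the next regcomp() on an object that compiled successfully, not on the path where regcomp() just failed.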
Comment 9 Swamp Workflow Management 2017-02-01 12:57:03 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2017-03-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63370
Comment 11 Swamp Workflow Management 2019-04-01 16:12:48 UTC
SUSE-SU-2019:14005-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1019807
CVE References: CVE-2017-5357
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    ed-0.2-1001.30.3.4
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ed-0.2-1001.30.3.4

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-06-11 19:16:01 UTC
SUSE-SU-2020:1608-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1019807
CVE References: CVE-2017-5357
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    ed-1.9-4.4.5
SUSE Linux Enterprise Server 12-SP4 (src):    ed-1.9-4.4.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Alexandros Toptsoglou 2020-07-14 15:59:49 UTC
Done