Bug 934529 (CVE-2015-4472)

Summary: VUL-1: CVE-2015-4472: cabextract,libmspack: denial of service while processing crafted CHM file (floating point exception)
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Marcus Meissner <meissner>
Status: IN_PROGRESS
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: meissner, sbrabec, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/117592/
Whiteboard: CVSSv2:NVD:CVE-2015-4472:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-4472:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-4467:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2015-06-12 09:24:31 UTC
rh#1180175

Off-by-one error in the READ_ENCINT macro in chmd.c in libmspack before 0.5
allows remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted CHM file.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1180175
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4472
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775687

For SLE 11, this needs to be fixed in libmspack and cabextract.
For SLE 12, cabextract builds --with-external-libmspack, so only libmspack needs to be fixed.
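As an added illustration of the bug class described above (this is example code written for this page, not libmspack's READ_ENCINT and not the patch discussed in the comments): a CHM ENCINT reader in the off-by-one shape, the bounds-checked form beside it, and a PMGL directory-entry parser built on the safe one. The ENCINT encoding and PMGL entry layout follow the CHM format; the function names and the sample entry bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Illustrative CHM ENCINT readers (added example, not libmspack's code).
 * ENCINT: big-endian base-128, bit 7 set on every byte except the last.
 * Each returns the bytes consumed, or 0 when the value cannot be read. */
typedef const unsigned char *cptr;

/* Off-by-one pattern: '>' still passes when p == end, so the byte at
 * end[0] is read before the loop notices it has run out of input. */
static size_t encint_read_offbyone(cptr p, cptr end, uint64_t *out)
{
    cptr start = p; uint64_t v = 0;
    do {
        if (p > end) return 0;
        v = (v << 7) | (*p & 0x7F);
    } while (*p++ & 0x80);
    *out = v; return (size_t)(p - start);
}

/* Hardened form: test before touching any byte at or beyond end, and
 * reject encodings longer than the 10 bytes a 64-bit value can need. */
static size_t encint_read(cptr p, cptr end, uint64_t *out)
{
    cptr start = p; uint64_t v = 0;
    do {
        if (p >= end || p - start >= 10) return 0;
        v = (v << 7) | (*p & 0x7F);
    } while (*p++ & 0x80);
    *out = v; return (size_t)(p - start);
}
struct chm_entry { char name[64]; uint64_t section, offset, length; };
/* One PMGL directory entry: ENCINT name length, name bytes, then ENCINT
 * section, offset and length, each checked against end before reading. */
static size_t pmgl_entry_read(cptr p, cptr end, struct chm_entry *e)
{
    cptr start = p; uint64_t n, *f[3] = { &e->section, &e->offset, &e->length };
    size_t k, i;
    if (!(k = encint_read(p, end, &n))) return 0;
    p += k;
    if (n >= sizeof e->name || n > (uint64_t)(end - p)) return 0;
    memcpy(e->name, p, (size_t)n); e->name[n] = '\0'; p += n;
    for (i = 0; i < 3; i++, p += k)
        if (!(k = encint_read(p, end, f[i]))) return 0;
    return (size_t)(p - start);
}
/* Constructed sample entry (not from a real file): "/a.htm", section 0,
 * offset 300 = 0x82 0x2C, length 1000 = 0x87 0x68. */
static const unsigned char sample_entry[] = {
    0x06, '/', 'a', '.', 'h', 't', 'm', 0x00, 0x82, 0x2C, 0x87, 0x68 };
```

Calling `encint_read_offbyone` on the last field with `end` set one byte short shows the defect: it returns 2 after reading `end[0]`, while `encint_read` returns 0 and the entry parser rejects the truncated chunk.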
Comment 1 Swamp Workflow Management 2015-06-12 09:40:03 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-07-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61986
Comment 2 Swamp Workflow Management 2015-06-12 22:02:52 UTC
bugbot adjusting priority
Comment 3 Stanislav Brabec 2015-06-15 19:52:10 UTC
The fix overwrites the changes of fix-pointer-arithmetic-overflow.patch from https://github.com/kyz/libmspack/commit/5692b75a21bf71dd86ac84bcfeb9ce8c0830658e (i.e. bug 934526) with a better fix.

This is the first attempt to fix it:
https://github.com/kyz/libmspack/commit/bef420ede1039dbdc8d6acafa2f115be2ec86bef

The next commit reverts it completely and moves the fixes into the macro. It also adds one additional chunk, which seems to represent the bug reported here: https://github.com/kyz/libmspack/commit/3f8a171b95b858f2d98e60b6da8a427ef530516b

I can either apply all three patches as they are, or merge them in a logical way, skipping the partial fixes.
Comment 4 Stanislav Brabec 2015-06-15 20:22:03 UTC
I did a logical merge and created libmspack-chmd-READ_ENCINT-one-off.patch

https://build.suse.de/package/show/home:sbrabec:branches:libmspack-security/libmspack.SUSE_SLE-12_Update
Comment 5 Stanislav Brabec 2015-06-15 20:30:24 UTC
SLE12: https://build.suse.de/request/show/60400

SLE11 and openSUSE will be prepared tomorrow.
Comment 6 Stanislav Brabec 2015-06-16 18:47:23 UTC
As SLE11 libmspack has no READ_ENCINT, the patch was expanded to all of its uses, reusing some new code introduced by the backport of fix-name-field-boundaries.patch.

Note that SLE11 libmspack had no boundary check at all, so it could not only cause this special overflow, but it was also vulnerable to other attack vectors.

https://build.suse.de/project/show/home:sbrabec:branches:libmspack-security-sle11
Comment 7 Stanislav Brabec 2015-06-16 19:12:21 UTC
Done.

https://build.suse.de/project/show/home:sbrabec:branches:libmspack-security-sle11
libmspack: https://build.suse.de/request/show/60558
cabextract: not affected, CHM decompression is not implemented
Comment 13 Swamp Workflow Management 2015-12-07 17:12:36 UTC
SUSE-SU-2015:2215-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 934524,934525,934526,934527,934528,934529
CVE References: CVE-2014-9732,CVE-2015-4467,CVE-2015-4469,CVE-2015-4470,CVE-2015-4471,CVE-2015-4472
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Server 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libmspack-0.0.20060920alpha-74.10.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libmspack-0.0.20060920alpha-74.10.1
Comment 14 Swamp Workflow Management 2016-01-04 13:13:49 UTC
SUSE-SU-2016:0011-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 934524,934525,934526,934527,934528,934529
CVE References: CVE-2014-9732,CVE-2015-4467,CVE-2015-4468,CVE-2015-4469,CVE-2015-4470,CVE-2015-4471,CVE-2015-4472
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libmspack-0.4-14.4
SUSE Linux Enterprise Software Development Kit 12 (src):    libmspack-0.4-14.4
SUSE Linux Enterprise Server 12-SP1 (src):    libmspack-0.4-14.4
SUSE Linux Enterprise Server 12 (src):    libmspack-0.4-14.4
SUSE Linux Enterprise Desktop 12-SP1 (src):    libmspack-0.4-14.4
SUSE Linux Enterprise Desktop 12 (src):    libmspack-0.4-14.4