Bug 985657 (CVE-2016-3189)

Summary: VUL-1: CVE-2016-3189: bzip2: heap use after free in bzip2recover
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: abergmann, atoptsoglou, kstreitova, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/170356/
Whiteboard: CVSSv2:SUSE:CVE-2016-3189:3.3:(AV:L/AC:M/Au:N/C:N/I:P/A:P) CVSSv2:RedHat:CVE-2016-3189:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2016-3189:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2016-3189:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) maint:released:sle10-sp3:64268
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: bzip2-recover-CVE-2016-3189.patch

Description Marcus Meissner 2016-06-20 13:08:48 UTC
From: Cedric Buissart <cbuissar@redhat.com>
Subject: [oss-security] CVE-2016-3189: bzip2 use-after-free on bzip2recover
Date: Mon, 20 Jun 2016 13:10:32 +0200

Hi all,

This is to report CVE-2016-3189: bzip2 use-after-free on bzip2recover

A heap use after free vulnerability was reported in bzip2recover.
A maliciously crafted file could cause the application to crash.

Originally reported by Aladdin Mubaied

For additional information & proposed patch:
https://bugzilla.redhat.com/show_bug.cgi?id=1319648

== ASAN output & backtrace ==
bzip2recover 1.0.6: extracts blocks from damaged .bz2 files.
/opt/bzip-asan/bin/bzip2recover: searching for block boundaries ...
   block 1 runs from 176 to 175
   block 2 runs from 224 to 871
   block 3 runs from 920 to 919
   block 4 runs from 968 to 1024 (incomplete)
bzip2recover: splitting into blocks
   writing block 2 to `crasherfile1' ...
Program received signal SIGSEGV, Segmentation fault.
=================================================================
==8476== ERROR: AddressSanitizer: heap-use-after-free on address 0x60060000ef8c at pc 0x40277c bp 0x7fff7f1afe90 sp 0x7fff7f1afe80
READ of size 4 at 0x60060000ef8c thread T0
    #0 0x40277b (/opt/bzip-asan/bin/bzip2recover+0x40277b)
    #1 0x401f35 (/opt/bzip-asan/bin/bzip2recover+0x401f35)
    #2 0x7f10fcae2af4 (/usr/lib64/libc-2.17.so+0x21af4)
    #3 0x4020e4 (/opt/bzip-asan/bin/bzip2recover+0x4020e4)
0x60060000ef8c is located 12 bytes inside of 24-byte region [0x60060000ef80,0x60060000ef98)
freed by thread T0 here:
    #0 0x7f10fce98009 (/usr/lib64/libasan.so.0.0.0+0x16009)
    #1 0x40205c (/opt/bzip-asan/bin/bzip2recover+0x40205c)
previously allocated by thread T0 here:
    #0 0x7f10fce98129 (/usr/lib64/libasan.so.0.0.0+0x16129)
    #1 0x40175f (/opt/bzip-asan/bin/bzip2recover+0x40175f)
Shadow bytes around the buggy address:
  0x0c013fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c013fff9df0: fd[fd]fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
  0x0c013fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe

bt
#0  0x00007ffff7a8fa11 in putc () from /lib64/libc.so.6
#1  0x00000000004046ad in bsPutBit (bit=0x0, bs=<optimized out>) at bzip2recover.c:183
#2  bsPutUChar (c=<optimized out>, bs=<optimized out>) at bzip2recover.c:246
#3  main (argc=<optimized out>, argv=<optimized out>) at bzip2recover.c:455
#4  0x00007ffff7a3caf5 in __libc_start_main () from /lib64/libc.so.6
#5  0x0000000000405bd9 in _start ()

Regards,

-- 
Cedric Buissart,
Product Security

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1319648
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3189
http://seclists.org/oss-sec/2016/q2/568
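The report above gives the shape of the flaw (bsPutBit called from main() on a BitStream whose 24-byte allocation has already been freed) but not the code. The following is an added illustration, written for this page and not taken from bzip2 or from the attached patch: it models bzip2recover's BitStream writer with the original field names, a block-splitting loop of the same form as main(), and the two ways that loop can be written. Assumptions are labelled in the code: the in-memory sink that replaces the FILE* handle, the constructed block table (not the reporter's crasher), and the fix being modelled as resetting the writer pointer to NULL immediately after bsClose. The unfixed path never dereferences freed memory; a shadow flag counts the writes it would have made, so the program runs cleanly while still showing where the READ inside the freed struct comes from.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified model of bzip2recover's BitStream writer (field names follow the
   original; the in-memory sink replacing the FILE* handle is an assumption). */
#define SINK_CAP 256
typedef struct {
    unsigned char *sink; size_t sinkLen;   /* stand-in for FILE *handle */
    int buffer, buffLive;                  /* pending bits and their count (0..8) */
} BitStream;

static BitStream *bsOpenWriteStream(void) {
    BitStream *bs = calloc(1, sizeof *bs);
    if (!bs || !(bs->sink = malloc(SINK_CAP))) abort();
    return bs;
}

static void sinkPut(BitStream *bs, unsigned char c) {
    if (bs->sinkLen == SINK_CAP) abort();      /* toy sink, no growth */
    bs->sink[bs->sinkLen++] = c;
}

/* Same shape as the original bsPutBit: it reads bs->buffLive first, which is
   why a dangling bs shows up as a 4-byte READ inside the freed 24-byte struct. */
static void bsPutBit(BitStream *bs, int bit) {
    if (bs->buffLive == 8) {
        sinkPut(bs, (unsigned char)bs->buffer);
        bs->buffLive = 1;
        bs->buffer = bit & 1;
    } else {
        bs->buffer = (bs->buffer << 1) | (bit & 1);
        bs->buffLive++;
    }
}

/* Pad, flush and free; returns the number of bytes this block produced. */
static size_t bsClose(BitStream *bs) {
    size_t n;
    if (bs->buffLive > 0) {
        while (bs->buffLive < 8) { bs->buffer <<= 1; bs->buffLive++; }
        sinkPut(bs, (unsigned char)bs->buffer);
    }
    n = bs->sinkLen;
    free(bs->sink); free(bs);
    return n;
}
typedef struct { long start, end; } Block;    /* bit offsets, end inclusive */
typedef struct { size_t blocksWritten, bytesWritten, staleWrites; } Result;
/* Block-splitting loop in the shape of bzip2recover's main(). fixed == 0 leaves
   bsWr dangling after bsClose (the flaw) and a shadow flag counts the writes the
   unfixed code would make to freed memory instead of dereferencing it; fixed == 1
   resets bsWr to NULL after bsClose, which this example assumes the patch does. */
static Result recoverBlocks(const Block *blk, int nBlocks,
                            const unsigned char *bits, long nBits, int fixed) {
    Result r = {0, 0, 0};
    BitStream *bsWr = NULL;
    int stale = 0, wrBlock = 0;   /* stale: bsWr != NULL but already freed */
    long bitsRead = 0;
    while (bitsRead < nBits) {
        int currBit = bits[bitsRead] & 1;
        bitsRead++;
        if (bsWr != NULL) {
            if (stale) {
                r.staleWrites++;                 /* would be bsPutBit(freed, ...) */
            } else {
                bsPutBit(bsWr, currBit);
                if (bitsRead == blk[wrBlock].end + 1) {
                    r.bytesWritten += bsClose(bsWr);
                    r.blocksWritten++;
                    if (fixed) bsWr = NULL; else stale = 1;
                    if (++wrBlock >= nBlocks) break;
                }
            }
        }
        /* Only an exact hit on the next start reopens the writer; a gap keeps bsWr stale. */
        if (wrBlock < nBlocks && bitsRead == blk[wrBlock].start) {
            bsWr = bsOpenWriteStream();
            stale = 0;
        }
    }
    if (bsWr != NULL && !stale) bsClose(bsWr);   /* trailing incomplete block */
    return r;
}

/* Constructed scenario (not the reporter's crasher): two 16-bit blocks with a
   16-bit gap, so the writer closed after block 0 is not reopened at once. */
static Result runScenario(int fixed) {
    unsigned char bits[64];
    Block blk[2] = { {8, 23}, {40, 55} };
    for (int i = 0; i < 64; i++) bits[i] = (unsigned char)(i & 1);
    return recoverBlocks(blk, 2, bits, 64, fixed);
}

int main(void) {
    Result bad = runScenario(0), good = runScenario(1);
    printf("unfixed: %zu writes through a freed stream; fixed: %zu (%zu bytes written)\n",
           bad.staleWrites, good.staleWrites, good.bytesWritten);
    return 0;
}
```

Both variants recover the same two blocks and the same four bytes; the only difference is that the unfixed loop keeps a non-NULL pointer to a freed BitStream across the gap between blocks and would hand it to bsPutBit sixteen times. That is the general lesson of the bug class: a NULL check on a pointer guards nothing once the pointee has been freed without the pointer being reset, and ASAN is the quickest way to surface such a stale write in a fuzzing harness for any recovery tool of this kind.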
Comment 1 Marcus Meissner 2016-06-20 13:28:32 UTC
Created attachment 681334
bzip2-recover-CVE-2016-3189.patch

Trivial patch from the RH bug.
Comment 2 Marcus Meissner 2016-06-20 13:29:15 UTC
No reproducer attached to the bug.
Comment 3 Swamp Workflow Management 2016-06-20 22:00:36 UTC
bugbot adjusting priority
Comment 7 Swamp Workflow Management 2019-04-26 15:19:36 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2019-05-24.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64267
Comment 8 Swamp Workflow Management 2019-05-10 19:16:06 UTC
SUSE-SU-2019:1206-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 985657
CVE References: CVE-2016-3189
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    bzip2-1.0.6-5.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    bzip2-1.0.6-5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-05-15 19:10:42 UTC
openSUSE-SU-2019:1398-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 985657
CVE References: CVE-2016-3189
Sources used:
openSUSE Leap 15.0 (src):    bzip2-1.0.6-lp150.4.3.1
Comment 10 Swamp Workflow Management 2019-05-22 22:10:28 UTC
openSUSE-SU-2019:1435-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 985657
CVE References: CVE-2016-3189
Sources used:
openSUSE Leap 15.1 (src):    bzip2-1.0.6-lp151.5.3.1
Comment 11 Swamp Workflow Management 2019-07-03 13:12:36 UTC
SUSE-SU-2019:1206-2: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 985657
CVE References: CVE-2016-3189
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    bzip2-1.0.6-5.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    bzip2-1.0.6-5.3.1

Comment 13 Swamp Workflow Management 2019-07-15 16:14:08 UTC
SUSE-SU-2019:14122-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1139083,985657
CVE References: CVE-2016-3189,CVE-2019-12900
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    bzip2-1.0.5-34.256.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    bzip2-1.0.5-34.256.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    bzip2-1.0.5-34.256.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    bzip2-1.0.5-34.256.5.1

Comment 14 Swamp Workflow Management 2019-07-23 13:11:33 UTC
SUSE-SU-2019:1955-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1139083,985657
CVE References: CVE-2016-3189,CVE-2019-12900
Sources used:
SUSE OpenStack Cloud 8 (src):    bzip2-1.0.6-30.5.1
SUSE OpenStack Cloud 7 (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Server 12-SP5 (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Server 12-SP4 (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Desktop 12-SP5 (src):    bzip2-1.0.6-30.5.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    bzip2-1.0.6-30.5.1
SUSE Enterprise Storage 5 (src):    bzip2-1.0.6-30.5.1
SUSE Enterprise Storage 4 (src):    bzip2-1.0.6-30.5.1
SUSE CaaS Platform 3.0 (src):    bzip2-1.0.6-30.5.1

Comment 15 Alexandros Toptsoglou 2020-05-12 14:17:04 UTC
Done