Bug 1018756 - (CVE-2017-5208) VUL-0: CVE-2017-5208,CVE-2017-5331,CVE-2017-5332,CVE-2017-5333: icoutils: exploitable crash in wrestool program
Status: RESOLVED FIXED
Duplicates: 1019328
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / openSUSE 42.2
Priority: P5 - None
Severity: Normal
Assigned To: Kyrill Detinov
QA Contact: Security Team bot
Reported: 2017-01-08 11:13 UTC by Mikhail Kasimov
Modified: 2017-01-16 23:09 UTC (History)

Description Mikhail Kasimov 2017-01-08 11:13:43 UTC
Ref: http://seclists.org/oss-sec/2017/q1/38
=============================================
Hi

Choongwoo Han reported[0] an exploitable crash in wrestool from the
icoutils[1]. The command line tool is e.g. used in KDE's
metadata parsing, cf. [2]. A patch is available in the Debian
packaging[3].

Could you please assign a CVE for this issue?

Regards,
Salvatore

 [0] https://bugs.debian.org/850017
 [1] http://www.nongnu.org/icoutils/
 [2] https://codesearch.debian.net/search?q=wrestool&perpkg=1
 [3] https://anonscm.debian.org/git/users/cjwatson/icoutils.git/plain/debian/patches/check-offset-overflow.patch
=============================================

https://software.opensuse.org/package/icoutils
Comment 1 Mikhail Kasimov 2017-01-10 11:18:03 UTC
Don't know about filing a separate report for this: http://seclists.org/oss-sec/2017/q1/48

=============================================================
Thanks for the CVE assignment. FTR, this was upstreamed as

http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=0d569f458f306b88f60156d60c9cf058125cf173

It turns out that this is not enough, so upstream has issued

http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31b7ec031b0be070a9a400d1d3

to make the checks more stringent. Quoting a reply from upstream to the Debian
maintainer: "But as I see it there are still combinations of the arguments which
make the test succeed even though the memory block identified by
offset&size is not fully inside memory&total_size, e.g. offset < memory, but
size is larger than the difference.  I have attached another patch (applies on
top of yours) that more stringently checks all the memory bounds. Hopefully
that will preempt shenanigans with specially crafted files containing weird
offsets and sizes."

Could you please assign a further CVE for this follow up fix?

Furthermore I would like to ask if the following two commits from upstream,
can have as well an identifier assigned:

http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a

They relate to the Red Hat bugzilla entry at

https://bugzilla.redhat.com/show_bug.cgi?id=1249276

All the three followup commits are included in Debian with the recent
upload to Debian unstable, versioned as 0.31.1-1.

Regards,
Salvatore
=============================================================
Comment 2 Andreas Stieger 2017-01-11 12:55:35 UTC
http://seclists.org/oss-sec/2017/q1/48

> It turns out that this is not enough, so upstream has issued
>
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31b7ec031b0be070a9a400d1d3
>
> Could you please assign a further CVE for this follow up fix?

Use CVE-2017-5331.


> Furthermore I would like to ask if the following two commits from upstream,
> can have as well an identifier assigned:
>
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a

Yes, but because these are immediately consecutive commits, the CVE
mapping may seem unusual.

Use CVE-2017-5332 for all of 1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
and also the index correction in
1a108713ac26215c7568353f6e02e727e6d4b24a. In other words, the change
from "entries[c]" to "entries[c-skipped]" in
1a108713ac26215c7568353f6e02e727e6d4b24a cannot have a new CVE ID
because the code was never "shipped" with "entries[c]" in use. There
aren't two independent problems related to establishing a maximum
allowable value of the size variable.

Use CVE-2017-5333 for the separate vulnerability fixed by the
introduction of the "size >= sizeof(uint16_t)*2" test in
1a108713ac26215c7568353f6e02e727e6d4b24a.
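The two follow-up fixes are only described above through the upstream reply in Comment 1 (a region given by offset&size must lie fully inside memory&total_size, and "offset < memory but size larger than the difference" must be rejected) and through the fragments quoted in Comment 2 (a "size >= sizeof(uint16_t)*2" minimum and the "entries[c-skipped]" index correction). The following C program is an added example written for this page, not icoutils code and not the content of the commits linked above: it shows a start-only bounds check beside an overflow-safe full-region check, and a small table parser that applies the full check plus a minimum-size test while compacting accepted entries into out[c - skipped]. The table format, the function names (naive_in_bounds, strict_in_bounds, parse_entries, run_sample) and the sample bytes are constructed for illustration and say nothing about wrestool's real resource layout; offsets are modelled as byte offsets relative to the start of the block rather than as pointers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak check: only the start of the region is verified. A region that
 * starts inside the block but runs past its end, or a size so large that
 * offset + size would wrap, is accepted. */
bool naive_in_bounds(size_t total_size, size_t offset, size_t size)
{
    (void)size;
    return offset < total_size;
}

/* Stringent check: [offset, offset + size) must lie entirely inside
 * [0, total_size). Written as size <= total_size - offset so that the
 * comparison itself cannot overflow for any size. */
bool strict_in_bounds(size_t total_size, size_t offset, size_t size)
{
    if (offset > total_size)
        return false;
    return size <= total_size - offset;
}

struct entry { uint32_t offset; uint32_t size; };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Each accepted entry must at least hold two uint16 header fields. */
#define MIN_ENTRY_SIZE (sizeof(uint16_t) * 2)

/* Hypothetical table: a 4-byte count followed by count (offset,size) pairs.
 * Entries failing either check are skipped; survivors are compacted into
 * out[c - skipped] so the returned count indexes them without holes.
 * Returns -1 if the table itself does not fit in the block. */
int parse_entries(const uint8_t *memory, size_t total_size,
                  struct entry *out, size_t out_cap)
{
    if (total_size < 4)
        return -1;
    uint32_t count = rd32le(memory);
    if (count > out_cap || !strict_in_bounds(total_size, 4, (size_t)count * 8))
        return -1;

    size_t skipped = 0;
    for (size_t c = 0; c < count; c++) {
        const uint8_t *e = memory + 4 + c * 8;
        uint32_t off = rd32le(e), size = rd32le(e + 4);
        if (!strict_in_bounds(total_size, off, size) || size < MIN_ENTRY_SIZE) {
            skipped++;
            continue;
        }
        out[c - skipped].offset = off;
        out[c - skipped].size = size;
    }
    return (int)(count - skipped);
}

#define SAMPLE_SIZE 64

/* Constructed 64-byte block with five entries; only the first is valid. */
size_t build_sample(uint8_t *buf)
{
    static const uint32_t table[5][2] = {
        { 44, 8 },            /* fits: bytes 44..51 */
        { 60, 16 },           /* starts inside, runs past the end (76 > 64) */
        { 0xFFFFFFF0u, 32 },  /* start lies beyond the block */
        { 52, 2 },            /* fits, but too small for two uint16 fields */
        { 8, 0xFFFFFFFFu },   /* offset + size would wrap a 32-bit size_t */
    };
    memset(buf, 0, SAMPLE_SIZE);
    put32le(buf, 5);
    for (size_t i = 0; i < 5; i++) {
        put32le(buf + 4 + i * 8, table[i][0]);
        put32le(buf + 8 + i * 8, table[i][1]);
    }
    return SAMPLE_SIZE;
}

int run_sample(struct entry *out, size_t out_cap)
{
    uint8_t buf[SAMPLE_SIZE];
    size_t n = build_sample(buf);
    return parse_entries(buf, n, out, out_cap);
}

int main(void)
{
    struct entry out[8];
    int n = run_sample(out, 8);
    printf("accepted %d entries\n", n);
    for (int i = 0; i < n; i++)
        printf("  offset=%u size=%u\n", out[i].offset, out[i].size);
    printf("naive(60,16)=%d strict(60,16)=%d\n",
           naive_in_bounds(SAMPLE_SIZE, 60, 16),
           strict_in_bounds(SAMPLE_SIZE, 60, 16));
    return 0;
}
```

The point of the second and fifth sample entries is the one the upstream reply makes: a check that only looks at where a region starts passes both, while the full-region check rejects them, and because it subtracts rather than adds it does so without any overflow of its own.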
Comment 3 Andreas Stieger 2017-01-11 12:57:40 UTC
*** Bug 1019328 has been marked as a duplicate of this bug. ***
Comment 4 Bernhard Wiedemann 2017-01-11 17:00:30 UTC
This is an autogenerated message for OBS integration:
This bug (1018756) was mentioned in
https://build.opensuse.org/request/show/449712 13.2 / icoutils
https://build.opensuse.org/request/show/449713 42.1 / icoutils
https://build.opensuse.org/request/show/449715 42.2 / icoutils
Comment 5 Andreas Stieger 2017-01-16 19:46:40 UTC
releasing
Comment 6 Swamp Workflow Management 2017-01-16 23:08:50 UTC
openSUSE-SU-2017:0166-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1018756
CVE References: CVE-2017-5208,CVE-2017-5331,CVE-2017-5332,CVE-2017-5333
Sources used:
openSUSE Leap 42.1 (src):    icoutils-0.31.1-7.1
Comment 7 Swamp Workflow Management 2017-01-16 23:09:07 UTC
openSUSE-SU-2017:0167-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1018756
CVE References: CVE-2017-5208,CVE-2017-5331,CVE-2017-5332,CVE-2017-5333
Sources used:
openSUSE Leap 42.2 (src):    icoutils-0.31.1-8.1
Comment 8 Swamp Workflow Management 2017-01-16 23:09:22 UTC
openSUSE-SU-2017:0168-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1018756
CVE References: CVE-2017-5208,CVE-2017-5331,CVE-2017-5332,CVE-2017-5333
Sources used:
openSUSE 13.2 (src):    icoutils-0.31.1-4.3.1