Bugzilla – Bug 1019807
VUL-1: CVE-2017-5357: ed:invalid free
Last modified: 2020-07-14 15:59:49 UTC
https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00000.html
http://seclists.org/oss-sec/2017/q1/70

ed can be crashed with some malformed commands:

echo -e "H\n?\{" | ed

The bug seems to be a call of free on a nonallocated pointer. The bug was found with the fuzzing tool american fuzzy lop in ed 1.14.

Here's a stack trace from address sanitizer:

==29974==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x0000013cc6c0 in thread T0
    #0 0x4c9bd0 in __interceptor_cfree.localalias.1 (/r/ed/ed+0x4c9bd0)
    #1 0x51a01c in get_compiled_regex /f/ed/ed-1.14/regex.c:138:5
    #2 0x51a666 in next_matching_node_addr /f/ed/ed-1.14/regex.c:193:31
    #3 0x516f94 in extract_addresses /f/ed/ed-1.14/main_loop.c:224:31
    #4 0x511db0 in exec_command /f/ed/ed-1.14/main_loop.c:424:24
    #5 0x51162e in main_loop /f/ed/ed-1.14/main_loop.c:721:19
    #6 0x5108b9 in main /f/ed/ed-1.14/main.c:197:10
    #7 0x7f93e58fd78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x419c28 in _start (/r/ed/ed+0x419c28)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free (/r/ed/ed+0x4c9bd0) in __interceptor_cfree.localalias.1
==29974==ABORTING

Reproducer:

echo -e "H\n?\{" | ed

This may only trigger when compiled using asan which we do not use.

Proposed patch:

--- a/regex.c 2017-01-06 02:06:04.000000000 +0100 +++ b/regex.c 2017-01-09 17:09:51.000000000 +0100 @@ -135,7 +135,6 @@ static regex_t * get_compiled_regex( con char buf[80]; regerror( n, exp, buf, sizeof buf ); set_error_msg( buf ); - free( exp ); exp = 0; } return exp;

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5357
http://seclists.org/oss-sec/2017/q1/78
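Review bot: dropping free( exp ) while keeping "exp = 0;" means that if exp was obtained from malloc() earlier in get_compiled_regex for this call, the error path now discards the only reference to that allocation; the hunk shows only the error path, so the origin of exp is not visible here. Confirm whether exp points at static storage (which would be consistent with the ASan report of a free() on an address that was not malloc()-ed) or at a fresh heap allocation, and in the latter case release it only when it was allocated in this call. Replacing the call with regfree( exp ) is not the right fix either, since regcomp() returned non-zero and the object holds no compiled regex to release.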
bugbot adjusting priority
It's probably not important, but shouldn't the "free(exp)" be replaced by "regfree(exp)"?
(In reply to Peter Simons from comment #5)
> It's probably not important, but shouldn't the "free(exp)" be replaced by
> "regfree(exp)"?

The line is in a code path where regcomp returned >0, e.g. the regex was not compiled or memory allocated that would need to be freed with regfree()

> n = regcomp( exp, pat, 0 );
> if( n )
>   {
>   char buf[80];
>   regerror( n, exp, buf, sizeof buf );
>   set_error_msg( buf );
>   exp = 0;
>   }
> return exp;
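The following is an added example, constructed for this page and not ed's own code, that models the error path discussed in the report and in comment #7: the compiled regex lives in static storage, so after a failed regcomp() the routine must neither free() that storage (the invalid free from the ASan report) nor regfree() it (nothing was compiled), but only drop the cached reference. The names store, exp, get_compiled_regex, last_regex_error and matches are this example's own; the pattern "a\{" stands in for the "?\{" reproducer.

```c
/* Constructed model of a cached-regex compile routine (not ed's own code). */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static regex_t store;        /* static storage: never a valid argument to free() */
static regex_t *exp = NULL;  /* &store while it holds a compiled regex, else NULL */
static char errbuf[80];      /* last regcomp() error message */

/* Compile pat into the static slot, releasing any previously compiled regex.
   Returns the compiled regex, or NULL on error with the message in errbuf. */
regex_t *get_compiled_regex(const char *pat)
{
    int n;
    if (exp) {               /* a compiled regex is cached: release it first */
        regfree(exp);
        exp = NULL;
    }
    n = regcomp(&store, pat, 0);
    if (n) {
        regerror(n, &store, errbuf, sizeof errbuf);
        /* Error path: &store is not heap memory, so free() here would be the
           invalid free reported in the bug. regcomp() failed, so store holds
           no compiled regex to regfree() either; only the reference is dropped. */
        return NULL;
    }
    exp = &store;
    return exp;
}

const char *last_regex_error(void) { return errbuf; }

/* Match against the last successfully compiled regex; 0 when none is cached. */
int matches(const char *line)
{
    return exp != NULL && regexec(exp, line, 0, NULL, 0) == 0;
}

int main(void)
{
    if (!get_compiled_regex("a\\{"))   /* unterminated interval: a compile error */
        printf("compile failed as expected: %s\n", last_regex_error());
    get_compiled_regex("^H");
    printf("\"Hello\" matches ^H: %d\n", matches("Hello"));
    return 0;
}
```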
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2017-03-01. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63370
SUSE-SU-2019:14005-1: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 1019807 CVE References: CVE-2017-5357 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): ed-0.2-1001.30.3.4 SUSE Linux Enterprise Debuginfo 11-SP4 (src): ed-0.2-1001.30.3.4 *** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:1608-1: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 1019807 CVE References: CVE-2017-5357 Sources used: SUSE Linux Enterprise Server 12-SP5 (src): ed-1.9-4.4.5 SUSE Linux Enterprise Server 12-SP4 (src): ed-1.9-4.4.5 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done