Bug 1047936 - (CVE-2017-10686) VUL-0: CVE-2017-10686: nasm: Multiple heap use after free vulnerabilities
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/187634/
Whiteboard: CVSSv3:SUSE:CVE-2017-10686:6.5:(AV:N/...
Depends on:
Blocks:
Reported: 2017-07-10 11:20 UTC by Johannes Segitz
Modified: 2019-12-11 20:21 UTC

Found By: Security Response Team


Attachments:
Reproducers (2.11 KB, application/x-rar), 2017-07-10 11:20 UTC, Johannes Segitz
Description Johannes Segitz 2017-07-10 11:20:14 UTC
Created attachment 731747: Reproducers

CVE-2017-10686

In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use-after-free
vulnerabilities in the tool nasm. The related heap memory is allocated in the
token() function and freed in the detoken() function (called by pp_getline());
it is used again at multiple positions later, which can cause multiple kinds of
damage. For example, it causes a corrupted double-linked list in detoken(), a
double free or corruption in delete_Token(), and an out-of-bounds write in
detoken(). It has a high probability of leading to a remote code execution
attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10686
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10686.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10686
https://bugzilla.nasm.us/show_bug.cgi?id=3392414
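The description above gives the shape of the bug: a token list allocated in token() is freed inside detoken() and then touched again by the caller. The following is an added example and not nasm's code; token(), delete_Token() and detoken() here are hypothetical models named after the functions in the CVE text, and it shows the ownership discipline (free through a double pointer and clear the caller's reference) that turns a later stale use into a NULL check instead of a use-after-free.

```c
/* Added example, not nasm's code: hypothetical model of the pattern in the CVE
 * text. Build with -fsanitize=address to have any stale use reported on first access. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Token {
    char *text;
    struct Token *next;
} Token;

/* Model of token(): one heap node per lexeme, linked after prev if given. */
Token *token(Token *prev, const char *text) {
    Token *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->text = strdup(text);
    if (prev) prev->next = t;
    return t;
}

/* Model of delete_Token(): free one node and hand back its successor. */
Token *delete_Token(Token *t) {
    Token *next = t->next;
    free(t->text);
    free(t);
    return next;
}

/* Model of detoken(): write the tokens space-separated into buf (cap > 0), freeing
 * each node. Clearing *list is the hardening step; a version that took Token * by
 * value would leave the caller holding a pointer into freed memory. */
size_t detoken(Token **list, char *buf, size_t cap) {
    size_t n = 0;
    buf[0] = '\0';
    for (Token *t = *list; t; t = delete_Token(t)) {
        int w = snprintf(buf + n, cap - n, "%s%s", n ? " " : "", t->text);
        n = (w < 0 || (size_t)w >= cap - n) ? cap - 1 : n + (size_t)w; /* truncation keeps NUL */
    }
    *list = NULL;
    return n;
}

/* Constructed input "mov eax 1": consume it, return -1 if the caller's pointer
 * still aliases freed memory, otherwise the length of the flattened line. */
int demo_ownership(char *line, size_t cap) {
    Token *head = token(NULL, "mov");
    token(token(head, "eax"), "1");
    size_t n = detoken(&head, line, cap);
    return head != NULL ? -1 : (int)n;
}
```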
Comment 1 Adam Majer 2017-07-11 15:45:24 UTC
The reproducer with nasm seems to cause valgrind to do funny things:

Dump of assembler code from 0x443d6f to 0x443dbf:
   0x0000000000443d6f <paste_tokens+894>:       jmp    0x443dad <paste_tokens+956>
   0x0000000000443d71 <paste_tokens+896>:       mov    -0x8(%rbp),%rax
   0x0000000000443d75 <paste_tokens+900>:       mov    0x8(%rax),%rdx
   0x0000000000443d79 <paste_tokens+904>:       mov    -0x30(%rbp),%rax
   0x0000000000443d7d <paste_tokens+908>:       mov    %rdx,%rsi
   0x0000000000443d80 <paste_tokens+911>:       mov    %rax,%rdi
   0x0000000000443d83 <paste_tokens+914>:       callq  0x401260 <strcpy@plt>
   0x0000000000443d88 <paste_tokens+919>:       mov    -0x30(%rbp),%rax
   0x0000000000443d8c <paste_tokens+923>:       mov    $0x0,%esi
   0x0000000000443d91 <paste_tokens+928>:       mov    %rax,%rdi
   0x0000000000443d94 <paste_tokens+931>:       callq  0x4012f0 <strchr@plt>
   0x0000000000443d99 <paste_tokens+936>:       mov    %rax,-0x30(%rbp)
   0x0000000000443d9d <paste_tokens+940>:       mov    -0x8(%rbp),%rax
   0x0000000000443da1 <paste_tokens+944>:       mov    %rax,%rdi
   0x0000000000443da4 <paste_tokens+947>:       callq  0x43d2b0 <delete_Token>
   0x0000000000443da9 <paste_tokens+952>:       mov    %rax,-0x8(%rbp)
   0x0000000000443dad <paste_tokens+956>:       mov    -0x8(%rbp),%rax
   0x0000000000443db1 <paste_tokens+960>:       cmp    -0x10(%rbp),%rax
   0x0000000000443db5 <paste_tokens+964>:       jne    0x443d71 <paste_tokens+896>
   0x0000000000443db7 <paste_tokens+966>:       mov    -0x48(%rbp),%rax
   0x0000000000443dbb <paste_tokens+970>:       mov    %rax,%rdi
   0x0000000000443dbe <paste_tokens+973>:       callq  0x43c28e <tokenize>
End of assembler dump.

And doing stepi results in this execution trace:

rip            0x443d6f 0x443d6f <paste_tokens+894>
rip            0x443dad 0x443dad <paste_tokens+956>
rip            0x443db1 0x443db1 <paste_tokens+960>
rip            0x443db5 0x443db5 <paste_tokens+964>
rip            0x443ca8 0x443ca8 <paste_tokens+695>   <--- HUH??

Execution takes the correct path when running this without valgrind (3.13.0-196.d_t.1).
Comment 2 Adam Majer 2017-07-25 10:06:46 UTC
Patches submitted upstream for review.
Comment 4 Adam Majer 2017-07-25 12:25:58 UTC
Fixes submitted to all codestreams. Re-assigning back to security team.
Comment 7 Bernhard Wiedemann 2017-07-26 14:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (1047936) was mentioned in
https://build.opensuse.org/request/show/512649 Factory / nasm
Comment 8 Swamp Workflow Management 2017-07-28 16:01:37 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-08-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63807
Comment 9 Swamp Workflow Management 2017-08-02 09:10:28 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-08-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63812
Comment 10 Swamp Workflow Management 2017-08-04 19:08:48 UTC
SUSE-SU-2017:2044-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047925,1047936
CVE References: CVE-2017-10686,CVE-2017-11111
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    nasm-2.10.09-4.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    nasm-2.10.09-4.5.1
Comment 11 Swamp Workflow Management 2017-08-04 19:09:13 UTC
SUSE-SU-2017:2045-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1047936
CVE References: CVE-2017-10686
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    nasm-2.03.90-2.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    nasm-2.03.90-2.3.1
Comment 12 Andreas Stieger 2017-08-09 20:13:16 UTC
release for Leap, done
Comment 13 Swamp Workflow Management 2017-08-10 01:12:55 UTC
openSUSE-SU-2017:2125-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047925,1047936
CVE References: CVE-2017-10686,CVE-2017-11111
Sources used:
openSUSE Leap 42.3 (src):    nasm-2.10.09-10.1
openSUSE Leap 42.2 (src):    nasm-2.10.09-7.3.1
Comment 18 Swamp Workflow Management 2019-12-11 20:21:04 UTC
SUSE-SU-2019:14246-1: An update that fixes 118 vulnerabilities is now available.

Category: security (important)
Bug References: 1000036,1001652,1025108,1029377,1029902,1040164,104105,1042670,1043008,1044946,1047925,1047936,1048299,1049186,1050653,1056058,1058013,1066242,1066953,1070738,1070853,1072320,1072322,1073796,1073798,1073799,1073803,1073808,1073818,1073823,1073829,1073830,1073832,1073846,1074235,1077230,1079761,1081750,1082318,1087453,1087459,1087463,1088573,1091764,1094814,1097158,1097375,1097401,1097404,1097748,1104841,1105019,1107030,1109465,1117473,1117626,1117627,1117629,1117630,1120644,1122191,1123482,1124525,1127532,1129346,1130694,1130840,1133452,1133810,1134209,1138459,1140290,1140868,1141853,1144919,1145665,1146090,1146091,1146093,1146094,1146095,1146097,1146099,1146100,1149323,1153423,1154738,1447070,1447409,744625,744629,845955,865853,905528,917607,935856,937414,947747,948045,948602,955142,957814,957815,961254,962297,966076,966077,985201,986541,991344,998743
CVE References: CVE-2013-2882,CVE-2013-6639,CVE-2013-6640,CVE-2013-6668,CVE-2014-0224,CVE-2015-3193,CVE-2015-3194,CVE-2015-5380,CVE-2015-7384,CVE-2016-2086,CVE-2016-2178,CVE-2016-2183,CVE-2016-2216,CVE-2016-5172,CVE-2016-5325,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7099,CVE-2017-1000381,CVE-2017-10686,CVE-2017-11111,CVE-2017-11499,CVE-2017-14228,CVE-2017-14849,CVE-2017-14919,CVE-2017-15896,CVE-2017-15897,CVE-2017-17810,CVE-2017-17811,CVE-2017-17812,CVE-2017-17813,CVE-2017-17814,CVE-2017-17815,CVE-2017-17816,CVE-2017-17817,CVE-2017-17818,CVE-2017-17819,CVE-2017-17820,CVE-2017-18207,CVE-2017-3735,CVE-2017-3736,CVE-2017-3738,CVE-2018-0732,CVE-2018-1000168,CVE-2018-12115,CVE-2018-12116,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-20406,CVE-2018-20852,CVE-2018-7158,CVE-2018-7159,CVE-2018-7160,CVE-2018-7161,CVE-2018-7167,CVE-2019-10160,CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11718,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-13173,CVE-2019-15903,CVE-2019-5010,CVE-2019-5737,CVE-2019-9511,CVE-2019-9512,CVE-2019-9513,CVE-2019-9514,CVE-2019-9515,CVE-2019-9516,CVE-2019-9517,CVE-2019-9518,CVE-2019-9636,CVE-2019-9811,CVE-2019-9812,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-68.2.0-78.51.4, MozillaFirefox-branding-SLED-68-21.9.8, firefox-atk-2.26.1-2.8.4, firefox-cairo-1.15.10-2.13.4, firefox-gcc5-5.3.1+r233831-14.1, firefox-gcc8-8.2.1+r264010-2.5.1, firefox-gdk-pixbuf-2.36.11-2.8.4, firefox-glib2-2.54.3-2.14.7, firefox-gtk3-3.10.9-2.15.3, firefox-harfbuzz-1.7.5-2.7.4, firefox-libffi-3.2.1.git259-2.3.3, firefox-libffi-gcc5-5.3.1+r233831-14.1, firefox-pango-1.40.14-2.7.4, mozilla-nspr-4.21-29.6.1, mozilla-nss-3.45-38.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.