Bug 1051448 - (CVE-2017-11114) VUL-0: CVE-2017-11114: links: buffer over-read vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.3
Importance: P3 - Medium, Normal
Target Milestone: ---
Assigned To: Berthold Gunreben
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/189353/
Whiteboard: CVSSv3:SUSE:CVE-2017-11735:3.3:(AV:L...
Reported: 2017-07-31 09:58 UTC by Andreas Stieger
Modified: 2022-02-13 11:24 UTC (History)

Found By: Security Response Team
Attachments
poc.zip (1.40 KB, application/zip)
2017-07-31 09:58 UTC, Andreas Stieger
Description Andreas Stieger 2017-07-31 09:58:36 UTC
Created attachment 734534: poc.zip

From http://seclists.org/fulldisclosure/2017/Jul/76

Links buffer over-read vulnerability
Author : qflb.wu
Affected version: 2.14

The put_chars function in html_r.c in Links 2.14 can cause a denial of service (buffer over-read) via a crafted HTML file.

./links -dump links_2.14_buffer_over_read.html

=================================================================
==10690==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002303d00 at pc 0x667c5e bp 0x7ffca2e786f0 sp 0x7ffca2e786e8
READ of size 1 at 0x000002303d00 thread T0
    #0 0x667c5d in put_chars /home/a/Documents/links-2.14/html_r.c:662
    #1 0x635815 in put_chars_conv /home/a/Documents/links-2.14/html.c:725
    #2 0x5e92ec in put_chrs /home/a/Documents/links-2.14/html.c:764
    #3 0x5d23f0 in parse_html /home/a/Documents/links-2.14/html.c:2865
    #4 0x64814e in do_format /home/a/Documents/links-2.14/html_r.c:1015
    #5 0x64814e in format_html_part /home/a/Documents/links-2.14/html_r.c:1092
    #6 0x64c42b in really_format_html /home/a/Documents/links-2.14/html_r.c:1248
    #7 0x7e528e in format_html /home/a/Documents/links-2.14/session.c:1177
    #8 0x7e528e in cached_format_html /home/a/Documents/links-2.14/session.c:1420
    #9 0x73fe2a in end_dump /home/a/Documents/links-2.14/main.c:306
    #10 0x77a08e in object_timer /home/a/Documents/links-2.14/objreq.c:425
    #11 0x7beaf2 in check_timers /home/a/Documents/links-2.14/select.c:468
    #12 0x7bc09d in select_loop /home/a/Documents/links-2.14/select.c:890
    #13 0x73bdc9 in main /home/a/Documents/links-2.14/main.c:616
    #14 0x7f2765871ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #15 0x48619c in _start (/home/a/Documents/links-2.14/links+0x48619c)


0x000002303d00 is located 0 bytes to the right of global variable 'put_chars_conv.buffer' from 'html.c' (0x2303c00) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow /home/a/Documents/links-2.14/html_r.c:662 put_chars
Shadow bytes around the buggy address:
  0x000080458750: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080458760: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x000080458770: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080458780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080458790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000804587a0:[f9]f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000804587b0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000804587c0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000804587d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000804587e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000804587f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==10690==ABORTING

POC: links_2.14_buffer_over_read.html
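Added example, not Links' code and not part of the report above: a hypothetical C model of the bug class the ASan output describes, namely a function-static 256-byte conversion buffer (ASan names it 'put_chars_conv.buffer') that a put_chars-style consumer reads from. The functions `put_chars_conv_bounded`, `sink_put_chars`, `convert_one`, `drain_would_overread` and the '<' to "&lt;" expansion are constructed for illustration only; the real converter and its fault are not on this page. The hardened producer drains the buffer before any conversion that might not fit, so the consumer is never asked to read past the 256 valid bytes, and `drain_would_overread` is the length check a reviewer would apply to any drain call.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size taken from the ASan report ('put_chars_conv.buffer', size 256).
 * Everything else in this file is a constructed model, not Links' code. */
#define CONV_BUF_SIZE 256

/* Consumer side ("put_chars" in the trace): copies converted bytes into the
 * caller's output and remembers the largest chunk it was asked to read. */
struct sink { char *out; size_t cap; size_t len; size_t max_chunk; };

static int sink_put_chars(struct sink *s, const char *p, size_t n)
{
    if (n > s->max_chunk)
        s->max_chunk = n;
    if (s->len + n > s->cap)
        return -1;                      /* output exhausted: refuse, never overrun */
    memcpy(s->out + s->len, p, n);
    s->len += n;
    return 0;
}

/* Hypothetical expanding conversion: '<' becomes the 4-byte "&lt;", any other
 * byte is copied unchanged. dst must have room for 4 bytes. */
static size_t convert_one(unsigned char c, char *dst)
{
    if (c == '<') {
        memcpy(dst, "&lt;", 4);
        return 4;
    }
    dst[0] = (char)c;
    return 1;
}

/* Reviewer's check for a drain call: would the consumer read more bytes than
 * the buffer holds, either more than were filled or more than its size? */
int drain_would_overread(size_t fill, size_t requested)
{
    return requested > fill || requested > CONV_BUF_SIZE;
}

/* Hardened producer: drain before a conversion that might not fit, so the
 * write index never leaves the buffer and every chunk handed to the consumer
 * is at most CONV_BUF_SIZE bytes of initialised data. */
int put_chars_conv_bounded(const unsigned char *src, size_t n, struct sink *s)
{
    static char buffer[CONV_BUF_SIZE];  /* function-static, like the trace's global */
    size_t fill = 0;

    for (size_t i = 0; i < n; i++) {
        if (fill + 4 > CONV_BUF_SIZE) { /* 4 = worst-case expansion of one byte */
            if (sink_put_chars(s, buffer, fill) < 0)
                return -1;
            fill = 0;
        }
        fill += convert_one(src[i], buffer + fill);
    }
    if (fill > 0 && sink_put_chars(s, buffer, fill) < 0)
        return -1;
    return 0;
}

/* Constructed input: 200 '<' expand to 800 output bytes, more than three times
 * the buffer. Returns the output length and, via *max_chunk, the largest drain. */
size_t demo_expand_angle_brackets(char *out, size_t cap, size_t *max_chunk)
{
    unsigned char in[200];
    struct sink s = { out, cap, 0, 0 };

    memset(in, '<', sizeof in);
    if (put_chars_conv_bounded(in, sizeof in, &s) < 0)
        return 0;
    if (max_chunk)
        *max_chunk = s.max_chunk;
    return s.len;
}

/* Wrappers with no setup so the results can be checked directly. */
size_t demo_output_len(void)
{
    char out[1024];
    return demo_expand_angle_brackets(out, sizeof out, NULL);
}

size_t demo_max_chunk(void)
{
    char out[1024];
    size_t mc = 0;
    demo_expand_angle_brackets(out, sizeof out, &mc);
    return mc;
}

int main(void)
{
    printf("output bytes: %zu, largest drain: %zu, drain of 800 would over-read: %d\n",
           demo_output_len(), demo_max_chunk(), drain_would_overread(CONV_BUF_SIZE, 800));
    return 0;
}
```

Build with `gcc -std=c11 -fsanitize=address -g` to get the same kind of report as above: if the drain is changed to pass the whole logical output length (800 here) instead of `fill`, ASan flags the read past the function-static buffer as a global-buffer-overflow on 'put_chars_conv_bounded.buffer', which is why the trace above names a function-scoped variable as a global.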
Comment 1 Johannes Segitz 2017-07-31 11:25:09 UTC
BSK only
Comment 2 Andreas Stieger 2018-03-24 20:02:40 UTC
This is fixed in links 2.15.
https://build.opensuse.org/request/show/590855
https://build.opensuse.org/request/show/590856
Comment 3 Andreas Stieger 2018-03-30 09:12:50 UTC
Release for Leap 42.3. It was decided not to update SLE 12.
Comment 4 Swamp Workflow Management 2018-03-30 13:07:15 UTC
openSUSE-SU-2018:0853-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1051448
CVE References: CVE-2017-11114
Sources used:
openSUSE Leap 42.3 (src):    links-2.15-7.3.1