Bugzilla – Bug 1216103
AUDIT-1: hcode: Hangul text conversion utility
Last modified: 2024-04-29 14:06:24 UTC
OBS: https://build.opensuse.org/package/show/openSUSE:Factory/hcode
Upstream: http://ftp.kaist.ac.kr/hangul/code/hcode/

`hcode` converts text files with legacy 8-bit Korean character sets. Its intended use case appears to be in conjunction with email clients such as pine and elm. It's written in very old-fashioned C, hard to read, and contains a lot of low-level bit manipulation.

A preliminary static analysis provides indications of possible problems, for example:

> mail.c:239 static int cp;

`cp` is used as an index for `ibuf[1024]`. It is range-checked, but incremented later on, possibly leading to an OOB write.

Someone should have a look. Low priority.
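As an added illustration (written for this page; it is neither hcode's mail.c nor the auditor's code), the following C model shows the pattern the static analysis flags above: a cursor into a fixed 1024-byte buffer that is range-checked once and then incremented twice, next to a hardened form that reserves room for the whole output unit before storing anything. The converter semantics (bytes below 0x80 pass through as one byte, bytes at or above 0x80 start a two-byte code), the function names and the constructed input are assumptions made for the demo only. The guard region sits inside the same backing array, so the demo itself never writes outside an object.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the bug pattern named in the audit comment
 * (index range-checked once, then incremented more than once before
 * the next check). Illustrative code for this page, not hcode's mail.c.
 * Stand-in converter: bytes below 0x80 are copied as one output byte,
 * bytes at or above 0x80 are treated as the lead byte of an EUC-KR
 * style two-byte code and copied as a pair.
 */

/* Vulnerable form: one `cp < cap` check per unit, but a two-byte unit
 * performs two `out[cp++]` stores. If the check passes with
 * cp == cap - 1, the second store lands at out[cap]. */
static size_t convert_unchecked(const unsigned char *in, size_t n,
                                unsigned char *out, size_t cap)
{
    size_t cp = 0, i = 0;
    while (i < n) {
        if (cp >= cap)               /* single range check */
            break;
        if (in[i] < 0x80) {
            out[cp++] = in[i++];
        } else if (i + 1 < n) {
            out[cp++] = in[i];       /* in bounds: cp < cap held above */
            out[cp++] = in[i + 1];   /* may hit out[cap]: no re-check */
            i += 2;
        } else {
            break;                   /* truncated trailing lead byte */
        }
    }
    return cp;
}

/* Hardened form: size the whole unit first and refuse it unless that
 * many bytes remain. cp <= cap is an invariant, so `cap - cp` cannot
 * underflow. */
static size_t convert_checked(const unsigned char *in, size_t n,
                              unsigned char *out, size_t cap)
{
    size_t cp = 0, i = 0;
    while (i < n) {
        size_t need = (in[i] < 0x80) ? 1 : 2;
        if (need == 2 && i + 1 >= n)
            break;                   /* truncated trailing lead byte */
        if (cap - cp < need)
            break;                   /* unit does not fit: never split it */
        if (need == 1) {
            out[cp++] = in[i++];
        } else {
            out[cp++] = in[i];
            out[cp++] = in[i + 1];
            i += 2;
        }
    }
    return cp;
}

enum { CAP = 1024, GUARD = 16 };

struct demo_result {
    size_t written;        /* final cursor value reported by the converter */
    int guard_clobbered;   /* 1 if any guard byte past `cap` was overwritten */
};

/* Runs one converter on a constructed input (one ASCII byte followed by
 * 512 two-byte codes, i.e. 1025 output bytes for a 1024-byte buffer)
 * against a buffer followed by a guard region inside the same array. */
struct demo_result run_demo(int hardened)
{
    struct demo_result r = { 0, 0 };
    unsigned char backing[CAP + GUARD];
    unsigned char in[1 + 2 * 512];   /* constructed sample input */
    size_t k;

    memset(backing, 0xAA, sizeof backing);
    in[0] = 'A';                     /* leaves the cursor odd */
    for (k = 0; k < 512; k++) {
        in[1 + 2 * k] = 0xB0;        /* constructed EUC-KR style pair */
        in[2 + 2 * k] = 0xA1;
    }

    r.written = hardened ? convert_checked(in, sizeof in, backing, CAP)
                         : convert_unchecked(in, sizeof in, backing, CAP);

    for (k = 0; k < GUARD; k++) {
        if (backing[CAP + k] != 0xAA) {
            r.guard_clobbered = 1;
            break;
        }
    }
    return r;
}

int main(void)
{
    struct demo_result r = run_demo(0);
    printf("unchecked: wrote %zu bytes, guard %s\n", r.written,
           r.guard_clobbered ? "clobbered" : "intact");
    r = run_demo(1);
    printf("checked:   wrote %zu bytes, guard %s\n", r.written,
           r.guard_clobbered ? "clobbered" : "intact");
    return 0;
}
```

The unchecked path passes its only check at cp == 1023 and then stores at index 1024, one byte past the buffer, which is the same shape as a write at the first offset after a 1024-byte stack array; the checked path stops at 1023 bytes and leaves the guard untouched. The fix is not "check more often" but "check against the size of the unit about to be written".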
Fuzzed with afl++, using a corpus of EUC-KR encoded samples and multiple text conversion modes: no crashes.
This audit is mostly finished, just needs documentation.

Done:
- manual review
- static analysis
- fuzzing
Created attachment 874541
POC for hcode's putSDN function

1. Compile with -fsanitize=address
2. ./hcode -kd hcode_putSDN_poc output
=================================================================
==4721==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f35ab508420 at pc 0x000000407ba0 bp 0x7ffdf1513680 sp 0x7ffdf1513678
WRITE of size 1 at 0x7f35ab508420 thread T0
    #0 0x407b9f in putSDN /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/mail.c:282
    #1 0x4029ef in main /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/hcode.c:114
    #2 0x7f35ad42a1ef in __libc_start_call_main (/lib64/libc.so.6+0x2a1ef) (BuildId: 96b8eb5a4407af753cc31c18e7c116279f2eab1f)
    #3 0x7f35ad42a2b8 in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a2b8) (BuildId: 96b8eb5a4407af753cc31c18e7c116279f2eab1f)
    #4 0x4022d4 in _start ../sysdeps/x86_64/start.S:115

Address 0x7f35ab508420 is located in stack of thread T0 at offset 1056 in frame
    #0 0x4074fa in putSDN /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/mail.c:238

  This frame has 3 object(s):
    [32, 1056) 'ibuf' (line 240) <== Memory access at offset 1056 overflows this variable
    [1184, 2208) 'obuf' (line 240)
    [2336, 3360) 'tbuf' (line 240)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/wfrisch/audit/hcode/hcode2.1-mailpatch3/mail.c:282 in putSDN
Shadow bytes around the buggy address:
  0x7f35ab508180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f35ab508200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f35ab508280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f35ab508300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f35ab508380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7f35ab508400: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x7f35ab508480: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f35ab508500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f35ab508580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f35ab508600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f35ab508680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4721==ABORTING
- wrote a brief report
- submitted fix to openSUSE
- requested CVE from Mitre

Resolved.