Bug 1026090 - (CVE-2017-6060) VUL-0: CVE-2017-6060: mupdf: mujstest: stack-based buffer overflow in main jstest_main.c
(CVE-2017-6060)
VUL-0: CVE-2017-6060: mupdf: mujstest: stack-based buffer overflow in main js...
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Other
Leap 42.2
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Ismail Dönmez
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-02-20 09:42 UTC by Marcus Meissner
Modified: 2017-04-29 16:57 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
stackoverflow example (6.24 KB, application/octet-stream)
2017-02-20 10:02 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-02-20 09:42:20 UTC
OSS:2017/Q1/458 References: http://seclists.org/oss-sec/2017/q1/458

 mupdf: mujstest: stack-based buffer overflow in main (jstest_main.c) From: Agostino Sarubbo <ago () gentoo org>
Date: Sat, 18 Feb 2017 12:38:45 +0100

Description:
Mujstest, which is part of mupdf is a scriptable tester for mupdf + js.

A crafted image posted early for another issue, causes a stack overflow.

The complete ASan output:

# mujstest $FILE
==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0
WRITE of size 1453 at 0x7fff29560b00 thread T0
    #0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-
r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548
    #1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
source/platform/x11/jstest_main.c:358:7
    #2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)

Address 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in 
frame
    #0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
source/platform/x11/jstest_main.c:293

  This frame has 7 object(s):
    [32, 1056) 'path'
    [1184, 2208) 'text' <== Memory access at offset 1056 partially underflows 
this variable
    [2336, 2340) 'w' <== Memory access at offset 1056 partially underflows 
this variable
    [2352, 2356) 'h' <== Memory access at offset 1056 partially underflows 
this variable
    [2368, 2372) 'x' <== Memory access at offset 1056 partially underflows 
this variable
    [2384, 2388) 'y' <== Memory access at offset 1056 partially underflows 
this variable
    [2400, 2404) 'b' 0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 
f2 f2
  0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32127==ABORTING

Affected version:
1.10a

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6060

Reproducer:
https://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main

Timeline:
2017-02-05: bug discovered and reported to upstream
2017-02-17: blog post about the issue
2017-02-17: CVE assigned via cveform.mitre.org

Note:
This bug was found with Address Sanitizer.

Permalink:
https://blogs.gentoo.org/ago/2017/02/17/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
Comment 1 Marcus Meissner 2017-02-20 09:59:03 UTC
we do not seem to ship this binary.
Comment 2 Marcus Meissner 2017-02-20 10:02:22 UTC
Created attachment 714732 [details]
stackoverflow example

stackoverflow example
Comment 3 Dr. Werner Fink 2017-02-20 10:26:28 UTC
Not maintainer of mupdf ... what mupdf is?
Comment 4 Ismail Dönmez 2017-02-20 10:44:59 UTC
We don't ship test binaries.
Comment 5 Marcus Meissner 2017-02-20 10:46:10 UTC
I used "osc bugowner"; which fell back to bzugowner (Publishing).

sorry for that.

I agree with closing
Comment 6 Ismail Dönmez 2017-02-20 10:47:58 UTC
(In reply to Marcus Meissner from comment #5)
> I used "osc bugowner"; which fell back to bzugowner (Publishing).
> 
> sorry for that.

My fault, I added myself as bugowner now.
 
> I agree with closing

Thanks.
Comment 7 Mikhail Kasimov 2017-04-29 15:29:06 UTC
Ref: http://seclists.org/oss-sec/2017/q2/156
==============================================
Fixed by:

http://git.ghostscript.com/?p=user/sebras/mupdf.git;a=blobdiff;f=platform/x11/jstest_main.c;h=f158d9628ed0c0a84e37fe128277679e8334422a;hp=13c3a0a3ba3ff4aae29f6882d23740833c1d842f;hb=06a012a42c9884e3cd653e7826cff1ddec04eb6e;hpb=34e18d127a02146e3415b33c4b67389ce1ddb614
==============================================

> we do not seem to ship this binary

https://software.opensuse.org/package/mupdf

(open-)SUSE: https://software.opensuse.org/package/mupdf

1.10a (TW, 42.2, official repo)
1.7a (42.1, official repo)

REOPENED?
Comment 8 Ismail Dönmez 2017-04-29 16:57:46 UTC
Hi Mikhail,

(In reply to Mikhail Kasimov from comment #7)
> Ref: http://seclists.org/oss-sec/2017/q2/156
> ==============================================
> Fixed by:
> 
> http://git.ghostscript.com/?p=user/sebras/mupdf.git;a=blobdiff;f=platform/
> x11/jstest_main.c;h=f158d9628ed0c0a84e37fe128277679e8334422a;
> hp=13c3a0a3ba3ff4aae29f6882d23740833c1d842f;
> hb=06a012a42c9884e3cd653e7826cff1ddec04eb6e;
> hpb=34e18d127a02146e3415b33c4b67389ce1ddb614
> ==============================================
> 
> > we do not seem to ship this binary
> 
> https://software.opensuse.org/package/mupdf
> 
> (open-)SUSE: https://software.opensuse.org/package/mupdf
> 
> 1.10a (TW, 42.2, official repo)
> 1.7a (42.1, official repo)
> 
> REOPENED?

We don't ship the mujstest binary.