Bug 1194246 - (CVE-2021-45927) VUL-1: CVE-2021-45927: mdbtools: stack-based buffer overflow in mdb_numeric_to_string
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware / OS: Other / Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/319378/
Reported: 2022-01-03 15:14 UTC by Alexander Bergmann
Modified: 2022-02-09 16:51 UTC
Found By: Security Response Team
Comment 1 Hans de Goede 2022-01-25 13:58:24 UTC
Fedora mdbtools package maintainer here. I spent this morning looking into:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45927

And I thought it would be good to share my findings from:
https://bugzilla.redhat.com/show_bug.cgi?id=2044864

This is somewhat weird. The original oss-fuzz report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36187

Links to 2 configs, one where it hit the bug and one where it was fixed:

https://oss-fuzz.com/revisions?job=afl_asan_mdbtools&range=202107120613:202107140601
https://oss-fuzz.com/revisions?job=afl_asan_mdbtools&range=202107140601:202107150603

What is weird here is that both point to the same mdbtools commit (the 0.9.3 release) and to the same mdbtools-data commit; the only difference between the issue being detected and it being reported fixed is the Aflplusplus commit.

Also, upstream is using oss-fuzz in mdbtools CI and there are no issues being reported there.

Still, I tried to reproduce by downloading the clusterfuzz-testcase-minimized-fuzz_mdb-4756071066501120 file from the oss-fuzz report, replacing test/data/nwind.mdb with it and then running ./test_script.sh. This does hit a crash with a NULL pointer deref with both 0.9.3 and 1.0.0 built with CFLAGS="-g -O1 -fsanitize=address", but the original report of a "Dynamic-stack-buffer-overflow WRITE 16" issue does not reproduce.

So all in all this feels like some weird false-positive from oss-fuzz.

I've also filed an issue with upstream mdbtools asking for their input:
https://github.com/mdbtools/mdbtools/issues/375

And here is the pull request for fixing the NULL ptr deref:
https://github.com/mdbtools/mdbtools/pull/376
Comment 2 Petr Gajdos 2022-02-09 16:42:56 UTC
https://github.com/mdbtools/mdbtools/issues/375

Hans, thank you a LOT for your information. I remember I tried to reproduce CVE-2021-45926 (bsc#1194245), without big success, though.

I can also confirm that
https://github.com/mdbtools/mdbtools/pull/376
fixes the null ptr deref you pointed out.
Comment 3 Petr Gajdos 2022-02-09 16:49:20 UTC
(I have tried to reproduce with mdb-tables command)
Comment 4 Petr Gajdos 2022-02-09 16:51:12 UTC
Hi security team,

could you please consider helping us find any info which would lead to identifying the issue this CVE describes? There is no obvious related commit and reproduction has been unsuccessful so far. See also bug 1194245.