Bugzilla – Bug 1194246
VUL-1: CVE-2021-45927: mdbtools: stack-based buffer overflow in mdb_numeric_to_string
Last modified: 2022-02-09 16:51:12 UTC
MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at
0x7ffd6e029ee0) in mdb_numeric_to_string (called from mdb_xfer_bound_data and
Fedora mdbtools package maintainer here. I spent this morning looking into:
And I thought it would be good to share my findings from:
The original oss-fuzz report is somewhat weird:
Links to 2 configs, one where it hit the bug and one where it was fixed:
What is weird here is that both point to the same mdbtools commit (the 0.9.3 release) and to the same mdbtools-data commit; the only difference between the issue being detected and it being reported fixed is the Aflplusplus commit.
Also, upstream is using oss-fuzz in mdbtools CI and there are no issues being reported there.
Still, I tried to reproduce by downloading the clusterfuzz-testcase-minimized-fuzz_mdb-4756071066501120 file from the oss-fuzz report, replacing test/data/nwind.mdb with it and then running ./test_script.sh. This does hit a crash with a NULL pointer deref with both 0.9.3 and 1.0.0 built with CFLAGS="-g -O1 -fsanitize=address", but the original report of a "Dynamic-stack-buffer-overflow WRITE 16" issue does not reproduce.
So all in all this feels like some weird false-positive from oss-fuzz.
I've also filed an issue with upstream mdbtools asking for their input:
And here is the pull request for fixing the NULL ptr deref:
Hans, thank you a LOT for your information. I remember I tried to reproduce CVE-2021-45926 (bsc#1194245), without big success, though.
I also can confirm that
fixes the null ptr deref you pointed out.
(I have tried to reproduce with mdb-tables command)
Hi security team,
could you please consider helping us find any information that would identify the issue this CVE describes? There is no obvious related commit, and reproduction has been unsuccessful so far. See also bug 1194245.