Bugzilla – Bug 1194246
VUL-1: CVE-2021-45927: mdbtools: stack-based buffer overflow in mdb_numeric_to_string
Last modified: 2022-02-09 16:51:12 UTC
CVE-2021-45927 MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at 0x7ffd6e029ee0) in mdb_numeric_to_string (called from mdb_xfer_bound_data and _mdb_attempt_bind).
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45927
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45927
https://github.com/mdbtools/mdbtools/commit/373b7ff4c4daf887269c078407cb1338942c4ea6
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mdbtools/OSV-2021-1003.yaml
http://www.cvedetails.com/cve/CVE-2021-45927/
Fedora mdbtools package maintainer here. I spent this morning looking into https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45927 and I thought it would be good to share my findings from https://bugzilla.redhat.com/show_bug.cgi?id=2044864
This is somewhat weird. The original oss-fuzz report (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36187) links to 2 configs, one where it hit the bug and one where it was fixed:
https://oss-fuzz.com/revisions?job=afl_asan_mdbtools&range=202107120613:202107140601
https://oss-fuzz.com/revisions?job=afl_asan_mdbtools&range=202107140601:202107150603
What is weird here is that both point to the same mdbtools commit (the 0.9.3 release) and to the same mdbtools-data commit; the only difference between the issue being detected and it being reported fixed is the Aflplusplus commit. Also, upstream is using oss-fuzz in the mdbtools CI and there are no issues being reported there.
Still, I tried to reproduce by downloading the clusterfuzz-testcase-minimized-fuzz_mdb-4756071066501120 file from the oss-fuzz report, replacing test/data/nwind.mdb with it and then running ./test_script.sh. This does hit a crash with a NULL pointer deref with both 0.9.3 and 1.0.0 built with CFLAGS="-g -O1 -fsanitize=address", but the original report of a "Dynamic-stack-buffer-overflow WRITE 16" issue does not reproduce.
So all in all this feels like some weird false positive from oss-fuzz. I've also filed an issue with upstream mdbtools asking for their input: https://github.com/mdbtools/mdbtools/issues/375
And here is the pull request for fixing the NULL ptr deref: https://github.com/mdbtools/mdbtools/pull/376
https://github.com/mdbtools/mdbtools/issues/375 Hans, thank you a LOT for your information. I remember I tried to reproduce CVE-2021-45926 (bsc#1194245), without big success, though. I can also confirm that https://github.com/mdbtools/mdbtools/pull/376 fixes the null ptr deref you pointed out.
(I have tried to reproduce with mdb-tables command)
Hi security team, could you please consider helping us find any info which would lead to identifying the issue this CVE describes? There is no obvious related commit and reproduction has been unsuccessful so far. See also bug 1194245.