Bug 1194246 - (CVE-2021-45927) VUL-1: CVE-2021-45927: mdbtools: stack-based buffer overflow in mdb_numeric_to_string
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Leap 15.3
Other Other
P4 - Low : Minor
Assigned To: Security Team bot
Depends on:
Reported: 2022-01-03 15:14 UTC by Alexander Bergmann
Modified: 2022-02-09 16:51 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Hans de Goede 2022-01-25 13:58:24 UTC
Fedora mdbtools package maintainer here. I spent this morning looking into:

And I thought it would be good to share my findings from:

This is somewhat weird: the original oss-fuzz report:

Links to 2 configs, one where it hit the bug and one where it was fixed:


What is weird here is that both point to the same mdbtools commit (the 0.9.3 release) and to the same mdbtools-data commit; the only difference between the issue being detected and it being reported fixed is the Aflplusplus commit.

Also upstream is using oss-fuzz in mdbtools CI and there are no issues being reported there.

Still, I tried to reproduce by downloading the clusterfuzz-testcase-minimized-fuzz_mdb-4756071066501120 file from the oss-fuzz report, replacing test/data/nwind.mdb with it and then running ./test_script.sh. This does hit a crash with a NULL pointer deref with both 0.9.3 and 1.0.0 built with CFLAGS="-g -O1 -fsanitize=address", but the original report of a "Dynamic-stack-buffer-overflow WRITE 16" issue does not reproduce.

So all in all this feels like some weird false-positive from oss-fuzz.

I've also filed an issue with upstream mdbtools asking for their input:

And here is the pull-req for fixing the NULL ptr deref:
Comment 2 Petr Gajdos 2022-02-09 16:42:56 UTC

Hans, thank you a LOT for your information. I remember I tried to reproduce CVE-2021-45926 (bsc#1194245), without big success, though.

I also can confirm that
fixes the null ptr deref you pointed out.
Comment 3 Petr Gajdos 2022-02-09 16:49:20 UTC
(I have tried to reproduce with mdb-tables command)
Comment 4 Petr Gajdos 2022-02-09 16:51:12 UTC
Hi security team,

could you please consider helping us find any info which would lead to identifying the issue this CVE describes? There is no obvious related commit and reproduction has been unsuccessful so far. See also bug 1194245.