kyz/libmspack

CVE-2017-6419

reavertm opened this issue · 2 comments

https://access.redhat.com/security/cve/CVE-2017-6419:
mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows
remote attackers to cause a denial of service (heap-based buffer
overflow and application crash) or possibly have unspecified other
impact via a crafted CHM file.

Patch from ClamAV:
Cisco-Talos/clamav@a837736

There is also https://access.redhat.com/security/cve/CVE-2017-11423

I see you committed 6139a0b - is it fixing mentioned CVE?

kyz commented

Yes, CVE-2017-6419 was found by a fuzzer against ClamAV's use of libmspack. The ClamAV team added a bounds check at the exact place that AddressSanitizer listed, but didn't look at the wider picture. There shouldn't be a bounds check necessary there, as per the logic of the comment immediately preceding it. My commit 6139a0b addresses the root cause, which is chmd.c not rejecting negative values in SpanInfo, and lzxd.c not rejecting invalid LZX output_length values, thus resulting in frame_size, bytes_todo and this_run becoming a value larger than LZX_FRAME_SIZE.

CVE-2017-11423 is a separate issue, fixed by commit 1703820, where cabd_read_string didn't check the return code of mspack_system.read for errors, and interprets negative error codes as a large number of bytes read. However, only ClamAV is susceptible to this being triggered from crafted file contents alone, because it also had a bug in its custom mspack_system implementation. Anything using the default mspack_system which passes reads to fread() cannot be made to generate a read error based on file contents.
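Added example (not libmspack's code and not the fix in commit 1703820) illustrating the second bug class kyz describes: a read callback in the style of mspack_system.read() whose negative error code, stored unchecked in an unsigned count, becomes a huge number of "bytes read", beside a hardened string reader that rejects it. The callback signature, the in-memory `src` source and the sample bytes are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>
/* Constructed callback type modelled on the mspack_system read() described
 * above (assumed shape): returns bytes read, or a negative value on error. */
typedef int (*read_fn)(void *handle, void *buf, int bytes);
/* Constructed in-memory source; 'fail' makes every read report an error. */
struct src { const unsigned char *data; int len; int pos; int fail; };

static int src_read(void *h, void *buf, int bytes) {
    struct src *s = h;
    if (s->fail) return -1;                           /* simulated read error */
    if (bytes > s->len - s->pos) bytes = s->len - s->pos;
    memcpy(buf, s->data + s->pos, (size_t) bytes);
    s->pos += bytes;
    return bytes;
}

/* The bug pattern: the result goes straight into an unsigned byte count, so
 * -1 becomes SIZE_MAX and any loop over 'count' bytes runs off the buffer. */
static size_t count_unchecked(read_fn rd, void *h, unsigned char *buf, int want) {
    return (size_t) rd(h, buf, want);
}

/* Hardened analogue of a header string reader: fill up to cap-1 bytes, stop at
 * the NUL and return its index, or -1 on a read error, EOF, or an unterminated
 * string. (Bytes consumed past the NUL are not rewound in this simplified version.) */
static int read_cstring(read_fn rd, void *h, char *out, int cap) {
    int filled = 0;
    while (filled < cap - 1) {
        int got = rd(h, out + filled, cap - 1 - filled);
        if (got <= 0) return -1;                      /* error (<0) or EOF */
        for (int i = filled; i < filled + got; i++)
            if (out[i] == '\0') return i;             /* terminator found */
        filled += got;
    }
    return -1;                                        /* no NUL within cap */
}

/* Scenarios over constructed input: "hello", a NUL, then "world" (11 bytes). */
static const unsigned char SAMPLE[] = "hello\0world";
static char g_out[16];
static size_t scenario_unchecked_error(void) {
    struct src s = { SAMPLE, 11, 0, 1 };
    return count_unchecked(src_read, &s, (unsigned char *) g_out, 8);
}
static int scenario_checked(int fail) {
    struct src s = { SAMPLE, 11, 0, fail };
    return read_cstring(src_read, &s, g_out, (int) sizeof g_out);
}
```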

Thank you.