Bug 1040917 (CVE-2016-10375)

Summary: VUL-0: CVE-2016-10375: yodl: invalid memory read in queue_push()
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2016-10375:3.6:(AV:L/AC:L/Au:N/C:P/I:N/A:P) CVSSv3:SUSE:CVE-2016-10375:5.1:(AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) CVSSv2:NVD:CVE-2016-10375:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2017-05-26 09:25:38 UTC 
https://github.com/fbb-git/yodl/issues/1

Compiling yodl with address sanitizer (-fsanitize=address) shows an invalid memory read in the function queue_push().

==19388==ERROR: AddressSanitizer: unknown-crash on address 0x61400000ee40 at pc 0x418d47 bp 0x7ffe39342bc0 sp 0x7ffe39342bb0
READ of size 613 at 0x61400000ee40 thread T0
    #0 0x418d46 in queue_push /tmp/yodl-3.05.01/src/queue/queuepush.c:51
    #1 0x41436d in lexer_push_str /tmp/yodl-3.05.01/src/lexer/lexerpushstr.c:28
    #2 0x41c6b0 in p_expand_macro /tmp/yodl-3.05.01/src/parser/pexpandmacro.c:51
    #3 0x41c0d7 in p_default_symbol /tmp/yodl-3.05.01/src/parser/pdefaultesymbol.c:20
    #4 0x4167b3 in p_handle_default_symbol /tmp/yodl-3.05.01/src/parser/phandledefaultsymbol.c:5
    #5 0x40dd26 in p_parse /tmp/yodl-3.05.01/src/parser/pparse.c:18
    #6 0x40cbe6 in parser_process /tmp/yodl-3.05.01/src/parser/parserprocess.c:39
    #7 0x407e5a in main /tmp/yodl-3.05.01/src/yodl/yodl.c:14
    #8 0x7f0ed56d761f in __libc_start_main (/lib64/libc.so.6+0x2061f)
    #9 0x401e28 in _start (/tmp/yodl-3.05.01/tmp/install/usr/bin/yodl+0x401e28)

0x61400000efd7 is located 0 bytes to the right of 407-byte region [0x61400000ee40,0x61400000efd7)
allocated by thread T0 here:
    #0 0x7f0ed5aab7d7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x577d7)
    #1 0x409c4b in n_malloc /tmp/yodl-3.05.01/src/new/nmalloc.c:11
    #2 0x418533 in new_memory ../new/new.h:42
    #3 0x4185e1 in queue_construct /tmp/yodl-3.05.01/src/queue/queueconstruct.c:11
    #4 0x41499b in l_media_construct_memory /tmp/yodl-3.05.01/src/lexer/lmediaconstructmemory.c:9
    #5 0x4150a8 in l_push /tmp/yodl-3.05.01/src/lexer/lpush.c:15
    #6 0x414171 in lexer_push_str /tmp/yodl-3.05.01/src/lexer/lexerpushstr.c:20
    #7 0x41c6b0 in p_expand_macro /tmp/yodl-3.05.01/src/parser/pexpandmacro.c:51
    #8 0x41c0d7 in p_default_symbol /tmp/yodl-3.05.01/src/parser/pdefaultesymbol.c:20
    #9 0x4167b3 in p_handle_default_symbol /tmp/yodl-3.05.01/src/parser/phandledefaultsymbol.c:5
    #10 0x40dd26 in p_parse /tmp/yodl-3.05.01/src/parser/pparse.c:18
    #11 0x40cbe6 in parser_process /tmp/yodl-3.05.01/src/parser/parserprocess.c:39
    #12 0x407e5a in main /tmp/yodl-3.05.01/src/yodl/yodl.c:14
    #13 0x7f0ed56d761f in __libc_start_main (/lib64/libc.so.6+0x2061f)

SUMMARY: AddressSanitizer: unknown-crash /tmp/yodl-3.05.01/src/queue/queuepush.c:51 queue_push
Shadow bytes around the buggy address:
  0x0c287fff9d70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c287fff9d80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c287fff9d90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fff9da0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fff9db0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c287fff9dc0: fa fa fa fa fa fa fa fa[00]00 00 00 00 00 00 00
  0x0c287fff9dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9df0: 00 00 00 00 00 00 00 00 00 00 07 fa fa fa fa fa
  0x0c287fff9e00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c287fff9e10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==19388==ABORTING



Fixed in https://github.com/fbb-git/yodl/commit/fd85f8c94182558ff1480d06a236d6fb927979a3
Unknown effect, likely DoS through specially crafted files at most.
Comment 1 Marcus Meissner 2017-05-26 15:08:56 UTC 
CVE requested
Comment 2 Marcus Meissner 2017-05-26 15:22:41 UTC 
sle12 version affected, sle11 apparently not
Comment 3 Marcus Meissner 2017-05-26 21:01:05 UTC 
CVE-2016-10375
Comment 4 Petr Gajdos 2017-05-29 09:08:32 UTC 
Packages submitted.
Comment 5 Bernhard Wiedemann 2017-05-29 10:00:43 UTC 
This is an autogenerated message for OBS integration:
This bug (1040917) was mentioned in
https://build.opensuse.org/request/show/498899 42.2 / yodl
Comment 7 Swamp Workflow Management 2017-06-08 13:10:17 UTC 
SUSE-SU-2017:1504-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1040917
CVE References: CVE-2016-10375
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    yodl-3.03.0-3.1
Comment 8 Swamp Workflow Management 2017-06-08 16:26:01 UTC 
openSUSE-SU-2017:1516-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1040917
CVE References: CVE-2016-10375
Sources used:
openSUSE Leap 42.2 (src):    yodl-3.05.01-3.3.1
Comment 9 Marcus Meissner 2017-10-26 06:15:18 UTC 
released