Bugzilla – Bug 1045315
VUL-0: CVE-2012-6706: unrar: VMSF_DELTA filter allows arbitrary memory write
Last modified: 2018-11-21 23:41:53 UTC
VMSF_DELTA filter in unrar allows arbitrary memory write

It appears that the VMSF_DELTA memory corruption that was reported to Sophos AV in 2012 (and fixed there) was actually inherited from upstream unrar. For unknown reasons the information did not reach upstream rar or was otherwise lost, and the bug seems to have persisted there to this day.

Base64-encoded RAR file reproducer to trigger the VMSF_DELTA issue:

UmFyIRoHAPlOcwAADgAAAAAAAAAAMAh0AAAmAI4AAAAAAAAAAhBBUiEAAAAAHQAGAAAAACBzdGRv
dXQgIVUMzRDNmBGByDAda+AXaSv4KvQr1K/oejL05mXmXmww5tEk8gA9k8nmieyeyeswuOR6cx69
a2Hd6zQwu3aoMDDwMEswADAAMD4P938w+dydoRFwAmwAAAAAvv////+/////+9W3QFgAAQAGAAAA
Ooimhd12AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

References:
https://blog.fefe.de/?ts=a7b4dd4f
https://bugs.chromium.org/p/project-zero/issues/detail?id=1286&desc=6
Created attachment 729666 [details] VMSF_DELTA_reproducer.rar
Fix in version 5.5.5. http://www.rarlab.com/rar/unrarsrc-5.5.5.tar.gz
*** Bug 1045310 has been marked as a duplicate of this bug. ***
From the older (marked as duplicate) ticket:
> Update to 5.5.5 is in https://build.opensuse.org/request/show/505241

This has since been accepted, so the Archiving project has the fix. The request to get this into Factory: https://build.opensuse.org/request/show/505244
This may affect clamav libclamunrar/unrarvm.c :: execute_standard_filter()

> int i, j, data_size, channels, src_pos, dest_pos, border, width, PosR;
> [...]
> case VMSF_DELTA:
>     data_size = rarvm_data->R[4];
>     channels = rarvm_data->R[0];
>     [...]
>     if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2) {
>         break;
>     }
>     for (cur_channel=0 ; cur_channel < channels ; cur_channel++) {
>         unsigned char prev_byte = 0;
>         for (dest_pos=data_size+cur_channel ; dest_pos<border ; dest_pos+=channels) {
>              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>             rarvm_data->mem[dest_pos] = (prev_byte -= rarvm_data->mem[src_pos++]);
>         }
>     }
>     break;
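As an added illustration (not code from unrar, ClamAV or the attached fix), the following stand-alone C model puts the loop shape quoted above next to a hardened form that also bounds the channel count before it is used as an index. The VM size, the MAX_DELTA_CHANNELS bound, the function names and the sample data are all assumptions chosen for the example; the channel check is the example's own and is not quoted from the upstream patch.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VM_MEMSIZE         0x40000u  /* assumed RAR VM memory size for this example */
#define MAX_DELTA_CHANNELS 1024u     /* assumed bound on channels for the hardened form */

/* Loop shape quoted from ClamAV in this bug, with the same int types.
 * Only data_size is bounded; channels comes straight from VM register R[0].
 * For channels close to INT_MAX the outer loop eventually makes
 * data_size + cur_channel exceed INT_MAX; dest_pos wraps negative in practice,
 * still satisfies dest_pos < border, and mem[dest_pos] writes before the
 * buffer. Kept only for comparison on benign input; never pass it untrusted
 * parameters. */
static void vmsf_delta_vulnerable(unsigned char *mem, int data_size, int channels)
{
    int src_pos = 0, border = data_size * 2;
    if ((unsigned int)data_size >= VM_MEMSIZE / 2)
        return;
    for (int cur_channel = 0; cur_channel < channels; cur_channel++) {
        unsigned char prev_byte = 0;
        for (int dest_pos = data_size + cur_channel; dest_pos < border; dest_pos += channels)
            mem[dest_pos] = (prev_byte -= mem[src_pos++]);
    }
}

/* Hardened form: unsigned indices and every register-derived value bounded
 * before use. With data_size <= VM_MEMSIZE/2 and channels <= MAX_DELTA_CHANNELS,
 * data_size + cur_channel cannot wrap, every dest_pos lies in
 * [data_size, border) and border <= mem_size. */
static bool vmsf_delta_hardened(uint8_t *mem, size_t mem_size,
                                uint32_t data_size, uint32_t channels)
{
    if (data_size > VM_MEMSIZE / 2 || (size_t)data_size * 2 > mem_size)
        return false;
    if (channels == 0 || channels > MAX_DELTA_CHANNELS)
        return false;                        /* the check the quoted loop lacks */
    uint32_t border = data_size * 2, src_pos = 0;
    for (uint32_t cur_channel = 0; cur_channel < channels; cur_channel++) {
        uint8_t prev_byte = 0;
        for (uint32_t dest_pos = data_size + cur_channel; dest_pos < border; dest_pos += channels)
            mem[dest_pos] = (uint8_t)(prev_byte -= mem[src_pos++]);
    }
    return true;  /* each index in [data_size, border) written once: src_pos == data_size */
}

/* Inverse of the filter, used only to build test input: writes the per-channel
 * deltas of the data_size sample bytes at mem[data_size..] into mem[0..data_size). */
static void delta_encode(uint8_t *mem, uint32_t data_size, uint32_t channels)
{
    uint32_t src_pos = 0, border = data_size * 2;
    for (uint32_t cur_channel = 0; cur_channel < channels; cur_channel++) {
        uint8_t prev_byte = 0;
        for (uint32_t pos = data_size + cur_channel; pos < border; pos += channels) {
            mem[src_pos++] = (uint8_t)(prev_byte - mem[pos]);
            prev_byte = mem[pos];
        }
    }
}

/* Round trip on constructed sample data: both implementations must restore
 * the original bytes for benign parameters. */
static bool delta_roundtrip(uint32_t data_size, uint32_t channels)
{
    uint8_t *mem = calloc(VM_MEMSIZE, 1), *vmem = calloc(VM_MEMSIZE, 1);
    uint8_t *orig = malloc(data_size);
    bool ok = false;
    if (mem && vmem && orig && channels != 0) {
        for (uint32_t i = 0; i < data_size; i++)  /* constructed, not a real stream */
            orig[i] = (uint8_t)(i * 37 + (i % channels) * 11);
        memcpy(mem + data_size, orig, data_size);
        delta_encode(mem, data_size, channels);
        memset(mem + data_size, 0, data_size);
        memcpy(vmem, mem, data_size);
        ok = vmsf_delta_hardened(mem, VM_MEMSIZE, data_size, channels)
          && memcmp(mem + data_size, orig, data_size) == 0;
        vmsf_delta_vulnerable(vmem, (int)data_size, (int)channels);
        ok = ok && memcmp(vmem + data_size, orig, data_size) == 0;
    }
    free(mem); free(vmem); free(orig);
    return ok;
}

/* For the vulnerable loop: the first cur_channel at which data_size + cur_channel
 * exceeds INT_MAX (dest_pos turns negative), or -1 if the loop never gets there. */
static long long first_wrapping_channel(int data_size, int channels)
{
    long long wrap_at = (long long)INT_MAX - data_size + 1;
    return (data_size >= 0 && channels > wrap_at) ? wrap_at : -1;
}

int main(void)
{
    printf("round trip, 2 channels: %s\n", delta_roundtrip(4096, 2) ? "ok" : "FAIL");
    printf("channels=0 rejected: %s\n",
           !vmsf_delta_hardened((uint8_t[16]){0}, 16, 4, 0) ? "ok" : "FAIL");
    printf("channels=INT_MAX rejected: %s\n",
           !vmsf_delta_hardened((uint8_t[16]){0}, 16, 4, INT_MAX) ? "ok" : "FAIL");
    printf("vulnerable loop wraps at cur_channel=%lld\n", first_wrapping_channel(256, INT_MAX));
    return 0;
}
```

Reaching the wrap in the vulnerable form costs on the order of 2^31 outer iterations, which is why a reproducer that does not crash a given build quickly says little about whether the unchecked channel count is present; the bound on channels removes the condition regardless of how long the loop would take to get there.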
This is an autogenerated message for OBS integration: This bug (1045315) was mentioned in https://build.opensuse.org/request/show/505569 42.2:NonFree / unrar
(In reply to Andreas Stieger from comment #5)
> This may affect clamav libclamunrar/unrarvm.c

I've tried to scan the reproducer archive with clamscan and it didn't crash. Not sure if that means it is not vulnerable or just that the vulnerability cannot be triggered the same way as with the unrar binary.
After looking at the code again, I agree that ClamAV is probably vulnerable even though the demo archive doesn't crash it. Andreas, does it make sense to handle ClamAV in a separate bug report?
Hi Reinhard! Cloned and assigned bsc#1045490.
The specific VMSF_DELTA fix was introduced between unrar version 5.5.3 and 5.5.4.
Created attachment 729820 [details] VMSF_DELTA fix
CVE-2012-6706 was assigned to this issue.
openSUSE-SU-2017:1658-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1045315
CVE References: CVE-2012-6706
Sources used:
openSUSE Leap 42.2:NonFree (src): unrar-5.5.5-3.1
| Codestream                 | Request |
|----------------------------|---------|
| SLE-10-SP3:Update:Test     | #134884 |
| SLE-11:Update              | #134879 |
| SLE-12:Update              | #134878 |
| openSUSE:Leap:42.2:NonFree | #505569 |
| openSUSE:Factory:NonFree   | #505244 |

Everything is done here, reassigning it back to the security-team.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-07-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63711
SUSE-SU-2017:1745-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1045315
CVE References: CVE-2012-6706
Sources used:
SUSE OpenStack Cloud 6 (src): unrar-5.0.14-3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): unrar-5.0.14-3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): unrar-5.0.14-3.1
SUSE Linux Enterprise Server for SAP 12 (src): unrar-5.0.14-3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): unrar-5.0.14-3.1
SUSE Linux Enterprise Server 12-SP2 (src): unrar-5.0.14-3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): unrar-5.0.14-3.1
SUSE Linux Enterprise Server 12-LTSS (src): unrar-5.0.14-3.1
SUSE Linux Enterprise Desktop 12-SP2 (src): unrar-5.0.14-3.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-07-10. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63746
SUSE-SU-2017:1760-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1045315
CVE References: CVE-2012-6706
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): unrar-3.80.2-4.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): unrar-3.80.2-4.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): unrar-3.80.2-4.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): unrar-3.80.2-4.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): unrar-3.80.2-4.1
released
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-03-28. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63991
SUSE-SU-2018:0809-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1045315,1049423,1052449,1082858,1083915
CVE References: CVE-2012-6706,CVE-2017-11423,CVE-2017-6419,CVE-2018-0202,CVE-2018-1000085
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): clamav-0.99.4-33.9.1
SUSE Linux Enterprise Server 12-SP3 (src): clamav-0.99.4-33.9.1
SUSE Linux Enterprise Server 12-SP2 (src): clamav-0.99.4-33.9.1
SUSE Linux Enterprise Desktop 12-SP3 (src): clamav-0.99.4-33.9.1
SUSE Linux Enterprise Desktop 12-SP2 (src): clamav-0.99.4-33.9.1
openSUSE-SU-2018:0825-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1045315,1049423,1052449,1082858,1083915
CVE References: CVE-2012-6706,CVE-2017-11423,CVE-2017-6419,CVE-2018-0202,CVE-2018-1000085
Sources used:
openSUSE Leap 42.3 (src): clamav-0.99.4-23.1
SUSE-SU-2018:0863-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1045315,1049423,1052449,1082858,1083915
CVE References: CVE-2012-6706,CVE-2017-11423,CVE-2017-6419,CVE-2018-0202,CVE-2018-1000085
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): clamav-0.99.4-0.20.7.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src): clamav-0.99.4-0.20.7.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src): clamav-0.99.4-0.20.7.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): clamav-0.99.4-0.20.7.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): clamav-0.99.4-0.20.7.2