Advisory from securesoftware@list.cr.yp.to:

Date: 15 Dec 2004 08:29:07 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
Subject: [remote] [control] o3read 0.0.3 parse_html overflows t buffer
To: securesoftware@list.cr.yp.to, o3read@siag.nu
X-HELOcheck: OK: FQDN
Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Mail-Followup-To: securesoftware@list.cr.yp.to, o3read@siag.nu
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.

Wiktor Kopec, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in o3read, a converter for SXW files. I'm publishing this notice, but all the discovery credits should be assigned to Kopec.

You are at risk if you take an SXW document from an email message (or a web page or any other source that could be controlled by an attacker) and feed it through o3read. (The o3read documentation does not tell users to avoid taking input from the network.) Whoever provides that document then has complete control over your account: he can read and modify your files, watch the programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, type

    wget ftp://siag.nu/pub/o3read/o3read-0.0.3.tar.gz
    gunzip < o3read-0.0.3.tar.gz | tar -xf -
    cd o3read-0.0.3
    make

to download and compile the o3read program, version 0.0.3 (current). Then save the file 58.xml attached to this message, and type

    ./o3read < 58.xml

with the unauthorized result that a file named x is removed from the current directory. (I tested this with a 535-byte environment, as reported by printenv | wc -c.)

Here's the bug: In o3read.c, parse_html copies any number of bytes into a 1024-byte t[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Created attachment 46030: 58.xml from advisory
======================================================
Candidate: CAN-2004-1288
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1288
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/o3read.txt

Buffer overflow in the parse_html function in o3read.c for o3read 0.0.3 allows remote attackers to execute arbitrary code via a crafted SXW file.
======================================================
Upstream looks dead. 0.0.3 version was released 26-Nov-2002. Looks like a good candidate for security masking. Jon: please let us know if you think you can fix it or if you prefer that we mask it.
Download location is dead, it survives because it's been mirrored by us. avenj did not answer, requesting a mask here too.
package masked by request of koon/security team.
Download location is now apparently up. Version 0.0.4 released. Only ChangeLog notice is this:

    050107 Added range check to parse_html().

Apart from a few comments and some extra stuff in the Makefile, this is the only change. An ebuild version bump compiles and installs correctly, but I couldn't verify that the proof of concept code didn't work any more (couldn't get it to work in the first place, since it's apparently BSD shell-code and I'm using Linux).
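The advisory describes the bug as parse_html copying any number of bytes into a 1024-byte t[] array, and the 0.0.4 ChangeLog quoted in the comment above says only that a range check was added. The C program below is an added illustration of that bug class and of the kind of check that closes it; it is not o3read's code, and the tag-skipping loop, the function names, the constructed `<p>`-wrapped input and the returned counts are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same size as the t[] array named in the advisory. */
#define TSIZE 1024

/*
 * Hypothetical reconstruction of the bug class, not o3read's parse_html:
 * walk the input, skip anything inside <...> tags, and copy the text
 * between tags into t[]. Nothing bounds n, so an input with more than
 * TSIZE-1 bytes of text between tags writes past the end of t[]. It is
 * kept only to contrast with the checked version and is exercised here
 * solely on short, constructed input.
 */
static size_t parse_html_unchecked(const char *in, char *t)
{
    size_t n = 0;
    int in_tag = 0;
    for (; *in; in++) {
        if (*in == '<')      in_tag = 1;
        else if (*in == '>') in_tag = 0;
        else if (!in_tag)    t[n++] = *in;   /* no bound on n */
    }
    t[n] = '\0';
    return n;
}

/*
 * Checked version: the shape of range check the ChangeLog line suggests
 * (assumed; the real 0.0.4 patch is not on the page). It copies at most
 * tsize-1 bytes, always NUL-terminates t, and returns how many text bytes
 * were dropped so the caller can tell that truncation happened instead of
 * silently processing a cut-off document.
 */
static size_t parse_html_checked(const char *in, char *t, size_t tsize)
{
    size_t n = 0, dropped = 0;
    int in_tag = 0;
    for (; *in; in++) {
        if (*in == '<')      in_tag = 1;
        else if (*in == '>') in_tag = 0;
        else if (!in_tag) {
            if (n + 1 < tsize) t[n++] = *in;   /* leave room for the NUL */
            else               dropped++;
        }
    }
    if (tsize) t[n] = '\0';
    return dropped;
}

/* Constructed input: "<p>" followed by textlen 'A' bytes and "</p>". */
static char *make_input(size_t textlen)
{
    char *buf = malloc(textlen + 8);          /* 3 + textlen + 4 + NUL */
    if (!buf) return NULL;
    memcpy(buf, "<p>", 3);
    memset(buf + 3, 'A', textlen);
    memcpy(buf + 3 + textlen, "</p>", 5);     /* copies the NUL too */
    return buf;
}

/* Bytes of text the checked parser dropped for a textlen-byte document. */
size_t checked_dropped(size_t textlen)
{
    char t[TSIZE];
    char *in = make_input(textlen);
    size_t dropped = in ? parse_html_checked(in, t, sizeof t) : 0;
    free(in);
    return dropped;
}

/* Bytes of text the checked parser actually stored in t[]. */
size_t checked_written(size_t textlen)
{
    char t[TSIZE];
    char *in = make_input(textlen);
    size_t n = 0;
    if (in) { parse_html_checked(in, t, sizeof t); n = strlen(t); }
    free(in);
    return n;
}

/* For text that fits, both parsers must agree; only valid for textlen < TSIZE. */
int same_for_short_input(size_t textlen)
{
    char a[TSIZE], b[TSIZE];
    char *in;
    int same;
    if (textlen >= TSIZE) return 0;
    in = make_input(textlen);
    if (!in) return 0;
    parse_html_unchecked(in, a);
    parse_html_checked(in, b, sizeof b);
    same = strcmp(a, b) == 0 && strlen(a) == textlen;
    free(in);
    return same;
}

int main(void)
{
    printf("3000 text bytes: %zu stored, %zu dropped\n",
           checked_written(3000), checked_dropped(3000));
    return 0;
}
```

The point of returning the dropped count rather than just clamping is that a converter fed an oversized document should be able to report the truncation; a silent clamp fixes the memory-safety hole but can still produce a misleading output file.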
Thanks Peter, did not notice that. avenj: care to bump?
Sorry about the delayed response; I get a very large quantity of mail from Bugzilla, and it's easy for things to get lost. I've committed o3read 0.0.4. This app is extremely trivial, and as such 0.0.4 has been committed directly to stable.
Thanks Jon, ready for a GLSA. Package should be unmasked before sending.
Removed the mask.
GLSA 200501-20