Bug 628502 - <dev-libs/libmirage-3.0.4: NULL pointer dereference in mirage_stream_get_filename (stream.c)
Summary: <dev-libs/libmirage-3.0.4: NULL pointer dereference in mirage_stream_get_file...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-21 13:39 UTC by Agostino Sarubbo
Modified: 2017-09-04 18:55 UTC

See Also:
Package list:
app-cdr/cdemu-3.1.0 app-cdr/cdemu-daemon-3.1.0 app-cdr/gcdemu-3.1.0 app-cdr/mirage2iso-0.4.2 dev-libs/libmirage-3.1.0 sys-fs/vhba-20170610
Runtime testing required: Yes
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-08-21 13:39:19 UTC
From ${URL} :

There is a NULL pointer dereference in libmirage when handling a .dmg/.isz file.
The bug was found via mirage2iso (https://github.com/mgorny/mirage2iso), which uses libmirage to convert various CD/DVD image formats into .iso.
The bug was initially spotted by Michał Górny, so the credit goes to him.

I hit the bug too and I'm pointing out the security implication. The complete ASan output of the issue:

# mirage2iso $FILE out.iso
==22879==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9c67f5dde9 bp 0x7f9c5e533e26 sp 0x7ffeb47ffe20 T0)
==22879==The signal is caused by a READ memory access.
==22879==Hint: address points to the zero page.
    #0 0x7f9c67f5dde8 in mirage_stream_get_filename /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/stream.c:61
    #1 0x7f9c5e5306c8 in mirage_filter_stream_dmg_open_streams /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/filters/filter-dmg/filter-stream.c:603
    #2 0x7f9c5e5306c8 in mirage_filter_stream_dmg_open /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/filters/filter-dmg/filter-stream.c:719
    #3 0x7f9c67f5726c in mirage_filter_stream_open /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/filter-stream.c:209
    #4 0x7f9c67f53aa5 in mirage_context_create_input_stream /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/context.c:471
    #5 0x7f9c67f53bea in mirage_context_load_image /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/context.c:359
    #6 0x50d6ca in miragewrap_open /var/tmp/portage/app-cdr/mirage2iso-0.4.2/work/mirage2iso-0.4.2/src/mirage-wrapper.c:87:9
    #7 0x50a3cb in main /var/tmp/portage/app-cdr/mirage2iso-0.4.2/work/mirage2iso-0.4.2/src/mirage2iso.c:281:7
    #8 0x7f9c66e38680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #9 0x41ab98 in _start (/usr/bin/mirage2iso+0x41ab98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/dev-libs/libmirage-3.0.4/work/libmirage-3.0.4/mirage/stream.c:61 in mirage_stream_get_filename
==22879==ABORTING

Testcase:
https://github.com/mgorny/mirage2iso/blob/master/tests/21_hdiutil_ulfo.dmg

Upstream bug report:
https://sourceforge.net/p/cdemu/bugs/105/

Upstream commit:
https://sourceforge.net/p/cdemu/code/ci/d874b3b1bc86b94b1f323d7df9e665279fb966cb/

A CVE request was not requested.

-- 
Agostino Sarubbo
Gentoo Linux Developer


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
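The trace above shows a filter's open routine handing a NULL stream object to a getter that reads through it (the READ of address 0 at stream.c:61). Below is a constructed C model of that crash pattern next to the hardened form, added here for illustration; it is not libmirage's or mirage2iso's code, and the type, function names and the failing filename are assumptions.

```c
/* Constructed model of the reported crash pattern (not libmirage code):
 * a filter opens an input stream that can fail, then calls a getter on the
 * result. Without a check the getter dereferences NULL (address 0). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *filename; } Stream;

/* Hypothetical stream opener; "missing.part" is a constructed failing name. */
static Stream *stream_open(const char *name, Stream *storage) {
    if (strcmp(name, "missing.part") == 0)
        return NULL;                 /* underlying open failed */
    storage->filename = name;
    return storage;
}

/* Crashing form: trusts the caller and reads through whatever it is handed. */
static const char *stream_get_filename_unguarded(const Stream *s) {
    return s->filename;              /* s == NULL -> read of address 0 */
}

/* Hardened form: a NULL object is an error, not something to dereference. */
static const char *stream_get_filename(const Stream *s) {
    return s ? s->filename : NULL;
}

/* Filter open as reported: no check of the open result before the getter. */
int filter_open_streams_unguarded(const char *name, char *msg, size_t len) {
    Stream st;
    Stream *s = stream_open(name, &st);
    snprintf(msg, len, "opened %s", stream_get_filename_unguarded(s));
    return 0;
}

/* Hardened filter open: checks the open result and reports which input
 * failed instead of continuing. Returns 0 on success, -1 on failure. */
int filter_open_streams(const char *name, char *msg, size_t len) {
    Stream st;
    Stream *s = stream_open(name, &st);
    if (s == NULL) {
        snprintf(msg, len, "failed to open input stream '%s'", name);
        return -1;
    }
    snprintf(msg, len, "opened %s", stream_get_filename(s));
    return 0;
}
```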
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-08-21 15:28:52 UTC
Just to be clear, the issue was initially spotted by Yegor Timoshenko who submitted the additional test images for mirage2iso. I've merely debugged it a bit (to confirm it's not mirage2iso's fault) and passed it over to the upstream.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-08-22 07:23:48 UTC
Arch teams, please stabilize the libmirage set. A few notes:

a. cdemu-3.1.0 was accidentally committed with stable keywords. Since nobody has reported an issue for 2 months already, I suppose there's no point in dropping the keywords now and going back and forth on users. So please just confirm that it works fine for you.

b. mirage2iso is added to the set since it provides a number of tests for libmirage which original packages lack.

c. It would be nice to actually test cdemu, i.e.:

  modprobe vhba
  cdemu load 0 some_image.iso
  mount /dev/srX /media/cdrom
  # check if /media/cdrom is fine

and the same via gcdemu tray icon.

If you need a quick set of test images, mirage2iso provides some [1].

[1]: https://github.com/mgorny/mirage2iso/tree/master/tests
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-09-04 15:17:33 UTC
amd64/x86 stable

@maintainer, please cleanup.
Comment 4 Larry the Git Cow gentoo-dev 2017-09-04 17:34:19 UTC
Bug has been referenced in the following commit:
    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2ad1f9edd3ed267547908158de203a0c5a241fd

    commit e2ad1f9edd3ed267547908158de203a0c5a241fd
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2017-09-04 17:29:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2017-09-04 17:33:55 +0000

    dev-libs/libmirage: Drop old (security cleanup)
    
    Bug: https://bugs.gentoo.org/628502

 dev-libs/libmirage/Manifest               |  2 --
 dev-libs/libmirage/libmirage-3.0.3.ebuild | 54 -------------------------------
 dev-libs/libmirage/libmirage-3.0.4.ebuild | 54 -------------------------------
 3 files changed, 110 deletions(-)
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-09-04 18:55:23 UTC
GLSA Vote: No

Thanks, Michał!