|Summary:||sci-biology/bwa: Buffer overflow (long prefix) in bns_fasta2bntseq, bns_dump (CVE-2019-11371)|
|Product:||Gentoo Security|
|Reporter:||Sam James <sam>|
|Component:||Vulnerabilities|
|Assignee:||Gentoo Security <security>|
|Whiteboard:||~3 [upstream/ebuild cve]|
|Package list:||
|Runtime testing required:||---|
Description Sam James 2020-03-07 20:42:28 UTC
Description: "BWA (aka Burrow-Wheeler Aligner) 0.7.17 r1198 has a Buffer Overflow via a long prefix that is mishandled in bns_fasta2bntseq and bns_dump at btnseq.c." Based on discussions at URL (the PR), it looks like it'd be trivial to generate a patch. I'll try to attach one if I get a chance, but I don't use BWA, so it'd still need testing.
Comment 1 John Helmert III 2020-06-26 05:34:38 UTC
Created attachment 646462 [details, diff]
fix-buffer-overflows.patch

PoC:

bwa-0.7.16a $ ./bwa fa2pac -f bwa `python -c "print('a'*1020)"`
*** buffer overflow detected ***: terminated
3619877 abort (core dumped)  ./bwa fa2pac -f bwa `python -c "print('a'*1020)"`

With my patch:

bwa-0.7.16a $ ./bwa fa2pac -f bwa `python -c "print('a'*1020)"`
[bns_fasta2bntseq] fail to open file '[lots of a's].pa' : File name too long

Hunk #4 comes from an upstream commit to fix another buffer overflow: https://github.com/lh3/bwa/commit/20d0a13092aa4cb73230492b05f9697d5ef0b88e

I was only able to reach the buffer overflow in bns_fasta2bntseq when testing locally because fopen fails if the filename is longer than PATH_MAX and the program exits before reaching the other vulnerable strcpy calls. I fixed them anyway, just in case. Like Sam, I don't use this program so more testing would be prudent.
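As an added illustration of the pattern the comments describe (this is not bwa's code and not the attached patch): an unchecked strcpy/strcat of a caller-supplied prefix into a fixed-size name buffer, next to a bounded snprintf version that rejects an over-long name instead of writing past the buffer. The 1024-byte buffer size, the function names and the 1020-character prefix are assumptions taken from the PoC in the comment above.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed name buffer; 1024 is an assumption modelled on the report,
 * where a 1020-byte prefix plus ".pac" (and the NUL) no longer fits. */
#define NAME_BUF 1024

/* The unsafe pattern is strcpy(str, prefix); strcat(str, suffix); into a
 * NAME_BUF-byte buffer. This helper never performs that write; it only reports
 * whether it would overrun, which is the check a reviewer wants to see first. */
int unsafe_would_overflow(size_t prefix_len, const char *suffix)
{
    return prefix_len + strlen(suffix) + 1 > NAME_BUF;
}

/* Hardened form: snprintf bounds the write, and a name that does not fit is
 * rejected with ENAMETOOLONG rather than silently truncated to another name. */
int build_name(char *out, size_t outsz, const char *prefix, const char *suffix)
{
    int n = snprintf(out, outsz, "%s%s", prefix, suffix);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Build "<prefix_len a's>.pac" via build_name: 0 on success, -1 when rejected. */
int demo_build(size_t prefix_len)
{
    char prefix[4096], name[NAME_BUF];
    if (prefix_len >= sizeof prefix) return -1;
    memset(prefix, 'a', prefix_len);          /* constructed input, as in the PoC */
    prefix[prefix_len] = '\0';
    return build_name(name, sizeof name, prefix, ".pac");
}

int main(void)
{
    size_t lens[] = { 1019, 1020 };           /* 1020 is the length the PoC uses */
    for (size_t i = 0; i < 2; i++)
        printf("prefix of %zu 'a's + \".pac\": unsafe copy %s, hardened build %s\n",
               lens[i], unsafe_would_overflow(lens[i], ".pac") ? "overruns" : "fits",
               demo_build(lens[i]) == 0 ? "ok" : "rejected (ENAMETOOLONG)");
    return 0;
}
```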