
Bug 711818 (CVE-2019-11371)

Summary: sci-biology/bwa: Buffer overflow (long prefix) in bns_fasta2bntseq, bns_dump (CVE-2019-11371)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: trivial
CC: ajak, sci-biology
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/lh3/bwa/issues/239
Whiteboard: ~3 [upstream/ebuild cve]
Package list:
Runtime testing required: ---
Attachments:
fix-buffer-overflows.patch (flags: none)

Description (Sam James, 2020-03-07 20:42:28 UTC)
Description:
"BWA (aka Burrow-Wheeler Aligner) 0.7.17 r1198 has a Buffer Overflow via a long prefix that is mishandled in bns_fasta2bntseq and bns_dump at btnseq.c."

Based on discussions at URL (the PR), it looks like it'd be trivial to generate a patch. I'll try to attach one if I get a chance, but I don't use BWA, so it'd still need testing.
Comment 1 (John Helmert III, 2020-06-26 05:34:38 UTC)
Created attachment 646462
fix-buffer-overflows.patch

PoC:

bwa-0.7.16a $ ./bwa fa2pac -f bwa `python -c "print('a'*1020)"`
*** buffer overflow detected ***: terminated
[1]    3619877 abort (core dumped)  ./bwa fa2pac -f bwa `python -c "print('a'*1020)"`

With my patch:

bwa-0.7.16a $ ./bwa fa2pac -f bwa `python -c "print('a'*1020)"`
[bns_fasta2bntseq] fail to open file '[lots of a's].pa' : File name too long

Hunk #4 comes from an upstream commit to fix another buffer overflow: https://github.com/lh3/bwa/commit/20d0a13092aa4cb73230492b05f9697d5ef0b88e

I was only able to reach the buffer overflow in bns_fasta2bntseq when testing locally because fopen fails if the filename is longer than PATH_MAX and the program exits before reaching the other vulnerable strcpy calls. I fixed them anyway, just in case. Like Sam, I don't use this program so more testing would be prudent.
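The pattern behind the PoC above, as an added example that is not code from bwa or from the attached patch: a fixed-size stack buffer filled by an unchecked strcpy of the user-supplied prefix followed by an unchecked strcat of a suffix such as ".pac". The 1024-byte buffer size is an assumption here, chosen because it matches the PoC arithmetic (1020 bytes of prefix plus ".pac" plus the terminating NUL is 1025 bytes). All function names are hypothetical. The hardened variants either reject a prefix that will not fit, reporting ENAMETOOLONG the same way the fopen error path in the patched build does, or size the buffer to the input instead of the other way round.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed name buffer; consistent with the 1020-byte PoC. */
#define NAME_BUF 1024

/* Vulnerable pattern (illustrative, not bwa's source): unbounded copy of the
 * prefix into a fixed buffer, then an unbounded append of the suffix. With a
 * 1020-byte prefix and ".pac" the NUL terminator is written at index 1024, one
 * byte past the end of a NAME_BUF-sized buffer, which is exactly what the
 * "*** buffer overflow detected ***" abort in the PoC reports. */
static void make_name_unsafe(char *out, const char *prefix, const char *suffix)
{
    strcpy(out, prefix);   /* no length check */
    strcat(out, suffix);   /* no length check */
}

/* Hardened variant: refuse anything that does not fit, terminator included.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG if it would not fit. */
static int make_name_safe(char *out, size_t out_len,
                          const char *prefix, const char *suffix)
{
    size_t need = strlen(prefix) + strlen(suffix) + 1;
    if (need > out_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int n = snprintf(out, out_len, "%s%s", prefix, suffix);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Alternative: size the buffer to the input. Caller frees the result. */
static char *make_name_alloc(const char *prefix, const char *suffix)
{
    size_t plen = strlen(prefix), slen = strlen(suffix);
    char *s = malloc(plen + slen + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, prefix, plen);
    memcpy(s + plen, suffix, slen + 1);   /* copies the NUL too */
    return s;
}

/* The PoC's arithmetic: does a prefix of prefix_len bytes plus suffix fit in
 * NAME_BUF? 1020 + ".pac" does not (1025 > 1024); 1019 + ".pac" just does. */
static int prefix_fits(size_t prefix_len, const char *suffix)
{
    return prefix_len + strlen(suffix) + 1 <= NAME_BUF;
}

/* Constructed input: the PoC's prefix, n bytes of 'a'. Caller frees. */
static char *make_prefix(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'a', n);
    p[n] = '\0';
    return p;
}

/* 1 if make_name_safe refuses the 1020-byte PoC prefix with ENAMETOOLONG. */
static int long_prefix_refused(void)
{
    char buf[NAME_BUF];
    char *p = make_prefix(1020);
    if (p == NULL)
        return 0;
    errno = 0;
    int rc = make_name_safe(buf, sizeof buf, p, ".pac");
    int refused = (rc == -1 && errno == ENAMETOOLONG);
    free(p);
    return refused;
}

/* 1 if a short prefix still produces the expected "ref.pac". */
static int short_prefix_name_ok(void)
{
    char buf[NAME_BUF];
    return make_name_safe(buf, sizeof buf, "ref", ".pac") == 0 &&
           strcmp(buf, "ref.pac") == 0;
}

/* Length of the heap-sized name for a prefix of prefix_len bytes, or 0 on OOM. */
static size_t alloc_name_len(size_t prefix_len, const char *suffix)
{
    char *p = make_prefix(prefix_len);
    if (p == NULL)
        return 0;
    char *name = make_name_alloc(p, suffix);
    size_t len = name ? strlen(name) : 0;
    free(name);
    free(p);
    return len;
}

int main(void)
{
    char buf[NAME_BUF];
    make_name_unsafe(buf, "ref", ".pac");   /* benign only because the input is short */
    printf("unsafe, short prefix: %s\n", buf);
    printf("safe, short prefix ok: %d\n", short_prefix_name_ok());
    printf("safe, 1020-byte prefix refused: %d\n", long_prefix_refused());
    printf("heap-sized name for 1020-byte prefix: %zu bytes\n",
           alloc_name_len(1020, ".pac"));
    /* make_name_unsafe with the 1020-byte prefix is deliberately never called:
     * it would overflow buf exactly as the PoC above does. */
    return 0;
}
```

The check in make_name_safe is the one a reviewer would want in bns_fasta2bntseq and bns_dump: it fails closed before any write, so the fact that fopen happens to reject names longer than PATH_MAX is no longer what stands between a long prefix and the stack.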