Bug 711818 (CVE-2019-11371) - sci-biology/bwa: Buffer overflow (long prefix) in bns_fasta2bntseq, bns_dump (CVE-2019-11371)
Summary: sci-biology/bwa: Buffer overflow (long prefix) in bns_fasta2bntseq, bns_dump ...
Status: IN_PROGRESS
Alias: CVE-2019-11371
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/lh3/bwa/issues/239
Whiteboard: ~3 [upstream/ebuild cve]
Reported: 2020-03-07 20:42 UTC by Sam James
Modified: 2020-06-29 00:12 UTC (History)

Runtime testing required: ---


Attachments
fix-buffer-overflows.patch (2.51 KB, patch)
2020-06-26 05:34 UTC, John Helmert III

Description Sam James archtester gentoo-dev Security 2020-03-07 20:42:28 UTC
Description:
"BWA (aka Burrows-Wheeler Aligner) 0.7.17 r1198 has a Buffer Overflow via a long prefix that is mishandled in bns_fasta2bntseq and bns_dump at bntseq.c."

Based on discussions at URL (the PR), it looks like it'd be trivial to generate a patch. I'll try to attach one if I get a chance, but I don't use BWA, so it'd still need testing.
Comment 1 John Helmert III gentoo-dev Security 2020-06-26 05:34:38 UTC
Created attachment 646462
fix-buffer-overflows.patch

PoC:

bwa-0.7.16a $ ./bwa fa2pac -f bwa `python -c "print('a'*1020)"`
*** buffer overflow detected ***: terminated
[1]    3619877 abort (core dumped)  ./bwa fa2pac -f bwa `python -c "print('a'*1020)"`

With my patch:

bwa-0.7.16a $ ./bwa fa2pac -f bwa `python -c "print('a'*1020)"`
[bns_fasta2bntseq] fail to open file '[lots of a's].pa' : File name too long

Hunk #4 comes from an upstream commit to fix another buffer overflow: https://github.com/lh3/bwa/commit/20d0a13092aa4cb73230492b05f9697d5ef0b88e

I was only able to reach the buffer overflow in bns_fasta2bntseq when testing locally because fopen fails if the filename is longer than PATH_MAX and the program exits before reaching the other vulnerable strcpy calls. I fixed them anyway, just in case. Like Sam, I don't use this program so more testing would be prudent.
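Added here as a defender's illustration, not bwa's code and not the attached patch: the length arithmetic behind the PoC (a fixed name buffer filled by strcpy/strcat of prefix plus extension), beside a bounds-checked name builder that refuses the over-long prefix with ENAMETOOLONG before anything is copied, the same failure the patched binary reports from fopen. NAME_BUF, the function names and the 1024-byte size are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Constructed illustration of the bug class, not bwa's code: the buffer size
 * is an assumption chosen so the PoC's 1020-byte prefix no longer fits. */
#define NAME_BUF 1024

/* Length arithmetic for strcpy(prefix)+strcat(suffix) into NAME_BUF bytes, NUL included; the overflow itself is never exercised. */
int would_overflow(const char *prefix, const char *suffix)
{
    return strlen(prefix) + strlen(suffix) + 1 > NAME_BUF;
}

/* Hardened builder: writes "<prefix><suffix>" only if it fits in outsz bytes,
 * else sets errno = ENAMETOOLONG and returns -1 before anything is copied. */
int build_name(char *out, size_t outsz, const char *prefix, const char *suffix)
{
    int n = snprintf(out, outsz, "%s%s", prefix, suffix);
    if (n < 0 || (size_t)n >= outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Same prefix as the PoC: 1020 'a' characters (buf must hold 1021 bytes). */
static void poc_prefix(char *buf)
{
    memset(buf, 'a', 1020);
    buf[1020] = '\0';
}

/* 1020 + strlen(".pac") + NUL = 1025 bytes: does not fit in NAME_BUF. */
int poc_prefix_overflows(void)
{
    char prefix[1021];
    poc_prefix(prefix);
    return would_overflow(prefix, ".pac");
}

/* Returns 1 when "ref" builds "ref.pac" and the PoC prefix is refused with ENAMETOOLONG. */
int hardened_self_check(void)
{
    char name[NAME_BUF], prefix[1021];
    poc_prefix(prefix);
    if (build_name(name, sizeof name, "ref", ".pac") != 0 || strcmp(name, "ref.pac") != 0) return 0;
    if (build_name(name, sizeof name, prefix, ".pac") != -1) return 0;
    return errno == ENAMETOOLONG;
}
```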