Bug 661160 (CVE-2018-11737, CVE-2018-11738, CVE-2018-11739, CVE-2018-11740, CVE-2018-19497) - <app-forensics/sleuthkit-4.6.5: Multiple vulnerabilities
Summary: <app-forensics/sleuthkit-4.6.5: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-11737, CVE-2018-11738, CVE-2018-11739, CVE-2018-11740, CVE-2018-19497
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2019-14531, CVE-2019-14532, CVE-2020-10232, CVE-2020-10233 721154
Blocks:
Reported: 2018-07-14 16:50 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-18 02:47 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2018-07-14 16:50:08 UTC
CVE-2018-11740 (https://nvd.nist.gov/vuln/detail/CVE-2018-11740):
  An issue was discovered in libtskbase.a in The Sleuth Kit (TSK) from release
  4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found
  in the function tsk_UTF16toUTF8 in tsk/base/tsk_unicode.c which could be
  leveraged by an attacker to disclose information or manipulated to read from
  unmapped memory causing a denial of service attack.

CVE-2018-11739 (https://nvd.nist.gov/vuln/detail/CVE-2018-11739):
  An issue was discovered in libtskimg.a in The Sleuth Kit (TSK) from release
  4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found
  in the function raw_read in tsk/img/raw.c which could be leveraged by an
  attacker to disclose information or manipulated to read from unmapped memory
  causing a denial of service attack.

CVE-2018-11738 (https://nvd.nist.gov/vuln/detail/CVE-2018-11738):
  An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from release
  4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found
  in the function ntfs_make_data_run in tsk/fs/ntfs.c which could be leveraged
  by an attacker to disclose information or manipulated to read from unmapped
  memory causing a denial of service attack.

CVE-2018-11737 (https://nvd.nist.gov/vuln/detail/CVE-2018-11737):
  An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from release
  4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found
  in the function ntfs_fix_idxrec in tsk/fs/ntfs_dent.cpp which could be
  leveraged by an attacker to disclose information or manipulated to read from
  unmapped memory causing a denial of service.
Comment 1 D'juan McDonald (domhnall) 2018-07-14 17:51:20 UTC
Bugs Fixed in 4.7 Release: http://www.sleuthkit.org/autopsy/history.php


>Memory leaks and other issues revealed by fuzzing The Sleuth Kit have been fixed.

>Result views (upper right) and content views (lower right) stay in synch when switching result views.

>Concurrency bugs in the ingest tasks scheduler have been fixed.

>Assorted small bug fixes are included.
Comment 2 Göktürk Yüksek archtester gentoo-dev 2018-07-17 22:43:45 UTC
(In reply to D'juan McDonald (domhnall) from comment #1)
> Bugs Fixed in 4.7 Release: http://www.sleuthkit.org/autopsy/history.php
> 
> 

That link is for Autopsy, not TSK. I don't see a version 4.7.0 for TSK. Moreover, I see no activity on the GitHub issue links. Can you double check please?
Comment 3 D'juan McDonald (domhnall) 2018-07-18 18:01:12 UTC
(In reply to Göktürk Yüksek from comment #2)
> Can you double check please?

Just did and you're right. Was in a hurry and overlooked the TSK version. No changes upstream since then. Thanks
Comment 4 D'juan McDonald (domhnall) 2018-10-31 07:24:07 UTC
Update: sleuthkit-4.6.3 now available. No fixes mentioned in changelogs wrt listed CVE. Upstream tickets 1264, 1265, 1266, 1267 are still open with no activity since initial report.

Changelog/NEWS.txt: Sleuthkit-4.6.3
"
https://github.com/sleuthkit/sleuthkit/blob/sleuthkit-4.6.3/NEWS.txt

--------------- VERSION 4.6.3 --------------
C/C++ Code:
- Hashdb bug fixes for corrupt indexes and 0 hashes
- New code for testing power of number in ExtX code

Java Code: 
- New class that allows generic database access
- New methods that check for duplicate artifacts
- Added caches for frequently used content 

Database Schema: 
- Added Examiner table 
- Tags are now associated with Examiners
- Changed parent_path for logical files to be consistent with FS files.

"

Upstream:
CVE-2018-11740 (https://github.com/sleuthkit/sleuthkit/issues/1264):
> in the function tsk_UTF16toUTF8 in tsk/base/tsk_unicode.c

CVE-2018-11739 (https://github.com/sleuthkit/sleuthkit/issues/1267):
> in the function raw_read in tsk/img/raw.c

CVE-2018-11738 (https://github.com/sleuthkit/sleuthkit/issues/1265):
> in the function ntfs_make_data_run in tsk/fs/ntfs.c

CVE-2018-11737 (https://github.com/sleuthkit/sleuthkit/issues/1266):
> in the function ntfs_fix_idxrec in tsk/fs/ntfs_dent.cpp


Gentoo Security Padawan
(domhnall/mbailey_j)
Comment 5 Göktürk Yüksek archtester gentoo-dev 2018-11-29 03:00:41 UTC
I just bumped sleuthkit to 4.6.4 (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e848842de5bfddc72ef014c13d97b62801b5b6fd). However, there's already a vulnerability bug open for this release (https://github.com/sleuthkit/sleuthkit/pull/1374). Allegedly it's CVE-2018-19497 but MITRE disagrees. We should keep an eye on it.
Comment 6 Larry the Git Cow gentoo-dev 2018-11-29 18:08:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=117cb1fe33767577c267e12a721e7d47781edd85

commit 117cb1fe33767577c267e12a721e7d47781edd85
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2018-11-29 18:07:42 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2018-11-29 18:07:42 +0000

    app-forensics/sleuthkit: backport fix for CVE-2018-19497 to 4.6.4
    
    Bug: https://bugs.gentoo.org/661160
    Bug: https://github.com/sleuthkit/sleuthkit/pull/1374
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 .../sleuthkit-4.6.4-CVE-2018-19497-backport.patch  | 83 ++++++++++++++++++++++
 ...hkit-4.6.4.ebuild => sleuthkit-4.6.4-r1.ebuild} |  1 +
 2 files changed, 84 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2019-01-24 20:18:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e26009a67724d3af2dbdaae47d1dcf2288c5539

commit 3e26009a67724d3af2dbdaae47d1dcf2288c5539
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-01-24 19:44:24 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-01-24 20:17:39 +0000

    app-forensics/sleuthkit: bump to 4.6.5
    
    Also addresses CVE-2018-19497.
    
    Bug: https://bugs.gentoo.org/661160
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-forensics/sleuthkit/Manifest               |   1 +
 app-forensics/sleuthkit/sleuthkit-4.6.5.ebuild | 255 +++++++++++++++++++++++++
 2 files changed, 256 insertions(+)
Comment 8 Sam James archtester gentoo-dev Security 2020-03-19 03:54:43 UTC
@maintainer(s), ok to cleanup please?
Comment 9 Sam James archtester gentoo-dev Security 2020-05-04 15:58:31 UTC
(In reply to Sam James (sec padawan) from comment #8)
> @maintainer(s), ok to cleanup please?

Uh. Stable.
Comment 10 Sam James archtester gentoo-dev Security 2020-06-10 21:50:04 UTC
@maintainer(s), please cleanup
Comment 11 Larry the Git Cow gentoo-dev 2020-06-18 02:46:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35a65cf8e9d105ff217d35c4ea0ba6f52b6ba74c

commit 35a65cf8e9d105ff217d35c4ea0ba6f52b6ba74c
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-18 02:45:51 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-18 02:45:51 +0000

    app-forensics/sleuthkit: drop vulnerable
    
    Bug: https://bugs.gentoo.org/661160
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-forensics/sleuthkit/Manifest               |   1 -
 app-forensics/sleuthkit/sleuthkit-4.5.0.ebuild | 169 -------------------------
 2 files changed, 170 deletions(-)