nus-apr / CrashRepair

Security Vulnerability Repair via Concolic Execution and Code Mutations

libtiff/REDTEAM-CVE-2017-17095 and REDTEAM-CVE-2018-18557: Unable to generate crash free constraint #168

Open ChrisTimperley opened 1 year ago

ChrisTimperley commented 1 year ago

REDTEAM-CVE-2018-18557:

                [warning] Unknown Crash Reason: jbg_dec_init

                [error] unknown crash type: None
        Analysis Failed
        Unable to generate crash free constraint
        Runtime Error
        Error. Exiting...

REDTEAM-CVE-2017-17095:

                [warning] Unknown Crash Reason: jpeg_std_error

                [error] unknown crash type: None
        Analysis Failed
        Unable to generate crash free constraint
        Runtime Error
        Error. Exiting...

rshariffdeen commented 1 year ago

CVE-2018-18557 fixed in 89b9217

rshariffdeen commented 1 year ago

fixed the reported issue of CVE-2017-17095 in 49c17d4

ChrisTimperley commented 1 year ago

@rshariffdeen CVE-2017-17095 still fails on the latest commit:

                extracting instruction trace
                        [note] program did not crash
                        [note]: the program did not crash

Run time statistics:
-----------------------

        Startup: 0.000 minutes
        Build: 0 minutes
        Concrete Analysis: 0 minutes
        Concolic Analysis: 0 minutes
        Total Analysis: 0 minutes
        Localization: 0 minutes

CRepair finished successfully after 11.008 minutes 

FATAL ERROR: analysis failed: no localization file was produced
root@83fdcfeaa13d:/data/vulnloc/libtiff/REDTEAM-CVE-2017-17095# 

rshariffdeen commented 1 year ago

The reported issue is fixed for REDTEAM-CVE-2017-17095, which was missing a link to the libjpeg library; this is fixed. However, the exploit trace includes the use of longjmp, which is not supported by KLEE, hence this bug cannot be reproduced using KLEE.

ChrisTimperley commented 1 year ago

Any updates on REDTEAM-CVE-2018-18557?

rshariffdeen commented 1 year ago

It was already fixed in 89b9217. I updated the analysis to generate fix constraints with call expressions in ae2eb5d; however, the linter is not parsing it. You will have to update the parser?