Closed pjlantz closed 4 years ago
Patrick,
Thank you for the vuln report! I'll push "pause" on the release I'm working on and check this bug. @mskucherawy will as well.
This issue appears to have been assigned CVE-2020-12460.
Upgrading to a CVE tag.
On Tue, Jul 28, 2020 at 2:11 PM carnil notifications@github.com wrote:
> This issue appears to have been assigned CVE-2020-12460.
I believe this is resolved by 50d28af25d8735504b6103537228ce7f76ad765f, which is on the "develop" branch.
Hello, I would like to get the fix for this into Debian.
I need to reproduce and test the fix, so if anyone already has a quick reproduction program, that would make the job much easier. Thank you.
edit: I see now that just creating a C program that calls `opendmarc_xml_parse` with the poc.xml file above is enough to trigger the bug.
There is a memory corruption vulnerability in `opendmarc_xml()` of libopendmarc during parsing of DMARC aggregate reports. The versions affected by this seem to be OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1.

The root cause is improper null termination. The function `opendmarc_xml_parse()` does not explicitly add a null terminator (`'\0'`) to the buffer holding the XML data after reading the contents from a report file. This can cause an off-by-one error in `opendmarc_xml()` in certain cases depending on the report file, resulting in a one-byte heap overflow.

A null byte write occurs during the parsing at opendmarc_xml.c:171, `*sp = '\0'`. Eventually, during parsing of a specially crafted report, this null byte will overflow to the next chunk on the heap, overwriting the heap metadata, as indicated by the following valgrind output.

The size field and the least significant bits used as flags are overwritten in the metadata. The relevant flag for this vulnerability is the bit indicating 'previous chunk in use', known as PREV_INUSE, which will be set to zero and determines if the previous chunk (storing `bufp`) is free. When the buffer is later free'd at opendmarc_xml.c:616, `(void) free(bufp)`, a crash occurs as `bufp` is listed as not used.

A remote attacker could provide a specially crafted report that is parsed by this library, causing a denial of service. It could possibly lead to code execution depending on how libopendmarc is used and integrated into the application, in particular if the `opendmarc_xml` function is used explicitly without calling `opendmarc_xml_parse` and with input that is not null-terminated.
A DMARC aggregate report that triggers this vulnerability can be generated using the following commands:
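Separately from the report-generation commands mentioned above, the block below is an added example (not OpenDMARC code and not the reporter's) showing the defensive side of the root cause described in the report: a file is read into a buffer that gets an explicit terminator, a precondition check confirms a terminator exists before a buffer is handed to a function that assumes one, and a tag scanner is bounded by the buffer length rather than trusting a `'\0'`. All function names are hypothetical, and the inputs in the comments are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenDMARC code. Function names are hypothetical. */

/* Copy `len` bytes into a fresh buffer that is always NUL-terminated.
 * This is the step the report describes as missing: the buffer is sized
 * len + 1 and buf[len] is set to '\0', so a scanner that stops on '\0'
 * cannot run past the allocation. The caller frees the result. */
char *copy_terminated(const unsigned char *data, size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, len);
    buf[len] = '\0';
    return buf;
}

/* Read an entire stream (for example a report file) the same way, always
 * terminating the result. *out_len receives the byte count without the
 * terminator. The caller frees the result. */
char *read_stream_terminated(FILE *fp, size_t *out_len)
{
    size_t cap = 4096, len = 0;
    char *buf = malloc(cap + 1);
    if (buf == NULL)
        return NULL;
    for (;;) {
        size_t n = fread(buf + len, 1, cap - len, fp);
        len += n;
        if (len < cap)
            break;                      /* short read: EOF or error */
        char *grown = realloc(buf, cap * 2 + 1);
        if (grown == NULL) { free(buf); return NULL; }
        buf = grown;
        cap *= 2;
    }
    buf[len] = '\0';
    *out_len = len;
    return buf;
}

/* Precondition check before handing a buffer to any function that assumes
 * a terminated string: returns 1 only if a '\0' exists within cap bytes. */
int is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Count complete "<...>" tags in xml[0..len). The scan is bounded by len,
 * so input without a terminator can neither be read nor written past its
 * end. Returns -1 when a '<' has no matching '>' before the buffer ends,
 * the situation in which a scanner that only stops on '\0' would keep
 * going into whatever follows the buffer. */
int count_tags(const char *xml, size_t len)
{
    int tags = 0;
    size_t i = 0;
    while (i < len) {
        if (xml[i] != '<') { i++; continue; }
        size_t j = i + 1;
        while (j < len && xml[j] != '>')
            j++;
        if (j == len)
            return -1;                  /* unterminated tag: stop, write nothing */
        tags++;
        i = j + 1;
    }
    return tags;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s report.xml\n", argv[0]);
        return 2;
    }
    FILE *fp = fopen(argv[1], "rb");
    if (fp == NULL) { perror("fopen"); return 1; }
    size_t len = 0;
    char *xml = read_stream_terminated(fp, &len);
    fclose(fp);
    if (xml == NULL) return 1;
    printf("%zu bytes, terminated=%d, tags=%d\n",
           len, is_terminated(xml, len + 1), count_tags(xml, len));
    free(xml);
    return 0;
}
```

Run it on any aggregate report file to see the bounded scan in action; `count_tags` returning -1 on a file that ends mid-tag is the case where an unbounded scanner would have overrun, and `is_terminated` is the check to apply before calling a parser entry point that expects a C string.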