Skip to content

less out of bounds read access - TFPA 002/2014

An out of bounds read access in the UTF-8 decoding can be triggered with a malformed file in the tool less. The access happens in the function is_utf8_well_formed (charset.c, line 534) due to a truncated multibyte character in the sample file. It affects the latest upstream less version 470. The bug does not crash less, it can only be made visible by running less with valgrind or compiling it with Address Sanitizer. The security impact is likely minor as it is only an invalid read access.

This issue has been found with the help of Address Sanitizer.

The upstream developers have been informed about this issue on 4th November 2014, no fix is available yet. The less webpage has no bug tracker, no open mailing list and no other way to publicly report and document bugs.

Conclusion

Even tools that only do very minor file parsing can expose bugs due to charset encoding, especially in multibyte characters. Please note that the bigger security threat in less comes from the use of lesspipe.

It is unsettling that the upstream project of an important tool like less is completely unresponsive to bugs and has no public way to discuss them.

less out of bounds read sample with gif header
simpler sample with no header, only works when LESSOPEN is not set
OSVDB 115007 : less GIF File Handling Out-of-bounds Read Issue
Discussion of lesspipe security issues on oss-security
CVE-2014-9488

Update 2014-12-15: less released a new version 471 and this issue is not fixed.

Update 2015-03-10: Version 475 of less contains a fix for this issue. I never received any reply from the developers.

less doesn't have public release announcements or a repository, so it's hard to track their changes. The file version.c contains some entry mentioning this issue (without any credit):
v475 3/2/15 Fix possible buffer overrun with invalid UTF-8

The fix is in the file charset.c. Here is a patch.

Update 2015-06-03: It has been pointed out in the comments that the patch I provided was wrong (it was an unrelated fix for another issue). I have replaced it with the correct patch now. Also for clarification it should be pointed out that the latest "stable" version (according to the less webpage) 458 is not affected.

Buffer overflow and other minor issues in GnuPG and libksba - TFPA 001/2014

Fuzzing GnuPG uncovered a couple of issues with potential security impact. All issues found with american fuzzy lop and Address Sanitizer.

Buffer Overflow in OID decoding

A Buffer Overflow has been found in the OID decoding function with malformed OIDs. The code is shared between GnuPG and libksba. libksba is used for OID decoding by gpgsm and dirmngr. In GnuPG the error can be triggered by using the --list-packets parameter on the fuzzing sample.

The bug can be used for Denial of Service. Code execution is unlikely but cannot be ruled out.

Affected are GnuPG 2.1.0 and its beta versions and all libksba versions before 1.3.2. The issue is fixed in libksba 1.3.2 and will be fixed in the soon to be released GnuPG 2.1.1. GnuPG 2.0.x and 1.x versions are not affected.

libksba 1.3.2 release announcement
GnuPG commit / patch
libksba commit / patch
Fuzzing sample
CVE-2014-9087

Multiple invalid memory access issues

Malformed packets can cause access to uninitialized variables and an off by one access with --list-packets. A NULL pointer dereference can happen on --verify (already independently discovered and fixed). A malformed encrypted packet causes a call to BUG() (no security impact, just a funny error message). Likely all minor issues.

GnuPG commit / patch for uninitialized variable access
GnuPG commit / pach for NULL pointer deref
GnuPG commit / patch for off-by-one
Fuzzing sample uninitialized variable access
Fuzzing sample off-by-one
Fuzzing sample NULL pointer deref

All issues have been privately reported to GnuPG developer Werner Koch on 2014-11-23/24/25 who quickly fixed them.

Conclusion

More people should fuzz GnuPG.