diff --git a/0001-lib-node.c-Limit-recursion-in-ri-records-CVE-2021-36.patch b/0001-lib-node.c-Limit-recursion-in-ri-records-CVE-2021-36.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1bd7ffad7f9d02fe4886a99f4f3a54e223d56b0c
--- /dev/null
+++ b/0001-lib-node.c-Limit-recursion-in-ri-records-CVE-2021-36.patch
@@ -0,0 +1,95 @@
+From 771728218dac2fbf6997a7e53225e75a4c6b7255 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Thu, 8 Jul 2021 19:00:45 +0100
+Subject: [PATCH] lib/node.c: Limit recursion in ri-records (CVE-2021-3622)
+
+Windows Registry hive "ri"-records are arbitrarily nested B-tree-like
+structures:
+
+ +-------------+
+ | ri |
+ |-------------|
+ | nr_offsets |
+ | offset[0] ------> points to another lf/lh/li/ri block
+ | offset[1] ------>
+ | offset[2] ------>
+ +-------------+
+
+It is possible to construct a hive with a very deeply nested tree of
+ri-records, causing the internal _get_children function to recurse to
+any depth which can cause programs linked to hivex to crash with a
+stack overflow.
+
+Since it is not thought that deeply nested ri-records occur in real
+hives, limit recursion depth. If you hit this limit you will see the
+following error and the operation will return an error instead of
+crashing:
+
+ \> ls
+ hivex: _get_children: returning EINVAL because: ri-record nested to depth >= 32
+ ls: Invalid argument
+
+Thanks to Jeremy Galindo for finding and reporting this bug.
+
+Reported-by: Jeremy Galindo, Sr Security Engineer, Datto.com
+Signed-off-by: Richard W.M. Jones
+Fixes: CVE-2021-3622
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975489
+(cherry picked from commit 781a12c4a49dd81365c9c567c5aa5e19e894ba0e)
+---
+ lib/node.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/lib/node.c b/lib/node.c
+index 7b002a46..eb7fe93c 100644
+--- a/lib/node.c
++++ b/lib/node.c
+@@ -203,7 +203,7 @@ hivex_node_classname (hive_h *h, hive_node_h node)
+ 
+ static int _get_children (hive_h *h, hive_node_h blkoff,
+ offset_list *children, offset_list *blocks,
+- int flags);
++ int flags, unsigned depth);
+ static int check_child_is_nk_block (hive_h *h, hive_node_h child, int flags);
+ 
+ /* Iterate over children (ie. subkeys of a node), returning child
+@@ -335,7 +335,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+ goto error;
+ }
+ 
+- if (_get_children (h, subkey_lf, &children, &blocks, flags) == -1)
++ if (_get_children (h, subkey_lf, &children, &blocks, flags, 0) == -1)
+ goto error;
+ 
+ /* Check the number of children we ended up reading matches
+@@ -383,7 +383,7 @@ _hivex_get_children (hive_h *h, hive_node_h node,
+ static int
+ _get_children (hive_h *h, hive_node_h blkoff,
+ offset_list *children, offset_list *blocks,
+- int flags)
++ int flags, unsigned depth)
+ {
+ /* Add this intermediate block. */
+ if (_hivex_add_to_offset_list (blocks, blkoff) == -1)
+@@ -486,7 +486,17 @@ _get_children (hive_h *h, hive_node_h blkoff,
+ }
+ }
+ 
+- if (_get_children (h, offset, children, blocks, flags) == -1)
++ /* Although in theory hive ri records might be nested to any
++ * depth, in practice this is unlikely. Recursing here caused
++ * CVE-2021-3622. Thus limit the depth we will recurse to
++ * something small.
++ */
++ if (depth >= 32) {
++ SET_ERRNO (EINVAL, "ri-record nested to depth >= %u", depth);
++ return -1;
++ }
++
++ if (_get_children (h, offset, children, blocks, flags, depth+1) == -1)
+ return -1;
+ }
+ }
+--
+2.32.0
+
diff --git a/download b/download
new file mode 100644
index 0000000000000000000000000000000000000000..242ab8d56081d4ce9302a516fdda316fc3f3c469
--- /dev/null
+++ b/download
@@ -0,0 +1,2 @@
+8468074cdc6e870e8f6a2c831ce22a0d hivex-1.3.18.tar.gz
+92a1fbe68d98f9031cbfac4c9c88e252 hivex-1.3.18.tar.gz.sig
diff --git a/hivex-1.3.18.tar.gz b/hivex-1.3.18.tar.gz
deleted file mode 100644
index ef8ecaec8d9379b77d3ddf607dd624397f96e871..0000000000000000000000000000000000000000
Binary files a/hivex-1.3.18.tar.gz and /dev/null differ
diff --git a/hivex-1.3.18.tar.gz.sig b/hivex-1.3.18.tar.gz.sig
deleted file mode 100644
index ee867fdbb5ed2df9cb91e9b1b48f1cc69ca1e0a5..0000000000000000000000000000000000000000
--- a/hivex-1.3.18.tar.gz.sig
+++ /dev/null
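Review bot: The recursion limit added in the lib/node.c hunk at line 486 is a bare `32` inside `_get_children`, and the `depth` parameter added to the prototype in the hunk at line 203 is documented nowhere, so a reader of the prototype cannot tell what a caller should pass. I would name the constant and describe the parameter, e.g. `enum { MAX_RI_DEPTH = 32 };` beside the prototype and `if (depth >= MAX_RI_DEPTH) {` in the body, with a comment on the prototype such as `/* depth: nesting level of the ri-record being read; callers pass 0 and recursion is refused once it reaches MAX_RI_DEPTH. */`. The check itself is sound as written: `depth` is unsigned and bounded before `depth+1` is formed, so the increment cannot wrap. The enclosing loop and the rest of `_get_children` lie outside the hunk.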
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJFBAABCAAvFiEE93dPsa0HSn6Mh2fqkXOPc+G3aKAFAlxJfxkRHHJpY2hAYW5u
-ZXhpYS5vcmcACgkQkXOPc+G3aKCZBRAAqXBbrDyf+TtXCLZBIrs0MkfrYtQFDxps
-nTNz6sdNXftYl0LKJ6dhEkNwVg0QP31ifX1mQfU4EmJiEOI7qW6xqNLPlwhkKaIP
-qoB7ctesELb3LBhcgjI9lUjaCeGXrWkIHxp9SWC3esGqHIxWVu+BwKmFt1DfAZtH
-KE9gtVO6g5sbCdZEP2b4d/PwsL1vO0glekCkEZ0n3PcOgf0isVU0IUSz2IVhcy6e
-DqY4puYFwopVEpPzzRI9oW/y2XJTTssCM9F420HDnemtUQpx0Uw637MiCRLoN6Or
-PA1IkTzx/01Ub6OKl3gbMoY3s27yOFJToBVkTmYDvZHUJpNRCj7ytaKAIiZ4aan7
-WOi+7h9cvkjcr0OhomN+5bDLg6XpaVj9SPuM3W/AgDaYu6PeSvpr5yAtg3VEArJ3
-Lh4y8b+fh1pzdkLJsvGxK+YpL+ollgTP2y2CAXxgTDv0oMrUI9O4vrNKaOSE4Qnl
-TinMMFaYvuBWzzTKfjhtnFOMI8YvAFHHVDhBSWost2ZR5W6SCd9xXAvMdUQDL3aD
-ReesInrLptdklyKL+4l8miokUfq+U0ASi1PC3+Ek/yk13LtUXHEvXfb9rQlPhOc3
-Fp1278JziKQd7xlkvMuo+Q2PSRGSDaBACqmqjwBaLsPDoz8jsiZOZ/qPg6qcx0kM
-y93C/w1pCcA=
-=YBlx
------END PGP SIGNATURE-----
diff --git a/hivex.spec b/hivex.spec
index abe5338664dfd9150e26e1bc169631d0d4837a07..3a0ec4fa2b7f8a27bb093cccb6ac963546dc30c7 100644
--- a/hivex.spec
+++ b/hivex.spec
@@ -10,7 +10,7 @@ Name: hivex
 Version: 1.3.18
-Release: 21%{?dist}
+Release: 23%{?dist}
 Summary: Read and write Windows Registry binary hive files
 License: LGPLv2
@@ -33,6 +33,9 @@ Patch0002: 0002-Win-Hivex-Regedit-Ignore-comments.patch
 # Bounds check for block exceeding page length (CVE-2021-3504).
 Patch0003: 0001-lib-handle.c-Bounds-check-for-block-exceeding-page-l.patch
+# Limit recursion in ri-records (CVE-2021-3622).
+Patch0004: 0001-lib-node.c-Limit-recursion-in-ri-records-CVE-2021-36.patch
+
 BuildRequires: perl-interpreter
 BuildRequires: perl-devel
 BuildRequires: perl-generators
@@ -277,6 +280,14 @@ fi
 %changelog
+* Mon Sep 6 2021 Richard W.M. Jones - 1.3.18-23
+- Limit recursion in ri-records (CVE-2021-3622)
+ resolves: rhbz#1976194
+
+* Thu Sep 2 2021 Danilo C. L. de Paula - 1.3.18-22.el8
+- Resolves: bz#2000225
+ (Rebase virt:rhel module:stream based on AV-8.6)
+
+* Sat Apr 17 2021 Richard W.M. Jones - 1.3.18-21
+- Bounds check for block exceeding page length (CVE-2021-3504)
+ resolves: rhbz#1950501