
Is one-off in pe_utils_str_widechar2ascii() a security issue?

Open petterreinholdtsen opened this issue 3 years ago • 9 comments

Dear developer. The fix in 5737a97c57be175333fc0c6f51bb2cdd7101c17e was just brought to my attention, and it made me wonder if the issue can cause a security issue with specially created PE binaries. Is the fix security related, and if so, is there a CVE assigned to the issue?

petterreinholdtsen avatar May 01 '21 06:05 petterreinholdtsen

https://bugs.debian.org/987959 is the background for my question.

petterreinholdtsen avatar May 05 '21 12:05 petterreinholdtsen

Hi @petterreinholdtsen. This looks like a security issue, you're right. However, we haven't assigned any CVE to it. @jweyrich do you have more details here since you were the one fixing the bug?

merces avatar May 17 '21 14:05 merces

No security issue was reported for this case. At least not that I'm aware of. But yes, theoretically, a malformed binary could cause arbitrary code execution - I didn't try it though. IIRC, we detected the issue during one of our Discord sessions.

jweyrich avatar May 18 '21 16:05 jweyrich
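As an added illustration of the bug class being discussed, and not libpe's `pe_utils_str_widechar2ascii()` nor the change in the commit named above: a bounded UTF-16LE to ASCII conversion of the kind a PE parser performs on strings read from an untrusted file. The function name, the sample inputs and the buffer sizes are constructed for this example. The point it shows is that a malformed binary controls the input length and may omit the terminator, so the output bound has to reserve the byte for the NUL up front rather than trust the input to stop in time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libpe's implementation.
 * Converts at most in_len bytes of UTF-16LE (possibly unterminated,
 * odd-length or truncated, as a crafted PE may supply) into ASCII in
 * out[out_size]. Always NUL-terminates when out_size > 0 and never
 * writes past out[out_size - 1]. Returns the number of characters
 * written (excluding the NUL), or -1 on invalid arguments. */
int widechar_to_ascii_bounded(const uint8_t *in, size_t in_len,
                              char *out, size_t out_size)
{
    if (out == NULL || out_size == 0)
        return -1;
    if (in == NULL)
        in_len = 0;

    size_t written = 0;
    size_t units = in_len / 2;   /* whole code units only; a trailing odd byte is ignored */

    for (size_t i = 0; i < units; i++) {
        uint16_t cu = (uint16_t)in[2 * i] | (uint16_t)((uint16_t)in[2 * i + 1] << 8);
        if (cu == 0)                 /* embedded terminator ends the string */
            break;
        if (written + 1 >= out_size) /* reserve the last slot for the NUL */
            break;
        /* Code units outside ASCII are replaced instead of being truncated to a byte. */
        out[written++] = (cu < 0x80) ? (char)cu : '?';
    }
    out[written] = '\0';
    return (int)written;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_TERMINATED[]   = { 'A',0, 'B',0, 'C',0, 0,0 };
static const uint8_t SAMPLE_UNTERMINATED[] = { 'A',0, 'B',0, 'C',0, 'D',0, 'E',0 };
static const uint8_t SAMPLE_ODD_LENGTH[]   = { 'X',0, 'Y' };
static const uint8_t SAMPLE_NON_ASCII[]    = { 0xE9,0x00, 'A',0 };  /* U+00E9 then 'A' */

/* Output buffer deliberately small so the truncation paths are exercised. */
static char scratch[4];

int main(void)
{
    int n = widechar_to_ascii_bounded(SAMPLE_UNTERMINATED, sizeof SAMPLE_UNTERMINATED,
                                      scratch, sizeof scratch);
    printf("unterminated input -> %d chars, \"%s\"\n", n, scratch);
    n = widechar_to_ascii_bounded(SAMPLE_ODD_LENGTH, sizeof SAMPLE_ODD_LENGTH,
                                  scratch, sizeof scratch);
    printf("odd-length input   -> %d chars, \"%s\"\n", n, scratch);
    return 0;
}
```

The unterminated sample is longer than the output buffer; a conversion that copies until it sees a zero code unit, or that checks `written < out_size` before writing and only then appends the NUL, would write one byte past the end in exactly this situation. Fuzzing a PE parser with unterminated and odd-length strings in resource and version sections is the practical way to catch that class of defect.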

Should a CVE be requested for this issue?

petterreinholdtsen avatar Dec 18 '21 23:12 petterreinholdtsen

I'd be fine with that, yes. Should we work on it ourselves or you do it, @petterreinholdtsen ?

Thanks.

merces avatar Dec 21 '21 21:12 merces

[Fernando Mercês]

I'd be fine with that, yes. Should we work on it ourselves or you do it, @petterreinholdtsen ?

I do not have any source of CVEs myself, my approach would be to talk to the Debian security team to ask for their help, as I am involved in Debian. No idea if that is a better option than your ideas. I suspect it is better that you, who know the source and issue, do it.

-- Happy hacking Petter Reinholdtsen

petterreinholdtsen avatar Dec 21 '21 22:12 petterreinholdtsen

If a CVE is warranted for the issue, please do request a CVE directly via https://cveform.mitre.org.

carnil avatar Dec 22 '21 06:12 carnil

Hi @carnil, thanks for pointing that out. ;)

Hi @petterreinholdtsen, we're now in the process of finding someone to take over this project alongside pev, because we don't have the time to work on them anymore. I truly appreciate your understanding, as I didn't want to see pev being kicked out of the Debian repos. I hope to find a new maintainer who will take care of this and other issues.

Thanks, Fernando

merces avatar Jan 28 '22 01:01 merces

[Fernando Mercês]

Hi @petterreinholdtsen, we're now in the process of finding someone to take over this project alongside pev, because we don't have the time to work on them anymore.

Thank you for not forgetting this issue. For the record, I am not volunteering to take over libpe and pev. Way too many other tasks on my plate. :)

-- Happy hacking Petter Reinholdtsen

petterreinholdtsen avatar Jan 28 '22 08:01 petterreinholdtsen