Vulnerabilities > CVE-2016-8859 - Integer Overflow or Wraparound vulnerability in Etalabs Musl
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple integer overflows in the TRE library and musl libc allow attackers to cause memory corruption via a large number of (1) states or (2) tags, which triggers an out-of-bounds write.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-91.NASL description This update for tre fixes one issue. This security issue was fixed : - CVE-2016-8859: Fixed multiple integer overflows which allowed attackers to cause memory corruption via a large number of (1) states or (2) tags, which triggered an out-of-bounds write (boo#1005483) last seen 2020-06-05 modified 2018-01-26 plugin id 106360 published 2018-01-26 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106360 title openSUSE Security Update : tre (openSUSE-2018-91) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-91. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(106360); script_version("3.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-8859"); script_name(english:"openSUSE Security Update : tre (openSUSE-2018-91)"); script_summary(english:"Check for the openSUSE-2018-91 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for tre fixes one issue. This security issue was fixed : - CVE-2016-8859: Fixed multiple integer overflows which allowed attackers to cause memory corruption via a large number of (1) states or (2) tags, which triggered an out-of-bounds write (boo#1005483)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1005483" ); script_set_attribute(attribute:"solution", value:"Update the affected tre packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:agrep"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:agrep-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtre5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtre5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-tre"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-tre-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tre"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tre-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tre-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tre-lang"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"agrep-0.8.0_git201402282055-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"agrep-debuginfo-0.8.0_git201402282055-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libtre5-0.8.0_git201402282055-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libtre5-debuginfo-0.8.0_git201402282055-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"python-tre-0.8.0_git201402282055-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"python-tre-debuginfo-0.8.0_git201402282055-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"tre-0.8.0_git201402282055-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"tre-debugsource-0.8.0_git201402282055-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"tre-devel-0.8.0_git201402282055-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"tre-lang-0.8.0_git201402282055-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"agrep-0.8.0_git201402282055-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"agrep-debuginfo-0.8.0_git201402282055-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libtre5-0.8.0_git201402282055-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libtre5-debuginfo-0.8.0_git201402282055-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-tre-0.8.0_git201402282055-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"python-tre-debuginfo-0.8.0_git201402282055-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"tre-0.8.0_git201402282055-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"tre-debugsource-0.8.0_git201402282055-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"tre-devel-0.8.0_git201402282055-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"tre-lang-0.8.0_git201402282055-10.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "agrep / agrep-debuginfo / libtre5 / libtre5-debuginfo / python-tre / etc"); }NASL family Fedora Local Security Checks NASL id FEDORA_2016-0FF6C3D84B.NASL description This update includes the following fixes : - fix for CVE-2016-8859 - fix for CVE-2015-3796 (see https://github.com/laurikari/tre/issues/37 and https://bugs.chromium.org/p/project-zero/issues/detail?i d=428) - fix for parallel installation of multilib packages Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-11-15 plugin id 94777 published 2016-11-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94777 title Fedora 23 : tre (2016-0ff6c3d84b) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-687.NASL description A vulnerability has been found in the tre package that could allow an attacker to perform controlled heap corruption. For Debian 7 last seen 2020-03-17 modified 2016-10-28 plugin id 94343 published 2016-10-28 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94343 title Debian DLA-687-1 : tre security update NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201701-11.NASL description The remote host is affected by the vulnerability described in GLSA-201701-11 (musl: Integer overflow) A vulnerability was discovered in musl’s tre_tnfa_run_parallel function buffer overflow logic, due to the incorrect use of integer types and missing overflow checks. Impact : An attacker, who controls the regular expression and/or string being searched, could execute arbitrary code with the privileges of the process. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 96242 published 2017-01-03 reporter This script is Copyright (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96242 title GLSA-201701-11 : musl: Integer overflow NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-554.NASL description This update introduces kubernetes version 1.14.1 and cri-o 1.17.1 to Leap 15.1. last seen 2020-04-30 modified 2020-04-27 plugin id 136011 published 2020-04-27 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136011 title openSUSE Security Update : kubernetes (openSUSE-2020-554) (Dirty COW) NASL family Fedora Local Security Checks NASL id FEDORA_2016-CD09EAB674.NASL description This update includes the following fixes : - fix for CVE-2016-8859 - fix for CVE-2015-3796 (see https://github.com/laurikari/tre/issues/37 and https://bugs.chromium.org/p/project-zero/issues/detail?i d=428) - fix for parallel installation of multilib packages Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-11-15 plugin id 94863 published 2016-11-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94863 title Fedora 24 : tre (2016-cd09eab674) NASL family Fedora Local Security Checks NASL id FEDORA_2016-0A952A3BC0.NASL description This update includes the following fixes : - fix for CVE-2016-8859 - fix for CVE-2015-3796 (see https://github.com/laurikari/tre/issues/37 and https://bugs.chromium.org/p/project-zero/issues/detail?i d=428) - fix for parallel installation of multilib packages Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-11-21 plugin id 94990 published 2016-11-21 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94990 title Fedora 25 : tre (2016-0a952a3bc0)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
- http://www.openwall.com/lists/oss-security/2016/10/19/1
- http://www.openwall.com/lists/oss-security/2016/10/19/10
- http://www.securityfocus.com/bid/93795
- https://security.gentoo.org/glsa/201701-11
- https://security.gentoo.org/glsa/202007-43