#1137251 braa: out-of-bounds stack read via crafted BER length in braaasn.c

Package:
braa
Source:
braa
Description:
Mass SNMP scanner
Submitter:
Igor Garofano
Date:
2026-06-20 18:35:02 UTC
Severity:
normal
Tags:
#1137251#5
Date:
2026-05-21 18:51:14 UTC
From:
To:
braa 0.82 contains an out-of-bounds stack read in braa_InternalDecodeBER()
(braaasn.c). When parsing a BER long-form length field, the code reads
length bytes without checking that the buffer contains enough data:

    int noct = len & 0x7f;   /* attacker-controlled: 0-127 */
    for(j = 0; j < noct; j++)
        len |= data[j + 1];  /* NO bounds check - reads beyond packet */

A 3-byte crafted UDP SNMP response (SEQUENCE tag, len=0xff, 1 data byte)
causes the loop to read up to 125 bytes beyond the stack-allocated receive
buffer pbuff[] (queries.c:502), disclosing adjacent stack memory.

The fix is present in upstream 0.9.1:
https://github.com/mteg/braa/releases/tag/v0.9.1

The package should be updated from 0.82-7 to 0.9.1.

Note: 0.9.1 still contains an uninitialized variable 'compl' when parsing
negative integers with len > 4 (braaasn.c), but this has no memory safety
impact.

Reported by: Igor Garofano <igorgarofano@gmail.com>
Coordinated with: Moritz Muehlenhoff <jmm@debian.org>

*Igor Garofano*

Cyber Security Specialist

*+39-3922283057*


*EC-council CTIA, CEH v10, CHFI, ITIL v3, Splunk, IBM Qradar Siem
Foundation, Oracle Cloud Architect Associate, **Google Cloud Architect,**
NSE4.*
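
A bounds-checked decoder for the BER tag/length header described in this report, as an added example in C; it is neither braa's code nor the upstream fix, and `ber_decode_hdr`, `decode_len` and the sample packets are constructed for illustration. The check on the number of length octets is the one the quoted loop lacks; the same 3-byte input (SEQUENCE tag, len=0xff, one data byte) is rejected instead of read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded BER tag + length header. */
struct ber_hdr { uint8_t tag; size_t len; size_t hdr_len; };

/* Decode a single-byte tag and a short- or long-form length from
 * buf[0..buflen). Returns 1 on success, 0 when the header or the
 * announced content does not fit inside the buffer. */
int ber_decode_hdr(const uint8_t *buf, size_t buflen, struct ber_hdr *out)
{
    size_t pos = 0, len;
    if (buflen < 2) return 0;                  /* need tag + first length octet */
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                           /* short form: one octet */
    } else {
        size_t noct = first & 0x7f;            /* attacker-controlled: 0-127 */
        if (noct > buflen - pos) return 0;     /* the check the quoted loop lacks */
        if (noct == 0 || noct > sizeof len) return 0; /* indefinite or oversized */
        for (len = 0; noct-- > 0; pos++)
            len = (len << 8) | buf[pos];
    }
    if (len > buflen - pos) return 0;          /* announced content must fit too */
    out->len = len;
    out->hdr_len = pos;
    return 1;
}

/* Convenience wrapper: content length on success, -1 when rejected. */
long decode_len(const uint8_t *buf, size_t buflen)
{
    struct ber_hdr h;
    return ber_decode_hdr(buf, buflen, &h) ? (long)h.len : -1;
}

/* Constructed sample packets, not captured traffic. */
const uint8_t crafted[]    = {0x30, 0xff, 0x01};                        /* the 3-byte case */
const uint8_t valid_long[] = {0x30, 0x82, 0x00, 0x03, 0x02, 0x01, 0x05}; /* len=3, fits   */
const uint8_t truncated[]  = {0x30, 0x82, 0x00, 0x10};                  /* says 16, has 0 */

int main(void)
{
    printf("crafted   -> %ld\n", decode_len(crafted, sizeof crafted));
    printf("valid     -> %ld\n", decode_len(valid_long, sizeof valid_long));
    printf("truncated -> %ld\n", decode_len(truncated, sizeof truncated));
    return 0;
}
```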

#1137251#12
Date:
2026-06-19 07:01:15 UTC
From:
To:
Hi all,

upstream's braa sources suffer from non-incremental version numbers:
0.82 < 0.9 < 0.9.1 according to the order of commits [1] (don't rely on
the order of tags displayed [2]). The current packaging in Debian has
version 0.82-7 [3].

To be able to fix RC bug #1137251 [4], I would like to increase the
epoch to 1 and update the package to version 1:0.9.1.

I herewith ask for consent to increment the epoch of the package in
accordance with Debian Policy, chapter 5.6.12 [5].

Best,
Sven

[1] https://github.com/mteg/braa/commits/master/
[2] https://github.com/mteg/braa/tags
[3] https://tracker.debian.org/pkg/braa
[4] https://bugs.debian.org/1137251
[5] https://www.debian.org/doc/debian-policy/ch-controlfields.html#version

#1137251#17
Date:
2026-06-19 07:20:57 UTC
From:
To:
Hi,

It looks like 0.82 was actually 0.8.2, so why not release 0.9.1 with the reversed logic as '0.91+actually0.9.1'?
The package is at 0.x, so I guess there will be time to introduce semver [2] version numbers until 1.x gets released.

With kind regards,
Roland Clobus

[1] https://www.debian.org/doc/debian-policy/ch-controlfields.html#version
[2] https://semver.org/

#1137251#22
Date:
2026-06-19 13:13:10 UTC
From:
To:
Hi Roland,

Thanks for your idea. On the other hand 0.82 fits the once apparently
deliberately chosen numbering pattern [3] with even versions numbers
0.4, 0.41, 0.42, 0.421 (sic!).

Given upstream's sparse activity on braa, I do not feel too confident
that a 1.0.0 will be released even in years.

So, I still wonder whether bumping the epoch would be the appropriate
choice in this case.

Are there other ideas?

Best,
Sven

[3] https://web.archive.org/web/20100725000743/http://s-tech.elsat.net.pl/braa/

#1137251#27
Date:
2026-06-19 14:19:54 UTC
From:
To:
Have you contacted upstream and asked them to cut a new release,
preferably following semver?

#1137251#32
Date:
2026-06-20 17:25:25 UTC
From:
To:
Hi Roland, Tobias & Michael,

Thanks for your thoughts. Will reach out to upstream and fix the bug
independently of the version number issue.

Cheers,
Sven

#1137251#35
Date:
2026-06-20 18:00:23 UTC
From:
To:
Hello,

Bug #1137251 in braa reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/pkg-security-team/braa/-/commit/56d5ae9e8bc1038c8174f50c2ae7e73b32fe4a03
------------------------------------------------------------------------
d/p/*: Add patch to fix out-of-bounds stack read via crafted BER length.

Closes: #1137251
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1137251

#1137251#42
Date:
2026-06-20 18:33:57 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
braa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1137251@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Geuer <sge@debian.org> (supplier of updated braa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 20 Jun 2026 19:55:41 +0200
Source: braa
Architecture: source
Version: 0.82-9
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Changed-By: Sven Geuer <sge@debian.org>
Closes: 1137251
Changes:
 braa (0.82-9) unstable; urgency=medium
 .
   * Team upload.
   * d/p/*: Add patch to fix out-of-bounds stack read via crafted BER length.
     (Closes: #1137251)
Files:
 521e607386546143d8205d2aef20e977 1875 net optional braa_0.82-9.dsc
 af3443a0385228ef924ba213e99d4a78 6644 net optional braa_0.82-9.debian.tar.xz
 1d0e6a872eb4e44171c8449b34e6ae5b 5634 net optional braa_0.82-9_amd64.buildinfo