[Pkg-phototools-devel] Bug#878839: marked as done (optipng: CVE-2017-16938: global-buffer-overflow bug while parsing GIF file)

Sat, 09 Dec 2017 04:06:49 -0800 

Your message dated Sat, 09 Dec 2017 12:03:01 +0000
with message-id <e1endqp-0004lr...@fasolo.debian.org>
and subject line Bug#878839: fixed in optipng 0.7.6-1+deb9u1
has caused the Debian Bug report #878839,
regarding optipng: CVE-2017-16938: global-buffer-overflow bug while parsing GIF 
file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
878839: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878839
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: optipng
Version: 0.7.6-1
Severity: normal

Dear Maintainer,

global-buffer-overflow bug while parsing GIF file

Running 'optipng' with the attached file raises global-buffer-overflow
bug,
which may allow a remote attacker to cause a denial-of-service attack or
other unspecified impact with a crafted file.

I expected the program to terminate without segfault, but the program
crashes as follow

************************************************************************
* Please consider that this bug isn't found in default debian optipng  *
* which is installed by apt-get.                                       *
* This bug is only triggered when optipng was compiled by clang or by  *
* gcc without any optimizations.                                       * 
************************************************************************
-----------------------------

<logs with address sanitizer>

june@june:~/project/analyze/poc/optipng$ optipng poc
** Processing: poc
Warning: Bogus data in GIF
=================================================================
==11381==ERROR: AddressSanitizer: global-buffer-overflow on address
0x55c9084bf040 at pc 0x55c908286630 bp 0x7fffd3831e40 sp 0x7fffd3831e38
WRITE of size 4 at 0x55c9084bf040 thread T0
=================================================================
==11381==ERROR: AddressSanitizer: global-buffer-overflow on address
0x55c9084bf040 at pc 0x55c908286630 bp 0x7fffd3831e40 sp 0x7fffd3831e38
WRITE of size 4 at 0x55c9084bf040 thread T0
#0 0x55c90828662f
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x7362f)
#1 0x55c908285912
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x72912)
#2 0x55c90828549f
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x7249f)
#3 0x55c908284e00
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x71e00)
#4 0x55c908239928
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x26928)
#5 0x55c9082367a7
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x237a7)
#6 0x55c908229674
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x16674)
#7 0x55c90822b778
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x18778)
#8 0x55c90822c9fe
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x199fe)
#9 0x55c90822731e
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x1431e)
#10 0x55c908227436
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x14436)
#11 0x7fb1b02de2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#12 0x55c908224389
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x11389)

0x55c9084bf040 is located 0 bytes to the right of global variable
'stack' defined in 'gifread.c:401:16' (0x55c9084b7040) of size 32768
0x55c9084bf040 is located 32 bytes to the left of global variable
'oldcode' defined in 'gifread.c:398:27' (0x55c9084bf060) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x7362f) 
Shadow bytes around the buggy address:
  0x0ab9a108fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab9a108fe00: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 04 f9 f9 f9
  0x0ab9a108fe10: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ab9a108fe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:           00
Partially addressable: 01 02 03 04 05 06 07 
Heap left redzone:       fa
Heap right redzone:      fb
Freed heap region:       fd
Stack left redzone:      f1
Stack mid redzone:       f2
Stack right redzone:     f3
Stack partial redzone:   f4
Stack after return:      f5
Stack use after scope:   f8
Global redzone:          f9
Global init order:       f6
Poisoned by user:        f7
Container overflow:      fc
Array cookie:            ac
Intra object redzone:    bb
ASan internal:           fe
Left alloca redzone:     ca
Right alloca redzone:    cb
==11381==ABORTING

<stack trace>
(gdb) r poc
Starting program: /usr/bin/optipng poc
** Processing: poc
Warning: Bogus data in GIF

Program received signal SIGSEGV, Segmentation fault.
0x000055555557d075 in LZWReadByte (init_flag=0, input_code_size=2,
stream=0x55555579e010)
    at gifread.c:499
    499             *sp++ = table[1][code];
(gdb) bt
#0  0x000055555557d075 in LZWReadByte (init_flag=0, input_code_size=2,
stream=0x55555579e010) at gifread.c:499
#1  0x000055555557ca05 in GIFReadImageData (image=0x7fffffffb310,
stream=0x55555579e010) at gifread.c:261
#2  0x000055555557c846 in GIFReadNextImage (image=0x7fffffffb310,
stream=0x55555579e010) at gifread.c:217
#3  0x000055555557c618 in GIFReadNextBlock (image=0x7fffffffb310,
ext=0x7fffffffb2f0, stream=0x55555579e010) at gifread.c:163
#4  0x0000555555561055 in pngx_read_gif (png_ptr=0x55555579e240,
info_ptr=0x55555579e4a0, stream=0x55555579e010) at pngxrgif.c:151
#5  0x000055555555f658 in pngx_read_image (png_ptr=0x55555579e240,
info_ptr=0x55555579e4a0, fmt_name_ptr=0x7fffffffbc30,
fmt_long_name_ptr=0x0) at pngxread.c:130
#6  0x0000555555558d3b in opng_read_file (infile=0x55555579e010) at
optim.c:939
#7  0x000055555555a106 in opng_optimize_impl (infile_name=0x7fffffffe487
"poc") at optim.c:1503
#8  0x000055555555b01b in opng_optimize (infile_name=0x7fffffffe487
"poc") at optim.c:1853
#9  0x0000555555557525 in process_files (argc=2, argv=0x7fffffffe178) at
optipng.c:941
#10 0x00005555555575da in main (argc=2, argv=0x7fffffffe178) at
optipng.c:975

This bug happened because below loop worked infinitely.

while (code >= clear_code)
{
  *sp++ = table[1][code];
  if (code == table[0][code])
    GIFError("GIF/LZW error: circular table entry");
  code = table[0][code];
}

(gdb) p table[0]
$3 = {0, 0, 0, 0, 0, 0, 3, 0, 0, 15, 9, 15, 8, 10, 1, 13, 0 <repeats
4080 times>}

code value is assigned 15 -> 13 -> 10 -> 9 -> 15 -> 13 -> 10 -> 9 -> ...
repetedely.
15, 13, 10, 9 are always bigger than clear_code so this loop runs
forever
and sp pointer will increase forever which causes buffer overflow.

-----------------------------

The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages optipng depends on:
ii  libc6        2.24-11+deb9u1
ii  libpng16-16  1.6.28-1
ii  zlib1g       1:1.2.8.dfsg-5

optipng recommends no packages.

optipng suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message --- 
Source: optipng
Source-Version: 0.7.6-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
optipng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated optipng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Dec 2017 21:42:04 +0100
Source: optipng
Binary: optipng
Architecture: source
Version: 0.7.6-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian PhotoTools Maintainers 
<pkg-phototools-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 878839 882032
Description: 
 optipng    - advanced PNG (Portable Network Graphics) optimizer
Changes:
 optipng (0.7.6-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent integer overflow in minitiff_read_info() (CVE-2017-1000229)
     (Closes: #882032)
   * gifread: Detect indirect circular dependencies in LZW tables
     (CVE-2017-16938) (Closes: #878839)
Checksums-Sha1: 
 9f1dc801a97f22f995446910d6fac6573da854de 2183 optipng_0.7.6-1+deb9u1.dsc
 abc480543b85d227db4a84be80ae2dd8a8e53a66 200670 optipng_0.7.6.orig.tar.gz
 2ea608a8c694116b801b98268b90c664e6c0361c 5976 
optipng_0.7.6-1+deb9u1.debian.tar.bz2
Checksums-Sha256: 
 e283b8af9c96d29fda091b9bc383e3f91c33424698da3e0ca060c4fa3486babc 2183 
optipng_0.7.6-1+deb9u1.dsc
 cd7eccd51f15c789e61041b3e03260e2886e74a274c9a6513a1f6db6cce07dc8 200670 
optipng_0.7.6.orig.tar.gz
 79c6b09880fe5c2d72f261caac08f297abf2ca267024f2db00316e63eaf83bed 5976 
optipng_0.7.6-1+deb9u1.debian.tar.bz2
Files: 
 952cd81e91d3f9ff2d80af1d6bfa3453 2183 graphics optional 
optipng_0.7.6-1+deb9u1.dsc
 c36836166ec3b6a12a75600fdb73e6ce 200670 graphics optional 
optipng_0.7.6.orig.tar.gz
 c8c3f9d47a9a0c885d2c9786c83f8ae5 5976 graphics optional 
optipng_0.7.6-1+deb9u1.debian.tar.bz2

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlopqC9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EiWEP/1ldAZiQVcD/F9w2pcFttzbHmF5o5V+R
i+rIh1xHKiepOGxGvBj/Rp0vZJQUHNo/bQuirtBO3drZ+G5QhatFBFEhgiuUpp1Q
1kd8c7wnWCMVq7lza0zacWX6KONABbYOLmO3FLFPjv02HfpCcduP5rV+6U9UgJfB
UZWy4+1/k1TnKGmLxU0aN6q41yVFqa6ci8w4qYeJ09oPcE4Cap3ZV1xP7gMFVggf
nOUJfRyejDHzeg6AUupMv/7VRR3I4s0qg5m5cPUGR0o3IUOc6hUZFrExHIEXckZD
YiXy9/RbEkC7LiaicMRKxEHn6TTB/ftWX+G5xwcajV4wKYvBGikLHd8Jwz5++dBK
aeg0fKh+9O1T05Hsc1GxBFD8crAdtIDa3jhSaiVBeqDseBIrNFlZJmcjq1ua2DKe
8wcWtlNucTbF1PSH4LsHr9vPeZwyor5FZdFEdL9rSiBaGso5hRAoYqt04R0HbrwV
CHn32Q7CA91dAIgrutwbnTUalZjh61Oab5lO3ZOmTDo3jPZyiE/lkzbSt+bpAiKx
pe58/aBWILOKuVzehfxpA69bp002QtNAkGOesCj8suqc2AP4C7WxEczgNsjePYvA
qRBVTsKJxw2KMjuoBSzwffAVx7OVQ+zlY57tT1SMw/t108nSEpbe9rdotQZlJ8uF
5Xpl657y9aIY
=RNAL
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-phototools-devel mailing list
Pkg-phototools-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-phototools-devel

Reply via email to